[squid-users] Squid Deployment Questions

Eliezer Croitoru eliezer at ngtech.co.il
Wed Dec 31 06:20:17 UTC 2014


Hey Evan,

I am missing a couple of things in my head to get the picture:
How big is the LAN? How many clients?
Allowing port 80 and 443 from the LAN to the DMZ depends on the
services that will be or are there.
Squid's default port is 3128.
If the ICAP, NTP, SYSLOG are in the LAN segment I am almost sure that
putting the proxy inside the LAN is a better idea.
You will just need to block all port 80/443 and maybe other traffic
from passing the firewall unless it comes from the proxy IP address.
Risk? It is unclear to me what you are talking about.
Basically as long as you are using a Linux from a maintained distribution
you should be ok about getting critical updates.
I have been using Ubuntu LTS for a couple of years and I think it's a
good choice since you can always try their support for a price.
Since it's a Linux server most of the access to the server would
probably be through ssh so install fail2ban to prevent password
attacks (from the internal LAN).
In case you want to restrict the access a bit more you can use
iptables, which is the Linux firewall, to prevent unwanted probes from
touching your machine.

If you do have some more questions you have come to the right place.

All The Bests,
Eliezer

On 12/31/2014 07:59 AM, Evan Blackstone wrote:
> What level of risk would I be assuming (regular patching included)?
> Given that I'm relatively new to monitoring Linux servers for
> security, etc., is this a bad idea? I'm not really sure what to be
> looking for log-wise in terms of compromise. I have edge devices
> and monitoring on the perimeter, but I don't really know what to
> look for on the server itself...
> 
> Am I approaching this the wrong way? Should I be looking at putting
> it on the inside LAN? Would such an approach leave my network
> vulnerable should the Squid box get owned?

