[squid-users] Squid 3.5.8 RPMs release for CentOS 32 and 64 bit

Eliezer Croitoru eliezer at ngtech.co.il
Mon Sep 7 22:15:17 UTC 2015


Published at: http://www1.ngtech.co.il/wpe/?p=142



I am happy to release the new RPMs of squid 3.5.8 for CentOS 6 64-bit and 
32-bit, and CentOS 7 64-bit.

The new release includes a couple of bug fixes and improvements.
The details about the RPMs repository are at 
squid-wiki[http://wiki.squid-cache.org/KnowledgeBase/CentOS].
* A couple of important notes about this release are at the end of the article.

Do we need to protect squid?

Squid also serves to protect other applications, but past lessons 
teach us that squid, like any other software, is vulnerable. It can act as 
an internal management service inside a company or as an external service 
connecting an external network to some internal systems.
Places that use squid do not always say they do, but universities are among 
the users of squid around the internet. Most of them give access to 
some internal system using user credentials, a single sign-on pass or 
other authentication methods. In all of these places there is a chance 
that some hacker will try to hack the proxy and use it to access these 
internal systems or to access the internet through it. The basic way to 
defend a proxy service is to block clients that are using wrong 
authentication credentials.
In most cases the basic act would be to just DROP the IP traffic in the 
firewall. I do not think it's a bad way, but I do think that using some 
iptables DNAT\REDIRECT rule instead of DROPPING the connection is somewhat 
nicer, especially if it's a system that gives users access to work or 
office applications and systems.
Fail2ban is one of the great tools that allow the proxy to defend 
itself (using squid access.log) from basic attacks. And of course, depending 
on the sensitivity of the system, a DROP rule can be the right solution 
to mitigate the effect of some attackers.
If you choose to give the blocked user some information about his 
situation and who to contact about it, please use a very lightweight HTTP 
service that can take load, and use 100% static pages for that 
purpose (i.e. don't use Apache with PHP in it).
For this action you would require a special action from fail2ban in the 
mangle table of iptables.

An example fail2ban action file: “action.d/iptables-redirect.conf”
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# Modified by Eliezer Croitoru for DNAT into a ban page\service

[INCLUDES]
before = iptables-common.conf

[Definition]
# Create the jail's own chain in the nat table, give it a default return,
# and hook it into <chain> (PREROUTING by default) for the proxy ports.
actionstart = <iptables> -t nat -N f2b-<name>
              <iptables> -t nat -A f2b-<name> -j <returntype>
              <iptables> -t nat -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Unhook, flush and delete the chain (the original had "-tnat", which iptables rejects).
actionstop = <iptables> -t nat -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <iptables> -t nat -F f2b-<name>
             <iptables> -t nat -X f2b-<name>

# The jump rule lives in the nat table, so the check must look there too;
# without "-t nat" the check always fails and fail2ban keeps re-running actionstart.
actioncheck = <iptables> -t nat -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Instead of dropping, send the banned client's proxy traffic to the
# static ban page service listening on local port 8080.
actionban = <iptables> -t nat -I f2b-<name> 1 -p <protocol> -s <ip> -j REDIRECT --to-ports 8080

actionunban = <iptables> -t nat -D f2b-<name> -p <protocol> -s <ip> -j REDIRECT --to-ports 8080

[Init]
##END
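The action file above only says what to do with a client once fail2ban has decided to ban it; the decision itself comes from a filter that counts failed proxy authentications in access.log. The following is an added example, not part of the original post or of the squid RPM packages, that shows that counting logic in plain Python: it parses squid's native access.log format, treats TCP_DENIED/407 entries as authentication failures, and flags a client IP once it has produced maxretry failures inside a findtime window, the same two knobs a fail2ban jail uses. The log lines are constructed for the example and do not come from a real proxy; the equivalent fail2ban failregex is given in a comment for reference.

```python
import re
from collections import defaultdict, deque

# Squid native access.log format, one request per line:
#   <epoch> <elapsed_ms> <client_ip> <result_code>/<http_status> <bytes> <method> <url> <user> <hier>/<peer> <type>
# Only the timestamp, client address and result/status are needed here.
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<ip>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s"
)

# The same match expressed as a fail2ban failregex (filter.d entry, for reference):
#   failregex = ^\S+\s+\d+\s+<HOST>\s+TCP_DENIED/407\s
FAIL2BAN_FAILREGEX = r"^\S+\s+\d+\s+<HOST>\s+TCP_DENIED/407\s"

# Constructed sample log (not real traffic): 203.0.113.7 keeps failing proxy
# authentication; 192.0.2.10 is a normal client that gets the usual single 407
# challenge before authenticating, so it must not be flagged.
SAMPLE_LOG = """\
1441664100.101    0 203.0.113.7 TCP_DENIED/407 3930 GET http://intranet.example/ - HIER_NONE/- text/html
1441664105.212    0 203.0.113.7 TCP_DENIED/407 3930 GET http://intranet.example/ - HIER_NONE/- text/html
1441664110.330    0 203.0.113.7 TCP_DENIED/407 3930 GET http://intranet.example/ - HIER_NONE/- text/html
1441664112.004  120 192.0.2.10 TCP_MISS/200 5120 GET http://intranet.example/ alice HIER_DIRECT/10.0.0.5 text/html
1441664115.451    0 203.0.113.7 TCP_DENIED/407 3930 GET http://intranet.example/ - HIER_NONE/- text/html
1441664120.522    0 203.0.113.7 TCP_DENIED/407 3930 GET http://intranet.example/ - HIER_NONE/- text/html
1441664125.601    0 203.0.113.7 TCP_DENIED/407 3930 GET http://intranet.example/ - HIER_NONE/- text/html
1441664130.700    0 192.0.2.10 TCP_DENIED/407 3930 GET http://intranet.example/ - HIER_NONE/- text/html
"""


def auth_failure(line):
    """Return (timestamp, client_ip) if the line is a proxy-auth failure, else None.

    A 407 with TCP_DENIED is squid's "Proxy Authentication Required" answer; every
    client sees one of these before it sends credentials, which is why a single
    hit is never enough to ban and a threshold is needed.
    """
    m = LOG_RE.match(line)
    if not m or m.group("code") != "TCP_DENIED" or m.group("status") != "407":
        return None
    return float(m.group("ts")), m.group("ip")


def find_offenders(lines, maxretry=5, findtime=600):
    """Sliding-window counter like a fail2ban jail.

    Returns {client_ip: timestamp_of_ban} where the timestamp is the failure
    that made the count reach maxretry within the last findtime seconds.
    """
    windows = defaultdict(deque)  # ip -> timestamps of recent failures
    offenders = {}
    for line in lines:
        hit = auth_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        dq = windows[ip]
        dq.append(ts)
        # Drop failures that fell out of the findtime window.
        while dq and dq[0] < ts - findtime:
            dq.popleft()
        if len(dq) >= maxretry and ip not in offenders:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        # In a real jail this is where actionban would REDIRECT the client to the ban page.
        print(f"ban {ip} (threshold reached at {when:.3f})")
```

With the defaults the brute-forcing address is flagged on its fifth failure while the legitimate client, which produced one 407 and then authenticated, is left alone; tightening findtime to a few seconds shows how a window that is too short lets a slow, patient attacker through, which is the trade-off to keep in mind when tuning the jail.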

I hope it will help others to improve their service.

With this release I would like to recommend a nice tutorial video about DDoS 
by Krassimir Tzvetanov, A10 Networks, 
Inc.[https://www.youtube.com/watch?v=POFEMlQw6Rc]
This talk covers the principles and particular implementations of DDoS. 
It goes into detail about the bottlenecks that are generally 
exploited/overloaded, the attack types and the solutions to those.

Or a local mirror at:
Tutorial: Denial of Service 
101[http://ngtech.co.il/squid/videos/POFEMlQw6Rc.mp4]

A note: starting from this RPM release, for the CentOS 7 RPM I have replaced the 
SysV init script with systemd scripts that can monitor squid but 
require a special script to make sure that systemd will not halt the 
system before squid was able to shut down properly.
Also, the default number of open file descriptors per process is set to 
16384; if you want to change it, use one of the two options that are 
mentioned in the systemd mailing list:
solution 1, override the unit 
file[http://lists.freedesktop.org/archives/systemd-devel/2015-September/034094.html]
solution 2, override the relevant service 
variable[http://lists.freedesktop.org/archives/systemd-devel/2015-September/034095.html]
The upgrade to the systemd unit file will be reflected when stopping, 
restarting, upgrading or any other stop-related usage of the unit.

More details about the repository at 
squid-wiki[http://wiki.squid-cache.org/KnowledgeBase/CentOS].

All The Bests,
Eliezer Croitoru