Hello Squid users all, I have a bad situation partially resolved: the past few days I have been blind-sided by a Trojan based browser hijacking. A script from Trendmicro has allowed me to navigate the net w/o being redirected to a porn site or similar. Notwithstanding I can see from running wireshark the culprit that Trendmicro has not found the signature to as of yet. I am running: a Linux router/gateway, heavily firewalled (iptables) but with the attack I installed Squid. I created two system files with ACLs to match: bad_src_ip and bad_url_regex. From the Linux box ps shows that squid is running but the logs show no activity at all albeit OK access or error. Moreover, I can ping and tracert to the URLs and IPs I think I am blocking. Do I need to be a master of cache proxies to run Squid? An excerpt of my squid.conf is included below in case anyone has any ideas. I looked at redirection (3128) such as Shallalist and other blacklist but I would rather just create my own ACLs that work. Thanks in advance and please advise, David.
*************************************************************** ACL list *************************************************************** #Recommended minimum configuration: acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl SSL_ports port 8443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports_unreg port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 8080 # Tomcat 8080 acl Safe_ports port 8082 # Tomcat proxy redirect acl Safe_ports port 8009 # Tomcat ajp port acl CONNECT method CONNECT acl webmin port 10000 acl usermin port 20000 acl LAN myip 192.168.1.1-192.168.1.254 acl Network_DNS srcdomain www.demon.net www.menandmice.com www.network-tools.com acl davidbrownhosts dstdomain www.davidwbrown.name www.deanbrown.name www.karlbrown.name acl tomcat urlpath_regex pebble acl our_networks src 192.168.1.0/24 ************************************************************************ Proxy restriction list ************************************************************************ acl bad_src_ip src "/usr/local/etc/squid/bad_src_ip_list" acl bad_url_regex url_regex -i "/usr/local/etc/squid/bad_url_regex_list" #acl iana_named_ports port "/usr/local/etc/squid/iana_named_ports_list" http_access deny manager http_access deny !Safe_ports_unreg http_access deny CONNECT !SSL_ports http_access deny to_localhost http_access allow our_networks http_access allow our_networks # And finally deny all other access to this proxy http_access allow localhost http_access deny bad_url_regex http_access deny bad_src_ip http_access deny all
