Squid / ClamAV Experience
-
Has anyone used Squid with the ClamAV package? I've used it in many installs with the SaneSecurity definitions added, but as I'm going through them I don't see anything but some false positives with the foxhole definitions. Since most everything is HTTPS, does it really help? It eats up a lot of resources and I'm wondering if it is worth it.
-
Unless you are also doing SSL MITM (which is a bad idea), it is a mostly worthless waste of CPU cycles these days.
That said, as long as it's not overly taxing your system, and so long as you consider it a "just in case" extra check, it's not actively harmful either. There is always the potential that it might help. Whether it's worth the extra load is up for debate, but ultimately that's up to you.
-
@jimp That's what I was thinking. I just didn't know if other people were having a similar experience or if some people actually saw it helping. I'm running APU2x4 units so sometimes it pegs the cores. Normally things are fine, though.
-
In that case I'd shut it off. While you're at it, I'd also question whether running squid at all is advantageous for you in this day and age.
-
@jimp That's where I'm at. SquidGuard was always a headache. I'm moving to DNSBL but it's giving me some fits at the moment. Really, it's just about the AV at this point. The cache very rarely gets a HIT and oftentimes the cache breaks things. It'll store old VOIP phone configs. It's interfered with NVR security systems using certain Dynamic DNS services. Last week it broke email on just 1 computer. I'll be glad if it's gone but if others are finding the AV useful then maybe it isn't just a checklist item.
-
Network/edge AV has always been dodgy at best. There is no safe/sane way to do that anywhere other than endpoints that have access to data (client workstations, file servers, mail servers, etc).
You'd probably be better off trading out the proxy/AV for an IDS looking for suspicious network traffic.
-
@jimp I'm already using Suricata. I'm surprised at what these little boxes can do. With pfBlocker, Suricata, and Squid (with ClamAV) all on we can still fully utilize a 500Mb fiber connection at a hotel with 250+ rooms. That's the fastest I've got access to. There are times where ClamAV and Suricata will both peak at the same time and slow things down for 15-30 minutes but it still works well even then.
-
In that case, I'd just ditch squid entirely. It's probably only dragging you down.
If DNSBL isn't doing quite what you are after you might try offloading DNS to something small and off the edge like a Pi-hole box. Though most people find DNSBL to work just as well as (if not better than) Pi-hole, others prefer its interface and other aspects.
-
@jimp I like it, I just don't get how pfBlockerNG-Devel flows and blocks. For example I had a client using Sage Timberline last week and it was messing up the SSL certificate saying it was issued by DNSBL. Before that it was blocking EVERYTHING because of US Reputation. There was 0 internet access until we switched Reputation off. We didn't have these problems with pfBlockerNG. Obviously we're missing something to how it works.
-
Another thought. If I pull out Squid, how do I keep track of who is using up the data and where they are going? Is there another way?
-
Squid probably isn't tracking that accurately anyhow. You'd be better off with a setup more like netflow but that would require an off-box collector to keep the data and make graphs. ntopng may help locally.
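An added example, not code from this thread or from the Squid or pfSense projects: a small Python script that reads Squid's native access.log and pulls out the numbers behind two points raised above. First, how much of the proxied traffic an on-proxy antivirus could inspect at all (every CONNECT line is a TLS tunnel that ClamAV cannot look inside without SSL MITM), plus how often the cache actually hits. Second, what the same log gives you for per-client accounting: bytes per client and the destination hosts, where tunnelled traffic yields only a hostname, never a URL. The log lines are constructed for the example, and the "scannable" rule (any non-CONNECT request with status 200) is a simplifying assumption.

```python
"""Summarize a Squid native access.log: how much of the traffic an on-proxy
antivirus could actually inspect, the cache hit rate, and per-client usage."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample entries in Squid's native access.log layout:
#   time elapsed client code/status bytes method URL ident hierarchy type
# These are made up for the example, not logs from any real system.
SAMPLE_LOG = """\
1706000000.123    245 192.168.1.10 TCP_TUNNEL/200 48213 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1706000001.456     12 192.168.1.11 TCP_MEM_HIT/200 1532 GET http://example.com/index.html - HIER_NONE/- text/html
1706000002.789    310 192.168.1.10 TCP_TUNNEL/200 120400 CONNECT mail.example.net:443 - HIER_DIRECT/203.0.113.5 -
1706000003.012     88 192.168.1.12 TCP_MISS/200 20480 GET http://updates.example.org/pkg.bin - HIER_DIRECT/198.51.100.7 application/octet-stream
1706000004.345    150 192.168.1.11 TCP_TUNNEL/200 9876 CONNECT www.example.org:443 - HIER_DIRECT/198.51.100.8 -
1706000005.678      5 192.168.1.12 TCP_DENIED/403 3710 GET http://blocked.example.com/ - HIER_NONE/- text/html
"""


def parse_line(line):
    """Parse one native-format line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    code, status = parts[3].split("/", 1)
    method, url = parts[5], parts[6]
    # CONNECT lines carry only host:port; plain HTTP lines carry a full URL.
    dest = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    return {
        "client": parts[2], "code": code, "status": int(status),
        "bytes": int(parts[4]), "method": method, "dest": dest,
    }


def summarize(log_text):
    """Aggregate the log into the totals the thread is asking about."""
    s = {
        "requests": 0, "bytes": 0,
        "tunnel_requests": 0, "tunnel_bytes": 0,        # CONNECT = TLS, opaque to ClamAV
        "scannable_requests": 0, "scannable_bytes": 0,  # plain-HTTP 200 responses (assumption)
        "cache_hits": 0,
        "bytes_by_client": defaultdict(int),
        "dests_by_client": defaultdict(set),
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["bytes_by_client"][rec["client"]] += rec["bytes"]
        if rec["dest"]:
            s["dests_by_client"][rec["client"]].add(rec["dest"])
        if rec["method"] == "CONNECT":
            s["tunnel_requests"] += 1
            s["tunnel_bytes"] += rec["bytes"]
        elif rec["status"] == 200:
            s["scannable_requests"] += 1
            s["scannable_bytes"] += rec["bytes"]
        if "HIT" in rec["code"]:  # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
            s["cache_hits"] += 1
    s["bytes_by_client"] = dict(s["bytes_by_client"])
    s["dests_by_client"] = dict(s["dests_by_client"])
    return s


def scannable_share(summary):
    """Fraction of proxied bytes the AV scanner could see (0.0 for an empty log)."""
    return summary["scannable_bytes"] / summary["bytes"] if summary["bytes"] else 0.0


def top_clients(summary, n=5):
    """Clients ordered by bytes transferred, heaviest first."""
    return sorted(summary["bytes_by_client"].items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    print(f"{r['requests']} requests, {r['bytes']} bytes; "
          f"{r['tunnel_requests']} CONNECT tunnels ({r['tunnel_bytes']} bytes) not scannable; "
          f"AV can see {scannable_share(r):.0%} of bytes; cache hits: {r['cache_hits']}")
    for client, nbytes in top_clients(r):
        print(f"{client:15} {nbytes:>8} bytes  {sorted(r['dests_by_client'][client])}")
```

To run it against a real box, replace SAMPLE_LOG with the contents of /var/log/squid/access.log (the default native format; if you have switched Squid to a custom logformat the field positions differ). On the constructed sample the scanner could see only about a tenth of the bytes, and the per-client view shows why a netflow-style collector is the better fit for usage tracking: for tunnelled traffic the proxy log has a hostname and a byte count and nothing else.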