Squid
-
OK bro, great, thanks. ;D
-
httpReadReply: Request not yet fully sent "POST http://89.248.172.90/update.php"
httpReadReply: Request not yet fully sent "POST http://89.248.172.90/update.php"
One of the clients has a virus, hehehe.
-
That belongs to a hotspot client, bro; no idea whose laptop it is. In the rules and the Squid blacklist I have already blocked the ports I consider dangerous and the virus names I know of:
Firewall: Rules
Proto   | Source  | Port | Destination | Port        | Gateway | Schedule | Description
TCP     | LAN net | *    | *           | 65506       | *       |          | Drop PhatBot, Agobot, Gaobot
TCP     | LAN net | *    | *           | 3128        | *       |          | Proxy
TCP     | LAN net | *    | *           | 8080        | *       |          | Proxy
TCP     | LAN net | *    | *           | 8000        | *       |          | Proxy
TCP     | LAN net | *    | *           | 47624       | *       |          | -----
TCP     | LAN net | *    | *           | 8181        | *       |          | -----
TCP     | LAN net | *    | *           | 27374       | *       |          | Drop SubSeven
TCP     | LAN net | *    | *           | 17300       | *       |          | Drop Kuang2
TCP     | LAN net | *    | *           | 12345       | *       |          | Drop NetBus
TCP     | LAN net | *    | *           | 10080       | *       |          | Drop MyDoom.B
TCP     | LAN net | *    | *           | 9898        | *       |          | Drop Beagle.A-B
TCP     | LAN net | *    | *           | 8866        | *       |          | Drop Beagle.B
TCP     | LAN net | *    | *           | 5554        | *       |          | Drop Sasser
TCP/UDP | LAN net | *    | *           | 4444        | *       |          | Worm
TCP     | LAN net | *    | *           | 3410        | *       |          | Drop Backdoor OptixPro
TCP     | LAN net | *    | *           | 3127        | *       |          | Drop MyDoom
TCP     | LAN net | *    | *           | 2745        | *       |          | Drop Beagle.C-K
TCP     | LAN net | *    | *           | 2535        | *       |          | Drop Beagle
TCP     | LAN net | *    | *           | 2283        | *       |          | Drop Dumaru.Y
TCP     | LAN net | *    | *           | 2745        | *       |          | Bagle Virus
TCP     | LAN net | *    | *           | 1377        | *       |          | cichlid
TCP     | LAN net | *    | *           | 1373        | *       |          | hromgrafx
TCP     | LAN net | *    | *           | 1368        | *       |          | screen cast
TCP     | LAN net | *    | *           | 1363 - 1364 | *       |          | ndm requester & ndm Server
TCP     | LAN net | *    | *           | 1214        | *       |          | ________
TCP     | LAN net | *    | *           | 1080        | *       |          | Drop MyDoom
TCP     | LAN net | *    | *           | 1024 - 1030 | *       |          | ________
TCP     | LAN net | *    | *           | 593         | *       |          | ________
TCP/UDP | LAN net | *    | *           | 445 (MS DS) | *       |          | Drop Blaster Worm
TCP     | LAN net | *    | *           | 1433 - 1434 | *       |          | Worm
TCP/UDP | LAN net | *    | *           | 135 - 139   | *       |          | Drop Messenger Worm
ICMP    | LAN net | *    | *           | *           | *       |          | ICMP
TCP     | LAN net | *    | *           | 6667 - 6669 | *       |          | IRC
TCP     | LAN net | *    | *           | 5222        | *       |          | GTALK
TCP     | LAN net | *    | *           | 5050        | *       |          |
TCP     | LAN net | *    | *           | 5000 - 5010 | *       |          |
TCP     | LAN net | *    | *           | 3000 - 3129 | *       |          | 3000-3129
TCP     | LAN net | *    | *           | 3131 - 4000 | *       |          | 3131-4000
Maybe you have some additions, bro?
How do I block the virus, bro? Rules or NAT?
$ pfctl -sn
nat-anchor "pftpx/" all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on fxp0 inet from 192.168.254.0/24 port = isakmp to any port = isakmp -> (fxp0) port 500 round-robin
nat on fxp0 inet from 192.168.254.0/24 port = 5060 to any port = 5060 -> (fxp0) port 5060 round-robin
nat on fxp0 inet from 192.168.254.0/24 to any -> (fxp0) port 1024:65535 round-robin
rdr-anchor "pftpx/" all
rdr-anchor "slb" all
no rdr on re0 inet proto tcp from any to 192.168.0.0/16 port = http
no rdr on re0 inet proto tcp from any to 172.16.0.0/12 port = http
no rdr on re0 inet proto tcp from any to 10.0.0.0/8 port = http
rdr on re0 inet proto tcp from any to ! (re0) port = http -> 127.0.0.1 port 80
rdr-anchor "imspector" all
rdr-anchor "miniupnpd" all
mgr info
Select loop called: 849129 times, 15.683 ms avg
"loop called": does that have any effect, bro?
This is still showing up...
2009/11/20 22:40:01| WARNING: All dnsserver processes are busy.
2009/11/20 22:40:01| WARNING: up to 10 pending requests queued
2009/11/20 22:42:35| WARNING: All dnsserver processes are busy.
2009/11/20 22:42:35| WARNING: up to 5 pending requests queued
2009/11/20 22:42:35| Consider increasing the number of dnsserver processes to at least 10 in your config file.
2009/11/20 22:42:38| dnsSubmit: queue overload, rejecting img132.imageshack.us
2009/11/20 22:43:41| WARNING: All dnsserver processes are busy.
2009/11/20 22:43:41| WARNING: up to 10 pending requests queued
2009/11/20 22:43:41| Consider increasing the number of dnsserver processes to at least 15 in your config file.
Oops... :-X :-X :-X After I looked more closely, there is a client using Ultrasurf (http://ultrareach.net/). This program is very good at bypassing the proxy; can it not be blocked, bro?
Ultrasurf uses a local proxy on 127.0.0.1 port 9666. I tried downloading and using it, and sure enough it gets past the proxy. I blocked port 9666, but that had no effect; it only uses port 9666 locally. So what now?
The IPs are sometimes 65.49.14.10, 65.49.2.17 and many more... I asked Google, and it turns out Ultrasurf uses the HTTPS port (443), so I blocked port 443. The result: Yahoo mail, Gmail and other sites that use HTTPS can't be opened either... everything got blocked. What's the solution?
-
All dnsserver processes are busy
The core problem is DNS, either a network bottleneck or the DNS server not responding quickly to the clients' DNS queries.
Solution:
1. Try squid -v and check whether the --disable-internal-dns option is there. If it is, upgrade squid; using the internal DNS is better.
2. Try nslookup abc.com from a client; does the server respond quickly?
If you use dnsmasq, add cache-size=10000 (10Mb) or raise it gradually, in line with physical RAM. If it is still busy, set up a DNS cache other than dnsmasq right away; dnsmasq is only for small networks. The solution is a dedicated DNS server (not on the pfSense box); I recommend bind or djbdns. If you use bind, add the options datasize 12M; max-cache-size 10M; and raise them gradually. With +/- 2000 clients a value of 256M is already very responsive.
3. Add half_closed_clients off to squid.inc
There are many ways to block Ultrasurf tunneling to port 443, through the firewall or through squid.
1. Via squid
Add to squid.inc:
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny CONNECT numeric_IPs all
The drawback is that you can't open websites that use an IP address, only domains.
For example Skype, when making a call, uses random numeric IPs rather than domains, so it can't connect hehehe ;D
2. Via the firewall: block Ultrasurf's IPs, see the attachment, there are a lot of them hehehe
As for the virus: if a client runs an infected application containing a trojan / browser hijacker, the only solution is to clean the virus on the client. No firewall, however sophisticated, can do anything about it, since the trojan's destination IP and port are random; that is what makes it hard.
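As an added illustration (not from the thread), a small triage over the cache.log warnings quoted earlier in this thread: it extracts how often the external dnsserver helpers saturated, the largest queue depth, the highest process count Squid itself asked for, and which lookups were rejected. The sample lines are the ones from the post; the `dns_children` suggestion is the Squid 2.x directive that sets the dnsserver count and is only the short-term fix, the post's longer-term advice being internal DNS or a dedicated resolver.

```python
import re

# Sample input: the cache.log lines quoted in the post above.
SAMPLE_LOG = """\
2009/11/20 22:40:01| WARNING: All dnsserver processes are busy.
2009/11/20 22:40:01| WARNING: up to 10 pending requests queued
2009/11/20 22:42:35| WARNING: All dnsserver processes are busy.
2009/11/20 22:42:35| WARNING: up to 5 pending requests queued
2009/11/20 22:42:35| Consider increasing the number of dnsserver processes to at least 10 in your config file.
2009/11/20 22:42:38| dnsSubmit: queue overload, rejecting img132.imageshack.us
2009/11/20 22:43:41| WARNING: All dnsserver processes are busy.
2009/11/20 22:43:41| WARNING: up to 10 pending requests queued
2009/11/20 22:43:41| Consider increasing the number of dnsserver processes to at least 15 in your config file.
"""

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\| "
BUSY = re.compile(TS + r"WARNING: All dnsserver processes are busy\.")
PENDING = re.compile(TS + r"WARNING: up to (\d+) pending requests queued")
ADVICE = re.compile(TS + r"Consider increasing the number of dnsserver processes to at least (\d+)")
REJECT = re.compile(TS + r"dnsSubmit: queue overload, rejecting (\S+)")

def triage_dns(log_text):
    """Summarise external-dnsserver pressure from Squid 2.x cache.log text."""
    report = {"busy_events": 0, "max_pending": 0, "recommended_min": 0, "rejected_hosts": []}
    for line in log_text.splitlines():
        if BUSY.match(line):
            report["busy_events"] += 1
        elif m := PENDING.match(line):
            report["max_pending"] = max(report["max_pending"], int(m.group(1)))
        elif m := ADVICE.match(line):
            # Squid raises this floor as the queue grows; keep the highest seen.
            report["recommended_min"] = max(report["recommended_min"], int(m.group(1)))
        elif m := REJECT.match(line):
            # A rejected lookup surfaced to the client as a DNS failure for this host.
            report["rejected_hosts"].append(m.group(1))
    return report

def suggest(report):
    """Short-term action; the post's longer-term advice is internal DNS or a dedicated resolver."""
    if report["rejected_hosts"]:
        return "dns_children %d" % report["recommended_min"]  # Squid 2.x directive for dnsserver count
    if report["busy_events"]:
        return "check resolver latency (nslookup from a client)"
    return "no dnsserver pressure"
```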
-
Oh right, bro, for Skype I copied from
http://www1.cs.columbia.edu/~salman/skype/BlockingSkype_corp.pdf
The gist:
Your acl definitions
acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
Apply your acls
http_access deny connect numeric_IPs all
and
http://www.riccardoriva.com/archives/275
Content:
This post will explain a quick and dirty method to block Skype for some users, but avoid blocking access to https URLs not defined as FQDN.
This post assumes that your clients have no direct Internet access and must pass through your Squid Proxy Server to have an external connection.
This post assumes your local network is 192.168.1.0/24.
This post assumes you want to give SKYPE access to IPs from 192.168.1.100 to 192.168.1.200 and you want to give internet access to all your network. Obviously you MUST change the IPs based on your REAL network configuration.
In the following configuration, I'm going to create some ACLs to define my networks, the Skype connection method, Skype connection destinations, and create a sort of whitelist that can be filled in with some exceptions to avoid https connection problems.
The whitelist file is /etc/squid/https_url_allowed and you can fill it in with a single IP address per line, for example:
proxy:~ # cat /etc/squid/https_url_allowed
aaa.bbb.ccc.ddd
eee.fff.ggg.hhh
iii.jjj.kkk.lll
mmm.nnn.ooo.ppp
qqq.rrr.sss.ttt
uuu.vvv.www.xxx
proxy:~ #
All the following lines go in the main Squid configuration file, usually /etc/squid/squid.conf:
# Declare an ACL to catch ALL
acl all src 0.0.0.0/0.0.0.0
# Define an ACL to define my local network
acl mynetworks src 192.168.1.0/24
# Define an ACL to have some IPs that can connect to SKYPE
acl skype_users src 192.168.1.100-192.168.1.200
# Define a CONNECT acl for the CONNECT method
acl CONNECT method CONNECT
# Define an ACL for the URLs composed only of numbers, not FQDN
acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
# Define an ACL for the numeric HTTPS destinations listed in the whitelist file
acl https_url_allowed url_regex -i "/etc/squid/https_url_allowed"
# Allow SKYPE access for the group "skype_users"
http_access allow CONNECT skype_url skype_users
# Allow https access for IP Addresses defined in "/etc/squid/https_url_allowed"
http_access allow CONNECT https_url_allowed
# Deny Access to SKYPE and all other
http_access deny CONNECT skype_url
# Allow Internet access to all "mynetworks"
http_access allow mynetworks
# And finally deny all other access from this proxy
http_access deny all
At this point you can restart squid and check if all works with:
/etc/init.d/squid restart
Hope this helps
Bye
Riccardo
As for Ultrasurf... let it go for now.
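As an added illustration (not from Riccardo's post or the Columbia paper), the http_access ordering above re-implemented in Python so the decision for sample requests can be checked offline. The whitelist address, client IPs and hostnames are constructed; the `url_regex -i "/file"` whitelist is simplified to exact host matches. It also shows which hostnames the regex with unescaped dots (as written in the posts) catches by accident, which is the false-positive the escaped form avoids.

```python
import ipaddress
import re

# The regex as written in the posts (unescaped dots) next to the escaped form.
NUMERIC_LOOSE = re.compile(r"^[0-9]+.[0-9]+.[0-9]+.[0-9]+")
NUMERIC_STRICT = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Constructed stand-in for /etc/squid/https_url_allowed (one address per line).
HTTPS_URL_ALLOWED = {"203.0.113.10"}
MYNETWORKS = ipaddress.ip_network("192.168.1.0/24")
SKYPE_LO, SKYPE_HI = ipaddress.ip_address("192.168.1.100"), ipaddress.ip_address("192.168.1.200")

def decide(src, method, url, numeric_re=NUMERIC_STRICT):
    """Return (action, matching http_access line) for one request.

    Squid evaluates http_access lines top to bottom and stops at the first
    line whose ACLs all match; the order below mirrors the posted squid.conf.
    For CONNECT the URL Squid tests is just 'host:port'.
    """
    ip = ipaddress.ip_address(src)
    is_connect = method == "CONNECT"
    numeric = bool(numeric_re.match(url))
    host = url.rsplit(":", 1)[0]
    skype_user = SKYPE_LO <= ip <= SKYPE_HI
    # Simplification: the whitelist is treated as exact host matches rather than
    # the regex-per-line semantics of 'url_regex -i "/file"'.
    rules = [
        ("allow", "CONNECT skype_url skype_users", is_connect and numeric and skype_user),
        ("allow", "CONNECT https_url_allowed", is_connect and host in HTTPS_URL_ALLOWED),
        ("deny", "CONNECT skype_url", is_connect and numeric),
        ("allow", "mynetworks", ip in MYNETWORKS),
        ("deny", "all", True),
    ]
    for action, line, matched in rules:
        if matched:
            return action, line

def false_positive_hosts(hosts):
    """Hostnames the loose regex blocks but the escaped one does not."""
    return [h for h in hosts if NUMERIC_LOOSE.match(h) and not NUMERIC_STRICT.match(h)]
```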
-
What about via transparent squid?? If squid is made transparent, only port 80 is redirected to squid.... Please enlighten me....
-
For the HTTPS or random-IP methods, well, what grage said is the solution; there is no way yet to make port 443 transparent. If you want to dig into privacy, e.g. YM, ICQ and email, then add the CONNECT method in squid as grage said.
-
imspector package …
-
Roughly what is this caused by?
2009/11/24 22:42:37| clientReadRequest: FD 74 (192.168.254.201:1441) Invalid Request
2009/11/24 22:43:07| parseHttpRequest: Unsupported method 'NICK'
2009/11/24 22:43:07| clientReadRequest: FD 117 (192.168.254.201:1442) Invalid Request
2009/11/24 22:43:37| parseHttpRequest: Unsupported method 'NICK'
2009/11/24 22:43:37| clientReadRequest: FD 74 (192.168.254.201:1443) Invalid Request
-
Output of: squidclient mgr:delay
HTTP/1.0 200 OK
Server: Lusca/LUSCA_HEAD
Date: Thu, 26 Nov 2009 01:46:15 GMT
Content-Type: text/plain
Expires: Thu, 26 Nov 2009 01:46:15 GMT
X-Cache: MISS from xx.xx.xx
Via: 1.0 proxy.pfsense:80 (Lusca/LUSCA_HEAD)
Connection: close
Delay pools configured: 2
Pool: 1
Class: 2
Aggregate:
Disabled.
Individual:
Disabled.
Pool: 2
Class: 2
Aggregate:
Disabled.
Individual:
Max: 10000
Rate: 10000
Current: 12:-57987 4:10000
Memory Used: 6792 bytes
What causes that delay pool to end up with a negative (-) value....???
-
How many pools does that use?????
If one of them isn't actually used, just remove it..