1. What is this? Why would I want it?



Similar documents
Implementing Reverse Proxy Using Squid. Prepared By Visolve Squid Team

Linux Squid Proxy Server

Cover Page. Content Server - Reverse Proxy Server Resource Guide 10g Release 3 ( ) March 2007

Redhat 6.2 Installation Howto -Basic Proxy and Transparent

QuickBooks Enterprise Solutions. Linux Database Server Manager Installation and Configuration Guide

42goISP Documentation

HOWTO: Set up a Vyatta device with ThreatSTOP in bridge mode

Verax Service Desk Installation Guide for UNIX and Windows

WEB2CS INSTALLATION GUIDE

HOWTO: Set up a Vyatta device with ThreatSTOP in router mode

ISPConfig Documentation

What is included in the ATRC server support

W3Perl A free logfile analyzer

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Upgrade to Webtrends Analytics 8.7: Best Practices

Apache 2.0 Installation Guide

SSL Tunnels. Introduction

LOCKSS on LINUX. Installation Manual and the OpenBSD Transition 02/17/2011

PROXY SETUP WITH IIS USING URL REWRITE, APPLICATION REQUEST ROUTING AND WEB FARM FRAMEWORK OR APACHE HTTP SERVER FOR EMC DOCUMENTUM EROOM

NoMachine Enterprise Products, Cloud Server Installation and Configuration Guide

CYAN SECURE WEB APPLIANCE. User interface manual

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Smartphone Pentest Framework v0.1. User Guide

Penetration Testing LAB Setup Guide

ULTEO OPEN VIRTUAL DESKTOP UBUNTU (PRECISE PANGOLIN) SUPPORT

Intuit QuickBooks Enterprise Solutions. Linux Database Server Manager Installation and Configuration Guide

Defeating Firewalls : Sneaking Into Office Computers From Home

IBM WebSphere Application Server Version 7.0

Quick Note 052. Connecting to Digi Remote Manager SM Through Web Proxy

Wolfr am Lightweight Grid M TM anager USER GUIDE

Penetration Testing LAB Setup Guide

This section is intended to provide sample configurations and script examples common to long-term operation of a Jive SBS installation.

Setting up a Squid-Proxy Server

CN=Monitor Installation and Configuration v2.0

LOCKSS on LINUX. CentOS6 Installation Manual 08/22/2013

RecoveryVault Express Client User Manual

24x7 Scheduler Multi-platform Edition 5.2

Proxy Servers. Building and Deploying System Improvement and Protection. Elvin Smith & Jose Robles

Accelerating Zope applications with Squid and ESI

Deploying IBM Lotus Domino on Red Hat Enterprise Linux 5. Version 1.0

CommandCenter Secure Gateway

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

How To Install Storegrid Server On Linux On A Microsoft Ubuntu 7.5 (Amd64) Or Ubuntu (Amd86) (Amd77) (Orchestra) (For Ubuntu) (Permanent) (Powerpoint

EMC AVAMAR BACKUP CLIENTS

1. Product Information

NRPE Documentation CONTENTS. 1. Introduction... a) Purpose... b) Design Overview Example Uses... a) Direct Checks... b) Indirect Checks...

TCH Forecaster Installation Instructions

Online Backup Client User Manual

Online Backup Client User Manual Linux

Online Backup Client User Manual

Introduction to Operating Systems

EMC Avamar. Backup Clients User Guide. Version REV 02

ISPS & WEBHOSTS SETUP REQUIREMENTS & SIGNUP FORM LOCAL CLOUD

GroundWork Monitor Open Source Installation Guide

Installing a Symantec Backup Exec Agent on a SnapScale Cluster X2 Node or SnapServer DX1 or DX2. Summary

CycleServer Grid Engine Support Install Guide. version 1.25

OpenWRT - embedded Linux for wireless routers

Set up a Home Secure Global Desktop Enterprise Edition Remote Access Server

Installing and Configuring Websense Content Gateway

APACHE WEB SERVER. Andri Mirzal, PhD N

GlobalSign Solutions

Apache and Virtual Hosts Exercises

PolyServe Understudy QuickStart Guide

Using Webmin and Bind9 to Setup DNS Sever on Linux

Monitoring Clearswift Gateways with SCOM

Securing the Apache Web Server

ClickCartPro Software Installation README

Best Practices & Deployment SurfControl Mobile Filter v

FileMaker Server 8. Administrator s Guide

F-Secure Internet Gatekeeper

Applications Manager Best Practices document

1 Recommended Readings. 2 Resources Required. 3 Compiling and Running on Linux

OS Installation Guide Red Hat Linux 9.0

Log Analysis using OSSEC

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

Contents Set up Cassandra Cluster using Datastax Community Edition on Amazon EC2 Installing OpsCenter on Amazon AMI References Contact

NetIQ Sentinel Quick Start Guide

Best Practices in Hardening Apache Services under Linux

Review Quiz 1. What is the stateful firewall that is built into Mac OS X and Mac OS X Server?

How To Install An Org Vm Server On A Virtual Box On An Ubuntu (Orchestra) On A Windows Box On A Microsoft Zephyrus (Orroster) 2.5 (Orner)

Rally Installation Guide

Avast for linux technical documentation

Zimbra :: The Leader in Open Source Collaboration. Administrator's PowerTip #3: June 21, 2007 Zimbra Forums - Zimbra wiki - Zimbra Blog

Server Installation/Upgrade Guide

QuickDNS 4.6 Installation Instructions

NSi Mobile Installation Guide. Version 6.2

Signiant Agent installation

Online Backup Linux Client User Manual

An Embedded Wireless Mini-Server with Database Support

HARFORD COMMUNITY COLLEGE 401 Thomas Run Road Bel Air, MD Course Outline CIS INTRODUCTION TO UNIX

Installing, Uninstalling, and Upgrading Service Monitor

Installation Guide for WebSphere Application Server (WAS) and its Fix Packs on AIX V5.3L

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

WebTrends 7 Installation and Configuration Guide

avast! for linux technical documentation

Transcription:

HOWTO - Jeanne, redirector for Squid Reverse Proxy Vincent Berk (c)2001 vberk@ists.dartmouth.edu GNU/GPL Marion Bates (c) 2001 mbates@ists.dartmouth.edu Installation Guide with Examples (ALPHA distribution) 1. What is this? Why would I want it? This document describes how you can protect your webserver against certain nasty vulnerabilities using the Jeanne Reverse Proxy program. Its value was proven with the recent IIS unicode attacks, Code Red/II/Blue and NIMDA. We were shielded from all these before we even knew about their existence. Why is it called jeanne? Ask Chris Brenton. 2. Then what does it do? The webserver is placed behind your firewall, and the firewall only allows jeanne to communicate with it. Jeanne will verify each HTTP request before passing it on to the actual webserver. 3. Installation This is a step by step installation of the concept described above. For this document, a general network setup is assumed, with a firewall in front of the webserver. It does not matter whether you have a DMZ/localnet with a dedicated firewall, or simply a hostbased firewall on the webserver, as long as you know how to work with it. See the two examples at the end of this document. 3.1. Get a box Hardware requirements are fairly simple. Anything capable of running UNIX/Linux should be fine. The proxy has been used successfully under RedHat Linux and Debian Linux (on Intel hardware) and Solaris (on Sparc). It is recommended that you use a machine similar to your webserver to simplify maintenance. 3.2. Install the Operating System Anything that can run Squid and has a working C compiler will work. An out-of-the-box installation of Linux will usually meet this requirement, as will Solaris. In our test installation, we 1

used a PC with an Intel Pentium III running at 600MHz with 128 Mb of RAM and a 9 GB 10,000RPM UW SCSI hard disk. We installed Debian Linux 2.2 release 3 and upgraded to the 2.2.4 kernel. We installed only the base system plus the latest version of OpenSSH. 3.3 Make it Secure Shut down all services, except possibly an up-to-date version of sshd (Secure Shell daemon). Refer to the SANS document "Securing Linux (or Solaris) Step-by-Step" or a similar how-to for detailed information on how to shut down internet services. SECURING THIS BOX IS CRUCIAL! Unneeded/unpatched services are the easiest way for servers to become compromised by an attacker. Some commonly-vulnerable services include SunRPC things like portmapper, programs launched by inetd, lpd, Xwindows, telnetd, and ftpd. If you run a portmapper such as nmap against this system, you should find no ports open except those which you know you definitely want, like SSH. Also make sure that any installed webservers are shut down, and disable these processes from starting up again when the box is rebooted. 3.4. Obtain and Install Squid Download the Squid source tarball. Refer to the highly-comprehensive Squid documentation for installation details. Basically: ftp://ftp.squid-cache.org cd pub/squid-2/stable/ get squid-2.4.stable2-src.tar.gz (or whatever's the latest version) tar -xvzf squid-2.4.stable2-src.tar.gz cd squid-2.4.stable2./configure --prefix=/usr (unless you wanted it in /usr/local, which is default) make (become root) make install 3.5. Configure Squid This is where it gets a little more complicated. By default, Squid is set up to be a normal webcache, yet we want it to work as a reverse proxy. To configure Squid, edit the file: /etc/squid.conf. Take a look at the following example configuration: 2

# squid.conf - basic httpd reverse proxy server configuration # Make reverse proxy listen on port 80 like normal webserver. # Hostname will be www. http_port 80 visible_hostname www.my-domain.com # The IP address and port number of the real webserver located behind # the firewall. httpd_accel_host 10.20.30.4 httpd_accel_port 80 # Turn off the original proxy server. httpd_accel_with_proxy off # Configure the cache to be valid for 30 seconds. refresh_pattern. 0 0% 30 # The Access Control Lists # Everyone is allowed to use the GET method on the HTTP port 80. # For this example, assume your local net is 10.20.30.0. # All other methods and ports are denied. # For a more accurate description see the Squid documentation. acl all src 0.0.0.0/0.0.0.0 acl localhost src 127.0.0.1/255.255.255.255 acl localnet src 10.20.30.0/255.255.255.0 acl safeports port 80 acl safemethods method GET http_access deny!safeports http_access deny!safemethods http_access allow all # We'll get to this later on. Must be correct path to jeanne. redirect_program /usr/mrp/jeanne # Make sure we never bypass the redirector redirector_bypass off # Give us 5 children redirect_children 5 # Make cache directories here: # use the ufs filetype (Squid likes it), make the max cache size # 1024 Mb, allow 16 level 1 cache subdirectories, and allow 256 # level 2 cache subdirectories (meaning that each of the 16 # level 1 directories can have 256 directories within itself.) cache_dir ufs /var/squid/cache 1024 16 256 # End of squid.conf reverse proxy server configuration Make sure your original webserver (wwwfiles in our case) reports as its hostname www (the name of the MRP). This will prevent the real webserver from building redirect requests with its new hostname (i.e. redirect to: wwwfiles.your-domain.com/index.html), which is now behind the firewall. Most webservers have this as an option (ServerName in Apache). 3

We installed an edited skeleton script into /etc/rc.d/init.d and made the proper runlevels' start and kill symlinks to that script. Squid is started with the flags -D -syc. -D = disable initial DNS tests -s = enable syslog -Y = Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload -C = Do not catch fatal signals. (Can t be killed/won t crash.) Create /var/squid/cache (or whatever you want to call it, as long as it matches the cache_dir line in squid.conf) and chown nobody:nogroup it. Then run squid -z to create the cache directory. Make a directory, such as /usr/mrp, where backups of scripts and the redirector program will be stored. Make sure the following line in squid.conf contains the right path to where you will put jeanne: redirect_program /usr/mrp/jeanne 3.6. Compile/configure Jeanne Put jeanne.c in /usr/mrp. Edit the jeanne makefile, if needed. Currently there is only one useful compile option (define): -DMS_IGN_CASE Depending on the OS of your webserver, case of filenames is treated differently. In Unix, 'TEST' and 'test' are two different filenames, while in Windows, they're the same. With this option you can force jeanne to ignore case. You would want to enable this if your webserver is Windowsbased (IIS). Edit jeanne.c such that DEF_URL_FILE variable points to your allowed URLs file and DEF_REJECT_URL is set to the webpage you want to use as your reject page. (If the reject page you define here does not exist, users will get a generic "error 404: Not found" error if they request invalid URLs.) Compile jeanne.c by typing "make". Put the getlist script (and its cronjob script) into /usr/mrp. You will need to modify some variable definitions such that paths to files are defined properly. Modify getlist such that: HOME=/usr/mrp URLSFILE=$HOME/urls and set the IP address be the IP of the actual webserver. Edit getlist.cron such that: 4

MAILTO is set to what you want and HOME=/usr/mrp 3.7. Build the URLs File Install makeurls and its cronjob on the webserver and edit the path definitions like you did with getlist. If you want the URLs list on the webserver to be updated more or less often, alter the crontab appropriately. Keep in mind though that the find function is pretty processorintensive, so you may not want to run it too often. Make sure to add the cron job to the root crontab (crontab makeurls.cron). The URLs file has a very simple setup and syntax. All lines starting with a pound (#) are ignored as comments. All other lines are the valid URLs that are passed on to the webserver. In this file you put only those URLs that are to be retrieved from the original webserver. The program will only verify the filename, and will add the hostname later. If the URL ends with a question mark (?), then everything that comes in with that request is copied to the request made by the reverse proxy server to the webserver. This is used as input for CGI scripts, like search requests. Example: # URLs file for my webserver wwwfiles.domain.com # The reverse proxy will be called www.domain.com # # General files http://wwwfiles.domain.com/ http://wwwfiles.domain.com/index.html http://wwwfiles.domain.com/nextpage.html http://wwwfiles.domain.com/somethingelse.html http://wwwfiles.domain.com/mypicture.gif http://wwwfiles.domain.com/myotherpicture.jpg # # My search cgi: http://wwwfiles.domain.com/search.cgi? 3.8. Modify DNS Records You will need to change your DNS server(s) such that all requests made to "www.domain.com" go to the IP of the reverse proxy server running jeanne. The original webserver can be called "wwwfiles.domain.com," as in the following examples. If you have your own DNS you can make this modification yourself. If your ISP has control over your DNS records, then probably the easiest method is to change the IP address of your reverse proxy to be that of your original webserver. Then change the IP of your webserver to that of "wwwfiles.domain.com." In other words: 5

Old setup: DNS thinks that www.domain.com -> 12.34.56.78. New setup: Assign 12.34.56.78 to proxy. DNS still thinks that www.domain.com -> 12.34.56.78 and we make actual webserver have different hostname and IP, which DNS doesn't need to know (and we don't even want it to know!): wwwfiles.domain.com -> 12.34.56.89 (webserver) 3.9. Modify Firewall Rules Modify your firewall rules to reflect your new setup. The original webserver, now named "wwwfiles," can only be contacted by "www," the new reverse proxy. "www" can be reached by the whole world, but only via the HTTP port (80). 3.10. Test Everything Restart the reverse proxy server with the redirector. Make some requests with your favorite browser: http://www.domain.com/ Do a search: http://www.domain.com/search.cgi?my_search_terms Try an exploit or two: http://www.domain.com/../../../../etc/passwd http://www.domain.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir (These won't work, even if they did before! :) 6

4. Examples a. Local webserver hosted behind an ISP; DNS provided by ISP Network Layout BEFORE Reverse Proxy: Fig. 1: Typical Network Layout Firewall Rules BEFORE Reverse Proxy: Fig. 2: Typical Firewall Rulebase ISP. Requests to www go directly to the webserver/firewall. DNS records are handled by the 7

Network Layout AFTER Reverse Proxy: Fig. 3: Revised Network Layout Firewall Rules AFTER Reverse Proxy: It would also be possible to have a network setup similar to above, but with a separate machine as the reverse proxy, sitting in front of the webserver/host-based firewall. Ideally, the proxy machine would have two network cards, one facing the ISP and the other dedicated to communicating with the webserver. 8

b. Network with dedicated firewall and its own DNS servers Network Layout BEFORE Reverse Proxy: Fig. 5: Typical Network Layout 9

Firewall Rules BEFORE Reverse Proxy: Fig. 6: Typical Firewall Rulebase The webserver, www, sits on the relatively-unprotected DMZ. Requests for "www.domain.com" are passed directly to the webserver. DNS entry for www points to IP address of webserver, 192.168.1.6. 10

Network Layout AFTER Reverse Proxy: Fig. 7: Revised Network Layout 11

Firewall Rules AFTER Reverse Proxy: Fig. 8: Revised Firewall Rulebase Requests from the outside world for "www.domain.com" are directed to the proxy. Only the proxy can connect to the webserver ("wwwfiles"). END 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information