I am admin of a small network. Users in our network have access to internet through a squid NAT server.
Recently, we have detected that some users are using LOIC to attack servers on the internet. How can I detect and block such attacker automatically?
Is there any straightforward way for this (e.g. blocking an especial port or pattern?) Or I have to use a intelligent software that detects misbehavior of our users and blocks them?
A temporary IP-based blocking is sufficient for us.
Situation:
We, as the pioneering researchers(!), have a small network in our lab and the university has provided Internet access that let us access to privileged scientific resources like IEEE, ScienceDirect, etc.
I am looking for a way to connect to lab network through Internet when we are away and have this privileged access (and also be able to remotely connect to the lab computers and simulate some things).
Sadly, our network is behind the NAT-server of university, so there is no chance in a pure VPN-Server solution. There is no chance to configure the main NAT-server of university neither.
Possible Solution:
I have tried Hamachi VPN software, but as I realized Hamachi does not establish a VPN Server behind a NAT. It is actually a peer-to-peer solution for computers behind NATs over the Internet.
One Hamachi-based solution is to configure one of the lab computers as a VPN server and installing Hamachi on it. Then the distant users should install and run Hamachi on their computers and then connect to first the Virtual Hamachi Network and then the VPN-Server.
Problems of proposed solution:
But there is some problems about this:
Future work:
Do you know any better free solution to connect to the workplace LAN that is behind a NAT?
Some words about legality:
Just as SvenW said, actions like this is a may raise some legal concerns. I asked about this and sysadmins said it is okay as far as we don't spread this access to the other people. Our team is consisted of 14 people and each of us can have his username/password to connect to. Therefore, all the activities can be logged and any misuse can be traced.
We have configured Microsoft forefront TMG 2010 Enterprise as the cache server which provides internet access for all computers in our department.
Is there any way to limit download speed per host/user by configuring forefront TMG?
I have found a tool called Bandwidth Splitter but it is expensive ($499 for 50 clients!) and we would like to avoid it.
It is a shame for Microsoft if its 6 thousands dollar software does not provide this feature, but squid does! (with leaky buckets)
Note: We (sadly?) have to use forefront TMG
Recently a large appealing on Body Area Networks is shown. Even the an IEEE taskgroup taskgroup is started working on the standards.
I want to know why we should search for a new standard when we have ZigBee and of course Bluetooth. In other words, what is the shortcomings of ZigBee and Bluetooth that make IEEE people search for a new standard.
Note: I asked this question on SF because I hope some answer that explain the network architecture weaknesses of ZigBee and Bluetooth that makes them impractical choices for BANs.
I have configured Routing and Remote Access Service in Windows Server 2003 as the VPN server. VPN users are defined in Active Directory which is running on this server too.
How i can configure the server to give each user a limited download size (for example 1GB) and does not authenticate them when they exceeds their download quota.
The VPN server should also disconnect the users that reach their quota.
Update: Apparently a third-party RADIUS server could provide this feature. One solution I have found is TekRADIUS but it is commercial. FreeRADIUS is a open-source free RADIUS server but I am not sure if it could these kind of features.
I have installed squid as a non-transparent proxy/cache server with --enable-ssl configuration. It is a child of a parent proxy server proxy1.ut.ac.ir.
Everything is OK for HTTP URLs, but any HTTPS URL is responded by a 404 Server not found (for example for Gmail or https://www.google.com).
This is the access.log entries for opening www.gmail.com:
1279493581.278 544 127.0.0.1 TCP_MISS/302 1136 GET http://mail.google.com/mail/ - DEFAULT_PARENT/proxy1.iut.ac.ir text/html
1279493581.283 0 127.0.0.1 TCP_MISS/404 0 CONNECT www.google.com:443 - DIRECT/- -
And squid in terminal says:
2010/07/18 18:52:27| ipcacheParse: No Address records in response to 'www.google.com'
Here is the squid.conf:
http_port 3128
http_access allow all
cache_peer proxy1.ut.ac.ir parent 3128 0 no-query default no-digest no-netdb-exchange
cache_dir ufs /usr/local/squid/var/cache 100 16 256
coredump_dir /usr/local/squid/var/cache
There is no problem when i set proxy1.ut.ac.ir as the proxy server in browsers so there is nothing wrong in parent proxy server.
once upon a time, there was a beautiful warm virtual-jungle in south america, and a squid server lived there. here is an perceptual image of the network:
<the Internet>
|
|
A | B
Users <---------> [squid-Server] <---> [LDAP-Server]
When the Users request access to the Internet, squid ask their name and passport, authenticate them by LDAP and if ldap approved them, then he granted them.
Everyone was happy until some sniffers stole passport in path between users and squid [path A]. This disaster happened because squid used Basic-Authentication method.
The people of jungle gathered to solve the problem. Some bunnies offered using NTLM of method. Snakes prefered Digest-Authentication while Kerberos recommended by trees.
After all, many solution offered by people of jungle and all was confused! The Lion decided to end the situation. He shouted the rules for solutions:
Then, a very resonable-comprehensive-clever solution offered by a monkey, making him the new king of the jungle!
can you guess what was the solution?
Tip:
The path between squid and LDAP is protected by the lion, so the solution have not to secure it.
Note: sorry if the story is boring and messy, but most of it is real! =)
/~\/~\/~\ /\~/~\/~\/~\/~\ ((/~\/~\/~\/~\/~\)) (/~\/~\/~\/~\/~\/~\/~\) (//// ~ ~ \\\\) (\\\\( (0) (0) )////) (\\\\( __\-/__ )////) (\\\( /-\ )///) (\\\( (""""") )///) (\\\( \^^^/ )///) (\\\( )///) (\/~\/~\/~\/) ** (\/~\/~\/) *####* | | **** /| | | |\ \\ _/ | | | | \_ _________// Thanks! (,,)(,,)_(,,)(,,)--------'
Massimo explained that the authenticating method between Users-squid and squid-LDAP does not have to be same. we can use arbitary method to get authentication information from users and arbitary method to authenticated gathered data.
But there is a problem: the input/output of all types of authenticators is not same. For example:
Basic authenticator should read "username password" pair in a line and reply a OK if user-pass is correct or ERRDigest authenticator should read a username:realm and reply a hex-encoded of HA(A1) or an ERR. Althought there is no direct relationship between client-squid method and squid-ldap method, the gathered data from client must be compatible with method used in squid-ldap part. Therefore, if we change authenticating method in users-side, we maybe should change our authenticator too.
So the problem simplifies to:
In first level, i (the monkey!) am looking for a good authentication method in user-side. Which method do you recommend which is secure and supported by most browsers? i am in confused between NTLM, Kerberos and Digest.
Where i can find an authenticator which supports credentials information of selected method and authenticates through LDAP.
In this question I figured out how to disable the Lock feature in Windows XP throught the registry. Just by creating a DWORD key named DisableLockWorkstation with value 1 in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
But in this solution, the current user can also re-enable this feature in the same way (by setting the value of DisableLockWorkstation to 0 or even deleting it).
I know there is ACLs for registry and it is possible to restrict the user access and deny write access to this path. But I am searching for a simpler solution.
Is there any other solution to disable lock feature (for example by setting a value in HKLM instead of HKCU hive)?
Is there any way to forward packets from network A to network B (just like a router) without changing source IP Address (and vice versa, from network B to network A) and also enforcing traffic shaping rules?
The solution should be implemented in FreeBSD.
I googled about traffic shaping in FreeBSD and found ALTQ but i am not sure whether it is possible to forwards packets with ALTQ transparently or not.
If it's possible then it's likely that i could setup a network with a Squid server (for caching and more imporant logging user's download/upload) and ALTQ (or something else) to manage their bandwidth. So my network architecture will be:
Internet <==> SquidServer <==> TrafficshapingServer <==> LocalNetwork
But if TrafficShaping replaces SourceIP of packets with his IP Address, logs of Squid becomes useless. because Squid didn't know which packet is from which IP Address (all Squid see is TrafficShaping IPAddress)
I have a 64MB/s internet connection and it should be divided among 17 LANs with a priority. Any computer from any LAN should have a particular share from bandwidth (For example computers from LAN1 have half of bandwidth that computers from LAN2) but it's share should vary when overall internet load varies.
So the allocated bandwidth should not be given statically and must be changed according to the load.
I tried Squid and iproute. But as far as i found, none of them could allocate bandwidth dynamically. They just could give an IP a static bandwidth (say 64kbps)
UPDATE:
As Crankyadmin, carson and David Bliss said, there are three ways to do this:
As i found, all of them are solutions for this problem. But i don't know if one is suitable for high loads and can manage hundreds of Computers.
I am using FreeBSD as a proxy server so it's nice to have a solution that works on FreeBSD too.
So I need a FreeBSD compatible solution that can deal with high load. it should be efficient and fast) and doesn't waste the internet bandwidth.
In fact my problem is with users who download large files from internet in my network.
I have a Squid cache/proxy server in my network that is placed between my network and the Internet.
I thought terminating connections that is alive for a long time maybe helps to prevent users downloading large files. So ask it in SO in this post but didn't get clear answer. it seems it's impossible with Squid. :-/
Now, one solution that also suggested in that post is limiting bandwidth for each user: We just give a suitable bandwidth to each user and user can do anything (even downloading) without bothering others.
But as far as i know Squid can only assign some static bandwidths to users. So any user has a particular static bandwidth that cannot be changed. I seems this is not fair nor optimum, Because in idle situations (when little users are requesting) we should give them more bandwidth than their share in busy situations.
So in a fair system the bandwidth should be divided between available users considering a priority (some users should have more share than others). The share of any user depends on all available users. more users less share. Something like this:
UserBandwidth = (OverallAllBandWidth / NumberOfCurrentUsers)
If in one moment we only have one user, we should assign all bandwidth to him.
So:
Is this solution possible with Squid?
Is it possible with any other software? How about Linux itself? I heard about some abilities in linux kernel for traffic shaping.
If it's impractical, what other solution would you suggest in order to:
or
Thanks!
I have a Squid proxy server that controls all internet traffic for my network.
I need a way to stop users from downloading big files (say >50MB) in my network. I banned some famous ports (e.g. torrent) but some downloads are possible by HTTP port. Obviously I cannot ban port 80!
A simple solution is limiting maxmimum number of the simultaneous connections for each IP (e.g. 3 connections). It's possible in Squid with this config:
acl ACCOUNTSDEPT 192.168.5.0/24
acl limitusercon maxconn 3
http_access deny ACCOUNTSDEPT limitusercon
But this solution has really bad impact in web browsing, because any smart browser get different parts of a website by several connections simultaneously to speedup web browsing. But if we have a maximum number of connections, the browsers will fail to get some parts and the website will be shown partially and some parts/images/frames will not be shown.
So, can we limit maximum number of persist connections? I think this policy will works: Specify Maximum number of connections that is alive for 10 seconds But Number of simultaneous connections for every IP is unlimited
But how can we implement this policy when Squid? With which config?
artifex and Tom Newton offered using a bandwidth-limiting approach to fight against downloaders.
But bandwidth-limiting in Squid has a shortcoming: It's static and cannot dynamically change. So a person has a limited bandwidth not matter how many people are using internet (maybe nobody!)
Also, this solution cannot help to stop people from downloading. They still can download but in a lower speed.
But if we find a way to terminate persist connections (or any connection that is alive more than a specific time), downloading big files will be almost impossible (always there is some way!)