So to summarise: "Proxy servers can be abused. Ensure that only authorised users can connect."

Exactly how you do this will depend on your circumstances and software. Binding the server to the inward-facing NIC in a 'bastion host' config, ensuring access control features are enabled by default if you are a vendor, and blocking inward traffic to the proxy port if you run a firewall or filtering router.

Perhaps Squid's "X-Forwarded-For: " header is a solution that could be applied for situations where limiting the access to the server is not a viable proposition.

A portscanner that bounces through a proxy server, in the style of the ftp 'bounce' attack, is at http://www.intasys.com/~angus/pbs.c

It goes without saying that 90% of "ftp bounce attack" code will only need very small mods to be used on a WWW proxy.

Regards
Gus

--
angusat_private
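The following is an added example, not part of the original post: a log audit that flags the two conditions the message warns about, clients connecting from outside the authorised network and clients asking the proxy to reach many unusual ports. It assumes Squid's native access.log layout; the network range, port list, threshold and sample lines are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed site policy (constructed values, not from the post).
AUTHORISED_NETS = [ipaddress.ip_network("192.168.10.0/24")]
SAFE_PORTS = {80, 443}
SCAN_THRESHOLD = 3  # distinct unusual host:port targets before a client is flagged
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
987200001.101 120 192.168.10.5 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html
987200002.202 15 203.0.113.77 TCP_MISS/503 1020 GET http://198.51.100.4:21/ - DIRECT/198.51.100.4 -
987200002.310 12 203.0.113.77 TCP_MISS/503 1020 GET http://198.51.100.4:22/ - DIRECT/198.51.100.4 -
987200002.415 14 203.0.113.77 TCP_MISS/503 1020 GET http://198.51.100.4:25/ - DIRECT/198.51.100.4 -
987200003.000 300 192.168.10.9 TCP_MISS/200 4096 CONNECT mail.example.net:443 - DIRECT/192.0.2.25 -
987200004.500 80 192.168.10.9 TCP_MISS/200 2048 GET http://intranet.example.net:8081/ - DIRECT/192.0.2.30 text/html
"""

def target(method, url):
    """Return the (host, port) the proxy was asked to contact."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme, 80)

def audit(log_text):
    """Return (clients outside AUTHORISED_NETS, clients probing many odd ports)."""
    unauthorised, odd_targets = set(), defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        try:
            addr = ipaddress.ip_address(client)
            host, port = target(method, url)
        except ValueError:
            continue  # malformed client address or port: skip the line
        if not any(addr in net for net in AUTHORISED_NETS):
            unauthorised.add(client)
        if port not in SAFE_PORTS:
            odd_targets[client].add((host, port))
    scanners = sorted(c for c, t in odd_targets.items() if len(t) >= SCAN_THRESHOLD)
    return sorted(unauthorised), scanners

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any address in the first list means the proxy port is reachable from outside the authorised range, which is the condition the binding and firewall measures above are meant to prevent.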
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:21 PDT