Feb 21, 2022

Transparent Proxy Using Squid Cache and Cisco Router in Linux

There is an excellent article about setting up a transparent proxy to control web traffic using Squid and a Cisco router (WCCPv2 over GRE). Here's my summary note.


Step 1: Install Squid Cache

 

Step 2: Prepare Squid Cache

$ sudo vi /etc/sysctl.conf

# Let the host forward packets that are not addressed to it: the decapsulated
# client packets that Squid does not intercept still have to be routed on.
net.ipv4.ip_forward = 1

# Packets that arrive through the GRE tunnel carry LAN source addresses, and the
# route back to those addresses is via the LAN interface, not gre0. With strict
# reverse-path filtering the kernel would drop them as spoofed, so relax it.
net.ipv4.conf.default.rp_filter = 0

$

Reload the settings with sysctl -p (or reboot) so they take effect. Two caveats: "default" only seeds interfaces that are created after it is set, and the kernel applies the larger of the "all" and the per-interface rp_filter values, so a distribution that ships net.ipv4.conf.all.rp_filter = 1 will keep filtering gre0 until that value is lowered as well. Because of that max rule you cannot keep strict filtering on the LAN interface while exempting gre0 outright; loose mode (value 2) is the usual compromise, since it still rejects packets whose source address has no route at all.

Step 3: Create GRE interface

$ sudo vi /etc/sysconfig/network-scripts/ifcfg-gre0

DEVICE=gre0
BOOTPROTO=static
IPADDR=10.0.0.2         # an address that is not used anywhere else in your network
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no

$ sudo service network restart

gre0 is the kernel's catch-all GRE device: it accepts GRE packets from any peer, not only from the router. Make sure a host firewall rule limits inbound IP protocol 47 to the router's address, otherwise anyone who can reach the Squid machine can inject packets into the tunnel.

$

Step 4: Configuring Squid Cache

$ sudo vi /etc/squid/squid.conf

http_port 3128 intercept                 # Squid listens here for redirected (intercepted) traffic
wccp2_router 192.168.1.254               # IP address of the router
wccp2_forwarding_method gre              # router -> cache: redirected packets arrive in GRE
wccp2_return_method gre                  # cache -> router: bypassed packets are returned in GRE
wccp2_service standard 0                 # service group 0 = web-cache (TCP port 80)

$ sudo service squid restart

Now send the TCP/80 packets that come out of the GRE tunnel to Squid's intercept port, and masquerade the connections Squid opens on behalf of the clients:

$ sudo iptables -t nat -A PREROUTING -i gre0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE

The REDIRECT rule is deliberately limited to -i gre0, so only traffic the router redirected ends up in the intercept port. The MASQUERADE rule as written applies to every outbound packet; restricting it with -o to the LAN-facing interface is tighter. Neither rule survives a reboot on its own; on this family of distributions, service iptables save persists them.

Step 5: Cisco router configuration

Enable WCCP version 2 on the router:

R1(config)# ip wccp version 2

Then use a standard ACL to tell the router which host may join the service group as a cache engine (the Squid machine):

R1(config)# ip access-list standard SQUID-MACHINE
R1(config-std-nacl)# permit host 192.168.1.10

Next, an extended ACL selects the traffic to redirect. It must deny the Squid machine itself first; otherwise Squid's own outbound fetches on port 80 would be redirected back into Squid and loop. Note the prompt: this is an extended ACL, and its name must match the one used in the redirect-list below (the original note spelled it two different ways).

R1(config)# ip access-list extended LAN-TRAFFIC
R1(config-ext-nacl)# deny ip host 192.168.1.10 any                    # keep Squid out of the redirect loop
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq www      # the LAN clients' HTTP traffic

Bind both ACLs to the web-cache service (WCCP service 0, which matches Squid's wccp2_service standard 0):

R1(config)# ip wccp web-cache redirect-list LAN-TRAFFIC group-list SQUID-MACHINE

Last, enable redirection of inbound traffic on the interface that faces the LAN clients:

R1(config)# interface FastEthernet 0/0
R1(config-if)# ip wccp web-cache redirect in
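As an added example (my own script, not code from the article this note summarises), here is a preflight audit for the Linux side of the procedure above. It reads a sysctl.conf-style file, works out the reverse-path-filter value the kernel will actually apply to the GRE interface (the kernel uses the larger of the "all" and per-interface values, and a new interface starts with a copy of "default"), and reports the two settings that make tunnelled client traffic disappear silently when they are wrong. The interface name gre0, the sample config and the choice to treat a missing key as 1 (strict) are assumptions for this offline check.

```shell
#!/usr/bin/env bash
# Added example: preflight audit for a Squid/WCCP host's sysctl settings.
# Not from the original article. Assumes the GRE interface is called gre0 and
# treats a key missing from the file as 1 (strict), the conservative guess.

# sysctl_value FILE KEY -> last value assigned to KEY in FILE, or nothing if
# the key is absent. Trailing '# comment' text after the value is ignored.
sysctl_value() {
  local file=$1 key=$2 re
  re=$(printf '%s' "$key" | sed 's/\./\\./g')
  sed -n -E "s/^[[:space:]]*${re}[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p" "$file" | tail -n 1
}

# effective_rp_filter FILE IFACE -> the rp_filter value the kernel applies to
# IFACE: max(conf.all.rp_filter, conf.IFACE.rp_filter). An interface created
# after boot (like gre0) starts with a copy of conf.default.rp_filter when it
# has no entry of its own. Missing keys are assumed to be 1 (strict).
effective_rp_filter() {
  local file=$1 iface=$2 all per
  all=$(sysctl_value "$file" net.ipv4.conf.all.rp_filter)
  per=$(sysctl_value "$file" "net.ipv4.conf.$iface.rp_filter")
  [ -n "$per" ] || per=$(sysctl_value "$file" net.ipv4.conf.default.rp_filter)
  : "${all:=1}" "${per:=1}"
  echo $(( all > per ? all : per ))
}

# audit_wccp_host FILE GRE_IF -> prints one finding per line; returns 1 if the
# host would drop or fail to forward the GRE-delivered client packets, else 0.
audit_wccp_host() {
  local file=$1 gre=$2 rc=0 fwd eff
  fwd=$(sysctl_value "$file" net.ipv4.ip_forward)
  if [ "$fwd" != 1 ]; then
    echo "net.ipv4.ip_forward is ${fwd:-unset}: non-intercepted packets will not be forwarded"
    rc=1
  fi
  eff=$(effective_rp_filter "$file" "$gre")
  if [ "$eff" = 1 ]; then
    echo "rp_filter on $gre is strict (effective value 1): packets decapsulated from the router will be dropped"
    rc=1
  fi
  return "$rc"
}

# make_sample_conf -> path of a constructed sysctl.conf that copies the two
# lines from Step 2 and then adds the 'all' setting a distribution often
# ships, which silently overrides the 'default' line for gre0.
make_sample_conf() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
net.ipv4.ip_forward = 1 # forwarding on, as in Step 2
net.ipv4.conf.default.rp_filter = 0 # as in Step 2
net.ipv4.conf.all.rp_filter = 1 # typical distribution default, left in place
EOF
  echo "$f"
}

conf=$(make_sample_conf)
echo "sample: effective rp_filter on gre0 = $(effective_rp_filter "$conf" gre0)"
audit_wccp_host "$conf" gre0 || echo "-> fix these before enabling WCCP redirection"
# Loose mode (2) on 'all' and on the tunnel: the kernel still rejects sources
# that have no route at all, instead of switching validation off entirely.
printf 'net.ipv4.conf.all.rp_filter = 2\nnet.ipv4.conf.gre0.rp_filter = 2\n' >> "$conf"
echo "fixed:  effective rp_filter on gre0 = $(effective_rp_filter "$conf" gre0)"
audit_wccp_host "$conf" gre0 && echo "ok"
rm -f "$conf"
```

Run it against the real /etc/sysctl.conf (and anything under /etc/sysctl.d that loads later) before debugging a WCCP setup where Squid sees the router join the service group but never receives a client connection; that symptom is almost always rp_filter.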


Link:

Feb 14, 2022

Top Five Vulnerability Management Failures and Best Practices

This is an easy-to-follow webinar from David Hazar that covers the top five failures and best practices in vulnerability management.



Top Five Failures in Vulnerability Management:

  1. We don't understand our asset management.
  2. We focus too much on prioritization.
  3. We only present facts and data.
  4. We accept too much risk on behalf of the organization.
  5. We are not consistent.

Notes:

  • Use API access to create the inventory, and supplement/validate it against ITAM.
  • Balance prioritization with root cause analysis.
  • Focus on the solutions, with different solution groups and solution types.
  • Only Drivers and Guardians are interested in facts/data (Pioneers and Integrators are not).
  • Storytelling: build the story for leadership.
  • Use owner-based, role-based, and team-based reporting.
  • Track invisible risks: exclusions.
  • Apply standardization, integration and automation.
  • Use an aging report for those who do nothing.

Best Practices:

  1. Automate the reconciliation of inventory and the process for obtaining contextual data.
  2. Don't just prioritize. Focus on the bigger picture.
  3. Learn to communicate more than just facts and data.
  4. Track risk and technical debt, and communicate it in the right way to the right people.
  5. Standardize, integrate, and automate your way to increased consistency.
  6. Automate everything (that can be automated).


Feb 13, 2022

Spoofing Attack in Script

Heard of SQL injection (SQLi)? Something similar can be done to a shell script: if an attacker controls how the script is invoked, they can feed the interpreter an option it was never meant to see. Here is how to protect a shell script from that kind of injection.

First, check out what a SheBang is if you haven't heard of it.

Second, you will sometimes notice a SheBang that ends with - or --.

#!/bin/bash -

#!/bin/bash --

The purpose of the single dash is to protect the script from option injection. It simply marks the end of the options and disables any further option processing: anything after the - (or --) is treated as filenames and arguments, never as options. Without it, the kernel runs the script as /bin/bash followed by the path exactly as it was passed to execve; if the script, or a symlink to it, is named -i, the interpreter receives /bin/bash -i and starts an interactive shell instead of running the file. With #!/bin/bash - it receives /bin/bash - -i and opens the file named -i.

This closes the classic setuid-script hole (an interactive root shell obtained through a script named -i) and related interpreter-spoofing tricks, at no cost, so it is a good habit for every script.*

 

* Linux and most other modern Unix systems ignore the setuid bit on a script that starts with a shebang, which removes the root-shell part of this attack. The dash is still worth keeping for scripts that gain privileges another way (sudo, cron) and for portability to systems that do honor setuid scripts.
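As an added example (my own script, not from this post or the linked articles), the following emulates what the Linux kernel does with a shebang line and then shows the difference the dash makes when the script file is named -i. It assumes Linux binfmt_script behaviour (everything after the interpreter path is passed as a single argument) and that /bin/bash exists; the victim script body and the temporary directory are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: emulate the kernel's shebang handling and demonstrate the
# option injection the trailing dash prevents. Assumes Linux binfmt_script
# semantics (one argument after the interpreter) and /bin/bash.

# shebang_argv SHEBANG_LINE SCRIPT_PATH -> prints, one per line, the argv the
# kernel hands to the interpreter: interpreter, the single optional argument,
# then the script path exactly as it was passed to execve().
shebang_argv() {
  line=${1#"#!"}; path=$2
  line=${line#"${line%%[![:space:]]*}"}      # strip blanks after #!
  interp=${line%%[[:space:]]*}               # first word: interpreter path
  arg=${line#"$interp"}
  arg=${arg#"${arg%%[![:space:]]*}"}         # the rest is ONE argument ...
  arg=${arg%"${arg##*[![:space:]]}"}         # ... minus trailing blanks
  printf '%s\n' "$interp"
  [ -n "$arg" ] && printf '%s\n' "$arg"
  printf '%s\n' "$path"
}

# run_named_dash_i SHEBANG_LINE -> how many times the victim script body ran
# when a file literally named "-i" is executed from the current directory,
# i.e. execve("-i", ...), which is what a symlink named -i would produce.
run_named_dash_i() {
  dir=$(mktemp -d)
  printf 'echo SCRIPT-RAN\n' > "$dir/-i"     # the victim script body (constructed)
  shebang_argv "$1" -i | (
    cd "$dir" || exit 1
    set --
    while IFS= read -r word; do set -- "$@" "$word"; done
    # Run exactly the argv the kernel would build. stdin is /dev/null so an
    # interactive shell, if one starts, exits immediately instead of waiting.
    HOME=$dir "$@" </dev/null 2>/dev/null
  ) | grep -c SCRIPT-RAN || true
  rm -rf "$dir"
}

for sb in '#!/bin/bash' '#!/bin/bash -' '#!/bin/bash --'; do
  printf '%-15s -> script body ran %s time(s)\n' "$sb" "$(run_named_dash_i "$sb")"
done
```

With the plain #!/bin/bash the interpreter gets -i as its first argument, treats it as the interactive flag and never opens the file; with - or -- the file is executed once. shebang_argv also makes the single-argument rule visible: #!/usr/bin/env bash - yields the one argument "bash -", which is why options cannot be combined with the /usr/bin/env form on Linux.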

Links:

  • https://www.cyberciti.biz/faq/binbash-interpreter-spoofing/
  • https://www.in-ulm.de/~mascheck/various/shebang/
  • http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html
  • https://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts

Feb 12, 2022

Portable SheBang

To write a SheBang that is portable across different UNIX systems, use /usr/bin/env as the interpreter and name the real interpreter as its argument. For example:

#!/usr/bin/env bash

#!/usr/bin/env perl

#!/usr/bin/env python


The advantage is that it runs whatever interpreter of that name appears first in the invoking user's $PATH, so the script works whether bash lives in /bin, /usr/bin or /usr/local/bin. Two caveats: the interpreter choice now depends on an environment variable the caller controls, so a script that runs with elevated privileges (sudo, cron) should hard-code the interpreter path instead; and because Linux passes everything after the interpreter path as a single argument, #!/usr/bin/env bash -x makes env look for a program literally named "bash -x".

To locate the full path of a command such as env, any of these three commands will do:

$ type env

$ command -V env

$ which env


Links:

  • https://www.cyberciti.biz/tips/finding-bash-perl-python-portably-using-env.html

Feb 11, 2022

SheBang

A shebang starts with the #! characters followed by the path to bash or another interpreter of your choice. Let us see what a shebang is in Linux and Unix shell scripts.

The #! syntax is used in scripts to indicate the interpreter that should execute them. The directive must be the first line of the script, starting at the first byte. You may add one optional argument after the interpreter path (on Linux, everything after the path is passed as a single argument). Make sure the interpreter is given as an absolute path to an executable; the kernel does not search $PATH for it.

For example: 

#!/bin/bash

#!/bin/bash -x 

#!/usr/bin/env python

 

To ignore the SheBang, run the interpreter yourself and pass the script as an argument; the #! line is then just a comment:

$ python2 hello_world.py


Links:

  • https://bash.cyberciti.biz/guide/Shebang