We all know Squidguard can is used to “filtering” outbound web traffic. For out sites tat have things like ads,porn??,malware,proxies,etc. But I’ve come up with a way to use squidguard to protect my webserver from outside “would be” hackers. And best of all it’s easy to setup !!!

Things you’ll need

• Squid
• Squidguard
• iptables
• Possiably “yum” or “apt” if you don’t installing things from source

Steps:

1. install squid 
   • yum install squid
2. Install squidguard
   • yum install squidgaurd
   • or to save your self some time, you can install squidguard which has the Dependency of squid. So simply installing squidGuard 1st will install both.
3. install iptables
   • yum install iptables

Ok now for there configuration of each:

1. Squid : /etc/squid/squid.conf
   • Setup squid to work as a normal transparent proxy for your domain. Do this even if your not going to use it as a “caching proxy”.
   • Next setup the needed entries for allowing the outside access to use squid (but only to access your website(s) / domain(s) like so:

     # Retain all the fully used incoming url (helps with debugging and seeing
     #  what the little buggers are up too).
     strip_query_terms off
     # Tells squid to listen on all ips using port 3128 and work in transparent mode
     # Yes this should have already been set, but I figured why not cover it anyways
     http_port 3128 transparent
     # Change 10.1.97.0/24 to reflect your ip address range
     acl mynetwork src 10.1.97.0/24
     # change this to reflect your server external IP (unless it's nat'ed)
     # then you'll want to set this to the nat'ed IP
     acl mysite1 dst 66.93.12.247
     # Delete this is you don't need a second IP
     acl mysite2 dst 66.93.12.17
     ## Change these to say your DOMAIN name
     ## make sure the second one is YOUR domain name
     ## but then a . in front of it
     acl mydomain1 dstdomain nomadcf.com
     acl mydomain2 dstdomain .nomadcf.com
     ## These disable caching are website for the outside
     ## you way want to NOT do this. There are some pretty
     ## good gains from doing this. Your choice.
     always_direct allow mydomain1
     always_direct allow mydomain2
      
     ## Allow access to squid FROM
     # Your network
     http_access allow mynetwork
     # to this ip from outside (anywhere really)
     http_access allow mysite1
     # to this second ip from outside (anywhere really)
     http_access allow mysite2
     # stop EVERY one else from using squid
     http_access deny all
      
     # Stops YOUR network from going though squidgaurd
     # But it doesn't have to be this way, you can pass all
     # side though squidguard and have squidguard filter
     # differently based on src ip addresses / ip address ranges
     # AND OR destinations domain,ip,url OR expressions.
     url_rewrite_access deny mynetwork
     ## Allows the outsiders to go though the filter
     url_rewrite_access allow mysite1
     url_rewrite_access allow mysite2
      
     # Tells squid where to and how to use squidguard
     redirect_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
     # Tells squid how many copies of squidguard to start (squidguard is
     # single threaded you'll to might need a few of them)
     redirect_children 15
     # If all the squidguard copies are in use, we'll have to allow unfiltered
     # access to YOUR site(s) / domain(s). Or you could set this to "Off"
     # which would just stop people from access your site(s) / domain(s)
     # until a squidguard thread was freeded up.
     # "I" recommend leving this on, but watching your squid logs. And if
     # need be increasing your redirect_children to match whats needed
     # plus some room to grow. Then when YOU feel comfortable turn this
     # to "Off".
     redirector_bypass on

2. Setup squidguard : /etc/squid/squidguard.conf

   • # location of where you want to store your
     # ip address lists, expressions, etc
     dbhome /var/lib/squidguard
     # location of where you want it to write
     # out it's log files
     logdir /var/log/squidguard
      
     # This will be how squidguard knows of the
     # ip addresses or ranges we want block
     src hacker_ipaddresses {
      # this is the name of the file
      # relative to dbhome location
      iplist      hacker_ips
      # log all thoughs we catch this way
      log hacker_ipaddresses.log
     }
      
     # this is how squidguard knows what
     # expressions to look for and block in
     #the incoming URLs
     dest hacker_expressions {
      # this is the name of the file
      # relative to dbhome location
      expressionlist   hacker_expressions
      # log all thoughs we catch this way
      log hacker_expressions.log
     }
      
     # YOUR networks ip addreses and ranges
     # along with localhost
     src network {
      ip 10.1.97.0/24
      ip 127.0.0.1/255.255.255.255
     }
      
     acl {
      
      network {
       # do not filter YOUR network
       pass all
      }
      
      hacker_ipaddresses {
       # Block all though who come from ip
       # addresses we don't like
       pass none
       # Redirect them to some other site,
       # with some info about them
       redirect http://www.google.com/?caddr=%a&cname=%n&user=%i&group=%s&url=%u&target=%t
      }
      
      default {
       # Block only those with expressions we don't want
       # and let every one in
       pass !hacker_expressions all
      
       # Redirect them to some other site,
       # with some info about them
       redirect http://http://www.google.com/?caddr=%a&cname=%n&user=%i&group=%s&url=%u&target=%t
      }
     }

3. Setup iptables : /etc/rc.d/rc.proxy

   • #!/bin/bash
      
     #This is the location of iptables
     IPTABLES=/sbin/iptables
     # This is the ip address of the of your squid server
     SquidAddress=10.1.97.4
      
     # Redirect <strong>all</strong> traffic going to port 80 to squid
     $IPTABLES -t nat -A PREROUTING -s ! $SquidAddress -p tcp --dport 80 -j DNAT --to $SquidAddress:3128

Now your almost done, from here you only need to populate the files

• /var/lib/squidguard/hacker_expressions  
• /var/lib/squidguard/hacker_ips

Heres an example of /var/lib/squidguard/hacker_expressions

Config_absolute_path
includepath
GALLERY_BASEDIR
passwd
\.\.\/

The above will BLOCK any all these exmaple:

http://www.nomadcf.com/?includepath=http://www.google.com
http://www.nomadcf.com/?open=../../passwd
http://www.nomadcf.com/?includepath=/tmp/hacked.txt
http://www.nomadcf.com/?look=here&Config_absolute_path=&tom=chris
http://www.nomadcf.com/?something=thisthing&GALLERY_BASEDIR=anything

Heres an example of /var/lib/squidguard/hacker_ips

25.224.0.0-125.231.255.255
125.232.0.0-125.233.255.255
134.208.0.0-134.208.255.255
139.175.0.0-139.175.255.255
139.223.0.0-139.223.255.255
140.92.0.0-140.92.255.255
140.96.0.0-140.96.255.255
140.109.0.0-140.109.255.255
140.110.0.0-140.110.255.255