Running squid - any required security beyond ACLs?

Support for security such as Firewalls and securing linux
fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Running squid - any required security beyond ACLs?

Post by fla_panther » 2016/10/26 21:53:50

I'm setting up a box in my home to practice a bunch of different things, one of which is setting up squid as a proxy server. In some other threads I've shared that at the moment I'm not 100% trusting of my own LAN in terms of security ... I'm working on that. But in the meantime I've been thinking ...

I've turned off telnet and SSH but isn't squid essentially a web server? And as such isn't it vulnerable to many of the same attacks a web server would be open to? If I trust my LAN I can block all incoming traffic from the internet at my cable modem and then restrict access to squid to users on my local LAN. But if I don't trust my local LAN then isn't there more I could/should be doing to secure squid?

I've looked at the squid page but all I see is this, which refers only to closed security holes, not open ones.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Running squid - any required security beyond ACLs?

Post by TrevorH » 2016/10/26 22:20:36

You definitely don't want to open up your squid server so that people from the internet can connect through it - you'll get some very unwelcome visitors using it to download some very dodgy content. I doubt very much if squid comes out of the box set up to be an open proxy and if you are behind a domestic router then the chances are that you are on a NAT network and would need to set up port forwarding on that router to allow people from outside to see your squid (don't!).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

enjinn
Posts: 8
Joined: 2016/10/25 18:16:52

Re: Running squid - any required security beyond ACLs?

Post by enjinn » 2016/10/27 03:06:10

I would heed what TrevorH has posted. Additionally, you should also look at http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Running squid - any required security beyond ACLs?

Post by fla_panther » 2016/10/27 09:56:52

To clarify: I am NOT opening up my server to be accessed by the internet. I'm asking if there are any further protections I need to set up if my LAN isn't 100% trusted. If a device on my LAN gets infected by a virus I don't want that to be able to infect my CentOS box if I can avoid it.

Thanks for that link, enjinn. I've reviewed it and confirmed I'm not in conflict with any of those items.

enjinn
Posts: 8
Joined: 2016/10/25 18:16:52

Re: Running squid - any required security beyond ACLs?

Post by enjinn » 2016/10/27 16:54:47

@fla_panther. If you don't trust your LAN, have you considered running all your traffic through SNORT? https://www.snort.org/documents#OfficialDocumentation I'm not sure how familiar you are with it. You can also set your default outbound policy to DROP on your iptables and create rules for all your outbound traffic. If any of your servers in your internal network don't need a default route, remove it and create static routes to what you need. It really depends how far you want to go in securing your home LAN.

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Running squid - any required security beyond ACLs?

Post by fla_panther » 2016/10/30 18:41:09

I am the only user on my LAN right now so I could probably run SNORT and see what it digs up. The only problem I foresee is that with the way websites work these days - each page pulling resources from many sources - it could be a huge pain in the butt trying to determine everything is valid traffic. I suppose the easier thing would be to tell SNORT to run when I'm asleep or at work and see if anything's going on during those hours.

My main thought right now is ... as I understand it, specially crafted web requests can give someone unintended access on a server. (a) I'm not sure how squid works so I don't know if it's vulnerable to the same kinds of attacks. And (b) even though I have scripts set up to email me when a user logs in I've only set them up for root and two user accounts. If these specially crafted attacks elevate the privileges of other non-user accounts I don't know that I would ever notice. If, for example, the squid process surreptitiously gains rights to the root account .... is that considered logging in as root? Would that trigger the email I have set up? Etc.

fla_panther
Posts: 42
Joined: 2015/08/27 21:15:03

Re: Running squid - any required security beyond ACLs?

Post by fla_panther » 2016/11/05 16:28:15

So it occurred to me I could do at least one test. Instead of doing "su -" I just did "su" which I thought was supposed to NOT get me the root user's environment, which I expected to also not involve /root/.bashrc but apparently it did because I got an email confirming a root login. So that's good at least. But I'm still wondering if (a) the kinds of rights elevation attacks I've heard about will trigger /root/.bashrc, and (b) whether or not I need to do anything more to keep squid from being vulnerable to certain attacks. I've signed up to the squid user mailing list, I'll ask over there as well.

Whoever
Posts: 1361
Joined: 2013/09/06 03:12:10

Re: Running squid - any required security beyond ACLs?

Post by Whoever » 2016/11/05 16:44:07

I would also make sure that your firewall does not allow access to the proxy ports from the Internet.

Don't rely solely on the ACLs. Security in depth is important.
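
The firewall layering suggested in the replies above (proxy port reachable from the LAN only, default outbound policy of DROP), as an added example that is not part of any poster's message. The LAN range, the port 3128 default and the list of allowed outbound ports are assumptions to adapt; `squid_fw_rules` and `proxy_port_unrestricted` are hypothetical helper names.

```shell
#!/bin/bash
# Added example: build an iptables-restore ruleset for a Squid host on a LAN
# that is not fully trusted, and audit an existing ruleset for an open proxy port.

# Print a filter table: default DROP everywhere, proxy port open to the LAN only.
squid_fw_rules() {
    local lan_cidr="$1"
    local proxy_port="${2:-3128}"   # assumption: Squid's default http_port
    case "$lan_cidr" in
        ''|*[!0-9./]*) echo "usage: squid_fw_rules <ipv4-cidr> [port]" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, and replies to connections that were already allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Proxy port: LAN sources only, enforced independently of squid.conf ACLs
-A INPUT -p tcp -s ${lan_cidr} --dport ${proxy_port} -m conntrack --ctstate NEW -j ACCEPT
# Outbound: only what the proxy itself needs (DNS, HTTP, HTTPS)
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Log anything else trying to leave before the DROP policy discards it
-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUT-DROP: "
COMMIT
EOF
}

# Read iptables-save output on stdin; return 0 (finding) if an INPUT ACCEPT
# rule for the proxy port has no source restriction.
proxy_port_unrestricted() {
    local proxy_port="${1:-3128}"
    grep -E -- "^-A INPUT .*--dport ${proxy_port}( |\$)" \
        | grep -E -- '-j ACCEPT' \
        | grep -qvE -- '(^| )-s [0-9]'
}
```

Load it as root with `squid_fw_rules 192.168.1.0/24 | iptables-restore`, which replaces the current filter table; `iptables-save | proxy_port_unrestricted 3128` checks a live ruleset. IPv6 needs a matching ip6tables policy.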
