Grex to use Web Proxy Server
janc, Aug 19 18:51 UTC 2001
We are in the process of making some changes to the way web access from Grex
works. We don't expect this to impact most users, but I thought we should
post something here to keep the users informed about what we are up to.
Grex's staff is in the process of setting things up so that it will only be
possible to access the web from grex via a proxy server running on another
machine. So if you run lynx on Grex to access http://www.arbornet.org or
any other web site, then lynx will pass the request to the proxy server which
will then pass the request to arbornet. Arbornet will respond to the proxy
server, which will pass the request back to you.
Proxy servers are pretty widely used, and users should notice virtually no
difference. Obviously there may be a very slight slowdown in responses
because of the extra layer of indirection.
A common reason for using proxy servers is to do caching of pages. The proxy
server keeps copies of commonly accessed pages and can serve them directly
instead of actually having to access them over the internet. This can
actually speed up many requests, and reduce load on the internet connection.
However, since rather few people on Grex use lynx, and they tend to access
a lot of different pages instead of the same pages, and few images are fetched
anyway, this probably won't be that big a gain for Grex. So caching is pretty
much beside the point.
The main issue the Grex staff is concerned about is throttling back the number
of attacks being launched by Grex users on other systems on the net via http.
Most net access is not permitted to guest accounts, so most kinds of attacks
on other systems cannot be launched from a Grex guest account. However, in
recent years, there have been more and more http-based attacks. We have lots
of users upload programs that make http connections to lists of systems,
and try to run all sorts of CGI programs with known security holes. We don't
like our system being used as an anonymous platform from which to attack
other people's systems, and we don't like our network connection and cpu
being jammed up with this kind of thing.
So when we are done setting things up, it will no longer be possible to
open http connections from Grex to any other server on the net (the kernel
blocks will be updated to shut down access to port 80 for guests). However
you will be able to make connections to the proxy server, and lynx and
any other legitimate web tools we have will be reconfigured to do so by
default. The proxy server will be programmed to recognize most of the standard
attacks, and refuse to transmit them. This should stop at least all the
cookbook script kiddie attacks (which is to say, essentially all of them).
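The post describes the mechanism in prose: lynx hands the whole request to a proxy on another machine, and the proxy decides whether to forward it. The following is an added example of that decision point, not Grex's squid configuration and not squid's code. It shows what a browser configured for a proxy actually sends (the request line carries the full URL, so the proxy sees host, port and path before connecting out) and applies a constructed, generic policy: a method allowlist, destination port 80 only, and rejection of malformed or control-character targets. The method set, port set and check order are assumptions; the thread does not say what squid's filter rules were.

```python
"""Request-line policy check of the kind a filtering forward proxy applies.

Added example; the policy here is illustrative and not Grex's actual
squid configuration.
"""
from typing import Tuple
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumption: plain web browsing only
ALLOWED_PORTS = {80}                        # the thread only discusses port 80


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """Split 'METHOD target HTTP/x.y' into its three parts.

    Raises ValueError for anything that is not exactly three tokens with a
    recognisable HTTP version, which covers most garbage a proxy receives.
    """
    parts = line.strip().split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if not version.startswith("HTTP/"):
        raise ValueError("missing HTTP version")
    return method, target, version


def check_request(line: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one proxy request line."""
    try:
        method, target, _ = parse_request_line(line)
    except ValueError as exc:
        return False, str(exc)
    # Reject control characters before any URL parsing touches the target.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False, "control character in request target"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    parts = urlsplit(target)
    # Origin-form targets ("/index.html") carry no scheme or host: this is a
    # client that is not really talking to a proxy, so there is nothing to
    # forward.  A proxy sees the destination only in absolute form.
    if parts.scheme != "http" or not parts.hostname:
        return False, "proxy requires an absolute http:// URL"
    try:
        port = parts.port if parts.port is not None else 80
    except ValueError:
        return False, "invalid port in URL"
    if port not in ALLOWED_PORTS:
        return False, f"destination port {port} blocked"
    if ".." in parts.path.split("/"):
        return False, "path traversal segment in URL"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request lines, as a browser behind the proxy would send them.
    for req in (
        "GET http://www.arbornet.org/ HTTP/1.0",
        "GET /index.html HTTP/1.0",
        "CONNECT www.arbornet.org:443 HTTP/1.0",
        "GET http://www.arbornet.org:8080/ HTTP/1.0",
    ):
        print(f"{req!r:50} -> {check_request(req)}")
```

Because the proxy is the only path out once port 80 is closed for guests, every one of these decisions is made on a machine the user does not control, which is what makes the filtering enforceable rather than advisory.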
18 responses total.

response 1 of 18: janc, Aug 19 18:53 UTC 2001
Current status of this project is that Dan Gryniewicz has set up the 'squid'
proxy server program on gryps.cyberspace.org. I think the next steps will
be to set up the filter rules, reconfigure lynx, and finally close port 80
on Grex.

response 2 of 18: devnull, Aug 20 02:25 UTC 2001
Sounds good.
Are ports other than 80 currently allowed to make outgoing connections for
guests? I thought that for example whois may have been allowed?

response 3 of 18: janc, Aug 20 18:53 UTC 2001
See http://www.cyberspace.org/staffnote/blocks.html
The ports currently open to guests are
43 whois
53 dns
70 gopher
79 finger
80 http
113 ident
517 talk
518 ntalk
My guess is that we will block port 80 only for guests, so members could still
bypass the proxy, but the default will be to go through the proxy even for
members.

response 4 of 18: cross, Aug 21 18:29 UTC 2001
Out of curiosity, why is port 113 (auth/ident/tap) open? It's of limited
utility (really only to people who are running their own servers, and even
then the quality of received information isn't all that good, particularly
nowadays, as most people have shut it off. Perhaps it's open to allow the
system daemons to use the auth protocol for incoming connections, after
they've switched UID from root to the user?)

response 5 of 18: cross, Aug 21 18:31 UTC 2001
Regarding #4; sorry to follow up to my own post, but I guess I should
mention that the idea of a system daemon doing tap after switching to
another user is a little odd, as usually the ident stage is done before
the switch from root (eg, by tcpd or some other TCP wrappers like
service).

response 6 of 18: mdw, Aug 21 21:54 UTC 2001
I don't know the exact reason why we did this. I know one reason we
might have wanted to - httpd opens its port, becomes "nobody", then
accepts requests. If it wants to do ident lookups (and this code still
exists in apache although I don't think we have it turned on) it would
need to make an out-going ident connection as "nobody".

response 7 of 18: janc, Sep 5 00:42 UTC 2001
Wanted to add a note to this. I just noticed that the proxy server does
something else interesting - it keeps a log file. This means that all web
requests made from Grex would be logged there. It isn't entirely easy to
figure out who made the request, all it really says is that someone on Grex
visited xxx.gerbils.com at such and such time. At most you'd know it was one
of the people logged in then. However, this is a bit of information about
user activity that was not previously logged in any way on Grex. I think the
log is worth having, because if we are to filter out attacks being made from
Grex, we need to be able to see them first. I think this is something staff
should be expected to treat with great caution and respect for the user's
privacy, much as we currently treat mail files. I don't think there is a
problem here, but I think users should know about it.
I'll probably be installing a new version of lynx sometime soon,
one configured to go through the proxy by default (it is currently being
tested on the development system). After that, we'll see about reconfiguring
the other relevant tools, including wget and the web browser whose name I've
forgotten. Then we'll shut down direct http access from Grex.

response 8 of 18: aruba, Sep 5 01:38 UTC 2001
If you'll be compiling a new version of Lynx, could you try to build in
support for color? I believe it needs the "slang" library.

response 9 of 18: keesan, Sep 5 01:42 UTC 2001
Lynx 2.8.5dev version 2 is out - can you do that one? I am curious if it
supports 'easy upload' to geocities, which is where grexers who want to post
images can post them for free (now that they are disabled on grex).
2.8.3 (at m-net) does not support the upload.

response 10 of 18: janc, Sep 5 02:04 UTC 2001
I actually finished building a new lynx, version 2.8.4. I hadn't attempted
slang. Maybe I'll look at it.
I'm not installing a development release. Building these things is enough
work that I'm not interested in doing it for a release that the authors aren't
willing to call stable. If you can give me the URL for the file upload page
you are talking about, then maybe I can find time to look at it.
My main goal here is going to be to get the proxy stuff up. I'll promise you
a lynx no worse than the previous one, but I'm not sure I have time for every
lynx improvement people want at this time.

response 11 of 18: janc, Sep 5 02:36 UTC 2001
Looks like color support can be achieved by using either slang or ncurses.
It appears that slang is rather aggressive about using color, using it even
if your termcap doesn't say your terminal understands it. This will do awful
things to some older terminals, I think. Hence ncurses is the better choice
for Grex, though that may have some issues too. At very least, you won't see
color unless your termcap is properly configured.

response 12 of 18: aruba, Sep 5 02:41 UTC 2001
Sounds good to me.

response 13 of 18: janc, Sep 5 03:49 UTC 2001
Not so good to me. I built ncurses on the development machine, but found
that, not too surprisingly, none of the termcaps on Grex define colors. So
if anything is to be achieved here, then I need to upgrade at least the most
common termcaps, and preferably terminfo too. But before I can do that, I
need to make sure that upgrading the termcap and/or terminfos won't screw
up programs built with the classical old sun curses. All this requires a
fair bit of thought and work. It's not going to be quick.

response 14 of 18: aruba, Sep 5 13:29 UTC 2001
Ah. No problem. Thanks for doing the work you're doing, Jan.

response 15 of 18: devnull, Sep 11 22:29 UTC 2001
Would it be reasonable to have a policy that once a day, log rotation
happens such that we only keep three days' worth of logs?
Also, how does the new web logging compare to whatever mail logging
has previously been happening?

response 16 of 18: keesan, Sep 20 18:50 UTC 2001
Jan, thanks very much for lynx 2.8.4. I am using it now on my DOS computer
but the grex connection can be as fast as 13K/sec and mine is 3K/sec.
It is not a matter of the URL for the upload page. First you have to sign
up for a free geocities account (at geocities.yahoo.com) and to do that you
need to be able to view a number or word which is an image, and type that in.
I managed with Lynx anyway. With 2.8.3 there is simply no way to type in the
file path and name - the line is there, but it does not accept input. Same
for Arachne and Skipper. I will try to post the HTML for the problem page.
I was also unable to FTP files to geocities, using several FTP programs.

response 17 of 18: janc, Nov 11 21:03 UTC 2001
Lynx 2.8.4 is now installed. It uses the proxy by default. Soon using the
proxy will be the only way to access the web.

response 18 of 18: malymi, Nov 16 07:50 UTC 2001
re #7: if you really want to find the perpetrators, and otherwise
make the proxy act differently for each user, you probably want
to use authentication. (lynx supports this.)
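Three points in the thread concern the proxy's log: #7 (every request is recorded, but only as "someone on Grex" because all requests leave from one host), #15 (keep only three days of logs) and #18 (proxy authentication would put a user name in each line). The following is an added example that ties them together; it is not Grex's or squid's code. The log lines are constructed in the field order of squid's native access.log (completion time, elapsed ms, client address, result/status, bytes, method, URL, user, hierarchy/peer, content type); the addresses, host names and the users alice and bob are made up, and the sweep threshold (five distinct hosts in a minute) is an assumed tuning value, not anything the staff chose.

```python
"""Squid access.log triage: attribution, scan-like behaviour, retention.

Added example, not code from Grex or from squid.  Sample lines are
constructed in squid's native access.log layout; all values are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# One client address on every line: every Grex user's request leaves the same
# host, which is why #7 says the log cannot tell users apart on its own.  The
# 8th field is '-' until proxy authentication (#18) supplies a user name.  The
# first line is several days old so that the retention pass has something to drop.
SAMPLE_LOG = """\
999600000.000    180 192.0.2.10 TCP_MISS/200 2048 GET http://www.arbornet.org/ - DIRECT/198.51.100.5 text/html
1000000000.101    210 192.0.2.10 TCP_MISS/200 3540 GET http://www.arbornet.org/ - DIRECT/198.51.100.5 text/html
1000000001.250     95 192.0.2.10 TCP_HIT/200 1200 GET http://www.arbornet.org/about.html alice NONE/- text/html
1000000003.412    300 192.0.2.10 TCP_MISS/200 8800 GET http://news.example/ alice DIRECT/203.0.113.7 text/html
1000000010.000     40 192.0.2.10 TCP_MISS/404 512 GET http://host1.example/cgi-bin/ bob DIRECT/203.0.113.1 text/html
1000000011.000     38 192.0.2.10 TCP_MISS/404 512 GET http://host2.example/cgi-bin/ bob DIRECT/203.0.113.2 text/html
1000000012.000     41 192.0.2.10 TCP_MISS/404 512 GET http://host3.example/cgi-bin/ bob DIRECT/203.0.113.3 text/html
1000000013.000     39 192.0.2.10 TCP_MISS/404 512 GET http://host4.example/cgi-bin/ bob DIRECT/203.0.113.4 text/html
1000000014.000     42 192.0.2.10 TCP_MISS/404 512 GET http://host5.example/cgi-bin/ bob DIRECT/203.0.113.5 text/html
1000000015.000     37 192.0.2.10 TCP_MISS/404 512 GET http://host6.example/cgi-bin/ bob DIRECT/203.0.113.6 text/html
"""


@dataclass
class Entry:
    ts: float          # completion time, seconds since the epoch
    elapsed_ms: int
    client: str        # address the request arrived from (always Grex here)
    status: str        # squid result / HTTP status, e.g. TCP_MISS/200
    size: int
    method: str
    url: str
    user: str          # ident or proxy-auth user, '-' when unknown
    hierarchy: str
    mime: str

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_line(line: str) -> Entry:
    """Parse one native-format line (10 whitespace-separated fields)."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    return Entry(float(f[0]), int(f[1]), f[2], f[3], int(f[4]), f[5], f[6], f[7], f[8], f[9])


def parse_log(text: str) -> List[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def requests_per_user(entries: List[Entry]) -> Dict[str, int]:
    """Without authentication everything lands in the '-' bucket."""
    counts: Dict[str, int] = defaultdict(int)
    for e in entries:
        counts[e.user] += 1
    return dict(counts)


def flag_host_sweeps(entries: List[Entry], window_s: float = 60.0, min_hosts: int = 5) -> Dict[str, int]:
    """Users who reached >= min_hosts distinct hosts inside any window_s seconds.

    A lynx session touches a handful of hosts; a program working through a
    list of systems touches many in quick succession.  Returns user -> peak
    distinct-host count for users over the threshold.
    """
    by_user: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_user[e.user].append(e)
    flagged: Dict[str, int] = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window_s:
                start += 1            # slide the window forward
            best = max(best, len({e.host for e in evs[start:end + 1]}))
        if best >= min_hosts:
            flagged[user] = best
    return flagged


def apply_retention(entries: List[Entry], now_ts: float, keep_days: int = 3) -> List[Entry]:
    """Drop entries older than keep_days (the policy proposed in #15)."""
    cutoff = now_ts - keep_days * 86400
    return [e for e in entries if e.ts >= cutoff]


def triage(text: str, now_ts: float, keep_days: int = 3) -> dict:
    """Prune, then count per user, then flag sweeps."""
    kept = apply_retention(parse_log(text), now_ts, keep_days)
    return {"kept": len(kept), "per_user": requests_per_user(kept), "flagged": flag_host_sweeps(kept)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, now_ts=1000000100.0))
```

Run against the sample, the retention pass drops the old anonymous line, the per-user counts show how little the `-` bucket tells anyone, and only bob's six-host burst is flagged; alice's two hosts and the anonymous arbornet visits fall under the threshold. The sweep detector is the piece that gives the log its stated purpose (seeing attacks before filtering them), while the retention function bounds how long the privacy exposure #7 describes lasts.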