How to find that Proxy+ is/was abused by unauthorized users
Beginning

Proxy+ stores a lot of information about user activity in log files. There are several of these files, and each contains specific kinds of messages. They are accessible via the Proxy+ admin WWW interface (Log Files\Display Logs), or they can be viewed in any text file viewer. The log files are stored in the Logs subdirectory under the Proxy+ installation directory; the name of this subdirectory can be changed in the settings.

Note: the default log file names are used in the following text. The user can change these names, with the restriction that the name prefix is fixed: e.g. AccessLog.TXT can be renamed as long as its name still starts with "Access"; the rest is optional and may contain tags which are replaced by the file creation date/time.

Proxy+ supports log file rotation: a new (empty) log file is created after some time and the old log files are renamed as needed. If the number of old files exceeds a limit, the oldest log file is deleted. If you want to search for older information, it may no longer be in the current log file; in that case you have to search the older ones, which you can open in a text file viewer (they are not accessible via the Proxy+ admin WWW interface).

The following files are important for checking security:

- AccessLog.TXT - records all clients' requests. It contains no records about sent/received mails.
- MailLog.TXT - records information about sent/received mails and mail received via the Mail\POP3 Download service.
- ProxyLog.TXT - contains information about Proxy+ settings and running services. Proxy+ logs the state of the list of insecure interfaces to this file when starting.
- SecLog.TXT - contains all requests denied due to the security settings of Proxy+. This information cannot tell you whether Proxy+ was abused (accepted and served requests are not logged here), but it may help you see who is trying to abuse Proxy+ and how often.
AccessLog.TXT

This file records information about all Proxy+ clients' activities (except mail services). You can check whether accepted requests originated from your LAN clients: every line of this file contains the IP address of the computer where the request originated. Example of AccessLog.TXT records:

```text
06/02/2000 10:56:56 192.168.0.2 - ADMIN "GET /logs/proxylog HTTP/1.0" 200 0 0 0 540 - 192.168.0.1 -
06/02/2000 10:57:09 192.168.0.4 - MAPPED "pop.mail.yahoo.com (110)" OK 101 101 24 1872 - - -
06/02/2000 10:57:31 192.168.0.2 - SOCKS5 "CONNECT wwwkeys.pgp.net:11371" 5 0 0 0 6990 - 212.55.198.212 -
06/02/2000 10:57:53 192.168.0.7 - ADMIN "GET /logs HTTP/1.0" 200 0 0 0 0 - 192.168.0.1 -
06/02/2000 10:57:55 192.168.0.7 - ADMIN "GET /logs/accesslog HTTP/1.0" 200 0 0 0 440 - 192.168.0.1 -
06/02/2000 10:58:15 192.168.0.2 - SOCKS5 "CONNECT wwwkeys.ch.pgp.net:11371" 0 19902 19902 85 3154 - 212.55.198.213 -
06/02/2000 10:58:46 192.168.0.2 - SOCKS5 "CONNECT pgpkeys.mit.edu:11371" 0 0 0 0 66635 - 208.228.228.80 -
06/02/2000 10:58:51 192.168.0.2 - ADMIN "GET /images/bcg000.gif HTTP/1.0" 200 0 0 0 0 - 192.168.0.1 -
06/02/2000 10:58:51 192.168.0.2 - ADMIN "GET /logs/accesslog HTTP/1.0" 200 0 0 0 450 - 192.168.0.1 -
```

The third column contains the IP address of the client that sent the request. All computers in this example use IP addresses from the range 192.168.0.0-192.168.0.255 (network 192.168.0.0, netmask 255.255.255.0), so all addresses in this example are ok: they belong to local computers. It may happen that you find a line containing an unknown IP address:

```text
06/02/2000 17:26:04 213.8.207.87 - SOCKS4 "Connect 208.51.159.10:6667" 90 - 1024/79 - - -
```

In that case it is probable that Proxy+ has been abused by another user from the Internet. In this example the cause is a wrong security setting of Proxy+ which allows access to the SOCKS server to any user (someone from the Internet connects anonymously to an IRC server via the SOCKS server).
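Checking the third column by eye works for a short excerpt, but a rotated set of log files is better scanned by a script. The following Python script is an added example, not part of the Proxy+ documentation: it parses lines in the record shape shown above (date, time, client IP, `-`, service name, quoted request, trailing counters), and reports every record whose client address lies outside the LAN ranges. The LAN range 192.168.0.0/24 is assumed from the example above; the sample input is constructed from the records shown on this page.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Optional

# LAN address ranges. Assumption: the 192.168.0.0/24 network used in the page's
# example; adjust to the ranges actually assigned to your local clients.
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/24")]

# Shape of an AccessLog.TXT record as shown on the page:
#   date time client-ip - SERVICE "request" <counters and status fields>
ACCESS_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) - (?P<service>\S+) '
    r'"(?P<request>[^"]*)"(?P<rest>.*)$'
)


class AccessRecord(NamedTuple):
    timestamp: str
    client: str
    service: str
    request: str


def parse_access_line(line: str) -> Optional[AccessRecord]:
    """Parse one AccessLog.TXT line; return None for lines that do not match the record shape."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    return AccessRecord(f"{m['date']} {m['time']}", m["client"], m["service"], m["request"])


def is_lan_address(addr: str, networks=LAN_NETWORKS) -> bool:
    """True if addr is a valid IP address inside one of the LAN networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address column: treat as not-LAN so it gets reviewed
    return any(ip in net for net in networks)


def find_foreign_clients(lines: Iterable[str], networks=LAN_NETWORKS) -> List[AccessRecord]:
    """Return every record whose client address (third column) is outside the LAN ranges."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is not None and not is_lan_address(rec.client, networks):
            hits.append(rec)
    return hits


# Sample input constructed from the records shown on the page (the SOCKS4 line
# is the "unknown IP address" example).
SAMPLE_ACCESS_LOG = """\
06/02/2000 10:56:56 192.168.0.2 - ADMIN "GET /logs/proxylog HTTP/1.0" 200 0 0 0 540 - 192.168.0.1 -
06/02/2000 10:57:09 192.168.0.4 - MAPPED "pop.mail.yahoo.com (110)" OK 101 101 24 1872 - - -
06/02/2000 10:57:31 192.168.0.2 - SOCKS5 "CONNECT wwwkeys.pgp.net:11371" 5 0 0 0 6990 - 212.55.198.212 -
06/02/2000 17:26:04 213.8.207.87 - SOCKS4 "Connect 208.51.159.10:6667" 90 - 1024/79 - - -
06/02/2000 10:58:51 192.168.0.2 - ADMIN "GET /logs/accesslog HTTP/1.0" 200 0 0 0 450 - 192.168.0.1 -
"""

if __name__ == "__main__":
    # Typical use: run over every rotated AccessLog file, e.g. open(...) instead of the sample.
    for rec in find_foreign_clients(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{rec.timestamp}  {rec.client:<15}  {rec.service:<7}  {rec.request}")
```

Only the client column is checked; the destination address at the end of a SOCKS record is the server the client reached, not a sign of abuse in itself. Lines that do not fit the record shape are skipped rather than flagged, so a truncated last line of a rotated file does not produce a false alarm.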
Status Info

This page of the Proxy+ admin WWW interface displays (among other things) the IP addresses of computers using Proxy+ services. If you find unknown IP addresses in the Connected users table, check the AccessLog.TXT log file (see above).

MailLog.TXT

Information about sent and received mails is stored in this file. It allows you to find out whether all mails accepted by the Proxy+ SMTP server originated from LAN clients. If you don't use Proxy+ as an SMTP server receiving mail for a whole domain via the SMTP protocol (Mail\General\Server Type is not Internet Mail server), only your LAN clients are allowed to use the Proxy+ SMTP server for sending mail via SMTP (mail clients such as Outlook, Eudora and Netscape Messenger send outgoing mail via SMTP). It is best to set the security so that access to the POP3 and SMTP servers is allowed only from a restricted range of local IP addresses (Security\General\Check security on SMTP connections, Security\General\Check security on POP3 connections).

A server which accepts mail for a whole domain via SMTP must be configured so that it disallows so-called mail relaying, i.e. it must refuse to send mail from a user on the Internet back to the Internet. Sending mail to the Internet should be allowed only to a defined group of users (local clients). This is achieved with the setting Mail\SMTP\Enable relaying for these clients. If the mail server is not set up correctly, it may be abused for mass sending of unsolicited mail (spam).

Lines containing the identifier SMTPR are logged to MailLog.TXT after Proxy+ receives mail via SMTP. These lines may look as follows:

```text
05.11.2000 15:40:45 00BC: SMTPR: from:
```

This means that the user with the e-mail address johnny@company.com sent an e-mail from the computer with IP address 192.168.0.11 to two recipients. The following lines of MailLog.TXT contain more details. The sender's IP address is what matters here: if it is a LAN address, it is ok.
If you find foreign addresses, it is possible that someone is abusing Proxy+ to send his own mail. Please note that this applies only when Proxy+ is not used for receiving mail for a whole domain via SMTP (in that case foreign IP addresses are expected in MailLog.TXT; otherwise no mail would come from the Internet).

Requests for reading mail from Proxy+ via POP3 are logged to MailLog.TXT as well. A record looks like:

```text
05.15.2000 13:45:45 00D1: POP3: connection from:192.168.0.22
```

If you find an IP address which is not from your range, it is possible that someone from the Internet is trying to read mail stored on the Proxy+ mail server.

Other signs
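The POP3 check described above for MailLog.TXT can be automated in the same way as the AccessLog.TXT check. The script below is an added example, not part of the Proxy+ documentation: it matches records of the shape `date time session: POP3: connection from:<ip>` shown above, ignores all other MailLog lines (the SMTPR lines, whose sender address appears on following lines the page does not show, are not parsed), and counts connection attempts per address outside the LAN range, which also tells you how often an outside address is trying. The LAN range 192.168.0.0/24 is assumed from the page's examples; the sample log is constructed, and 203.0.113.5 is a documentation address standing in for an outside client.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable, Iterator, Tuple

# LAN range, assumed to be the 192.168.0.0/24 network used in the page's examples.
LAN_NETWORK = ipaddress.ip_network("192.168.0.0/24")

# MailLog.TXT POP3 record, as shown on the page:
#   05.15.2000 13:45:45 00D1: POP3: connection from:192.168.0.22
POP3_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<session>[0-9A-Fa-f]+): "
    r"POP3: connection from:\s*(?P<ip>\S+)$"
)


def pop3_connections(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (timestamp, ip) for every POP3 connection record; other lines are skipped."""
    for line in lines:
        m = POP3_RE.match(line.strip())
        if m:
            yield f"{m['date']} {m['time']}", m["ip"]


def foreign_pop3_sources(lines: Iterable[str], lan=LAN_NETWORK) -> Counter:
    """Count POP3 connection attempts per address that is outside the LAN range."""
    counts: Counter = Counter()
    for _ts, ip in pop3_connections(lines):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            counts[ip] += 1  # unparsable address column: surface it rather than drop it
            continue
        if addr not in lan:
            counts[ip] += 1
    return counts


# Constructed sample: two LAN reads, one non-POP3 line (SMTPR prefix shortened as on
# the page) and two attempts from an outside address.
SAMPLE_MAIL_LOG = """\
05.15.2000 13:45:45 00D1: POP3: connection from:192.168.0.22
05.15.2000 13:46:02 00D2: SMTPR: from:
05.15.2000 13:47:10 00D3: POP3: connection from:203.0.113.5
05.15.2000 13:47:41 00D4: POP3: connection from:203.0.113.5
05.15.2000 13:48:00 00D5: POP3: connection from:192.168.0.7
"""

if __name__ == "__main__":
    for ip, n in foreign_pop3_sources(SAMPLE_MAIL_LOG.splitlines()).most_common():
        print(f"{ip:<15} {n} POP3 connection(s) from outside the LAN")
```

Remember the caveat from the text: when Proxy+ receives mail for a whole domain, foreign addresses are expected in the SMTPR records, but a POP3 connection from outside the LAN is still worth checking, since reading mail should be restricted to local clients by the Security\General\Check security on POP3 connections setting.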