Table of Contents

What is a Proxy?
SOCKS Proxying
HTTP Proxying
BNC Proxying
Securing your Computer
Making a Strong Password
Local Area Interface
What's wrong with Wingate?
Useful Links
What is a Proxy?

A proxy server is one method for sharing your Internet connection. A proxy has two functions: cache and gateway. We'll talk about three kinds of proxying technologies currently available for IRC: SOCKS, HTTP, and BNC.
SOCKS Proxying

The SOCKS protocol (RFC1928) comes in versions 4 and 5. Only SOCKS v5 has password authentication; SOCKS v4 depends on other firewall settings (such as ipchains) to control access. On Windows, Deerfield Wingate is a popular proxying package that hosts a SOCKS server on a user's computer. It is easily misconfigured, and a misconfigured installation gives strangers proxy access. All insecure SOCKS proxies are banned on GalaxyNet. If you are one of the victims, please read here.
HTTP Proxying

HTTP proxying has been supported in mIRC since version 5.81, and has been popular among other Internet groups such as ISPs wanting to save bandwidth. However, since it was introduced to IRC, this protocol has given malicious users a way to flood IRC channels. Unfortunately, 99% of public proxies have no password authentication, due to the nature of the World Wide Web: as anonymous as possible. Standard TCP ports: 80, 3128, 8080, 8888. All insecure HTTP proxies are banned on GalaxyNet. If you are one of the victims, please read here.
BNC Proxying

This is the secure proxy for IRC. This type of proxy has no standard ports: users with a shell account install BNC software and configure the passwords and ports themselves. This is not a free service. If your BNC host is banned with an insecure-proxy message, it is likely that there is also an insecure proxy running on it.
Securing your Computer

If you are a server administrator, please configure your proxy to bind to the local area interface only. If you must bind to the Internet interface, restrict access to certain IPs and require password authentication. Avoid using SOCKS v4.

If you are an MS Windows 98SE, ME, 2000, or XP user, please take note that Internet Connection Sharing (ICS) can be misconfigured to accept proxy connections! The easiest fix is to disable ICS. Go to Network Settings (or right-click Network Neighborhood/My Network Places and click Properties), select the connection, and open Properties -> Sharing tab. Remove any ICS mappings for TCP ports 1080 (SOCKS), 3128 (HTTP proxy), and 8080 (HTTP proxy); they are not there by default.

If you have a hardware firewall, block ports 1080, 3128, and 8080 from the Internet side.

If you are a user and know that you are using a proxy to connect to GalaxyNet, please consider buying a BNC/shell account, because you never know who is watching every word you type.

If you use the software Wingate, please read here.
Making a Strong Password

Assume that a brute-force attack (guessing passwords from A to Z and 0 to 9: AAAA, AAAB, AAAC, ... ZZZZ) processes one million passwords per second. How complex should your password be?

The answer is: 8 mixed characters. That gives 6,095,689,385,410,816 (about 6 quadrillion) possible combinations if you use A to Z, a to z, 0 to 9, and all the printable punctuation marks. Therefore it would take 193 years to crack, which is effectively impossible.

Do not use one single thing to make up your password, for example your favorite color, your birthdate, or your favorite pet's name.

Do not just change O to 0 or I to 1. Password-guessing software knows those tricks.

Here are the numbers of possible combinations for each mix of character types (8 characters long):

One alphabet case only = 208,827,064,576 (2.5 days to get)
Two alphabet cases = 53,459,728,531,456 (1.7 years to get)
Two alphabet cases and digits = 218,340,105,584,896 (6.92 years)
Two alphabet cases, digits, and all punctuation marks = 6,095,689,385,410,816 (193 years)
Printable and high-ASCII characters = 5,899,616,690,476,974,336 (187 millennia)

Good examples of passwords (do not use them as your own passwords, though):

Source: "I found the value of Pi with Calculus"
Password: IftvoPwC
(It takes 1.7 years to get a password consisting of only 8 letters.)

Source: "America has a 25 cents - the quarter"
Password: Aha25ct¼
(187 millennia to get this password.)
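As an added example (not code from the original page), the Python script below reproduces the arithmetic of the table above: it finds the smallest character tier that covers a password, raises the tier size to the password length, and divides by the page's assumed one million guesses per second. The tier names and the day/year/millennia formatting are my own; the set sizes (26, 52, 62, 94 and 222) are the ones the table's figures imply.

```python
# Added example: brute-force search space for the character tiers in the
# table above, at the page's assumed rate of one million guesses per second.
import string

HIGH_ASCII = "".join(chr(c) for c in range(128, 256))  # 128 high-ASCII codes
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94
# (name, charset): the first tier that covers every character of the
# password is the smallest set a brute-forcer has to enumerate.
TIERS = [
    ("one alphabet case", string.ascii_lowercase),                          # 26
    ("one alphabet case", string.ascii_uppercase),                          # 26
    ("two alphabet cases", string.ascii_letters),                           # 52
    ("two alphabet cases and digits", string.ascii_letters + string.digits),  # 62
    ("printable (letters, digits, punctuation)", PRINTABLE),                # 94
    ("printable and high-ASCII", PRINTABLE + HIGH_ASCII),                   # 222
]
GUESSES_PER_SECOND = 1_000_000

def tier_for(password):
    """Name and size of the smallest tier containing every character."""
    for name, charset in TIERS:
        if all(ch in charset for ch in password):
            return name, len(charset)
    raise ValueError("character outside the page's model (e.g. Unicode)")

def search_space(password):
    """Number of candidates a brute-forcer must try: size ** length."""
    _, size = tier_for(password)
    return size ** len(password)

def seconds_to_crack(space, rate=GUESSES_PER_SECOND):
    return space / rate

def human_time(seconds):
    """Rough figure in the table's own units: days, years or millennia."""
    year = 365.25 * 86400
    if seconds < 30 * 86400:
        return f"{seconds / 86400:.1f} days"
    if seconds < 1000 * year:
        return f"{seconds / year:.1f} years"
    return f"{seconds / (1000 * year):.0f} millennia"

if __name__ == "__main__":
    # The page's two sample passwords plus an all-lowercase one for contrast.
    for pw in ("IftvoPwC", "Aha25ct\u00bc", "password"):
        name, size = tier_for(pw)
        space = search_space(pw)
        print(f"{pw}: {name}, {size}^{len(pw)} = {space:,}, "
              f"{human_time(seconds_to_crack(space))}")
```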
Local Area Interface

The following IP address ranges are private and only work on local area networks. Please bind your personal/family proxy only to this interface to reduce possible access from the public Internet.

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
(RFC1918)
What's wrong with Wingate?

The 2.X versions of Wingate are infamous for the security problems that they can cause. The problem is not that the program is bad, but that it is easily misconfigured.

The 3.X versions of Wingate use a different technology that makes them function more like a NAT-based router, and can be more secure than the 2.X versions. The 3.X Home version uses only the newer NAT-like method, and can't be misconfigured. But the 3.X Standard and Pro versions allow the user to also use the older, pure proxy-based method, which can be misconfigured like the 2.X version.
How to prevent myself from making an Insecure Proxy in Wingate?

The following "how-to" information applies primarily to Wingate 2.X and 3.X Standard and Pro versions. But the precautions are applicable to any proxy server that requires that you set your Internet applications (web browser, email, etc.) to use a proxy:
Point 1: Don't enable any more proxy services than necessary

Web browsing requires only an HTTP or WWW service. Once you have an HTTP service successfully running, you can use the Wingate help files to enable more services. Unless you have fairly sophisticated needs you probably won't need to enable anything beyond the following services (in addition to the HTTP/WWW service you've already enabled):

POP3 Proxy service - For incoming email.
SMTP mapping service - For outgoing email.
NNTP mapping service - For newsgroup access.
RealAudio Proxy service - If you use this service.
VDOLive Proxy service - If you use this service.

Installation of the following services is not recommended unless you know what you are doing. Improper configuration of these services can open your system (and your ISP's network) to unauthorized users, cause problems for your ISP, or both! The services with a high capability of damage are indicated with a .

FTP Proxy service - Needed if you run an FTP server to transfer files between your computer and Web site, or maybe if you are using some FTP client programs. (Note! You don't need to enable this service to FTP files to your computer using your Web browser.) If you do enable this service, don't allow anonymous FTP unless you really need to!

Telnet Proxy service - Allows connection to another computer to run programs and access files. This service also allows users to Telnet to your computer. However, you need to be running a Telnet service on your computer, and Windows 95/98 does not provide one. If you do enable this service, require anyone Telneting into your computer to have their own password!

DNS service - Needed only if you want to run a DNS server on your LAN. Wingate recommends that you install a DNS server for any of four reasons:
1) You want to use SOCKS4 to access FTP or Gopher or HTTPS URLs in a browser.
2) You want to run some other SOCKS4-capable software.
3) You have a large LAN and you want name resolution for the machines on your LAN.
4) You want to be able to refer to 'wingate' in your client setup.
I recommend not installing this service.

DHCP service - This service automatically assigns IP addresses to machines on your network. You must have a separate LAN, i.e. two NICs in the machine connected to the cable modem, and you must properly configure this service. If you don't follow the two musts above, expect to hear from your ISP, either before or after they disconnect you for interfering with the DHCP servers that they use to run their network!

The basic rule of keeping things as simple as possible will serve you well and keep your network protected.
Point 2: Control where the Proxy can be accessed from

To take care of point two, follow the "Option 1" directions on the Wingate security page. What this will do is set Wingate so that it only allows service to requests from computers that are on the local (192.168.*) subnet.

If you don't secure your site, unknown users will be able to access your proxy server for HTTP/WWW service. Although you might not think this level of service would be harmful, remember that lots of different things (Javascript, Java applets, multimedia files) can be transferred using the HTTP protocol. Even if this does no harm, do you really want your proxy server to be serving users you don't even know, coming from who knows where?
Point 3: Shut it off when you're not using it.

Wingate defaults to starting up every time you boot your machine. It runs as a service, not a program, so you won't see it in the Windows Task bar or even in the "Close Program" dialog box. The latest version (2.1d as of this writing) puts up a pop-up when it starts, but earlier versions don't announce they've started.

If you don't want Wingate to start when you boot your system, create a Windows shortcut to the "Stop WinGate Engine" icon that you'll find in the C:\Windows\Start Menu\Programs\Wingate 2.1 folder and move it to the C:\Windows\Start Menu\Programs\StartUp folder. If you've done this properly, you'll see a "Wingate Stopped" dialog box pop up when you boot the system. You can then start Wingate when you want to via the "Start WinGate Engine" icon in the Start Menu (contained in the Programs\Wingate 2.1 folder).

If you're comfortable editing the Windows Registry, you can delete the "WinGate Service" key in the registry branch:
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

NOTE! Improperly editing the Registry can leave your computer inoperable! You may want to export that branch of the registry before you delete the key. That way, you'll be able to restore the Wingate auto-start key to the Registry by just double-clicking on the exported file.
Point 4: Set up and check the logs.

When you installed Wingate you let it install a logging service. The logs are located at:
C:\Program Files\Wingate\Logs

If you have properly secured your site, then when you read the logs (Notepad or Wordpad work fine) you should see service requests only from IP addresses or computer names that are in your network. If you see entries from any other addresses, then unknown people are accessing your proxy server. You should shut off the offending service or just shut down Wingate until you can correct the problem.

If you've followed the process I've outlined, you really won't need to check your logs, since your site is properly secured. But if you enable more services, it's a good idea to check the logs occasionally to make sure no unauthorized people are accessing your system.
(Practically Networked. "Securing a Proxy Server." INT Media Group, Inc. http://www.practicallynetworked.com/sharing/secureproxy.htm)
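Added example (not code from the page, from Wingate or from the quoted article): a Python check for the two pieces of advice that both rest on the RFC1918 list under Local Area Interface, the bind-to-the-local-interface rule under Securing your Computer and the log review in Point 4. The sample log lines and their column layout are constructed assumptions, not real Wingate output.

```python
# Added example: check a proxy bind address and proxy log entries against
# the RFC1918 ranges listed on this page. The log format is constructed.
import ipaddress
import re

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Dotted quad that is not embedded in a longer dotted or numeric token.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def is_private(addr):
    """True if addr lies inside one of the three RFC1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def safe_bind_address(addr):
    """A personal proxy should listen on a LAN (or loopback) address only;
    0.0.0.0 or a public address exposes it to the whole Internet."""
    return ipaddress.ip_address(addr).is_loopback or is_private(addr)

def client_address(line):
    """First valid IPv4 address in a log line, or None for entries that
    name the client by computer name instead."""
    for candidate in IPV4.findall(line):
        try:
            ipaddress.ip_address(candidate)
            return candidate
        except ValueError:   # e.g. 300.1.1.1 matches the regex but is invalid
            continue
    return None

def foreign_entries(lines):
    """(address, line) pairs whose client is outside the private ranges."""
    return [(addr, line) for line in lines
            if (addr := client_address(line)) is not None
            and not is_private(addr)]

# Constructed sample log (not real Wingate output); 203.0.113.0/24 is a
# documentation range and 172.32.0.1 sits just outside 172.16/12.
SAMPLE_LOG = """\
1999/05/12 20:14:03 WWW    192.168.0.12    GET http://www.galaxynet.org/
1999/05/12 20:14:09 SOCKS  10.0.1.5        CONNECT irc.galaxynet.org:6667
1999/05/12 20:15:41 WWW    203.0.113.45    GET http://www.example.com/
1999/05/12 20:16:02 SOCKS  172.31.255.254  CONNECT irc.galaxynet.org:6667
1999/05/12 20:16:30 SOCKS  172.32.0.1      CONNECT irc.galaxynet.org:6667
1999/05/12 20:17:12 POP3   workstation2    USER jdoe"""

if __name__ == "__main__":
    for addr, line in foreign_entries(SAMPLE_LOG.splitlines()):
        print("non-local client", addr, "->", line)
```

Any address the script flags should be treated the way Point 4 describes: stop the offending service, or stop the proxy, until the access restriction is fixed.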