# Method on Slash's DB object (Slash::DB::MySQL). It relies on Slash's
# getCurrentStatic()/getCurrentSkin(), Slash::Custom::ParUserAgent (a
# subclass of LWP::Parallel::UserAgent), HTTP::Request and Time::HiRes,
# and on a package-level "our $_proxy_port;" so that local() below works.
sub checkForOpenProxy {
    my($self, $ip) = @_;

    # If we weren't passed an IP address, default to whatever
    # the current IP address is.
    if (!$ip && $ENV{GATEWAY_INTERFACE}) {
        my $r = Apache->request;
        $ip = $r->connection->remote_ip if $r;
    }

    # If we don't have an IP address, it can't be an open proxy.
    return 0 if !$ip;

    # Known secure IPs also don't count as open proxies.
    my $constants = getCurrentStatic();
    my $gSkin = getCurrentSkin();
    my $secure_ip_regex = $constants->{admin_secure_ip_regex};
    return 0 if $secure_ip_regex && $ip =~ /$secure_ip_regex/;

    # If the IP address is already one we have listed, use the
    # existing listing.
    my $port = $self->getKnownOpenProxy($ip);
    if (defined $port) {
        #print STDERR scalar(localtime) . " cfop no need to check ip '$ip', port is '$port'\n";
        return $port;
    }
    #print STDERR scalar(localtime) . " cfop ip '$ip' not known, checking\n";

    # No known answer; probe the IP address and get an answer.
    my $ports = $constants->{comments_portscan_ports} || '80 8080 8000 3128';
    my @ports = grep /^\d+$/, split / /, $ports;
    return 0 if !@ports;
    my $timeout = $constants->{comments_portscan_timeout} || 5;
    my $connect_timeout = int($timeout/scalar(@ports)+0.2);
    my $ok_url = "$gSkin->{absolutedir}/ok.txt";
    my $pua = Slash::Custom::ParUserAgent->new();
    $pua->redirect(1);
    $pua->max_redirect(3);
    $pua->max_hosts(scalar(@ports));
    $pua->max_req(scalar(@ports));
    $pua->timeout($connect_timeout);
    #use LWP::Debug;
    #use Data::Dumper;
    #LWP::Debug::level("+trace"); LWP::Debug::level("+debug");
    my $start_time = Time::HiRes::time;
    local $_proxy_port = undef;

    # Called by the parallel UA once per completed request; a body of
    # exactly "ok\n" fetched *through* $ip:$port means that port relays.
    sub _cfop_callback {
        my($data, $response, $protocol) = @_;
        #print STDERR scalar(localtime) . " _cfop_callback protocol '$protocol' port '$_proxy_port' succ '" . ($response->is_success()) . "' data '$data' content '" . ($response->is_success() ? $response->content() : "(fail)") . "'\n";
        if ($response->is_success() && $data eq "ok\n") {
            # We got a success, so the IP is a proxy.
            # We should know the proxy's port at this
            # point; if not, that's remarkable, so
            # print an error.
            my $orig_req = $response->request();
            $_proxy_port = $orig_req->{_slash_proxytest_port};
            if (!$_proxy_port) {
                print STDERR scalar(localtime) . " _cfop_callback got data but no port, protocol '$protocol' port '$_proxy_port' succ '" . ($response->is_success()) . "' data '$data' content '" . $response->content() . "'\n";
            }
            $_proxy_port ||= 1;
            # We can quit listening on any of the
            # other ports that may have connected,
            # returning immediately from the wait().
            # So we want to return C_ENDALL. Except
            # C_ENDALL doesn't seem to _work_, it
            # crashes in _remove_current_connection.
            # Argh. So we use C_LASTCON.
            return LWP::Parallel::UserAgent::C_LASTCON;
        }
        #print STDERR scalar(localtime) . " _cfop_callback protocol '$protocol' succ '0'\n";
    }

    #print STDERR scalar(localtime) . " cfop beginning registering\n";
    for my $port (@ports) {
        # We switch to a new proxy every time thru.
        $pua->proxy('http', "http://$ip:$port/");
        my $req = HTTP::Request->new(GET => $ok_url);
        $req->{_slash_proxytest_port} = $port;
        #print STDERR scalar(localtime) . " cfop registering for proxy '$pua->{proxy}{http}'\n";
        $pua->register($req, \&_cfop_callback);
    }
    #print STDERR scalar(localtime) . "pua: " . Dumper($pua);
    my $elapsed = Time::HiRes::time - $start_time;
    my $wait_timeout = int($timeout - $elapsed + 0.5);
    $wait_timeout = 1 if $wait_timeout < 1;
    $pua->wait($wait_timeout);
    #print STDERR scalar(localtime) . " cfop done with wait, returning " . (defined $_proxy_port ? 'undef' : "'$port'") . "\n";
    $_proxy_port = 0 if !$_proxy_port;
    $elapsed = Time::HiRes::time - $start_time;

    # Store this value so we don't keep probing the IP.
    $self->setKnownOpenProxy($ip, $_proxy_port, $elapsed);
    return $_proxy_port;
}
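What the Perl above actually does on the wire, re-implemented in Python as an added example (not Slash's code) so it can be run offline: for each candidate port the prober asks the visitor's IP to act as an HTTP forward proxy for the site's own ok.txt, and a port that hands back exactly "ok\n" is an open relay. Assumptions, all hypothetical: an in-memory dict stands in for getKnownOpenProxy/setKnownOpenProxy, the site's ok.txt is at http://example.test/ok.txt, a thread pool replaces LWP::Parallel::UserAgent (the first success wins, as with C_LASTCON, but the other probes are allowed to finish), and the two handler classes are constructed test doubles for an open proxy and for an ordinary origin server on loopback.

```python
import re
import socket
import threading
from concurrent.futures import ThreadPoolExecutor, as_completed
from concurrent.futures import TimeoutError as FuturesTimeout
from http.client import HTTPConnection, HTTPException
from http.server import BaseHTTPRequestHandler, HTTPServer

OK_BODY = b"ok\n"                       # exact content of the site's /ok.txt
DEFAULT_PORTS = (80, 8080, 8000, 3128)  # same defaults as comments_portscan_ports
_known_open_proxies = {}                # hypothetical stand-in for the DB table


def probe_port(ip, port, ok_url, connect_timeout):
    """True if ip:port relays a GET for ok_url and hands back OK_BODY.

    An absolute URI in the request line is how a client addresses an HTTP
    forward proxy (http.client derives the Host: header from it).  A host that
    is not proxying refuses, errors, or serves its own content instead.
    """
    conn = HTTPConnection(ip, port, timeout=connect_timeout)
    try:
        conn.request("GET", ok_url)
        resp = conn.getresponse()
        body = resp.read(len(OK_BODY) + 1)   # +1 so "ok\n..." does not match
        return resp.status == 200 and body == OK_BODY
    except (OSError, HTTPException):
        return False
    finally:
        conn.close()


def check_for_open_proxy(ip, ok_url, ports=DEFAULT_PORTS, timeout=5.0,
                         secure_ip_regex=None):
    """First port on ip that acts as an open proxy, else 0 (verdict cached)."""
    if not ip:
        return 0
    if secure_ip_regex and re.search(secure_ip_regex, ip):
        return 0
    if ip in _known_open_proxies:          # cached answer, no new scan
        return _known_open_proxies[ip]
    ports = [p for p in ports if isinstance(p, int) and 0 < p < 65536]
    if not ports:
        return 0
    connect_timeout = timeout / len(ports) + 0.2   # same split as the Perl
    found = 0
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        futures = {pool.submit(probe_port, ip, p, ok_url, connect_timeout): p
                   for p in ports}
        try:
            for fut in as_completed(futures, timeout=timeout + 1):
                if fut.result():
                    found = futures[fut]   # first port that relayed wins
                    break
        except FuturesTimeout:
            pass                           # overall timeout counts as "no proxy"
    _known_open_proxies[ip] = found        # cache 0 as well, like setKnownOpenProxy
    return found


class _OpenProxyHandler(BaseHTTPRequestHandler):
    """Constructed test double: a forward proxy that relays any absolute-URI GET."""
    def do_GET(self):
        if self.path.startswith("http://") and self.path.endswith("/ok.txt"):
            self.send_response(200)
            self.send_header("Content-Length", str(len(OK_BODY)))
            self.end_headers()
            self.wfile.write(OK_BODY)       # what the relayed ok.txt would contain
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass


class _OriginOnlyHandler(BaseHTTPRequestHandler):
    """Constructed test double: a normal web server that refuses to relay."""
    def do_GET(self):
        self.send_error(400 if self.path.startswith("http://") else 404)

    def log_message(self, *args):
        pass


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0: kernel picks a free one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Probe loopback with one open proxy, one plain origin and one closed port."""
    proxy, origin = _serve(_OpenProxyHandler), _serve(_OriginOnlyHandler)
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    closed_port = s.getsockname()[1]     # bound then released: nobody listens there
    s.close()
    ok_url = "http://example.test/ok.txt"   # hypothetical site URL
    try:
        _known_open_proxies.clear()
        ports = (origin.server_port, closed_port, proxy.server_port)
        first = check_for_open_proxy("127.0.0.1", ok_url, ports)
        cached = check_for_open_proxy("127.0.0.1", ok_url, ports=())  # from cache
        _known_open_proxies.clear()
        no_proxy = check_for_open_proxy("127.0.0.1", ok_url, (origin.server_port, closed_port))
        return {"proxy_port": proxy.server_port, "first": first,
                "cached": cached, "no_proxy": no_proxy}
    finally:
        for srv in (proxy, origin):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Two points the code makes concrete: the verdict is tied to the content of a URL only the site controls, so a host that merely answers on port 80 is not flagged; and a 0 is cached just like a hit, which is why a visitor is probed once and not on every comment.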
(Score: 1) by datapharmer on Wednesday April 09 2014, @11:20PM
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @03:13AM
B is actually a really good idea. If you've been following the news lately, you know:
surfing the public web on a device = that device may as well belong to the NSA.
And if you trust the NSA, fine -- what about other governments? Do you trust the Chinese intelligence/military?
OK, let's say you're really trusting, you trust any government, because they're the government. Fine! But governments don't have a monopoly on zero-day exploits, they just have more of them. Online criminals are getting more organized, and the more they succeed the more money they'll have to reinvest in finding and stockpiling zero-days.
You mention your "secure networks" so I assume you actually have stuff you want to keep safe on them, or maybe even stuff your customers want to keep safe. So secure that you have some pretty aggressive firewall rules to help. Good idea, by the way, although it will mostly just help keep the logs clean. People with access to botnets (i.e., organized cybercriminals, i.e., your MAIN threat if you are a "normalish" site that is not interesting to governments and also not vulnerable to script kiddies because you do the basic stuff -- decent passwords, stay up to date on security patches) will still be able to portscan you anyway, by using a uniquely different zombie machine for every connection they [attempt to] open to your machine.
So maybe you should be using a separate device for browsing the public web. A web browser executing on a machine that can't access anything sensitive. Anything less is the same as putting extra locks on the doors but not putting bars on the windows... in a neighborhood where break-ins mostly happen through windows.
It doesn't have to be your phone. If you can't afford to partially dedicate an old machine for websurfing, use a VM. It's less secure than using a physical machine, but much more secure than doing nothing and running your web browser on your sensitive machine directly -- the attacker needs 2 independent zero-days instead of 1. Pick your hypervisor based on researching which one seems to have the smallest history of VM breakout exploits. Keep browser and hypervisor constantly up to date regarding security patches.
I admit I don't do that either. But at least I feel guilty about it, heh :-)
And I'm not safeguarding something on my network as important as it sounds like you are.
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @03:22AM
Also, just use a VPN. The scan won't hit your corporate firewall.