Hardening guide for Squid 3.1.8 on CentOS 5.5

1.      Log in to the server using the root account.
2.      Create a new account:
groupadd squid
useradd -g squid -d /var/spool/squid -s /sbin/nologin squid
3.      Install the following RPM files from the CentOS DVD:
rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
rpm -ivh glibc-headers-2.5-49.i386.rpm
rpm -ivh glibc-devel-2.5-49.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh cpp-4.1.2-48.el5.i386.rpm
rpm -ivh gcc-4.1.2-48.el5.i386.rpm
rpm -ivh libstdc++-devel-4.1.2-48.el5.i386.rpm
rpm -ivh gcc-c++-4.1.2-48.el5.i386.rpm
4.      Download the latest Squid source files from:
http://www.squid-cache.org/Versions/
5.      Copy the Squid source files into /tmp using SCP (or PSCP).
6.      Move to /tmp
cd /tmp
7.      Extract Squid source file:
tar zxvf squid-3.1.8.tar.gz
8.      Move to the Squid source folder:
cd /tmp/squid-3.1.8
9.      Run the commands below to compile Squid from the source files:
./configure --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid --with-default-user=squid --sysconfdir=/etc/squid --datarootdir=/usr/share/squid --enable-http-violations
make all
make install
10.  Move one folder up and remove the Squid source files and the default content:
cd ..
rm -rf /tmp/squid-3.1.8
rm -f /tmp/squid-3.1.8.tar.gz
rm -rf /usr/share/squid/man
rm -f /etc/squid/cachemgr.conf.default
rm -f /etc/squid/errorpage.css.default
rm -f /etc/squid/mime.conf.default
rm -f /etc/squid/msntauth.conf.default
rm -f /etc/squid/squid.conf.default
rm -f /etc/squid/squid.conf.documented
11.  Change ownership and permissions on the log folder:
chown squid:root /var/log/squid
chmod 770 /var/log/squid
12.  Edit the file /etc/squid/squid.conf using vi and add the following lines to the end of the file:
cache_access_log /var/log/squid/access.log
cache_store_log none
shutdown_lifetime 1 second
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
visible_hostname server1
maximum_object_size 4096 KB
minimum_object_size 1 KB
dns_nameservers DNS_value
client_lifetime 360 minutes
pconn_timeout 360 minutes
Note 1: Replace “server1” with the DNS name of the Squid server.
Note 2: Replace “DNS_value” with the IP addresses of the DNS servers.
13.  Run the command below to initialize Squid:
/usr/sbin/squid -z
14.  To start the Squid service manually, run the command below:
/usr/sbin/squid
15.  To start the Squid service at server startup, add the command below to the /etc/rc.local file:
/usr/sbin/squid
16.  Uninstall the following RPMs:
rpm -e gcc-c++-4.1.2-48.el5
rpm -e libstdc++-devel-4.1.2-48.el5
rpm -e gcc-4.1.2-48.el5
rpm -e cpp-4.1.2-48.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-49
rpm -e glibc-headers-2.5-49
rpm -e kernel-headers-2.6.18-194.el5
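The steps above leave no way to confirm that the hardening actually took effect on a given host. The script below is an added example, not part of the original guide, that checks the two settings a reviewer would verify first: the directives from step 12 that disable ICP/HTCP, hide the client address and strip unlisted request headers, and the log-directory ownership and mode from step 11. The file paths are assumptions that match the guide's defaults, the squid uid is resolved at run time, and the optional final syntax check simply asks the installed Squid binary to parse the file.

```shell
#!/bin/sh
# Added example, not part of the original guide: a post-install check that
# verifies the hardening settings from steps 11 and 12 actually took effect.
# Paths passed on the command line are assumptions matching the guide's
# defaults (/etc/squid/squid.conf, /var/log/squid).

# Directives step 12 adds that disable ICP/HTCP, hide the client address and
# strip every request header not on the allow list.
REQUIRED_DIRECTIVES='cache_store_log none
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
forwarded_for off
request_header_access All deny all'

# check_squid_conf FILE
# Prints each required directive that is absent (a commented-out copy does not
# count) and flags the guide's placeholder values; returns 0 only if all is well.
check_squid_conf() {
    conf="$1"
    problems=0
    [ -r "$conf" ] || { echo "MISSING FILE: $conf"; return 1; }
    while IFS= read -r directive; do
        [ -z "$directive" ] && continue
        # anchored at both ends so "# icp_port 0" or "icp_port 0 extra" do not match
        if ! grep -qE "^[[:space:]]*${directive}[[:space:]]*$" "$conf"; then
            echo "MISSING: $directive"
            problems=$((problems + 1))
        fi
    done <<EOF
$REQUIRED_DIRECTIVES
EOF
    # "server1" and "DNS_value" are the guide's placeholders; a deployed config
    # must carry the real hostname and resolver addresses instead.
    if grep -qE '^[[:space:]]*(visible_hostname[[:space:]]+server1|dns_nameservers[[:space:]]+DNS_value)[[:space:]]*$' "$conf"; then
        echo "PLACEHOLDER: visible_hostname or dns_nameservers still hold the guide's sample values"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# check_log_dir DIR UID GID MODE
# Step 11 sets /var/log/squid to squid:root 770; numeric ids are compared so
# the check does not depend on name lookups. Uses GNU stat (CentOS coreutils).
check_log_dir() {
    dir="$1"; want="$2 $3 $4"
    [ -d "$dir" ] || { echo "MISSING DIR: $dir"; return 1; }
    got=$(stat -c '%u %g %a' "$dir") || return 1
    if [ "$got" != "$want" ]; then
        echo "LOG DIR: expected 'uid gid mode' = '$want', got '$got'"
        return 1
    fi
}

# Stand-alone use: sh squid_check.sh /etc/squid/squid.conf /var/log/squid
if [ $# -eq 2 ]; then
    status=0
    check_squid_conf "$1" || status=1
    check_log_dir "$2" "$(id -u squid)" 0 770 || status=1
    # Let Squid itself parse the file when the binary is present.
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$1" || status=1
    fi
    [ "$status" -eq 0 ] && echo "all hardening checks passed"
    exit "$status"
fi
```

Run it after step 15 and again after step 16, since removing the compiler packages must not change the result; a non-zero exit with a MISSING or PLACEHOLDER line tells you which directive to revisit in step 12.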

The article can also be found at:
http://security-24-7.com/hardening-guide-for-squid-3-1-8-on-centos-5-5/

  • http://www.staff.ma emploimaroc

    Very interesting, thank you for the post!

  • http://www.tourismorocco.com albert

    I have tried this but it doesn't work :( Thanks, I think I have forgotten a thing! I will retry later.