Configure Multiple IP for Squid Proxy Server & hide Version and Hostname

Filed Under (Linux Tips, Security, Squid) by Milind on 04-02-2012

A proxy server is a computer system, or an application installed on a computer system, that acts as an agent or channel for requests from clients seeking resources from other servers. See this post for more information about installing and configuring Squid Proxy.

Now, after installation, when you check your IP on a site like whatismyip.com it will show that you are using a proxy, along with the hostname and version of the Squid proxy server, which is a security concern.

1) Hide Proxy version & server hostname


a) Hide Squid Version

Open “/etc/squid/squid.conf” in an editor like vim, search for “httpd_suppress_version_string” and enable it.

Change FROM:

#  TAG: httpd_suppress_version_string   on|off
#       Suppress Squid version string info in HTTP headers and HTML error pages.
#
#Default:
#httpd_suppress_version_string off

TO:

#  TAG: httpd_suppress_version_string   on|off
#       Suppress Squid version string info in HTTP headers and HTML error pages.
#
#Default:
httpd_suppress_version_string on


b) Hide Hostname

Search for “visible_hostname” and change FROM:

#  TAG: visible_hostname
#       If you want to present a special hostname in error messages, etc,
#       define this.  Otherwise, the return value of gethostname()
#       will be used. If you have multiple caches in a cluster and
#       get errors about IP-forwarding you must set them to have individual
#       names with this setting.
#
#Default:
# none

TO:

#  TAG: visible_hostname
#       If you want to present a special hostname in error messages, etc,
#       define this.  Otherwise, the return value of gethostname()
#       will be used. If you have multiple caches in a cluster and
#       get errors about IP-forwarding you must set them to have individual
#       names with this setting.
#
#Default:
visible_hostname <your desired hostname>

Replace <your desired hostname> with the name you want to show to the world.
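To confirm that both changes took effect, the following shell script (an added example, not from the original post) audits the headers a Squid proxy adds to a response for a version string and for the real hostname; the header samples and the names proxy01.corp.example and gateway are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the headers a Squid proxy
# adds to a response. Squid writes its version into the Via header (and into
# Server on its own error pages), e.g. "Via: 1.1 proxy01 (squid/3.1.10)", and
# the host name into Via and X-Cache. All header samples below are constructed.

# True (exit 0) if a Squid version string appears in proxy-added headers.
squid_version_leaks() {
    printf '%s\n' "$1" | grep -Eiq '^(via|server): .*squid/[0-9]'
}

# True (exit 0) if the real hostname ($2) appears in Via or X-Cache headers.
squid_hostname_leaks() {
    printf '%s\n' "$1" | grep -Ei '^(via|x-cache|x-cache-lookup): ' | grep -Fq "$2"
}

# Runs both checks and prints a one-line summary, e.g. "leaks:version,hostname".
audit_proxy_headers() {
    v=none; h=none
    squid_version_leaks "$1" && v=version
    squid_hostname_leaks "$1" "$2" && h=hostname
    printf 'leaks:%s,%s\n' "$v" "$h"
}

# For a live check against your own proxy: fetch_headers http://proxy:3128 http://example.com/
fetch_headers() { curl -sI -x "$1" "$2"; }

# Constructed: default squid.conf, version and gethostname() result exposed.
BEFORE='HTTP/1.0 200 OK
Server: Apache
Via: 1.1 proxy01.corp.example (squid/3.1.10)
X-Cache: MISS from proxy01.corp.example'

# Constructed: httpd_suppress_version_string on, visible_hostname gateway.
AFTER='HTTP/1.0 200 OK
Server: Apache
Via: 1.1 gateway (squid)
X-Cache: MISS from gateway'

audit_proxy_headers "$BEFORE" proxy01.corp.example   # leaks:version,hostname
audit_proxy_headers "$AFTER" proxy01.corp.example    # leaks:none,none
```

Even with both settings applied, the Via and X-Cache headers still reveal that a proxy is in use; the two directives only drop the version string and substitute the hostname.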


2) Configure Multiple IP for Squid

Sometimes the proxy server you have set up has multiple IP addresses and you want to configure Squid to use them (i.e. systems will show the secondary IP of the server instead of the primary). Open the Squid configuration file, search for “tcp_outgoing_address” and add the following:

acl ip1 myip <IP Address 1>
acl ip2 myip <IP Address 2>
tcp_outgoing_address <IP Address 1> ip1
tcp_outgoing_address <IP Address 2> ip2

Replace <IP Address 1> and <IP Address 2> with the IPs assigned to your proxy server.

Restart the Squid server with the command “service squid restart”.
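Before restarting, it is worth checking that every address named in the tcp_outgoing_address lines is really assigned to the host. The shell script below (an added example, not from the original post) does that check; the squid.conf fragment and the "ip -o -4 addr show" text it uses are constructed, as are the 192.0.2.x addresses.

```shell
#!/bin/sh
# Added example, not from the original post: check that every address used in
# tcp_outgoing_address lines is assigned to a local interface, because Squid
# cannot bind an outgoing socket to an IP the host does not own. The config and
# "ip -o -4 addr show" text below are constructed; on a real host run
#   check_outgoing_ips "$(cat /etc/squid/squid.conf)" "$(ip -o -4 addr show)"

# Prints the IP from each tcp_outgoing_address line in the config text.
outgoing_ips() {
    printf '%s\n' "$1" | awk '$1 == "tcp_outgoing_address" { print $2 }'
}

# Prints the IPv4 addresses from "ip -o -4 addr show" output (field 4 is a.b.c.d/len).
local_ips() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# Prints each outgoing IP that is not assigned locally; exit 0 when all are.
check_outgoing_ips() {
    conf="$1"; addrs="$2"; rc=0
    for ip in $(outgoing_ips "$conf"); do
        if ! local_ips "$addrs" | grep -Fxq "$ip"; then
            echo "not assigned locally: $ip"; rc=1
        fi
    done
    return $rc
}

# Constructed squid.conf fragment in the form used above: an "acl ... myip" line
# matches the proxy address a client connected to, and tcp_outgoing_address then
# uses that same address for the outgoing connection. The last line is a typo.
SQUID_CONF='acl ip1 myip 192.0.2.10
acl ip2 myip 192.0.2.11
tcp_outgoing_address 192.0.2.10 ip1
tcp_outgoing_address 192.0.2.11 ip2
tcp_outgoing_address 192.0.2.99 ip2'

# Constructed "ip -o -4 addr show" output: lo plus two addresses on eth0.
IP_ADDR_OUT='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0'

# Reports "not assigned locally: 192.0.2.99" for the constructed sample.
check_outgoing_ips "$SQUID_CONF" "$IP_ADDR_OUT" || echo "fix squid.conf before restarting squid"
```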

“QaasWall”- Opensource and Effective Firewall for Windows

Filed Under (Microsoft Windows, Security) by Milind on 30-01-2012

“QaasWall” is an open-source firewall for Windows which uses IP security policy (IPSec) to block IP addresses automatically, which means users do not need to make any effort other than running the setup on the server. The word “Qaas” in Arabic means tough, so the name reads as ToughWall. After installation all your previous rules (IPSec or firewall rules) are disabled, and it works in the layers described below:

1. It scans all the standard ports (DNS, MSSQL, MySQL, SMTP, POP3, HTTP, SSL and Sharing) on the server and saves its output in a file in the /temp directory, with the number of connections each IP address has to them.

2. Any IP that has more than 100 connections at the time of the scan is blocked using a Windows IP security policy named “Qaas Policy”. Any IP address that has already been blocked, is in the white list file or belongs to the server is ignored.

3. Currently QaasWall creates two scheduled tasks, QassWall and Qaas Empty: one scans the services every 5 minutes and the other delists IP addresses after 24 hours.

4. The IP remains blocked for 24 hours (max), after which Qaas releases the IP address. These settings can be changed by rescheduling the task.

QaasWall also has a white list file where you can add IPs that you want kept safe. Any IP that belongs to the server, is already blocked or is in the white list is ignored.

This firewall was developed by Eukhost Windows system administrator Martin to overcome the limitations of the Windows default firewall. He said, “I have been working on how to block IP addresses on Windows server for 2 years, due to the fact that Windows 2003 Server did not have any option in the default firewall to block a single IP address, and this is the reason I was curious to create something that would allow us to block a single IP address on the server. Then we found IP security policy, which looked a bit complicated and difficult to configure; however, we managed to master it in no time. We have always faced numerous attacks on our Windows servers, especially brute force attacks on the MSSQL master login “sa”, and it used to be a pain in the backside to block a single IP address every time. This was the only reason (or you can call it a desperate need) why QaasWall was brought to life.”

QaasWall Firewall can be downloaded from SourceForge.

KHOBE: New attack which can bypass EVERY Windows security product

Filed Under (Microsoft Windows, News, Security) by Milind on 11-05-2010

Software security researchers at matousec.com have developed a method which can bypass the protections built into many of the most popular anti-virus products, such as McAfee, Trend Micro, AVG, and BitDefender.

The attack, called KHOBE (Kernel HOok Bypassing Engine), works in a “bait-and-switch” style: it sends a file containing harmless code that passes the security product’s check, and as soon as it has passed, the code is swapped for malicious code. The attack works more efficiently on multi-core systems, because on a multi-core system one thread does not monitor the other threads running simultaneously, which makes the swap easier. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that would normally be blocked.

“We have performed tests with [most of] today’s Windows desktop security products,” the researchers wrote. “The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable.”

List of antivirus solutions which were tested by matousec.com and found vulnerable:

  • 3D EQSecure Professional Edition 4.2
  • avast! Internet Security 5.0.462
  • AVG Internet Security 9.0.791
  • Avira Premium Security Suite 10.0.0.536
  • BitDefender Total Security 2010 13.0.20.347
  • Blink Professional 4.6.1
  • CA Internet Security Suite Plus 2010 6.0.0.272
  • Comodo Internet Security Free 4.0.138377.779
  • DefenseWall Personal Firewall 3.00
  • Dr.Web Security Space Pro 6.0.0.03100
  • ESET Smart Security 4.2.35.3
  • F-Secure Internet Security 2010 10.00 build 246
  • G DATA TotalCare 2010
  • Kaspersky Internet Security 2010 9.0.0.736
  • KingSoft Personal Firewall 9 Plus 2009.05.07.70
  • Malware Defender 2.6.0
  • McAfee Total Protection 2010 10.0.580
  • Norman Security Suite PRO 8.0
  • Norton Internet Security 2010 17.5.0.127
  • Online Armor Premium 4.0.0.35
  • Online Solutions Security Suite 1.5.14905.0
  • Outpost Security Suite Pro 6.7.3.3063.452.0726
  • Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
  • Panda Internet Security 2010 15.01.00
  • PC Tools Firewall Plus 6.0.0.88
  • PrivateFirewall 7.0.20.37
  • Security Shield 2010 13.0.16.313
  • Sophos Endpoint Security and Control 9.0.5
  • ThreatFire 4.7.0.17
  • Trend Micro Internet Security Pro 2010 17.50.1647.0000
  • Vba32 Personal 3.12.12.4
  • VIPRE Antivirus Premium 4.0.3272
  • VirusBuster Internet Security Suite 3.2
  • Webroot Internet Security Essentials 6.1.0.145
  • ZoneAlarm Extreme Security 9.1.507.000
  • probably other versions of above mentioned software
  • possibly many other software products that use kernel hooks to implement security features

KHOBE can be loaded under a standard user account or an account with limited access, as the attack does not require administrator access to the system. However, it requires a large amount of code to be loaded on the targeted system, which makes it impractical for shellcode-based attacks that rely on speed and stealth. It can also only be initiated when an attacker already has the ability to run a binary on the system. The technique might be combined with an exploit for another piece of software, like a vulnerable version of Adobe Reader or Oracle’s Java Virtual Machine, to install malware without raising the suspicion of whatever anti-virus software the victim is using.
