FAQ
How to configure Proxy+ to be more secure
(Proxy+ 2.40 version related)
Question:
I want to be sure that my Proxy+
is configured to be secure. What can I check?
Answer:
By default Proxy+ 2.40
creates and uses the Insecure interfaces list automatically.
Most of services (FTP Telnet, SOCKS server) are disabled by default.
You have to check:
- whether the automatic detection of Insecure interfaces
works. Proxy+ creates a list of
dangerous interfaces during startup (when it is starting or restarting). Information about
interfaces is written into ProxyLog.TXT file. You should find there: list of active
intefaces, list of insecure interfaces and the state of insecure interfaces detection
routine. If there is any problem with detection of insecure interfaces appropriate message
is written to the ErrLog.TXT logfile too.
The autodetection of insecure interfaces will fail when you aren't using dialup connection
to the ISP and the operating system lacks of support for routing table lookups API. These
functions aren't included in Windows 95 and WindowsNT 4.0 with Service Pack 3 or lower.
It is possible (and recommended) to use Secure interfaces or Secure clients lists together
with Insecure interfaces list. You can find some examples there:
Secure Interfaces example
Secure clients example
- whether all unused Proxy+'s services are disabled to lower risc of attack in case the
security settings are configured improperly.
- whether the mail server doesn't allow mail relaying.
By default Proxy+'s mail server
(if it is enabled) allows relaying for messages those are sent from any IP address. It
means that anybody from the Internet can send the message through Proxy+'s mail server to non-local users (in another words message from
the Internet can be send back to the Internet). To avoid this you have to configure
"Mail/SMTP -> Enable relaying for these clients" option. If this list is not
empty only the listed IPs can send the messages out to the Internet. Other IPs can send
only messages which recipient is defined on Proxy+ (only messages sent to the local accounts are allowed).
Note: if you aren't using Proxy+
as an receiving SMTP server for Internet mail (you have no domain name registered
and PC with Proxy+ is not used
in appropriate MX record of domain or you didn't configure "Mail/SMTP
Domains") it is better to include the SMTP and the POP3 connections to the
Security settings ("Security/General -> Check security on
SMTP connection" and "Security/General -> Check
security on POP3 connection"). In this case all attempts to send the message
to the Proxy+'s mail server from
the Internet will be denied (if the Security settings will be correct, of course).
Related articles:
How to restrict mail
relaying - example
Other recommended settings:
- WWW Admin password
It is a good idea to set the WWW Admin password. Only the person that knows this
password will be able to access WWW Admin pages which allows to change the Proxy+'s settings.
You can define password for administrator on the page "Proxy
Settings/Administrator/General"
Related articles:
How to access the WWW Admin
interface when the password is lost
- Access List Rules
Access List Rules allows to create more complicated access rules for most of services (the
rules doesn't affect mail server (SMTP nor POP3) connection).
Related articles:
Access List Rules -
examples
Related links:
Art04126 - How to restrict
mail relaying - example
Art00911
- Secure Interfaces example
Art00912 - Security
settings (secure clients example)
Art02000 - How to access
the WWW Admin interface when the password is lost
Art00909 - Access List
samples