Linux how to articles and guides, PHP / MySQL / Python / Bash scripting, and music tips, tricks, and hacks

This is a pretty simple one and goes along with my last few posts about Squid. Sites like whatismyip.com will let you know if they detect a proxy, and other services might act strange if you’re behind a proxy — particularly music / movie streaming stuff. Since we’re not doing anything malicious here, we can just make Squid undetectable so those sites will just work “as they should”.

Throw this into your Squid config and restart squid to apply the changes (note that there are two blocks here depending on what version of squid you’re using — comment/uncomment accordingly):

# privacy stuff so squid is undetectable
via off
httpd_suppress_version_string    on
forwarded_for delete

# --- Squid 3.x section ---
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
## you just need the 'request_header_access' stuff for localhost squid setups,
## but the below might also come in handy for running a proxy on your local net
# reply_header_access Via deny all
# reply_header_access X-Forwarded-For deny all
# --- end Squid 3.x section ---

# --- Squid 2.x section ---
# header_access Via deny all
# header_access X-Forwarded-For deny all
# --- end Squid 3.x section ---

I haven’t tried this in a long time, but I used to run Squid3 at home on my pfSense router box (older Pentium 4 — worked great) and I just had the idea to use it on my laptop to speed up web browsing. It makes a HUGE difference and now pages look like they’re using AJAX for requests since the images and headers and stuff just stay put when moving between pages. RAM cache is monumentally faster than disk cache, and we’re just totally disabling disk caching / log files with this squid3 config.

To set this up, you’ll need to install squid3, set your web browser to use 127.0.0.1 (sometimes the POSIX standard of just ’0′ isn’t supported because some developers make crappy software that isn’t really POSIX) port 3128 as a proxy for HTTP (you could cache HTTPS too but IMO it’s not worth it for just general browsing), paste the stuff below at the bottom of your squid3 config file (/etc/squid3/squid.conf on Ubuntu 11.04 for me) and restart squid3 (/etc/init.d/squid3 restart).

I left most of the stuff default, but I disabled the log files and set the RAM cache down to 128 MB. You can adjust as necessary.

Update: Put some comments in to help with getting this working in Squid v2.x, disk cache, and making it work on your local network

## root@helios:/etc/squid3# egrep -v '^#' squid.conf |tr -s '\n'

## uncomment next line if using squid 2
#acl all src 0.0.0.0/0.0.0.0

## example of how to let your whole local 192.168.1.0/24 network use the cache
#acl localnet src 192.168.1.0/24
#http_access allow manager localnet
#http_access allow localnet

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 128 MB
maximum_object_size_in_memory 512 KB
memory_replacement_policy heap LFUDA
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

## disk cache stuff if you want
#cache_replacement_policy heap LFUDA
#cache_dir aufs /var/spool/squid 4096 16 256
#minimum_object_size 0 KB
#maximum_object_size 4096 KB
#cache_swap_low 90
#cache_swap_high 95

## disable all logging for better performance
access_log none
cache_store_log none
cache_log /dev/null

At a cafe I frequent, people aren’t very considerate of other wifi users. I usually sit there and code and browse blogs and news, but some people like to watch Netflix, Youtube, Amazon Prime streaming, and basically do other stupid high-bandwidth things. I should note that this cafe usually has at least 20 people with laptops, and we’re all sharing a ~6mbit DSL connection with about 128K upload (as in about 1/8th of one mbit).

When people at this cafe watch videos, it sucks for everyone. The internet there is already stupid slow with that many people just browsing Facebook. When you add video streams to the mix, it becomes unusable. Normal ping times to my current place of employment (about 30 miles away) are in the neighborhood of 2,000-5,000ms. When I press a single key in an SSH session to my co-located server, it takes a few seconds for that to show up on screen. This makes coding on a remote box or trying to debug basically anything impossible.

Of course, I like to implement solutions when I have a computer problem, and this is very much a computer problem. The solution is the awesome Aircrack-ng suite of tools. I used to be quite a bit more involved in the Aircrack-ng community (testing beta software, helping with driver issues, helping in IRC, etc), but there hasn’t been much new interesting stuff happening there in a while.

First, we need to identify who is abusing their free internet access. To do that, we’ll use Airodump-ng to inspect the network. We need to be able to parse the output, so we’ll write out a CSV file. There is actually another step before this (putting the interface into monitor mode or using patched WiFi drivers) which should be automatic, but is otherwise left as an exercise to the reader(you’ll need to go through that stuff and modify this script a bit if you’re using an Atheros chipset and/or the excellent MadWiFi drivers).
(( If you’re having driver problems, I feel bad for you son, I got 99 chipsets but Broadcom ain’t one ))

Next, we need to parse our CSV and grab the MAC of clients who are being stupid. We’ll set the “stupidity” threshold based on packet count over a defined period (I picked 5 seconds, you might need to play with this a bit). I picked 50 packets over a 5 second period as my threshold (again, YMMV — is easy to change). We use some fun AWK to get this info, then launch Aireplay-ng to inject our deauth frames, and we’ll also go ahead and spoof the MAC of the base station, because connected clients tend to ignore deauth frames not coming from there.

For added fun, you can run this on a cycle every few minutes:

while true; do bash script.sh; sleep $(($RANDOM / 50)); done

Most users will eventually just stop being stupid or leave in frustration, which I’ll also consider a win for us in this case.

Update: Video demo now up on YouTube.

Clicky kitty: