How to protect a proxy server from lawbreakers

They have: 3 posts

Joined: Apr 2005

Hello,
I have a proxy server that works with HTTP, POP3, and some other protocols. As you know, when a user connects to an Internet host via a proxy, the host "sees" the proxy's IP address, not the user's. Thus, if a lawbreaker attacks a web site, steals confidential information, or commits any other crime via a proxy server, the owner of the proxy may have problems, since the proxy's IP address will be in the logs of the attacked host.

So here are my questions:
1) What problems may a proxy server owner have?
2) How may a proxy owner protect himself and the proxy?
3) If the proxy keeps the IP addresses of the users in logs, may the logs help to protect the owner from any complaints?
4) How do other proxy server owners solve similar problems (especially the owners of numerous anonymous proxies)?

Any suggestions, ideas, or links will be greatly appreciated!

mairving

They have: 2,256 posts

Joined: Feb 2001

Is this an anonymous proxy?
If it is then there would be no way to control the way that someone uses it. You would probably have some liability if you failed to disclose information to the authorities.

If it isn't anonymous, then you should have some kind of AUP that they sign off on when they sign up, similar to the ones that many hosts use.

Personal opinion is that an anonymous proxy, while its purpose might be intended for good, is a bad idea. Just too much potential for misuse out there.

Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states

They have: 3 posts

Joined: Apr 2005

mairving wrote: Is this an anonymous proxy?

At present the proxy does not require authentication. I plan to add authentication in the future. The users can use the proxy only with proprietary client software, since the proxy is a non-standard proprietary proxy server and uses a non-standard protocol. When they install the client software they agree to my license agreement.
Thus I have some control over the users, but I don't know how it can provide 100% protection for me, since anyone can download and install the client software.

Quote: You would probably have some liability if you failed to disclose information to the authorities.

It is a very interesting question: how to avoid failing to disclose information to the authorities?

Quote: If it isn't anonymous, then you should have some kind of AUP that they sign off on when they sign up, similar to the ones that many hosts use.

As I said, the users must agree to an electronic license agreement to be able to install the client software, but as far as I know the agreement may only help when the users have any complaints against me, and the agreement may not help when anyone has attacked a server from my IP address.

They have: 3 posts

Joined: Apr 2005

mairving wrote: Is this an anonymous proxy?

Maybe my first answer was not very accurate.
So, technically speaking, my proxy server is not anonymous for the HTTP protocol. The proxy passes the HTTP_X_FORWARDED_FOR HTTP header to a web server when a user connects to the web server through the proxy. HTTP_X_FORWARDED_FOR contains the IP address of the user. Thus my proxy server is not anonymous by definition for the HTTP protocol. The problem is that web servers usually don't log the HTTP_X_FORWARDED_FOR header. I think the HTTP_X_FORWARDED_FOR header may scare away some hackers, since proxy checkers like http://www.all-nettools.com/toolbox show the user's real IP address when he uses my proxy, but that is not 100% protection because:
1) Some web servers (I think even most of them) don't log HTTP_X_FORWARDED_FOR.
2) HTTP_X_FORWARDED_FOR does not work for any other protocols. (Of course, HTTP is probably the most dangerous protocol for me.)
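
Since the destination may not record X-Forwarded-For and the header exists only for HTTP, the proxy's own connection log is what can tie a reported connection back to a client for every protocol. The following is an added example, not part of the thread or of the poster's software: it matches a complaint (destination and time) against a proxy log whose format, field order and sample values are all constructed for illustration.

```python
# Match an abuse complaint against a proxy's own connection log.
# The log format and every value below are constructed for this example.
from datetime import datetime, timedelta, timezone

# Constructed sample: session start, session end, client IP, protocol, destination
SAMPLE_LOG = """\
2005-04-12T10:00:05Z 2005-04-12T10:04:40Z 198.51.100.23 http www.example.org:80
2005-04-12T10:03:10Z 2005-04-12T10:03:55Z 203.0.113.7 http shop.example.com:80
2005-04-12T10:03:30Z 2005-04-12T10:09:02Z 203.0.113.7 pop3 mail.example.net:110
2005-04-12T10:20:00Z 2005-04-12T10:21:00Z 192.0.2.44 http shop.example.com:80
"""

def _ts(text):
    # Parse an ISO 8601 UTC timestamp with a trailing "Z".
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        start, end, client, proto, dest = parts
        try:
            yield {"start": _ts(start), "end": _ts(end), "client": client,
                   "proto": proto, "dest": dest.lower()}
        except ValueError:
            continue

def clients_for_complaint(log_text, dest, when, skew_seconds=120):
    """Return sessions to `dest` that were open at `when`.

    `when` comes from the complaining site, whose clock may differ from the
    proxy's, so each session window is widened by `skew_seconds` on both ends.
    """
    skew = timedelta(seconds=skew_seconds)
    moment = _ts(when)
    return [s for s in parse_log(log_text)
            if s["dest"] == dest.lower()
            and s["start"] - skew <= moment <= s["end"] + skew]

if __name__ == "__main__":
    hits = clients_for_complaint(SAMPLE_LOG, "shop.example.com:80", "2005-04-12T10:04:30Z")
    for s in hits:
        print(s["client"], s["proto"], s["start"].isoformat(), s["end"].isoformat())
```

The lookup only works if the proxy clock is synchronized (for example via NTP) and the log records both ends of each session; a larger skew tolerance returns more candidate clients, not a more certain one.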
