[squid-users] unknown source IP in access.log

Antony Stone Antony.Stone at squid.open.source.it
Wed Dec 14 15:25:32 UTC 2016


On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:

> Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
> source IPs. All those IPs seem to be originated from China. In my config
> file I deny all but local net IPs 10.0.0.0/24.

I suggest you show us your squid.conf (without comments or blank lines) 
because you do not seem to have achieved restricting source IPs as intended.

> Here is a sample of the log:
> 
> 1481728035.855      0 199.233.237.186 TAG_NONE/400 4534 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728035.952   1556 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728036.461    595 123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728036.993    749 123.207.123.80 TCP_MISS/200 819 POST http://wup.huya.com/ - HIER_DIRECT/180.208.65.100 application/multipart-formdata
> 1481728037.538   2307 122.227.189.214 TCP_MISS/200 764 POST http://webim.ganji.com/message/ImSendMsg? - HIER_DIRECT/124.251.6.233 text/html
> 1481728038.572   9372 74.222.20.124 TCP_MISS/502 3922 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
> 1481728038.573      0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728038.773   2528 118.89.21.244 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728039.162   1575 139.199.60.36 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728039.203    612 122.227.189.214 TCP_MISS/200 1182 POST http://mobapi.ganji.com/datashare/ - HIER_DIRECT/115.159.231.182 text/html
> 1481728039.615  51681 172.82.184.19 TCP_MISS/502 3806 GET http://115.231.17.12:9636/ - HIER_DIRECT/115.231.17.12 text/html
> 1481728039.615      0 172.82.184.19 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728040.311  36606 74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
> 1481728040.312      0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728041.477  67001 74.222.19.19 TCP_MISS/502 3802 GET http://61.155.5.197:9636/ - HIER_DIRECT/61.155.5.197 text/html
> 1481728041.478      0 74.222.19.19 TAG_NONE/400 4531 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728041.856  13613 172.82.190.245 TCP_MISS/502 3926 GET http://122.226.191.17:9636/ - HIER_DIRECT/122.226.191.17 text/html
> 1481728041.857      0 172.82.190.245 TAG_NONE/400 4533 NONE error:invalid-request - HIER_NONE/- text/html
> 
> I am worried about spam…

I would not call this spam - I would call it "people trying to abuse your 
proxy".

> is this normal?

It is normal that they try.  It is not normal that your access control rules 
allow them to get this far.

> if not, how can I know what is accessing squid and stop it.

You don't care what is accessing it - you only care that it's coming from the 
outside, and that should not be allowed.  Either or both of your Squid ACLs 
and your firewall rules need to be reviewed.

> NOTE: this server has a small iRedMail server installed on it.

What port/s does that listen on?  Is it intended to be externally accessible?


Regards,


Antony.

-- 
Wanted: telepath.   You know where to apply.

                                                   Please reply to the list;
                                                         please *don't* CC me.
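A quick check for the condition Antony points at (requests reaching Squid from clients outside the intended local network), added here as an example and not code from the thread. It assumes the default native access.log format and the 10.0.0.0/24 localnet stated in the question; the sample lines are three entries from the quoted log plus one constructed local-client line.

```python
import ipaddress
import re
from collections import Counter

# Native Squid access.log format ("logformat squid"):
#   time elapsed client action/code bytes method URL ident hierarchy/from type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Three lines from the quoted log plus one constructed line for a local client.
SAMPLE_LOG = [
    "1481728035.855      0 199.233.237.186 TAG_NONE/400 4534 NONE error:invalid-request - HIER_NONE/- text/html",
    "1481728035.952   1556 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata",
    "1481728038.572   9372 74.222.20.124 TCP_MISS/502 3922 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html",
    "1481728042.000    120 10.0.0.5 TCP_MISS/200 1024 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html",  # constructed
]

def parse_line(line):
    """Split one native-format line into named fields; None if it does not parse."""
    m = NATIVE_RE.match(line.strip())
    return m.groupdict() if m else None

def foreign_clients(lines, localnet):
    """Yield (client, action/status, url) for requests whose source is outside localnet."""
    nets = [ipaddress.ip_network(n) for n in localnet]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            ip = ipaddress.ip_address(rec["client"])
        except ValueError:
            continue  # e.g. a hostname when log_fqdn is on; skip rather than guess
        if not any(ip in n for n in nets):
            yield rec["client"], rec["action"] + "/" + rec["status"], rec["url"]

def summarise(lines, localnet=("10.0.0.0/24",)):
    """Return (total, served): per outside client, how many requests arrived and how many got a 200.
    Any served request means the ACLs let an outside client relay through the proxy."""
    total, served = Counter(), Counter()
    for client, result, _url in foreign_clients(lines, localnet):
        total[client] += 1
        if result.endswith("/200"):
            served[client] += 1
    return total, served

if __name__ == "__main__":
    for client, n in summarise(SAMPLE_LOG)[0].items():
        print(f"{client}: {n} request(s) from outside localnet")
```

Run it against the real file with `summarise(open("/var/log/squid/access.log"))`; a non-empty `served` counter is the sign that source-IP ACLs are not working as intended.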
