[squid-users] unknown source IP in access.log

Antony Stone Antony.Stone at squid.open.source.it
Wed Dec 14 19:11:46 UTC 2016


On Wednesday 14 December 2016 at 17:26:34, Sameh Onaissi wrote:

> Thanks for your reply.
> 
> Here’s the config file: http://pastebin.com/DNDacy6M

Where is this file located on your system?  The answer to this question is 
needed further down my reply.

I've skipped some bits to make my reply clearer...

> acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_access allow CONNECT localnet numeric_IPs Skype_UA

Maybe someone more knowledgeable can say if I'm wrong here, but I find it hard 
to accept that this really is the squid.conf file you're using:

a) if it allows connections from IPs such as 118.89.21.244

b) if it allows *anything* to CONNECT.


Please do one of the following:

1. Run "squid -k parse" and make sure it returns no errors, then introduce a 
deliberate error to your squid.conf file (such as mis-spelling "deny" or 
similar) and run "squid -k parse" again to make sure it reads the file you 
think it is using, and reports the error (then undo the mistake again).

2. Run "squid -f /path/to/your/squid.conf -k parse" substituting in the 
location on your system where your config file lives (as asked above).  Assuming 
this returns no errors, again (as in suggestion 1) introduce a deliberate 
error, re-run "squid -f /path/to/your/squid.conf -k parse" and make sure it 
picks up on the error.

I find it hard to believe that the squid.conf you showed can produce the 
results you report.

Please also post the output of "find / -name squid.conf" on your machine.

> Dovecot used its default ports:
> 110: pop
> 143: imap
> 995: pop3s
> 993: imaps
> 
> Postfix SMTP 587

Okay, so nothing to do with Squid, then.  I just wondered whether it might 
have a web interface.


Regards,


Antony.

> On Dec 14, 2016, at 10:25 AM, Antony Stone wrote:
> 
> On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:
> 
>> Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
>> source IPs. All those IPs seem to be originated from China. In my config
>> file I deny all but local net IPs 10.0.0.0/24.
> 
> I suggest you show us your squid.conf (without comments or blank lines)
> because you do not seem to have achieved restricting source IPs as
> intended.
> 
>> Here is a sample of the log:
>> 
>> 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.461 595
>> 
>> 123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.993 749
>> 
>> 74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html 1481728040.312 0
>> 
>> I am worried about spam…
> 
> I would not call this spam - I would call it "people trying to abuse your
> proxy".
> 
>> is this normal?
> 
> It is normal that they try.  It is not normal that your access control
> rules allow them to get this far.
> 
>> if not, how can I know what is accessing squid and stop it.
> 
> You don't care what is accessing it - you only care that it's coming from
> the outside, and that should not be allowed.  Either or both of your Squid
> ACLs and your firewall rules need to be reviewed.
> 
>> NOTE: this server has a small iRedMail server installed on it.
> 
> What port/s does that listen on?  Is it intended to be externally
> accessible?

-- 
"The tofu battle I saw last weekend was quite brutal."

 - Marija Danute Brigita Kuncaitis

                                                   Please reply to the list;
                                                         please *don't* CC me.
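The two checks this thread turns on (which source IPs in access.log fall outside the intended localnet, and why the quoted http_access list cannot be the one producing those log lines) can be scripted. The following is an added example, not code from the thread or from the Squid project. It assumes the custom logformat visible in the quoted log lines (client IP in the first field) and the 10.0.0.0/24 localnet from the quoted config; the sample log lines are constructed to match those, and the ACL evaluator models only Squid's first-match ordering, not its ACL types.

```python
"""Triage Squid access.log source IPs and model http_access first-match ordering.
Added example for the squid-users thread; not the poster's or Squid's own code."""
import ipaddress
from collections import Counter

# Constructed sample in the thread's logformat:
# client_ip cache_status/http_code bytes method URL - hierarchy/peer mime timestamp duration
SAMPLE_LOG = """\
118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.461 595
123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.993 749
74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html 1481728040.312 0
10.0.0.42 TCP_MISS/200 1024 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html 1481728041.000 12
"""

# The only network the poster intends to serve: acl localnet src 10.0.0.0/24
LOCALNET = [ipaddress.ip_network("10.0.0.0/24")]


def parse_line(line):
    """Split one log line into the fields of interest; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"client": f[0], "status": f[1], "method": f[3],
            "url": f[4], "peer": f[6].split("/")[-1]}


def foreign_clients(log_text, allowed=LOCALNET):
    """Count requests per client IP that sits outside every allowed network.
    Anything counted here reached Squid from the outside, so the ACLs
    and/or the host firewall are not restricting the source as intended."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            ip = ipaddress.ip_address(rec["client"])
        except ValueError:
            continue  # first field is not an IP: logformat assumption is wrong
        if not any(ip in net for net in allowed):
            hits[rec["client"]] += 1
    return hits


# The http_access lines exactly as quoted in the thread, in order.
HTTP_ACCESS = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny",  ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
    ("allow", ["CONNECT", "localnet", "numeric_IPs", "Skype_UA"]),
]


def acl_matches(acl, true_acls):
    """Model one ACL name: 'all' always matches, a leading '!' negates."""
    if acl == "all":
        return True
    if acl.startswith("!"):
        return acl[1:] not in true_acls
    return acl in true_acls


def evaluate(rules, true_acls):
    """First-match evaluation: every ACL on a line must match for it to fire.
    Returns (action, index of the line that fired).  When no line matches,
    Squid applies the opposite of the last line's action (index None)."""
    for idx, (action, acls) in enumerate(rules):
        if all(acl_matches(a, true_acls) for a in acls):
            return action, idx
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def unreachable_rules(rules):
    """Indexes of lines after the first bare 'all' line; they can never fire."""
    for idx, (_, acls) in enumerate(rules):
        if acls == ["all"]:
            return list(range(idx + 1, len(rules)))
    return []


if __name__ == "__main__":
    for ip, n in foreign_clients(SAMPLE_LOG).most_common():
        print(f"outside localnet: {ip} ({n} requests)")
    print("external plain GET     ->", evaluate(HTTP_ACCESS, {"Safe_ports"}))
    print("localnet Skype CONNECT ->", evaluate(HTTP_ACCESS,
          {"CONNECT", "localnet", "numeric_IPs", "Skype_UA", "Safe_ports"}))
    print("dead http_access lines:", unreachable_rules(HTTP_ACCESS))
```

Run against the real access.log, `foreign_clients` gives the list of outside sources to feed into a firewall review. The evaluator makes Antony's two doubts concrete: with the quoted ordering an external client is stopped at `deny all` (index 6), so a TCP_MISS/200 from 118.89.21.244 cannot come from a Squid that is actually reading this file; and the trailing `allow CONNECT ...` line is dead, since `deny all` matches every request first, so this file never permits a CONNECT that the earlier lines did not already allow.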

