[squid-users] unknown source IP in access.log
Antony.Stone at squid.open.source.it
Wed Dec 14 19:11:46 UTC 2016
On Wednesday 14 December 2016 at 17:26:34, Sameh Onaissi wrote:
> Thanks for your reply.
> Here’s the config file: http://pastebin.com/DNDacy6M
Where is this file located on your system? The answer to this question is
needed further down my reply.
I've skipped some bits to make my reply clearer...
> acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_access allow CONNECT localnet numeric_IPs Skype_UA
Maybe someone more knowledgeable can say if I'm wrong here, but I find it hard
to accept that this really is the squid.conf file you're using:
a) if it allows connections from IPs such as 18.104.22.168
b) if it allows *anything* to CONNECT.
Please do one of the following:
1. Run "squid -k parse" and make sure it returns no errors, then introduce a
deliberate error to your squid.conf file (such as mis-spelling "deny" or
similar) and run "squid -k parse" again to make sure it reads the file you
think it is using, and reports the error (then undo the mistake again).
2. Run "squid -f /path/to/your/squid.conf -k parse" substituting in the
location on your system where your config file lives (as asked above). Assuming
this returns no errors, again (as in suggestion 1) introduce a deliberate
error, re-run "squid -f /path/to/your/squid.conf -k parse" and make sure it
picks up on the error.
I find it hard to believe that the squid.conf you showed can produce the
results you report.
Please also post the output of "find / -name squid.conf" on your machine.
> Dovecot used its default ports:
> 110: pop
> 143: imap
> 995: pop3s
> 993: maps
> Postfix SMTP 587
Okay, so nothing to do with Squid, then. I just wondered whether it might
have a web interface.
> On Dec 14, 2016, at 10:25 AM, Antony Stone wrote:
> On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:
> Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
> source IPs. All those IPs seem to be originated from China. In my config
> file I deny all but local net IPs 10.0.0.0/24.
> I suggest you show us your squid.conf (without comments or blank lines)
> because you do not seem to have achieved restricting source IPs as
> Here is a sample of the log:
> 22.214.171.124 TCP_MISS/200 445 POST http://online.huya.com/ -
> HIER_DIRECT/126.96.36.199 application/multipart-formdata 1481728036.461
> 188.8.131.52 TCP_MISS/200 419 POST http://online.huya.com/ -
> HIER_DIRECT/184.108.40.206 application/multipart-formdata 1481728036.993
> 220.127.116.11 TCP_MISS/502 3806 GET http://18.104.22.168:9636/ -
> HIER_DIRECT/22.214.171.124 text/html 1481728040.312 0
> I am worried about spam…
> I would not call this spam - I would call it "people trying to abuse your
> is this normal?
> It is normal that they try. It is not normal that your access control
> rules allow them to get this far.
> if not, how can I know what is accessing squid and stop it.
> You don't care what is accessing it - you only care that it's coming from
> the outside, and that should not be allowed. Either or both of your Squid
> ACLs and your firewall rules need to be reviewed.
> NOTE: this server has a small iRedMail server installed on it.
> What port/s does that listen on? It is intended to be externally
"The tofu battle I saw last weekend was quite brutal."
- Marija Danute Brigita Kuncaitis
Please reply to the list;
please *don't* CC me.
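The thread turns on one question: are requests from outside the 10.0.0.0/24 localnet being denied, or are they being forwarded? The following script is an added example, not code from the thread or from the Squid project. It parses access.log lines in the field order of the sample posted above (client address, result/status, bytes, method, URL, ident, hierarchy/peer, content type, timestamp), and splits out-of-network sources into those Squid denied (expected) and those it actually served (an ACL or firewall gap). The allowed network is taken from the quoted "acl localnet" line; the sample log lines and their addresses are constructed from documentation ranges and are not real traffic.

```python
"""Audit a Squid access.log for requests from outside the trusted client
network. Added example for the squid-users thread; the log field order
mirrors the sample posted there, the data below is constructed."""
import ipaddress
import re
from collections import Counter

# The "acl localnet src 10.0.0.0/24" line quoted in the thread.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Field order as in the posted sample. The regex is not end-anchored, so a
# trailing timestamp or duration field is accepted and ignored.
LOG_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
)

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
10.0.0.15 TCP_MISS/200 2310 GET http://example.com/ - HIER_DIRECT/192.0.2.1 text/html 1481728030.101
203.0.113.7 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/198.51.100.9 application/multipart-formdata 1481728036.461
203.0.113.7 TCP_MISS/502 3806 GET http://192.0.2.10:9636/ - HIER_DIRECT/192.0.2.10 text/html 1481728040.312 0
198.51.100.23 TCP_DENIED/403 3620 CONNECT 192.0.2.44:443 - HIER_NONE/- text/html 1481728041.500
this line is not a squid log entry
"""


def parse_line(line):
    """Return a dict of fields, or None when the line does not match the format
    or the client field is not an IP address (e.g. log_fqdn output)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    try:
        entry["src_ip"] = ipaddress.ip_address(entry["src"])
    except ValueError:
        return None
    return entry


def is_allowed_source(ip, allowed=ALLOWED_NETS):
    """True if the client address falls inside one of the trusted networks."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in allowed)


def audit(lines, allowed=ALLOWED_NETS):
    """Count inside traffic, and split outside traffic into requests Squid
    denied (TCP_DENIED*, the expected outcome) and requests it forwarded."""
    served = Counter()
    denied = Counter()
    inside = skipped = 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            skipped += 1
            continue
        if is_allowed_source(e["src_ip"], allowed):
            inside += 1
        elif e["code"].startswith("TCP_DENIED"):
            denied[e["src"]] += 1
        else:
            served[e["src"]] += 1  # forwarded for an outside client: ACL gap
    return {
        "inside": inside,
        "skipped": skipped,
        "denied_from_outside": dict(denied),
        "served_from_outside": dict(served),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    print(f"inside requests: {report['inside']}, unparsed lines: {report['skipped']}")
    print("outside, denied:", report["denied_from_outside"])
    print("outside, SERVED:", report["served_from_outside"])
```

Run it against a real file with `audit(open("/var/log/squid/access.log"))`; any address in `served_from_outside` means a request from beyond localnet reached an origin server, which is exactly what the quoted "http_access deny all" should prevent. A non-empty `denied_from_outside` is the healthy case: outsiders probing, Squid refusing.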