[squid-users] unknown source IP in access.log

Sameh Onaissi sameh.onaissi at solcv.com
Wed Dec 14 19:58:18 UTC 2016


Hey Antony, all…

The file is where it should be: /etc/squid/squid.conf


squid -k parse returns nothing strange.
To make sure, I followed your instructions of writing deny wrong (in /etc/squid/squid.conf) and ran "squid -k parse" again, and it complained:

2016/12/14 14:45:15| Processing: http_access denyl !Safe_ports
2016/12/14 14:45:15| aclParseAccessLine: /etc/squid/squid.conf line 35: http_access denyl !Safe_ports
2016/12/14 14:45:15| aclParseAccessLine: expecting 'allow' or 'deny', got 'denyl'.
2016/12/14 14:45:15| Processing: http_access deny CONNECT !SSL_ports


I also commented out the line allowing skype IPs and the access log continued showing said results.

I should mention that this behavior started today, when it was not happening before.

additionally:

find / -name squid.conf
/etc/fail2ban/filter.d/squid.conf
/etc/squid.bk/squid.conf
/etc/squid/squid.conf
find: ‘/run/user/118/gvfs’: Permission denied


I am sure it is not the squid.bk/squid.conf because that has no ACLs defined, nor is it configured to use SquidGuard to redirect pages (which is currently functioning).




Any other ideas?

Thank you again!
Sam


Think about the environment before printing this email.

On Dec 14, 2016, at 2:11 PM, Antony Stone <Antony.Stone at squid.open.source.it> wrote:

On Wednesday 14 December 2016 at 17:26:34, Sameh Onaissi wrote:

Thanks for your reply.

Here’s the config file: http://pastebin.com/DNDacy6M
Where is this file located on your system?  The answer to this question is
needed further down my reply.

I've skipped some bits to make my reply clearer...

acl localnet src 10.0.0.0/24 # RFC1918 possible internal network

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_access allow CONNECT localnet numeric_IPs Skype_UA

Maybe someone more knowledgeable can say if I'm wrong here, but I find it hard
to accept that this really is the squid.conf file you're using:

a) if it allows connections from IPs such as 118.89.21.244

b) if it allows *anything* to CONNECT.


Please do one of the following:

1. Run "squid -k parse" and make sure it returns no errors, then introduce a
deliberate error to your squid.conf file (such as mis-spelling "deny" or
similar) and run "squid -k parse" again to make sure it reads the file you
think it is using, and reports the error (then undo the mistake again).

2. Run "squid -f /path/to/your/squid.conf -k parse" substituting in the
location on your system where your config file lives (as asked above).  Assuming
this returns no errors, again (as in suggestion 1) introduce a deliberate
error, re-run "squid -f /path/to/your/squid.conf -k parse" and make sure it
picks up on the error.

I find it hard to believe that the squid.conf you showed can produce the
results you report.

Please also post the output of "find / -name squid.conf" on your machine.

Dovecot used its default ports:
110: pop
143: imap
995: pop3s
993: imaps

Postfix SMTP 587

Okay, so nothing to do with Squid, then.  I just wondered whether it might
have a web interface.


Regards,


Antony.

On Dec 14, 2016, at 10:25 AM, Antony Stone wrote:

On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:

Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
source IPs. All those IPs seem to be originated from China. In my config
file I deny all but local net IPs 10.0.0.0/24.

I suggest you show us your squid.conf (without comments or blank lines)
because you do not seem to have achieved restricting source IPs as
intended.

Here is a sample of the log:

118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ -
HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.461
595

123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ -
HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.993
749

74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ -
HIER_DIRECT/116.31.99.233 text/html 1481728040.312      0

I am worried about spam…

I would not call this spam - I would call it "people trying to abuse your
proxy".

is this normal?

It is normal that they try.  It is not normal that your access control
rules allow them to get this far.

if not, how can I know what is accessing squid and stop it.

You don't care what is accessing it - you only care that it's coming from
the outside, and that should not be allowed.  Either or both of your Squid
ACLs and your firewall rules need to be reviewed.

NOTE: this server has a small iRedMail server installed on it.

What port/s does that listen on?  It is intended to be externally
accessible?

--
"The tofu battle I saw last weekend was quite brutal."

- Marija Danute Brigita Kuncaitis

Please reply to the list;
please *don't* CC me.
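Antony's point above is that the worrying part of the log sample is not that outside hosts try, but that the proxy answers them with TCP_MISS/200 instead of a denial. The following script is an added example (not code from the thread or from the Squid project) that runs that check over the quoted log lines: it parses each record, flags every client address outside the intended 10.0.0.0/24 network, and counts how many of those foreign requests were actually served. The field order (client, status, bytes, method, URL, user, hierarchy/peer, content type, timestamp, duration) is assumed from the sample, which does not match Squid's default logformat; adjust parse_line() to your own logformat. The fourth log line is constructed to show a legitimate local client.

```python
import ipaddress
from collections import Counter

# Constructed sample: the three records quoted in the thread, re-joined onto one
# line each, plus one constructed request from the intended local network.
SAMPLE_LOG = """\
118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.461 595
123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.993 749
74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html 1481728040.312 0
10.0.0.42 TCP_MISS/200 1200 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html 1481728041.000 120
"""

# Networks the proxy is meant to serve: the thread's localnet plus loopback.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/24"),
                ipaddress.ip_network("127.0.0.0/8")]


def parse_line(line):
    """Split one record in the (assumed) field order used by the sample.

    Returns None for blank or malformed lines so one bad record does not
    abort an audit of a large file.
    """
    fields = line.split()
    if len(fields) < 10:
        return None
    return {
        "client": fields[0],
        "status": fields[1],          # e.g. TCP_MISS/200, TCP_DENIED/403
        "method": fields[3],
        "url": fields[4],
        "peer": fields[6],            # e.g. HIER_DIRECT/183.61.6.181
        "timestamp": float(fields[8]),
    }


def is_allowed_client(ip_text, nets=ALLOWED_NETS):
    """True if the client address belongs to one of the permitted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Not an IP literal at all: treat as not allowed so it is surfaced.
        return False
    return any(ip in net for net in nets)


def audit(log_text, nets=ALLOWED_NETS):
    """Return the parsed records whose client is outside the allowed networks."""
    foreign = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and not is_allowed_client(rec["client"], nets):
            foreign.append(rec)
    return foreign


def summarize(foreign):
    """Aggregate the foreign requests: who, where to, and how many got through."""
    return {
        "clients": Counter(r["client"] for r in foreign),
        # Strip the hierarchy code so only the upstream address remains.
        "destinations": Counter(r["peer"].split("/", 1)[-1] for r in foreign),
        # A 2xx status means the ACLs let the request reach the origin server;
        # a correctly ordered "deny all" would have produced TCP_DENIED/403.
        "served": sum(1 for r in foreign if r["status"].endswith("/200")),
    }


if __name__ == "__main__":
    result = summarize(audit(SAMPLE_LOG))
    print("foreign clients:     ", dict(result["clients"]))
    print("foreign destinations:", dict(result["destinations"]))
    print("foreign requests served (2xx):", result["served"])
```

Any non-zero "served" count for foreign clients is the condition Antony describes as abnormal; once the ACL order or the firewall is corrected, the same script should report foreign hits only with TCP_DENIED statuses (or none at all, if the firewall drops them before Squid sees them).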
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
