[squid-users] unknown source IP in access.log

Amos Jeffries squid3 at treenet.co.nz
Thu Dec 15 04:16:44 UTC 2016


On 15/12/2016 8:58 a.m., Sameh Onaissi wrote:
> Hey Antony, all…
> 
> The file is where is should be: /etc/squid/squid.conf
> 
> 
> squid -k parse returns nothing strange.
> To make sure, I followed your instructions of writing deny wrong (in /etc/squid/squid.conf) and ran "squid -k parse" again, and it complained:
> 
> 2016/12/14 14:45:15| Processing: http_access denyl !Safe_ports
> 2016/12/14 14:45:15| aclParseAccessLine: /etc/squid/squid.conf line 35: http_access denyl !Safe_ports
> 2016/12/14 14:45:15| aclParseAccessLine: expecting 'allow' or 'deny', got 'denyl'.
> 2016/12/14 14:45:15| Processing: http_access deny CONNECT !SSL_ports
> 
> 
> I also commented out the line allowing skype IPs and the access log continued showing said results.
> 
> I should mention that this behavior started today, when it was not happening before.
> 
> additionally:
> 
> find / -name squid.conf
> /etc/fail2ban/filter.d/squid.conf
> /etc/squid.bk/squid.conf
> /etc/squid/squid.conf
> find: ‘/run/user/118/gvfs’: Permission denied
> 
> 
> I am sure it is not the squid.bk/squid.conf because that has no acls defined nor configured to use squid guard to redirect pages (which currently is functioning)
> 
> 
> Any other ideas?

>> acl Safe_ports port 587 #SMTP

SMTP is the #1 worst protocol to let anywhere near an HTTP proxy.
Preventing what you have allowed to happen is one of the primary reasons
Safe_ports exists in the first place!

Some (but not all) of the log lines you displayed show signs of email
being delivered through the HTTP proxy to external mailservers.

The protocols look nearly identical in syntax. But the semantic meaning
of the message is different and gets interpreted by HTTP and SMTP relays
in ways that make the results quite nasty (for you) and practically a
haven for spammers.

> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all

'deny all' is final. No following http_access will ever be used. Which
is lucky given your problem.

> http_access allow CONNECT localnet numeric_IPs Skype_UA
> 
> Maybe someone more knowledgeable can say if I'm wrong here, but I find it hard
> to accept that this really is the squid.conf file you're using:
> 
> a) if it allows connections from IPs such as 118.89.21.244
> 
> b) if it allows *anything* to CONNECT.
> 

With some simple mistake(s) in the iptables rules the port 587 being
allowed could lead to this behaviour. Though the external IP showing up
in the log and not being denied is odd.

Sameh Onaissi: what are your iptables rules? (all of them. For nat,
mangle and filter tables).


One other thing to try is to take the access.log and subtract the
duration times from the timestamp and see what turns out to be starting
at about the same times. The durations on these requests are very long,
so important bits will be happening long before they get logged.

Amos
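Amos's suggestion of subtracting the durations from the timestamps, as an added example that is not part of the thread: it parses Squid native access.log lines (constructed samples, not the poster's log), orders them by recovered start time, and flags destinations on the mail ports (25, 465, 587) that Safe_ports exists to keep away from the proxy.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Ports used by SMTP, SMTPS and mail submission; treated as "mail" here (chosen set).
MAIL_PORTS = {25, 465, 587}

# Constructed sample lines in Squid native log format (not from the thread):
# timestamp.ms  elapsed_ms  client  code/status  bytes  method  url  ident  hier/peer  type
SAMPLE_LOG = """\
1481738715.123  65000 118.89.21.244 TCP_MISS/200 512 CONNECT 203.0.113.25:587 - HIER_DIRECT/203.0.113.25 -
1481738720.500    340 192.168.1.10 TCP_MISS/200 9321 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1481738730.000 120000 118.89.21.244 TCP_MISS/200 128 POST http://203.0.113.26:587/ - HIER_DIRECT/203.0.113.26 -
"""

def destination_port(method, url):
    """CONNECT targets are host:port; other URLs carry a scheme and maybe a port."""
    if method == "CONNECT":
        return int(url.rsplit(":", 1)[1])
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80

def parse_line(line):
    f = line.split()
    end = float(f[0])             # Squid logs the time the request *finished*
    elapsed = int(f[1]) / 1000.0  # elapsed field is milliseconds
    return {
        "start": end - elapsed,   # when the client actually opened the request
        "end": end,
        "client": f[2],
        "method": f[5],
        "url": f[6],
        "port": destination_port(f[5], f[6]),
    }

def analyse(log_text):
    """Parse, order by recovered start time, and flag requests to mail ports."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r["start"])
    for r in records:
        r["mail_relay"] = r["port"] in MAIL_PORTS
    return records

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        started = datetime.fromtimestamp(r["start"], tz=timezone.utc).isoformat()
        flag = "MAIL-PORT" if r["mail_relay"] else ""
        print(f"{started} {r['client']:>15} {r['method']:7} :{r['port']} {flag}")
```

Note that the POST logged last in the sample actually started first, which is exactly why the finish-time ordering of access.log hides where such traffic begins.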


