<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Hey Antony, all…
<div class=""><br class="">
</div>
<div class="">The file is where is should be: /etc/squid/squid.conf</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">squid -k parse returns nothing strange. </div>
<div class="">To make sure, I followed your instructions of writing deny wrong (in /etc/squid/squid.conf) and ran "squid -k parse” again, and it complained:</div>
<div class=""><br class="">
</div>
<div class="">
<div style="margin: 0px; line-height: normal; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">2016/12/14 14:45:15| Processing: http_access denyl !Safe_ports</span></div>
<div style="margin: 0px; line-height: normal; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">2016/12/14 14:45:15| aclParseAccessLine: /etc/squid/squid.conf line 35: http_access denyl !Safe_ports</span></div>
<div style="margin: 0px; line-height: normal; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">2016/12/14 14:45:15| aclParseAccessLine: expecting 'allow' or 'deny', got 'denyl'.</span></div>
<div style="margin: 0px; line-height: normal; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">2016/12/14 14:45:15| Processing: http_access deny CONNECT !SSL_ports</span></div>
<div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class="">
</span></div>
<div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class="">
</span></div>
<div class=""><span style="font-variant-ligatures: no-common-ligatures" class="">I also commented out the line allowing skype IPs and the access log continued showing said results.</span></div>
<div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class="">
</span></div>
<div class=""><span style="font-variant-ligatures: no-common-ligatures" class="">I should mention that this behavior started today, when it was not happening before.</span></div>
<div class=""><br class="">
</div>
<div class="">additionally:</div>
<div class=""><br class="">
</div>
<div class="">
<div style="margin: 0px; line-height: normal; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">find / -name squid.conf</span></div>
<div style="margin: 0px; line-height: normal; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">/etc/fail2ban/filter.d/squid.conf</span></div>
<div style="margin: 0px; line-height: normal; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">/etc/squid.bk/squid.conf</span></div>
<div style="margin: 0px; line-height: normal; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">/etc/squid/squid.conf</span></div>
<div style="margin: 0px; line-height: normal; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class="">find: ‘/run/user/118/gvfs’: Permission denied</span></div>
</div>
<div style="margin: 0px; line-height: normal; font-family: 'Andale Mono'; color: rgb(41, 249, 20); background-color: rgb(0, 0, 0);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""><br class="">
</span></div>
<div class=""><br class="webkit-block-placeholder">
</div>
<div class="">I am sure it is not the squid.bk/squid.conf because that has no acls defined nor configured to use squid guard to redirect pages (which currently is functioning)</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Any other ideas?</div>
<div class=""><br class="">
</div>
<div class="">Thank you again!</div>
<div class="">Sam</div>
<div class=""><br class="Apple-interchange-newline" style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<br class="Apple-interchange-newline" style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><span><img height="38" width="45" apple-inline="yes" id="FD8D003E-4648-4A3E-A883-DF88B0DDB542" apple-width="yes" apple-height="yes" src="cid:2FD1C3AB-E45C-49F0-84AB-0F8AC658BD11@routerb408e2.com" class=""></span><em style="font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; color: rgb(0, 128, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; background-color: rgb(255, 255, 255);" class=""><strong class="">Piensa
en el medio ambiente antes de imprimir este email.</strong></em> </span></div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Dec 14, 2016, at 2:11 PM, Antony Stone <<a href="mailto:Antony.Stone@squid.open.source.it" class="">Antony.Stone@squid.open.source.it</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">On Wednesday 14 December 2016 at 17:26:34, Sameh Onaissi wrote:<br class="">
<br class="">
<blockquote type="cite" class="">Thanks for your reply.<br class="">
<br class="">
Here’s the config file: <a href="http://pastebin.com/DNDacy6M" class="">http://pastebin.com/DNDacy6M</a><br class="">
</blockquote>
eaWhere is this file located on your system? The answer to this question is <br class="">
needed further down my reply.<br class="">
<br class="">
I've skipped some bits to make my reply clearer...<br class="">
<br class="">
<blockquote type="cite" class="">acl localnet src 10.0.0.0/24 # RFC1918 possible internal network<br class="">
<br class="">
http_access deny !Safe_ports<br class="">
http_access deny CONNECT !SSL_ports<br class="">
http_access allow localhost manager<br class="">
http_access deny manager<br class="">
http_access allow localnet<br class="">
http_access allow localhost<br class="">
http_access deny all<br class="">
http_access allow CONNECT localnet numeric_IPs Skype_UA<br class="">
</blockquote>
<br class="">
Maybe someone more knowledgeable can say if I'm wrong here, but I find it hard <br class="">
to accept that this really is the squid.conf file you're using:<br class="">
<br class="">
a) if it allows connections from IPs such as 118.89.21.244<br class="">
<br class="">
b) if it allows *anything* to CONNECT.<br class="">
<br class="">
<br class="">
Please do one of the following:<br class="">
<br class="">
1. Run "squid -k parse" and make sure it returns no errors, then introduce a <br class="">
deliberate error to your squid.conf file (such as mis-spelling "deny" or <br class="">
similar) and run "squid -k parse" again to make sure it reads the file you <br class="">
think it is using, and reports the error (then undo the mistake again).<br class="">
<br class="">
2. Run "squid -f /path/to/your/squid.conf -k parse" substituting in the <br class="">
location on your system where your config file lives (as asked above). Assuming <br class="">
this returns no errors, again (as in suggestion 1) instroduce a deliberate <br class="">
error, re-run "squid -f /path/to/you/squid.conf -k parse" and make sure it <br class="">
picks up on the error.<br class="">
<br class="">
I find it hard to believe that the squid.conf you showed can produce the <br class="">
results you report.<br class="">
<br class="">
Please also post the output of "find / -name squid.conf" on your machine.<br class="">
<br class="">
<blockquote type="cite" class="">Dovecot used its default ports:<br class="">
110: pop<br class="">
143: imap<br class="">
995: pop3s<br class="">
993: maps<br class="">
<br class="">
Postfix SMTP 587<br class="">
</blockquote>
<br class="">
Okay, so nothing to do with Squid, then. I just wondered whether it might <br class="">
have a web interface.<br class="">
<br class="">
<br class="">
Regards,<br class="">
<br class="">
<br class="">
Antony.<br class="">
<br class="">
<blockquote type="cite" class="">On Dec 14, 2016, at 10:25 AM, Antony Stone wrote:<br class="">
<br class="">
On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:<br class="">
<br class="">
Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown<br class="">
source IPs. All those IPs seem to be originated from China. In my config<br class="">
file I deny all but local net IPs 10.0.0.0/24.<br class="">
<br class="">
I suggest you show us your squid.conf (wiithout comments or blank lines)<br class="">
because you do not seem to have achieved restricting source IPs as<br class="">
intended.<br class="">
<br class="">
Here is a sample of the log:<br class="">
<br class="">
118.89.21.244 TCP_MISS/200 445 POST <a href="http://online.huya.com/" class="">http://online.huya.com/</a> -<br class="">
HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.461<br class="">
595<br class="">
<br class="">
123.207.123.80 TCP_MISS/200 419 POST <a href="http://online.huya.com/" class="">http://online.huya.com/</a> -<br class="">
HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.993<br class="">
749<br class="">
<br class="">
74.222.20.124 TCP_MISS/502 3806 GET <a href="http://116.31.99.233:9636/" class="">
http://116.31.99.233:9636/</a> -<br class="">
HIER_DIRECT/116.31.99.233 text/html 1481728040.312 0<br class="">
<br class="">
I am worried about spam…<br class="">
<br class="">
I would not call this spam - I would call it "people trying to abuse your<br class="">
proxy".<br class="">
<br class="">
is this normal?<br class="">
<br class="">
It is normal that they try. It is not normal that your access control<br class="">
rules allow them to get this far.<br class="">
<br class="">
if not, how can I know what is accessing squid and stop it.<br class="">
<br class="">
You don't care what is accessing it - you only care that it's coming from<br class="">
the outside, and that should not be allowed. Either or both of your Squid<br class="">
ACLs and your firewall rules need to be reviewed.<br class="">
<br class="">
NOTE: this server has a small iRedMail server installed on it.<br class="">
<br class="">
What port/s does that listen on? It is intended to be externally<br class="">
accessible?<br class="">
</blockquote>
<br class="">
-- <br class="">
"The tofu battle I saw last weekend was quite brutal."<br class="">
<br class="">
- Marija Danute Brigita Kuncaitis<br class="">
<br class="">
Please reply to the list;<br class="">
please *don't* CC me.<br class="">
_______________________________________________<br class="">
squid-users mailing list<br class="">
<a href="mailto:squid-users@lists.squid-cache.org" class="">squid-users@lists.squid-cache.org</a><br class="">
http://lists.squid-cache.org/listinfo/squid-users<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</body>
</html>