[squid-users] unknown source IP in access.log

Sameh Onaissi sameh.onaissi at solcv.com
Wed Dec 14 15:16:17 UTC 2016


Hello,


I have a functional transparent squid with ssl-bump on Ubuntu 16.04

With Eliezer’s great help, I added a bypass pool to bypass Skype for Business IPs and allow the Skype for Business client to log in successfully. I noticed that personal Skype is not logging in however, so I wanted to add its IPs to the pool.

Currently, the squid server has only 1 client (my laptop). I closed all my browsers, in an effort to isolate only Skype log in attempts. Mail client is also closed.

Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown source IPs. All those IPs seem to be originated from China.
In my config file I deny all but local net IPs 10.0.0.0/24.

Here is a sample of the log:

1481728035.855      0 199.233.237.186 TAG_NONE/400 4534 NONE error:invalid-request - HIER_NONE/- text/html
1481728035.952   1556 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
1481728036.461    595 123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
1481728036.993    749 123.207.123.80 TCP_MISS/200 819 POST http://wup.huya.com/ - HIER_DIRECT/180.208.65.100 application/multipart-formdata
1481728037.538   2307 122.227.189.214 TCP_MISS/200 764 POST http://webim.ganji.com/message/ImSendMsg? - HIER_DIRECT/124.251.6.233 text/html
1481728038.572   9372 74.222.20.124 TCP_MISS/502 3922 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
1481728038.573      0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
1481728038.773   2528 118.89.21.244 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
1481728039.162   1575 139.199.60.36 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
1481728039.203    612 122.227.189.214 TCP_MISS/200 1182 POST http://mobapi.ganji.com/datashare/ - HIER_DIRECT/115.159.231.182 text/html
1481728039.615  51681 172.82.184.19 TCP_MISS/502 3806 GET http://115.231.17.12:9636/ - HIER_DIRECT/115.231.17.12 text/html
1481728039.615      0 172.82.184.19 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
1481728040.311  36606 74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
1481728040.312      0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
1481728041.477  67001 74.222.19.19 TCP_MISS/502 3802 GET http://61.155.5.197:9636/ - HIER_DIRECT/61.155.5.197 text/html
1481728041.478      0 74.222.19.19 TAG_NONE/400 4531 NONE error:invalid-request - HIER_NONE/- text/html
1481728041.856  13613 172.82.190.245 TCP_MISS/502 3926 GET http://122.226.191.17:9636/ - HIER_DIRECT/122.226.191.17 text/html
1481728041.857      0 172.82.190.245 TAG_NONE/400 4533 NONE error:invalid-request - HIER_NONE/- text/html

I am worried about spam… Is this normal? If not, how can I know what is accessing squid and stop it?

NOTE: this server has a small iRedMail server installed on it.



Sam


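One way to answer the question asked above, as an added example that is not part of the original thread: parse the native access.log layout shown in the post, flag every client address outside the 10.0.0.0/24 localnet, and count how many of its requests Squid actually forwarded upstream (any hierarchy code other than HIER_NONE). The parser and the sample log lines are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Native Squid access.log layout (hypothetical parser, not Squid's own code):
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample modelled on the lines in the post: one local client, two foreign ones.
SAMPLE_LOG = """\
1481728035.100    210 10.0.0.23 TCP_MISS/200 1290 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1481728035.952   1556 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
1481728038.572   9372 74.222.20.124 TCP_MISS/502 3922 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
1481728038.573      0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
"""


def parse_line(line):
    """Return the fields of one access.log entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text, allowed_nets=("10.0.0.0/24",)):
    """Per foreign client: request count, how many were relayed upstream, URLs seen."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    report = defaultdict(lambda: {"requests": 0, "relayed": 0, "urls": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue  # blank or unexpectedly formatted line
        try:
            client = ipaddress.ip_address(entry["client"])
        except ValueError:
            continue  # client column is not an IP (e.g. a hostname when log_fqdn is on)
        if any(client in net for net in nets):
            continue  # expected local client
        rec = report[str(client)]
        rec["requests"] += 1
        rec["urls"].add(entry["url"])
        if entry["hier"] != "HIER_NONE":
            rec["relayed"] += 1  # Squid opened an upstream connection for this outsider
    return dict(report)


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A client with relayed greater than zero had the proxy fetch the URL on its behalf; zero means every request from it was refused before any upstream connection was made.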
