[squid-users] unknown source IP in access.log

Sameh Onaissi sameh.onaissi at solcv.com
Wed Dec 14 16:26:34 UTC 2016


Thanks for your reply.

Here’s the config file:

http://pastebin.com/DNDacy6M


Dovecot used its default ports:
110: pop
143: imap
995: pop3s
993: imaps

Postfix SMTP 587

Kind regards,
Sam



Think about the environment before printing this email.

On Dec 14, 2016, at 10:25 AM, Antony Stone <Antony.Stone at squid.open.source.it> wrote:

On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:

Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
source IPs. All those IPs seem to be originated from China. In my config
file I deny all but local net IPs 10.0.0.0/24.

I suggest you show us your squid.conf (without comments or blank lines)
because you do not seem to have achieved restricting source IPs as intended.

Here is a sample of the log:

1481728035.855      0 199.233.237.186 TAG_NONE/400 4534 NONE error:invalid-request - HIER_NONE/- text/html
1481728035.952   1556 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
1481728036.461    595 123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
1481728036.993    749 123.207.123.80 TCP_MISS/200 819 POST http://wup.huya.com/ - HIER_DIRECT/180.208.65.100 application/multipart-formdata
1481728037.538   2307 122.227.189.214 TCP_MISS/200 764 POST http://webim.ganji.com/message/ImSendMsg? - HIER_DIRECT/124.251.6.233 text/html
1481728038.572   9372 74.222.20.124 TCP_MISS/502 3922 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
1481728038.573      0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
1481728038.773   2528 118.89.21.244 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
1481728039.162   1575 139.199.60.36 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
1481728039.203    612 122.227.189.214 TCP_MISS/200 1182 POST http://mobapi.ganji.com/datashare/ - HIER_DIRECT/115.159.231.182 text/html
1481728039.615  51681 172.82.184.19 TCP_MISS/502 3806 GET http://115.231.17.12:9636/ - HIER_DIRECT/115.231.17.12 text/html
1481728039.615      0 172.82.184.19 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
1481728040.311  36606 74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
1481728040.312      0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
1481728041.477  67001 74.222.19.19 TCP_MISS/502 3802 GET http://61.155.5.197:9636/ - HIER_DIRECT/61.155.5.197 text/html
1481728041.478      0 74.222.19.19 TAG_NONE/400 4531 NONE error:invalid-request - HIER_NONE/- text/html
1481728041.856  13613 172.82.190.245 TCP_MISS/502 3926 GET http://122.226.191.17:9636/ - HIER_DIRECT/122.226.191.17 text/html
1481728041.857      0 172.82.190.245 TAG_NONE/400 4533 NONE error:invalid-request - HIER_NONE/- text/html

I am worried about spam…

I would not call this spam - I would call it "people trying to abuse your
proxy".

is this normal?

It is normal that they try.  It is not normal that your access control rules
allow them to get this far.

if not, how can I know what is accessing squid and stop it.

You don't care what is accessing it - you only care that it's coming from the
outside, and that should not be allowed.  Either or both of your Squid ACLs
and your firewall rules need to be reviewed.

NOTE: this server has a small iRedMail server installed on it.

What port/s does that listen on?  It is intended to be externally accessible?


Regards,


Antony.

--
Wanted: telepath.   You know where to apply.

                                                  Please reply to the list;
                                                        please *don't* CC me.
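As an added example (not part of the thread or of Squid itself), a small Python check that does by script what Antony suggests doing by eye: parse Squid's native access.log format and count requests whose client address is outside the local network the proxy is meant to serve, 10.0.0.0/24 as stated in the thread. The sample lines are copied from the log quoted above plus one constructed 10.0.0.x entry; the regex field layout assumes Squid's default native log format.

```python
import ipaddress
import re
from collections import Counter

# Networks the proxy is supposed to serve; 10.0.0.0/24 is the localnet from the thread.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Squid native access.log (assumed default layout):
# timestamp duration client result/status bytes method URL user hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)/(?P<status>\d+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_allowed(client):
    """True if the client address falls inside one of ALLOWED_NETS."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:  # e.g. a hostname or a malformed field
        return False
    return any(ip in net for net in ALLOWED_NETS)

def find_external_clients(lines):
    """Return {client_ip: request_count} for requests from outside ALLOWED_NETS."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and not is_allowed(rec["client"]):
            hits[rec["client"]] += 1
    return hits

# First three lines copied from the log in the thread; the last one is constructed.
SAMPLE = [
    "1481728035.952   1556 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata",
    "1481728038.572   9372 74.222.20.124 TCP_MISS/502 3922 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html",
    "1481728038.573      0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html",
    "1481728042.000     12 10.0.0.25 TCP_MISS/200 1024 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    for ip, n in find_external_clients(SAMPLE).most_common():
        print(f"{ip}: {n} request(s) from outside the allowed networks")
```

Any non-empty result means the Squid http_access rules or the host firewall are letting outside clients reach the proxy, which is exactly the condition Antony describes.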