[squid-users] unknown source IP in access.log
Antony Stone
Antony.Stone at squid.open.source.it
Wed Dec 14 19:11:46 UTC 2016
On Wednesday 14 December 2016 at 17:26:34, Sameh Onaissi wrote:
> Thanks for your reply.
>
> Here’s the config file: http://pastebin.com/DNDacy6M
Where is this file located on your system? The answer to this question is
needed further down my reply.
I've skipped some bits to make my reply clearer...
> acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_access allow CONNECT localnet numeric_IPs Skype_UA
Maybe someone more knowledgeable can say if I'm wrong here, but I find it hard
to accept that this really is the squid.conf file you're using:
a) if it allows connections from IPs such as 118.89.21.244
b) if it allows *anything* to CONNECT.
Please do one of the following:
1. Run "squid -k parse" and make sure it returns no errors, then introduce a
deliberate error to your squid.conf file (such as mis-spelling "deny" or
similar) and run "squid -k parse" again to make sure it reads the file you
think it is using, and reports the error (then undo the mistake again).
2. Run "squid -f /path/to/your/squid.conf -k parse" substituting in the
location on your system where your config file lives (as asked above). Assuming
this returns no errors, again (as in suggestion 1) introduce a deliberate
error, re-run "squid -f /path/to/your/squid.conf -k parse" and make sure it
picks up on the error.
I find it hard to believe that the squid.conf you showed can produce the
results you report.
Please also post the output of "find / -name squid.conf" on your machine.
> Dovecot used its default ports:
> 110: pop
> 143: imap
> 995: pop3s
> 993: imaps
>
> Postfix SMTP 587
Okay, so nothing to do with Squid, then. I just wondered whether it might
have a web interface.
Regards,
Antony.
> On Dec 14, 2016, at 10:25 AM, Antony Stone wrote:
>
> On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:
>
> Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
> source IPs. All those IPs seem to be originated from China. In my config
> file I deny all but local net IPs 10.0.0.0/24.
>
> I suggest you show us your squid.conf (without comments or blank lines)
> because you do not seem to have achieved restricting source IPs as
> intended.
>
> Here is a sample of the log:
>
> 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ -
> HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.461
> 595
>
> 123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ -
> HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.993
> 749
>
> 74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ -
> HIER_DIRECT/116.31.99.233 text/html 1481728040.312 0
>
> I am worried about spam…
>
> I would not call this spam - I would call it "people trying to abuse your
> proxy".
>
> is this normal?
>
> It is normal that they try. It is not normal that your access control
> rules allow them to get this far.
>
> if not, how can I know what is accessing squid and stop it.
>
> You don't care what is accessing it - you only care that it's coming from
> the outside, and that should not be allowed. Either or both of your Squid
> ACLs and your firewall rules need to be reviewed.
>
> NOTE: this server has a small iRedMail server installed on it.
>
> What port/s does that listen on? It is intended to be externally
> accessible?
--
"The tofu battle I saw last weekend was quite brutal."
- Marija Danute Brigita Kuncaitis
Please reply to the list;
please *don't* CC me.
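As an added example (not part of the thread and not Squid's own tooling), here are the two checks the reply above asks for, written over the log lines quoted in the thread plus a few constructed ones. It flags every request whose client address lies outside localnet and separates the ones Squid refused (TCP_DENIED/403, the normal "they tried" case) from the ones it actually proxied (the case that means the ACLs let an outsider through), and it lists any http_access line that sits after "http_access deny all", which can never match because Squid stops at the first matching http_access line. The access.log field order (client IP, result/status, bytes, method, URL) is assumed from the sample in the post; the 10.0.0.42 and 61.135.169.121 lines and the TCP_DENIED entry are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the first three lines are the ones quoted in the thread,
# the last two are made up to show an inside client being served and an
# outside client being refused. Field order follows the post: client IP,
# result/status, bytes, method, URL, ...
SAMPLE_LOG = """\
118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.461 595
123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.993 749
74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html 1481728040.312 0
10.0.0.42 TCP_MISS/200 1200 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html 1481728041.000 12
61.135.169.121 TCP_DENIED/403 3900 GET http://example.org/ - HIER_NONE/- text/html 1481728043.000 0
"""

# The http_access lines quoted in the thread, in their original order.
SAMPLE_RULES = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_access allow CONNECT localnet numeric_IPs Skype_UA
"""

LOCALNET = ipaddress.ip_network("10.0.0.0/24")  # the 'localnet' acl from the post


def parse_line(line):
    """Split one access.log line (in the post's field order) into the fields we need."""
    fields = line.split()
    if len(fields) < 5:
        return None
    result, _, status = fields[1].partition("/")   # e.g. "TCP_MISS/200"
    return {
        "client": ipaddress.ip_address(fields[0]),
        "result": result,          # TCP_MISS, TCP_DENIED, TCP_TUNNEL, ...
        "status": int(status),     # HTTP status Squid returned to the client
        "method": fields[3],
        "url": fields[4],
    }


def classify(log_text, localnet=LOCALNET):
    """Return (served, refused): requests from outside localnet, split by outcome.

    TCP_DENIED means the http_access rules stopped the request, which is the
    expected outcome for an outsider. Any other result means Squid went ahead
    and handled the request, i.e. the ACLs (or the firewall) let it through.
    """
    served, refused = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] in localnet:
            continue
        entry = (str(rec["client"]), rec["method"], rec["url"])
        if rec["result"] == "TCP_DENIED":
            refused.append(entry)
        else:
            served.append(entry)
    return served, refused


def unreachable_rules(rules_text):
    """Return http_access lines that follow 'http_access deny all'.

    Squid evaluates http_access lines top to bottom and stops at the first
    match; 'deny all' matches every request, so later lines never run.
    """
    unreachable, seen_deny_all = [], False
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("http_access"):
            continue
        if seen_deny_all:
            unreachable.append(line)
        elif re.fullmatch(r"http_access\s+deny\s+all", line):
            seen_deny_all = True
    return unreachable


if __name__ == "__main__":
    served, refused = classify(SAMPLE_LOG)
    for entry in served:
        print("SERVED from outside localnet:", *entry)
    for entry in refused:
        print("refused (expected):", *entry)
    for rule in unreachable_rules(SAMPLE_RULES):
        print("unreachable rule (after 'deny all'):", rule)
```

Pointed at a real access.log, any line in the "SERVED" list is the thing to chase: with the quoted config, the only way an outside address is proxied is if this squid.conf is not the one the running Squid loaded, or if something in front of Squid rewrites the source address, which is exactly why the reply asks for "squid -k parse" and the firewall to be checked.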