On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:

> Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
> source IPs. All those IPs seem to originate from China. In my config
> file I deny all but local net IPs 10.0.0.0/24.

I suggest you show us your squid.conf (without comments or blank lines) because you do not seem to have achieved restricting source IPs as intended.

> Here is a sample of the log:
>
> 1481728035.855 0 199.233.237.186 TAG_NONE/400 4534 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728035.952 1556 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728036.461 595 123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728036.993 749 123.207.123.80 TCP_MISS/200 819 POST http://wup.huya.com/ - HIER_DIRECT/180.208.65.100 application/multipart-formdata
> 1481728037.538 2307 122.227.189.214 TCP_MISS/200 764 POST http://webim.ganji.com/message/ImSendMsg? - HIER_DIRECT/124.251.6.233 text/html
> 1481728038.572 9372 74.222.20.124 TCP_MISS/502 3922 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
> 1481728038.573 0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728038.773 2528 118.89.21.244 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728039.162 1575 139.199.60.36 TCP_MISS/200 419 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
> 1481728039.203 612 122.227.189.214 TCP_MISS/200 1182 POST http://mobapi.ganji.com/datashare/ - HIER_DIRECT/115.159.231.182 text/html
> 1481728039.615 51681 172.82.184.19 TCP_MISS/502 3806 GET http://115.231.17.12:9636/ - HIER_DIRECT/115.231.17.12 text/html
> 1481728039.615 0 172.82.184.19 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728040.311 36606 74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
> 1481728040.312 0 74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728041.477 67001 74.222.19.19 TCP_MISS/502 3802 GET http://61.155.5.197:9636/ - HIER_DIRECT/61.155.5.197 text/html
> 1481728041.478 0 74.222.19.19 TAG_NONE/400 4531 NONE error:invalid-request - HIER_NONE/- text/html
> 1481728041.856 13613 172.82.190.245 TCP_MISS/502 3926 GET http://122.226.191.17:9636/ - HIER_DIRECT/122.226.191.17 text/html
> 1481728041.857 0 172.82.190.245 TAG_NONE/400 4533 NONE error:invalid-request - HIER_NONE/- text/html
>
> I am worried about spam…

I would not call this spam - I would call it "people trying to abuse your proxy".

> is this normal?

It is normal that they try. It is not normal that your access control rules allow them to get this far.

> if not, how can I know what is accessing squid and stop it.

You don't care what is accessing it - you only care that it's coming from the outside, and that should not be allowed. Either or both of your Squid ACLs and your firewall rules need to be reviewed.

> NOTE: this server has a small iRedMail server installed on it.

What port/s does that listen on? Is it intended to be externally accessible?

Regards,

Antony.

--
Wanted: telepath. You know where to apply.

Please reply to the list; please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
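
One way to measure what the reply describes, requests from outside the local net that Squid actually forwarded, added here as an example that is not part of the original message. It assumes Squid's native access.log format and the 10.0.0.0/24 local net named in the thread; the sample input is a few of the quoted log lines plus one constructed in-network entry.

```python
import ipaddress
from collections import Counter

ALLOWED_NET = ipaddress.ip_network("10.0.0.0/24")  # local net named in the thread

# Four entries from the log sample quoted in the thread, plus one
# constructed in-network entry (10.0.0.15) for contrast.
SAMPLE_LOG = """\
1481728035.855 0 199.233.237.186 TAG_NONE/400 4534 NONE error:invalid-request - HIER_NONE/- text/html
1481728035.952 1556 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ - HIER_DIRECT/183.61.6.181 application/multipart-formdata
1481728038.572 9372 74.222.20.124 TCP_MISS/502 3922 GET http://116.31.99.233:9636/ - HIER_DIRECT/116.31.99.233 text/html
1481728039.203 612 122.227.189.214 TCP_MISS/200 1182 POST http://mobapi.ganji.com/datashare/ - HIER_DIRECT/115.159.231.182 text/html
1481728040.000 120 10.0.0.15 TCP_MISS/200 2048 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

def parse_line(line):
    """Return (client_ip, hierarchy_code) from a native-format line, or None."""
    f = line.split()
    if len(f) < 10:
        return None  # truncated or non-native line
    try:
        client = ipaddress.ip_address(f[2])
    except ValueError:
        return None  # client field is not an IP address
    return client, f[8].split("/")[0]

def audit(log_text, allowed=ALLOWED_NET):
    """Return (forwarded, rejected) Counters keyed by outside client IP.

    forwarded: Squid contacted an upstream server (hierarchy code other than
               HIER_NONE) on behalf of a client outside the allowed network,
               so the access rules let the request through.
    rejected:  the request came from outside but was not forwarded.
    """
    forwarded, rejected = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0] in allowed:
            continue
        bucket = forwarded if rec[1] != "HIER_NONE" else rejected
        bucket[str(rec[0])] += 1
    return forwarded, rejected

if __name__ == "__main__":
    fwd, rej = audit(SAMPLE_LOG)
    for ip, n in fwd.most_common():
        print(f"FORWARDED for outside client {ip}: {n} request(s)")
    for ip, n in rej.most_common():
        print(f"not forwarded, outside client {ip}: {n} request(s)")
```

Any entry in the forwarded bucket means the Squid ACLs and the firewall both let an outside client use the proxy; after the rules are fixed, that bucket should stay empty on a fresh log.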