On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:
Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
source IPs. All those IPs seem to be originated from China. In my config
file I deny all but local net IPs 10.0.0.0/24.
I suggest you show us your squid.conf (wiithout comments or blank lines)
because you do not seem to have achieved restricting source IPs as intended.
Here is a sample of the log:
1481728035.855 0 199.233.237.186 TAG_NONE/400 4534 NONE
error:invalid-request - HIER_NONE/- text/html 1481728035.952 1556
118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ -
HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.461
595
123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ -
HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.993
749
123.207.123.80 TCP_MISS/200 819 POST http://wup.huya.com/ -
HIER_DIRECT/180.208.65.100 application/multipart-formdata 1481728037.538
2307
122.227.189.214 TCP_MISS/200 764 POST
http://webim.ganji.com/message/ImSendMsg? - HIER_DIRECT/124.251.6.233
text/html 1481728038.572 9372
74.222.20.124 TCP_MISS/502 3922 GET
http://116.31.99.233:9636/ -
HIER_DIRECT/116.31.99.233 text/html 1481728038.573 0
74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/-
text/html 1481728038.773 2528
118.89.21.244 TCP_MISS/200 419 POST http://online.huya.com/ -
HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728039.162
1575
139.199.60.36 TCP_MISS/200 419 POST http://online.huya.com/ -
HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728039.203
612
122.227.189.214 TCP_MISS/200 1182 POST
http://mobapi.ganji.com/datashare/ -
HIER_DIRECT/115.159.231.182 text/html 1481728039.615 51681
172.82.184.19 TCP_MISS/502 3806 GET
http://115.231.17.12:9636/ -
HIER_DIRECT/115.231.17.12 text/html 1481728039.615 0
172.82.184.19 TAG_NONE/400 4532 NONE
error:invalid-request - HIER_NONE/- text/html 1481728040.311 36606
74.222.20.124 TCP_MISS/502 3806 GET
http://116.31.99.233:9636/ -
HIER_DIRECT/116.31.99.233 text/html 1481728040.312 0
74.222.20.124 TAG_NONE/400 4532 NONE error:invalid-request - HIER_NONE/-
text/html 1481728041.477 67001
74.222.19.19 TCP_MISS/502 3802 GET http://61.155.5.197:9636/ -
HIER_DIRECT/61.155.5.197 text/html 1481728041.478 0
74.222.19.19 TAG_NONE/400 4531 NONE error:invalid-request - HIER_NONE/-
text/html 1481728041.856 13613
172.82.190.245 TCP_MISS/502 3926 GET
http://122.226.191.17:9636/ -
HIER_DIRECT/122.226.191.17 text/html 1481728041.857 0
172.82.190.245 TAG_NONE/400 4533 NONE error:invalid-request - HIER_NONE/-
text/html
I am worried about spam…
I would not call this spam - I would call it "people trying to abuse your
proxy".
is this normal?
It is normal that they try. It is not normal that your access control rules
allow them to get this far.
if not, how can I know what is accessing squid and stop it.
You don't care what is accessing it - you only care that it's coming from the
outside, and that should not be allowed. Either or both of your Squid ACLs
and your firewall rules need to be reviewed.
NOTE: this server has a small iRedMail server installed on it.
What port/s does that listen on? It is intended to be externally accessible?
Regards,
Antony.
--
Wanted: telepath. You know where to apply.
Please reply to the list;
please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Piensa
en el medio ambiente antes de imprimir este email. 