On Wednesday 14 December 2016 at 17:26:34, Sameh Onaissi wrote:

> Thanks for your reply.
>
> Here’s the config file: http://pastebin.com/DNDacy6M

Where is this file located on your system? The answer to this question is needed further down my reply.

I've skipped some bits to make my reply clearer...

> acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_access allow CONNECT localnet numeric_IPs Skype_UA

Maybe someone more knowledgeable can say if I'm wrong here, but I find it hard to accept that this really is the squid.conf file you're using:

a) if it allows connections from IPs such as 118.89.21.244

b) if it allows *anything* to CONNECT.

Please do one of the following:

1. Run "squid -k parse" and make sure it returns no errors, then introduce a deliberate error to your squid.conf file (such as mis-spelling "deny" or similar) and run "squid -k parse" again to make sure it reads the file you think it is using, and reports the error (then undo the mistake again).

2. Run "squid -f /path/to/your/squid.conf -k parse" substituting in the location on your system where your config file lives (as asked above). Assuming this returns no errors, again (as in suggestion 1) introduce a deliberate error, re-run "squid -f /path/to/your/squid.conf -k parse" and make sure it picks up on the error.

I find it hard to believe that the squid.conf you showed can produce the results you report.

Please also post the output of "find / -name squid.conf" on your machine.

> Dovecot used its default ports:
> 110: pop
> 143: imap
> 995: pop3s
> 993: imaps
>
> Postfix SMTP 587

Okay, so nothing to do with Squid, then. I just wondered whether it might have a web interface.

Regards,

Antony.

> On Dec 14, 2016, at 10:25 AM, Antony Stone wrote:
>
> > On Wednesday 14 December 2016 at 16:16:17, Sameh Onaissi wrote:
> >
> > > Looking at access.log, to find the Skype IPs, I noticed a LOT of unknown
> > > source IPs. All those IPs seem to originate from China. In my config
> > > file I deny all but local net IPs 10.0.0.0/24.
> >
> > I suggest you show us your squid.conf (without comments or blank lines)
> > because you do not seem to have achieved restricting source IPs as
> > intended.
> >
> > > Here is a sample of the log:
> > >
> > > 118.89.21.244 TCP_MISS/200 445 POST http://online.huya.com/ -
> > > HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.461
> > > 595
> > >
> > > 123.207.123.80 TCP_MISS/200 419 POST http://online.huya.com/ -
> > > HIER_DIRECT/183.61.6.181 application/multipart-formdata 1481728036.993
> > > 749
> > >
> > > 74.222.20.124 TCP_MISS/502 3806 GET http://116.31.99.233:9636/ -
> > > HIER_DIRECT/116.31.99.233 text/html 1481728040.312 0
> > >
> > > I am worried about spam…
> >
> > I would not call this spam - I would call it "people trying to abuse your
> > proxy".
> >
> > > is this normal?
> >
> > It is normal that they try. It is not normal that your access control
> > rules allow them to get this far.
> >
> > > if not, how can I know what is accessing squid and stop it.
> >
> > You don't care what is accessing it - you only care that it's coming from
> > the outside, and that should not be allowed. Either or both of your Squid
> > ACLs and your firewall rules need to be reviewed.
> >
> > > NOTE: this server has a small iRedMail server installed on it.
> >
> > What port/s does that listen on? Is it intended to be externally
> > accessible?

--
"The tofu battle I saw last weekend was quite brutal."

 - Marija Danute Brigita Kuncaitis

Please reply to the list; please *don't* CC me.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
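
An added example, not part of the original thread and not Squid's own code: a small Python model of Squid's first-match `http_access` evaluation, run over the rules quoted in the message above. It shows which line decides a request from 118.89.21.244 and that the final CONNECT line sits after `deny all`. Every ACL definition except `localnet` is a simplified assumption (the thread omits them), and 10.0.0.15 is a constructed client address.

```python
import ipaddress

# http_access lines exactly as quoted in the thread; order matters.
RULES = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_access allow CONNECT localnet numeric_IPs Skype_UA
"""
LOCALNET = ipaddress.ip_network("10.0.0.0/24")  # from the quoted acl line

def acl_facts(src, method, port):
    """Named ACLs a request matches. Only localnet is from the thread; the
    rest are ASSUMED, simplified stand-ins for definitions it omits."""
    ip = ipaddress.ip_address(src)
    return {
        "all": True,
        "localnet": ip in LOCALNET,
        "localhost": ip.is_loopback,
        "CONNECT": method == "CONNECT",
        "Safe_ports": port in (80, 443) or port >= 1025,
        "SSL_ports": port == 443,
        "manager": False, "numeric_IPs": False, "Skype_UA": False,  # not modelled
    }

def evaluate(src, method="GET", port=80, rules=RULES):
    """Return (action, line_no) for the first line whose ACLs all match."""
    facts = acl_facts(src, method, port)
    action = "allow"  # so that an empty rule list falls through to deny
    for n, line in enumerate(rules.splitlines(), 1):
        _, action, *acls = line.split()
        if all(facts[a.lstrip("!")] != a.startswith("!") for a in acls):
            return action, n
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if action == "allow" else "allow"), None

def unreachable(rules=RULES):
    """Line numbers that follow an unconditional 'all' rule and never run."""
    lines = [l.split() for l in rules.splitlines()]
    stop = next((i for i, l in enumerate(lines) if l[2:] == ["all"]), None)
    return [] if stop is None else list(range(stop + 2, len(lines) + 1))

if __name__ == "__main__":
    print(evaluate("118.89.21.244", "POST", 80))  # address from the quoted log
    print(evaluate("10.0.0.15", "CONNECT", 443))  # constructed localnet client
    print(unreachable())
```

If the running proxy behaves differently from this model for the same rules, that supports checking which squid.conf is actually loaded, as the `squid -k parse` steps above suggest.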