I have configured a Squid server that allows an IP range of 192.168.0.XX to surf the internet, but in the logs I see a lot of public IP addresses. How is this possibly happening? Below are the logs!
#####################################################################################
1205406926.776 255 192.168.0.101 TCP_MISS/200 438 GET http://mail.google.com/mail/images/cleardot.gif? - DIRECT/209.85.153.83 image/gif
1205406926.780 6 219.254.32.113 TCP_DENIED/403 4197 CONNECT 203.141.160.33:25 - NONE/- text/html
1205406926.812 1680 124.115.0.175 TCP_MISS/200 21162 GET http://www.soso.com/q? - DIRECT/60.28.232.146 text/html
1205406926.900 575 89.149.242.226 TCP_MISS/200 894 POST http://www.glookle.com/usr/proxy/checker5/check.php - DIRECT/89.149.242.226 text/html
1205406927.017 852 71.228.204.50 TCP_MISS/999 5104 GET http://n2.login.scd.yahoo.com/config/pwtoken_get? - DIRECT/209.73.168.34 text/html
1205406927.063 868 84.187.189.180 TCP_MISS/302 381 HEAD http://cl-erotic.com/members/ - DIRECT/78.108.179.136 text/html
1205406927.075 0 222.233.52.156 TCP_DENIED/403 4197 CONNECT 65.54.244.40:25 - NONE/- text/html
1205406927.079 3783 217.126.54.234 TCP_MISS/200 279 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1205406927.093 18 221.139.1.162 TCP_DENIED/403 4197 CONNECT 202.108.5.253:25 - NONE/- text/html
1205406927.128 314 192.168.0.101 TCP_MISS/200 353 POST http://mail.google.com/mail/? - DIRECT/209.85.153.83 text/html
1205406927.169 17 221.139.1.162 TCP_DENIED/403 4197 CONNECT 202.18.170.10:25 - NONE/- text/html
1205406927.196 575 192.168.0.170 TCP_MISS/200 462 GET http://livehelp.qualispace.com/pull/requests.php? - DIRECT/67.15.197.19 text/html
1205406927.249 572 192.168.0.73 TCP_MISS/200 367 GET http://livehelp.qualispace.com/image_tracker.php? - DIRECT/67.15.197.19 image/gif
##############################################################################################
Can someone help me with this?
Agnello
On Thu, Mar 13, 2008 at 9:55 AM, Agnello George agnello.dsouza@gmail.com wrote:
> I have configured a Squid server that allows an IP range of 192.168.0.XX to surf the internet, but in the logs I see a lot of public IP addresses. How is this possibly happening? Below are the logs!
> 1205406926.776 255 192.168.0.101 TCP_MISS/200 438 GET http://mail.google.com/mail/images/cleardot.gif? - DIRECT/209.85.153.83 image/gif
209.85.153.83 is Google's IP. That's your destination, not source.
Regards, NMK.
On 3/13/08, Nadeem M. Khan nadeem.m.khan@gmail.com wrote:
> On Thu, Mar 13, 2008 at 9:55 AM, Agnello George agnello.dsouza@gmail.com wrote:
> > I have configured a Squid server that allows an IP range of 192.168.0.XX to surf the internet, but in the logs I see a lot of public IP addresses. How is this possibly happening? Below are the logs!
> > 1205406926.776 255 192.168.0.101 TCP_MISS/200 438 GET http://mail.google.com/mail/images/cleardot.gif? - DIRECT/209.85.153.83 image/gif
> 209.85.153.83 is Google's IP. That's your destination, not source.
> Regards, NMK.
If you check the log file I sent earlier, the first line (192.168.0.101) of the log below is OK... that is one of our local clients accessing a site!
1205406926.776 255 192.168.0.101 TCP_MISS/200 438 GET http://mail.google.com/mail/images/cleardot.gif? - DIRECT/209.85.153.83 image/gif
But whose IP address is 219.254.32.113? Similarly 219.254.32.113, 89.149.242.226, 71.228.204.50...... where have these IPs come from? (See the log below.)
1205406926.780 6 219.254.32.113 TCP_DENIED/403 4197 CONNECT 203.141.160.33:25 - NONE/- text/html
1205406926.812 1680 124.115.0.175 TCP_MISS/200 21162 GET http://www.soso.com/q? - DIRECT/60.28.232.146 text/html
1205406926.900 575 89.149.242.226 TCP_MISS/200 894 POST http://www.glookle.com/usr/proxy/checker5/check.php - DIRECT/89.149.242.226 text/html
1205406927.017 852 71.228.204.50 TCP_MISS/999 5104 GET http://n2.login.scd.yahoo.com/config/pwtoken_get? - DIRECT/209.73.168.34 text/html
1205406927.063 868 84.187.189.180 TCP_MISS/302 381 HEAD http://cl-erotic.com/members/ - DIRECT/78.108.179.136 text/html
Thanks for all the help!! :)
On Thu, Mar 13, 2008 at 10:12 AM, Agnello George agnello.dsouza@gmail.com wrote:
> On 3/13/08, Nadeem M. Khan nadeem.m.khan@gmail.com wrote:
> > On Thu, Mar 13, 2008 at 9:55 AM, Agnello George agnello.dsouza@gmail.com wrote:
> > > I have configured a Squid server that allows an IP range of 192.168.0.XX to surf the internet, but in the logs I see a lot of public IP addresses. How is this possibly happening? Below are the logs!
> > > 1205406926.776 255 192.168.0.101 TCP_MISS/200 438 GET http://mail.google.com/mail/images/cleardot.gif? - DIRECT/209.85.153.83 image/gif
> > 209.85.153.83 is Google's IP. That's your destination, not source.
> > Regards, NMK.
> If you check the log file I sent earlier, the first line (192.168.0.101) of the log below is OK... that is one of our local clients accessing a site!
> 1205406926.776 255 192.168.0.101 TCP_MISS/200 438 GET http://mail.google.com/mail/images/cleardot.gif? - DIRECT/209.85.153.83 image/gif
> But whose IP address is 219.254.32.113? Similarly 219.254.32.113, 89.149.242.226, 71.228.204.50...... where have these IPs come from? (See the log below.)
> 1205406926.780 6 219.254.32.113 TCP_DENIED/403 4197 CONNECT 203.141.160.33:25 - NONE/- text/html
> 1205406926.812 1680 124.115.0.175 TCP_MISS/200 21162 GET http://www.soso.com/q? - DIRECT/60.28.232.146 text/html
> 1205406926.900 575 89.149.242.226 TCP_MISS/200 894 POST
Those are the sites to which your proxy is *connecting*. It's a GET.
client --------------------> squid -----------------------> google
192.168.*                    192.168.*                      209.85.153.83
Clear?
To know more about an IP, do a whois lookup.
Regards, NMK
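A note on reading the lines being discussed. Squid's native access.log format is `timestamp elapsed client code/status bytes method URL rfc931 hierarchy/peer type`: the third field is the address of the client that sent the request to the proxy, and the address after `DIRECT/` near the end is the origin server the proxy fetched from. The two columns are easy to mix up, so the following script, an added example rather than code from the thread, runs over the thirteen lines from the first post (embedded as sample input) and separates requests by which side of 192.168.0.0/24 the client column falls on, counting how many outside requests Squid actually served and how many were `CONNECT` attempts to port 25.

```python
"""Separate LAN clients from outside clients in a Squid native access.log.

Added example; not code from the thread. Squid's native log format is
  timestamp elapsed client code/status bytes method URL rfc931 hierarchy/peer type
so the third field is the client that sent the request to the proxy, and the
address after DIRECT/ near the end is the origin server the proxy fetched from.
"""
import ipaddress
import re

# The thirteen entries from the first post in the thread, one per line.
SAMPLE_LOG = """\
1205406926.776 255 192.168.0.101 TCP_MISS/200 438 GET http://mail.google.com/mail/images/cleardot.gif? - DIRECT/209.85.153.83 image/gif
1205406926.780 6 219.254.32.113 TCP_DENIED/403 4197 CONNECT 203.141.160.33:25 - NONE/- text/html
1205406926.812 1680 124.115.0.175 TCP_MISS/200 21162 GET http://www.soso.com/q? - DIRECT/60.28.232.146 text/html
1205406926.900 575 89.149.242.226 TCP_MISS/200 894 POST http://www.glookle.com/usr/proxy/checker5/check.php - DIRECT/89.149.242.226 text/html
1205406927.017 852 71.228.204.50 TCP_MISS/999 5104 GET http://n2.login.scd.yahoo.com/config/pwtoken_get? - DIRECT/209.73.168.34 text/html
1205406927.063 868 84.187.189.180 TCP_MISS/302 381 HEAD http://cl-erotic.com/members/ - DIRECT/78.108.179.136 text/html
1205406927.075 0 222.233.52.156 TCP_DENIED/403 4197 CONNECT 65.54.244.40:25 - NONE/- text/html
1205406927.079 3783 217.126.54.234 TCP_MISS/200 279 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1205406927.093 18 221.139.1.162 TCP_DENIED/403 4197 CONNECT 202.108.5.253:25 - NONE/- text/html
1205406927.128 314 192.168.0.101 TCP_MISS/200 353 POST http://mail.google.com/mail/? - DIRECT/209.85.153.83 text/html
1205406927.169 17 221.139.1.162 TCP_DENIED/403 4197 CONNECT 202.18.170.10:25 - NONE/- text/html
1205406927.196 575 192.168.0.170 TCP_MISS/200 462 GET http://livehelp.qualispace.com/pull/requests.php? - DIRECT/67.15.197.19 text/html
1205406927.249 572 192.168.0.73 TCP_MISS/200 367 GET http://livehelp.qualispace.com/image_tracker.php? - DIRECT/67.15.197.19 image/gif
"""

# The range the poster intended to allow.
ALLOWED = ipaddress.ip_network("192.168.0.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Parse one native-format line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    try:
        entry["client"] = ipaddress.ip_address(entry["client"])
    except ValueError:  # hostname in the client column (log_fqdn on)
        return None
    entry["status"] = int(entry["status"])
    return entry


def summarize(log_text, allowed=ALLOWED):
    """Count requests by whether the *client* column is inside `allowed`.

    Returns a dict with:
      lan_requests        - requests from the allowed range
      foreign_requests    - requests from any other address
      foreign_served      - foreign requests Squid did not deny (no TCP_DENIED)
      smtp_relay_attempts - foreign CONNECT requests to port 25
      foreign_clients     - sorted distinct foreign client addresses
      origin_servers      - sorted distinct DIRECT/ peers (destinations, not sources)
    """
    counts = {"lan_requests": 0, "foreign_requests": 0,
              "foreign_served": 0, "smtp_relay_attempts": 0}
    foreign_clients, origins = set(), set()
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e["hier"] == "DIRECT":
            origins.add(e["peer"])
        if e["client"] in allowed:
            counts["lan_requests"] += 1
            continue
        counts["foreign_requests"] += 1
        foreign_clients.add(str(e["client"]))
        if e["code"] != "TCP_DENIED":
            counts["foreign_served"] += 1
        if e["method"] == "CONNECT" and e["url"].endswith(":25"):
            counts["smtp_relay_attempts"] += 1
    counts["foreign_clients"] = sorted(foreign_clients)
    counts["origin_servers"] = sorted(origins)
    return counts


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a live log with `summarize(open("/var/log/squid/access.log").read())`. A non-zero `foreign_served` means requests from outside the allowed range were answered, which is the condition to check for; the `TCP_DENIED/403` entries only show what the default port ACLs refused, and the `origin_servers` list is the column the discussion above was pointing at.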
This was the suggestion from another forum, which helped me solve my issue!
###################################################
The security risk is not any individual accessing your proxy, it's the proxy itself. *THAT* is what needs looking at.
However, you can deny access to the proxy to anyone not in 192.168.0.0/24 with this iptables rule - assuming your proxy is on port 3128:
# iptables -I INPUT 1 -s ! 192.168.0.0/24 -p tcp --dport 3128 -j DROP
G. Stewart - gstewart@spamcop.net
#####################################################
Agnello
On Thu, Mar 13, 2008 at 12:43 PM, Agnello George agnello.dsouza@gmail.com wrote:
> This was the suggestion from another forum, which helped me solve my issue!
> ###################################################
> The security risk is not any individual accessing your proxy, it's the proxy itself. *THAT* is what needs looking at.
Could you explain that a bit?
> However, you can deny access to the proxy to anyone not in 192.168.0.0/24 with this iptables rule - assuming your proxy is on port 3128:
Well, how would someone from the outside connect to your proxy? You were concerned about public IPs like 202.*. How can they connect to port 3128 of your proxy? Public IP? NAT? How?
> # iptables -I INPUT 1 -s ! 192.168.0.0/24 -p tcp --dport 3128 -j DROP
That's fine. But in your logs, the public IPs were all destination IPs. Do they disappear after implementing the above rule? I don't think so.
Regards, NMK.
> > However, you can deny access to the proxy to anyone not in 192.168.0.0/24 with this iptables rule - assuming your proxy is on port 3128:
> Well, how would someone from the outside connect to your proxy? You were concerned about public IPs like 202.*. How can they connect to port 3128 of your proxy? Public IP? NAT? How?
Below are the logs I received in my log file before I added the new rule:
1205406926.780 6 219.254.32.113 TCP_DENIED/403 4197 CONNECT 203.141.160.33:25 - NONE/- text/html
1205406926.812 1680 124.115.0.175 TCP_MISS/200 21162 GET http://www.soso.com/q? - DIRECT/60.28.232.146 text/html
1205406926.900 575 89.149.242.226 TCP_MISS/200 894 POST http://www.glookle.com/usr/proxy/checker5/check.php - DIRECT/89.149.242.226 text/html
1205406927.017 852 71.228.204.50 TCP_MISS/999 5104 GET http://n2.login.scd.yahoo.com/config/pwtoken_get? - DIRECT/209.73.168.34 text/html
After I added the rule (iptables -I INPUT 1 -s ! 192.168.0.0/24 -p tcp --dport 3128 -j DROP)
I only get the following logs (which look OK :))
9 text/html
1205418879.760 29983 192.168.0.250 TCP_MISS/200 892 GET http://b.mail.google.com/a/eadroit.com/channel/bind? - DIRECT/209.85.201.189 text/html
1205418879.998 705 192.168.0.73 TCP_MISS/200 462 GET http://livehelp.qualispace.com/pull/requests.php? - DIRECT/67.15.197.19 text/html
1205418880.217 577 192.168.0.74 TCP_MISS/200 562 POST http://www.hostv.com/livehelp/include/status.php - DIRECT/209.123.178.244 text/html
1205418880.942 587 192.168.0.170 TCP_MISS/200 485 GET http://livehelp.qualispace.com/pull/traffic.php? - DIRECT/67.15.197.19 text/html
1205418881.789 595 192.168.0.248 TCP_MISS/200 462 GET http://livehelp.qualispace.com/pull/requests.php? - DIRECT/67.15.197.19 text/html
1205418882.056 593 192.168.0.151 TCP_MISS/200 462 GET http://livehelp.qualispace.com/pull/requests.php? - DIRECT/67.15.197.19 text/html
> Do they disappear after implementing the above rule?
Yep, it did.
> Regards, NMK.
--
Agnello
On Thu, Mar 13, 2008 at 1:05 PM, Agnello George agnello.dsouza@gmail.com wrote:
> Below are the logs I received in my log file before I added the new rule:
> 1205406926.780 6 219.254.32.113 TCP_DENIED/403 4197 CONNECT 203.141.160.33:25 - NONE/- text/html
> 1205406926.812 1680 124.115.0.175 TCP_MISS/200 21162 GET http://www.soso.com/q? - DIRECT/60.28.232.146 text/html
> 1205406926.900 575 89.149.242.226 TCP_MISS/200 894 POST http://www.glookle.com/usr/proxy/checker5/check.php - DIRECT/89.149.242.226 text/html
> 1205406927.017 852 71.228.204.50 TCP_MISS/999 5104 GET http://n2.login.scd.yahoo.com/config/pwtoken_get? - DIRECT/209.73.168.34 text/html
> After I added the rule (iptables -I INPUT 1 -s ! 192.168.0.0/24 -p tcp --dport 3128 -j DROP)
> I only get the following logs (which look OK :))
> 9 text/html
> 1205418879.760 29983 192.168.0.250 TCP_MISS/200 892 GET http://b.mail.google.com/a/eadroit.com/channel/bind? - DIRECT/209.85.201.189 text/html
> 1205418879.998 705 192.168.0.73 TCP_MISS/200 462 GET http://livehelp.qualispace.com/pull/requests.php? - DIRECT/67.15.197.19 text/html
> 1205418880.217 577 192.168.0.74 TCP_MISS/200 562 POST http://www.hostv.com/livehelp/include/status.php - DIRECT/209.123.178.244 text/html
> 1205418880.942 587 192.168.0.170 TCP_MISS/200 485 GET http://livehelp.qualispace.com/pull/traffic.php? - DIRECT/67.15.197.19 text/html
> 1205418881.789 595 192.168.0.248 TCP_MISS/200 462 GET http://livehelp.qualispace.com/pull/requests.php? - DIRECT/67.15.197.19 text/html
> 1205418882.056 593 192.168.0.151 TCP_MISS/200 462 GET http://livehelp.qualispace.com/pull/requests.php? - DIRECT/67.15.197.19 text/html
> > Do they disappear after implementing the above rule?
> Yep, it did.
Some misunderstanding here. I was under the impression that you wanted to remove the GET public IPs. But one thing still baffles me: how were clients (like 124.115.0.175) from outside your LAN able to access your proxy? Does your proxy have a public IP? If yes, can I have it? Orkut is banned here :P
Regards, NMK.
Some nice info is available here:
http://www.postcastserver.com/help/Open_Proxy_Servers.aspx
http://tools.rosinstrument.com/proxy/
2008/3/13, Agnello George agnello.dsouza@gmail.com:
> This was the suggestion from another forum, which helped me solve my issue!
> ###################################################
> The security risk is not any individual accessing your proxy, it's the proxy itself. *THAT* is what needs looking at.
> However, you can deny access to the proxy to anyone not in 192.168.0.0/24 with this iptables rule - assuming your proxy is on port 3128:
> # iptables -I INPUT 1 -s ! 192.168.0.0/24 -p tcp --dport 3128 -j DROP
Alternatively, you might want to bind Squid to only your private IP.
http_port 192.168.X.Y:3128
Anurag
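Putting the thread's suggestions together on the Squid side (bind http_port to the LAN address, and let Squid's own ACLs decide who is served), here is a squid.conf fragment as an added example. It is not the poster's configuration, which the thread never shows; 192.168.0.1 is an assumed address for the proxy's inside interface, and the commented-out lines show the permissive shape that serves outside clients, for contrast.

```squid
# Added example, not the poster's squid.conf (the thread does not show it).

# Permissive shape that turns the box into an open proxy (for contrast, do not use):
#   http_port 3128            # listens on every interface, the public one included
#   http_access allow all     # anyone who can reach the port is served

# Listen only on the LAN interface, as suggested above.
# 192.168.0.1 is an assumed address for the proxy's inside interface.
http_port 192.168.0.1:3128

# The only network that may use the proxy.
acl localnet src 192.168.0.0/24

# CONNECT is allowed to TLS ports only; this is what produces the
# TCP_DENIED/403 lines for CONNECT ...:25 in the log, and it keeps the proxy
# from relaying mail even for a compromised LAN host.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# Serve the LAN, refuse everyone else. Squid's default for a request that
# matches no http_access line is the opposite of the last line, so end with
# an explicit deny rather than relying on that.
http_access allow localnet
http_access deny all
```

After `squid -k reconfigure`, check with `ss -ltn` (or `netstat -ltn`) that 3128 is bound to the LAN address only, and confirm that `access.log` shows no client column outside 192.168.0.0/24. The iptables rule quoted above is still worth keeping in front of it as a second layer; note that `--dport` is only accepted together with `-p tcp`.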
On 3/13/08, Anurag anurag@gnuer.org wrote:
> > However, you can deny access to the proxy to anyone not in 192.168.0.0/24 with this iptables rule - assuming your proxy is on port 3128:
> > # iptables -I INPUT 1 -s ! 192.168.0.0/24 -p tcp --dport 3128 -j DROP
> Alternatively, you might want to bind Squid to only your private IP.
> http_port 192.168.X.Y:3128
Also, be careful if you're serving IPs via DHCP. I had this problem: I was running DHCP, but had given static IPs to all the clients. I noticed from sarg reports that though the IPs were in the range of 192.168.1.0/24, many of them were from the set of static IPs I had given. After disabling DHCP this problem was solved.