Hello
Please, I need your help to tell me what this means.
When going to the Squid access report via Log Viewer I saw this:
1484398636.413 120077 192.168.1.253 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253 -
My eth1 is for my LAN network and it is 192.168.1.253.
How can the report show 192.168.1.253 to 192.168.1.253?
Other lines show the computer IP to my proxy server 192.168.1.253; that is normal,
but this line from the report shows the proxy server IP accessing the proxy server IP too!!!!
Has someone hacked the system and opened sites without any policies?
My server uses the proxy in non-transparent mode with user authentication.
Thanks, and I hope to see anyone who can tell me what that is.
In Log Viewer
Responses (35)
If you use PuTTY, you can just scroll up and select the text. Selecting it copies it to the clipboard and you can then paste it into the forum (between code tags, please). Alternatively do:
iptables -nvL > somefile.txt
iptables -nvL -t nat >> somefile.txt
The second command will append to the file from the first command. You will find the file in your current folder (probably root, also displayed as ~). -
Nick Howitt wrote:
I'm trying to research this online. Please can you post the output of:
iptables -nvL
iptables -nvL -t nat
and put the result between code tags (the piece of paper icon with a <> on it).
Thanks Nick for your help,
I saw many lines in SSH for the result; is there any way to save the result as a txt or log file? -
Now I have a new loop with a browser:
2017/09/12 10:46:34| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.0
Host: 192.168.1.253:8080
Authorization: Basic [redacted]
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://192.168.1.253:8080/approot/content_filter/htdocs/warning.php?DENIEDURL=52525252525252526REASON%25252525252525253dBanned%25252525252525252520site%2525252525252525253a%25252525252525252520Blanket%252525252525
Accept-Encoding: identity,gzip,deflate
Accept-Language: en-US,ar;q=0.8,en;q=0.6,en-GB;q=0.4
Via: 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0
Cache-Control: max-age=259200
Connection: keep-alive
X-Forwarded-For: 192.168.1.253 -
Nick Howitt wrote:
Not really my thread, but does it not tell you the user agents:
User-Agent: Microsoft Office 2014
and
User-Agent: Microsoft Office/16.0 (HubTaskHost.exe 16.0.7608; Pro)
So, perhaps a line like:
User-Agent: Microsoft Office.*
in /etc/dansguardian-av/lists/bannedregexpheaderlist will cover both and more.
Thank you very much,
but after making that I still see the same result for the forwarding loop for Microsoft Office, and I don't know how to find out which device makes this loop; the cache.log and access.log do not show any IP for the device, they only show the ClearOS LAN IP 192.168.1.253.
Unbelievable, I can't find the device that makes this!! Please, if there is anything that can stop this forwarding loop for Microsoft. -
The top log entry of the recursive loop shows the culprit. You can also sometimes find the machine that is causing this on your LAN with the following:
grep "http://192.168.1.253:8080" /var/log/squid/access.log | grep -v "DIRECT/192.168.1.253 "
(Notice the space at the end of the "DIRECT/192.168.1.253 " portion) -
Not really my thread, but does it not tell you the user agents:
User-Agent: Microsoft Office 2014
and
User-Agent: Microsoft Office/16.0 (HubTaskHost.exe 16.0.7608; Pro)
So, perhaps a line like:
User-Agent: Microsoft Office.*
in /etc/dansguardian-av/lists/bannedregexpheaderlist will cover both and more.
-
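The two replies above suggest two manual checks: Dave Loper's grep over access.log for requests aimed at the proxy's own URL, and Nick Howitt's idea of reading the User-Agent out of the cache.log "Forwarding loop detected" blocks and matching it against a bannedregexpheaderlist pattern. The script below is an added example (not code from the thread or from ClearOS) that does both over constructed sample log lines in the formats shown in the thread; it goes slightly beyond the grep by listing every non-proxy client that asked for the proxy's own URL, and by counting the hops in the Via header so you can see how far each loop ran. The proxy address, port and the ban-list patterns are assumptions taken from the thread, and the ban-list matching is an approximation of DansGuardian's regex header matching, not its actual implementation.

```python
"""Spot Squid forwarding loops and the software behind them (added example)."""
import re
from collections import Counter

PROXY_IP = "192.168.1.253"   # assumption: LAN address of the proxy (eth1 in this thread)
PROXY_PORT = 8080            # assumption: port the LAN clients are pointed at

# Constructed sample in Squid's native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
ACCESS_LOG = """\
1484398636.413 120077 192.168.1.100 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253 -
1484398636.500 120077 192.168.1.253 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253 -
1484398640.101    210 192.168.1.120 TCP_MISS/200 5123 GET http://example.com/ user1 DIRECT/93.184.216.34 text/html
1484485559.917 120023 192.168.1.253 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253 -
"""

# Constructed sample of cache.log loop warnings (Via headers shortened).
CACHE_LOG = """\
2017/08/27 12:04:46| WARNING: Forwarding loop detected for:
GET / HTTP/1.0
User-Agent: avast! Antivirus
Host: 192.168.1.253:8080
Via: 1.0 fw1.example.local (squid/3.1.23), 1.0 fw1.example.local (squid/3.1.23)
X-Forwarded-For: 192.168.1.253
2017/08/27 12:04:47| (constructed unrelated cache.log line)
2017/08/30 12:17:43| WARNING: Forwarding loop detected for:
GET / HTTP/1.0
User-Agent: Microsoft Office/16.0 (HubTaskHost.exe 16.0.7608; Pro)
Host: 192.168.1.253:8080
Via: 1.0 fw1.example.local (squid/3.1.23), 1.0 fw1.example.local (squid/3.1.23), 1.0 fw1.example.local (squid/3.1.23)
X-Forwarded-For: 192.168.1.253
"""

ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)
TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\|")   # any cache.log record start
LOOP_MARK = "WARNING: Forwarding loop detected for:"


def parse_access(text):
    """Yield one dict per well-formed native-format access.log line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            yield m.groupdict()


def self_requests(text, proxy_ip=PROXY_IP, proxy_port=PROXY_PORT):
    """Access.log entries that ask the proxy for its own listening URL.

    Returns (clients, self_forwarded): clients maps each source IP that is NOT
    the proxy itself to a hit count (the machines worth visiting);
    self_forwarded counts entries Squid forwarded straight back to itself.
    """
    own_url = f"http://{proxy_ip}:{proxy_port}/"
    clients, self_forwarded = Counter(), 0
    for rec in parse_access(text):
        if not rec["url"].startswith(own_url):
            continue
        if rec["hier"] == f"DIRECT/{proxy_ip}":
            self_forwarded += 1
        if rec["client"] != proxy_ip:
            clients[rec["client"]] += 1
    return dict(clients), self_forwarded


def parse_loop_warnings(text):
    """Split cache.log into 'Forwarding loop detected' blocks, one dict each."""
    warnings, current = [], None
    for line in text.splitlines():
        if LOOP_MARK in line:
            current = {"time": line.split("|", 1)[0], "request": "", "headers": {}}
            warnings.append(current)
            continue
        if TS_RE.match(line):          # some other cache.log record: block is over
            current = None
            continue
        if current is None or not line.strip():
            continue
        if not current["request"]:
            current["request"] = line.strip()      # e.g. "GET / HTTP/1.0"
            continue
        name, sep, value = line.partition(":")
        if sep:
            current["headers"][name.strip().lower()] = value.strip()
    for w in warnings:
        w["hops"] = w["headers"].get("via", "").count("(squid/")   # times Squid saw it
        w["user_agent"] = w["headers"].get("user-agent", "")
    return warnings


def blocked_by(warnings, banned_patterns):
    """Map each looping User-Agent to the first ban-list regex matching it (or None).

    Approximation of DansGuardian's bannedregexpheaderlist: each pattern is a
    regex tested against the raw 'User-Agent: ...' header line; assumed here
    to be unanchored and case-insensitive.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in banned_patterns]
    result = {}
    for w in warnings:
        header = f"User-Agent: {w['user_agent']}"
        result[w["user_agent"]] = next((p.pattern for p in compiled if p.search(header)), None)
    return result


if __name__ == "__main__":
    clients, looped = self_requests(ACCESS_LOG)
    print(f"{looped} entries forwarded back to the proxy; originating clients: {clients}")
    for w in parse_loop_warnings(CACHE_LOG):
        print(f"{w['time']}  hops={w['hops']}  UA={w['user_agent']!r}")
    print(blocked_by(parse_loop_warnings(CACHE_LOG), ["User-Agent: Microsoft Office.*"]))
```

On a real box, replace the two sample strings with the contents of /var/log/squid/access.log and cache.log. A User-Agent that comes back as None from blocked_by is one the current ban list does not cover; a client that appears in the first result but whose own IP never shows up in the loop warnings is the case the thread struggles with, where only the proxy's X-Forwarded-For is left.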
Hello,
I have another type of forwarding loop too.
I have blocked Avast via its user agent, but I don't know how to block this one because I don't know the user agent for Microsoft.
Also, is there any way to find this device?
2017/08/30 12:17:33| WARNING: Forwarding loop detected for:
GET / HTTP/1.0
Accept: */*
User-Agent: Microsoft Office 2014
X-MSEdge-IG: D635F83C-ADB8-46F8-93CF-5A5CBAD2B867
X-MSEdge-AppID: officehub
X-OCAS-Platform: winrt
X-OCAS-Build: 16.0.7608
Accept-Encoding: identity,gzip,deflate
Host: 192.168.1.253:8080
Via: 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.m
Cache-Control: no-cache
Connection: keep-alive
X-Forwarded-For: 192.168.1.253
2017/08/30 12:17:43| WARNING: Forwarding loop detected for:
GET / HTTP/1.0
Accept: */*
User-Agent: Microsoft Office/16.0 (HubTaskHost.exe 16.0.7608; Pro)
X-IDCRL_ACCEPTED: t
X-Office-Version: 16.0.7608
X-Office-Application: 29
X-Office-Platform: Universal
X-Office-SqmUserId: {5A1EC062-521F-4D45-B8E2-510611DAB32C}
Accept-Encoding: identity,gzip,deflate
Host: 192.168.1.253:8080
Via: 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.m
Cache-Control: no-cache
Connection: keep-alive
X-Forwarded-For: 192.168.1.253 -
Thank you Dave Loper for your answer.
I am using the proxy in non-transparent mode with user authentication, and I already have a custom firewall to block some ports and IPs,
so I think option no. 1 must be used with transparent mode.
As for the second option, no. 2: if I change port 8080 I think this will solve the problem for some time but not always, because Avast detects the proxy port from the browser or in another way; in my case I don't know how Avast detected 8080!! But I must try it first.
I hope to find a solution to block this forwarding via iptables for all software like Avast.
Based on your link I found a way using the user agent, and I think this is excellent if I add it correctly; with this I can block any application too by user agent, is this true??
Thank you very much -
There are two different ways you can perform a workaround. For compatibility reasons between apps, I recommend the first one:
OPTION 1
Download the custom firewall from the ClearOS Marketplace. If you are using transparent mode you can use the custom firewall to block direct access to port 8080 on the LAN segment with a rule similar to:
iptables -t mangle -I PREROUTING -i eth1 -p tcp --dport 8080 ! -s 192.168.1.253 -j DROP # Drop 8080 queries from external if 'eth1' is your network interface
or something more general like this...
iptables -t mangle -I PREROUTING -i eth1 -p tcp --dport 8080 -j DROP # If 'eth1' is your network interface
Another way to handle this is....
OPTION 2
Alternative work around...move DG port to something other than 8080.
For now, you need to edit two files:
/etc/dansguardian-av/dansguardian.conf
filterport = 8080
and
/usr/clearos/apps/firewall/deploy/firewall.lua
local SQUID_FILTER_PORT = "8080"
Change the 8080 references to an alt port...eg. 8081.
Restart services:
service dansguardian-av restart
service firewall restart -
Dave Loper wrote:
This is a recursive lookup. You will see the event in your cache.log. It escalates quickly and can cause a disruption. Any chance you are running Avast?
https://tracker.clearos.com/view.php?id=6791
After checking the cache.log I saw this:
2017/08/27 12:04:46| WARNING: Forwarding loop detected for:
GET / HTTP/1.0
User-Agent: avast! Antivirus
Host: 192.168.1.253:8080
Accept: */*
Via: 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23)
Cache-Control: max-age=259200
Connection: keep-alive
X-Forwarded-For: 192.168.1.253
Now I think this is Avast on some computers; is there any way to ignore this loop and fix this?
Thank you for your help -
This is a recursive lookup. You will see the event in your cache.log. It escalates quickly and can cause a disruption. Any chance you are running Avast?
https://tracker.clearos.com/view.php?id=6791 -
Nick Howitt wrote:
At a guess this is someone asking for something from your server. Do you bypass the proxy for LAN (or server) requests?
I don't have any device bypassing the proxy in my LAN.
Sorry for my late reply, but really I don't know why, when going to the Squid access report via Log Viewer, I see this:
1484398636.413 120077 192.168.1.253 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253
I have blocked all ports, except some ports for using the proxy and mail, via iptables by adding rules in the custom firewall,
and I still see the same line sometimes. I am sure some employees try to use a browser like Tor to open all sites and bypass the proxy, but I can't find this device.
Normally I see all device IPs to my LAN IP in ClearOS, like when going to the Squid access report via Log Viewer I see this:
1484398636.413 120077 192.168.1.100 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253
but sometimes I see this:
1484398636.413 120077 192.168.1.253 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253
and 192.168.1.253 is the LAN IP of eth1 in ClearOS.
Finally, I don't know what I can do with this; I am tired because I can't find out why this happens and can't find the device that makes this, after 6 months. -
Nick Howitt wrote:
I was assuming all your many DROP rules were TOR rules. Is that correct? I've done a quick check and they are not TOR points which I can get from Emerging Threats.. Do you know what they are? If they are not TOR rules then it is a huge list for something else.
With regards ipset, I was referring to this thread, although the first script needs to be reduced a bit to only handle TOR rules without the other Snort stuff.
I think all these DROP rules are for Tor, because I have blocked IP domains in the content filter and also pasted a lot of IPs into the banned IPs in the content filter, but my banned IPs in the content filter are not the same as in iptables!!
I think I must try your solution about Tor and make your script, but I will need your help to do this because there are some steps I don't know how to do from my post about Tor. -
Sarg by default formats the information solely from the proxy (squid) reports...
It can also generate reports from DansGuardian logs, SquidGuard logs and web proxy redirector logs such as the ones created by squidGuard or Rejik. Never used these options so cannot comment further. See https://sourceforge.net/projects/sarg/support?source=navbar for more help and support for sarg... -
Today I found this line again in the proxy access log:
1484485559.917 120023 192.168.1.253 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253 -
But now I know why the proxy access log shows this line:
because I found a computer in the LAN network using Tor Browser, and after running Tor, Tor tries to connect to the Tor network,
so when Tor tries to connect to the Tor network the proxy access log shows this line.
My question now:
how to make the report show this PC, and how to show the type of browser when a user starts browsing??
Also I want my users in the LAN to use only Firefox, Chrome and Internet Explorer; is this possible? Is there any solution so that when any user starts running a browser other than my allowed browsers, it shows in the report, like PC name, MAC and browser name, so I can know it and take action with this user based on the report?
Unfortunately this line does not show any info about the PC, MAC, user name or browser name, and I need it because based on this report I will take action with this user.
I don't know whether SARG can help me to show this or not, or any other report tool.
I hope you can help me make my report show everything in the LAN network.
Thank you very much -
I was assuming all your many DROP rules were TOR rules. Is that correct? I've done a quick check and they are not TOR points which I can get from Emerging Threats.. Do you know what they are? If they are not TOR rules then it is a huge list for something else.
With regards ipset, I was referring to this thread, although the first script needs to be reduced a bit to only handle TOR rules without the other Snort stuff. -
I run sarg on both ClearOS 6.8 and 7.2 Community Edition - I don't have any professional editions so cannot comment regarding that platform...
Instructions for Community Editions 6 and 7 on these forums and on my site at
http://www.sraellis.tk/master.php?topic=sarg_installv7 -
Nick Howitt wrote:
It sounds like you're getting there. For reports, search this site for Sarg.
In your INPUT chain you have a number of rules with destination IP's. These are meaningless when you've specified the external interface and can be removed. The destination will always be your WAN IP.
Does your firewall take an age to start with so many rules? You'll probably find using ipset (as in another of your threads) is way more efficient at loading and will give fewer delays for traffic passing through the firewall..
I have searched about the Sarg tool for proxy reports; is it safe and can it be installed on my ClearOS 6.8 Professional? I am now using the filter and proxy report from ClearOS; is this Sarg tool better?
I have port forwarding from the firewall to some computers in my LAN on port 3389 (Remote Desktop) and open mail ports.
Another rule in the INPUT chain is marked DROP and I don't know what it is, because it shows many IPs!!
About the last part of your words on ipset and the question, I don't understand it; can you please tell me more about what you mean?
Thank you for your help -
It sounds like you're getting there. For reports, search this site for Sarg.
In your INPUT chain you have a number of rules with destination IP's. These are meaningless when you've specified the external interface and can be removed. The destination will always be your WAN IP.
Does your firewall take an age to start with so many rules? You'll probably find using ipset (as in another of your threads) is way more efficient at loading and will give fewer delays for traffic passing through the firewall.. -
I have blocked all ports on eth1 by
iptables -I INPUT -i eth1 -j DROP
and added other open rules for any other ports.
I think now the INPUT LAN interface eth1 in ClearOS is safe, and I will monitor the Squid access log for 2 days to see whether it shows the same line or not, and get back to you.
If there is anything I can do, when I find it again in live traffic, to know the MAC address of the client computer to catch him, I will be very happy.
Thank you very much -
See the iptables, Mr. Nick.
Thank you very much, and I am waiting for your opinion and the command to block ports on eth1. -
Nick Howitt wrote:
Rather than attach the file, copy and paste the contents between code tags.
You do not want to block all incoming LAN traffic except proxy or you'll block DNS and DHCP as well as your mail and proxy. To block 80 and 443, try:
iptables -I INPUT -i eth1 -p tcp -m multiport --dports 80,443 -j DROP
If you know what you want to allow, do a drop all rule (irrespective of protocol) and then specific UDP and TCP allow rules.
How to block all ports on eth1 via the custom firewall? Can you tell me the command to put in? -
Rather than attach the file, copy and paste the contents between code tags.
You do not want to block all incoming LAN traffic except proxy or you'll block DNS and DHCP as well as your mail and proxy. To block 80 and 443, try:
iptables -I INPUT -i eth1 -p tcp -m multiport --dports 80,443 -j DROP
If you know what you want to allow, do a drop all rule (irrespective of protocol) and then specific UDP and TCP allow rules.
-
Nick Howitt wrote:
I don't understand how ClearOS can be standalone and a gateway at the same time. Please can you clarify your network set up?
If it is gateway, you should be able to block Egress on 80 and 443 which blocks the FORWARD chain - if ClearOS has not done this for you. I think you can also block incoming traffic on 80 and 443 on interface eth1 (-i eth1)
My ClearOS works as a gateway only; sorry for my mistake, I mean it is not synced or linked with the domain controller, it is only for the internet service in my network.
My Egress blocks all ports, of course HTTP and HTTPS and all ports except SMTP and POP3, which are the only ones accepted in Egress.
My users in the LAN use the IP 192.168.1.253 for browsing via the proxy on port 8080 and as the gateway to send and receive mails.
But I like the idea of blocking incoming traffic on 80 and 443 on eth1, or blocking all ports on eth1 except POP3 and SMTP so the LAN can send and receive mails.
Can you please tell me how to do that via the custom firewall?
I can't upload the txt extension here to upload the iptables results; I will upload it to some drive and paste the URL. -
Nick Howitt wrote:
I don't understand how ClearOS can be standalone and a gateway at the same time. Please can you clarify your network set up?
If it is gateway, you should be able to block Egress on 80 and 443 which blocks the FORWARD chain - if ClearOS has not done this for you. I think you can also block incoming traffic on 80 and 443 on interface eth1 (-i eth1)
My ClearOS works as a gateway only; sorry for my mistake, I mean it is not synced or linked with the domain controller, it is only for the internet service in my network.
My Egress blocks all ports, of course HTTP and HTTPS and all ports except SMTP and POP3, which are the only ones accepted in Egress.
My users in the LAN use the IP 192.168.1.253 for browsing and as the gateway to send and receive mails.
But I like the idea of blocking incoming traffic on 80 and 443 on eth1, or blocking all ports on eth1 except POP3 and SMTP so the LAN can send and receive mails.
Can you please tell me how to do that via the custom firewall?
I have attached the iptable.txt -
alahwany wrote:
I have run your command for iptables and it shows many lines in SSH, and I can't copy the result because I didn't see the start of the results and there are many.
Is there any way to see all the results from the start? Because I see the end part, and when I go up to the top it does not go to the start. Tell me how to see all the results to send them to you.
If you are using PuTTY, just scroll up or hold down the left mouse button and move the mouse to the top of the screen. Alternatively output the results to file ("iptables -nvL > iptables.txt") then view the file in WinSCP.
I don't understand how ClearOS can be standalone and a gateway at the same time. Please can you clarify your network set up?
If it is gateway, you should be able to block Egress on 80 and 443 which blocks the FORWARD chain - if ClearOS has not done this for you. I think you can also block incoming traffic on 80 and 443 on interface eth1 (-i eth1) -
Yes, my ClearOS works as a standalone in my LAN, and I have configured all computers to use ClearOS as gateway and proxy server in the internet browser.
I have blocked all ports in the Egress firewall except the mail ports POP3, SMTP and SMTPS, and only accept Webconfig from external and SSH from a specific IP from external and the LAN network.
I have run your command for iptables and it shows many lines in SSH, and I can't copy the result because I didn't see the start of the results and there are many.
Is there any way to see all the results from the start? Because I see the end part, and when I go up to the top it does not go to the start. Tell me how to see all the results to send them to you.
Anyway, the last part of the results is (the other lines above are DROP):
10772 7597K ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
616 101K ACCEPT all -- * eth2 0.0.0.0/0 0.0.0.0/0
35 1015 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
99 49284 ACCEPT tcp -- * eth0 PUBLIC-IP 0.0.0.0/0 tcp spt:81
7090 1148K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain DROP-lan (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Tell me what you think, or if you need more, tell me how to execute the command to see all the results from the start.
I have changed the results and hidden the public IP here. -
I'll start off by saying I don't really know the proxy and I don't use it.
Is ClearOS your gateway as well as proxy, with the domain controller as a standalone machine on your LAN?
As a configuration, you must have configured all PCs to use the proxy? I suspect the standard configuration may be to bypass the proxy for all devices on your LAN?
In your firewall you should be able to block just about everything in the Egress firewall if it is not done when you activate the proxy. What is the output of "iptables -nvL" (between code tags, please). -
Hello Nick,
My server uses these settings in the web proxy:
user authentication + non-transparent
domain controller IP (192.168.1.1) in the bypass list in the web proxy
domain controller IP (192.168.1.1) in the exception IPs in the content filter
192.168.1.253 is eth1 on my ClearOS
eth0 has the public IP on my ClearOS
These are my settings and everything works fine, but sometimes during work hours I see this, and I think someone from the employees is trying to open all sites,
because a month ago I found someone using Tor Browser and I blocked it by adding the Tor sites to the banned sites.
So I think the employee is trying a new way to open the sites again; I don't know how to catch him?
Can you help me make my ClearOS safe so that no one in the LAN can bypass the proxy?
I think someone in my LAN changed their computer IP to the proxy IP and is trying to open sites, or trying any way to open sites.
Is there any way to know which computer in the LAN makes this line in the report, or to show the MAC address for this line, like
the MAC address of the LAN computer to the MAC of eth1 on ClearOS?? To see the source and destination via MAC, see the computers and catch this person?
Thanks -
At a guess this is someone asking for something from your server. Do you bypass the proxy for LAN (or server) requests?