spamassassin-sysadmins mailing list archives

From Matthias Leisi <matth...@dnswl.org>
Subject Re: sa-update ruleset updates enabled again
Date Tue, 21 Nov 2017 05:33:45 GMT
In addition to server-side blocking, would it make sense for sa-update to rate-limit itself?

— Matthias

Sent from my iPhone

> On 21.11.2017 at 03:53, Kevin A. McGrail <kevin.mcgrail@mcgrail.com> wrote:
> 
> On 11/20/2017 7:17 PM, Dave Jones wrote:
>> Could we use something like mod_evasive to limit any IP connecting more than 3 times
>> (one batch of ruleset files) an hour? SA instances behind NAT'd IPs could cause a legitimate
>> reason for more than 2x hits per day.
> I'd like to keep it simpler for now.  The abuse hasn't been too bad.
> 
> I've put them on notice on the users@ list and I'm going to look at adding more information
> such as a unique id to sa-update's call for wget/curl so we can identify NAT'ing.
> 
>> There may be some abusers in the future that we would want to permanently block with
>> a centralized .htaccess file that gets distributed with the normal rsync pulls by each mirror.
> Agreed.  Let's keep an eye on things.
> 
> So from the last 3.8mm GETs, the top 14 IPs:
> 
> (grep GET sa-update.pccc.com-access_log | awk -F" " '{ print $1 }' | sort | uniq -c | sort -n -r | head -n 14)
> 
>>>> Here are the top 10 IPs that seem to be running sa-update or a curl script
>>>> most frequently:
>>>> 
>>>> 41.76.211.56 (sa-update/svn917659/3.3.2 every 5 minutes)
>>>> 108.61.28.10 (sa-update/svn917659/3.3.2 every 15 minutes)
>>>> 202.191.60.145 (curl/7.19.7 every minute rotating mirrors)
>>>> 202.191.60.146 (curl/7.19.7 every minute rotating mirrors)
>>>> 108.163.197.66 (sa-update/svn917659/3.3.2 every 5 minutes)
>>>> 208.74.121.106 (NAT'd IP? curl/7.29.0 & curl/7.19.7)
>>>> 91.204.24.253 (NAT'd IP? various user agents)
>>>> 207.210.201.60
>>>> 78.110.96.3
>>>> 190.0.150.3
>>>> 
>>>> -- 
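A defender-side illustration of the per-hour limit Dave proposes and the NAT question Kevin raises, added here as example code rather than anything from the thread or from SpamAssassin's mirror tooling: it parses Apache combined-format access log lines, flags IPs whose GET count in any clock hour exceeds a threshold, and lists the User-Agents each IP presented (several agents behind one address hint at NAT rather than one misconfigured cron). The sample log lines, the request path and the addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return (ip, timestamp, method, user_agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req").split(" ", 1)[0], m.group("ua")

def find_abusers(lines, per_hour=3):
    """Map each IP whose GET count in some clock hour exceeds per_hour to its
    peak hourly count and the set of User-Agents it presented."""
    hourly = defaultdict(lambda: defaultdict(int))  # ip -> "YYYYmmddHH" -> GETs
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                 # skip malformed lines
        ip, ts, method, ua = rec
        if method != "GET":
            continue
        hourly[ip][ts.strftime("%Y%m%d%H")] += 1
        agents[ip].add(ua)
    return {
        ip: {"max_per_hour": max(b.values()), "agents": agents[ip]}
        for ip, b in hourly.items() if max(b.values()) > per_hour
    }

# Constructed sample lines (RFC 5737 documentation addresses, invented path);
# the first host polls every 5 minutes, like the hosts listed in the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Nov/2017:19:%02d:00 +0000] "GET /EXAMPLE-rules.tgz HTTP/1.1" '
    '200 512 "-" "sa-update/svn917659/3.3.2"' % m
    for m in range(0, 60, 5)
] + [
    '198.51.100.7 - - [20/Nov/2017:19:01:00 +0000] "GET /EXAMPLE-rules.tgz HTTP/1.1" 200 512 "-" "curl/7.29.0"',
    '198.51.100.7 - - [20/Nov/2017:19:02:00 +0000] "GET /EXAMPLE-rules.tgz HTTP/1.1" 200 512 "-" "curl/7.19.7"',
    '198.51.100.7 - - [20/Nov/2017:20:30:00 +0000] "GET /EXAMPLE-rules.tgz HTTP/1.1" 200 512 "-" "sa-update/svn917659/3.3.2"',
]
```

Calling `find_abusers(SAMPLE_LOG)` flags only the 5-minute poller (12 GETs in one hour); the second host stays under the 3/hour limit but shows three different agents, the pattern Kevin wants a unique id in sa-update's request to disambiguate.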