Re: [Sks-devel] Dealing with abusive clients
From: Paul M Furley
Subject: Re: [Sks-devel] Dealing with abusive clients
Date: Thu, 20 Jul 2017 17:33:01 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
On 20/07/17 15:54, Pete Stephenson wrote:
> Hi all,
>
> I've been receiving some queries that, while not stressing my server,
> appear to be abusive in nature...though perhaps accidentally so.
This is a good reminder for people writing scripts to always include a
user-agent with a contact email address in it!
>
> Here's a quick excerpt from the logs:
> 216.241.59.205 - - [20/Jul/2017:14:46:51 +0000] "GET / HTTP/1.1" 200
> 5285 "-" "-"
> 216.241.59.205 - - [20/Jul/2017:14:46:53 +0000] "GET / HTTP/1.1" 200
> 5285 "-" "-"
> 216.241.59.205 - - [20/Jul/2017:14:46:56 +0000] "GET / HTTP/1.1" 200
> 5285 "-" "-"
> 216.241.59.205 - - [20/Jul/2017:14:46:58 +0000] "GET / HTTP/1.1" 200
> 5285 "-" "-"
>
> This particular client is making continuous requests for the main page
> of my server every 2-3 seconds. They're not making any queries for keys,
> submitting keys, etc., but are only requesting the main page.
>
> This has been going on since at least the 15th of July.
>
> I haven't observed any other odd traffic, so it seems unlikely that a
> botnet is involved. Maybe a script that has gone awry?
There might be a clue in the host header if you could log that? I use
this nginx config to do that (and not log the client IP)
```nginx
log_format anonymized '[ip_not_logged] - $http_host [$time_local] '
                      '"$request" $status $bytes_sent '
                      '"$http_referer" "$http_user_agent" "$gzip_ratio"';
```
> Although slightly annoying, it doesn't consume much resources. Any
> suggestions on how to deal with this client? For example, should I
> continue to serve them normally, firewall their IP address, etc.?
Hopefully you'll learn something about the intent behind this - maybe
it's an over-zealous keyserver monitoring bot?
I'd be inclined to do that before doing any firewalling or whatever.
> Any suggestions on how to deal with more serious abuse in the future?
I'm a big fan of fail2ban if there's a particular log pattern you'd like
to pick up on and temporarily firewall.
On a sillier, more evil note, if you're really sure something's
malicious (for example posting credentials to non-existent phpmyadmin
login pages) you could be a real bastard and have some fun... For the
non-existent Wordpress login page on one website I run, I serve a
ZIP-bomb - a small file which expands to a very large file - which
typically crashes the script / bot that accessed the URL.
I don't really recommend that but I find it quite fun to think of the
script kiddies scratching their heads wondering why their l33t hacker
tool isn't working.
Finally: I personally think it's a nice move not to log client IP
addresses. I got scared looking through my access log in the past about
how much those pks queries reveal about our users.
Paul
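As an added example (not code from this thread or from SKS), the script below does the log triage the two messages above describe: it parses access-log lines in the combined format of Pete's excerpt, groups them per client and flags any client that polls a single URL at a steady cadence with an empty User-Agent and never touches /pks/, which is exactly the signature of the stray script discussed. The log lines are constructed for the example (documentation-range IPs, invented User-Agent strings) and the thresholds are assumptions a server operator would tune; the flagged result is what you would then feed to fail2ban or review by hand before blocking anything.

```python
"""Flag clients that poll one URL at a fixed cadence with no User-Agent.

Added example for the sks-devel thread above; not part of SKS or the
original messages.  Sample log lines are constructed (RFC 5737 addresses,
made-up User-Agents) and the detection thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# nginx/Apache "combined" format, as in the quoted excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one client hammering "/" every 2-3 s with no UA,
# one ordinary client doing key lookups with an identifiable UA.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Jul/2017:14:46:51 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
198.51.100.7 - - [20/Jul/2017:14:46:53 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
198.51.100.7 - - [20/Jul/2017:14:46:56 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
198.51.100.7 - - [20/Jul/2017:14:46:58 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
198.51.100.7 - - [20/Jul/2017:14:47:01 +0000] "GET / HTTP/1.1" 200 5285 "-" "-"
203.0.113.9 - - [20/Jul/2017:14:46:52 +0000] "GET /pks/lookup?op=get&search=0xDEADBEEF HTTP/1.1" 200 3110 "-" "monitor-bot/1.0 (+mailto:ops@example.org)"
203.0.113.9 - - [20/Jul/2017:14:47:40 +0000] "GET / HTTP/1.1" 200 5285 "-" "monitor-bot/1.0 (+mailto:ops@example.org)"
203.0.113.9 - - [20/Jul/2017:14:52:03 +0000] "GET /pks/lookup?op=index&search=alice HTTP/1.1" 200 2201 "-" "monitor-bot/1.0 (+mailto:ops@example.org)"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["ua"] = "" if rec["ua"] == "-" else rec["ua"]   # "-" means no UA sent
    return rec


def find_polling_clients(lines, min_hits=4, max_mean_gap=30.0,
                         max_cv=0.5, min_single_path_share=0.9):
    """Return {ip: stats} for clients matching the stray-script pattern.

    A client is flagged when it (a) sent at least min_hits requests,
    (b) almost always asked for the same path, (c) did so at a steady
    cadence (coefficient of variation of inter-request gaps <= max_cv,
    mean gap <= max_mean_gap seconds) and (d) never sent a User-Agent.
    Thresholds are assumed defaults, not values from the thread.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        paths = [r["path"] for r in recs]
        top_path = max(set(paths), key=paths.count)
        share = paths.count(top_path) / len(paths)
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg <= 0:          # all hits in the same second: cadence undefined, skip
            continue
        cv = pstdev(gaps) / avg
        no_ua = all(r["ua"] == "" for r in recs)
        key_requests = sum(r["path"].startswith("/pks/") for r in recs)
        if share >= min_single_path_share and avg <= max_mean_gap and cv <= max_cv and no_ua:
            flagged[ip] = {
                "hits": len(recs),
                "path": top_path,
                "mean_gap": avg,
                "gap_cv": cv,
                "key_requests": key_requests,
                "first": recs[0]["ts"].isoformat(),
                "last": recs[-1]["ts"].isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_polling_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {stats['hits']} hits on {stats['path']}, "
              f"every {stats['mean_gap']:.1f}s, {stats['key_requests']} /pks/ requests, "
              f"{stats['first']} .. {stats['last']}")
```

Run against a real access log with `find_polling_clients(open("access.log"))`; the key_requests count is the quickest sanity check, since a client that has never asked for a key is unlikely to be a legitimate keyserver user, while a monitoring bot that identifies itself (as the second constructed client does, with a contact address in its User-Agent) is never flagged no matter how often it polls.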