[RndTbl] web access abuse of lisa
trevor at tecnopolis.ca
Tue Apr 26 13:53:18 CDT 2016
I noticed something strange. Lisa's web hits (as per access logs) were
through the roof since around the site changeover date. Weird.
I glanced at them and noticed we're getting tons of hits from just 1 user:
188.8.131.52 - - [24/Apr/2016:05:20:11 -0500] "GET /pub/epel/6/x86_64/repodata/repomd.xml HTTP/1.1" 301 332 "-" "urlgrabber/3.9.1 yum/3.2.29"
All the same!
Of 8434659 total current access.log hits, 8243763 (97.7%) were this same
guy! Many per second! For a couple of weeks now (but not before that!).
An IP lookup says this is Ubisoft in Montreal. Looks like someone has a
misconfig on their box.
Should we contact them about fixing this?
I have added that IP to an iptables DROP rule on lisa. I just did this
now and they sent 49 more hits and then stopped. Their runaway ps must
have been looking for success before continuing. I guess I'll leave it in
for a while then we can take it out?
Looks like this IP has hit the new server but only a few times; i.e.
normal looking access.
Perhaps when the switchover occurred and the redirects were put in place
it made their client go mental... Maybe it never dropped its http
connection this whole time!
Lastly, fail2ban-server is often in the top 5 ps's in top on lisa, but I
don't see any fail2ban rule in iptables? Does it only create a rule once
it gets something to put in? I thought it made a blank table that it
filled up as needed, not no table at all. Maybe it's not working?
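The "97.7% of hits from one client" finding above was made by eyeballing the log. The script below is an added example (not code from the post or from lisa's own setup) that does the same check repeatably: it parses combined-format access log lines like the one quoted, counts hits per client IP, and flags any client that owns more than a configurable share of traffic, together with the single request/status pair that client keeps repeating (a redirect loop shows up as one URL with status 301 at nearly 100% of the client's hits). The sample log lines, the 192.0.2.0/24 addresses and the threshold parameters `min_share` and `min_hits` are constructed for the example.

```python
"""Summarise an access.log by client and flag clients that dominate traffic.

Added example for the situation in the post (one client hammering a redirected
repodata URL). Not code from the post or from lisa's configuration.
"""
import re
from collections import Counter

# Apache/nginx "combined" log format, the same layout as the line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log. Addresses are from the 192.0.2.0/24 documentation
# range, not real clients. 192.0.2.10 repeats one redirected request eight
# times; the other clients look like normal browsing, plus one unparseable line.
SAMPLE_LOG = "\n".join(
    ['192.0.2.10 - - [24/Apr/2016:05:20:11 -0500] '
     '"GET /pub/epel/6/x86_64/repodata/repomd.xml HTTP/1.1" 301 332 "-" '
     '"urlgrabber/3.9.1 yum/3.2.29"'] * 8
    + [
        '192.0.2.20 - - [24/Apr/2016:05:20:12 -0500] '
        '"GET /pub/epel/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
        '192.0.2.30 - - [24/Apr/2016:05:20:13 -0500] '
        '"GET /pub/centos/7/os/x86_64/repodata/repomd.xml HTTP/1.1" 200 2981 "-" '
        '"urlgrabber/3.10 yum/3.4.3"',
        '192.0.2.20 - - [24/Apr/2016:05:20:14 -0500] '
        '"GET /pub/epel/6/ HTTP/1.1" 301 332 "-" "Mozilla/5.0"',
        'this line is not in combined format and is skipped',
    ]
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarise(text):
    """Count parsed hits in total, per client IP, and per (IP, request, status)."""
    per_ip = Counter()
    per_ip_req = Counter()
    total = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # garbage lines are ignored rather than aborting the run
        total += 1
        per_ip[rec["ip"]] += 1
        per_ip_req[(rec["ip"], rec["req"], rec["status"])] += 1
    return total, per_ip, per_ip_req


def flag_runaway_clients(text, min_share=0.5, min_hits=5):
    """Return clients with at least min_hits hits AND at least min_share of all
    parsed hits, most active first. Each entry also carries the request/status
    pair the client repeats most and that pair's share of the client's hits, so a
    redirect loop (one URL, status 301, repeat_share near 1.0) is visible at once.
    min_share and min_hits are assumed thresholds; tune them to the site's traffic.
    """
    total, per_ip, per_ip_req = summarise(text)
    flagged = []
    for ip, n in per_ip.most_common():
        share = n / total if total else 0.0
        if n < min_hits or share < min_share:
            break  # most_common() is sorted descending, so nothing below qualifies
        (req, status), k = max(
            ((key[1:], c) for key, c in per_ip_req.items() if key[0] == ip),
            key=lambda kv: kv[1],
        )
        flagged.append({
            "ip": ip,
            "hits": n,
            "share": round(share, 3),
            "top_request": req,
            "top_status": status,
            "repeat_share": round(k / n, 3),
        })
    return flagged


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; point this at a real
    # access.log by reading the file into `text` instead.
    for entry in flag_runaway_clients(SAMPLE_LOG):
        print(f"{entry['ip']}: {entry['hits']} hits ({entry['share']:.1%} of traffic), "
              f"top request {entry['top_request']!r} -> {entry['top_status']} "
              f"({entry['repeat_share']:.0%} of this client's hits)")
```

Running it on the sample prints one line for 192.0.2.10 with 8 of 11 parsed hits (72.7%) and a 100% repeat of the single 301 request. The same output on a real log is a good reason to add a rate-limit or a temporary DROP rule for that client, and `top_request` tells you which redirect the stuck client is chasing.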