[RndTbl] web access abuse of lisa

Trevor Cordes trevor at tecnopolis.ca
Tue Apr 26 13:53:18 CDT 2016


I noticed something strange.  Lisa's web hits (as per access logs) were 
through the roof since around the site changeover date.  Weird.

I glanced at them and noticed we're getting tons of hits from just 1 user:
216.98.56.20 - - [24/Apr/2016:05:20:11 -0500] "GET /pub/epel/6/x86_64/repodata/repomd.xml HTTP/1.1" 301 332 "-" "urlgrabber/3.9.1 yum/3.2.29"
All the same!

Of 8434659 total current access.log hits, 8243763 (97.7%) were this same 
guy!  Many per second!  For a couple of weeks now (but not before that!).

An ip lookup says this is Ubisoft in Montreal.  Looks like someone has a 
misconfig on their box.

Should we contact them about fixing this?

I have added that IP to an iptables DROP rule on lisa.  I just did this 
now and they sent 49 more hits and then stopped.  Their runaway ps must 
have been looking for success before continuing.  I guess I'll leave it in 
for a while then we can take it out?

Looks like this IP has hit the new server but only a few times; i.e. 
normal looking access.

Perhaps when the switchover occurred and the redirects were put in place 
it made their client go mental... Maybe it never dropped its http 
connection this whole time!

Lastly, fail2ban-server is often in the top 5 ps's in top on lisa, but I 
don't see any fail2ban rule in iptables?  Does it only create a rule once 
it gets something to put in?  I thought it made a blank table that it 
filled up as needed, not no table at all.  Maybe it's not working?
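
The per-client tally described in the message above, as an added example that is not part of the original post: it parses combined-format access log lines and reports any client whose share of all hits crosses a threshold, along with its most repeated request, status code and hit rate. The function name, the 50% threshold and the two extra sample lines (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample: the line quoted in the post, repeated, plus two made-up
# entries from documentation address ranges standing in for normal traffic.
REPEAT = '216.98.56.20 - - [24/Apr/2016:05:20:11 -0500] "GET /pub/epel/6/x86_64/repodata/repomd.xml HTTP/1.1" 301 332 "-" "urlgrabber/3.9.1 yum/3.2.29"'
SAMPLE = [REPEAT] * 8 + [
    '192.0.2.10 - - [24/Apr/2016:05:20:12 -0500] "GET /pub/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2016:05:20:13 -0500] "GET /pub/epel/6/ HTTP/1.1" 200 2048 "-" "urlgrabber/3.9.1 yum/3.2.29"',
]

def dominant_clients(lines, share_threshold=0.5):
    """Report each client whose share of parsed hits is >= share_threshold (assumed default)."""
    per_ip = Counter()
    detail = {}  # ip -> (Counter of (request, status, agent), first ts, last ts)
    total = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        total += 1
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]] += 1
        reqs, first, last = detail.get(m["ip"], (Counter(), ts, ts))
        reqs[(m["req"], m["status"], m["agent"])] += 1
        detail[m["ip"]] = (reqs, min(first, ts), max(last, ts))
    report = []
    for ip, hits in per_ip.most_common():
        if hits / total < share_threshold:
            break  # most_common() is sorted, so nothing later can qualify
        reqs, first, last = detail[ip]
        (req, status, agent), top_hits = reqs.most_common(1)[0]
        seconds = max((last - first).total_seconds(), 1.0)  # avoid divide by zero
        report.append({
            "ip": ip, "hits": hits, "share": hits / total, "top_request": req,
            "top_status": status, "agent": agent,
            "top_request_share": top_hits / hits, "hits_per_second": hits / seconds,
        })
    return report

if __name__ == "__main__":
    print(dominant_clients(SAMPLE))
```

A client whose top request share is near 1.0 and whose top status is a redirect matches the pattern in the post: one automated client repeating the same request without following or succeeding on the 301.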

