Chris Vogel @me@chrichri.ween.de

not yet

intent

no sarcasm, no irony

hashtag

#packetfence, #yunohost, #flohmarkt, #librem5, #ShotOnLibrem5, #microblogpub, #Lite3DP, #deskhop, #espressi

matrix

@chrichri:ween.de

Chris Vogel
@me@chrichri.ween.de

If you can read this you're not affected by the following 🙃 …

This #microblogpub had some load recently and I looked into it. I looked through the logs and counted the connections from each IP. These are the IPs with the highest volume:

        89 192.168.2.20
       385 202.61.242.89
       417 65.21.187.247
       433 141.95.205.35
    275698 34.229.130.24
    287955 44.206.236.255
    297312 54.164.161.50
    304990 3.238.157.198

The last four look suspicious. I looked at the kind of request that added up to those comparatively high numbers:

        13 /.well-known/host-meta
        13 /.well-known/webfinger?resource=acct:chrichri@chrichri.ween.de
     22453 /o/350ab61e097f4c89bbe53836f0f5d1f6
     24681 /followers
     24684 /following
     24684 /outbox
    313796 /o/72327fd24abe48bb82564144dcee1ba6
    313803 /featured
    336225 /.well-known/webfinger?resource=acct:me@chrichri.ween.de
    336243 /

All quite common, but one of the highest counts gets one note. All of these accesses came from only four IPs within less than a day.

The article that seems to be so interesting is about @midzer@chaos.social's work for flohmarkt and the fact that he can be sponsored via #github.

The four IPs are all at Amazon:

    24.130.229.34.in-addr.arpa domain name pointer ec2-34-229-130-24.compute-1.amazonaws.com.
    255.236.206.44.in-addr.arpa domain name pointer ec2-44-206-236-255.compute-1.amazonaws.com.
    50.161.164.54.in-addr.arpa domain name pointer ec2-54-164-161-50.compute-1.amazonaws.com.
    198.157.238.3.in-addr.arpa domain name pointer ec2-3-238-157-198.compute-1.amazonaws.com.

I blocked the four IPs to get the load back down to a value below 1.

If you can't read this or you'd have a clue why those IPs constantly access those few URLs - please let me know! 😉

  • 11 months ago
  • 1 reply
Chris Vogel
@me@chrichri.ween.de

in reply to this object

I looked at this again and found that the two notes requested very often from my #microblogpub are those that I 'pinned' that can be found at /featured.

The rest are paths pointing to information about this site. Maybe it has been some kind of #fedibot?

Here's a #fail2ban config that helped me block the IPs:

    # cat /etc/fail2ban/filter.d/manual.conf
    [Definition]

    # cat /etc/fail2ban/jail.d/manual.conf
    [manual]
    enabled = true
    bantime = 14d

This seems to lead to a jail which isn't connected to a logfile and for which manually added IPs stay blocked for 14 days.

To block IPs I used fail2ban-client -vvv set manual banip $IP which leads to

    # fail2ban-client status manual basic
    Status for the jail: manual
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed: 0
    |  `- File list:
    `- Actions
       |- Currently banned: 4
       |- Total banned: 4
       `- Banned IP list: 34.229.130.24 44.206.236.255 54.164.161.50 3.238.157.198

fail2ban is integrated into my #yunohost and even though it doesn't come with the greatest documentation I'm starting to love it.

  • 11 months ago
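
The per-IP and per-path counting described in the two notes above, with a dry-run hand-off to the `manual` jail, as an added example that is not part of the original posts. It assumes a combined-format access log (client IP in field 1, request path in field 7); the function names, the threshold and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the author's script. Assumes combined log format:
# field 1 = client IP, field 7 = request path.

# Requests per client IP, highest first: "<count> <ip>"
requests_per_ip() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" |
        sort -k1,1nr -k2,2
}

# Requests per path for one client IP, highest first: "<count> <path>"
paths_for_ip() {
    awk -v ip="$2" '$1 == ip { n[$7]++ } END { for (p in n) print n[p], p }' "$1" |
        sort -k1,1nr -k2,2
}

# IPs whose request count is at or above a threshold, one per line
heavy_hitters() {
    requests_per_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Dry run: print the ban commands for review instead of executing them
ban_commands() {
    heavy_hitters "$1" "$2" | while read -r ip; do
        echo "fail2ban-client set manual banip $ip"
    done
}

# Constructed sample log (documentation address ranges, not real traffic)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
{
    i=0
    while [ "$i" -lt 40 ]; do
        echo '198.51.100.7 - - [01/Jan/2024:00:00:00 +0000] "GET /featured HTTP/1.1" 200 512 "-" "-"'
        echo '198.51.100.7 - - [01/Jan/2024:00:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "-"'
        i=$((i + 1))
    done
    echo '203.0.113.9 - - [01/Jan/2024:00:00:01 +0000] "GET /outbox HTTP/1.1" 200 512 "-" "-"'
    echo '203.0.113.9 - - [01/Jan/2024:00:00:02 +0000] "GET /followers HTTP/1.1" 200 512 "-" "-"'
} > "$SAMPLE_LOG"

requests_per_ip "$SAMPLE_LOG"              # volume per client
paths_for_ip "$SAMPLE_LOG" 198.51.100.7    # what the busiest client asks for
ban_commands "$SAMPLE_LOG" 50              # commands to review before running
```

Reviewing the printed commands before running them keeps a low threshold from banning ordinary federation peers or a local address such as a reverse proxy.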
Powered by microblog.pub 2.0.0+ynh2 and the ActivityPub protocol. Admin.