[SAC] Re-enable LDAP user creation
Sandro Santilli
strk at keybit.net
Mon May 9 06:05:55 PDT 2016
On Sun, May 08, 2016 at 01:20:39PM -0700, Alex Mandel wrote:
>
> I had forgotten, we can re-enable as soon as a fail2ban rule is in place
> to prevent rapid registration from the same ip.
What represents "rapid"?
I went through Apache log analysis to sense the current pattern.
Logs contain POSTs to the user creation script from Jan 17 to May 05.
The top 10 busy days, ordered by requests:
245 30/Apr
122 27/Apr
118 03/May
115 02/May
63 01/May
43 14/Mar
38 26/Apr
36 18/Apr
34 23/Feb
34 06/Apr
The average for January, February and the initial portion of April was
around 20 new users, so it looks like on April 27th the storm
started with a x6 increment on the number of registered users
and it reached a x12 increment on April 30th.
That day (April 30th) the 245 requests came from a total of 36 IP
addresses. The top 10 hitters of these IPs:
93 103.233.118.38
32 108.61.224.153
26 180.151.246.4
16 182.68.169.25
11 104.156.228.177
11 103.38.177.2
4 151.236.19.24
4 107.152.98.151
4 106.78.50.229
3 98.234.5.157
The 93 hits from 103.233.118.38 all occurred between 14:49 and 15:49,
so within a single hour.
The fail2ban solution will only ban the IP _after_ checking the log
file, so if we use a 1 hour window there could be ~100 new users
before the IP is banned. Maybe we could check every 5 minutes and ban
IPs from which more than 1 user was created. Do you think that's too
conservative?
--strk;
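
The trade-off raised in the message above (how many registrations get through before a log-based ban lands) can be measured by replaying a log against a candidate threshold. This is an added example, not part of the original post and not fail2ban's own logic: it models the periodic check the message describes, and `REGISTER_PATH`, the function names and the sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REGISTER_PATH = "/register-placeholder"  # hypothetical; the thread does not name the script
POST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+) ')

def parse(lines):
    """Yield (time, ip) for every POST to REGISTER_PATH in Apache access-log lines."""
    for line in lines:
        m = POST_RE.match(line)
        if m and m.group(3).split("?")[0] == REGISTER_PATH:
            yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1)

def simulate(events, window, limit, check_every):
    """Registrations accepted per IP when a periodic check bans any IP with
    more than `limit` registrations inside the trailing `window`."""
    accepted, banned, next_check = defaultdict(list), set(), None
    for ts, ip in sorted(events):
        if next_check is None:
            next_check = ts + check_every  # first check one interval after the first hit
        while next_check <= ts:  # run every check that was due before this request
            for seen, times in accepted.items():
                if sum(next_check - window < t <= next_check for t in times) > limit:
                    banned.add(seen)
            next_check += check_every
        if ip not in banned:  # a ban only stops requests that arrive after the check
            accepted[ip].append(ts)
    return {ip: len(times) for ip, times in accepted.items()}

def sample_log():
    """Constructed log: one address registering 93 times in an hour, one registering once."""
    start = datetime(2016, 4, 30, 14, 49, tzinfo=timezone.utc)
    row = '{} - - [{:%d/%b/%Y:%H:%M:%S %z}] "{} {} HTTP/1.1" 200 512'
    lines = [row.format("192.0.2.10", start + timedelta(seconds=38 * i), "POST", REGISTER_PATH)
             for i in range(93)]
    lines.append(row.format("198.51.100.7", start + timedelta(minutes=11), "POST", REGISTER_PATH))
    lines.append(row.format("203.0.113.5", start, "GET", "/"))  # ignored: not a registration
    return lines

if __name__ == "__main__":
    events = list(parse(sample_log()))
    for minutes in (60, 5):
        step = timedelta(minutes=minutes)
        print(f"{minutes:>2} min window/check:", simulate(events, step, 1, step))
```

On the constructed burst, the one-hour check lets all 93 registrations through, while the five-minute check with a limit of 1 stops the same address after 8 and leaves the single-registration address untouched.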