[SAC] Re-enable LDAP user creation

Sandro Santilli strk at keybit.net
Mon May 9 06:21:18 PDT 2016


I've enabled fail2ban banning for one hour IPs from which 2 users
are created over a 2 minute period, and re-enabled user creation.
The /etc/fail2ban directory on "web" machine was put under a local
git repository, with "master" branch being the default configuration
from debian and "web" branch being the configuration for "web"
machine, so to eventually hold the configuration of all machines
within the same git repository (one branch for host).

Let's see what happens. Please keep an eye on user creation and
spam (remember there are a lot of fake users already, so it doesn't
really take a new registration to start spamming).

--strk;

On Mon, May 09, 2016 at 03:05:55PM +0200, Sandro Santilli wrote:
> On Sun, May 08, 2016 at 01:20:39PM -0700, Alex Mandel wrote:
> > 
> > I had forgotten, we can re-enable as soon as a fail2ban rule is in place
> > to prevent rapid registration from the same ip.
> 
> What represents "rapid"?
> I went through Apache log analysis to sense the current pattern.
> Logs contain POSTs to the user creation script from Jan 17 to May 05.
> The top 10 busy days, ordered by requests:
> 
>   245 30/Apr
>   122 27/Apr
>   118 03/May
>   115 02/May
>   63 01/May
>   43 14/Mar
>   38 26/Apr
>   36 18/Apr
>   34 23/Feb
>   34 06/Apr
> 
> The average for January, February and the initial portion of April was
> around 20 new users, so it looks like on April 27th the storm
> started with a x6 increment in the number of registered users
> and it reached a x12 increment on April 30th.
> 
> That day (April 30th) the 245 requests came from a total of 36 IP
> addresses. The top 10 hitters among these IPs:
> 
>   93 103.233.118.38
>   32 108.61.224.153
>   26 180.151.246.4
>   16 182.68.169.25
>   11 104.156.228.177
>   11 103.38.177.2
>   4 151.236.19.24
>   4 107.152.98.151
>   4 106.78.50.229
>   3 98.234.5.157
> 
> The 93 hits from 103.233.118.38 all occurred between 14:49 and 15:49,
> so within a single hour. 
> 
> The fail2ban solution will only ban the IP _after_ checking the log
> file, so if we use a 1 hour window there could be ~100 new users
> before the IP is banned. Maybe we could check every 5 minutes and ban
> IPs from which more than 1 user was created. Do you think that's too
> conservative?
> 
> --strk;
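The log analysis and the banning policy discussed in this thread, as an added example that is not part of this message or of the SAC infrastructure: the script parses Apache combined-format access log lines, counts POSTs to the registration script per day and per IP (the same tallies quoted above), and replays a fail2ban-style policy (maxretry=2 registrations within findtime=120 seconds, bantime=3600 seconds) to show which IPs would be banned and how many later registrations would have hit the ban. The log lines, the addresses and the script path /create_user.php are constructed placeholders, not values from the list.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format. The path
# /create_user.php and the IP addresses are placeholders (assumptions).
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2016:14:49:02 +0000] "POST /create_user.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Apr/2016:14:49:40 +0000] "POST /create_user.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Apr/2016:14:50:15 +0000] "POST /create_user.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Apr/2016:14:55:00 +0000] "GET /create_user.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Apr/2016:14:56:10 +0000] "POST /create_user.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Apr/2016:16:30:00 +0000] "POST /create_user.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [01/May/2016:09:00:00 +0000] "POST /create_user.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, bracketed timestamp, then method and path from the request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)


def parse_registrations(lines, script="/create_user.php"):
    """Return (ip, timestamp) for every POST to the registration script,
    sorted by time. Lines that do not parse are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != script:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts))
    events.sort(key=lambda e: e[1])
    return events


def registrations_per_day(events):
    """Registrations per day, keyed like the listing in the thread (30/Apr)."""
    return Counter(ts.strftime("%d/%b") for _, ts in events)


def registrations_per_ip(events, day):
    """Registrations per source IP for one day (DD/Mon)."""
    return Counter(ip for ip, ts in events if ts.strftime("%d/%b") == day)


def simulate_bans(events, maxretry=2, findtime=120, bantime=3600):
    """Replay a fail2ban-style policy over historical events: ban an IP for
    `bantime` seconds once `maxretry` registrations from it fall inside a
    `findtime`-second window. Returns (bans, blocked): bans as a list of
    (ip, ban_start) and the number of registrations that fell inside an
    active ban (i.e. would have been stopped at the firewall)."""
    window = {}      # ip -> deque of recent registration times
    ban_until = {}   # ip -> datetime at which the ban lapses
    bans, blocked = [], 0
    for ip, ts in events:
        if ip in ban_until and ts < ban_until[ip]:
            blocked += 1
            continue
        recent = window.setdefault(ip, deque())
        while recent and (ts - recent[0]) > timedelta(seconds=findtime):
            recent.popleft()      # forget hits older than the window
        recent.append(ts)
        if len(recent) >= maxretry:
            ban_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
            recent.clear()        # fail2ban starts counting afresh after a ban
    return bans, blocked


if __name__ == "__main__":
    ev = parse_registrations(SAMPLE_LOG.splitlines())
    print("per day:", registrations_per_day(ev).most_common())
    print("per IP on 30/Apr:", registrations_per_ip(ev, "30/Apr").most_common())
    bans, blocked = simulate_bans(ev)
    for ip, start in bans:
        print(f"ban {ip} from {start:%d/%b %H:%M:%S} for {3600 // 60} minutes")
    print("registrations that would have hit the ban:", blocked)
```

The replay bans as soon as the triggering line is seen; the real fail2ban reads the log periodically, so the ban lags by up to one polling interval and a few extra registrations slip through, which is the concern raised in the quoted message. Lengthening findtime catches slower sources (the second IP in the sample is only banned with a window above 90 minutes) at the cost of more registrations before the first ban on a fast one.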

