[SAC] Re-enable LDAP user creation

Sandro Santilli strk at keybit.net
Mon May 9 06:32:54 PDT 2016


Frank: I noticed that failing to solve the captcha still results
in a 200 HTTP response (at least so it looks from the Apache logs),
can it be? Also the error is not very user friendly (it's a
stacktrace from the script), can it be improved?

We found the cgi-bin directory to be managed in an SVN repository
but only users in the LDAP "admin" group have access and it looks
neither I nor Alex are in that group. Would it be worth converting
that SVN repository to a Git one for easier access?

--strk;

On Mon, May 09, 2016 at 03:21:18PM +0200, Sandro Santilli wrote:
> I've enabled fail2ban banning for one hour IPs from which 2 users
> are created over a 2 minutes period, and re-enabled users creation.
> The /etc/fail2ban directory on "web" machine was put under a local
> git repository, with "master" branch being the default configuration
> from debian and "web" branch being the configuration for "web"
> machine, so to eventually hold the configuration of all machines
> within the same git repository (one branch for host).
> 
> Let's see what happens. Please keep an eye on users creation and
> spam (remember there are a lot of fake users already, so it doesn't
> really take a new registration to start spamming).
> 
> --strk;
> 
> On Mon, May 09, 2016 at 03:05:55PM +0200, Sandro Santilli wrote:
> > On Sun, May 08, 2016 at 01:20:39PM -0700, Alex Mandel wrote:
> > > 
> > > I had forgotten, we can re-enable as soon as a fail2ban rule is in place
> > > to prevent rapid registration from the same ip.
> > 
> > What represents "rapid" ?
> > I went through Apache log analysis to sense the current pattern.
> > Logs contain POSTs to the user creation script from Jan 17 to May 05.
> > The top 10 busy days, ordered by requests:
> > 
> >   245 30/Apr
> >   122 27/Apr
> >   118 03/May
> >   115 02/May
> >   63 01/May
> >   43 14/Mar
> >   38 26/Apr
> >   36 18/Apr
> >   34 23/Feb
> >   34 06/Apr
> > 
> > The average for January, February and the initial portion of April was
> > around 20 new users, so it looks like on April 27th the storm
> > started with a x6 increase in the number of registered users
> > and it reached a x12 increase on April 30th.
> > 
> > That day (April 30th) the 245 requests came from a total of 36 IP
> > addresses. The top 10 hitters of these IPs:
> > 
> >   93 103.233.118.38
> >   32 108.61.224.153
> >   26 180.151.246.4
> >   16 182.68.169.25
> >   11 104.156.228.177
> >   11 103.38.177.2
> >   4 151.236.19.24
> >   4 107.152.98.151
> >   4 106.78.50.229
> >   3 98.234.5.157
> > 
> > The 93 hits from 103.233.118.38 all occurred between 14:49 and 15:49,
> > so within a single hour.
> > 
> > The fail2ban solution will only ban the IP _after_ checking the log
> > file, so if we use a 1 hour window there could be ~100 new users
> > before the IP is banned. Maybe we could check every 5 minutes and ban
> > IPs from which more than 1 user was created. Do you think that's too
> > conservative ?
> > 
> > --strk;

