[SAC] Re-enable LDAP user creation

Alex Mandel tech_dev at wildintellect.com
Mon May 9 07:34:14 PDT 2016


I was thinking of something that might be rather impossible for humans
sitting in the same room over a shared IP or same computer.
Like more than 2-3 in 30 seconds (it should take people that long to fill
out the form and click the box)

My chart of actual user creation matches your analysis of the logs.

Go ahead and re-enable the registration, and we'll just have to keep an
eye on it, and possibly adjust the rules. How long does the ban last?

Thanks,
Alex

On 05/09/2016 06:21 AM, Sandro Santilli wrote:
> I've enabled fail2ban banning for one hour IPs from which 2 users
> are created over a 2 minutes period, and re-enabled users creation.
> The /etc/fail2ban directory on "web" machine was put under a local
> git repository, with "master" branch being the default configuration
> from debian and "web" branch being the configuration for "web"
> machine, so to eventually hold the configuration of all machines
> within the same git repository (one branch for host).
> 
> Let's see what happens. Please keep an eye on users creation and
> spam (remember there are a lot of fake users already, so it doesn't
> really take a new registration to start spamming).
> 
> --strk;
> 
> On Mon, May 09, 2016 at 03:05:55PM +0200, Sandro Santilli wrote:
>> On Sun, May 08, 2016 at 01:20:39PM -0700, Alex Mandel wrote:
>>>
>>> I had forgotten, we can re-enable as soon as a fail2ban rule is in place
>>> to prevent rapid registration from the same ip.
>>
>> What represents "rapid"?
>> I went through apache logs analysis to sense the current pattern.
>> Logs contain POSTs to the user creation script from Jan 17 to May 05.
>> The top 10 busy days, ordered by requests:
>>
>>   245 30/Apr
>>   122 27/Apr
>>   118 03/May
>>   115 02/May
>>   63 01/May
>>   43 14/Mar
>>   38 26/Apr
>>   36 18/Apr
>>   34 23/Feb
>>   34 06/Apr
>>
>> The average for January, February and initial portion of April was
>> around 20 new users, so it looks like in April 27th the storm
>> started with a x6 increment on the number of registered users
>> and it reached a x12 increment on April 30th.
>>
>> That day (April 30th) the 245 requests came from a total of 36 IP
>> addresses. The top 10 hitters of these IPs:
>>
>>   93 103.233.118.38
>>   32 108.61.224.153
>>   26 180.151.246.4
>>   16 182.68.169.25
>>   11 104.156.228.177
>>   11 103.38.177.2
>>   4 151.236.19.24
>>   4 107.152.98.151
>>   4 106.78.50.229
>>   3 98.234.5.157
>>
>> The 93 hits from 103.233.118.38 all occurred between 14:49 and 15:49,
>> so within a single hour. 
>>
>> The fail2ban solution will only ban the IP _after_ checking the log
>> file, so if we use a 1 hour window there could be ~100 new users
>> before the IP is banned. Maybe we could check every 5 minutes and ban
>> IPs from which more than 1 user was created. Do you think that's too
>> conservative?
>>
>> --strk;
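The rule the thread settles on (ban for an hour any IP that creates 2 users within a 2-minute window) and the point Sandro raises about the ban landing only after the log is scanned can both be modelled on a few sample log lines. The script below is an added example, not code from the thread or from the OSGeo SAC fail2ban setup: it parses Apache combined-format lines, applies a fail2ban-style sliding window (maxretry hits within findtime), and counts how many registrations a bursting IP gets through before a ban applied at the next scan tick takes effect. The log lines, the `/register` path, and the documentation-range IPs are constructed for the example.

```python
"""Sliding-window burst detection modelled on the fail2ban rule from the thread."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format. IPs are RFC 5737
# documentation addresses; the /register path is an assumption for the example.
LOG_LINES = [
    '198.51.100.7 - - [09/May/2016:14:49:01 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/May/2016:14:49:10 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [09/May/2016:14:49:30 +0000] "GET /register HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/May/2016:14:49:40 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/May/2016:14:50:15 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/May/2016:14:51:02 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [09/May/2016:14:52:00 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/May/2016:14:55:30 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/May/2016:15:10:00 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# ip, ident, user, [timestamp], "METHOD path protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def registration_events(lines, path="/register"):
    """Return (ip, timestamp) for every POST to the user creation script, oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path:
            continue  # skip form fetches (GET) and unrelated requests
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts))
    return sorted(events, key=lambda e: e[1])


def find_offenders(events, maxretry=2, findtime_s=120):
    """fail2ban-style rule: an IP trips when it reaches maxretry hits inside any
    findtime window. Defaults match the thread (2 registrations in 2 minutes).
    Returns {ip: timestamp of the request that tripped the rule}."""
    findtime = timedelta(seconds=findtime_s)
    window = defaultdict(deque)
    tripped = {}
    for ip, ts in events:
        q = window[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= maxretry and ip not in tripped:
            tripped[ip] = ts
    return tripped


def registrations_before_ban(events, ip, trigger, scan_interval_s, scan_start=None):
    """Registrations `ip` completes before a ban that is only applied when the
    log is scanned every scan_interval_s seconds: the ban lands at the first
    scan tick at or after the triggering request, not at the request itself."""
    if scan_start is None:  # assumption: scans began at the top of the first logged hour
        scan_start = events[0][1].replace(minute=0, second=0, microsecond=0)
    step = timedelta(seconds=scan_interval_s)
    ticks = max(0, -(-(trigger - scan_start) // step))  # ceiling division on timedeltas
    effective = scan_start + ticks * step
    return sum(1 for e_ip, ts in events if e_ip == ip and ts <= effective)


if __name__ == "__main__":
    events = registration_events(LOG_LINES)
    for ip, when in find_offenders(events).items():
        print(f"{ip} tripped the 2-in-120s rule at {when:%H:%M:%S}")
        for label, interval in (("1s scan", 1), ("5min scan", 300), ("1h scan", 3600)):
            n = registrations_before_ban(events, ip, when, interval)
            print(f"  {label}: {n} registrations completed before the ban took effect")
    # Alex's looser criterion (more than 2-3 in 30 seconds) does not catch this burst:
    print("3-in-30s rule trips:", find_offenders(events, maxretry=3, findtime_s=30))
```

With the sample data only 198.51.100.7 trips the 2-in-120s rule, and the scan interval decides how much gets through: 2 registrations with near-real-time scanning, still 2 with a 5-minute scan, but all 5 with an hourly one, which is the gap Sandro's "~100 new users before the IP is banned" estimate describes. The stricter-sounding "3 in 30 seconds" threshold catches nothing here, because this burst is paced at 35-40 seconds per request.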
