On 2025-05-15 at 21:19:08 UTC-0400 (Thu, 15 May 2025 18:19:08 -0700 (PDT))
John Hardin <sysadmins@spamassassin.apache.org> is rumored to have said:
On Thu, 15 May 2025, Bill Cole wrote:
Root cause of these and others is an ongoing DDoS of RuleQA, coming
mostly from Huawei Cloud IPs hitting ruleqa.cgi with stupid queries.
Possibly AI crawlers. There were some 'Require not ip' entries in the
.htaccess for the worst offenders, but doing that at the HTTP level
was still too rough on the machine, so I've inserted the lot at the
top of the INPUT chain in iptables. I have also reduced the TCP
close/fin/time wait times to clear out dead sessions faster.
Documentation of changes?
Sure, but I'd rather not put them in the Wiki for easy access. This list
seems like a good compromise between broadcasting and privacy.
Or are we relying on root's command history?
The sysctl changes were:
sysctl net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
sysctl net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
sysctl net.netfilter.nf_conntrack_tcp_timeout_close_wait=15
Those are very low risk, as the wait states exist to make sure new
sockets don't get confused by wandering packets for old ones, and the
defaults (all 4X the above) date from a much less reliable time.
The new iptables rules are 3-26 in this list:
root@sa-vm:~# iptables --line-numbers -nvL |head -29
Chain INPUT (policy ACCEPT 88688 packets, 77M bytes)
num   pkts  bytes target   prot opt in  out source            destination
1    5302K  2089M ts-input all  --  *   *   0.0.0.0/0         0.0.0.0/0
2    5070K  1556M f2b-sshd tcp  --  *   *   0.0.0.0/0         0.0.0.0/0   multiport dports 22
3      576  34560 DROP     all  --  *   *   101.44.64.0/20    0.0.0.0/0
4      228  13680 DROP     all  --  *   *   119.8.24.0/21     0.0.0.0/0
5    20376  1223K DROP     all  --  *   *   101.46.0.0/20     0.0.0.0/0
6      246  14760 DROP     all  --  *   *   119.13.80.0/21    0.0.0.0/0
7     1350  81000 DROP     all  --  *   *   94.74.96.0/20     0.0.0.0/0
8     1842   111K DROP     all  --  *   *   119.8.32.0/19     0.0.0.0/0
9     5700   342K DROP     all  --  *   *   46.250.160.0/20   0.0.0.0/0
10    1602  96120 DROP     all  --  *   *   159.138.128.0/20  0.0.0.0/0
11    2544   153K DROP     all  --  *   *   162.128.175.0/24  0.0.0.0/0
12   10717   643K DROP     all  --  *   *   190.92.192.0/19   0.0.0.0/0
13   44577  2674K DROP     all  --  *   *   188.239.0.0/16    0.0.0.0/0
14   42083  2525K DROP     all  --  *   *   166.108.192.0/18  0.0.0.0/0
15    8928   536K DROP     all  --  *   *   159.138.0.0/16    0.0.0.0/0
16   29715  1783K DROP     all  --  *   *   116.204.0.0/16    0.0.0.0/0
17   43019  2581K DROP     all  --  *   *   124.243.128.0/18  0.0.0.0/0
18     444  26640 DROP     all  --  *   *   119.13.96.0/20    0.0.0.0/0
19   79443  4766K DROP     all  --  *   *   111.119.0.0/16    0.0.0.0/0
20    7674   460K DROP     all  --  *   *   110.238.104.0/21  0.0.0.0/0
21       0      0 DROP     all  --  *   *   103.150.10.0/23   0.0.0.0/0
22    2976   179K DROP     all  --  *   *   101.44.176.0/20   0.0.0.0/0
23     300  18000 DROP     all  --  *   *   101.44.160.0/20   0.0.0.0/0
24    7951   481K DROP     all  --  *   *   94.74.80.0/20     0.0.0.0/0
25     192  11520 DROP     all  --  *   *   49.0.200.0/21     0.0.0.0/0
26    2000   120K DROP     all  --  *   *   45.40.48.0/22     0.0.0.0/0
Those are before the bazillion ASF-wide blocks in the same chain, so if
there's any burden to that large number, we're skipping it.
The specific ranges were targeted by looking at connections and logs to
identify candidate ranges that were hitting old dates, specific rules,
and individual corpora, e.g. no one really wants to know how FUZZY_SEX
performed for Gio in 2018.
The command I used to identify targets was:
tail -n 900 /var/log/apache2/*error.log |grep -o 'client [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*:' |cut -d: -f1 |cut -d' ' -f2 |cut -d. -f1-3 |sort -V |uniq -c |sort -n |tail
That emits a list of the 10 most frequent /24 ranges in recent error
logs. I get the route prefix using 'whob' and block the whole thing.
Load avg. is now below 1.0.
Yay!
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Should you meet with a person bent on a campaign of terror,
intending to murder their fellow men and women, to leave behind a
swath of widows, widowers and orphans, to grieve families and
nations alike, do the reasonable thing. Kill them.
-- Matthew @ StraightForward
-----------------------------------------------------------------------
213 days since SpaceX caught the SuperHeavy booster on the first try
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
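The triage pipeline and the block-insertion step described in the message above, as an added example that is not part of the original thread or of the SpamAssassin project's own tooling. It assumes the Apache 2.4 '[client IP:PORT]' error-log format, a constructed sample log using RFC 5737 documentation addresses (not real clients), a hypothetical hit threshold for deciding what to block, and insertion at INPUT position 3, i.e. below the ts-input and f2b-sshd rules in the listing. It only prints the iptables commands; nothing here touches the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread above. Reproduces the /24 triage
# pipeline over a constructed Apache 2.4 error log and turns the result into
# iptables DROP commands of the kind the message describes. Dry run only.

# Constructed sample error log (RFC 5737 documentation ranges, not real
# traffic): five hits from 198.51.100.0/24, three from 203.0.113.0/24, one
# from 192.0.2.0/24, plus one notice line with no client address at all.
sample_log() {
    cat <<'EOF'
[Thu May 15 18:00:00.000000 2025] [mpm_event:notice] [pid 4100] AH00489: Apache configured -- resuming normal operations
[Thu May 15 18:00:01.100000 2025] [cgi:error] [pid 4101] [client 198.51.100.7:41234] AH01215: ruleqa.cgi: bad date 2018-03-01
[Thu May 15 18:00:01.200000 2025] [cgi:error] [pid 4102] [client 203.0.113.9:50001] AH01215: ruleqa.cgi: bad date 2017-11-30
[Thu May 15 18:00:01.300000 2025] [cgi:error] [pid 4103] [client 198.51.100.7:41235] AH01215: ruleqa.cgi: bad date 2018-03-02
[Thu May 15 18:00:01.400000 2025] [cgi:error] [pid 4104] [client 192.0.2.14:33001] AH01215: ruleqa.cgi: bad date 2019-01-01
[Thu May 15 18:00:01.500000 2025] [cgi:error] [pid 4105] [client 198.51.100.22:41300] AH01215: ruleqa.cgi: bad date 2018-03-03
[Thu May 15 18:00:01.600000 2025] [cgi:error] [pid 4106] [client 203.0.113.9:50002] AH01215: ruleqa.cgi: bad date 2017-12-01
[Thu May 15 18:00:01.700000 2025] [cgi:error] [pid 4107] [client 198.51.100.23:41301] AH01215: ruleqa.cgi: bad date 2018-03-04
[Thu May 15 18:00:01.800000 2025] [cgi:error] [pid 4108] [client 203.0.113.40:50100] AH01215: ruleqa.cgi: bad date 2017-12-02
[Thu May 15 18:00:01.900000 2025] [cgi:error] [pid 4109] [client 198.51.100.91:41400] AH01215: ruleqa.cgi: bad date 2018-03-05
EOF
}

# top_prefixes [LINES] [TOP]: read an error log on stdin and print the TOP
# most frequent /24 prefixes among the last LINES lines as "count prefix",
# least frequent first (the same order as the original pipeline). A plain
# sort is used instead of sort -V: uniq -c only needs identical prefixes to
# be adjacent, and plain sort is available everywhere.
top_prefixes() {
    tail -n "${1:-900}" \
    | grep -o 'client [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*:' \
    | cut -d: -f1 | cut -d' ' -f2 | cut -d. -f1-3 \
    | sort | uniq -c | sort -n | tail -n "${2:-10}" \
    | awk '{ print $1, $2 }'
}

# block_rules [MIN_HITS]: turn "count prefix" lines into iptables commands
# for every prefix with at least MIN_HITS hits (hypothetical threshold).
# Emits the bare /24; the message widened each seed to its announced route
# prefix with whob before blocking. Position 3 puts the rule below the
# ts-input and f2b-sshd rules and above the ASF-wide blocks.
block_rules() {
    awk -v min="${1:-100}" \
        '$1 >= min { printf "iptables -I INPUT 3 -s %s.0/24 -j DROP\n", $2 }'
}

# Usage on a real host (prints commands; pipe into sh as root to apply):
#   cat /var/log/apache2/*error.log | top_prefixes 900 10 | block_rules 100
# Demonstration against the constructed log:
sample_log | top_prefixes 900 10 | block_rules 3
```

Two caveats a practitioner would want: the regex only matches IPv4 clients, so IPv6 abusers never appear in the count, and because each command inserts at a fixed position the emitted rules end up in reverse order, which is harmless for a run of DROP rules. Widening a seed to its route prefix can also make an earlier, narrower rule redundant, as rule 10 (159.138.128.0/20) is once rule 15 (159.138.0.0/16) is present in the listing above.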