Thanks Bill!

On 5/16/2025 10:34 AM, Bill Cole wrote:

On 2025-05-15 at 21:19:08 UTC-0400 (Thu, 15 May 2025 18:19:08 -0700 (PDT))
John Hardin <sysadmins@spamassassin.apache.org>
is rumored to have said:

On Thu, 15 May 2025, Bill Cole wrote:

Root cause of these and others is an ongoing DDoS of RuleQA, coming mostly from Huawei Cloud IPs hitting ruleqa.cgi with stupid queries. Possibly AI crawlers. There were some 'Require not ip' entries in the .htaccess for the worst offenders, but doing that at the HTTP level was still too rough on the machine, so I've inserted the lot at the top of the INPUT chain in iptables. I have also reduced the TCP close/fin/time wait times to clear out dead sessions faster.

Documentation of changes?

Sure, but I'd rather not put them in the Wiki for easy access. This list seems like a good compromise between broadcasting and privacy.

Or are we relying on root's command history?

The sysctl changes were:

   sysctl net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
   sysctl net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
   sysctl net.netfilter.nf_conntrack_tcp_timeout_close_wait=15

Those are very low risk, as the wait states exist to make sure new sockets don't get confused by wandering packets for old ones, and the defaults (all 4X the above) date from a much less reliable time.


The new iptables rules are 3-26 in this list:

    root@sa-vm:~# iptables --line-numbers  -nvL |head -29
    Chain INPUT (policy ACCEPT 88688 packets, 77M bytes)
    num   pkts bytes target     prot opt in     out source               destination
    1    5302K 2089M ts-input   all  --  *      * 0.0.0.0/0            0.0.0.0/0
    2    5070K 1556M f2b-sshd   tcp  --  *      * 0.0.0.0/0            0.0.0.0/0            multiport dports 22
    3      576 34560 DROP       all  --  *      * 101.44.64.0/20       0.0.0.0/0
    4      228 13680 DROP       all  --  *      * 119.8.24.0/21        0.0.0.0/0
    5    20376 1223K DROP       all  --  *      * 101.46.0.0/20        0.0.0.0/0
    6      246 14760 DROP       all  --  *      * 119.13.80.0/21       0.0.0.0/0
    7     1350 81000 DROP       all  --  *      * 94.74.96.0/20        0.0.0.0/0
    8     1842  111K DROP       all  --  *      * 119.8.32.0/19        0.0.0.0/0
    9     5700  342K DROP       all  --  *      * 46.250.160.0/20      0.0.0.0/0
    10    1602 96120 DROP       all  --  *      * 159.138.128.0/20     0.0.0.0/0
    11    2544  153K DROP       all  --  *      * 162.128.175.0/24     0.0.0.0/0
    12   10717  643K DROP       all  --  *      * 190.92.192.0/19      0.0.0.0/0
    13   44577 2674K DROP       all  --  *      * 188.239.0.0/16       0.0.0.0/0
    14   42083 2525K DROP       all  --  *      * 166.108.192.0/18     0.0.0.0/0
    15    8928  536K DROP       all  --  *      * 159.138.0.0/16       0.0.0.0/0
    16   29715 1783K DROP       all  --  *      * 116.204.0.0/16       0.0.0.0/0
    17   43019 2581K DROP       all  --  *      * 124.243.128.0/18     0.0.0.0/0
    18     444 26640 DROP       all  --  *      * 119.13.96.0/20       0.0.0.0/0
    19   79443 4766K DROP       all  --  *      * 111.119.0.0/16       0.0.0.0/0
    20    7674  460K DROP       all  --  *      * 110.238.104.0/21     0.0.0.0/0
    21       0     0 DROP       all  --  *      * 103.150.10.0/23      0.0.0.0/0
    22    2976  179K DROP       all  --  *      * 101.44.176.0/20      0.0.0.0/0
    23     300 18000 DROP       all  --  *      * 101.44.160.0/20      0.0.0.0/0
    24    7951  481K DROP       all  --  *      * 94.74.80.0/20        0.0.0.0/0
    25     192 11520 DROP       all  --  *      * 49.0.200.0/21        0.0.0.0/0
    26    2000  120K DROP       all  --  *      * 45.40.48.0/22        0.0.0.0/0

Those are before the bazillion ASF-wide blocks in the same chain, so if there's any burden to that large number, we're skipping it.

The specific ranges were targeted by looking at connections and logs to identify candidate ranges that were hitting old dates, specific rules, and individual corpora, e.g. no one really wants to know how FUZZY_SEX performed for Gio in 2018.

The command I used to identify targets was:

    tail -n 900 /var/log/apache2/*error.log |grep -o 'client [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*:' |cut -d: -f1 |cut -d' ' -f2 |cut -d. -f1-3 |sort -V |uniq -c |sort -n |tail

That emits a list of the 10 most frequent /24 ranges in recent error logs. I get the route prefix using 'whob' and block the whole thing.


Load avg. is now below 1.0.

Yay!

--
 John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Should you meet with a person bent on a campaign of terror,
  intending to murder their fellow men and women, to leave behind a
  swath of widows, widowers and orphans, to grieve families and
  nations alike, do the reasonable thing. Kill them.
                                         -- Matthew @ StraightForward
-----------------------------------------------------------------------
 213 days since SpaceX caught the SuperHeavy booster on the first try


--

Kevin A. McGrail
CEO Emeritus
Peregrine Computer Consultants Corporation
Phone   +1.703.798.0171
Email   kmcgr...@pccc.com
Web     www.pccc.com
        www.raptoremailsecurity.com
Location
        16620 E Riverside Dr, St Paul, VA 24283

LinkedIn <https://linkedin.com/in/kmcgrail> Twitter <https://twitter.com/kamcgrail>

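The log-mining pipeline Bill describes, wrapped as a reviewable script. This is an added example, not code from the thread or from the SpamAssassin project: it embeds a few constructed Apache error-log lines (RFC 5737 documentation addresses, not real traffic), ranks the /24s the way the message's pipeline does, and then prints the iptables DROP rules that a chosen hit threshold would produce instead of applying them. The threshold, the function names and the sample log lines are assumptions; the step Bill does with `whob` (widening a /24 to its routed prefix) is left to the operator because it needs network access. Plain `sort` replaces `sort -V` since `uniq -c` only needs duplicates to be adjacent.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "top /24 ranges in the
# Apache error log" pipeline as a function with a hit threshold, and emit the
# resulting iptables DROP rules as text for review rather than applying them.
# Assumptions: a POSIX userland with grep, cut, sort, uniq, awk, wc and tr;
# Apache's "[client A.B.C.D:port]" token in the error log.

# Constructed sample error-log lines (RFC 5737 documentation addresses, not
# real traffic): three hosts in 203.0.113.0/24, one host in 198.51.100.0/24
# seen twice, one hit from 192.0.2.0/24, and one line without a client token.
SAMPLE_LOG='[Thu May 15 18:10:01.000001 2025] [cgi:error] [pid 1001] [client 203.0.113.17:51234] AH01215: ruleqa.cgi: slow query
[Thu May 15 18:10:02.000001 2025] [cgi:error] [pid 1002] [client 203.0.113.90:51235] AH01215: ruleqa.cgi: slow query
[Thu May 15 18:10:03.000001 2025] [cgi:error] [pid 1003] [client 203.0.113.201:51236] AH01215: ruleqa.cgi: slow query
[Thu May 15 18:10:04.000001 2025] [cgi:error] [pid 1004] [client 198.51.100.4:51237] AH01215: ruleqa.cgi: slow query
[Thu May 15 18:10:05.000001 2025] [cgi:error] [pid 1005] [client 198.51.100.4:51238] AH01215: ruleqa.cgi: slow query
[Thu May 15 18:10:06.000001 2025] [cgi:error] [pid 1006] [client 192.0.2.8:51239] AH01215: ruleqa.cgi: slow query
[Thu May 15 18:10:07.000001 2025] [core:notice] [pid 1000] AH00094: Command line: /usr/sbin/apache2'

# top_ranges: read error-log text on stdin and print "<count> <a.b.c>" per
# /24, least frequent first. Same extraction as the message's pipeline;
# plain sort is enough because uniq -c only needs duplicates adjacent.
top_ranges() {
    grep -o 'client [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*:' \
    | cut -d: -f1 | cut -d' ' -f2 | cut -d. -f1-3 \
    | sort | uniq -c | sort -n \
    | awk '{print $1, $2}'
}

# block_rules THRESHOLD: read top_ranges output on stdin and print one
# iptables rule per /24 whose hit count reaches THRESHOLD. Nothing is
# executed; the operator widens each /24 to its routed prefix (whob in the
# message) and reviews the list before inserting anything into INPUT.
block_rules() {
    threshold="$1"
    awk -v t="$threshold" '$1 >= t { printf "iptables -I INPUT -s %s.0/24 -j DROP\n", $2 }'
}

# busiest_range: the last line of the ranked list, i.e. the most frequent /24
# in the sample, in the form "<count> <a.b.c>".
busiest_range() {
    printf '%s\n' "$SAMPLE_LOG" | top_ranges | tail -n 1
}

# rule_count THRESHOLD: how many /24s the sample would block at that threshold.
rule_count() {
    printf '%s\n' "$SAMPLE_LOG" | top_ranges | block_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show the ranked list, then the rules a threshold of 2 yields.
printf '%s\n' "$SAMPLE_LOG" | top_ranges
printf '%s\n' "$SAMPLE_LOG" | top_ranges | block_rules 2
```

On a live host, replace the embedded sample with `tail -n 900 /var/log/apache2/*error.log | top_ranges`, pick the threshold from what the ranked list shows, and treat the printed rules as a proposal: rule position matters (the message's blocks sit after the `ts-input` and `f2b-sshd` jumps), so insert with an explicit rule number after checking `iptables --line-numbers -nvL INPUT`.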