# snapshot abusers
# 61.69.254.110 - 20180705, mirroring with wget
- # 18.185.157.46 - 20180821 large amount of requests way too fast
- # 18.194.174.202 - 20180821 large amount of requests way too fast
+ # 20180821 large amount of requests way too fast from some amazon AWS instances
+ # 18.185.157.46
+ # 18.194.174.202
+ # 18.184.181.169
+ # 18.184.5.230
+ # 18.194.137.96
+ # 18.197.147.183
+ # 3.120.39.137
+ # 3.120.41.69
+ # 35.158.129.130
+ # 52.59.199.25
+ # 52.59.228.158
+ # 52.59.245.42
+ # 52.59.253.41
+ # 52.59.71.13
+ # 20180821 mirroring
+ # 99.137.191.34
+ # 20181110 crawler
+ # 51.15.215.91
+ # 20181222, excessive number of requests
+ # 208.91.68.213
+ # 198.11.128.0/18
+ # running jugdo against snapshot
+ # 159.226.95.0/24
+ # 84.204.194.0/24
+ # 211.13.205.0/24
+ # 20190512 tens of thousands of queries
+ # 63.32.0.0/14
+ # 95.115.66.23
@ferm::rule { 'dsa-snapshot-abusers':
- prio => "000",
- rule => "saddr (61.69.254.110 18.185.157.46 18.194.174.202) DROP",
+ prio => "005",
+ rule => "saddr (61.69.254.110 18.128.0.0/9 3.120.0.0/14 35.156.0.0/14 52.58.0.0/15 99.137.191.34 51.15.215.91 208.91.68.213 198.11.128.0/18 159.226.95.0/24 84.204.194.0/24 211.13.205.0/24 63.32.0.0/14 95.115.66.23) DROP",
}
ensure_packages ( [
}
}
+ @ferm::rule { 'dsa-snapshot-connlimit':
+ domain => '(ip ip6)',
+ prio => "005",
+ rule => "proto tcp mod state state (NEW) interface ! lo daddr (${ipv4addr} ${ipv6addr}) mod multiport destination-ports (80 443) mod connlimit connlimit-above 3 DROP;
+ proto tcp mod state state (NEW) interface ! lo dport 6081 mod connlimit connlimit-above 3 DROP
+ ",
+ }
+
# varnish cache
###############
@ferm::rule { 'dsa-nat-snapshot-varnish-v4':