X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fsecurity_tracker.pp;h=4aa42196f6628b9dde83f8c89b22346832c55875;hb=2a425a85aee59abba7f8de4b9bb6f61824938d82;hp=40ed08a76d7b86d1691780f534102e4152540305;hpb=77bfd7351d9585910a6d3d59e0b88de80ec35bb5;p=mirror%2Fdsa-puppet.git

diff --git a/modules/roles/manifests/security_tracker.pp b/modules/roles/manifests/security_tracker.pp
index 40ed08a76..4aa42196f 100644
--- a/modules/roles/manifests/security_tracker.pp
+++ b/modules/roles/manifests/security_tracker.pp
@@ -3,6 +3,19 @@ class roles::security_tracker {
 	include apache2::proxy_http
 	include apache2::expires
 
+	apache2::module { 'cache_disk':
+		ensure => absent,
+	}
+
+	# security-tracker abusers
+	#  66.170.99.1  20180706 excessive number of requests
+	#  66.170.99.2  20180706 excessive number of requests
+	ferm::rule { 'dsa-sectracker-abusers':
+		prio  => "005",
+		rule  => "saddr (66.170.99.1 66.170.99.2) DROP",
+	}
+
+
 	ssl::service { 'security-tracker.debian.org':
 		notify  => Exec['service apache2 reload'],
 		key => true,
@@ -14,11 +27,11 @@ class roles::security_tracker {
 	}
 
 	# traffic shaping http traffic
-	@ferm::rule { 'dsa-security-tracker-shape':
-		table => 'mangle',
-		chain => 'OUTPUT',
-		rule  => "proto tcp dport 443 MARK set-mark 20",
-	}
+	#ferm::rule { 'dsa-security-tracker-shape':
+	#	table => 'mangle',
+	#	chain => 'OUTPUT',
+	#	rule  => "proto tcp sport 443 MARK set-mark 20",
+	#}
 
 	file { '/usr/local/sbin/traffic-shape':
 		mode   => '0755',