
Dealing with addresses that have been reported for spamming

I have been getting several connection attempts in my logs the past days originating from 198.27.74.* addresses. They seem to be checks for exploits since different user agents are reported and trying any of them in google.com returns spam reports.

I understand that banning IPs is better done before web.py is ever invoked, so do you think that it would be a good idea for pythonanywhere.com to ban these addresses or is the risk of blocking actual users too great?

Log sample follows.

198.27.74.212 - - [15/Jun/2013:01:28:01 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11"
198.27.74.197 - - [15/Jun/2013:01:31:35 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
198.27.74.179 - - [15/Jun/2013:01:39:18 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.1634 Safari/535.19 YE"
198.27.74.178 - - [15/Jun/2013:01:40:01 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
198.27.74.71 - - [15/Jun/2013:01:46:28 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"
198.27.74.220 - - [15/Jun/2013:01:50:00 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.27.74.218 - - [15/Jun/2013:01:53:27 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
198.27.74.169 - - [15/Jun/2013:01:54:20 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
198.27.74.61 - - [15/Jun/2013:02:14:12 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Opera/9.80 (Windows NT 5.1; MRA 6.0 (build 5998)) Presto/2.12.388 Version/12.11"
198.27.74.63 - - [15/Jun/2013:02:24:57 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Opera/9.80 (Windows NT 6.1; Edition Yx) Presto/2.12.388 Version/12.11"
198.27.74.214 - - [15/Jun/2013:02:27:02 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.92 Safari/537.4"
198.27.74.185 - - [15/Jun/2013:02:55:18 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.1634 Safari/535.19 YE"
198.27.74.128 - - [15/Jun/2013:04:50:28 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) YaBrowser/1.1.1084.5409 Chrome/19.1.1084.5409 Safari/536.5"
198.27.74.180 - - [15/Jun/2013:05:11:32 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2"
198.27.74.181 - - [15/Jun/2013:05:17:54 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Opera/9.80 (Windows NT 6.1; WOW64; U; ru) Presto/2.10.289 Version/12.00"
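The pattern the poster spotted (one /24, many hosts, a different User-Agent on each hit) can be pulled out of an access log mechanically. This is an added example, not code from the thread or from PythonAnywhere; it parses the standard combined log format and the sample lines embedded below are constructed (three taken from the thread's log plus one unrelated visitor).

```python
import ipaddress
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three lines from the thread's log plus one unrelated visitor.
SAMPLE_LOG = """\
198.27.74.212 - - [15/Jun/2013:01:28:01 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11"
198.27.74.197 - - [15/Jun/2013:01:31:35 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
198.27.74.178 - - [15/Jun/2013:01:40:01 +0000] "GET / HTTP/1.0" 200 2033 "http://abc.pythonanywhere.com/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
203.0.113.5 - - [15/Jun/2013:01:41:10 +0000] "GET /about HTTP/1.1" 200 1500 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/21.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarise_by_network(log_text, prefix_len=24):
    """Group hits by source /prefix_len network: hit count, distinct hosts, distinct UAs.

    One small network showing many hosts and many different user agents in a
    short window (the pattern in the thread) looks like a single scanner
    rotating its User-Agent, not a crowd of real browsers.
    """
    stats = defaultdict(lambda: {"hits": 0, "hosts": set(), "uas": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # skip unparseable lines rather than crash on one bad entry
            continue
        net = ipaddress.ip_network(f"{rec['ip']}/{prefix_len}", strict=False)
        entry = stats[str(net)]
        entry["hits"] += 1
        entry["hosts"].add(rec["ip"])
        entry["uas"].add(rec["ua"])
    return {net: {"hits": e["hits"], "hosts": len(e["hosts"]), "uas": len(e["uas"])}
            for net, e in stats.items()}


def suspicious_networks(summary, min_hosts=3, min_uas=3):
    """Networks worth a closer look before deciding on any block."""
    return sorted(n for n, s in summary.items()
                  if s["hosts"] >= min_hosts and s["uas"] >= min_uas)
```

Run `summarise_by_network` over a full day's log rather than this sample and the thresholds in `suspicious_networks` give you a short list to check against a reputation service before considering a block.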

Interesting. I suppose we could block specific IPs from accessing people's sites. But as you say, there is a high risk that we'd wind up blocking legitimate use if we got it wrong.

One possibility -- perhaps you could use Cloudflare as well as us? They have a free plan that I think can handle this kind of blocking.

That does sound like a plan, but my website is very simple and has no other reason to rely on Cloudflare. I don't think that there's actually immediate danger for me personally, but let this be a heads up in case they're targeting your network in general.

Another (slightly more far-fetched) idea would be to allow users themselves to do this kind of blocking.

Letting the user specify rules at the iptables level isn't really feasible, because users may be sharing a server IP address so PA needs to accept the TCP connection and read the request at least as far as the Host header to decide which user should receive the request. It would probably be possible to allow nginx to reject the connection at this point, by allowing the user to put appropriate deny lines in their virtual server's config block, but that's probably quite a fiddly thing to implement and I'm not sure there's much benefit beyond users simply putting this rejection into their top-level WSGI application.

As long as people write their WSGI applications well (i.e. avoid SQL injection attacks, put a limit on the size of all fields accepted, etc.) then the vulnerability to exploits should be minor as nginx and uwsgi are both well-written components with comparatively few flaws.

If PA ran any PHP applications then perhaps things might be different... (^_^)

As an aside, I tried a handful of those addresses in Spamhaus' lookup tool and all the ones I tried came back negative, so if those addresses are used by spammers then they're not particularly active ones.
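Cartroo's suggestion of putting the rejection into the top-level WSGI application looks like this in practice. This is an added example, not code from the thread or from PythonAnywhere: a small middleware that answers 403 for a list of networks (198.27.74.0/24 from the thread plus a constructed placeholder range) before the wrapped app runs. Whether the platform sets a forwarding header such as X-Forwarded-For, and what it is called, is an assumption left as a parameter rather than something the thread states.

```python
import ipaddress

# Networks to refuse: 198.27.74.0/24 is the range from the thread; 203.0.113.0/24
# is a constructed placeholder showing that several ranges can be listed.
DENY_NETWORKS = [ipaddress.ip_network(n) for n in ("198.27.74.0/24", "203.0.113.0/24")]

def client_ip(environ, proxy_header=None):
    """Client address from the WSGI environ. Behind a reverse proxy REMOTE_ADDR is
    the proxy and the real address arrives in a header such as X-Forwarded-For
    (WSGI key HTTP_X_FORWARDED_FOR); pass proxy_header only if your platform is
    known to set it, since clients can forge it otherwise (assumption, see lead-in)."""
    if proxy_header and environ.get(proxy_header):
        # Leftmost entry is the original client when proxies append to the list.
        return environ[proxy_header].split(",")[0].strip()
    return environ.get("REMOTE_ADDR", "")

def is_denied(addr):
    """True if addr lies in a denied network. Unparseable addresses are allowed:
    a denylist blocks known-bad sources, and a missing address is not evidence."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in DENY_NETWORKS)

class DenyMiddleware:
    """Wrap a WSGI app and answer 403 before the app ever sees the request."""
    def __init__(self, app, proxy_header=None):
        self.app, self.proxy_header = app, proxy_header

    def __call__(self, environ, start_response):
        if is_denied(client_ip(environ, self.proxy_header)):
            body = b"Forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)

def hello_app(environ, start_response):
    # Stand-in for the real web.py / WSGI application.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]

def call_app(app, environ):
    """Drive a WSGI app once and return (status, body); handy for testing."""
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.setdefault("status", status)))
    return seen["status"], body

application = DenyMiddleware(hello_app)  # or DenyMiddleware(hello_app, "HTTP_X_FORWARDED_FOR")
```

Because the check runs inside the WSGI callable, nginx and uwsgi still accept and parse the request; it only spares your application code, which is the trade-off Cartroo describes.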

Right as usual, Cartroo :-)

We could definitely put in a layer that filtered stuff out, but it would be quite a lot of work so I don't see it getting to the top of the list soon.

I would like to recommend Cloudflare once again, though -- I use them for a WordPress blog I still haven't moved over to PythonAnywhere/Mezzanine (see Cartroo's comment about PHP above...) and they've been excellent. It was really easy to set up -- took an hour or so -- and was free. Definitely worth a look.