2025-04-07T11:48:12  *** teepee_ is now known as teepee
2025-04-07T18:36:02  <acidsys> cboltz: when able, please check poo#180146
2025-04-07T18:50:30  <cboltz> looks like a(nother) bot gone crazy - and there's another one active right now
2025-04-07T18:52:19  <cboltz> currently there are lots of /index.php?... requests for for zh, with varying source IPs and user agents (most funny one is IE 6 on Windows 95)
2025-04-07T18:54:21  <acidsys> hm
2025-04-07T18:54:34  <acidsys> we could add rate limiting to http-login too
2025-04-07T18:55:32  <acidsys> but if they switch source address often it will not help so much
2025-04-07T18:56:01  <cboltz> the problem with rate limiting is that the IPs change faster than you can look - even the worst IP only appears 34 times in today's zh-access_log
2025-04-07T18:58:14  <acidsys> we could try another round of mod_forensic see if anything new is to add to our odd_clients ACL (though I don't have much hope)
2025-04-07T19:00:09  <cboltz> might indeed be worth a try - basically monitor all /index.php?... requests for zh and try to find a pattern
2025-04-07T19:06:09  <acidsys> /var/log/apache2/cn-forensic_log
2025-04-07T19:06:37  <acidsys> are all those query parameters valid parameters for our mediawiki?
2025-04-07T19:08:08  <cboltz> zh, not cn - I'll change the apache config
2025-04-07T19:08:21  <acidsys> oh, ty
2025-04-07T19:10:13  <cboltz> I didn't check all requests, but they all look like valid MediaWiki requests for looking at the page history and similar things
2025-04-07T19:13:38  <acidsys> I see ..
2025-04-07T19:19:01  <cboltz> funnyly blocking user agents with   Windows 9[58]   would have blocked ~12k requests to zh.o.o today (from 186k requests) total
2025-04-07T19:19:25  <cboltz> From these 12k requests, only 3 requested  "normal" pages
2025-04-07T19:20:53  <acidsys> wouldn't mind blocking those; but user agents are quite unreliable, not sure if any use windows 9[58] for obscurity
2025-04-07T19:22:43  <krop> for chine scrapers, kde sysadmins block anything not understanding http/2 and anything claiming to be chrome on windows
2025-04-07T19:22:48  <krop> chinese*
2025-04-07T19:25:11  <cboltz> the amount of Windows 95/98 requests is very low when you exclude /index.php - only 16 requests for all wikis today
2025-04-07T19:25:45  <cboltz> so IMHO we can take the risk of blocking these
2025-04-07T19:26:16  <matrix-o-o> <Emma [it/its]> nooo dont block me 😔
2025-04-07T19:26:34  <matrix-o-o> <Emma [it/its]> /j
2025-04-07T19:26:58  <cboltz> downgrade your user agent to Windows 3.11 and you'll be fine ;-)
2025-04-07T19:27:10  <matrix-o-o> <Emma [it/its]> fair lol
2025-04-07T19:27:25  <acidsys> :D
2025-04-07T19:27:56  <matrix-o-o> <Emma [it/its]> guess i could always use theoldnet as proxy
2025-04-07T19:28:04  <matrix-o-o> <Emma [it/its]> at least assuming you dont block IA
2025-04-07T19:38:54  <acidsys> theoretically this one would fit better into odd_clients/403 instead of annoying_useragents/429 but might be not worth extra implementation
2025-04-07T20:38:03  <cboltz> just wondering - do we have some statistics how many wiki requests we already block in haproxy?
2025-04-07T20:39:52  <cboltz> (I'd especially be interested in the header-based blocks if we have separate stats for that)
2025-04-07T21:38:36  *** teepee_ is now known as teepee