[MM3-users] Re: Abusive user creation - ideas for mitigating

Mon, 04 Nov 2024 03:11:42 -0800 

On 10/31/24 04:59, Andy Smith wrote:

On Thu, Oct 31, 2024 at 03:30:09AM +0000, Andy Smith wrote:

Looks like I could probably autogenerate an Apache ACL that lists all
Tor exit nodes and bans them from posting to /mailman/accounts/signup.


$ wget -qO - 'https://www.dan.me.uk/torlist/?exit' |
     sed 's/^/Require not ip /' |
     sudo tee /etc/apache2/tor-exit-list.conf >/dev/null

     # Block access to the signup form from Tor exit nodes.
     <Location /mailman/accounts/signup>
         <RequireAll>
             Require all granted
             Include /etc/apache2/tor-exit-list.conf
         </RequireAll>
     </Location>

Haven't worked out how to restrict it to POST method only yet, and
updating the list robustly is a job for tomorrow…

thanks a lot for this.

as i'm facing the same problem, i took your code, hopefully filling in 
the missing parts correctly:


```apache.conf
<Location /accounts/signup>
  <Limit POST PUT DELETE>
    order allow,deny
    allow from all
    Include /var/www/tor-exit-list.conf
  </Limit>
</Location>
```

using this script to update the list of exit-nodes:
```sh
#!/bin/sh

if [ $# -lt 1 ]; then
  cat >/dev/stderr <<EOF
usage: $0 <outfile> [<outfile> ...]
e.g.    $0 /var/www/tor-exit-list.conf
EOF
  exit 1
fi

url='https://www.dan.me.uk/torlist/?exit'

outfile=$(mktemp)
trap 'rm -f "${outfile}"' EXIT INT TERM

curl -s -o "${outfile}" --fail "${url}" || exit 1

sed -e "s/^/deny from /" "${outfile}" | tee "$@" >/dev/null
```


(as i'm tracking /etc with etckeeper, i'd rather not write the data to 
the config-directory)



mfgdasr
IOhannes



Attachment:
OpenPGP_signature.asc

Description: OpenPGP digital signature


___________________________________________
Die Inhaltsfilterung von Mailman hat die folgenden 
MIME-Teile aus dieser Nachricht entfernt.

Content-Type: application/pgp-keys
    Name: OpenPGP_0xB65019C47F7A36F8.asc

_______________________________________________
Mailman-users mailing list -- mailman-users@mailman3.org
To unsubscribe send an email to mailman-users-le...@mailman3.org
https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
Archived at: 
https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/BVDALGKYI3SUXBEMZMCBLHDMAFRNI7FI/

This message sent to arch...@mail-archive.com






















					Reply via email to