cgspace-notes/docs/2018-11/index.html

<!DOCTYPE html>
<html lang="en">

  <head>
    <meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

<meta property="og:title" content="November, 2018" />
<meta property="og:description" content="2018-11-01


Finalize AReS Phase I and Phase II ToRs
Send a note about my dspace-statistics-api to the dspace-tech mailing list


2018-11-03


Linode has been sending mails a few times a day recently that CGSpace (linode18) has had high CPU usage
Today these are the top 10 IPs:


" />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://alanorth.github.io/cgspace-notes/2018-11/" /><meta property="article:published_time" content="2018-11-01T16:41:30&#43;02:00"/>
<meta property="article:modified_time" content="2018-11-04T12:18:52&#43;02:00"/>

<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="November, 2018"/>
<meta name="twitter:description" content="2018-11-01


Finalize AReS Phase I and Phase II ToRs
Send a note about my dspace-statistics-api to the dspace-tech mailing list


2018-11-03


Linode has been sending mails a few times a day recently that CGSpace (linode18) has had high CPU usage
Today these are the top 10 IPs:


"/>
<meta name="generator" content="Hugo 0.50" />


<script type="application/ld+json">
{
  "@context": "http://schema.org",
  "@type": "BlogPosting",
  "headline": "November, 2018",
  "url": "https://alanorth.github.io/cgspace-notes/2018-11/",
  "wordCount": "992",
  "datePublished": "2018-11-01T16:41:30&#43;02:00",
  "dateModified": "2018-11-04T12:18:52&#43;02:00",
  "author": {
    "@type": "Person",
    "name": "Alan Orth"
  },
  "keywords": "Notes"
}
</script>


    <link rel="canonical" href="https://alanorth.github.io/cgspace-notes/2018-11/">

    <title>November, 2018 | CGSpace Notes</title>

    <!-- combined, minified CSS -->
    <link href="https://alanorth.github.io/cgspace-notes/css/style.css" rel="stylesheet" integrity="sha384-Upm5uY/SXdvbjuIGH6fBjF5vOYUr9DguqBskM&#43;EQpLBzO9U&#43;9fMVmWEt&#43;TTlGrWQ" crossorigin="anonymous">

    
  </head>

  <body>

    
    <div class="blog-masthead">
      <div class="container">
        <nav class="nav blog-nav">
          <a class="nav-link " href="https://alanorth.github.io/cgspace-notes/">Home</a>
        </nav>
      </div>
    </div>
    

    <header class="blog-header">
      <div class="container">
        <h1 class="blog-title"><a href="https://alanorth.github.io/cgspace-notes/" rel="home">CGSpace Notes</a></h1>
        <p class="lead blog-description">Documenting day-to-day work on the <a href="https://cgspace.cgiar.org">CGSpace</a> repository.</p>
      </div>
    </header>
    

    <div class="container">
      <div class="row">
        <div class="col-sm-8 blog-main">

          
<article class="blog-post">
  <header>
    <h2 class="blog-post-title"><a href="https://alanorth.github.io/cgspace-notes/2018-11/">November, 2018</a></h2>
    <p class="blog-post-meta"><time datetime="2018-11-01T16:41:30&#43;02:00">Thu Nov 01, 2018</time> by Alan Orth in 

<i class="fa fa-tag" aria-hidden="true"></i>&nbsp;<a href="/cgspace-notes/tags/notes" rel="tag">Notes</a>

</p>
  </header>
  <h2 id="2018-11-01">2018-11-01</h2>

<ul>
<li>Finalize AReS Phase I and Phase II ToRs</li>
<li>Send a note about my <a href="https://github.com/ilri/dspace-statistics-api">dspace-statistics-api</a> to the dspace-tech mailing list</li>
</ul>

<h2 id="2018-11-03">2018-11-03</h2>

<ul>
<li>Linode has been sending mails a few times a day recently that CGSpace (linode18) has had high CPU usage</li>
<li>Today these are the top 10 IPs:</li>
</ul>

<p></p>

<pre><code># zcat --force /var/log/nginx/*.log /var/log/nginx/*.log.1 | grep -E &quot;03/Nov/2018&quot; | awk '{print $1}' | sort | uniq -c | sort -n | tail -n 10
   1300 66.249.64.63
   1384 35.237.175.180
   1430 138.201.52.218
   1455 207.46.13.156
   1500 40.77.167.175
   1979 50.116.102.77
   2790 66.249.64.61
   3367 84.38.130.177
   4537 70.32.83.92
  22508 66.249.64.59
</code></pre>

<ul>
<li>The <code>66.249.64.x</code> are definitely Google</li>
<li><code>70.32.83.92</code> is well known, probably CCAFS or something, as it&rsquo;s only a few thousand requests and always to REST API</li>
<li><code>84.38.130.177</code> is some new IP in Latvia that is only hitting the XMLUI, using the following user agent:</li>
</ul>

<pre><code>Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.792.0 Safari/535.1
</code></pre>

<ul>
<li>They at least seem to be re-using their Tomcat sessions:</li>
</ul>

<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=84.38.130.177' dspace.log.2018-11-03 | sort | uniq
342
</code></pre>

<ul>
<li><code>50.116.102.77</code> is also a regular REST API user</li>
<li><code>40.77.167.175</code> and <code>207.46.13.156</code> seem to be Bing</li>
<li><code>138.201.52.218</code> seems to be on Hetzner in Germany, but is using this user agent:</li>
</ul>

<pre><code>Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0
</code></pre>

<ul>
<li>And it doesn&rsquo;t seem they are re-using their Tomcat sessions:</li>
</ul>

<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=138.201.52.218' dspace.log.2018-11-03 | sort | uniq
1243
</code></pre>

<ul>
<li>Ah, we&rsquo;ve apparently seen this server exactly a year ago in 2017-11, making 40,000 requests in one day&hellip;</li>
<li>I wonder if it&rsquo;s worth adding them to the list of bots in the nginx config?</li>
<li>Linode sent a mail that CGSpace (linode18) is using high outgoing bandwidth</li>
<li>Looking at the nginx logs again I see the following top ten IPs:</li>
</ul>

<pre><code># zcat --force /var/log/nginx/*.log /var/log/nginx/*.log.1 | grep -E &quot;03/Nov/2018&quot; | awk '{print $1}' | sort | uniq -c | sort -n | tail -n 10
   1979 50.116.102.77
   1980 35.237.175.180
   2186 207.46.13.156
   2208 40.77.167.175
   2843 66.249.64.63
   4220 84.38.130.177
   4537 70.32.83.92
   5593 66.249.64.61
  12557 78.46.89.18
  32152 66.249.64.59
</code></pre>

<ul>
<li><code>78.46.89.18</code> is new since I last checked a few hours ago, and it&rsquo;s from Hetzner with the following user agent:</li>
</ul>

<pre><code>Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0
</code></pre>

<ul>
<li>It&rsquo;s making lots of requests and using quite a number of Tomcat sessions:</li>
</ul>

<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=78.46.89.18' /home/cgspace.cgiar.org/log/dspace.log.2018-11-03 | sort | uniq
8449
</code></pre>

<ul>
<li>I could add this IP to the list of bot IPs in nginx, but it seems like a futile effort when some new IP could come along and do the same thing</li>
<li>Perhaps I should think about adding rate limits to dynamic pages like <code>/discover</code> and <code>/browse</code></li>
<li>I think it&rsquo;s reasonable for a human to click one of those links five or ten times a minute&hellip;</li>
<li>To contrast, <code>78.46.89.18</code> made about 300 requests per minute for a few hours today:</li>
</ul>

<pre><code># grep 78.46.89.18 /var/log/nginx/access.log | grep -o -E '03/Nov/2018:[0-9][0-9]:[0-9][0-9]' | sort | uniq -c | sort -n | tail -n 20
    286 03/Nov/2018:18:02
    287 03/Nov/2018:18:21
    289 03/Nov/2018:18:23
    291 03/Nov/2018:18:27
    293 03/Nov/2018:18:34
    300 03/Nov/2018:17:58
    300 03/Nov/2018:18:22
    300 03/Nov/2018:18:32
    304 03/Nov/2018:18:12
    305 03/Nov/2018:18:13
    305 03/Nov/2018:18:24
    312 03/Nov/2018:18:39
    322 03/Nov/2018:18:17
    326 03/Nov/2018:18:38
    327 03/Nov/2018:18:16
    330 03/Nov/2018:17:57
    332 03/Nov/2018:18:19
    336 03/Nov/2018:17:56
    340 03/Nov/2018:18:14
    341 03/Nov/2018:18:18
</code></pre>

<ul>
<li>If they want to download all our metadata and PDFs they should use an API rather than scraping the XMLUI</li>
<li>I will add them to the list of bot IPs in nginx for now and think about enforcing rate limits in XMLUI later</li>
<li>Also, this is the third (?) time a mysterious IP on Hetzner has done this&hellip; who is this?</li>
</ul>

<h2 id="2018-11-04">2018-11-04</h2>

<ul>
<li>Forward Peter&rsquo;s information about CGSpace financials to Modi from ICRISAT</li>
<li>Linode emailed about the CPU load and outgoing bandwidth on CGSpace (linode18) again</li>
<li>Here are the top ten IPs active so far this morning:</li>
</ul>

<pre><code># zcat --force /var/log/nginx/*.log /var/log/nginx/*.log.1 | grep -E &quot;04/Nov/2018&quot; | awk '{print $1}' | sort | uniq -c | sort -n | tail -n 10
   1083 2a03:2880:11ff:2::face:b00c
   1105 2a03:2880:11ff:d::face:b00c
   1111 2a03:2880:11ff:f::face:b00c
   1134 84.38.130.177
   1893 50.116.102.77
   2040 66.249.64.63
   4210 66.249.64.61
   4534 70.32.83.92
  13036 78.46.89.18
  20407 66.249.64.59
</code></pre>

<ul>
<li><code>78.46.89.18</code> is back&hellip; and still making tons of Tomcat sessions:</li>
</ul>

<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=78.46.89.18' dspace.log.2018-11-04 | sort | uniq
8765
</code></pre>

<ul>
<li>Also, now we have a ton of Facebook crawlers:</li>
</ul>

<pre><code># zcat --force /var/log/nginx/*.log /var/log/nginx/*.log.1 | grep -E &quot;04/Nov/2018&quot; | grep &quot;2a03:2880:11ff:&quot; | awk '{print $1}' | sort | uniq -c | sort -n
    905 2a03:2880:11ff:b::face:b00c
    955 2a03:2880:11ff:5::face:b00c
    965 2a03:2880:11ff:e::face:b00c
    984 2a03:2880:11ff:8::face:b00c
    993 2a03:2880:11ff:3::face:b00c
    994 2a03:2880:11ff:7::face:b00c
   1006 2a03:2880:11ff:10::face:b00c
   1011 2a03:2880:11ff:4::face:b00c
   1023 2a03:2880:11ff:6::face:b00c
   1026 2a03:2880:11ff:9::face:b00c
   1039 2a03:2880:11ff:1::face:b00c
   1043 2a03:2880:11ff:c::face:b00c
   1070 2a03:2880:11ff::face:b00c
   1075 2a03:2880:11ff:a::face:b00c
   1093 2a03:2880:11ff:2::face:b00c
   1107 2a03:2880:11ff:d::face:b00c
   1116 2a03:2880:11ff:f::face:b00c
</code></pre>

<ul>
<li>They are really making shit tons of Tomcat sessions:</li>
</ul>

<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=2a03:2880:11ff' dspace.log.2018-11-04 | sort | uniq
14368
</code></pre>

<ul>
<li>Their user agent is:</li>
</ul>

<pre><code>facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
</code></pre>

<ul>
<li>I will add it to the Tomcat Crawler Session Manager valve</li>
<li>Later in the evening&hellip; ok, this Facebook bot is getting super annoying:</li>
</ul>

<pre><code># zcat --force /var/log/nginx/*.log /var/log/nginx/*.log.1 | grep -E &quot;04/Nov/2018&quot; | grep &quot;2a03:2880:11ff:&quot; | awk '{print $1}' | sort | uniq -c | sort -n
   1871 2a03:2880:11ff:3::face:b00c
   1885 2a03:2880:11ff:b::face:b00c
   1941 2a03:2880:11ff:8::face:b00c
   1942 2a03:2880:11ff:e::face:b00c
   1987 2a03:2880:11ff:1::face:b00c
   2023 2a03:2880:11ff:2::face:b00c
   2027 2a03:2880:11ff:4::face:b00c
   2032 2a03:2880:11ff:9::face:b00c
   2034 2a03:2880:11ff:10::face:b00c
   2050 2a03:2880:11ff:5::face:b00c
   2061 2a03:2880:11ff:c::face:b00c
   2076 2a03:2880:11ff:6::face:b00c
   2093 2a03:2880:11ff:7::face:b00c
   2107 2a03:2880:11ff::face:b00c
   2118 2a03:2880:11ff:d::face:b00c
   2164 2a03:2880:11ff:a::face:b00c
   2178 2a03:2880:11ff:f::face:b00c
</code></pre>

<ul>
<li>And still making shit tons of Tomcat sessions:</li>
</ul>

<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=2a03:2880:11ff' dspace.log.2018-11-04 | sort | uniq
28470
</code></pre>

<ul>
<li>And that&rsquo;s even using the Tomcat Crawler Session Manager valve!</li>
<li>Maybe we need to limit more dynamic pages, like the &ldquo;most popular&rdquo; country, item, and author pages</li>
<li>It seems these are popular too, and there is no fucking way Facebook needs that information, yet they are requesting thousands of them!</li>
</ul>

<pre><code># grep 'face:b00c' /var/log/nginx/access.log /var/log/nginx/access.log.1 | grep -c 'most-popular/'
7033
</code></pre>

<ul>
<li>I added the &ldquo;most-popular&rdquo; pages to the list that return <code>X-Robots-Tag: none</code> to try to inform bots not to index or follow those pages</li>
<li>Also, I implemented an nginx rate limit of twelve requests per minute on all dynamic pages&hellip; I figure a human user might legitimately request one every five seconds</li>
</ul>

<!-- vim: set sw=2 ts=2: -->

  
</article> 


        </div> <!-- /.blog-main -->

        <aside class="col-sm-3 ml-auto blog-sidebar">
  

        <section class="sidebar-module">
    <h4>Recent Posts</h4>
    <ol class="list-unstyled">


<li><a href="/cgspace-notes/2018-11/">November, 2018</a></li>

<li><a href="/cgspace-notes/2018-10/">October, 2018</a></li>

<li><a href="/cgspace-notes/2018-09/">September, 2018</a></li>

<li><a href="/cgspace-notes/2018-08/">August, 2018</a></li>

<li><a href="/cgspace-notes/2018-07/">July, 2018</a></li>

    </ol>
  </section>

  
  <section class="sidebar-module">
    <h4>Links</h4>
    <ol class="list-unstyled">
      
      <li><a href="https://cgspace.cgiar.org">CGSpace</a></li>
      
      <li><a href="https://dspacetest.cgiar.org">DSpace Test</a></li>
      
      <li><a href="https://github.com/ilri/DSpace">CGSpace @ GitHub</a></li>
      
    </ol>
  </section>
  
</aside>


      </div> <!-- /.row -->
    </div> <!-- /.container -->
    

    <footer class="blog-footer">
      <p>
      
      Blog template created by <a href="https://twitter.com/mdo">@mdo</a>, ported to Hugo by <a href='https://twitter.com/mralanorth'>@mralanorth</a>.
      
      </p>
      <p>
      <a href="#">Back to top</a>
      </p>
    </footer>
    

  </body>

</html>
Add notes for 2018-11-01 2018-11-01 15:43:37 +01:00			`<!DOCTYPE html>`
			`<html lang="en">`

			`<head>`
			`<meta charset="utf-8">`
			`<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">`

			`<meta property="og:title" content="November, 2018" />`
			`<meta property="og:description" content="2018-11-01`


			`Finalize AReS Phase I and Phase II ToRs`
			`Send a note about my dspace-statistics-api to the dspace-tech mailing list`


Add notes for 2018-11-03 2018-11-03 17:13:49 +01:00			`2018-11-03`


			`Linode has been sending mails a few times a day recently that CGSpace (linode18) has had high CPU usage`
			`Today these are the top 10 IPs:`


Add notes for 2018-11-01 2018-11-01 15:43:37 +01:00			`" />`
			`<meta property="og:type" content="article" />`
			`<meta property="og:url" content="https://alanorth.github.io/cgspace-notes/2018-11/" /><meta property="article:published_time" content="2018-11-01T16:41:30+02:00"/>`
Update notes for 2018-11-04 2018-11-04 21:45:00 +01:00			`<meta property="article:modified_time" content="2018-11-04T12:18:52+02:00"/>`
Add notes for 2018-11-01 2018-11-01 15:43:37 +01:00
			`<meta name="twitter:card" content="summary"/>`
			`<meta name="twitter:title" content="November, 2018"/>`
			`<meta name="twitter:description" content="2018-11-01`


			`Finalize AReS Phase I and Phase II ToRs`
			`Send a note about my dspace-statistics-api to the dspace-tech mailing list`


Add notes for 2018-11-03 2018-11-03 17:13:49 +01:00			`2018-11-03`


			`Linode has been sending mails a few times a day recently that CGSpace (linode18) has had high CPU usage`
			`Today these are the top 10 IPs:`


Add notes for 2018-11-01 2018-11-01 15:43:37 +01:00			`"/>`
			`<meta name="generator" content="Hugo 0.50" />`



			`<script type="application/ld+json">`
			`{`
			`"@context": "http://schema.org",`
			`"@type": "BlogPosting",`
			`"headline": "November, 2018",`
			`"url": "https://alanorth.github.io/cgspace-notes/2018-11/",`
Update notes for 2018-11-04 2018-11-04 21:45:00 +01:00			`"wordCount": "992",`
Add notes for 2018-11-01 2018-11-01 15:43:37 +01:00			`"datePublished": "2018-11-01T16:41:30+02:00",`
Update notes for 2018-11-04 2018-11-04 21:45:00 +01:00			`"dateModified": "2018-11-04T12:18:52+02:00",`
Add notes for 2018-11-01 2018-11-01 15:43:37 +01:00			`"author": {`
			`"@type": "Person",`
			`"name": "Alan Orth"`
			`},`
			`"keywords": "Notes"`
			`}`
			`</script>`



			`<link rel="canonical" href="https://alanorth.github.io/cgspace-notes/2018-11/">`

			`<title>November, 2018 \| CGSpace Notes</title>`

			`<!-- combined, minified CSS -->`
			`<link href="https://alanorth.github.io/cgspace-notes/css/style.css" rel="stylesheet" integrity="sha384-Upm5uY/SXdvbjuIGH6fBjF5vOYUr9DguqBskM+EQpLBzO9U+9fMVmWEt+TTlGrWQ" crossorigin="anonymous">`









			`</head>`

			`<body>`


			`<div class="blog-masthead">`
			`<div class="container">`
			`<nav class="nav blog-nav">`
			`<a class="nav-link " href="https://alanorth.github.io/cgspace-notes/">Home</a>`
			`</nav>`
			`</div>`
			`</div>`



			`<header class="blog-header">`
			`<div class="container">`
			`<h1 class="blog-title"><a href="https://alanorth.github.io/cgspace-notes/" rel="home">CGSpace Notes</a></h1>`
			`<p class="lead blog-description">Documenting day-to-day work on the <a href="https://cgspace.cgiar.org">CGSpace</a> repository.</p>`
			`</div>`
			`</header>`



			`<div class="container">`
			`<div class="row">`
			`<div class="col-sm-8 blog-main">`




			`<article class="blog-post">`
			`<header>`
			`<h2 class="blog-post-title"><a href="https://alanorth.github.io/cgspace-notes/2018-11/">November, 2018</a></h2>`
			`<p class="blog-post-meta"><time datetime="2018-11-01T16:41:30+02:00">Thu Nov 01, 2018</time> by Alan Orth in`

			`<i class="fa fa-tag" aria-hidden="true"></i> <a href="/cgspace-notes/tags/notes" rel="tag">Notes</a>`

			`</p>`
			`</header>`
			`<h2 id="2018-11-01">2018-11-01</h2>`

			`<ul>`
			`<li>Finalize AReS Phase I and Phase II ToRs</li>`
			`<li>Send a note about my <a href="https://github.com/ilri/dspace-statistics-api">dspace-statistics-api</a> to the dspace-tech mailing list</li>`
			`</ul>`

Add notes for 2018-11-03 2018-11-03 17:13:49 +01:00			`<h2 id="2018-11-03">2018-11-03</h2>`

			`<ul>`
			`<li>Linode has been sending mails a few times a day recently that CGSpace (linode18) has had high CPU usage</li>`
			`<li>Today these are the top 10 IPs:</li>`
			`</ul>`

Update notes for 2018-11-03 2018-11-04 00:02:29 +01:00			`<p></p>`

Add notes for 2018-11-03 2018-11-03 17:13:49 +01:00			`<pre><code># zcat --force /var/log/nginx/.log /var/log/nginx/.log.1 \| grep -E "03/Nov/2018" \| awk '{print $1}' \| sort \| uniq -c \| sort -n \| tail -n 10`
			`1300 66.249.64.63`
			`1384 35.237.175.180`
			`1430 138.201.52.218`
			`1455 207.46.13.156`
			`1500 40.77.167.175`
			`1979 50.116.102.77`
			`2790 66.249.64.61`
			`3367 84.38.130.177`
			`4537 70.32.83.92`
			`22508 66.249.64.59`
			`</code></pre>`

			`<ul>`
			`<li>The <code>66.249.64.x</code> are definitely Google</li>`
			`<li><code>70.32.83.92</code> is well known, probably CCAFS or something, as it’s only a few thousand requests and always to REST API</li>`
			`<li><code>84.38.130.177</code> is some new IP in Latvia that is only hitting the XMLUI, using the following user agent:</li>`
			`</ul>`

			`<pre><code>Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.792.0 Safari/535.1`
			`</code></pre>`

			`<ul>`
			`<li>They at least seem to be re-using their Tomcat sessions:</li>`
			`</ul>`

			`<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=84.38.130.177' dspace.log.2018-11-03 \| sort \| uniq`
			`342`
			`</code></pre>`

			`<ul>`
			`<li><code>50.116.102.77</code> is also a regular REST API user</li>`
			`<li><code>40.77.167.175</code> and <code>207.46.13.156</code> seem to be Bing</li>`
			`<li><code>138.201.52.218</code> seems to be on Hetzner in Germany, but is using this user agent:</li>`
			`</ul>`

			`<pre><code>Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0`
			`</code></pre>`

			`<ul>`
			`<li>And it doesn’t seem they are re-using their Tomcat sessions:</li>`
			`</ul>`

			`<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=138.201.52.218' dspace.log.2018-11-03 \| sort \| uniq`
			`1243`
			`</code></pre>`

			`<ul>`
			`<li>Ah, we’ve apparently seen this server exactly a year ago in 2017-11, making 40,000 requests in one day…</li>`
			`<li>I wonder if it’s worth adding them to the list of bots in the nginx config?</li>`
Update notes for 2018-11-03 2018-11-04 00:02:29 +01:00			`<li>Linode sent a mail that CGSpace (linode18) is using high outgoing bandwidth</li>`
			`<li>Looking at the nginx logs again I see the following top ten IPs:</li>`
Add notes for 2018-11-03 2018-11-03 17:13:49 +01:00			`</ul>`

Update notes for 2018-11-03 2018-11-04 00:02:29 +01:00			`<pre><code># zcat --force /var/log/nginx/.log /var/log/nginx/.log.1 \| grep -E "03/Nov/2018" \| awk '{print $1}' \| sort \| uniq -c \| sort -n \| tail -n 10`
			`1979 50.116.102.77`
			`1980 35.237.175.180`
			`2186 207.46.13.156`
			`2208 40.77.167.175`
			`2843 66.249.64.63`
			`4220 84.38.130.177`
			`4537 70.32.83.92`
			`5593 66.249.64.61`
			`12557 78.46.89.18`
			`32152 66.249.64.59`
			`</code></pre>`

			`<ul>`
			`<li><code>78.46.89.18</code> is new since I last checked a few hours ago, and it’s from Hetzner with the following user agent:</li>`
			`</ul>`

			`<pre><code>Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0`
			`</code></pre>`

			`<ul>`
			`<li>It’s making lots of requests and using quite a number of Tomcat sessions:</li>`
			`</ul>`

			`<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=78.46.89.18' /home/cgspace.cgiar.org/log/dspace.log.2018-11-03 \| sort \| uniq`
			`8449`
			`</code></pre>`

			`<ul>`
			`<li>I could add this IP to the list of bot IPs in nginx, but it seems like a futile effort when some new IP could come along and do the same thing</li>`
			`<li>Perhaps I should think about adding rate limits to dynamic pages like <code>/discover</code> and <code>/browse</code></li>`
			`<li>I think it’s reasonable for a human to click one of those links five or ten times a minute…</li>`
			`<li>To contrast, <code>78.46.89.18</code> made about 300 requests per minute for a few hours today:</li>`
			`</ul>`

			`<pre><code># grep 78.46.89.18 /var/log/nginx/access.log \| grep -o -E '03/Nov/2018:[0-9][0-9]:[0-9][0-9]' \| sort \| uniq -c \| sort -n \| tail -n 20`
			`286 03/Nov/2018:18:02`
			`287 03/Nov/2018:18:21`
			`289 03/Nov/2018:18:23`
			`291 03/Nov/2018:18:27`
			`293 03/Nov/2018:18:34`
			`300 03/Nov/2018:17:58`
			`300 03/Nov/2018:18:22`
			`300 03/Nov/2018:18:32`
			`304 03/Nov/2018:18:12`
			`305 03/Nov/2018:18:13`
			`305 03/Nov/2018:18:24`
			`312 03/Nov/2018:18:39`
			`322 03/Nov/2018:18:17`
			`326 03/Nov/2018:18:38`
			`327 03/Nov/2018:18:16`
			`330 03/Nov/2018:17:57`
			`332 03/Nov/2018:18:19`
			`336 03/Nov/2018:17:56`
			`340 03/Nov/2018:18:14`
			`341 03/Nov/2018:18:18`
			`</code></pre>`

			`<ul>`
			`<li>If they want to download all our metadata and PDFs they should use an API rather than scraping the XMLUI</li>`
			`<li>I will add them to the list of bot IPs in nginx for now and think about enforcing rate limits in XMLUI later</li>`
Update notes for 2018-11-04 2018-11-04 11:18:52 +01:00			`<li>Also, this is the third (?) time a mysterious IP on Hetzner has done this… who is this?</li>`
			`</ul>`

			`<h2 id="2018-11-04">2018-11-04</h2>`

			`<ul>`
			`<li>Forward Peter’s information about CGSpace financials to Modi from ICRISAT</li>`
			`<li>Linode emailed about the CPU load and outgoing bandwidth on CGSpace (linode18) again</li>`
			`<li>Here are the top ten IPs active so far this morning:</li>`
			`</ul>`

			`<pre><code># zcat --force /var/log/nginx/.log /var/log/nginx/.log.1 \| grep -E "04/Nov/2018" \| awk '{print $1}' \| sort \| uniq -c \| sort -n \| tail -n 10`
			`1083 2a03:2880:11ff:2::face:b00c`
			`1105 2a03:2880:11ff:d::face:b00c`
			`1111 2a03:2880:11ff:f::face:b00c`
			`1134 84.38.130.177`
			`1893 50.116.102.77`
			`2040 66.249.64.63`
			`4210 66.249.64.61`
			`4534 70.32.83.92`
			`13036 78.46.89.18`
			`20407 66.249.64.59`
			`</code></pre>`

			`<ul>`
			`<li><code>78.46.89.18</code> is back… and still making tons of Tomcat sessions:</li>`
			`</ul>`

			`<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=78.46.89.18' dspace.log.2018-11-04 \| sort \| uniq`
			`8765`
			`</code></pre>`

			`<ul>`
			`<li>Also, now we have a ton of Facebook crawlers:</li>`
			`</ul>`

			`<pre><code># zcat --force /var/log/nginx/.log /var/log/nginx/.log.1 \| grep -E "04/Nov/2018" \| grep "2a03:2880:11ff:" \| awk '{print $1}' \| sort \| uniq -c \| sort -n`
			`905 2a03:2880:11ff:b::face:b00c`
			`955 2a03:2880:11ff:5::face:b00c`
			`965 2a03:2880:11ff:e::face:b00c`
			`984 2a03:2880:11ff:8::face:b00c`
			`993 2a03:2880:11ff:3::face:b00c`
			`994 2a03:2880:11ff:7::face:b00c`
			`1006 2a03:2880:11ff:10::face:b00c`
			`1011 2a03:2880:11ff:4::face:b00c`
			`1023 2a03:2880:11ff:6::face:b00c`
			`1026 2a03:2880:11ff:9::face:b00c`
			`1039 2a03:2880:11ff:1::face:b00c`
			`1043 2a03:2880:11ff:c::face:b00c`
			`1070 2a03:2880:11ff::face:b00c`
			`1075 2a03:2880:11ff:a::face:b00c`
			`1093 2a03:2880:11ff:2::face:b00c`
			`1107 2a03:2880:11ff:d::face:b00c`
			`1116 2a03:2880:11ff:f::face:b00c`
			`</code></pre>`

			`<ul>`
			`<li>They are really making shit tons of Tomcat sessions:</li>`
			`</ul>`

			`<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=2a03:2880:11ff' dspace.log.2018-11-04 \| sort \| uniq`
			`14368`
			`</code></pre>`

			`<ul>`
			`<li>Their user agent is:</li>`
			`</ul>`

			`<pre><code>facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)`
			`</code></pre>`

			`<ul>`
			`<li>I will add it to the Tomcat Crawler Session Manager valve</li>`
Update notes for 2018-11-04 2018-11-04 21:45:00 +01:00			`<li>Later in the evening… ok, this Facebook bot is getting super annoying:</li>`
			`</ul>`

			`<pre><code># zcat --force /var/log/nginx/.log /var/log/nginx/.log.1 \| grep -E "04/Nov/2018" \| grep "2a03:2880:11ff:" \| awk '{print $1}' \| sort \| uniq -c \| sort -n`
			`1871 2a03:2880:11ff:3::face:b00c`
			`1885 2a03:2880:11ff:b::face:b00c`
			`1941 2a03:2880:11ff:8::face:b00c`
			`1942 2a03:2880:11ff:e::face:b00c`
			`1987 2a03:2880:11ff:1::face:b00c`
			`2023 2a03:2880:11ff:2::face:b00c`
			`2027 2a03:2880:11ff:4::face:b00c`
			`2032 2a03:2880:11ff:9::face:b00c`
			`2034 2a03:2880:11ff:10::face:b00c`
			`2050 2a03:2880:11ff:5::face:b00c`
			`2061 2a03:2880:11ff:c::face:b00c`
			`2076 2a03:2880:11ff:6::face:b00c`
			`2093 2a03:2880:11ff:7::face:b00c`
			`2107 2a03:2880:11ff::face:b00c`
			`2118 2a03:2880:11ff:d::face:b00c`
			`2164 2a03:2880:11ff:a::face:b00c`
			`2178 2a03:2880:11ff:f::face:b00c`
			`</code></pre>`

			`<ul>`
			`<li>And still making shit tons of Tomcat sessions:</li>`
			`</ul>`

			`<pre><code>$ grep -c -E 'session_id=[A-Z0-9]{32}:ip_addr=2a03:2880:11ff' dspace.log.2018-11-04 \| sort \| uniq`
			`28470`
			`</code></pre>`

			`<ul>`
			`<li>And that’s even using the Tomcat Crawler Session Manager valve!</li>`
			`<li>Maybe we need to limit more dynamic pages, like the “most popular” country, item, and author pages</li>`
			`<li>It seems these are popular too, and there is no fucking way Facebook needs that information, yet they are requesting thousands of them!</li>`
			`</ul>`

			`<pre><code># grep 'face:b00c' /var/log/nginx/access.log /var/log/nginx/access.log.1 \| grep -c 'most-popular/'`
			`7033`
			`</code></pre>`

			`<ul>`
			`<li>I added the “most-popular” pages to the list that return <code>X-Robots-Tag: none</code> to try to inform bots not to index or follow those pages</li>`
			`<li>Also, I implemented an nginx rate limit of twelve requests per minute on all dynamic pages… I figure a human user might legitimately request one every five seconds</li>`
Update notes for 2018-11-03 2018-11-04 00:02:29 +01:00			`</ul>`
Add notes for 2018-11-01 2018-11-01 15:43:37 +01:00
			`<!-- vim: set sw=2 ts=2: -->`





			`</article>`



			`</div> <!-- /.blog-main -->`

			`<aside class="col-sm-3 ml-auto blog-sidebar">`



			`<section class="sidebar-module">`
			`<h4>Recent Posts</h4>`
			`<ol class="list-unstyled">`


			`<li><a href="/cgspace-notes/2018-11/">November, 2018</a></li>`

			`<li><a href="/cgspace-notes/2018-10/">October, 2018</a></li>`

			`<li><a href="/cgspace-notes/2018-09/">September, 2018</a></li>`

			`<li><a href="/cgspace-notes/2018-08/">August, 2018</a></li>`

			`<li><a href="/cgspace-notes/2018-07/">July, 2018</a></li>`

			`</ol>`
			`</section>`




			`<section class="sidebar-module">`
			`<h4>Links</h4>`
			`<ol class="list-unstyled">`

			`<li><a href="https://cgspace.cgiar.org">CGSpace</a></li>`

			`<li><a href="https://dspacetest.cgiar.org">DSpace Test</a></li>`

			`<li><a href="https://github.com/ilri/DSpace">CGSpace @ GitHub</a></li>`

			`</ol>`
			`</section>`

			`</aside>`


			`</div> <!-- /.row -->`
			`</div> <!-- /.container -->`



			`<footer class="blog-footer">`
			`<p>`

			`Blog template created by <a href="https://twitter.com/mdo">@mdo</a>, ported to Hugo by <a href='https://twitter.com/mralanorth'>@mralanorth</a>.`

			`</p>`
			`<p>`
			`<a href="#">Back to top</a>`
			`</p>`
			`</footer>`


			`</body>`

			`</html>`