Add notes for 2021-07-17 and 2021-07-18

This commit is contained in:
2021-07-18 13:52:02 +03:00
parent 8934e3f791
commit ee17eb2344
25 changed files with 553 additions and 415 deletions

@ -431,4 +431,20 @@ $ cat roles/dspace/templates/nginx/abusive-networks.conf.j2 /tmp/abusive-network
- I deployed the block list on CGSpace (linode18) and the load is down to 1.0 but I see there are still some DDoS IPs getting through... sigh
- The next thing I need to do is purge all the IPs from Solr using grepcidr...
## 2021-07-18
- After blocking all the ASN network blocks yesterday I still see requests getting through from these abusive networks, so the ASN lists must be out of date
- I decided to get a lit of all the IPs that made requests on the server in the last two days, resolve them, and then filter out those from these ASNs: 206485, 35624, 36352, 46844, 49453, 62282
```console
$ sudo zcat --force /var/log/nginx/access.log /var/log/nginx/access.log.1 /var/log/nginx/access.log.2 | grep -E " (200|499) " | awk '{print $1}' | sort | uniq > /tmp/all-ips.txt
$ ./ilri/resolve-addresses-geoip2.py -i /tmp/all-ips.txt -o /tmp/all-ips-out.csv
$ csvgrep -c asn -r '^(206485|35624|36352|46844|49453|62282)$' /tmp/all-ips-out.csv | csvcut -c ip | sed 1d | sort | uniq > /tmp/all-ips-to-block.txt
$ wc -l /tmp/all-ips-to-block.txt
5095 /tmp/all-ips-to-block.txt
```
- Then I added them to the normal ipset we are already using with firewalld
- I will check again in a few hours and ban more
<!-- vim: set sw=2 ts=2: -->
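Review bot: typo in the second 2021-07-18 bullet: "get a lit of all the IPs" should read "get a list of all the IPs". Also note that the log filter `grep -E " (200|499) "` keeps only requests answered 200 or 499, so addresses from those ASNs that were already being refused by the block list deployed on 2021-07-17 will not appear in `/tmp/all-ips-to-block.txt`; if the goal is every IP from ASNs 206485, 35624, 36352, 46844, 49453 and 62282, either say that only still-successful clients are being collected or drop the status filter.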