* [PATCH 0/4] imap: reduce impact of bot scanners
@ 2022-08-08 23:16 7% Eric Wong
2022-08-08 23:16 5% ` [PATCH 3/4] imap: prioritize AUTH=ANONYMOUS clients Eric Wong
0 siblings, 1 reply; 2+ results
From: Eric Wong @ 2022-08-08 23:16 UTC (permalink / raw)
To: meta
There seems to be a fair amount of bot traffic scanning the
IMAP(S) port on public-inbox.org using username+password logins
(which we currently accept combination of).
AUTH=ANONYMOUS traffic is probably more likely to be legit,
and supported by mutt and lei, at least.
To avoid breaking things for legitimate users using
username+passwords, I've decided to deprioritize, but
still allow traffic of clients using username+password
logins.
The initial prefix change is good regardless, since
even legitimate AUTH=ANONYMOUS clients could've caused
fairness problems with the aggressive pipelining to
git-cat-file||Gcf2.
Eric Wong (4):
imap: limit ibx_async_prefetch to idle git processes
imap: only give AUTH=ANONYMOUS clients prefetch
imap: prioritize AUTH=ANONYMOUS clients
README: recommend AUTH=ANONYMOUS on IMAP URLs
README | 6 +++---
lib/PublicInbox/DS.pm | 2 +-
lib/PublicInbox/GitAsyncCat.pm | 9 ++++-----
lib/PublicInbox/IMAP.pm | 16 +++++++++++++---
lib/PublicInbox/IMAPD.pm | 7 +++++++
5 files changed, 28 insertions(+), 12 deletions(-)
^ permalink raw reply [relevance 7%]
* [PATCH 3/4] imap: prioritize AUTH=ANONYMOUS clients
2022-08-08 23:16 7% [PATCH 0/4] imap: reduce impact of bot scanners Eric Wong
@ 2022-08-08 23:16 5% ` Eric Wong
0 siblings, 0 replies; 2+ results
From: Eric Wong @ 2022-08-08 23:16 UTC (permalink / raw)
To: meta
...by deprioritizing clients using a username + password.
As IMAP provides AUTH=ANONYMOUS for designating anonymous
access, we'll rely on it as a heuristic for favoring "good"
clients. Clients using a username + password seem to (more
often than not) be malicious and looking for info which doesn't
belong in public inboxes.
This copies the technique used by WWW + -httpd to deprioritize
expensive mbox.gz downloads.
---
lib/PublicInbox/DS.pm | 2 +-
lib/PublicInbox/IMAP.pm | 10 ++++++++++
lib/PublicInbox/IMAPD.pm | 7 +++++++
3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/lib/PublicInbox/DS.pm b/lib/PublicInbox/DS.pm
index 77e2e5e9..5e8a6a66 100644
--- a/lib/PublicInbox/DS.pm
+++ b/lib/PublicInbox/DS.pm
@@ -688,7 +688,7 @@ sub requeue_once {
# but only after all pending writes are done.
# autovivify wbuf. wbuf may be populated by $cb,
# no need to rearm if so: (push returns new size of array)
- requeue($self) if push(@{$self->{wbuf}}, \&long_step) == 1;
+ $self->requeue if push(@{$self->{wbuf}}, \&long_step) == 1;
}
sub long_response ($$;@) {
diff --git a/lib/PublicInbox/IMAP.pm b/lib/PublicInbox/IMAP.pm
index 4ef5252b..605c5e51 100644
--- a/lib/PublicInbox/IMAP.pm
+++ b/lib/PublicInbox/IMAP.pm
@@ -575,6 +575,16 @@ sub fetch_run_ops {
$self->msg_more(")\r\n");
}
+sub requeue { # overrides PublicInbox::DS::requeue
+ my ($self) = @_;
+ if ($self->{anon}) { # AUTH=ANONYMOUS gets high priority
+ $self->SUPER::requeue;
+ } else { # low priority
+ push(@{$self->{imapd}->{-authed_q}}, $self) == 1 and
+ PublicInbox::DS::requeue($self->{imapd});
+ }
+}
+
sub fetch_blob_cb { # called by git->cat_async via ibx_async_cat
my ($bref, $oid, $type, $size, $fetch_arg) = @_;
my ($self, undef, $msgs, $range_info, $ops, $partial) = @$fetch_arg;
diff --git a/lib/PublicInbox/IMAPD.pm b/lib/PublicInbox/IMAPD.pm
index 5368ff04..dd0d2c53 100644
--- a/lib/PublicInbox/IMAPD.pm
+++ b/lib/PublicInbox/IMAPD.pm
@@ -87,4 +87,11 @@ sub idler_start {
$_[0]->{idler} //= PublicInbox::InboxIdle->new($_[0]->{pi_cfg});
}
+sub event_step { # called vai requeue for low-priority IMAP clients
+ my ($self) = @_;
+ my $imap = shift(@{$self->{-authed_q}}) // return;
+ PublicInbox::DS::requeue($self) if scalar(@{$self->{-authed_q}});
+ $imap->event_step; # PublicInbox::IMAP::event_step
+}
+
1;
^ permalink raw reply related [relevance 5%]
Results 1-2 of 2 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2022-08-08 23:16 7% [PATCH 0/4] imap: reduce impact of bot scanners Eric Wong
2022-08-08 23:16 5% ` [PATCH 3/4] imap: prioritize AUTH=ANONYMOUS clients Eric Wong
Code repositories for project(s) associated with this public inbox
https://80x24.org/public-inbox.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).