[ale] ufw help
Bob Toxen
transam at verysecurelinux.com
Mon Apr 6 11:07:34 EDT 2026
You can use the following to see what rules are operating on packets:
iptables -n -v --line-numbers -L !:* | sed "s/ //" | more
Bob
On Sun, Apr 05, 2026 at 06:52:38PM +0000, lollipopman691 via Ale wrote:
> In recent days Facebook's crawlers (or someone impersonating them)
> have been hammering my website hard enough to bring it to its knees.
> The hits all seem to originate from addresses in 57.141.0.0/32, which
> iplocation.net puts in Ashburn, VA and owned by Facebook/Meta.
> Here's an example of a hit from
> /var/log/apache2/other_vhosts_access.log:
> tomshiro.org:443 57.141.0.50 - - [05/Apr/2026:14:26:23 -0400]
> "GET /foswiki/bin/edit/System/WebSearch?t=1775413530
> HTTP/1.1" 504 2571 "-" "meta-webindexer/1.1
> (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
> I am getting a *massive* number of these. My (crude) weblog analyzer
> lists 9515 of them between midnight and 2 pm, many of them in bursts
> less than a second apart.
> So I have attempted to ban that IP address through ufw, using the
> command "ufw deny from 57.141.0.0/32". Here's the output from "ufw
> status numbered":
> Status: active
>
>      To                         Action      From
>      --                         ------      ----
> [ 1] 25/tcp                     ALLOW IN    Anywhere
> [ 2] 22/tcp                     ALLOW IN    Anywhere
> [ 3] Anywhere                   DENY IN     146.174.0.0/16
> [ 4] Anywhere                   DENY IN     185.171.0.0/16
> [ 5] Anywhere                   DENY IN     20.171.207.109
> [ 6] Anywhere                   DENY IN     202.76.0.0/16
> [ 7] Anywhere                   DENY IN     212.52.0.0/16
> [ 8] Anywhere                   DENY IN     216.73.216.125
> [ 9] Anywhere                   DENY IN     47.238.0.0/16
> [10] Anywhere                   DENY IN     47.239.0.0/16
> [11] Anywhere                   DENY IN     47.242.0.0/16
> [12] Anywhere                   DENY IN     47.243.0.0/16
> [13] Anywhere                   DENY IN     47.76.0.0/16
> [14] Anywhere                   DENY IN     8.210.0.0/16
> [15] Anywhere                   DENY IN     8.218.0.0/16
> [16] Anywhere                   DENY IN     45.206.0.0
> [17] Anywhere                   DENY IN     47.128.0.0
> [18] Anywhere                   DENY IN     57.141.0.0
> [19] 80 (v6)                    ALLOW IN    Anywhere (v6)
> [20] 443 (v6)                   ALLOW IN    Anywhere (v6)
> [21] 25/tcp (v6)                ALLOW IN    Anywhere (v6)
> [22] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
> You can see the ban rule in line 18, above.
> Theoretically this should stop these hits, yes? Or should I be saying "ufw deny from 57.141.0.0/16"?
> This is on a pretty much stock Debian 12 server running on AWS EC2, FWIW.
> -- CHS
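
Added example, not part of the original thread: a Python check of which DENY rules in a "ufw status numbered" listing cover the client address of an access-log entry, using rows and the log line quoted above. The function names and the candidate 57.141.0.0/16 rule (numbered 99 here) are assumptions for illustration.

```python
import ipaddress
import re

# Rows taken from the "ufw status numbered" listing quoted above (subset).
UFW_STATUS = """\
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     146.174.0.0/16
[ 5] Anywhere                   DENY IN     20.171.207.109
[18] Anywhere                   DENY IN     57.141.0.0
[20] 443 (v6)                   ALLOW IN    Anywhere (v6)
"""

# Access-log entry from the quoted post, joined back onto one line.
LOG_LINE = (
    'tomshiro.org:443 57.141.0.50 - - [05/Apr/2026:14:26:23 -0400] '
    '"GET /foswiki/bin/edit/System/WebSearch?t=1775413530 HTTP/1.1" 504 2571 "-" '
    '"meta-webindexer/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"'
)

RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(.+?)\s+(ALLOW|DENY|REJECT|LIMIT) IN\s+(\S+)")

def parse_deny_rules(status_text):
    """Return [(rule_number, network)] for DENY IN rows whose source is an address."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group(3) != "DENY":
            continue
        try:
            # A source listed without a prefix length is a single host (/32 or /128).
            net = ipaddress.ip_network(m.group(4), strict=False)
        except ValueError:
            continue  # source such as "Anywhere"
        rules.append((int(m.group(1)), net))
    return rules

def client_ip(log_line):
    """other_vhosts_access.log: field 1 is vhost:port, field 2 is the client address."""
    return ipaddress.ip_address(log_line.split()[1])

def matching_rules(ip, rules):
    """Numbers of the rules whose source network contains ip."""
    return [num for num, net in rules if ip.version == net.version and ip in net]

if __name__ == "__main__":
    ip, rules = client_ip(LOG_LINE), parse_deny_rules(UFW_STATUS)
    print(ip, "matched by listed rules:", matching_rules(ip, rules))
    candidate = rules + [(99, ipaddress.ip_network("57.141.0.0/16"))]  # hypothetical rule
    print(ip, "matched with a /16 added:", matching_rules(ip, candidate))
```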