[Labs-l] Fwd: [freenode.net #132451] Request to lift a number of connections from IP

Tim Landscheidt tim at tim-landscheidt.de
Mon May 27 16:52:45 UTC 2013


Faidon Liambotis <faidon at wikimedia.org> wrote:

>> The best option would be to have a single ident server per IP so that
>> individual projects/tools need to worry about this

> Actually the sensible solution here would be to run an ident server on
> the labs IPs (or a single IP used for IRC, with special network-node NAT
> rules for port 6667), that would return the instance (or project) name
> on the ident reply. The ident protocol was designed to return unix
> usernames where single large unix systems had multiple users, but
> mapping VM instances to ident seems more right for this decade.

> What freenode basically wants is to be able to pinpoint abusers, have
> specific max counts for them, block them and possibly report back to the
> sysadmins. We have no way of going from irc bot -> instance name ->
> project name right now and ident is a simple and fine protocol to do
> that. Ident responses would be visible on /whois, so this makes it a
> great debugging tool even for us internally.

> I don't think it was sensible to ask freenode to lift all limits for all
> labs IPs without having something like the above (and hence I think
> freenode's reply is very appropriate). Labs is an open platform where a
> plethora of users can get access to a VM and potentially set up malware
> or spam bots.

I don't quite understand why you want to return the instance
(or even project) name on identd replies.  For Tools, that
would mean that *all* bots would be identified as "tools"
(or "tools-exec-01", etc.).  That helps neither freenode
to pinpoint abusers nor us to debug.

Why not just install identd on the Tools instances, and then
enable the NAT to forward identd requests to the hosts?

Tim
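
The two granularities discussed in this message, as an added example that is not part of the original e-mail or of any Labs code: an RFC 1413 (ident) reply builder that answers either with the instance name or with the Unix account. The connection table, the account names and the function names are constructed for illustration.

```python
import re

# Constructed sample data: outbound IRC connections behind one shared IP,
# keyed by (port on our side, port on the IRC server). Account names are hypothetical.
CONNECTIONS = {
    (40112, 6667): {"instance": "tools-exec-01", "user": "local-examplebot"},
    (40113, 6667): {"instance": "tools-exec-01", "user": "local-otherbot"},
    (51200, 6667): {"instance": "bots-instance-2", "user": "ircrelay"},
}

QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
# Conservative character set for returned identifiers (a choice made for this example).
SAFE_ID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def ident_reply(query: str, policy: str = "user") -> str:
    """Answer one RFC 1413 query line ("<our-port>, <their-port>").

    policy="instance" returns the VM name; policy="user" returns the Unix
    account, which is what an identd running on the instance would report.
    """
    m = QUERY_RE.match(query.rstrip("\r\n"))
    if not m:
        # Unparseable query: this example answers with a 0, 0 port pair.
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    ours, theirs = int(m.group(1)), int(m.group(2))
    prefix = f"{ours}, {theirs}"
    if not (1 <= ours <= 65535 and 1 <= theirs <= 65535):
        return f"{prefix} : ERROR : INVALID-PORT\r\n"
    conn = CONNECTIONS.get((ours, theirs))
    if conn is None:
        # No tracked connection for this port pair.
        return f"{prefix} : ERROR : NO-USER\r\n"
    ident = conn["instance"] if policy == "instance" else conn["user"]
    if not SAFE_ID_RE.match(ident):
        return f"{prefix} : ERROR : HIDDEN-USER\r\n"
    return f"{prefix} : USERID : UNIX : {ident}\r\n"


def distinct_identities(policy: str) -> int:
    """Count the different idents the IRC network would see under a policy."""
    idents = {ident_reply(f"{o}, {t}", policy).rsplit(" : ", 1)[1]
              for (o, t) in CONNECTIONS}
    return len(idents)
```

With the constructed table, the instance policy collapses both bots on tools-exec-01 into one ident, while the user policy keeps every bot distinguishable.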



