I noticed something strange. Lisa's web hits (as per access logs) were through the roof since around the site changeover date. Weird.
I glanced at them and noticed we're getting tons of hits from just 1 user:

216.98.56.20 - - [24/Apr/2016:05:20:11 -0500] "GET /pub/epel/6/x86_64/repodata/repomd.xml HTTP/1.1" 301 332 "-" "urlgrabber/3.9.1 yum/3.2.29"

All the same!
Of 8434659 total current access.log hits, 8243763 (97.7%) were this same guy! Many per second! For a couple of weeks now (but not before that!).
An IP lookup says this is Ubisoft in Montreal. Looks like someone has a misconfig on their box.
Should we contact them about fixing this?
I have added that IP to an iptables DROP rule on lisa. I just did this now and they sent 49 more hits and then stopped. Their runaway ps must have been looking for success before continuing. I guess I'll leave it in for a while then we can take it out?
Looks like this IP has hit the new server but only a few times; i.e. normal-looking access.
Perhaps when the switchover occurred and the redirects were put in place it made their client go mental... Maybe it never dropped its HTTP connection this whole time!
Lastly, fail2ban-server is often in the top 5 ps's in top on lisa, but I don't see any fail2ban rule in iptables? Does it only create a rule once it gets something to put in? I thought it made a blank table that it filled up as needed, not no table at all. Maybe it's not working?
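
Added example, not part of the original message: a small access-log summary that reproduces the checks described above (one client's share of all hits, whether its requests are all identical, the status codes it gets back, and its peak hits per second). The function name, the 50% threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined log format, as in the line quoted in the message.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')

def top_talkers(lines, share_threshold=0.5):
    """Summarise every client responsible for >= share_threshold of hits."""
    hits = Counter()
    reqs, statuses, per_sec = (defaultdict(Counter) for _ in range(3))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ip = m["ip"]
        hits[ip] += 1
        reqs[ip][m["req"]] += 1
        statuses[ip][m["status"]] += 1
        per_sec[ip][m["ts"]] += 1  # log timestamps have 1 s resolution
    total = sum(hits.values())
    report = []
    for ip, n in hits.most_common():
        if n / total < share_threshold:
            break  # most_common() is sorted, nothing later can qualify
        top_req, top_n = reqs[ip].most_common(1)[0]
        report.append({
            "ip": ip, "hits": n, "share": n / total,
            "top_request": top_req, "top_request_share": top_n / n,
            "statuses": dict(statuses[ip]),
            "peak_per_second": max(per_sec[ip].values()),
        })
    return report

# Constructed sample: nine copies of the request from the message spread over
# three seconds, one hit from a documentation address, one malformed line.
NOISY = ('216.98.56.20 - - [24/Apr/2016:05:20:{:02d} -0500] '
         '"GET /pub/epel/6/x86_64/repodata/repomd.xml HTTP/1.1" 301 332 '
         '"-" "urlgrabber/3.9.1 yum/3.2.29"')
SAMPLE = [NOISY.format(11 + i // 3) for i in range(9)] + [
    '192.0.2.10 - - [24/Apr/2016:05:20:12 -0500] '
    '"GET /pub/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for row in top_talkers(SAMPLE):
        print(row)
```

A client with a large share, a top_request_share of 1.0 and only 301 responses matches the pattern in the message: an automated client re-requesting a URL that now redirects.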