2025-07-15 Is somebody abusing my fedi instance? No.
====================================================

Time to find out. Load is at 16. The list of processes doesn't show anything suspicious. What's going on?

```
~# 2h-access-log ^social | log-user-agent | rank-lines
   1390 Mastodon/4.5.0-nightly.2025-07-11 (http.rb/5.3.1; +https://mastodon.social/)
    598 Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0
    395 Mastodon/4.4.1 (http.rb/5.3.1; +https://social.wildeboer.net/)
    373 Mastodon/4.5.0-alpha.1+glitch (http.rb/5.3.1; +https://infosec.exchange/)
    363 Mastodon/4.4.1 (http.rb/5.3.1; +https://sauropods.win/)
    363 Mastodon/4.3.9 (http.rb/5.2.0; +https://chaos.social/)
    340 Mastodon/4.3.8 (http.rb/5.2.0; +https://hachyderm.io/)
    285 Mastodon/4.4.1 (http.rb/5.3.1; +https://mas.to/)
    203 Mastodon/4.4.1 (http.rb/5.3.1; +https://mathstodon.xyz/)
    176 Mastodon/4.3.8 (http.rb/5.2.0; +https://social.coop/)
```

The second line is suspicious. That doesn't look like a fedi instance. What sort of requests is it making?

```
# 2h-access-log ^social \
 | grep 'Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0' \
 | log-request \
 | rank-lines
     15 /api/v1/followed_tags?limit=200
      6 /api/v1/notifications?limit=1&since_id=01K06NZSCZQFKKYCKM5AHKDZF8
      4 /api/v1/timelines/home?limit=5&since_id=01K06SVB7G03W31DEZ26KR8AP8
      4 /api/v1/timelines/home?limit=5&since_id=01K06SQTXR7ECESAG531C0X493
      4 /api/v1/timelines/home?limit=5&since_id=01K06RYDEGAB5XSF1FTKSPZ1MR
      4 /api/v1/timelines/home?limit=20
      3 /fileserver/01JV5VX0DTX1NRX6XVD0B02H5A/attachment/small/01JV5VX3KSXT9BH52QSKF032WW.webp
      3 /fileserver/01JPNGX1BT5PMRYTK34FM5NZ52/attachment/small/01JSYB0NYYCPG2S9VK1NJXZBA9.jpeg
      3 /fileserver/01JDB8P0TJN4YZRXN7C9ACC993/attachment/small/01JDB8P1AJ2G4STB9QRCTNPR3G.jpeg
      3 /fileserver/01JCPET54MFFGX73MXH0P03D3H/attachment/small/01JXTFBH492M437DZVK0ERGH5S.jpeg
```

It's basically spying on me? I don't follow tags, in any case.

```
~# 2h-access-log ^social \
 | grep 'Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0' \
 | log-ip \
 | asncounter --no-prefixes 2>/dev/null
count   percent ASN     AS
598     100.0   13030   INIT7, CH
total:  598
```

Whoops, it's me! I guess one of my clients is using this user-agent.

#Administration

2025-07-22. Another instance of nobody abusing my instance. I went for a hike, came back, and noticed a huge spike.

Firewall throughput over the last few days suddenly going up from around 40 packets/second to over 200 packets/second in the last 2h.

Load is much more erratic but also jumped up 0.5 to 3.5 in the last 2h. What the hell are they doing?

Apache volume going from less than 50KB/s to 1.3MB/s in the last 2h

That last one gave me pause. My defences were not reacting? So the web server was actually serving all this data? Time to find out. Some scripting later:

Oh no, these are the pictures from my hike I just posted to my GoToSocial account! 😱 Maybe I should find a way to upload scaled down versions of those images. 😬

```
# 2h-access-log | log-request-volume | rank-lines-volume | head
652.57MB / 131 => 4.98MB /fileserver/01K2DJD311GXMP5ZYRDFN12992/attachment/original/01K0S70FS8JSQKFM62GD4FFDKY.jpeg
491.37MB / 107 => 4.59MB /fileserver/01K2DJD311GXMP5ZYRDFN12992/attachment/original/01K0S70KHXSM53G1R0C3410RYE.jpeg
474.95MB / 106 => 4.48MB /fileserver/01K2DJD311GXMP5ZYRDFN12992/attachment/original/01K0S6W1HK2FCKP2P0AKN92AK5.jpeg
506.71MB / 115 => 4.41MB /fileserver/01K2DJD311GXMP5ZYRDFN12992/attachment/original/01K0S787AJGGF2FR642RMF11J4.jpeg
457.29MB / 105 => 4.36MB /fileserver/01K2DJD311GXMP5ZYRDFN12992/attachment/original/01K0S6W553S8G01778DDF57T6Q.jpeg
451.14MB / 106 => 4.26MB /fileserver/01K2DJD311GXMP5ZYRDFN12992/attachment/original/01K0S70SMG84AAEGMN0RKDYR11.jpeg
461.43MB / 109 => 4.23MB /fileserver/01K2DJD311GXMP5ZYRDFN12992/attachment/original/01K0S783BDJ95C6KYGKFTTWWCM.jpeg
406.02MB / 103 => 3.94MB /fileserver/01K2DJD311GXMP5ZYRDFN12992/attachment/original/01K0S6VY79RT4DVT8ZBARNN7R3.jpeg
528.20MB / 135 => 3.91MB /fileserver/01K2DJD311GXMP5ZYRDFN12992/attachment/original/01K0S77ZB7YK3BWYNTMH0XY5XE.jpeg
393.85MB / 106 => 3.72MB /fileserver/01K2DJD311GXMP5ZYRDFN12992/attachment/original/01K0S70P9PTQZG9FK62WS64EQ8.jpeg
```

(Scripts are available.)
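
The pipelines above boil down to three steps: rank user agents, drill into one agent's requests and source IPs, and rank paths by bytes served. This Python sketch is an added example, not the scripts mentioned above; it assumes Apache's "combined" log format, and all function names and sample lines are made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed format: Apache "combined"
# ip ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} (?P<bytes>\d+|-) "[^"]*" "(?P<agent>[^"]*)"')

FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0"
IMG = "/fileserver/EXAMPLE/attachment/original/a.jpeg"
# Constructed sample lines (documentation IPs, made-up hosts and paths).
SAMPLE = [
    f'192.0.2.10 - - [22/Jul/2025:18:00:01 +0200] "GET {IMG} HTTP/1.1" 200 5000000 "-" "Mastodon/4.4.1 (http.rb/5.3.1; +https://one.example/)"',
    f'192.0.2.11 - - [22/Jul/2025:18:00:02 +0200] "GET {IMG} HTTP/1.1" 200 3000000 "-" "Mastodon/4.4.1 (http.rb/5.3.1; +https://two.example/)"',
    f'198.51.100.7 - - [22/Jul/2025:18:00:03 +0200] "GET /api/v1/timelines/home?limit=20 HTTP/1.1" 200 1200 "-" "{FIREFOX}"',
    f'198.51.100.7 - - [22/Jul/2025:18:00:04 +0200] "GET /api/v1/followed_tags?limit=200 HTTP/1.1" 304 - "-" "{FIREFOX}"',
    'truncated or malformed line',
]

def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Apache logs "-" when no body was sent (e.g. 304 Not Modified).
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        parts = rec["request"].split()
        rec["path"] = parts[1] if len(parts) >= 2 else rec["request"]
        yield rec

def rank(records, field, top=10):
    """Most common values of one field ("agent", "path", "ip")."""
    return Counter(r[field] for r in records).most_common(top)

def rank_volume(records, top=10):
    """Per path: (total bytes, hits, average bytes, path), largest average first."""
    total, hits = defaultdict(int), Counter()
    for r in records:
        total[r["path"]] += r["bytes"]
        hits[r["path"]] += 1
    rows = [(total[p], hits[p], total[p] / hits[p], p) for p in total]
    return sorted(rows, key=lambda row: row[2], reverse=True)[:top]

if __name__ == "__main__":
    recs = list(parse(SAMPLE))
    print(rank(recs, "agent"))                                   # who is talking to us
    print(rank([r for r in recs if r["agent"] == FIREFOX], "ip"))  # where from
    print(rank_volume(recs))                                     # what costs bandwidth
```
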