[ale] ufw help

lollipopman691 lollipopman691 at pm.me
Sun Apr 5 14:52:38 EDT 2026 

In recent days facebook's crawlers ( or someone impersonating them) have been hammering my website hard enough to bring it to its knees.
The hits all seem to originate from addresses in 57.141.0.0/32, which iplocation.net puts in Ashburn,VA and owned by facebook//meta.

Here's an example of a hit from /var/log/apache2/other_vhosts_access.log:

tomshiro.org:443 57.141.0.50 - - [05/Apr/2026:14:26:23 -0400] "GET /foswiki/bin/edit/System/WebSearch?t=1775413530 HTTP/1.1" 504 2571 "-" "meta-webindexer/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"

I am getting a *massive* number of these. My (crude) weblog analyzer lists 9515 of them between midnight and 2 pm, many of them in bursts less than a second apart.

So I have attempted to ban that ip address through ufw, using the command "ufw deny from 57.141.0.0/32" .  Here's the output from "ufw status numbered:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 25/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     146.174.0.0/16
[ 4] Anywhere                   DENY IN     185.171.0.0/16
[ 5] Anywhere                   DENY IN     20.171.207.109
[ 6] Anywhere                   DENY IN     202.76.0.0/16
[ 7] Anywhere                   DENY IN     212.52.0.0/16
[ 8] Anywhere                   DENY IN     216.73.216.125
[ 9] Anywhere                   DENY IN     47.238.0.0/16
[10] Anywhere                   DENY IN     47.239.0.0/16
[11] Anywhere                   DENY IN     47.242.0.0/16
[12] Anywhere                   DENY IN     47.243.0.0/16
[13] Anywhere                   DENY IN     47.76.0.0/16
[14] Anywhere                   DENY IN     8.210.0.0/16
[15] Anywhere                   DENY IN     8.218.0.0/16
[16] Anywhere                   DENY IN     45.206.0.0
[17] Anywhere                   DENY IN     47.128.0.0
[18] Anywhere                   DENY IN     57.141.0.0
[19] 80 (v6)                    ALLOW IN    Anywhere (v6)
[20] 443 (v6)                   ALLOW IN    Anywhere (v6)
[21] 25/tcp (v6)                ALLOW IN    Anywhere (v6)
[22] 22/tcp (v6)                ALLOW IN    Anywhere (v6)



You can see the ban rule in line 18, above. 

Theoretically this should stop these hits, yes? Or should I be saying "ufw deny from 57.141.0.0/16" ?

This is on a pretty much stock Debian 12 server running on aws ec2, FWIW.

-- CHS

More information about the Ale mailing list