IRC: #boycottnovell @ FreeNode: September 28th, 2014-October 4th, 2014

Join us now at the IRC channel.

*schestowitz_log_ has quit (Remote host closed the connection)Sep 28 09:35
*schestowitz has quit (Read error: Connection reset by peer)Sep 28 09:35
*schestowitz (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellSep 28 09:35
*schestowitz has quit (Changing host)Sep 28 09:35
*schestowitz (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellSep 28 09:35
*ChanServ gives channel operator status to schestowitzSep 28 09:35
*schestowitz_log_ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellSep 28 09:35
*schestowitz_log_ has quit (Changing host)Sep 28 09:35
*schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellSep 28 09:35
*ChanServ gives channel operator status to schestowitz_log_Sep 28 09:35
*cubelog has quit (Ping timeout: 272 seconds)Sep 28 11:46
*cubelog (~cubeman@maxhost.org) has joined #boycottnovellSep 28 14:06
*cubelog has quit (Remote host closed the connection)Sep 28 20:59
*cubelog (~cubeman@maxhost.org) has joined #boycottnovellSep 28 21:45
*edanny101_ (~edanny101@175.144.248.66) has joined #boycottnovellSep 29 05:22
*edanny101_ has quit (Quit: AndroIRC - Android IRC Client ( http://www.androirc.com ))Sep 29 05:27
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellSep 29 06:31
*freedomrun has quit (Remote host closed the connection)Sep 29 07:35
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellSep 29 07:40
*freedomrun has quit (Remote host closed the connection)Sep 29 09:10
*pidgin_log1 has quit (Quit: Leaving.)Sep 29 09:26
*schestowitz__ has quit (Quit: Konversation term)Sep 29 09:35
*schestowitz__ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellSep 29 14:00
*schestowitz__ has quit (Changing host)Sep 29 14:00
*schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellSep 29 14:00
*ChanServ gives channel operator status to schestowitz__Sep 29 14:00
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellSep 29 14:00
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellSep 29 16:00
*freedomrun has quit (Read error: Connection reset by peer)Sep 29 19:14
schestowitz__http://www.youtube.com/watch?v=ZcgTog780bs&list=UU0znI3dRWpNF8lvbPBTlzywSep 30 01:00
-TechrightsBN/#boycottnovell-www.youtube.com | Selfridges, BOY, The Third Reich and the Self Hating Gays - YouTube [ http://ur1.ca/i9jnm ]Sep 30 01:00
schestowitz__> He's mostly been very well behaved on our site. Again, I've never metSep 30 01:15
schestowitz__> him face to face, so I don't know why he turned bitter -- maybe he wasSep 30 01:15
schestowitz__> always like that. With me, he's always as nice as can beSep 30 01:15
schestowitz__> Sep 30 01:15
schestowitz__>  He gets accused of being a Microsoft shill a lot. Since quitting atSep 30 01:15
schestowitz__> Fuduntu, he's taken to defending Microsoft a lot, which doesn't playSep 30 01:15
schestowitz__> well on FOSS forums. You're free to call him to task in the comments,Sep 30 01:15
schestowitz__> although I'm not sure that would be productive.Sep 30 01:15
schestowitz__> Sep 30 01:15
schestowitz__> I'm sorry for any grief this has caused you.Sep 30 01:15
schestowitz__I never saw him accused of that.Sep 30 01:15
schestowitz__Either way, this didn't cause grief. I was just struggling to figure out who I could have said that about. Turns out, the error was his, not mine.Sep 30 01:15
schestowitz__https://joindiaspora.com/posts/4824143Sep 30 01:21
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #gnu #linux #pdf readers like #evince and #okular are mature enough and they make #adobe obsolete http://news.softpedia.com/news/Linux-No-Longer-Listed-as-Supported-Platform-for-Adobe-Reader-460372.shtmlSep 30 01:21
-TechrightsBN/#boycottnovell--> news.softpedia.com | Linux No Longer Listed as Supported Platform for Adobe Reader - Softpedia [ http://ur1.ca/i9k58 ]Sep 30 01:21
schestowitz__"Agreed. I wouldn't use Adobe's Reader on my system at all. If someone required me to use it for work, I would find another way around the problem."Sep 30 01:21
schestowitz__"You don't even need a PDF reader. Firefox has pdf.js, and while I wouldn't recommend Chrome that has a PDF reader too."Sep 30 01:21
schestowitz__"Okular is still way more performant for huge PDFs which contain a lot of scanned images. But pdf.js is still great to have."Sep 30 01:22
*libertybox_ has quit (Remote host closed the connection)Sep 30 02:37
*libertyboxes (~liberty@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellSep 30 02:38
*TechrightsBN has quit (Read error: Connection reset by peer)Sep 30 03:10
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellSep 30 04:26
schestowitz__> If you don't mind, keep me updated on the Tux Machines situation. WhenSep 30 08:43
schestowitz__> you're back up and running we'll help get the word out.Sep 30 08:43
schestowitz__I have just checked again. The botnet is still active, but the bursts gradually reduce in terms of scale, not enough to unblock parts of the site.Sep 30 08:43
*TechrightsBN (~b0t@mail.copilotco.com) has joined #boycottnovellSep 30 08:48
TechrightsBNHello World! I'm TechrightsBN running phIRCe v0.75Sep 30 08:48
schestowitz__https://joindiaspora.com/posts/4825946Oct 01 01:14
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: I find it utterly astounding the Western media spends more time bemoaning trauma of 'pilots', not victims on ground http://www.huffingtonpost.com/2014/09/29/military-drone-operators_n_5899478.html?utm_hp_ref=politicsOct 01 01:14
-TechrightsBN/#boycottnovell--> www.huffingtonpost.com | Military Drone Operators Can Feel Emotional Strains Of War [ http://ur1.ca/i9omn ]Oct 01 01:14
schestowitz__"Cry me a river."Oct 01 01:14
schestowitz__https://joindiaspora.com/posts/4825863Oct 01 01:16
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: 'Hunting' with automatic rifles http://earthisland.org/elist/graphics/DehogaflierTruck.jpgOct 01 01:16
schestowitz__"Maybe animals are a lot more smart than those hunters so they need high-tech gear to level the field."Oct 01 01:16
**** BEGIN LOGGING AT Wed Oct 1 01:59:53 2014
*Now talking on #boycottnovellOct 01 01:59
*Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-socialOct 01 01:59
*Topic for #boycottnovell set by schestowitz at Fri May 7 00:19:56 2010Oct 01 01:59
-ChanServ-[#boycottnovell] Welcome to the #boycottnovell channelOct 01 02:00
*libertyboxes (~liberty@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 01 02:00
*freedomrun has quit (Remote host closed the connection)Oct 01 10:44
*pidgin_log has quit (Ping timeout: 272 seconds)Oct 01 13:11
*schestowitz_log has quit (Ping timeout: 260 seconds)Oct 01 13:12
*schestowitz__ has quit (Ping timeout: 272 seconds)Oct 01 13:13
*schestowitz_log (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 01 13:13
*schestowitz_log has quit (Changing host)Oct 01 13:13
*schestowitz_log (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 01 13:13
*ChanServ gives channel operator status to schestowitz_logOct 01 13:13
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 01 13:13
*schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 01 13:13
*ChanServ gives channel operator status to schestowitz__Oct 01 13:13
*pidgin_log has quit (Quit: Leaving.)Oct 01 13:22
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 01 13:24
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellOct 01 14:45
*MinceR_ (~mincer@unaffiliated/mincer) has joined #boycottnovellOct 01 17:16
*ChanServ gives channel operator status to MinceR_Oct 01 17:18
*MinceR has quit (Read error: Connection reset by peer)Oct 01 17:19
*MinceR_ is now known as MinceROct 01 17:20
*freedomrun has quit (Read error: Connection reset by peer)Oct 01 17:24
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellOct 01 22:39
*freedomrun has quit (Remote host closed the connection)Oct 02 01:34
*schestowitz_log has quit (Ping timeout: 272 seconds)Oct 02 03:08
*schestowitz_log (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 02 03:09
*ChanServ gives channel operator status to schestowitz_logOct 02 03:09
schestowitz__https://joindiaspora.com/posts/4833576Oct 02 06:00
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: More trolling from Brian Fagioli, who calls #microsoft "hero", said #firefox was anti-gay, and Linux anti-women http://betanews.com/2014/09/30/sorry-linux-fans-windows-10-will-continue-microsofts-desktop-domination/Oct 02 06:00
schestowitz__"Sounds like an Italian dish."Oct 02 06:00
-TechrightsBN/#boycottnovell--> betanews.com | Sorry Linux fans, Windows 10 will continue Microsoft's desktop domination [ http://ur1.ca/ia203 ]Oct 02 06:00
schestowitz__"What low life."Oct 02 06:00
schestowitz__> Hi, Roy,Oct 02 14:18
schestowitz__> Oct 02 14:18
schestowitz__> I see that Tuxmachines has been down for a DDOS for many days.  There isOct 02 14:18
schestowitz__> a redirect to TR and Fossforce even had an article.Oct 02 14:18
schestowitz__The front page is redirected because it's the main target. There's some junk in referrer (well, I know there is always some junk there), which I think Varnish might interpret as unique and then pass to Apache. I am thinking it's about time to make better workarounds because the attacks don't just stop.Oct 02 14:18
schestowitz__ Oct 02 14:18
schestowitz__> Is there an equivalent of fail2ban for Varnish that triggers on serverOct 02 14:18
schestowitz__> response codes?  I'm guessing that to get through the varnish cache theyOct 02 14:18
schestowitz__> are sending junk URLs.  Or is it varnish that is DDOSed?  If it is junkOct 02 14:18
schestowitz__> URLs a script can scan the log output and fire up an iptables rule toOct 02 14:18
schestowitz__> block and then expire the block later.  That is something which isOct 02 14:18
schestowitz__> easier in PF but I think is doable with iptables.Oct 02 14:18
schestowitz__I didn't like pfsense when we set it up for a client because it caused some major cryptic issues and we ended up replacing it with a Linux-based firewall.Oct 02 14:18
schestowitz__> To digress about the wiki, I remember that it was not possible to blockOct 02 14:18
schestowitz__> ip addresses in the wiki because it looked like everything was comingOct 02 14:18
schestowitz__> from the varnish server.  I found a possible way around that.Oct 02 14:18
schestowitz__> mod_setenv might be able to assign the HTTP header "X-Forwarded-For" toOct 02 14:18
schestowitz__> an environment variable that the wiki could be then modified to swap inOct 02 14:18
schestowitz__> for the source address:Oct 02 14:18
schestowitz__> Oct 02 14:18
schestowitz__> %{VARNAME}i The contents of VARNAME: header line(s) in theOct 02 14:18
schestowitz__> request sent to the server. Changes made by other modules (e.g.Oct 02 14:18
schestowitz__> mod_headers) affect this. If you're interested in what theOct 02 14:18
schestowitz__> request header was prior to when most modules would haveOct 02 14:18
schestowitz__> modified it, use mod_setenvif to copy the header into anOct 02 14:18
schestowitz__> internal environment variable and log that value with theOct 02 14:18
schestowitz__> %{VARNAME}e described above.Oct 02 14:18
schestowitz__> Oct 02 14:19
schestowitz__> - https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formatsOct 02 14:19
-TechrightsBN/#boycottnovell-httpd.apache.org | mod_log_config - Apache HTTP Server Version 2.4 [ http://ur1.ca/iacww ]Oct 02 14:19
schestowitz__> Oct 02 14:19
schestowitz__> That should be easy in Apache2 and the wiki would only need one lineOct 02 14:19
schestowitz__> added if the contents of one variable is substituted for another.Oct 02 14:19
schestowitz__> Oct 02 14:19
schestowitz__> But that would be for after things are settled with TM.Oct 02 14:19
schestowitz__People in TM told me that it's possible to address issues with Varnish and stats, for example, but I never found them crucial enough to do lots of work for. The Wiki of the site did get spam even if one had to sign up.Oct 02 14:19
schestowitz__On the other hand, a large client of ours is unable to do lots of stuff due to caching, e.g. polls. I just wish Varnish didn't have this kind of weakness, or came with IP diversity solutions out of the box.Oct 02 14:19
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellOct 02 14:27
*freedomrun has quit (Read error: Connection reset by peer)Oct 02 19:06
schestowitz__https://twitter.com/sgviews/status/517685775060963329Oct 02 21:26
-TechrightsBN/#boycottnovell-@sgviews: @schestowitz Thank you for sharingOct 02 21:26
schestowitz__https://joindiaspora.com/posts/4841498Oct 02 22:21
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: "ownCloud is one of the biggest open source project written in PHP if you look into the latest statistics" http://karlitschek.de/2014/10/a-possible-future-for-php/Oct 02 22:21
schestowitz__"https://n-1.cc/ is also written in PHP"Oct 02 22:21
-TechrightsBN/#boycottnovell--> karlitschek.de | Frank Karlitschek_ » A possible future for PHP [ http://ur1.ca/iaf2a ]Oct 02 22:21
schestowitz__"I love ownCloud, but I wish PHP apps were more secure :)"Oct 02 22:21
-TechrightsBN/#boycottnovell-n-1.cc | N-1Oct 02 22:21
schestowitz__Drupal and WordPress are PHPOct 02 22:21
schestowitz__https://joindiaspora.com/posts/4841427Oct 02 22:22
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: "most powerful instrument of freedom and democracy ever seen, which is the Internet." http://www.laquadrature.net/en/open-letter-to-the-council-of-the-european-union-on-net-neutrality but also used for #surveillanceOct 02 22:22
-TechrightsBN/#boycottnovell--> www.laquadrature.net | Open Letter to the Council of the European Union on Net Neutrality | La Quadrature du Net [ http://ur1.ca/iaf2f ]Oct 02 22:22
schestowitz__"Indeed! The most powerful surveillance platform ever developed by humans."Oct 02 22:22
schestowitz__https://joindiaspora.com/posts/4841484Oct 02 22:22
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #ddos attacks (exclusively by #microsoft #windows botnets) have not stopped; #tuxmachines now 10 days under attack. Trying to mitigate.Oct 02 22:22
schestowitz__"Someone is paying attention to your posts, at least you're not being ignored."Oct 02 22:22
schestowitz__https://joindiaspora.com/posts/4845186Oct 02 22:23
schestowitz__"It's my favorite audio software. The only thing I don't like is that the equalizer doesn't work in real time, and this is a big problem for me. I will see if 2.0.6 solves this when it is available in my package manager."Oct 02 22:23
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #Audacity 2.0.6 http://www.neowin.net/news/audacity-206Oct 02 22:23
-TechrightsBN/#boycottnovell--> www.neowin.net | Audacity 2.0.6 - NeowinOct 02 22:23
schestowitz__I used it for all episodes of techbytesOct 02 22:23
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellOct 02 22:25
schestowitz__https://twitter.com/sgviews/status/517685775060963329Oct 02 22:27
*MinceR_ (~mincer@unaffiliated/mincer) has joined #boycottnovellOct 03 03:37
*MinceR has quit (Ping timeout: 260 seconds)Oct 03 03:39
*pidgin_log has quit (Quit: Leaving.)Oct 03 04:56
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 03 04:57
schestowitz__https://joindiaspora.com/posts/4839958Oct 03 05:11
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #freebsd embraces #uefi patent and restrictions mess from #intel http://news.softpedia.com/news/FreeBSD-10-1-Beta-3-Features-Even-More-UEFI-Improvements-460651.shtmlOct 03 05:11
schestowitz__"There's not much choice. My Asus, for example, won't even boot FreeBSD 10.1 Beta 2. I hope it will do Beta 3. (I'm using kFreeBSD's install disk because its GRUB will boot my FreeBSD installation.)"Oct 03 05:11
-TechrightsBN/#boycottnovell--> news.softpedia.com | FreeBSD 10.1 Beta 3 Features Even More UEFI Improvements - Softpedia [ http://ur1.ca/iag0g ]Oct 03 05:11
schestowitz__https://joindiaspora.com/posts/4840300Oct 03 05:11
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: elementary OS: Don't Hate Me Because I'm Beautiful http://news.softpedia.com/news/elementary-OS-Don-t-Hate-Me-Because-I-m-Beautiful-460713.shtml #gnu #linuxOct 03 05:11
-TechrightsBN/#boycottnovell--> news.softpedia.com | elementary OS: Don't Hate Me Because I'm Beautiful - Softpedia [ http://ur1.ca/iacvh ]Oct 03 05:11
schestowitz__"Unity is awesome. I'm using (sometimes) multiple displays, it is still very usable and you can always add a dock like plank"Oct 03 05:11
schestowitz__https://joindiaspora.com/posts/4840408Oct 03 05:12
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: CUPS Turn 15 Years Old, CUPS 2.0 Released http://www.phoronix.com/scan.php?page=news_item&px=MTgwMjE #cups #unixOct 03 05:12
-TechrightsBN/#boycottnovell--> www.phoronix.com | [Phoronix] CUPS Turn 15 Years Old, CUPS 2.0 Released [ http://ur1.ca/iag0k ]Oct 03 05:12
schestowitz__"Thank you Apple."Oct 03 05:12
schestowitz__https://joindiaspora.com/posts/4845186Oct 03 05:12
schestowitz__"I too say +1 for #Audacity. It's the best."Oct 03 05:12
schestowitz__"The EPO's corruption, as I witnessed in 2008, is best understood by insiders. Every Monday I published one part (next Monday is part 5), so this too I will study and do a post about. Keep em coming :-)"Oct 03 05:28
schestowitz__-meOct 03 05:28
schestowitz__-meOct 03 06:20
schestowitz__#!/usr/bin/perl -TOct 03 06:20
schestowitz__use strict;Oct 03 06:20
schestowitz__use warnings;Oct 03 06:20
schestowitz__# see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formatsOct 03 06:20
-TechrightsBN/#boycottnovell-httpd.apache.org | mod_log_config - Apache HTTP Server Version 2.4 [ http://ur1.ca/iacww ]Oct 03 06:20
schestowitz__my $varnish = qq(/usr/bin/varnishncsa -F "%h\t%l\t%u\t%t\t%r\t%s\t%b\t%{Referer}i\t%{User-agent}i" -m TxStatus:404);Oct 03 06:20
schestowitz__my $iptables = qq(/bin/echo);Oct 03 06:20
schestowitz__#/sbin/iptables);Oct 03 06:20
schestowitz__$ENV{PATH}=qq(/bin:/sbin:/usr/bin:/usr/sbin);   # don't trust the provided pathOct 03 06:20
schestowitz__open( VARNISHLOG, "$varnish |" ) or die( "Could not run '$varnish' : $!\n" );Oct 03 06:20
schestowitz__while ( my $line = <VARNISHLOG> ) {Oct 03 06:20
schestowitz__    my ( $remote, undef, undef, $time, $request, $status, $size, $referer, $agent ) = split( /\t/, $line );Oct 03 06:20
schestowitz__    # proceed only with untainted $rhostOct 03 06:20
schestowitz__    if ( ( my $rhost ) = $remote =~ m/^([\w\.\-\_]+)$/s ) {Oct 03 06:20
schestowitz__        # one list element per argument: system() in list form does not go through a shellOct 03 06:20
schestowitz__        my @args = (Oct 03 06:20
schestowitz__            '-A', 'INPUT',Oct 03 06:21
schestowitz__            '-p', 'tcp',Oct 03 06:21
schestowitz__            '-i', 'eth0',Oct 03 06:21
schestowitz__            '-m', 'comment', '--comment', 'limit DDOS',Oct 03 06:21
schestowitz__            '--source', $rhost,Oct 03 06:21
schestowitz__            '--dport', '80',Oct 03 06:21
schestowitz__            '-j', 'REJECT'Oct 03 06:21
schestowitz__            );Oct 03 06:21
schestowitz__        system( $iptables, @args ) == 0 or die( "Could not run '$iptables' : $! \n" );Oct 03 06:21
schestowitz__    }Oct 03 06:21
schestowitz__}Oct 03 06:21
schestowitz__close( VARNISHLOG );Oct 03 06:21
*freedomrun has quit (Read error: Connection reset by peer)Oct 03 06:28
*schestowitz__ has quit (Quit: Konversation term)Oct 03 06:48
*schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 03 06:49
*ChanServ gives channel operator status to schestowitz__Oct 03 06:49
*MinceR_ is now known as MinceROct 03 07:09
*ChanServ gives channel operator status to MinceROct 03 07:09
schestowitz__> On 10/03/2014 11:20 AM, Roy Schestowitz wrote:Oct 03 09:38
schestowitz__>>> >> There shouldn't be a line break but it works in  2.4.7-1ubuntu4.1 inOct 03 09:38
schestowitz__>>> >> Ubuntu 14.04 LTS.  I could test in CentOS tomorrow, if needed, butOct 03 09:38
schestowitz__>>> >> Apache2 should be the same in both.  The location of the configurationOct 03 09:38
schestowitz__>>> >> files would be different between Ubuntu and CentOSOct 03 09:38
schestowitz__>> > Oct 03 09:38
schestowitz__>> > Does that go strictly in apache config file or can that also go intoOct 03 09:38
schestowitz__>> > .htaccess. I only tried the latter.Oct 03 09:38
schestowitz__> It has to go into the regular configuration file for that vhost.  I justOct 03 09:38
schestowitz__> tried it now in .htaccess and it had no effect.Oct 03 09:38
schestowitz__> Oct 03 09:38
schestowitz__> The Options for .htaccess are intentionally limited:Oct 03 09:38
schestowitz__> Oct 03 09:38
schestowitz__> https://httpd.apache.org/docs/2.4/mod/core.html#optionsOct 03 09:38
schestowitz__I can try to put that in the vhost. I think the requirements quickly change however. I managed to redeem the front page temporarily as the attacker is targeting other pages now. Let's see if he returns to knocking on the front page.Oct 03 09:38
-TechrightsBN/#boycottnovell-httpd.apache.org | core - Apache HTTP Server Version 2.4 [ http://ur1.ca/iaggb ]Oct 03 09:38
schestowitz__TM lost many visitors, inc. regulars, since the attacks began. So I can say the attacks were effective.Oct 03 09:38
schestowitz__ Oct 03 09:38
schestowitz__> If you have access to the configuration file, then use of .htaccessOct 03 09:38
schestowitz__> should be avoided anyway.Oct 03 09:38
schestowitz__> Oct 03 09:38
schestowitz__>> > Also, it would be wiser to block forOct 03 09:39
schestowitz__>> > any referrer (referer [sic]) containing "aggregator"Oct 03 09:39
schestowitz__> As far as I can tell, it will take any PCRE syntax:Oct 03 09:39
schestowitz__> Oct 03 09:39
schestowitz__> https://httpd.apache.org/docs/2.4/glossary.html#regexOct 03 09:39
schestowitz__> Oct 03 09:39
-TechrightsBN/#boycottnovell-httpd.apache.org | Glossary - Apache HTTP Server Version 2.4 [ http://ur1.ca/iagge ]Oct 03 09:39
schestowitz__> and multiple instances of setenvif can be used.Oct 03 09:39
schestowitz__I will give that a go if the attack method becomes consistent, it changes every hour today. A good thing I was up all night...Oct 03 09:39
schestowitz__>> > the attacker now targets other landing points, inc. signup, register,Oct 03 09:39
schestowitz__>> > aggregator (blocked for 2 weeks), and forums (was blocked earlier). AtOct 03 09:39
schestowitz__>> > one stage he (or she? Unlikely!) bombarded many different nodes that areOct 03 09:39
schestowitz__>> > real pages, which would pose a greater issue if that persisted (hard toOct 03 09:39
schestowitz__>> > block).Oct 03 09:39
schestowitz__> Ok.  The setenvif directive sent earlier matches on Referer {sic} so theOct 03 09:39
schestowitz__> target URL is not relevant.Oct 03 09:39
schestowitz__> Oct 03 09:39
schestowitz__> Have you or your wife been nagging the ISPs of the guilty machines?Oct 03 09:39
schestowitz__Nagging ISPs about Windows Microsoft (exclusively) machines that attack my sites is an exercise in futility. New Windows PCs are too easy to hijack.Oct 03 09:39
schestowitz__>> ...Oct 03 10:04
schestowitz__>>> https://httpd.apache.org/docs/2.4/mod/core.html#optionsOct 03 10:04
-TechrightsBN/#boycottnovell-httpd.apache.org | core - Apache HTTP Server Version 2.4 [ http://ur1.ca/iaggb ]Oct 03 10:04
schestowitz__>>Oct 03 10:04
schestowitz__>> I can try to put that in the vhost. I think the requirements quicklyOct 03 10:04
schestowitz__>> change however. I managed to redeem the front page temporarily as theOct 03 10:04
schestowitz__>> attacker is targeting other pages now. Let's see if he returns toOct 03 10:04
schestowitz__>> knocking on the front page.Oct 03 10:05
schestowitz__> Oct 03 10:05
schestowitz__> I can't think of another way around using the configuration file.Oct 03 10:05
schestowitz__It seems like a powerful tool. I'm prepared to use it shortly; for now, I think the attacker is not sure why he can't bring down the site... might take some hours to catch up.Oct 03 10:05
schestowitz__>> TM lost many visitors, inc. regulars, since the attacks began. So I canOct 03 10:05
schestowitz__>> say the attacks were effective.Oct 03 10:05
schestowitz__> Oct 03 10:05
schestowitz__> :(  They will come back, but first the DDOS has to be neutralized.Oct 03 10:05
schestowitz__Yes, I suppose the sympathy quotient might help. Still, many hours of work fighting DDOS, not posting articles...Oct 03 10:05
schestowitz__> I've looked around and preliminarily it looks like iptables can doOct 03 10:05
schestowitz__> passive OS fingerprinting like PF can.  That would make it possible toOct 03 10:05
schestowitz__> do rate limiting on Windows machines, in theory.  If that is possible,Oct 03 10:05
schestowitz__> it should be able to find a rate per second plus burst rate that allowsOct 03 10:05
schestowitz__> users to load a page but prevents a rapidfire attack.Oct 03 10:05
schestowitz__Maybe I can rate-limit for a particular URL, regardless of referer? If the attacker starts hammering on random pages (been done before), this would not work.Oct 03 10:05
schestowitz__>>> and multiple instances of setenvif can be used.Oct 03 10:05
schestowitz__>>Oct 03 10:05
schestowitz__>> I will give that a go if the attack method becomes consistent, itOct 03 10:05
schestowitz__>> changes every hour today. A good thing I was up all night...Oct 03 10:05
schestowitz__>> ...Oct 03 10:05
schestowitz__> Oct 03 10:05
schestowitz__> How many hosts appear to be involved?  I think that blocking theOct 03 10:05
schestowitz__> incoming ip at the varnish server would be the way to go, or at leastOct 03 10:05
schestowitz__> one layer in the defense.Oct 03 10:05
schestowitz__It's possible that only a dozen machines are used. They target a particular area every ten minutes at the same time; they don't have the same HTTP headers.Oct 03 10:05
schestowitz__>>> I can't think of another way around using the configuration file.Oct 03 10:18
schestowitz__>>Oct 03 10:18
schestowitz__>> It seems like a powerful tool. I'm prepared to use it shortly; for now,Oct 03 10:18
schestowitz__>> I think the attacker is not sure why he can't bring down the site...Oct 03 10:18
schestowitz__>> might take some hours to catch up.Oct 03 10:18
schestowitz__> Oct 03 10:18
schestowitz__> Working more upstream, on the varnish server, would help because that isOct 03 10:18
schestowitz__> the one that has direct contact with the offending machines.Oct 03 10:18
schestowitz__I'm not too good with varnish but I have full (root) access to the varnish server. Does that work with iptables?Oct 03 10:18
schestowitz__>>>> TM lost many visitors, inc. regulars, since the attacks began. So I canOct 03 10:18
schestowitz__>>>> say the attacks were effective.Oct 03 10:18
schestowitz__>>>Oct 03 10:18
schestowitz__>>> :(  They will come back, but first the DDOS has to be neutralized.Oct 03 10:18
schestowitz__>>Oct 03 10:18
schestowitz__>> Yes, I suppose the sympathy quotient might help. Still, many hours ofOct 03 10:18
schestowitz__>> work fighting DDOS, not posting articles...Oct 03 10:18
schestowitz__> Oct 03 10:18
schestowitz__> Oct 03 10:18
schestowitz__> Oct 03 10:18
schestowitz__>>> I've looked around and preliminarily it looks like iptables can doOct 03 10:18
schestowitz__>>> passive OS fingerprinting like PF can.  That would make it possible toOct 03 10:18
schestowitz__>>> do rate limiting on Windows machines, in theory.  If that is possible,Oct 03 10:18
schestowitz__>>> it should be able to find a rate per second plus burst rate that allowsOct 03 10:18
schestowitz__>>> users to load a page but prevents a rapidfire attack.Oct 03 10:18
schestowitz__>>Oct 03 10:18
schestowitz__>> Maybe I can rate-limit for a particular URL, regardless of referer? IfOct 03 10:18
schestowitz__>> the attacker starts hammering on random pages (been done before), thisOct 03 10:18
schestowitz__>> would not work.Oct 03 10:18
schestowitz__> Oct 03 10:18
schestowitz__> That would in some ways make it easier to DOS a particular URL, but itOct 03 10:18
schestowitz__> might reduce the overall load on the machine.Oct 03 10:18
schestowitz__> Oct 03 10:18
schestowitz__> I see mod_evasive is in the Ubuntu repository as libapache2-mod-evasive.Oct 03 10:18
schestowitz__>  The docs show that it might help with that, a problem I can predict isOct 03 10:18
schestowitz__> that currently all the requests are coming to Apache from the same IPOct 03 10:18
schestowitz__> address -- the Varnish server.  The module might be available in CentOS, too.Oct 03 10:19
schestowitz__>  You are on CentOS 6?Oct 03 10:19
schestowitz__YesOct 03 10:19
schestowitz__> When I get home in about 8 hours I can tryOct 03 10:19
schestowitz__> setting up CentOS on the LAN and trying a few things with limiting.Oct 03 10:19
schestowitz__I think I've managed to defeat the attacker, for now... logins and registrations are blocked (not a huge deal), but the front page is now accessible and load is OK.Oct 03 10:19
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellOct 03 10:34
schestowitz__>> I'm not too good with varnish but I have full (root) access to theOct 03 12:09
schestowitz__>> varnish server. Does that work with iptables?Oct 03 12:09
schestowitz__> Oct 03 12:09
schestowitz__> If the OS has the Linux kernel (since 2.4) then it is using iptables.Oct 03 12:09
schestowitz__> Most mitigations I have been able to think of do not need to work withOct 03 12:09
schestowitz__> the varnish configuration itself.  But most parse the logs and you doOct 03 12:09
schestowitz__> not have to be root to parse the varnish logs (a minor privacy andOct 03 12:09
schestowitz__> security bug) but root access, or tweaked sudoers, is needed forOct 03 12:09
schestowitz__> iptables configurations.Oct 03 12:09
schestowitz__> Oct 03 12:09
schestowitz__> Working with raw iptables on the varnish server, one needs a rule at theOct 03 12:09
schestowitz__> top to allow established connections.Oct 03 12:09
schestowitz__> Oct 03 12:09
schestowitz__>  iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED \Oct 03 12:09
schestowitz__>   -j ACCEPTOct 03 12:09
schestowitz__> Oct 03 12:09
schestowitz__> Then near the top allowing incoming with some rate limiting.Oct 03 12:09
schestowitz__> Oct 03 12:09
schestowitz__>  iptables -A INPUT -p icmp --icmp-type echo-request \Oct 03 12:09
schestowitz__>         -m limit --limit 1/s -i eth0 -j ACCEPTOct 03 12:10
schestowitz__> Oct 03 12:10
schestowitz__>  iptables  -I INPUT -p TCP --dport 80 -m state --state NEW \Oct 03 12:10
schestowitz__> -m limit --limit 60/minute --limit-burst 100 -j ACCEPTOct 03 12:10
schestowitz__> Oct 03 12:10
schestowitz__> The --limit and --limit-burst would depend on the profile for normal useOct 03 12:10
schestowitz__> for an incoming ip number.Oct 03 12:10
schestowitz__> Oct 03 12:10
schestowitz__> If you do try to adjust iptables, I  would recommend using either an atOct 03 12:10
schestowitz__> job to restore the last known working settings or else iptables-apply,Oct 03 12:10
schestowitz__> to prevent getting locked out.Oct 03 12:10
schestowitz__Can a command be crafted to tie burst limiting on a per-URL/request basis? Right now I managed to narrowly defeat bursts that mostly (not only) target the front page. If I could limit varnish access to this page to one per second, that would help solve the problem. I am observing the attacks in real time every 10 minutes to better understand them. It's like a game of Chess now and I win most rounds (rounds 10 minutes apart), but Oct 03 12:10
schestowitz__not all..Oct 03 12:10
schestowitz__https://twitter.com/Metztli_IT/status/517998739911237633Oct 03 12:32
-TechrightsBN/#boycottnovell-@Metztli_IT: ♺@schestowitz On Occupy Central’s Ties w/the #NED http://t.co/JxjNqkiudG #US pursues #oppression at home & #chaos abroad…#UmbrellaRevolutionOct 03 12:32
-TechrightsBN/#boycottnovell--> www.commondreams.org | On Occupy Central’s Ties with the NED | Common Dreams | Breaking News & Views for the Progressive CommunityOct 03 12:32
schestowitz__I could use a script that checks average and when it rises above some number, it would swap a file (.htaccess), reload apache, then swap it back when the load is low again. Has this been done before?Oct 03 13:05
schestowitz__https://twitter.com/ender2038/status/518009453166465025Oct 03 13:09
-TechrightsBN/#boycottnovell-@ender2038: @schestowitz then all the others are pro demOct 03 13:09
*libertyboxes has quit (Quit: Konversation terminated!)Oct 03 14:17
**** BEGIN LOGGING AT Sat Oct 11 09:36:22 2014
BACKUP
*schestowitz_log_ has quit (Remote host closed the connection)Sep 28 08:38
*schestowitz has quit (Read error: Connection reset by peer)Sep 28 08:38
*schestowitz (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellSep 28 08:38
*schestowitz has quit (Changing host)Sep 28 08:38
*schestowitz (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellSep 28 08:38
*ChanServ gives channel operator status to schestowitzSep 28 08:38
*schestowitz_log_ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellSep 28 08:38
*schestowitz_log_ has quit (Changing host)Sep 28 08:38
*schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellSep 28 08:38
*ChanServ gives channel operator status to schestowitz_log_Sep 28 08:38
*cubelog has quit (Ping timeout: 272 seconds)Sep 28 10:49
*cubelog (~cubeman@maxhost.org) has joined #boycottnovellSep 28 13:09
*cubelog has quit (Remote host closed the connection)Sep 28 20:02
*cubelog (~cubeman@maxhost.org) has joined #boycottnovellSep 28 20:48
*edanny101_ (~edanny101@175.144.248.66) has joined #boycottnovellSep 29 04:25
*edanny101_ has quit (Quit: AndroIRC - Android IRC Client ( http://www.androirc.com ))Sep 29 04:30
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellSep 29 05:34
*freedomrun has quit (Remote host closed the connection)Sep 29 06:38
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellSep 29 06:43
*freedomrun has quit (Remote host closed the connection)Sep 29 08:14
*pidgin_log1 has quit (Quit: Leaving.)Sep 29 08:29
*schestowitz__ has quit (Quit: Konversation term)Sep 29 08:38
*schestowitz__ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellSep 29 13:03
*schestowitz__ has quit (Changing host)Sep 29 13:03
*schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellSep 29 13:03
*ChanServ gives channel operator status to schestowitz__Sep 29 13:03
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellSep 29 13:03
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellSep 29 15:03
*freedomrun has quit (Read error: Connection reset by peer)Sep 29 18:17
schestowitz__http://www.youtube.com/watch?v=ZcgTog780bs&list=UU0znI3dRWpNF8lvbPBTlzywSep 30 00:03
-TechrightsBN/#boycottnovell-www.youtube.com | Selfridges, BOY, The Third Reich and the Self Hating Gays - YouTube [ http://ur1.ca/i9jnm ]Sep 30 00:03
schestowitz__> He's mostly been very well behaved on our site. Again, I've never metSep 30 00:18
schestowitz__> him face to face, so I don't know why he turned bitter -- maybe he wasSep 30 00:18
schestowitz__> always like that. With me, he's always as nice as can beSep 30 00:18
schestowitz__> Sep 30 00:18
schestowitz__>  He gets accused of being a Microsoft shill a lot. Since quitting atSep 30 00:18
schestowitz__> Fuduntu, he's taken to defending Microsoft a lot, which doesn't playSep 30 00:18
schestowitz__> well on FOSS forums. You're free to call him to task in the comments,Sep 30 00:18
schestowitz__> although I'm not sure that would be productive.Sep 30 00:18
schestowitz__> Sep 30 00:18
schestowitz__> I'm sorry for any grief this has caused you.Sep 30 00:18
schestowitz__I never saw him accused of that.Sep 30 00:18
schestowitz__Either way, this didn't cause grief. I was just struggling to figure out who I could have said that about. Turns out, the error was his, not mine.Sep 30 00:18
schestowitz__https://joindiaspora.com/posts/4824143Sep 30 00:24
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #gnu #linux #pdf readers like #evince and #okular are mature enough and they make #adobe obsolete http://news.softpedia.com/news/Linux-No-Longer-Listed-as-Supported-Platform-for-Adobe-Reader-460372.shtmlSep 30 00:24
-TechrightsBN/#boycottnovell--> news.softpedia.com | Linux No Longer Listed as Supported Platform for Adobe Reader - Softpedia [ http://ur1.ca/i9k58 ]Sep 30 00:24
schestowitz__"Agreed. I wouldn't use Adobe's Reader on my system at all. If someone required me to use it for work, I would find another way around the problem."Sep 30 00:24
schestowitz__"You don't even need a PDF reader. Firefox has pdf.js, and while I wouldn't recommend Chrome that has a PDF reader too."Sep 30 00:24
schestowitz__"Okular is still way more performant for huge PDFs which contain a lot of scanned images. But pdf.js is still great to have."Sep 30 00:25
*libertybox_ has quit (Remote host closed the connection)Sep 30 01:40
*libertyboxes (~liberty@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellSep 30 01:41
*TechrightsBN has quit (Read error: Connection reset by peer)Sep 30 02:13
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellSep 30 03:29
schestowitz__> If you don't mind, keep me updated on the Tux Machines situation. WhenSep 30 07:46
schestowitz__> you're back up and running we'll help get the word out.Sep 30 07:46
schestowitz__I have just checked again. The botnet is still active, but the bursts gradually reduce in terms of scale, not enough to unblock parts of the site.Sep 30 07:46
*TechrightsBN (~b0t@mail.copilotco.com) has joined #boycottnovellSep 30 07:51
TechrightsBNHello World! I'm TechrightsBN running phIRCe v0.75Sep 30 07:51
schestowitz__https://joindiaspora.com/posts/4825946Oct 01 00:17
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: I find it utterly astounding the Western media spends more time bemoaning trauma of 'pilots', not victims on ground http://www.huffingtonpost.com/2014/09/29/military-drone-operators_n_5899478.html?utm_hp_ref=politicsOct 01 00:17
-TechrightsBN/#boycottnovell--> www.huffingtonpost.com | Military Drone Operators Can Feel Emotional Strains Of War [ http://ur1.ca/i9omn ]Oct 01 00:17
schestowitz__"Cry me a river."Oct 01 00:17
schestowitz__https://joindiaspora.com/posts/4825863Oct 01 00:19
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: 'Hunting' with automatic rifles http://earthisland.org/elist/graphics/DehogaflierTruck.jpgOct 01 00:19
schestowitz__"Maybe animals are a lot more smart than those hunters so they need high-tech gear to level the field."Oct 01 00:19
*liberty_back has quit (Ping timeout: 258 seconds)Oct 01 00:44
*libertyboxes has quit (Ping timeout: 240 seconds)Oct 01 00:45
*liberty_back (~Liberium@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 01 01:03
*libertyboxes (~liberty@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 01 01:03
*freedomrun has quit (Remote host closed the connection)Oct 01 09:47
*Disconnected ().Oct 01 12:13
**** ENDING LOGGING AT Wed Oct 1 12:13:05 2014
**** BEGIN LOGGING AT Wed Oct 1 12:17:02 2014
*Now talking on #boycottnovellOct 01 12:17
*Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-socialOct 01 12:17
*Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010Oct 01 12:17
-ChanServ-[#boycottnovell] Welcome to the #boycottnovell channelOct 01 12:17
*ChanServ gives channel operator status to schestowitz_logOct 01 12:17
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 01 12:17
*schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 01 12:17
*ChanServ gives channel operator status to schestowitz__Oct 01 12:17
*pidgin_log has quit (Quit: Leaving.)Oct 01 12:25
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 01 12:27
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellOct 01 13:48
*MinceR_ (~mincer@unaffiliated/mincer) has joined #boycottnovellOct 01 16:20
*ChanServ gives channel operator status to MinceR_Oct 01 16:21
*MinceR has quit (Read error: Connection reset by peer)Oct 01 16:22
*MinceR_ is now known as MinceROct 01 16:23
*freedomrun has quit (Read error: Connection reset by peer)Oct 01 16:27
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellOct 01 21:42
*freedomrun has quit (Remote host closed the connection)Oct 02 00:37
*Disconnected (Connection reset by peer).Oct 02 02:11
**** ENDING LOGGING AT Thu Oct 2 02:11:55 2014
**** BEGIN LOGGING AT Thu Oct 2 02:12:23 2014
*Now talking on #boycottnovellOct 02 02:12
*Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-socialOct 02 02:12
*Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010Oct 02 02:12
-ChanServ-[#boycottnovell] Welcome to the #boycottnovell channelOct 02 02:12
*ChanServ gives channel operator status to schestowitz_logOct 02 02:12
schestowitz__https://joindiaspora.com/posts/4833576Oct 02 05:04
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: More trolling from Brian Fagioli, who calls #microsoft "hero", said #firefox was anti-gay, and Linux anti-women http://betanews.com/2014/09/30/sorry-linux-fans-windows-10-will-continue-microsofts-desktop-domination/Oct 02 05:04
schestowitz__"Sounds like an Italian dish."Oct 02 05:04
-TechrightsBN/#boycottnovell--> betanews.com | Sorry Linux fans, Windows 10 will continue Microsoft's desktop domination [ http://ur1.ca/ia203 ]Oct 02 05:04
schestowitz__"What low life."Oct 02 05:04
schestowitz__> Hi, Roy,> Oct 02 13:21
schestowitz__> I see that Tuxmachines has been down for a DDOS for many days.  There isOct 02 13:21
schestowitz__> a redirect to TR and Fossforce even had an article.Oct 02 13:21
schestowitz__The front page is redirected because it's the main target. There's some junk in referrer (well, I know there is always some junk there), which I think Varnish might interpret as unique and then pass to Apache. I am thinking it's about time to make better workarounds because the attacks don't just stop.Oct 02 13:21
schestowitz__ Oct 02 13:21
schestowitz__> Is there an equivalent of fail2ban for Varnish that triggers on serverOct 02 13:21
schestowitz__> response codes?  I'm guessing that to get through the varnish cache theyOct 02 13:21
schestowitz__> are sending junk URLs.  Or is it varnish that is DDOSed?  If it is junkOct 02 13:21
schestowitz__> URLs a script can scan the log output and fire up an iptables rule toOct 02 13:21
schestowitz__> block and then expire the block later.  That is something which isOct 02 13:21
schestowitz__> easier in PF but I think is doable with iptables.Oct 02 13:21
schestowitz__I didn't like pfsense when we set it up for a client because it caused some major cryptic issues and we ended up replacing it with a Linux-based firewall.Oct 02 13:21
schestowitz__> To digress about the wiki, I remember that it was not possible to blockOct 02 13:22
schestowitz__> ip addresses in the wiki because it looked like everything was comingOct 02 13:22
schestowitz__> from the varnish server.  I found a possible way around that.Oct 02 13:22
schestowitz__> mod_setenv might be able to assign the HTTP header "X-Forwarded-For" toOct 02 13:22
schestowitz__> an environment variable that the wiki could be then modified to swap inOct 02 13:22
schestowitz__> for the source address:Oct 02 13:22
schestowitz__> Oct 02 13:22
schestowitz__> %{VARNAME}i The contents of VARNAME: header line(s) in theOct 02 13:22
schestowitz__> request sent to the server. Changes made by other modules (e.g.Oct 02 13:22
schestowitz__> mod_headers) affect this. If you're interested in what theOct 02 13:22
schestowitz__> request header was prior to when most modules would haveOct 02 13:22
schestowitz__> modified it, use mod_setenvif to copy the header into anOct 02 13:22
schestowitz__> internal environment variable and log that value with theOct 02 13:22
schestowitz__> %{VARNAME}e described above.Oct 02 13:22
schestowitz__> Oct 02 13:22
schestowitz__> - https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formatsOct 02 13:22
schestowitz__> Oct 02 13:22
-TechrightsBN/#boycottnovell-httpd.apache.org | mod_log_config - Apache HTTP Server Version 2.4 [ http://ur1.ca/iacww ]Oct 02 13:22
schestowitz__> That should be easy in Apache2 and the wiki would only need one lineOct 02 13:22
schestowitz__> added if the contents of one variable is substituted for another.Oct 02 13:22
schestowitz__> Oct 02 13:22
schestowitz__> But that would be for after things are settled with TM.Oct 02 13:22
schestowitz__People in TM told me that it's possible to address issues with Varnish and stats, for example, but I never found them crucial enough to do lots of work for. The Wiki of the site did get spam even if one had to sign up.Oct 02 13:22
schestowitz__On the other hand, a large client of ours is unable to do lots of stuff due to caching, e.g. polls. I just wish Varnish didn't have this kind of weakness, or came with IP diversity solutions out of the box.Oct 02 13:22
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellOct 02 13:30
*freedomrun has quit (Read error: Connection reset by peer)Oct 02 18:09
schestowitz__https://twitter.com/sgviews/status/517685775060963329Oct 02 20:29
-TechrightsBN/#boycottnovell-@sgviews: @schestowitz Thank you for sharingOct 02 20:29
schestowitz__https://joindiaspora.com/posts/4841498Oct 02 21:24
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: "ownCloud is one of the biggest open source project written in PHP if you look into the latest statistics" http://karlitschek.de/2014/10/a-possible-future-for-php/Oct 02 21:24
schestowitz__"https://n-1.cc/ is also written in PHP"Oct 02 21:24
-TechrightsBN/#boycottnovell--> karlitschek.de | Frank Karlitschek_ » A possible future for PHP [ http://ur1.ca/iaf2a ]Oct 02 21:24
schestowitz__"I love ownCloud, but I wish PHP apps were more secure :)"Oct 02 21:24
-TechrightsBN/#boycottnovell-n-1.cc | N-1Oct 02 21:24
schestowitz__Drupal and WordPress are PHPOct 02 21:24
schestowitz__https://joindiaspora.com/posts/4841427Oct 02 21:25
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: "most powerful instrument of freedom and democracy ever seen, which is the Internet." http://www.laquadrature.net/en/open-letter-to-the-council-of-the-european-union-on-net-neutrality but also used for #surveillanceOct 02 21:25
-TechrightsBN/#boycottnovell--> www.laquadrature.net | Open Letter to the Council of the European Union on Net Neutrality | La Quadrature du Net [ http://ur1.ca/iaf2f ]Oct 02 21:25
schestowitz__"Indeed! The most powerful surveillance platform ever developed by humans."Oct 02 21:25
schestowitz__https://joindiaspora.com/posts/4841484Oct 02 21:26
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #ddos attacks (exclusively by #microsoft #windows botnets) have not stopped; #tuxmachines now 10 days under attack. Trying to mitigate.Oct 02 21:26
schestowitz__"Someone is paying attention to your posts, at least you're not being ignored."Oct 02 21:26
schestowitz__https://joindiaspora.com/posts/4845186Oct 02 21:26
schestowitz__"It's my favorite audio software. The only thing I don't like, it's the equalizer don't work in real time and this it's a big problem for me. I will view if the 2.0.6 solve this when will be available in my packets manager."Oct 02 21:26
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #Audacity 2.0.6 http://www.neowin.net/news/audacity-206Oct 02 21:26
-TechrightsBN/#boycottnovell--> www.neowin.net | Audacity 2.0.6 - NeowinOct 02 21:26
schestowitz__I used it for all episodes of techbytesOct 02 21:27
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellOct 02 21:28
schestowitz__https://twitter.com/sgviews/status/517685775060963329Oct 02 21:30
*MinceR_ (~mincer@unaffiliated/mincer) has joined #boycottnovellOct 03 02:40
*MinceR has quit (Ping timeout: 260 seconds)Oct 03 02:42
*pidgin_log has quit (Quit: Leaving.)Oct 03 04:00
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 03 04:00
schestowitz__https://joindiaspora.com/posts/4839958Oct 03 04:14
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #freebsd embraces #uefi patent and restrictions mess from #intel http://news.softpedia.com/news/FreeBSD-10-1-Beta-3-Features-Even-More-UEFI-Improvements-460651.shtmlOct 03 04:14
schestowitz__"There's not much choice. My Asus, for example, won't even boot FreeBSD 10.1 Beta 2. I hope it will do Beta 3. (I'm using kFreeBSD's install disk because its GRUB will boot my FreeBSD installation.)"Oct 03 04:14
-TechrightsBN/#boycottnovell--> news.softpedia.com | FreeBSD 10.1 Beta 3 Features Even More UEFI Improvements - Softpedia [ http://ur1.ca/iag0g ]Oct 03 04:14
schestowitz__https://joindiaspora.com/posts/4840300Oct 03 04:15
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: elementary OS: Don't Hate Me Because I'm Beautiful http://news.softpedia.com/news/elementary-OS-Don-t-Hate-Me-Because-I-m-Beautiful-460713.shtml #gnu #linuxOct 03 04:15
-TechrightsBN/#boycottnovell--> news.softpedia.com | elementary OS: Don't Hate Me Because I'm Beautiful - Softpedia [ http://ur1.ca/iacvh ]Oct 03 04:15
schestowitz__"Unity is awesome. I'm using (sometime) multiple display, it is still very usable and you can always add a dock like plank"Oct 03 04:15
schestowitz__https://joindiaspora.com/posts/4840408Oct 03 04:15
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: CUPS Turn 15 Years Old, CUPS 2.0 Released http://www.phoronix.com/scan.php?page=news_item&px=MTgwMjE #cups #unixOct 03 04:15
-TechrightsBN/#boycottnovell--> www.phoronix.com | [Phoronix] CUPS Turn 15 Years Old, CUPS 2.0 Released [ http://ur1.ca/iag0k ]Oct 03 04:15
schestowitz__"Thank you Apple."Oct 03 04:15
schestowitz__https://joindiaspora.com/posts/4845186Oct 03 04:16
schestowitz__"I too say +1 for #Audacity. It's the best."Oct 03 04:16
schestowitz__"The EPO's corruption, as I witnessed in 2008, is best understood by insiders. Every Monday I published one part (next Monday is part 5), so this too I will study and do a post about. Keep em coming :-)"Oct 03 04:31
schestowitz__-meOct 03 04:31
schestowitz__-meOct 03 05:24
schestowitz__#!/usr/bin/perl -T    Oct 03 05:24
schestowitz__use strict;Oct 03 05:24
schestowitz__use warnings;Oct 03 05:24
schestowitz__# see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats                                     Oct 03 05:24
-TechrightsBN/#boycottnovell-httpd.apache.org | mod_log_config - Apache HTTP Server Version 2.4 [ http://ur1.ca/iacww ]Oct 03 05:24
schestowitz__my $varnish = qq(/usr/bin/varnishncsa -F "%h\t%l\t%u\t%t\t%r\t%s\t%b\t%{Referer}i\t%{User-agent}i" -m TxStatus:404);Oct 03 05:24
schestowitz__my $iptables = qq(/bin/echo);Oct 03 05:24
schestowitz__#/sbin/iptables);                                                                                          Oct 03 05:24
schestowitz__$ENV{PATH}=qq(/bin:/sbin:/usr/bin:/usr/sbin);   # don't trust the provided path                             Oct 03 05:24
schestowitz__open( VARNISHLOG, "$varnish |" ) or die( "Could not run '$varnish' : $!\n" );Oct 03 05:24
schestowitz__while ( my $line = <VARNISHLOG> ) {Oct 03 05:24
schestowitz__    my ( $remote, undef, undef, $time, $request, $status, $size, $referer, $agent ) = split( /\t/, $line );Oct 03 05:24
schestowitz__    # proceed only with untainted $rhostOct 03 05:24
schestowitz__    if ( ( my $rhost ) = $remote =~ m/^([\w\.\-\_]*)$/s ) {Oct 03 05:24
schestowitz__        # list-form system() bypasses the shell: each option and each value is its own elementOct 03 05:24
schestowitz__        my @args = (Oct 03 05:24
schestowitz__            '-A', 'INPUT',Oct 03 05:24
schestowitz__            '-p', 'tcp',Oct 03 05:24
schestowitz__            '-i', 'eth0',Oct 03 05:24
schestowitz__            '-m', 'comment', '--comment', 'limit DDOS',Oct 03 05:24
schestowitz__            '--source', $rhost,Oct 03 05:24
schestowitz__            '--dport', '80',Oct 03 05:24
schestowitz__            '-j', 'REJECT'Oct 03 05:24
schestowitz__            );Oct 03 05:24
schestowitz__        system( $iptables, @args ) == 0 or die( "Could not run '$iptables' : $? \n" );Oct 03 05:24
schestowitz__    }Oct 03 05:24
schestowitz__}Oct 03 05:24
schestowitz__close( VARNISHLOG );Oct 03 05:24
*freedomrun has quit (Read error: Connection reset by peer)Oct 03 05:32
*schestowitz__ has quit (Quit: Konversation term)Oct 03 05:51
*schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 03 05:52
*ChanServ gives channel operator status to schestowitz__Oct 03 05:52
*MinceR_ is now known as MinceROct 03 06:12
*ChanServ gives channel operator status to MinceROct 03 06:12
schestowitz__> On 10/03/2014 11:20 AM, Roy Schestowitz wrote:Oct 03 08:41
schestowitz__>>> >> There shouldn't be a line break but it works in  2.4.7-1ubuntu4.1 inOct 03 08:41
schestowitz__>>> >> Ubuntu 14.04 LTS.  I could test in CentOS tomorrow, if needed, butOct 03 08:42
schestowitz__>>> >> Apache2 should be the same in both.  The location of the configurationOct 03 08:42
schestowitz__>>> >> files would be different between Ubuntu and CentOSOct 03 08:42
schestowitz__>> > Oct 03 08:42
schestowitz__>> > Does that go strictly in apache config file or can that also go intoOct 03 08:42
schestowitz__>> > .htaccess. I only tried the latter.Oct 03 08:42
schestowitz__> It has to go into the regular configuration file for that vhost.  I justOct 03 08:42
schestowitz__> tried it now in .htaccess and it had no effect.Oct 03 08:42
schestowitz__> Oct 03 08:42
schestowitz__> The Options for .htaccess are intentionally limited:Oct 03 08:42
schestowitz__> Oct 03 08:42
schestowitz__> https://httpd.apache.org/docs/2.4/mod/core.html#optionsOct 03 08:42
schestowitz__I can try to put that in the vhost. I think the requirements quickly change however. I managed to redeem the front page temporarily as the attacker is targeting other pages now. Let's see if he returns to knocking on the front page.Oct 03 08:42
-TechrightsBN/#boycottnovell-httpd.apache.org | core - Apache HTTP Server Version 2.4 [ http://ur1.ca/iaggb ]Oct 03 08:42
schestowitz__TM lost many visitors, inc. regulars, since the attacks began. So I can say the attacks were effective.Oct 03 08:42
schestowitz__ Oct 03 08:42
schestowitz__> If you have access to the configuration file, then use of .htaccessOct 03 08:42
schestowitz__> should be avoided anyway.Oct 03 08:42
schestowitz__> Oct 03 08:42
schestowitz__>> > Also, it would be wiser to block forOct 03 08:42
schestowitz__>> > any referrer (referer [sic]) containing "aggregator"Oct 03 08:42
schestowitz__> As far as I can tell, it will take any PCRE syntax:Oct 03 08:42
schestowitz__> Oct 03 08:42
schestowitz__> https://httpd.apache.org/docs/2.4/glossary.html#regexOct 03 08:42
schestowitz__> Oct 03 08:42
-TechrightsBN/#boycottnovell-httpd.apache.org | Glossary - Apache HTTP Server Version 2.4 [ http://ur1.ca/iagge ]Oct 03 08:42
schestowitz__> and multiple instances of setenvif can be used.Oct 03 08:42
schestowitz__I will give that a go if the attack method becomes consistent, it changes every hour today. A good thing I was up all night...Oct 03 08:42
schestowitz__>> > the attacker now targets other landing points, inc. signup, register,Oct 03 08:42
schestowitz__>> > aggregator (blocked for 2 weeks), and forums (was blocked earlier). AtOct 03 08:42
schestowitz__>> > one stage he (or she? Unlikely!) bombarded many different nodes that areOct 03 08:42
schestowitz__>> > real pages, which would pose a greater issue if that persisted (hard toOct 03 08:42
schestowitz__>> > block).Oct 03 08:42
schestowitz__> Ok.  The setenvif directive sent earlier matches on Referer {sic} so theOct 03 08:42
schestowitz__> target URL is not relevant.Oct 03 08:42
schestowitz__> Oct 03 08:42
schestowitz__> Have you or your wife been nagging the ISPs of the guilty machines?Oct 03 08:42
schestowitz__Nagging ISPs about windows microsoft (exclusively) machines that attack my sites exercise in futility. New Windows PCs too easy to hijack.Oct 03 08:42
schestowitz__>> ...Oct 03 09:08
schestowitz__>>> https://httpd.apache.org/docs/2.4/mod/core.html#optionsOct 03 09:08
-TechrightsBN/#boycottnovell-httpd.apache.org | core - Apache HTTP Server Version 2.4 [ http://ur1.ca/iaggb ]Oct 03 09:08
schestowitz__>>Oct 03 09:08
schestowitz__>> I can try to put that in the vhost. I think the requirements quicklyOct 03 09:08
schestowitz__>> change however. I managed to redeem the front page temporarily as theOct 03 09:08
schestowitz__>> attacker is targeting other pages now. Let's see if he returns toOct 03 09:08
schestowitz__>> knocking on the front page.Oct 03 09:08
schestowitz__> Oct 03 09:08
schestowitz__> I can't think of another way around using the configuration file.Oct 03 09:08
schestowitz__It seems like a powerful tool. I'm prepared to use it shortly; for now, I think the attacker is not sure why he can't bring down the site... might take some hours to catch up.Oct 03 09:08
schestowitz__>> TM lost many visitors, inc. regulars, since the attacks began. So I canOct 03 09:08
schestowitz__>> say the attacks were effective.Oct 03 09:08
schestowitz__> Oct 03 09:08
schestowitz__> :(  They will come back, but first the DDOS has to be neutralized.Oct 03 09:08
schestowitz__Yes, I suppose the sympathy quotient might help. Still, many hours of work fighting DDOS, not posting articles...Oct 03 09:08
schestowitz__> I've looked around and preliminarily it looks like iptables can doOct 03 09:08
schestowitz__> passive OS fingerprinting like PF can.  That would make it possible toOct 03 09:08
schestowitz__> do rate limiting on Windows machines, in theory.  If that is possible,Oct 03 09:08
schestowitz__> it should be able to find a rate per second plus burst rate that allowsOct 03 09:08
schestowitz__> users to load a page but prevents a rapidfire attack.Oct 03 09:08
schestowitz__Maybe I can rate-limit for a particular URL, regardless of referer? If the attacker starts hammering on random pages (been done before), this would not work.Oct 03 09:08
schestowitz__>>> and multiple instances of setenvif can be used.Oct 03 09:08
schestowitz__>>Oct 03 09:08
schestowitz__>> I will give that a go if the attack method becomes consistent, itOct 03 09:08
schestowitz__>> changes every hour today. A good thing I was up all night...Oct 03 09:08
schestowitz__>> ...Oct 03 09:08
schestowitz__> Oct 03 09:08
schestowitz__> How many hosts appear to be involved?  I think that blocking theOct 03 09:08
schestowitz__> incoming ip at the varnish server would be the way to go, or at leastOct 03 09:08
schestowitz__> one layer in the defense.Oct 03 09:09
schestowitz__It's possible that only a dozen machines are used. They target a particular area every ten minutes at the same time; they don't have the same HTTP headers.Oct 03 09:09
schestowitz__>>> I can't think of another way around using the configuration file.>>Oct 03 09:21
schestowitz__>> It seems like a powerful tool. I'm prepared to use it shortly; for now,Oct 03 09:21
schestowitz__>> I think the attacker is not sure why he can't bring down the site...Oct 03 09:21
schestowitz__>> might take some hours to catch up.Oct 03 09:21
schestowitz__> Oct 03 09:21
schestowitz__> Working more upstream, on the varnish server, would help because that isOct 03 09:21
schestowitz__> the one that has direct contact with the offending machines.Oct 03 09:21
schestowitz__I'm not too good with varnish but I have full (root) access to the varnish server. Does that work with iptables?Oct 03 09:21
schestowitz__>>>> TM lost many visitors, inc. regulars, since the attacks began. So I canOct 03 09:21
schestowitz__>>>> say the attacks were effective.Oct 03 09:21
schestowitz__>>>Oct 03 09:21
schestowitz__>>> :(  They will come back, but first the DDOS has to be neutralized.Oct 03 09:21
schestowitz__>>Oct 03 09:21
schestowitz__>> Yes, I suppose the sympathy quotient might help. Still, many hours ofOct 03 09:21
schestowitz__>> work fighting DDOS, not posting articles...Oct 03 09:21
schestowitz__> Oct 03 09:21
schestowitz__> Oct 03 09:21
schestowitz__> Oct 03 09:22
schestowitz__>>> I've looked around and preliminarily it looks like iptables can doOct 03 09:22
schestowitz__>>> passive OS fingerprinting like PF can.  That would make it possible toOct 03 09:22
schestowitz__>>> do rate limiting on Windows machines, in theory.  If that is possible,Oct 03 09:22
schestowitz__>>> it should be able to find a rate per second plus burst rate that allowsOct 03 09:22
schestowitz__>>> users to load a page but prevents a rapidfire attack.Oct 03 09:22
schestowitz__>>Oct 03 09:22
schestowitz__>> Maybe I can rate-limit for a particular URL, regardless of referer? IfOct 03 09:22
schestowitz__>> the attacker starts hammering on random pages (been done before), thisOct 03 09:22
schestowitz__>> would not work.Oct 03 09:22
schestowitz__> Oct 03 09:22
schestowitz__> That would in some ways make it easier to DOS a particular URL, but itOct 03 09:22
schestowitz__> might reduce the overall load on the machine.Oct 03 09:22
schestowitz__> Oct 03 09:22
schestowitz__> I see mod_evasive is in the Ubuntu repository as libapache2-mod-evasive.Oct 03 09:22
schestowitz__>  The docs show that it might help with that, a problem I can predict isOct 03 09:22
schestowitz__> that currently all the requests are coming to Apache from the same IPOct 03 09:22
schestowitz__> address -- the Varnish server.  The module might be available in CentOS, too.Oct 03 09:22
schestowitz__>  You are on CentOS 6?Oct 03 09:22
schestowitz__YesOct 03 09:22
schestowitz__> When I get home in about 8 hours I can tryOct 03 09:22
schestowitz__> setting up CentOS on the LAN and trying a few things with limiting.Oct 03 09:22
schestowitz__I think I've managed to defeat the attacker, for now... logins and registrations are blocked (not a huge deal), but the front page is now accessible and load is OK.Oct 03 09:22
*freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovellOct 03 09:37
schestowitz__>> I'm not too good with varnish but I have full (root) access to theOct 03 11:12
schestowitz__>> varnish server. Does that work with iptables?Oct 03 11:12
schestowitz__> Oct 03 11:13
schestowitz__> If the OS has the Linux kernel (since 2.4) then it is using iptables.Oct 03 11:13
schestowitz__> Most mitigations I have been able to think of do not need to work withOct 03 11:13
schestowitz__> the varnish configuration itself.  But most parse the logs and you doOct 03 11:13
schestowitz__> not have to be root to parse the varnish logs (a minor privacy andOct 03 11:13
schestowitz__> security bug) but root access, or tweaked sudoers, is needed forOct 03 11:13
schestowitz__> iptables configurations.Oct 03 11:13
schestowitz__> Oct 03 11:13
schestowitz__> Working with raw iptables on the varnish server, one needs a rule at theOct 03 11:13
schestowitz__> top to allow established connections.Oct 03 11:13
schestowitz__> Oct 03 11:13
schestowitz__>  iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED \Oct 03 11:13
schestowitz__>   -j ACCEPTOct 03 11:13
schestowitz__> Oct 03 11:13
schestowitz__> Then near the top allowing incoming with some rate limiting.Oct 03 11:13
schestowitz__> Oct 03 11:13
schestowitz__>  iptables -A INPUT -p icmp --icmp-type echo-request \Oct 03 11:13
schestowitz__>         -m limit --limit 1/s -i eth0 -j ACCEPTOct 03 11:13
schestowitz__> Oct 03 11:13
schestowitz__>  iptables  -I INPUT -p TCP --dport 80 -m state --state NEW \Oct 03 11:13
schestowitz__> -m limit --limit 60/minute --limit-burst 100 -j ACCEPTOct 03 11:13
schestowitz__> Oct 03 11:13
schestowitz__> The --limit and --limit-burst would depend on the profile for normal useOct 03 11:13
schestowitz__> for an incoming ip number.Oct 03 11:13
schestowitz__> Oct 03 11:13
schestowitz__> If you do try to adjust iptables, I  would recommend using either an atOct 03 11:13
schestowitz__> job to restore the last known working settings or else iptables-apply,Oct 03 11:13
schestowitz__> to prevent getting locked out.Oct 03 11:13
schestowitz__Can a command be crafted to tie burst limiting on a per-URL/request basis? Right now I managed to narrowly defeat bursts that mostly (not only) target the front page. If I could limit varnish access to this page to one per second, that would help solve the problem. I am observing the attacks in real time every 10 minutes to better understand them. It's like a game of Chess now and I win most rounds (rounds 10 minutes apart), but Oct 03 11:13
schestowitz__not all..Oct 03 11:13
schestowitz__https://twitter.com/Metztli_IT/status/517998739911237633Oct 03 11:35
-TechrightsBN/#boycottnovell-@Metztli_IT: ♺@schestowitz On Occupy Central’s Ties w/the #NED http://t.co/JxjNqkiudG #US pursues #oppression at home & #chaos abroad…#UmbrellaRevolutionOct 03 11:35
-TechrightsBN/#boycottnovell--> www.commondreams.org | On Occupy Central’s Ties with the NED | Common Dreams | Breaking News & Views for the Progressive CommunityOct 03 11:35
schestowitz__I could use a script that checks average and when it rises above some number, it would swap a file (.htaccess), reload apache, then swap it back when the load is low again. Has this been done before?Oct 03 12:09
schestowitz__https://twitter.com/ender2038/status/518009453166465025Oct 03 12:12
-TechrightsBN/#boycottnovell-@ender2038: @schestowitz then all the others are pro demOct 03 12:12
*libertyboxes has quit (Quit: Konversation terminated!)Oct 03 13:21
*liberty_back has quit (Remote host closed the connection)Oct 03 13:21
*freedomrun has quit (Remote host closed the connection)Oct 03 18:02
schestowitz__> It's been 10+ years since I've dealt with RPM.  But despite that I gotOct 03 20:12
schestowitz__> CentOS 6 installed (it would not boot initially) and Apache2 withOct 03 20:12
schestowitz__> Varnish, though the latter was not in the repository.  The repo is alsoOct 03 20:12
schestowitz__> missing tmux.  I'll be able to get varnish working with apache tomorrowOct 03 20:12
schestowitz__> after some sleep.Oct 03 20:12
schestowitz__These are very sought-after skills. You'd easily find a sysadmin job in the UK.Oct 03 20:12
*roy (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 04 02:47
*ChanServ gives channel operator status to royOct 04 02:47
*schestowitz has quit (*.net *.split)Oct 04 03:00
*cubelog has quit (Read error: Connection reset by peer)Oct 04 08:04
*cubelog (~cubeman@maxhost.org) has joined #boycottnovellOct 04 08:04
roygetting warnings about the disk filling up on the serverOct 04 08:16
roy[09:12] <roy> I will take a lookOct 04 08:16
schestowitz__> I've looked at Apache2 on CentOS6 now and see that mod_evasive is not inOct 04 08:27
schestowitz__> the repositories.  It is in the EPEL repository, though.Oct 04 08:27
schestowitz__> Oct 04 08:28
schestowitz__> http://xmodulo.com/harden-apache-web-server-mod_security-mod_evasive-centos.htmlOct 04 08:28
-TechrightsBN/#boycottnovell-xmodulo.com | How to harden Apache web server with mod_security and mod_evasive on CentOS - Xmodulo [ http://ur1.ca/iaktp ]Oct 04 08:28
schestowitz__> Oct 04 08:28
schestowitz__> It might do the job with the 20/s ... BUT unfortunately, it works per-ipOct 04 08:28
schestowitz__> address and varnish is hiding that.  I spent some time trying to findOct 04 08:28
schestowitz__> ways to rewrite the REMOTE_ADDR header, but no luck yet.  There areOct 04 08:28
schestowitz__> still a few ways to try though and I'm looking into one.Oct 04 08:28
schestowitz__> Oct 04 08:28
schestowitz__> iptables rate limiting on the varnish server would also prevent the 20/sOct 04 08:28
schestowitz__> attacks.Oct 04 08:28
schestowitz__Most of the attacks are not fast but persistent, they build up the load by picking RAM- and CPU-heavy pages that are not in cache.Oct 04 08:28
schestowitz__At this stage both TR and TM go offline sometimes. Someone told me in Twitter that El Reg too was attacked last week. FOSS Force has a new article.Oct 04 08:28
royBoth sites have been under attack and I don't know if you have some tools for the varnish side that can help reduce the floods of Windows botnets http://fossforce.com/2014/10/tux-machines-ddos-attack-moves-to-techrights/Oct 04 08:30
-TechrightsBN/#boycottnovell-fossforce.com | 'Tux Machines' DDOS Attack Moves to 'TechRights' | FOSS Force [ http://ur1.ca/iaku3 ]Oct 04 08:30
*roy has quit (Read error: No route to host)Oct 04 09:52
*schestowitz_log_ has quit (Read error: Connection reset by peer)Oct 04 09:52
*schestowitz_log_ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 04 09:52
*schestowitz_log_ has quit (Changing host)Oct 04 09:52
*schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 04 09:52
*ChanServ gives channel operator status to schestowitz_log_Oct 04 09:52
*schestowitz (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 04 09:52
*ChanServ gives channel operator status to schestowitzOct 04 09:52
*Disconnected (Connection timed out).Oct 04 10:49
**** ENDING LOGGING AT Sat Oct 4 10:49:18 2014
**** BEGIN LOGGING AT Sat Oct 4 10:49:46 2014
*Now talking on #boycottnovellOct 04 10:49
*Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-socialOct 04 10:49
*Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010Oct 04 10:49
-ChanServ-[#boycottnovell] Welcome to the #boycottnovell channelOct 04 10:49
*ChanServ gives channel operator status to schestowitz_logOct 04 10:49
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 04 10:50
*Disconnected ().Oct 04 14:43
**** ENDING LOGGING AT Sat Oct 4 14:43:58 2014
**** BEGIN LOGGING AT Sat Oct 4 14:44:18 2014
*Now talking on #boycottnovellOct 04 14:44
*Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-socialOct 04 14:44
*Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010Oct 04 14:44
-ChanServ-[#boycottnovell] Welcome to the #boycottnovell channelOct 04 14:44
*ChanServ gives channel operator status to schestowitz_logOct 04 14:44
*schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 04 14:54
*ChanServ gives channel operator status to schestowitz_log_Oct 04 14:54
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 04 14:57
*pidgin_log has quit (Ping timeout: 260 seconds)Oct 04 15:19
*schestowitz_log_ has quit (Ping timeout: 272 seconds)Oct 04 15:20
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 04 15:33
*schestowitz_log_ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 04 15:33
*schestowitz_log_ has quit (Changing host)Oct 04 15:33
*schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 04 15:33
*ChanServ gives channel operator status to schestowitz_log_Oct 04 15:33
*benJIman has quit (Ping timeout: 245 seconds)Oct 04 15:36
*benJIman (~benji@li273-180.members.linode.com) has joined #boycottnovellOct 04 15:37
*Disconnected (Connection timed out).Oct 04 16:17
**** ENDING LOGGING AT Sat Oct 4 16:17:34 2014
**** BEGIN LOGGING AT Sat Oct 4 16:18:04 2014
*Now talking on #boycottnovellOct 04 16:18
*Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-socialOct 04 16:18
*Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010Oct 04 16:18
*schestowitz_log_ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 04 16:19
*schestowitz_log_ has quit (Changing host)Oct 04 16:19
*schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 04 16:19
*ChanServ gives channel operator status to schestowitz_log_Oct 04 16:19
-ChanServ-[#boycottnovell] Welcome to the #boycottnovell channelOct 04 16:19
*ChanServ gives channel operator status to schestowitz_logOct 04 16:19
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 04 16:20
*Disconnected (Connection timed out).Oct 04 16:39
**** ENDING LOGGING AT Sat Oct 4 16:39:34 2014
**** BEGIN LOGGING AT Sat Oct 4 16:40:02 2014
*Now talking on #boycottnovellOct 04 16:40
*Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-socialOct 04 16:40
*Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010Oct 04 16:40
-ChanServ-[#boycottnovell] Welcome to the #boycottnovell channelOct 04 16:40
*ChanServ gives channel operator status to schestowitz_logOct 04 16:40
*schestowitz__ has quit (Ping timeout: 244 seconds)Oct 04 16:40
*schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 04 16:40
*ChanServ gives channel operator status to schestowitz__Oct 04 16:40
*pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovellOct 04 16:41
*Disconnected ().Oct 04 17:08
**** ENDING LOGGING AT Sat Oct 4 17:08:18 2014
**** BEGIN LOGGING AT Sat Oct 4 17:08:58 2014
*Now talking on #boycottnovellOct 04 17:08
*Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-socialOct 04 17:08
*Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010Oct 04 17:08
-ChanServ-[#boycottnovell] Welcome to the #boycottnovell channelOct 04 17:08
*ChanServ gives channel operator status to logbot2Oct 04 17:08
*pidgin_log has quit (Ping timeout: 240 seconds)Oct 04 17:09
*pidgin_log (~roy@host109-155-92-45.range109-155.btcentralplus.com) has joined #boycottnovellOct 04 17:09
*pidgin_log has quit (Client Quit)Oct 04 17:10
*schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 04 17:23
*ChanServ gives channel operator status to schestowitz_log_Oct 04 17:23
schestowitz_bed2> Hi,Oct 04 17:23
schestowitz_bed2> Oct 04 17:23
schestowitz_bed2> Is the DDOS attack over? We're having no trouble reaching either of yourOct 04 17:23
schestowitz_bed2> sites now.Oct 04 17:23
schestowitz_bed2TM was down for 10 minutes or so until around 5 minutes ago when I added new rules. TR has not been knocked so far today, but definitely these attacks are not over. Sometimes we nearly run out of swap (4 GB), which puts the server at risk of falling over completely.Oct 04 17:23
schestowitz_bed2I hope the attacker is getting bored and will move on soon.Oct 04 17:23
schestowitz_bed2>>> I've looked at Apache2 on CentOS6 now and see that mod_evasive is not inOct 04 17:28
schestowitz_bed2>>> the repositories.  It is in the EPEL repository, though.Oct 04 17:28
schestowitz_bed2>>>Oct 04 17:28
schestowitz_bed2>>> http://xmodulo.com/harden-apache-web-server-mod_security-mod_evasive-centos.htmlOct 04 17:28
schestowitz_bed2>>>Oct 04 17:28
schestowitz_bed2>>> It might do the job with the 20/s ... BUT unfortunately, it works per-ipOct 04 17:28
schestowitz_bed2>>> address and varnish is hiding that.  I spent some time trying to findOct 04 17:28
schestowitz_bed2>>> ways to rewrite the REMOTE_ADDR header, but no luck yet.  There areOct 04 17:28
schestowitz_bed2>>> still a few ways to try though and I'm looking into one.Oct 04 17:28
schestowitz_bed2>>>Oct 04 17:28
schestowitz_bed2>>> iptables rate limiting on the varnish server would also prevent the 20/sOct 04 17:28
schestowitz_bed2>>> attacks.Oct 04 17:28
schestowitz_bed2>>Oct 04 17:28
schestowitz_bed2>> Most of the attacks are not fast but persistent, they build up the loadOct 04 17:28
schestowitz_bed2>> by picking RAM- and CPU-heavy pages that are not in cache.Oct 04 17:28
schestowitz_bed2> Oct 04 17:28
schestowitz_bed2> Yes, but you should add per-ip rate limiting to the varnish server, ifOct 04 17:28
schestowitz_bed2> you are allowed.  That's the easiest and most adjustable option and willOct 04 17:28
schestowitz_bed2> prevent one of their attack methods.Oct 04 17:28
schestowitz_bed2> Oct 04 17:28
schestowitz_bed2> On CentOS6 there are iptables rules for the system in this file:Oct 04 17:28
schestowitz_bed2> Oct 04 17:28
schestowitz_bed2> /etc/sysconfig/iptablesOct 04 17:28
schestowitz_bed2> Oct 04 17:28
schestowitz_bed2> and they can be edited via this script:Oct 04 17:28
schestowitz_bed2> Oct 04 17:28
schestowitz_bed2> system-config-firewallOct 04 17:28
schestowitz_bed2> Oct 04 17:29
schestowitz_bed2> though it is possible to manually customize the iptables configuration.Oct 04 17:29
schestowitz_bed2> Oct 04 17:29
schestowitz_bed2> Either way, after thisOct 04 17:29
schestowitz_bed2> Oct 04 17:29
schestowitz_bed2> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPTOct 04 17:29
schestowitz_bed2> Oct 04 17:29
schestowitz_bed2> but before thisOct 04 17:29
schestowitz_bed2> Oct 04 17:29
schestowitz_bed2> -A INPUT -j REJECT --reject-with icmp-host-prohibitedOct 04 17:29
schestowitz_bed2> Oct 04 17:29
schestowitz_bed2> something like this (limits a guess here) is neededOct 04 17:29
schestowitz_bed2> Oct 04 17:29
schestowitz_bed2>  iptables  -I INPUT -p TCP --dport 80 -m state --state NEW \Oct 04 17:29
schestowitz_bed2> -m limit --limit 10/second --limit-burst 20 -j ACCEPTOct 04 17:29
schestowitz_bed2Thanks, I will ask Tracy before making changes on the Varnish host because several sites are hosted through it, inc. some of his clients.Oct 04 17:29
schestowitz_bed2>> At this stage both TR and TM go offline sometimes. Someone told me inOct 04 17:29
schestowitz_bed2>> Twitter that El Reg too was attacked last week. Oct 04 17:29
schestowitz_bed2> Oct 04 17:29
schestowitz_bed2> But TheReg is rather Pro-M$ for a long time.Oct 04 17:29
schestowitz_bed2Maybe. Not always. Not so much anymore.Oct 04 17:29
schestowitz_bed2 Oct 04 17:29
schestowitz_bed2>> FOSS Force has a newOct 04 17:29
schestowitz_bed2>> article.Oct 04 17:29
schestowitz_bed2>>Oct 04 17:29
schestowitz_bed2> I see.  M$ has no qualms about going after family.Oct 04 17:29
schestowitz_bed2The number of attacks today was less than yesterday. TR was only offline a few times last night. This morning it was doing fine.Oct 04 17:29
schestowitz_bed2> Hi, Roy,Oct 04 18:16
schestowitz_bed2> Oct 04 18:16
schestowitz_bed2> There is a way to install mod_evasive in CentOS 6, but I do not knowOct 04 18:16
schestowitz_bed2> enough C to modify it to use the right environment variable to get theOct 04 18:17
schestowitz_bed2> offending client's address.  Same for the defunct Apache module, rpaf,Oct 04 18:17
schestowitz_bed2> which also is in C, which would have provided the right variable, too.Oct 04 18:17
schestowitz_bed2Someone told me about rpaf in TM last year. It was a reader. I looked into it, but anything that involved messing with the Varnish level I need to be careful with because many sites depend on that host and I'm more of a guest on Tracy's network. Maybe if I can host locally (or at your end) some static pages, then I can redirect to them in cases of high load. I recently implemented this for a big client, using AWS as a cushion Oct 04 18:17
schestowitz_bed2for static pages. Of course this would only help if you can make static a page (quickly changing page like TM front page changes too often). If many different pages are hit, that too is a problem.Oct 04 18:17
schestowitz_bed2> However, even if mod_evasive had the name or ip of the offending clientOct 04 18:17
schestowitz_bed2> it would still have to call a script which then communicates back to theOct 04 18:17
schestowitz_bed2> varnish server where the actual blocking needs to take place, a taskOct 04 18:17
schestowitz_bed2> which would be unnecessarily complex.Oct 04 18:17
schestowitz_bed2Varnish has been truly powerful and it helped us serve at unbelievable speeds. Watching in real time how quickly it serves images and stuff is amazing! The back end too; GNU/Linux is quite the beast. But they too have their limits and Varnish can make life hard and take a long time to configure when you want some pages not cached or conditionally cached. One client at my employer had many layers of cache: Cloudflare, then Oct 04 18:17
schestowitz_bed2Varnish, then Drupal cache, maybe MySQL internal caching also...Oct 04 18:17
schestowitz_bed2It made it quite a nightmare to handle IP-based rules... exclusions, admin-only, VPN, etc. We still haven't resolved it.Oct 04 18:17
schestowitz_bed2> So here is another sketch in perl.  This one is aimed at duplicatingOct 04 18:17
schestowitz_bed2> some of the functionality of mod_evasive.Oct 04 18:17
schestowitz_bed2> Oct 04 18:17
schestowitz_bed2> The script loops through piped output of varnish logs.  There are threeOct 04 18:17
schestowitz_bed2> configuration variables.  One is for the total number of site accessesOct 04 18:17
schestowitz_bed2> allowed per designated time interval, the second is for the total numberOct 04 18:17
schestowitz_bed2> of site accesses per url per time interval, the third is the timeOct 04 18:17
schestowitz_bed2> interval itself.  The function block_ip() currently only echoes outputOct 04 18:17
schestowitz_bed2> to stdout with a block in iptables.  The rule is set to insert after theOct 04 18:17
schestowitz_bed2> 3rd rule so that allows established states in first.  It is labeled withOct 04 18:17
schestowitz_bed2> DDOSn where n is the tens of minutes of the hour.  That allows the rulesOct 04 18:17
schestowitz_bed2> to be purged after 50 minutes with 6 different cron jobs.Oct 04 18:17
schestowitz_bed2> Oct 04 18:17
schestowitz_bed2> iptables-save | grep -v DDOS0 | iptables-restoreOct 04 18:17
schestowitz_bed2> orOct 04 18:17
schestowitz_bed2> iptables-save | grep -v DDOS1 | iptables-restoreOct 04 18:17
schestowitz_bed2> etcOct 04 18:17
schestowitz_bed2> Oct 04 18:17
schestowitz_bed2> If a longer time is needed, that can be done with modification.  OnlyOct 04 18:17
schestowitz_bed2> one instance of the script needs to run at a time so the system loadOct 04 18:17
schestowitz_bed2> should be low.  The hashes use some memory but are "limited" by theOct 04 18:17
schestowitz_bed2> number of attackers and the number of urls on the site.Oct 04 18:17
schestowitz_bed2Excellent. I have saved the script. Next time the attacks begin (yesterday they were 10 minutes apart and today they are sometimes an hour apart) I will have a go at it.Oct 04 18:17
schestowitz_bed2Meanwhile I've managed to tweet a lot and also write several articles... lack of posts is a sign of weakness that the attacker may interpret as his victory over the target. And that's what scares me the most.Oct 04 18:17
schestowitz_bed2https://joindiaspora.com/posts/4847647Oct 04 18:47
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: People Still Want Ubuntu Edge to Happen http://news.softpedia.com/news/People-Still-Want-Ubuntu-Edge-to-Happen-460754.shtml #ubuntu #canonical #gnu #linuxOct 04 18:47
-TechrightsBN/#boycottnovell--> news.softpedia.com | People Still Want Ubuntu Edge to Happen - Softpedia [ http://ur1.ca/ian7v ]Oct 04 18:47
schestowitz_bed2"I also want it to happen!!!"Oct 04 18:47
schestowitz_bed2"me too"Oct 04 18:47
schestowitz_bed2https://joindiaspora.com/posts/4853866Oct 04 18:52
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #google blamed rather than stupid celebrities who take naked photos, use "the Cloud", and #apple being incompetent http://www.eweek.com/security/google-threatened-with-100-million-lawsuit-over-hacked-celebrity-pictures.htmlOct 04 18:52
schestowitz_bed2"If I take some naked photos and somehow end in the Internet, might I sue Google too?"Oct 04 18:52
-TechrightsBN/#boycottnovell--> www.eweek.com | Google Threatened With $100 Million Lawsuit Over Hacked Celebrity Pictures [ http://ur1.ca/ian9c ]Oct 04 18:52
schestowitz_bed2Only if you are very, VERY famous. Obviously! :-)Oct 04 18:53
schestowitz_bed2https://joindiaspora.com/posts/4854843Oct 04 18:53
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com reshared: why would people post their health info to social networks? Oct 04 18:53
schestowitz_bed2"Worse, why would people search medical advice on social networks?"Oct 04 18:53
schestowitz_bed2They might get a "like" or two...Oct 04 18:53
*schestowitz_bed2 has quit (Quit: Konversation term)Oct 04 19:07
*schestowitz (~schestowi@unaffiliated/schestowitz) has joined #boycottnovellOct 04 19:08
*ChanServ gives channel operator status to schestowitzOct 04 19:08
schestowitz>>> I've been thinking about rpaf + mod_evasive some more.  I think youOct 04 19:21
schestowitz>>> could try it on the VM you set up to experiment with.  If the load onOct 04 19:21
schestowitz>>> the web server is from PHP+db then that should take care of it, mostly,Oct 04 19:21
schestowitz>>> without need of contacting the varnish server at all.  The downsides areOct 04 19:21
schestowitz>>> that mod_evasive is in the EPEL repository and that rpaf is more or lessOct 04 19:21
schestowitz>>> abandoned.Oct 04 19:21
schestowitz>>>Oct 04 19:21
schestowitz>>> About the perl script, if you do consider trying it, the varnishncsaOct 04 19:21
schestowitz>>> pipe needs a -m option to limit it to queries to TM and TR.Oct 04 19:21
schestowitz>>Oct 04 19:21
schestowitz>> I reckon we'll use it soon. Maybe the attacker is asleep or away. MaybeOct 04 19:21
schestowitz>> the zombie PCs were partly switched off for the weekend.Oct 04 19:21
schestowitz>>Oct 04 19:21
schestowitz> Oct 04 19:21
schestowitz> Here is one with some changes to hopefully deal better with the sharedOct 04 19:21
schestowitz> varnish environment.  Also, there was an off-by-one error in counting.Oct 04 19:21
schestowitz> Where the host is given as 10.0.2.40, substitute techrights.org orOct 04 19:21
schestowitz> whatever is showing up in "RxHeader     c Host:" from regular varnishlogOct 04 19:21
schestowitz> Oct 04 19:22
schestowitz> Also, as mentioned in the other message, I've revisited rpaf+mod_evasiveOct 04 19:22
schestowitz> and now think that it might help.  If the load is because of the db + php.Oct 04 19:22
schestowitzThank you so much. You should probably publish a wiki or article about this. It's stuff that ought to be out there for others to use as well.Oct 04 19:22
schestowitzhttps://joindiaspora.com/posts/4855510Oct 04 19:24
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #nsa helps create jobs in #germany http://www.techweekeurope.co.uk/news/oracle-data-centres-152984Oct 04 19:24
-TechrightsBN/#boycottnovell--> www.techweekeurope.co.uk | Oracle To Open Two German Data Centres Following NSA Spying Scandal [ http://ur1.ca/ianix ]Oct 04 19:24
schestowitz"How is that gonna help? Amerikan company implanting spyware in heart of Europe?"Oct 04 19:24
schestowitzhttps://joindiaspora.com/posts/4857477Oct 04 19:25
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: Another opportunity for #facebook to compile lists of people to sell to marketing firms and sharks http://consumerist.com/2014/10/03/facebook-wants-to-be-your-source-for-healthcare-info/Oct 04 19:25
-TechrightsBN/#boycottnovell--> consumerist.com | Facebook Wants To Be Your Source For Healthcare Info – Consumerist [ http://ur1.ca/ian4d ]Oct 04 19:25
schestowitz"I'm glad I escaped from FaceBook 3 years ago!"Oct 04 19:25
schestowitz>>>>> >>>> I've been thinking about rpaf + mod_evasive some more.  I think youOct 04 19:35
schestowitz>>>>> >>>> could try it on the VM you set up to experiment with.  If the load onOct 04 19:35
schestowitz>>>>> >>>> the web server is from PHP+db then that should take care of it, mostly,Oct 04 19:35
schestowitz>>>>> >>>> without need of contacting the varnish server at all.  The downsides areOct 04 19:35
schestowitz>>>>> >>>> that mod_evasive is in the EPEL repository and that rpaf is more or lessOct 04 19:35
schestowitz>>>>> >>>> abandoned.Oct 04 19:35
schestowitz>>>>> >>>>Oct 04 19:35
schestowitz>>>>> >>>> About the perl script, if you do consider trying it, the varnishncsaOct 04 19:35
schestowitz>>>>> >>>> pipe needs a -m option to limit it to queries to TM and TR.Oct 04 19:35
schestowitz>>>> >>>Oct 04 19:35
schestowitz>>>> >>> I reckon we'll use it soon. Maybe the attacker is asleep or away. MaybeOct 04 19:35
schestowitz>>>> >>> the zombie PCs were partly switched off for the weekend.Oct 04 19:35
schestowitz>>>> >>>Oct 04 19:35
schestowitz>>> >> Oct 04 19:35
schestowitz>>> >> Here is one with some changes to hopefully deal better with the sharedOct 04 19:35
schestowitz>>> >> varnish environment.  Also, there was an off-by-one error in counting.Oct 04 19:35
schestowitz>>> >> Where the host is given as 10.0.2.40, substitute techrights.org orOct 04 19:35
schestowitz>>> >> whatever is showing up in "RxHeader     c Host:" from regular varnishlogOct 04 19:35
schestowitz>>> >> Oct 04 19:35
schestowitz>>> >> Also, as mentioned in the other message, I've revisited rpaf+mod_evasiveOct 04 19:35
schestowitz>>> >> and now think that it might help.  If the load is because of the db + php.Oct 04 19:35
schestowitz>> > Oct 04 19:35
schestowitz>> > Thank you so much.Oct 04 19:35
schestowitz> My style with perl has tended to readability or over-simplicity.  So, IOct 04 19:35
schestowitz> hope it's readable and that there are no mistakes.  I've tested it in aOct 04 19:35
schestowitz> simulated environment, but treat it as probationary in a live setting ifOct 04 19:35
schestowitz> you do test it.  A successful block with iptables should prevent runawayOct 04 19:35
schestowitz> addition of duplicate rules.  If not, then that can be added in.Oct 04 19:35
schestowitz> Oct 04 19:35
schestowitz>> > You should probably publish a wiki or article aboutOct 04 19:35
schestowitz>> > this. It's stuff that ought to be out there for others to use as well.Oct 04 19:35
schestowitz> It's only a variation of most of what mod_evasive does, but for varnishOct 04 19:35
schestowitz> instead.  Besides, writing's hard for me, especially these days.Oct 04 19:35
schestowitz>Oct 04 19:35
schestowitz> PS.  I'm about done for the day in a few minutes.Oct 04 19:35
schestowitzI will keep an eye on the site the rest of the day and tomorrow we stay home all day, so at least we're covered in the vigilance sense, for now...Oct 04 19:36
schestowitz>>> It's only a variation of most of what mod_evasive does, but for varnishOct 04 22:19
schestowitz>>> instead.  Besides, writing's hard for me, especially these days.Oct 04 22:19
schestowitz>>>Oct 04 22:19
schestowitz>>> PS.  I'm about done for the day in a few minutes.Oct 04 22:19
schestowitz>>Oct 04 22:19
schestowitz>> I will keep an eye on the site the rest of the day and tomorrow we stayOct 04 22:19
schestowitz>> home all day, so at least we're covered in the vigilance sense, for now...Oct 04 22:19
schestowitz> Oct 04 22:20
schestowitz> Ok.Oct 04 22:20
schestowitz> Oct 04 22:20
schestowitz> Just two last things.  Lines 14 and 15 need to be edited to make theOct 04 22:20
schestowitz> script active, if you think the rest is ok.  Also, the existing iptablesOct 04 22:20
schestowitz> rules on the server might not be the default any more so the insertionOct 04 22:20
schestowitz> point for the REJECT rule might not be the 4th line.Oct 04 22:20
schestowitzThe attacks are resuming now, so I'll give it a go.Oct 04 22:20
schestowitzhttps://joindiaspora.com/posts/4854823Oct 04 22:22
-TechrightsBN/#boycottnovell-@unlearn@diasp.org: why would people post their health info to social networks? Oct 04 22:22
schestowitz"One of the people the spouse follows on a popular social network is posting everything about her battle with cancer. She's also taking donations. So for her, losing information about her health derives sympathy and money."Oct 04 22:22
schestowitzhttps://joindiaspora.com/posts/4852407Oct 04 22:22
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #steam now promotes #drm for music, too http://www.themukt.com/2014/10/03/steam-music-available-one-comes-free-music/ the rot spreads...Oct 04 22:22
-TechrightsBN/#boycottnovell--> www.themukt.com | Steam Music available to one and all! Comes with Free Music too! - The Mukt [ http://ur1.ca/ian6z ]Oct 04 22:22
schestowitz"Well it is. However, my impression so far is that the music itself is not copy protected by Steam; It just provides access to soundtracks buried in the game directories and to the player's actual music collection."Oct 04 22:22
schestowitzhttps://joindiaspora.com/posts/4855523Oct 04 22:23
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: "Apple is truly ramping up the PR machine and has even managed to get a few people in government to" help the PR http://www.decryptedtech.com/news/nsa-proof-ios-8-claims-we-have-heard-them-beforeOct 04 22:23
schestowitz"Blind mice..."Oct 04 22:23
-TechrightsBN/#boycottnovell--> www.decryptedtech.com | NSA Proof" iOS 8 claims... We have heard them before... [ http://ur1.ca/iaopk ]Oct 04 22:23
schestowitzhttps://joindiaspora.com/posts/4857956Oct 04 22:24
-TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: People who say that fasting (ritual) has "health benefit" are the same people who say female and male genital mutilation is "health benefit"Oct 04 22:24
schestowitz"What? Where did that one come from? I understand why would you not post a link here, but I got genuinely interested in the topic. I do want to know more about this topic."Oct 04 22:24
schestowitz"Some crazy people I guess."Oct 04 22:24
schestowitz"Wait a second... is it about Jewish practices? I have little knowledge, that is why I am asking."Oct 04 22:24
schestowitz"Are you Jewish?"Oct 04 22:24
schestowitz"I am not. But I am curious where such statement came from. You know, Diaspora has no text length limit, so this single sentence made me curious. I mean, Why did Dr. Roy even write it for? What is the reasoning and sought result?"Oct 04 22:25
schestowitzIt's about Muslims too (Eid and female genital mutilation)  https://en.wikipedia.org/wiki/Female_genital_mutilationOct 04 22:25
-TechrightsBN/#boycottnovell-en.wikipedia.org | Female genital mutilation - Wikipedia, the free encyclopedia [ http://ur1.ca/iaopr ]Oct 04 22:25
schestowitz,e: I am trying to reduce the impact of DDOS attacks after two weeks of them not stopping. I don't think I can do this without dealing with Varnish (IP addresses), but I don't want to do any work on it without prior permissions from you because it's shared among sites.Oct 04 22:34
