Join us now at the IRC channel.
| *schestowitz_log_ has quit (Remote host closed the connection) | Sep 28 09:35 | |
| *schestowitz has quit (Read error: Connection reset by peer) | Sep 28 09:35 | |
| *schestowitz (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Sep 28 09:35 | |
| *schestowitz has quit (Changing host) | Sep 28 09:35 | |
| *schestowitz (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Sep 28 09:35 | |
| *ChanServ gives channel operator status to schestowitz | Sep 28 09:35 | |
| *schestowitz_log_ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Sep 28 09:35 | |
| *schestowitz_log_ has quit (Changing host) | Sep 28 09:35 | |
| *schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Sep 28 09:35 | |
| *ChanServ gives channel operator status to schestowitz_log_ | Sep 28 09:35 | |
| *cubelog has quit (Ping timeout: 272 seconds) | Sep 28 11:46 | |
| *cubelog (~cubeman@maxhost.org) has joined #boycottnovell | Sep 28 14:06 | |
| *cubelog has quit (Remote host closed the connection) | Sep 28 20:59 | |
| *cubelog (~cubeman@maxhost.org) has joined #boycottnovell | Sep 28 21:45 | |
| *edanny101_ (~edanny101@175.144.248.66) has joined #boycottnovell | Sep 29 05:22 | |
| *edanny101_ has quit (Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )) | Sep 29 05:27 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Sep 29 06:31 | |
| *freedomrun has quit (Remote host closed the connection) | Sep 29 07:35 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Sep 29 07:40 | |
| *freedomrun has quit (Remote host closed the connection) | Sep 29 09:10 | |
| *pidgin_log1 has quit (Quit: Leaving.) | Sep 29 09:26 | |
| *schestowitz__ has quit (Quit: Konversation term) | Sep 29 09:35 | |
| *schestowitz__ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Sep 29 14:00 | |
| *schestowitz__ has quit (Changing host) | Sep 29 14:00 | |
| *schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Sep 29 14:00 | |
| *ChanServ gives channel operator status to schestowitz__ | Sep 29 14:00 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Sep 29 14:00 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Sep 29 16:00 | |
| *freedomrun has quit (Read error: Connection reset by peer) | Sep 29 19:14 | |
| schestowitz__ | http://www.youtube.com/watch?v=ZcgTog780bs&list=UU0znI3dRWpNF8lvbPBTlzyw | Sep 30 01:00 |
|---|---|---|
| -TechrightsBN/#boycottnovell-www.youtube.com | Selfridges, BOY, The Third Reich and the Self Hating Gays - YouTube [ http://ur1.ca/i9jnm ] | Sep 30 01:00 | |
| schestowitz__ | > He's mostly been very well behaved on our site. Again, I've never met | Sep 30 01:15 |
| schestowitz__ | > him face to face, so I don't know why he turned bitter -- maybe he was | Sep 30 01:15 |
| schestowitz__ | > always like that. With me, he's always as nice as can be | Sep 30 01:15 |
| schestowitz__ | > | Sep 30 01:15 |
| schestowitz__ | > He gets accused of being a Microsoft shill a lot. Since quitting at | Sep 30 01:15 |
| schestowitz__ | > Fuduntu, he's taken to defending Microsoft a lot, which doesn't play | Sep 30 01:15 |
| schestowitz__ | > well on FOSS forums. You're free to call him to task in the comments, | Sep 30 01:15 |
| schestowitz__ | > although I'm not sure that would be productive. | Sep 30 01:15 |
| schestowitz__ | > | Sep 30 01:15 |
| schestowitz__ | > I'm sorry for any grief this has caused you. | Sep 30 01:15 |
| schestowitz__ | I never saw him accused of that. | Sep 30 01:15 |
| schestowitz__ | Either way, this didn't cause grief. I was just struggling to figure out who I could have said that about. Turns out, the error was his, not mine. | Sep 30 01:15 |
| schestowitz__ | https://joindiaspora.com/posts/4824143 | Sep 30 01:21 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #gnu #linux #pdf readers like #evince and #okular are mature enough and they make #adobe obsolete http://news.softpedia.com/news/Linux-No-Longer-Listed-as-Supported-Platform-for-Adobe-Reader-460372.shtml | Sep 30 01:21 | |
| -TechrightsBN/#boycottnovell--> news.softpedia.com | Linux No Longer Listed as Supported Platform for Adobe Reader - Softpedia [ http://ur1.ca/i9k58 ] | Sep 30 01:21 | |
| schestowitz__ | "Agreed. I wouldn't use Adobe's Reader on my system at all. If someone required me to use it for work, I would find another way around the problem." | Sep 30 01:21 |
| schestowitz__ | "You don't even need a PDF reader. Firefox has pdf.js, and while I wouldn't recommend Chrome that has a PDF reader too." | Sep 30 01:21 |
| schestowitz__ | "Okular is still way more performant for huge PDFs which contain a lot of scanned images. But pdf.js is still great to have.' | Sep 30 01:22 |
| *libertybox_ has quit (Remote host closed the connection) | Sep 30 02:37 | |
| *libertyboxes (~liberty@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Sep 30 02:38 | |
| *TechrightsBN has quit (Read error: Connection reset by peer) | Sep 30 03:10 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Sep 30 04:26 | |
| schestowitz__ | > If you don't mind, keep me updated on the Tux Machines situation. When | Sep 30 08:43 |
| schestowitz__ | > you're back up and running we'll help get the word out. | Sep 30 08:43 |
| schestowitz__ | I have just checked again. The botnet is still active, but the bursts gradually reduce in terms of scale, not enough to unblock parts of the site. | Sep 30 08:43 |
| *TechrightsBN (~b0t@mail.copilotco.com) has joined #boycottnovell | Sep 30 08:48 | |
| TechrightsBN | Hello World! I'm TechrightsBN running phIRCe v0.75 | Sep 30 08:48 |
| schestowitz__ | https://joindiaspora.com/posts/4825946 | Oct 01 01:14 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: I find is utterly astounding the Western media spends more time bemoaning trauma of 'pilots', not victims on ground http://www.huffingtonpost.com/2014/09/29/military-drone-operators_n_5899478.html?utm_hp_ref=politics | Oct 01 01:14 | |
| -TechrightsBN/#boycottnovell--> www.huffingtonpost.com | Military Drone Operators Can Feel Emotional Strains Of War [ http://ur1.ca/i9omn ] | Oct 01 01:14 | |
| schestowitz__ | "Cry me a river." | Oct 01 01:14 |
| schestowitz__ | https://joindiaspora.com/posts/4825863 | Oct 01 01:16 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: 'Hunting' with automatic rifles http://earthisland.org/elist/graphics/DehogaflierTruck.jpg | Oct 01 01:16 | |
| schestowitz__ | "Maybe animals are a lot more smart than those hunters so they need high-tech gear to level the field." | Oct 01 01:16 |
| **** BEGIN LOGGING AT Wed Oct 1 01:59:53 2014 | ||
| *Now talking on #boycottnovell | Oct 01 01:59 | |
| *Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-social | Oct 01 01:59 | |
| *Topic for #boycottnovell set by schestowitz at Fri May 7 00:19:56 2010 | Oct 01 01:59 | |
| -ChanServ-[#boycottnovell] Welcome to the #boycottnovell channel | Oct 01 02:00 | |
| *libertyboxes (~liberty@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 01 02:00 | |
| *freedomrun has quit (Remote host closed the connection) | Oct 01 10:44 | |
| *pidgin_log has quit (Ping timeout: 272 seconds) | Oct 01 13:11 | |
| *schestowitz_log has quit (Ping timeout: 260 seconds) | Oct 01 13:12 | |
| *schestowitz__ has quit (Ping timeout: 272 seconds) | Oct 01 13:13 | |
| *schestowitz_log (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 01 13:13 | |
| *schestowitz_log has quit (Changing host) | Oct 01 13:13 | |
| *schestowitz_log (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 01 13:13 | |
| *ChanServ gives channel operator status to schestowitz_log | Oct 01 13:13 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 01 13:13 | |
| *schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 01 13:13 | |
| *ChanServ gives channel operator status to schestowitz__ | Oct 01 13:13 | |
| *pidgin_log has quit (Quit: Leaving.) | Oct 01 13:22 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 01 13:24 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Oct 01 14:45 | |
| *MinceR_ (~mincer@unaffiliated/mincer) has joined #boycottnovell | Oct 01 17:16 | |
| *ChanServ gives channel operator status to MinceR_ | Oct 01 17:18 | |
| *MinceR has quit (Read error: Connection reset by peer) | Oct 01 17:19 | |
| *MinceR_ is now known as MinceR | Oct 01 17:20 | |
| *freedomrun has quit (Read error: Connection reset by peer) | Oct 01 17:24 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Oct 01 22:39 | |
| *freedomrun has quit (Remote host closed the connection) | Oct 02 01:34 | |
| *schestowitz_log has quit (Ping timeout: 272 seconds) | Oct 02 03:08 | |
| *schestowitz_log (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 02 03:09 | |
| *ChanServ gives channel operator status to schestowitz_log | Oct 02 03:09 | |
| schestowitz__ | https://joindiaspora.com/posts/4833576 | Oct 02 06:00 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: More trolling from Brian Fagioli, who calls #microsoft "hero", said #firefox was anti-gay, and Linux anti-women http://betanews.com/2014/09/30/sorry-linux-fans-windows-10-will-continue-microsofts-desktop-domination/ | Oct 02 06:00 | |
| schestowitz__ | "Sounds like an Italian dish." | Oct 02 06:00 |
| -TechrightsBN/#boycottnovell--> betanews.com | Sorry Linux fans, Windows 10 will continue Microsoft's desktop domination [ http://ur1.ca/ia203 ] | Oct 02 06:00 | |
| schestowitz__ | "What low life." | Oct 02 06:00 |
| schestowitz__ | > Hi, Roy,> | Oct 02 14:18 |
| schestowitz__ | > I see that Tuxmachines has been down for a DDOS for many days. There is | Oct 02 14:18 |
| schestowitz__ | > a redirect to TR and Fossforce even had an article. | Oct 02 14:18 |
| schestowitz__ | The front page is redirected because it's the main target. There's some junk in referrer (well, I know there is always some junk there), which I think Varnish might interpret as unique and then pass to Apache. I am thinking it's about time to make better workarounds because the attacks don't just stop. | Oct 02 14:18 |
| schestowitz__ | Oct 02 14:18 | |
| schestowitz__ | > Is there an equivalent of fail2ban for Varnish that triggers on server | Oct 02 14:18 |
| schestowitz__ | > response codes? I'm guessing that to get through the varnish cache they | Oct 02 14:18 |
| schestowitz__ | > are sending junk URLs. Or is it varnish that is DDOSed? If it is junk | Oct 02 14:18 |
| schestowitz__ | > URLs a script can scan the log output and fire up an iptables rule to | Oct 02 14:18 |
| schestowitz__ | > block and then expire the block later. That is something which is | Oct 02 14:18 |
| schestowitz__ | > easier in PF but I think is doable with iptables. | Oct 02 14:18 |
| schestowitz__ | I didn't like pfsense when we set it us for a client because it caused some major cryptic issues and we ended up replacing it with Linux-based firewall. | Oct 02 14:18 |
| schestowitz__ | > To digress about the wiki, I remember that it was not possible to block | Oct 02 14:18 |
| schestowitz__ | > ip addresses in the wiki because it looked like everything was coming | Oct 02 14:18 |
| schestowitz__ | > from the varnish server. I found a possible way around that. | Oct 02 14:18 |
| schestowitz__ | > mod_setenv might be able to assign the HTTP header "X-Forwarded-For" to | Oct 02 14:18 |
| schestowitz__ | > an environment variable that the wiki could be then modified to swap in | Oct 02 14:18 |
| schestowitz__ | > for the source address: | Oct 02 14:18 |
| schestowitz__ | > | Oct 02 14:18 |
| schestowitz__ | > %{VARNAME}i The contents of VARNAME: header line(s) in the | Oct 02 14:18 |
| schestowitz__ | > request sent to the server. Changes made by other modules (e.g. | Oct 02 14:18 |
| schestowitz__ | > mod_headers) affect this. If you're interested in what the | Oct 02 14:18 |
| schestowitz__ | > request header was prior to when most modules would have | Oct 02 14:18 |
| schestowitz__ | > modified it, use mod_setenvif to copy the header into an | Oct 02 14:18 |
| schestowitz__ | > internal environment variable and log that value with the | Oct 02 14:18 |
| schestowitz__ | > %{VARNAME}e described above. | Oct 02 14:18 |
| schestowitz__ | > | Oct 02 14:19 |
| schestowitz__ | > - https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats | Oct 02 14:19 |
| -TechrightsBN/#boycottnovell-httpd.apache.org | mod_log_config - Apache HTTP Server Version 2.4 [ http://ur1.ca/iacww ] | Oct 02 14:19 | |
| schestowitz__ | > | Oct 02 14:19 |
| schestowitz__ | > That should be easy in Apache2 and the wiki would only need one line | Oct 02 14:19 |
| schestowitz__ | > added if the contents of one variable is substituted for another. | Oct 02 14:19 |
| schestowitz__ | > | Oct 02 14:19 |
| schestowitz__ | > But that would be for after things are settled with TM. | Oct 02 14:19 |
| schestowitz__ | People in TM told me that it's possible to address issues with Varnish and stats, for example, but I never found them crucial enough to do lots of work for. The Wiki of the site did get spam even if one had to sign up. | Oct 02 14:19 |
| schestowitz__ | On the other hand, a large client of ours is unable to do lots of staff due to caching, e.g. polls. I just wish Varnish didn't have this kind of weakness, or came with IP diversity solutions out of the box. | Oct 02 14:19 |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Oct 02 14:27 | |
| *freedomrun has quit (Read error: Connection reset by peer) | Oct 02 19:06 | |
| schestowitz__ | https://twitter.com/sgviews/status/517685775060963329 | Oct 02 21:26 |
| -TechrightsBN/#boycottnovell-@sgviews: @schestowitz Thank you for sharing | Oct 02 21:26 | |
| schestowitz__ | https://joindiaspora.com/posts/4841498 | Oct 02 22:21 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: "ownCloud is one of the biggest open source project written in PHP if you look into the latest statistics" http://karlitschek.de/2014/10/a-possible-future-for-php/http://karlitschek.de/2014/10/a-possible-future-for-php/ | Oct 02 22:21 | |
| schestowitz__ | "https://n-1.cc/ is also written in PHP" | Oct 02 22:21 |
| -TechrightsBN/#boycottnovell--> karlitschek.de | Frank Karlitschek_ » A possible future for PHP [ http://ur1.ca/iaf2a ] | Oct 02 22:21 | |
| schestowitz__ | "I love ownCloud, but I wish PHP apps were more secure :)" | Oct 02 22:21 |
| -TechrightsBN/#boycottnovell-n-1.cc | N-1 | Oct 02 22:21 | |
| schestowitz__ | Drupal and WordPress are PHP | Oct 02 22:21 |
| schestowitz__ | https://joindiaspora.com/posts/4841427 | Oct 02 22:22 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: "most powerful instrument of freedom and democracy ever seen, which is the Internet." http://www.laquadrature.net/en/open-letter-to-the-council-of-the-european-union-on-net-neutrality but also used for #surveillance | Oct 02 22:22 | |
| -TechrightsBN/#boycottnovell--> www.laquadrature.net | Open Letter to the Council of the European Union on Net Neutrality | La Quadrature du Net [ http://ur1.ca/iaf2f ] | Oct 02 22:22 | |
| schestowitz__ | "Indeed! The most powerful surveillance platform ever developed by humans." | Oct 02 22:22 |
| schestowitz__ | https://joindiaspora.com/posts/4841484 | Oct 02 22:22 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #ddos attacks (exclusively by #microsoft #windows botnets) have not stopped; #tuxmachines now 10 days under attack. Trying to mitigate. | Oct 02 22:22 | |
| schestowitz__ | "Someone is paying attention to your posts, at least you're not being ignored." | Oct 02 22:22 |
| schestowitz__ | https://joindiaspora.com/posts/4845186 | Oct 02 22:23 |
| schestowitz__ | "It's my favorite audio software. The only thing I don't like, it's the equalizer don't work in real time and this it's a big problem for me. I will view if the 2.0.6 solve this when will be available in my packets manager." | Oct 02 22:23 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #Audacity 2.0.6 http://www.neowin.net/news/audacity-206 | Oct 02 22:23 | |
| -TechrightsBN/#boycottnovell--> www.neowin.net | Audacity 2.0.6 - Neowin | Oct 02 22:23 | |
| schestowitz__ | I used it for all episodes of techbytes | Oct 02 22:23 |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Oct 02 22:25 | |
| schestowitz__ | https://twitter.com/sgviews/status/517685775060963329 | Oct 02 22:27 |
| *MinceR_ (~mincer@unaffiliated/mincer) has joined #boycottnovell | Oct 03 03:37 | |
| *MinceR has quit (Ping timeout: 260 seconds) | Oct 03 03:39 | |
| *pidgin_log has quit (Quit: Leaving.) | Oct 03 04:56 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 03 04:57 | |
| schestowitz__ | https://joindiaspora.com/posts/4839958 | Oct 03 05:11 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #freebsd embraces #uefi patent and restrictions mess from #intel http://news.softpedia.com/news/FreeBSD-10-1-Beta-3-Features-Even-More-UEFI-Improvements-460651.shtml | Oct 03 05:11 | |
| schestowitz__ | "There's not much choice. My Asus, for example, won't even boot FreeBSD 10.1 Beta 2. I hope it will do Beta 3. (I'm using kFreeBSD's install disk because its GRUB will boot my FreeBSD installation.)" | Oct 03 05:11 |
| -TechrightsBN/#boycottnovell--> news.softpedia.com | FreeBSD 10.1 Beta 3 Features Even More UEFI Improvements - Softpedia [ http://ur1.ca/iag0g ] | Oct 03 05:11 | |
| schestowitz__ | https://joindiaspora.com/posts/4840300 | Oct 03 05:11 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: elementary OS: Don't Hate Me Because I'm Beautiful http://news.softpedia.com/news/elementary-OS-Don-t-Hate-Me-Because-I-m-Beautiful-460713.shtml #gnu #linux | Oct 03 05:11 | |
| -TechrightsBN/#boycottnovell--> news.softpedia.com | elementary OS: Don't Hate Me Because I'm Beautiful - Softpedia [ http://ur1.ca/iacvh ] | Oct 03 05:11 | |
| schestowitz__ | "Unity is awesome. I'm using (sometime) multiple display, it is still verry usable and you can alwase add a dock like plank" | Oct 03 05:11 |
| schestowitz__ | https://joindiaspora.com/posts/4840408 | Oct 03 05:12 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: CUPS Turn 15 Years Old, CUPS 2.0 Released http://www.phoronix.com/scan.php?page=news_item&px=MTgwMjE #cups #unix | Oct 03 05:12 | |
| -TechrightsBN/#boycottnovell--> www.phoronix.com | [Phoronix] CUPS Turn 15 Years Old, CUPS 2.0 Released [ http://ur1.ca/iag0k ] | Oct 03 05:12 | |
| schestowitz__ | "Thank you Apple." | Oct 03 05:12 |
| schestowitz__ | https://joindiaspora.com/posts/4845186 | Oct 03 05:12 |
| schestowitz__ | "I too say +1 for #Audacity. It's the best." | Oct 03 05:12 |
| schestowitz__ | "The EPO's corruption, as I witnessed in 2008, is best understood by insiders. Every Monday I published one part (next Monday is part 5), so this too I will study and do a post about. Keep em coming :-)" | Oct 03 05:28 |
| schestowitz__ | -me | Oct 03 05:28 |
| schestowitz__ | -me | Oct 03 06:20 |
| schestowitz__ | #!/usr/bin/perl -T | Oct 03 06:20 |
| schestowitz__ | use strict; | Oct 03 06:20 |
| schestowitz__ | use warnings; | Oct 03 06:20 |
| schestowitz__ | # see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats | Oct 03 06:20 |
| -TechrightsBN/#boycottnovell-httpd.apache.org | mod_log_config - Apache HTTP Server Version 2.4 [ http://ur1.ca/iacww ] | Oct 03 06:20 | |
| schestowitz__ | my $varnish = qq(/usr/bin/varnishncsa -F "%h\t%l\t%u\t%t\t%r\t%s\t%b\t%{Referer}i\t%{User-agent}i" -m TxStatus:404); | Oct 03 06:20 |
| schestowitz__ | my $iptables = qq(/bin/echo); | Oct 03 06:20 |
| schestowitz__ | #/sbin/iptables); | Oct 03 06:20 |
| schestowitz__ | $ENV{PATH}=qq(/bin:/sbin:/usr/bin:/usr/sbin); # don't trust the provided path | Oct 03 06:20 |
| schestowitz__ | open( VARNISHLOG, "$varnish |" ) or die( "Could not run '$varnish' : $!\n" ); | Oct 03 06:20 |
| schestowitz__ | while ( my $line = <VARNISHLOG> ) { | Oct 03 06:20 |
| schestowitz__ | my ( $remote, undef, undef, $time, $request, $status, $size, $referer, $agent ) = split( /\t/, $line ); | Oct 03 06:20 |
| schestowitz__ | # proceed only with untainted $rhost if ( ( my $rhost ) = $remote =~ m/^([\w\.\-\_]*)$/s ) { | Oct 03 06:20 |
| schestowitz__ | my @args = ( | Oct 03 06:20 |
| schestowitz__ | '-A INPUT', | Oct 03 06:21 |
| schestowitz__ | '-p tcp', | Oct 03 06:21 |
| schestowitz__ | '-i eth0', | Oct 03 06:21 |
| schestowitz__ | '-m comment --comment "limit DDOS"', | Oct 03 06:21 |
| schestowitz__ | qq(--source $rhost), | Oct 03 06:21 |
| schestowitz__ | '--dport 80', | Oct 03 06:21 |
| schestowitz__ | '-j REJECT' | Oct 03 06:21 |
| schestowitz__ | ); | Oct 03 06:21 |
| schestowitz__ | system( $iptables, @args ) == 0 or die( "Could not run '$iptables' : $1 \n" ); | Oct 03 06:21 |
| schestowitz__ | } | Oct 03 06:21 |
| schestowitz__ | } | Oct 03 06:21 |
| schestowitz__ | close( VARNISHLOG ); | Oct 03 06:21 |
| *freedomrun has quit (Read error: Connection reset by peer) | Oct 03 06:28 | |
| *schestowitz__ has quit (Quit: Konversation term) | Oct 03 06:48 | |
| *schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 03 06:49 | |
| *ChanServ gives channel operator status to schestowitz__ | Oct 03 06:49 | |
| *MinceR_ is now known as MinceR | Oct 03 07:09 | |
| *ChanServ gives channel operator status to MinceR | Oct 03 07:09 | |
| schestowitz__ | > On 10/03/2014 11:20 AM, Roy Schestowitz wrote: | Oct 03 09:38 |
| schestowitz__ | >>> >> There shouldn't be a line break but it works in 2.4.7-1ubuntu4.1 in | Oct 03 09:38 |
| schestowitz__ | >>> >> Ubuntu 14.04 LTS. I could test in CentOS tomorrow, if needed, but | Oct 03 09:38 |
| schestowitz__ | >>> >> Apache2 should be the same in both. The location of the configuration | Oct 03 09:38 |
| schestowitz__ | >>> >> files would be different between Ubuntu and CentOS | Oct 03 09:38 |
| schestowitz__ | >> > | Oct 03 09:38 |
| schestowitz__ | >> > Does that go strictly in apache config file or can that also go into | Oct 03 09:38 |
| schestowitz__ | >> > .htaccess. I only tried the latter. | Oct 03 09:38 |
| schestowitz__ | > It has to go into the regular configuration file for that vhost. I just | Oct 03 09:38 |
| schestowitz__ | > tried it now in .htaccess and it had no effect. | Oct 03 09:38 |
| schestowitz__ | > | Oct 03 09:38 |
| schestowitz__ | > The Options for .htaccess are intentionally limited: | Oct 03 09:38 |
| schestowitz__ | > | Oct 03 09:38 |
| schestowitz__ | > https://httpd.apache.org/docs/2.4/mod/core.html#options | Oct 03 09:38 |
| schestowitz__ | I can try to put that in the vhost. I think the requirements quickly change however. i managed to redeem the front page temporarily as the attacker is targeting other pages now. Let's see if he returns to knocking on the front page. | Oct 03 09:38 |
| -TechrightsBN/#boycottnovell-httpd.apache.org | core - Apache HTTP Server Version 2.4 [ http://ur1.ca/iaggb ] | Oct 03 09:38 | |
| schestowitz__ | TM lost many visitors, inc. regulars, since the attacks began. So I can say the attacks were effective. | Oct 03 09:38 |
| schestowitz__ | Oct 03 09:38 | |
| schestowitz__ | > If you have access to the configuration file, then use of .htaccess | Oct 03 09:38 |
| schestowitz__ | > should be avoided anyway. | Oct 03 09:38 |
| schestowitz__ | > | Oct 03 09:38 |
| schestowitz__ | >> > Also, it would be wiser to block for | Oct 03 09:39 |
| schestowitz__ | >> > any referrer (referer [sic]) containing "aggregator" | Oct 03 09:39 |
| schestowitz__ | > As far as I can tell, it will take any PCRE syntax: | Oct 03 09:39 |
| schestowitz__ | > | Oct 03 09:39 |
| schestowitz__ | > https://httpd.apache.org/docs/2.4/glossary.html#regex | Oct 03 09:39 |
| schestowitz__ | > | Oct 03 09:39 |
| -TechrightsBN/#boycottnovell-httpd.apache.org | Glossary - Apache HTTP Server Version 2.4 [ http://ur1.ca/iagge ] | Oct 03 09:39 | |
| schestowitz__ | > and multiple instances of setenvif can be used. | Oct 03 09:39 |
| schestowitz__ | I will give that a go if the attack method becomes consistent, it changes every hour today. A good thing I was up all night... | Oct 03 09:39 |
| schestowitz__ | >> > the attacker now targets other landing points, inc. signup, register, | Oct 03 09:39 |
| schestowitz__ | >> > aggregator (blocked for 2 weeks), and forums (was blocked earlier). At | Oct 03 09:39 |
| schestowitz__ | >> > one stage he (of she? Unlikely!) bombarded many different nodes that are | Oct 03 09:39 |
| schestowitz__ | >> > real pages, which would pose a greater issue if that persisted (hard to | Oct 03 09:39 |
| schestowitz__ | >> > block). | Oct 03 09:39 |
| schestowitz__ | > Ok. The setenvif directive sent earlier matches on Referer {sic} so the | Oct 03 09:39 |
| schestowitz__ | > target URL is not relevant. | Oct 03 09:39 |
| schestowitz__ | > | Oct 03 09:39 |
| schestowitz__ | > Have you or your wife been nagging the ISPs of the guilty machines? | Oct 03 09:39 |
| schestowitz__ | Nagging ISPs about windows microsoft (exclusively) machines that attack my sites exercise in futility. New Windows PCs too easy to hijack. | Oct 03 09:39 |
| schestowitz__ | >> ... | Oct 03 10:04 |
| schestowitz__ | >>> https://httpd.apache.org/docs/2.4/mod/core.html#options | Oct 03 10:04 |
| -TechrightsBN/#boycottnovell-httpd.apache.org | core - Apache HTTP Server Version 2.4 [ http://ur1.ca/iaggb ] | Oct 03 10:04 | |
| schestowitz__ | >> | Oct 03 10:04 |
| schestowitz__ | >> I can try to put that in the vhost. I think the requirements quickly | Oct 03 10:04 |
| schestowitz__ | >> change however. i managed to redeem the front page temporarily as the | Oct 03 10:04 |
| schestowitz__ | >> attacker is targeting other pages now. Let's see if he returns to | Oct 03 10:04 |
| schestowitz__ | >> knocking on the front page. | Oct 03 10:05 |
| schestowitz__ | > | Oct 03 10:05 |
| schestowitz__ | > I can't think of another way around using the configuration file. | Oct 03 10:05 |
| schestowitz__ | It seems like a powerful tool. I'm prepared to use it shortly; for now, I think the attacker is not sure why he can't bring down the site... might take some hours to catch up. | Oct 03 10:05 |
| schestowitz__ | >> TM lost many visitors, inc. regulars, since the attacks began. So I can | Oct 03 10:05 |
| schestowitz__ | >> say the attacks were effective. | Oct 03 10:05 |
| schestowitz__ | > | Oct 03 10:05 |
| schestowitz__ | > :( They will come back, but first the DDOS has to be neutralized. | Oct 03 10:05 |
| schestowitz__ | Yes, I suppose the sympathy quotient might help. Still, many hours of work fighting DDOS, not posting articles... | Oct 03 10:05 |
| schestowitz__ | > I've looked around and preliminarily it looks like iptables can do | Oct 03 10:05 |
| schestowitz__ | > passive OS fingerprinting like PF can. That would make it possible to | Oct 03 10:05 |
| schestowitz__ | > do rate limiting on Windows machines, in theory. If that is possible, | Oct 03 10:05 |
| schestowitz__ | > it should be able to find a rate per second plus burst rate that allows | Oct 03 10:05 |
| schestowitz__ | > users to load a page but prevents a rapidfire attack. | Oct 03 10:05 |
| schestowitz__ | Maybe I can rate-limit for a particular URL, regardless of referer? If the attacker starts hammering on random pages (been done before), this would not work. | Oct 03 10:05 |
| schestowitz__ | >>> and multiple instances of setenvif can be used. | Oct 03 10:05 |
| schestowitz__ | >> | Oct 03 10:05 |
| schestowitz__ | >> I will give that a go if the attack method becomes consistent, it | Oct 03 10:05 |
| schestowitz__ | >> changes every hour today. A good thing I was up all night... | Oct 03 10:05 |
| schestowitz__ | >> ... | Oct 03 10:05 |
| schestowitz__ | > | Oct 03 10:05 |
| schestowitz__ | > How many hosts appear to be involved? I think that blocking the | Oct 03 10:05 |
| schestowitz__ | > incoming ip at the varnish server would be the way to go, or at least | Oct 03 10:05 |
| schestowitz__ | > one layer in the defense. | Oct 03 10:05 |
| schestowitz__ | It's possible that only a dozen machines are used. They target a particular area every ten minutes at the same time; they don't have the same HTTP headers. | Oct 03 10:05 |
| schestowitz__ | >>> I can't think of another way around using the configuration file.>> | Oct 03 10:18 |
| schestowitz__ | >> It seems like a powerful tool. I'm prepared to use it shortly; for now, | Oct 03 10:18 |
| schestowitz__ | >> I think the attacker is not sure why he can't bring down the site... | Oct 03 10:18 |
| schestowitz__ | >> might take some hours to catch up. | Oct 03 10:18 |
| schestowitz__ | > | Oct 03 10:18 |
| schestowitz__ | > Working more upstream, on the varnish server, would help because that is | Oct 03 10:18 |
| schestowitz__ | > the one that has direct contact with the offending machines. | Oct 03 10:18 |
| schestowitz__ | I'm not too good with varnish but I have full (root) access to the varnish server. Does that work with iptables? | Oct 03 10:18 |
| schestowitz__ | >>>> TM lost many visitors, inc. regulars, since the attacks began. So I can | Oct 03 10:18 |
| schestowitz__ | >>>> say the attacks were effective. | Oct 03 10:18 |
| schestowitz__ | >>> | Oct 03 10:18 |
| schestowitz__ | >>> :( They will come back, but first the DDOS has to be neutralized. | Oct 03 10:18 |
| schestowitz__ | >> | Oct 03 10:18 |
| schestowitz__ | >> Yes, I suppose the sympathy quotient might help. Still, many hours of | Oct 03 10:18 |
| schestowitz__ | >> work fighting DDOS, not posting articles... | Oct 03 10:18 |
| schestowitz__ | > | Oct 03 10:18 |
| schestowitz__ | > | Oct 03 10:18 |
| schestowitz__ | > | Oct 03 10:18 |
| schestowitz__ | >>> I've looked around and preliminarily it looks like iptables can do | Oct 03 10:18 |
| schestowitz__ | >>> passive OS fingerprinting like PF can. That would make it possible to | Oct 03 10:18 |
| schestowitz__ | >>> do rate limiting on Windows machines, in theory. If that is possible, | Oct 03 10:18 |
| schestowitz__ | >>> it should be able to find a rate per second plus burst rate that allows | Oct 03 10:18 |
| schestowitz__ | >>> users to load a page but prevents a rapidfire attack. | Oct 03 10:18 |
| schestowitz__ | >> | Oct 03 10:18 |
| schestowitz__ | >> Maybe I can rate-limit for a particular URL, regardless of referer? If | Oct 03 10:18 |
| schestowitz__ | >> the attacker starts hammering on random pages (been done before), this | Oct 03 10:18 |
| schestowitz__ | >> would not work. | Oct 03 10:18 |
| schestowitz__ | > | Oct 03 10:18 |
| schestowitz__ | > That would in some ways make it easer to DOS a particular URL, but it | Oct 03 10:18 |
| schestowitz__ | > might reduce the overall load on the machine. | Oct 03 10:18 |
| schestowitz__ | > | Oct 03 10:18 |
| schestowitz__ | > I see mod_evasive is in the Ubuntu repository as libapache2-mod-evasive. | Oct 03 10:18 |
| schestowitz__ | > The docs show that it might help with that, a problem I can predict is | Oct 03 10:18 |
| schestowitz__ | > that currently all the requests are coming to Apache fro the same IP | Oct 03 10:18 |
| schestowitz__ | > address -- the Varnish server. The module might be able in CentOS, too. | Oct 03 10:19 |
| schestowitz__ | > You are on CentOS 6? | Oct 03 10:19 |
| schestowitz__ | Yes | Oct 03 10:19 |
| schestowitz__ | > When I get home in aboiut 8 hours I can try | Oct 03 10:19 |
| schestowitz__ | > setting up CentOS on the LAN and trying a few things with limiting. | Oct 03 10:19 |
| schestowitz__ | I think I've managed to defeat the attacker, for now... logins and registrations are blocked (not a huge deal), but the front page is now accessible and load is OK. | Oct 03 10:19 |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Oct 03 10:34 | |
| schestowitz__ | >> I'm not too good with varnish but I have full (root) access to the | Oct 03 12:09 |
| schestowitz__ | >> varnish server. Does that work with iptables? | Oct 03 12:09 |
| schestowitz__ | > | Oct 03 12:09 |
| schestowitz__ | > If the OS has the Linux kernel (since 2.4) then it is using iptables. | Oct 03 12:09 |
| schestowitz__ | > Most mitigations I have been able to think of do not need to work with | Oct 03 12:09 |
| schestowitz__ | > the varnish configuration itself. But most parse the logs and you do | Oct 03 12:09 |
| schestowitz__ | > not have to be root to parse the varnish logs (a minor privacy and | Oct 03 12:09 |
| schestowitz__ | > security bug) but root accesses, or tweaked sudoers, is needed for | Oct 03 12:09 |
| schestowitz__ | > iptables configurations. | Oct 03 12:09 |
| schestowitz__ | > | Oct 03 12:09 |
| schestowitz__ | > Working with raw iptables on the varnish server, one needs a rule at the | Oct 03 12:09 |
| schestowitz__ | > top to allow established connections. | Oct 03 12:09 |
| schestowitz__ | > | Oct 03 12:09 |
| schestowitz__ | > iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED \ | Oct 03 12:09 |
| schestowitz__ | > -j ACCEPT | Oct 03 12:09 |
| schestowitz__ | > | Oct 03 12:09 |
| schestowitz__ | > Then near the top allowing incoming with some rate limiting. | Oct 03 12:09 |
| schestowitz__ | > | Oct 03 12:09 |
| schestowitz__ | > iptables -A INPUT -p icmp --icmp-type echo-request \ | Oct 03 12:09 |
| schestowitz__ | > -m limit --limit 1/s -i eth0 -j ACCEPT | Oct 03 12:10 |
| schestowitz__ | > | Oct 03 12:10 |
| schestowitz__ | > iptables -I INPUT -p TCP --dport 80 -m state --state NEW \ | Oct 03 12:10 |
| schestowitz__ | > -m limit --limit 60/minute --limit-burst 100 -j ACCEPT | Oct 03 12:10 |
| schestowitz__ | > | Oct 03 12:10 |
| schestowitz__ | > The --limit and --limit-burst would depend on the profile for normal use | Oct 03 12:10 |
| schestowitz__ | > for an incoming ip number. | Oct 03 12:10 |
| schestowitz__ | > | Oct 03 12:10 |
| schestowitz__ | > If you do try to adjust iptables, I would recommend using either an at | Oct 03 12:10 |
| schestowitz__ | > job to restore the last known working settings or else iptables-apply, | Oct 03 12:10 |
| schestowitz__ | > to prevent getting locked out. | Oct 03 12:10 |
| schestowitz__ | Can a command be crafted to tie burst limiting on a per-URL/request basis? Right now I managed to narrowly defeat bursts that mostly (not only) target the front page. If I could limit varnish access to this page to one per second, that would help solve the problem. I am observing the attacks in real time every 10 minutes to better understand them. It's like a game of Chess now and I win most rounds (rounds 10 minutes apart), but | Oct 03 12:10 |
| schestowitz__ | not all.. | Oct 03 12:10 |
| schestowitz__ | https://twitter.com/Metztli_IT/status/517998739911237633 | Oct 03 12:32 |
| -TechrightsBN/#boycottnovell-@Metztli_IT: ♺@schestowitz On Occupy Central’s Ties w/the #NED http://t.co/JxjNqkiudG #US pursues #oppression at home & #chaos abroad…#UmbrellaRevolution | Oct 03 12:32 | |
| -TechrightsBN/#boycottnovell--> www.commondreams.org | On Occupy Central’s Ties with the NED | Common Dreams | Breaking News & Views for the Progressive Community | Oct 03 12:32 | |
| schestowitz__ | I could use a script that checks average and when it rises above some number, it would swap a file (.htaccess), reload apache, then swap it back when the load is low again. Has this been done before? | Oct 03 13:05 |
| schestowitz__ | https://twitter.com/ender2038/status/518009453166465025 | Oct 03 13:09 |
| -TechrightsBN/#boycottnovell-@ender2038: @schestowitz then all the others are pro dem | Oct 03 13:09 | |
| *libertyboxes has quit (Quit: Konversation terminated!) | Oct 03 14:17 | |
| **** BEGIN LOGGING AT Sat Oct 11 09:36:22 2014 | ||
| BACKUP | ||
| *schestowitz_log_ has quit (Remote host closed the connection) | Sep 28 08:38 | |
| *schestowitz has quit (Read error: Connection reset by peer) | Sep 28 08:38 | |
| *schestowitz (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Sep 28 08:38 | |
| *schestowitz has quit (Changing host) | Sep 28 08:38 | |
| *schestowitz (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Sep 28 08:38 | |
| *ChanServ gives channel operator status to schestowitz | Sep 28 08:38 | |
| *schestowitz_log_ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Sep 28 08:38 | |
| *schestowitz_log_ has quit (Changing host) | Sep 28 08:38 | |
| *schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Sep 28 08:38 | |
| *ChanServ gives channel operator status to schestowitz_log_ | Sep 28 08:38 | |
| *cubelog has quit (Ping timeout: 272 seconds) | Sep 28 10:49 | |
| *cubelog (~cubeman@maxhost.org) has joined #boycottnovell | Sep 28 13:09 | |
| *cubelog has quit (Remote host closed the connection) | Sep 28 20:02 | |
| *cubelog (~cubeman@maxhost.org) has joined #boycottnovell | Sep 28 20:48 | |
| *edanny101_ (~edanny101@175.144.248.66) has joined #boycottnovell | Sep 29 04:25 | |
| *edanny101_ has quit (Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )) | Sep 29 04:30 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Sep 29 05:34 | |
| *freedomrun has quit (Remote host closed the connection) | Sep 29 06:38 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Sep 29 06:43 | |
| *freedomrun has quit (Remote host closed the connection) | Sep 29 08:14 | |
| *pidgin_log1 has quit (Quit: Leaving.) | Sep 29 08:29 | |
| *schestowitz__ has quit (Quit: Konversation term) | Sep 29 08:38 | |
| *schestowitz__ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Sep 29 13:03 | |
| *schestowitz__ has quit (Changing host) | Sep 29 13:03 | |
| *schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Sep 29 13:03 | |
| *ChanServ gives channel operator status to schestowitz__ | Sep 29 13:03 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Sep 29 13:03 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Sep 29 15:03 | |
| *freedomrun has quit (Read error: Connection reset by peer) | Sep 29 18:17 | |
| schestowitz__ | http://www.youtube.com/watch?v=ZcgTog780bs&list=UU0znI3dRWpNF8lvbPBTlzyw | Sep 30 00:03 |
| -TechrightsBN/#boycottnovell-www.youtube.com | Selfridges, BOY, The Third Reich and the Self Hating Gays - YouTube [ http://ur1.ca/i9jnm ] | Sep 30 00:03 | |
| schestowitz__ | > He's mostly been very well behaved on our site. Again, I've never met | Sep 30 00:18 |
| schestowitz__ | > him face to face, so I don't know why he turned bitter -- maybe he was | Sep 30 00:18 |
| schestowitz__ | > always like that. With me, he's always as nice as can be | Sep 30 00:18 |
| schestowitz__ | > | Sep 30 00:18 |
| schestowitz__ | > He gets accused of being a Microsoft shill a lot. Since quitting at | Sep 30 00:18 |
| schestowitz__ | > Fuduntu, he's taken to defending Microsoft a lot, which doesn't play | Sep 30 00:18 |
| schestowitz__ | > well on FOSS forums. You're free to call him to task in the comments, | Sep 30 00:18 |
| schestowitz__ | > although I'm not sure that would be productive. | Sep 30 00:18 |
| schestowitz__ | > | Sep 30 00:18 |
| schestowitz__ | > I'm sorry for any grief this has caused you. | Sep 30 00:18 |
| schestowitz__ | I never saw him accused of that. | Sep 30 00:18 |
| schestowitz__ | Either way, this didn't cause grief. I was just struggling to figure out who I could have said that about. Turns out, the error was his, not mine. | Sep 30 00:18 |
| schestowitz__ | https://joindiaspora.com/posts/4824143 | Sep 30 00:24 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #gnu #linux #pdf readers like #evince and #okular are mature enough and they make #adobe obsolete http://news.softpedia.com/news/Linux-No-Longer-Listed-as-Supported-Platform-for-Adobe-Reader-460372.shtml | Sep 30 00:24 | |
| -TechrightsBN/#boycottnovell--> news.softpedia.com | Linux No Longer Listed as Supported Platform for Adobe Reader - Softpedia [ http://ur1.ca/i9k58 ] | Sep 30 00:24 | |
| schestowitz__ | "Agreed. I wouldn't use Adobe's Reader on my system at all. If someone required me to use it for work, I would find another way around the problem." | Sep 30 00:24 |
| schestowitz__ | "You don't even need a PDF reader. Firefox has pdf.js, and while I wouldn't recommend Chrome that has a PDF reader too." | Sep 30 00:24 |
| schestowitz__ | "Okular is still way more performant for huge PDFs which contain a lot of scanned images. But pdf.js is still great to have.' | Sep 30 00:25 |
| *libertybox_ has quit (Remote host closed the connection) | Sep 30 01:40 | |
| *libertyboxes (~liberty@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Sep 30 01:41 | |
| *TechrightsBN has quit (Read error: Connection reset by peer) | Sep 30 02:13 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Sep 30 03:29 | |
| schestowitz__ | > If you don't mind, keep me updated on the Tux Machines situation. When | Sep 30 07:46 |
| schestowitz__ | > you're back up and running we'll help get the word out. | Sep 30 07:46 |
| schestowitz__ | I have just checked again. The botnet is still active, but the bursts gradually reduce in terms of scale, not enough to unblock parts of the site. | Sep 30 07:46 |
| *TechrightsBN (~b0t@mail.copilotco.com) has joined #boycottnovell | Sep 30 07:51 | |
| TechrightsBN | Hello World! I'm TechrightsBN running phIRCe v0.75 | Sep 30 07:51 |
| schestowitz__ | https://joindiaspora.com/posts/4825946 | Oct 01 00:17 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: I find is utterly astounding the Western media spends more time bemoaning trauma of 'pilots', not victims on ground http://www.huffingtonpost.com/2014/09/29/military-drone-operators_n_5899478.html?utm_hp_ref=politics | Oct 01 00:17 | |
| -TechrightsBN/#boycottnovell--> www.huffingtonpost.com | Military Drone Operators Can Feel Emotional Strains Of War [ http://ur1.ca/i9omn ] | Oct 01 00:17 | |
| schestowitz__ | "Cry me a river." | Oct 01 00:17 |
| schestowitz__ | https://joindiaspora.com/posts/4825863 | Oct 01 00:19 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: 'Hunting' with automatic rifles http://earthisland.org/elist/graphics/DehogaflierTruck.jpg | Oct 01 00:19 | |
| schestowitz__ | "Maybe animals are a lot more smart than those hunters so they need high-tech gear to level the field." | Oct 01 00:19 |
| *liberty_back has quit (Ping timeout: 258 seconds) | Oct 01 00:44 | |
| *libertyboxes has quit (Ping timeout: 240 seconds) | Oct 01 00:45 | |
| *liberty_back (~Liberium@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 01 01:03 | |
| *libertyboxes (~liberty@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 01 01:03 | |
| *freedomrun has quit (Remote host closed the connection) | Oct 01 09:47 | |
| *Disconnected (). | Oct 01 12:13 | |
| **** ENDING LOGGING AT Wed Oct 1 12:13:05 2014 | ||
| **** BEGIN LOGGING AT Wed Oct 1 12:17:02 2014 | ||
| *Now talking on #boycottnovell | Oct 01 12:17 | |
| *Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-social | Oct 01 12:17 | |
| *Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010 | Oct 01 12:17 | |
| -ChanServ-[#boycottnovell] Welcome to the #boycottnovell channel | Oct 01 12:17 | |
| *ChanServ gives channel operator status to schestowitz_log | Oct 01 12:17 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 01 12:17 | |
| *schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 01 12:17 | |
| *ChanServ gives channel operator status to schestowitz__ | Oct 01 12:17 | |
| *pidgin_log has quit (Quit: Leaving.) | Oct 01 12:25 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 01 12:27 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Oct 01 13:48 | |
| *MinceR_ (~mincer@unaffiliated/mincer) has joined #boycottnovell | Oct 01 16:20 | |
| *ChanServ gives channel operator status to MinceR_ | Oct 01 16:21 | |
| *MinceR has quit (Read error: Connection reset by peer) | Oct 01 16:22 | |
| *MinceR_ is now known as MinceR | Oct 01 16:23 | |
| *freedomrun has quit (Read error: Connection reset by peer) | Oct 01 16:27 | |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Oct 01 21:42 | |
| *freedomrun has quit (Remote host closed the connection) | Oct 02 00:37 | |
| *Disconnected (Connection reset by peer). | Oct 02 02:11 | |
| **** ENDING LOGGING AT Thu Oct 2 02:11:55 2014 | ||
| **** BEGIN LOGGING AT Thu Oct 2 02:12:23 2014 | ||
| *Now talking on #boycottnovell | Oct 02 02:12 | |
| *Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-social | Oct 02 02:12 | |
| *Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010 | Oct 02 02:12 | |
| -ChanServ-[#boycottnovell] Welcome to the #boycottnovell channel | Oct 02 02:12 | |
| *ChanServ gives channel operator status to schestowitz_log | Oct 02 02:12 | |
| schestowitz__ | https://joindiaspora.com/posts/4833576 | Oct 02 05:04 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: More trolling from Brian Fagioli, who calls #microsoft "hero", said #firefox was anti-gay, and Linux anti-women http://betanews.com/2014/09/30/sorry-linux-fans-windows-10-will-continue-microsofts-desktop-domination/ | Oct 02 05:04 | |
| schestowitz__ | "Sounds like an Italian dish." | Oct 02 05:04 |
| -TechrightsBN/#boycottnovell--> betanews.com | Sorry Linux fans, Windows 10 will continue Microsoft's desktop domination [ http://ur1.ca/ia203 ] | Oct 02 05:04 | |
| schestowitz__ | "What low life." | Oct 02 05:04 |
| schestowitz__ | > Hi, Roy,> | Oct 02 13:21 |
| schestowitz__ | > I see that Tuxmachines has been down for a DDOS for many days. There is | Oct 02 13:21 |
| schestowitz__ | > a redirect to TR and Fossforce even had an article. | Oct 02 13:21 |
| schestowitz__ | The front page is redirected because it's the main target. There's some junk in referrer (well, I know there is always some junk there), which I think Varnish might interpret as unique and then pass to Apache. I am thinking it's about time to make better workarounds because the attacks don't just stop. | Oct 02 13:21 |
| schestowitz__ | Oct 02 13:21 | |
| schestowitz__ | > Is there an equivalent of fail2ban for Varnish that triggers on server | Oct 02 13:21 |
| schestowitz__ | > response codes? I'm guessing that to get through the varnish cache they | Oct 02 13:21 |
| schestowitz__ | > are sending junk URLs. Or is it varnish that is DDOSed? If it is junk | Oct 02 13:21 |
| schestowitz__ | > URLs a script can scan the log output and fire up an iptables rule to | Oct 02 13:21 |
| schestowitz__ | > block and then expire the block later. That is something which is | Oct 02 13:21 |
| schestowitz__ | > easier in PF but I think is doable with iptables. | Oct 02 13:21 |
| schestowitz__ | I didn't like pfsense when we set it us for a client because it caused some major cryptic issues and we ended up replacing it with Linux-based firewall. | Oct 02 13:21 |
| schestowitz__ | > To digress about the wiki, I remember that it was not possible to block | Oct 02 13:22 |
| schestowitz__ | > ip addresses in the wiki because it looked like everything was coming | Oct 02 13:22 |
| schestowitz__ | > from the varnish server. I found a possible way around that. | Oct 02 13:22 |
| schestowitz__ | > mod_setenv might be able to assign the HTTP header "X-Forwarded-For" to | Oct 02 13:22 |
| schestowitz__ | > an environment variable that the wiki could be then modified to swap in | Oct 02 13:22 |
| schestowitz__ | > for the source address: | Oct 02 13:22 |
| schestowitz__ | > | Oct 02 13:22 |
| schestowitz__ | > %{VARNAME}i The contents of VARNAME: header line(s) in the | Oct 02 13:22 |
| schestowitz__ | > request sent to the server. Changes made by other modules (e.g. | Oct 02 13:22 |
| schestowitz__ | > mod_headers) affect this. If you're interested in what the | Oct 02 13:22 |
| schestowitz__ | > request header was prior to when most modules would have | Oct 02 13:22 |
| schestowitz__ | > modified it, use mod_setenvif to copy the header into an | Oct 02 13:22 |
| schestowitz__ | > internal environment variable and log that value with the | Oct 02 13:22 |
| schestowitz__ | > %{VARNAME}e described above. | Oct 02 13:22 |
| schestowitz__ | > | Oct 02 13:22 |
| schestowitz__ | > - https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats | Oct 02 13:22 |
| schestowitz__ | > | Oct 02 13:22 |
| -TechrightsBN/#boycottnovell-httpd.apache.org | mod_log_config - Apache HTTP Server Version 2.4 [ http://ur1.ca/iacww ] | Oct 02 13:22 | |
| schestowitz__ | > That should be easy in Apache2 and the wiki would only need one line | Oct 02 13:22 |
| schestowitz__ | > added if the contents of one variable is substituted for another. | Oct 02 13:22 |
| schestowitz__ | > | Oct 02 13:22 |
| schestowitz__ | > But that would be for after things are settled with TM. | Oct 02 13:22 |
| schestowitz__ | People in TM told me that it's possible to address issues with Varnish and stats, for example, but I never found them crucial enough to do lots of work for. The Wiki of the site did get spam even if one had to sign up. | Oct 02 13:22 |
| schestowitz__ | On the other hand, a large client of ours is unable to do lots of staff due to caching, e.g. polls. I just wish Varnish didn't have this kind of weakness, or came with IP diversity solutions out of the box. | Oct 02 13:22 |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Oct 02 13:30 | |
| *freedomrun has quit (Read error: Connection reset by peer) | Oct 02 18:09 | |
| schestowitz__ | https://twitter.com/sgviews/status/517685775060963329 | Oct 02 20:29 |
| -TechrightsBN/#boycottnovell-@sgviews: @schestowitz Thank you for sharing | Oct 02 20:29 | |
| schestowitz__ | https://joindiaspora.com/posts/4841498 | Oct 02 21:24 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: "ownCloud is one of the biggest open source project written in PHP if you look into the latest statistics" http://karlitschek.de/2014/10/a-possible-future-for-php/http://karlitschek.de/2014/10/a-possible-future-for-php/ | Oct 02 21:24 | |
| schestowitz__ | "https://n-1.cc/ is also written in PHP" | Oct 02 21:24 |
| -TechrightsBN/#boycottnovell--> karlitschek.de | Frank Karlitschek_ » A possible future for PHP [ http://ur1.ca/iaf2a ] | Oct 02 21:24 | |
| schestowitz__ | "I love ownCloud, but I wish PHP apps were more secure :)" | Oct 02 21:24 |
| -TechrightsBN/#boycottnovell-n-1.cc | N-1 | Oct 02 21:24 | |
| schestowitz__ | Drupal and WordPress are PHP | Oct 02 21:24 |
| schestowitz__ | https://joindiaspora.com/posts/4841427 | Oct 02 21:25 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: "most powerful instrument of freedom and democracy ever seen, which is the Internet." http://www.laquadrature.net/en/open-letter-to-the-council-of-the-european-union-on-net-neutrality but also used for #surveillance | Oct 02 21:25 | |
| -TechrightsBN/#boycottnovell--> www.laquadrature.net | Open Letter to the Council of the European Union on Net Neutrality | La Quadrature du Net [ http://ur1.ca/iaf2f ] | Oct 02 21:25 | |
| schestowitz__ | "Indeed! The most powerful surveillance platform ever developed by humans." | Oct 02 21:25 |
| schestowitz__ | https://joindiaspora.com/posts/4841484 | Oct 02 21:26 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #ddos attacks (exclusively by #microsoft #windows botnets) have not stopped; #tuxmachines now 10 days under attack. Trying to mitigate. | Oct 02 21:26 | |
| schestowitz__ | "Someone is paying attention to your posts, at least you're not being ignored." | Oct 02 21:26 |
| schestowitz__ | https://joindiaspora.com/posts/4845186 | Oct 02 21:26 |
| schestowitz__ | "It's my favorite audio software. The only thing I don't like, it's the equalizer don't work in real time and this it's a big problem for me. I will view if the 2.0.6 solve this when will be available in my packets manager." | Oct 02 21:26 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #Audacity 2.0.6 http://www.neowin.net/news/audacity-206 | Oct 02 21:26 | |
| -TechrightsBN/#boycottnovell--> www.neowin.net | Audacity 2.0.6 - Neowin | Oct 02 21:26 | |
| schestowitz__ | I used it for all episodes of techbytes | Oct 02 21:27 |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Oct 02 21:28 | |
| schestowitz__ | https://twitter.com/sgviews/status/517685775060963329 | Oct 02 21:30 |
| *MinceR_ (~mincer@unaffiliated/mincer) has joined #boycottnovell | Oct 03 02:40 | |
| *MinceR has quit (Ping timeout: 260 seconds) | Oct 03 02:42 | |
| *pidgin_log has quit (Quit: Leaving.) | Oct 03 04:00 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 03 04:00 | |
| schestowitz__ | https://joindiaspora.com/posts/4839958 | Oct 03 04:14 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #freebsd embraces #uefi patent and restrictions mess from #intel http://news.softpedia.com/news/FreeBSD-10-1-Beta-3-Features-Even-More-UEFI-Improvements-460651.shtml | Oct 03 04:14 | |
| schestowitz__ | "There's not much choice. My Asus, for example, won't even boot FreeBSD 10.1 Beta 2. I hope it will do Beta 3. (I'm using kFreeBSD's install disk because its GRUB will boot my FreeBSD installation.)" | Oct 03 04:14 |
| -TechrightsBN/#boycottnovell--> news.softpedia.com | FreeBSD 10.1 Beta 3 Features Even More UEFI Improvements - Softpedia [ http://ur1.ca/iag0g ] | Oct 03 04:14 | |
| schestowitz__ | https://joindiaspora.com/posts/4840300 | Oct 03 04:15 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: elementary OS: Don't Hate Me Because I'm Beautiful http://news.softpedia.com/news/elementary-OS-Don-t-Hate-Me-Because-I-m-Beautiful-460713.shtml #gnu #linux | Oct 03 04:15 | |
| -TechrightsBN/#boycottnovell--> news.softpedia.com | elementary OS: Don't Hate Me Because I'm Beautiful - Softpedia [ http://ur1.ca/iacvh ] | Oct 03 04:15 | |
| schestowitz__ | "Unity is awesome. I'm using (sometime) multiple display, it is still verry usable and you can alwase add a dock like plank" | Oct 03 04:15 |
| schestowitz__ | https://joindiaspora.com/posts/4840408 | Oct 03 04:15 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: CUPS Turn 15 Years Old, CUPS 2.0 Released http://www.phoronix.com/scan.php?page=news_item&px=MTgwMjE #cups #unix | Oct 03 04:15 | |
| -TechrightsBN/#boycottnovell--> www.phoronix.com | [Phoronix] CUPS Turn 15 Years Old, CUPS 2.0 Released [ http://ur1.ca/iag0k ] | Oct 03 04:15 | |
| schestowitz__ | "Thank you Apple." | Oct 03 04:15 |
| schestowitz__ | https://joindiaspora.com/posts/4845186 | Oct 03 04:16 |
| schestowitz__ | "I too say +1 for #Audacity. It's the best." | Oct 03 04:16 |
| schestowitz__ | "The EPO's corruption, as I witnessed in 2008, is best understood by insiders. Every Monday I published one part (next Monday is part 5), so this too I will study and do a post about. Keep em coming :-)" | Oct 03 04:31 |
| schestowitz__ | -me | Oct 03 04:31 |
| schestowitz__ | -me | Oct 03 05:24 |
| schestowitz__ | #!/usr/bin/perl -T | Oct 03 05:24 |
| schestowitz__ | use strict; | Oct 03 05:24 |
| schestowitz__ | use warnings; | Oct 03 05:24 |
| schestowitz__ | # see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats | Oct 03 05:24 |
| -TechrightsBN/#boycottnovell-httpd.apache.org | mod_log_config - Apache HTTP Server Version 2.4 [ http://ur1.ca/iacww ] | Oct 03 05:24 | |
| schestowitz__ | my $varnish = qq(/usr/bin/varnishncsa -F "%h\t%l\t%u\t%t\t%r\t%s\t%b\t%{Referer}i\t%{User-agent}i" -m TxStatus:404); | Oct 03 05:24 |
| schestowitz__ | my $iptables = qq(/bin/echo); | Oct 03 05:24 |
| schestowitz__ | #/sbin/iptables); | Oct 03 05:24 |
| schestowitz__ | $ENV{PATH}=qq(/bin:/sbin:/usr/bin:/usr/sbin); # don't trust the provided path | Oct 03 05:24 |
| schestowitz__ | open( VARNISHLOG, "$varnish |" ) or die( "Could not run '$varnish' : $!\n" ); | Oct 03 05:24 |
| schestowitz__ | while ( my $line = <VARNISHLOG> ) { | Oct 03 05:24 |
| schestowitz__ | my ( $remote, undef, undef, $time, $request, $status, $size, $referer, $agent ) = split( /\t/, $line ); | Oct 03 05:24 |
| schestowitz__ | # proceed only with untainted $rhost if ( ( my $rhost ) = $remote =~ m/^([\w\.\-\_]*)$/s ) { | Oct 03 05:24 |
| schestowitz__ | my @args = ( | Oct 03 05:24 |
| schestowitz__ | '-A INPUT', | Oct 03 05:24 |
| schestowitz__ | '-p tcp', | Oct 03 05:24 |
| schestowitz__ | '-i eth0', | Oct 03 05:24 |
| schestowitz__ | '-m comment --comment "limit DDOS"', | Oct 03 05:24 |
| schestowitz__ | qq(--source $rhost), | Oct 03 05:24 |
| schestowitz__ | '--dport 80', | Oct 03 05:24 |
| schestowitz__ | '-j REJECT' | Oct 03 05:24 |
| schestowitz__ | ); | Oct 03 05:24 |
| schestowitz__ | system( $iptables, @args ) == 0 or die( "Could not run '$iptables' : $1 \n" ); | Oct 03 05:24 |
| schestowitz__ | } | Oct 03 05:24 |
| schestowitz__ | } | Oct 03 05:24 |
| schestowitz__ | close( VARNISHLOG ); | Oct 03 05:24 |
| *freedomrun has quit (Read error: Connection reset by peer) | Oct 03 05:32 | |
| *schestowitz__ has quit (Quit: Konversation term) | Oct 03 05:51 | |
| *schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 03 05:52 | |
| *ChanServ gives channel operator status to schestowitz__ | Oct 03 05:52 | |
| *MinceR_ is now known as MinceR | Oct 03 06:12 | |
| *ChanServ gives channel operator status to MinceR | Oct 03 06:12 | |
| schestowitz__ | > On 10/03/2014 11:20 AM, Roy Schestowitz wrote: | Oct 03 08:41 |
| schestowitz__ | >>> >> There shouldn't be a line break but it works in 2.4.7-1ubuntu4.1 in | Oct 03 08:41 |
| schestowitz__ | >>> >> Ubuntu 14.04 LTS. I could test in CentOS tomorrow, if needed, but | Oct 03 08:42 |
| schestowitz__ | >>> >> Apache2 should be the same in both. The location of the configuration | Oct 03 08:42 |
| schestowitz__ | >>> >> files would be different between Ubuntu and CentOS | Oct 03 08:42 |
| schestowitz__ | >> > | Oct 03 08:42 |
| schestowitz__ | >> > Does that go strictly in apache config file or can that also go into | Oct 03 08:42 |
| schestowitz__ | >> > .htaccess. I only tried the latter. | Oct 03 08:42 |
| schestowitz__ | > It has to go into the regular configuration file for that vhost. I just | Oct 03 08:42 |
| schestowitz__ | > tried it now in .htaccess and it had no effect. | Oct 03 08:42 |
| schestowitz__ | > | Oct 03 08:42 |
| schestowitz__ | > The Options for .htaccess are intentionally limited: | Oct 03 08:42 |
| schestowitz__ | > | Oct 03 08:42 |
| schestowitz__ | > https://httpd.apache.org/docs/2.4/mod/core.html#options | Oct 03 08:42 |
| schestowitz__ | I can try to put that in the vhost. I think the requirements quickly change however. i managed to redeem the front page temporarily as the attacker is targeting other pages now. Let's see if he returns to knocking on the front page. | Oct 03 08:42 |
| -TechrightsBN/#boycottnovell-httpd.apache.org | core - Apache HTTP Server Version 2.4 [ http://ur1.ca/iaggb ] | Oct 03 08:42 | |
| schestowitz__ | TM lost many visitors, inc. regulars, since the attacks began. So I can say the attacks were effective. | Oct 03 08:42 |
| schestowitz__ | Oct 03 08:42 | |
| schestowitz__ | > If you have access to the configuration file, then use of .htaccess | Oct 03 08:42 |
| schestowitz__ | > should be avoided anyway. | Oct 03 08:42 |
| schestowitz__ | > | Oct 03 08:42 |
| schestowitz__ | >> > Also, it would be wiser to block for | Oct 03 08:42 |
| schestowitz__ | >> > any referrer (referer [sic]) containing "aggregator" | Oct 03 08:42 |
| schestowitz__ | > As far as I can tell, it will take any PCRE syntax: | Oct 03 08:42 |
| schestowitz__ | > | Oct 03 08:42 |
| schestowitz__ | > https://httpd.apache.org/docs/2.4/glossary.html#regex | Oct 03 08:42 |
| schestowitz__ | > | Oct 03 08:42 |
| -TechrightsBN/#boycottnovell-httpd.apache.org | Glossary - Apache HTTP Server Version 2.4 [ http://ur1.ca/iagge ] | Oct 03 08:42 | |
| schestowitz__ | > and multiple instances of setenvif can be used. | Oct 03 08:42 |
| schestowitz__ | I will give that a go if the attack method becomes consistent, it changes every hour today. A good thing I was up all night... | Oct 03 08:42 |
| schestowitz__ | >> > the attacker now targets other landing points, inc. signup, register, | Oct 03 08:42 |
| schestowitz__ | >> > aggregator (blocked for 2 weeks), and forums (was blocked earlier). At | Oct 03 08:42 |
| schestowitz__ | >> > one stage he (of she? Unlikely!) bombarded many different nodes that are | Oct 03 08:42 |
| schestowitz__ | >> > real pages, which would pose a greater issue if that persisted (hard to | Oct 03 08:42 |
| schestowitz__ | >> > block). | Oct 03 08:42 |
| schestowitz__ | > Ok. The setenvif directive sent earlier matches on Referer {sic} so the | Oct 03 08:42 |
| schestowitz__ | > target URL is not relevant. | Oct 03 08:42 |
| schestowitz__ | > | Oct 03 08:42 |
| schestowitz__ | > Have you or your wife been nagging the ISPs of the guilty machines? | Oct 03 08:42 |
| schestowitz__ | Nagging ISPs about windows microsoft (exclusively) machines that attack my sites exercise in futility. New Windows PCs too easy to hijack. | Oct 03 08:42 |
| schestowitz__ | >> ... | Oct 03 09:08 |
| schestowitz__ | >>> https://httpd.apache.org/docs/2.4/mod/core.html#options | Oct 03 09:08 |
| -TechrightsBN/#boycottnovell-httpd.apache.org | core - Apache HTTP Server Version 2.4 [ http://ur1.ca/iaggb ] | Oct 03 09:08 | |
| schestowitz__ | >> | Oct 03 09:08 |
| schestowitz__ | >> I can try to put that in the vhost. I think the requirements quickly | Oct 03 09:08 |
| schestowitz__ | >> change however. i managed to redeem the front page temporarily as the | Oct 03 09:08 |
| schestowitz__ | >> attacker is targeting other pages now. Let's see if he returns to | Oct 03 09:08 |
| schestowitz__ | >> knocking on the front page. | Oct 03 09:08 |
| schestowitz__ | > | Oct 03 09:08 |
| schestowitz__ | > I can't think of another way around using the configuration file. | Oct 03 09:08 |
| schestowitz__ | It seems like a powerful tool. I'm prepared to use it shortly; for now, I think the attacker is not sure why he can't bring down the site... might take some hours to catch up. | Oct 03 09:08 |
| schestowitz__ | >> TM lost many visitors, inc. regulars, since the attacks began. So I can | Oct 03 09:08 |
| schestowitz__ | >> say the attacks were effective. | Oct 03 09:08 |
| schestowitz__ | > | Oct 03 09:08 |
| schestowitz__ | > :( They will come back, but first the DDOS has to be neutralized. | Oct 03 09:08 |
| schestowitz__ | Yes, I suppose the sympathy quotient might help. Still, many hours of work fighting DDOS, not posting articles... | Oct 03 09:08 |
| schestowitz__ | > I've looked around and preliminarily it looks like iptables can do | Oct 03 09:08 |
| schestowitz__ | > passive OS fingerprinting like PF can. That would make it possible to | Oct 03 09:08 |
| schestowitz__ | > do rate limiting on Windows machines, in theory. If that is possible, | Oct 03 09:08 |
| schestowitz__ | > it should be able to find a rate per second plus burst rate that allows | Oct 03 09:08 |
| schestowitz__ | > users to load a page but prevents a rapidfire attack. | Oct 03 09:08 |
| schestowitz__ | Maybe I can rate-limit for a particular URL, regardless of referer? If the attacker starts hammering on random pages (been done before), this would not work. | Oct 03 09:08 |
| schestowitz__ | >>> and multiple instances of setenvif can be used. | Oct 03 09:08 |
| schestowitz__ | >> | Oct 03 09:08 |
| schestowitz__ | >> I will give that a go if the attack method becomes consistent, it | Oct 03 09:08 |
| schestowitz__ | >> changes every hour today. A good thing I was up all night... | Oct 03 09:08 |
| schestowitz__ | >> ... | Oct 03 09:08 |
| schestowitz__ | > | Oct 03 09:08 |
| schestowitz__ | > How many hosts appear to be involved? I think that blocking the | Oct 03 09:08 |
| schestowitz__ | > incoming ip at the varnish server would be the way to go, or at least | Oct 03 09:08 |
| schestowitz__ | > one layer in the defense. | Oct 03 09:09 |
| schestowitz__ | It's possible that only a dozen machines are used. They target a particular area every ten minutes at the same time; they don't have the same HTTP headers. | Oct 03 09:09 |
| schestowitz__ | >>> I can't think of another way around using the configuration file.>> | Oct 03 09:21 |
| schestowitz__ | >> It seems like a powerful tool. I'm prepared to use it shortly; for now, | Oct 03 09:21 |
| schestowitz__ | >> I think the attacker is not sure why he can't bring down the site... | Oct 03 09:21 |
| schestowitz__ | >> might take some hours to catch up. | Oct 03 09:21 |
| schestowitz__ | > | Oct 03 09:21 |
| schestowitz__ | > Working more upstream, on the varnish server, would help because that is | Oct 03 09:21 |
| schestowitz__ | > the one that has direct contact with the offending machines. | Oct 03 09:21 |
| schestowitz__ | I'm not too good with varnish but I have full (root) access to the varnish server. Does that work with iptables? | Oct 03 09:21 |
| schestowitz__ | >>>> TM lost many visitors, inc. regulars, since the attacks began. So I can | Oct 03 09:21 |
| schestowitz__ | >>>> say the attacks were effective. | Oct 03 09:21 |
| schestowitz__ | >>> | Oct 03 09:21 |
| schestowitz__ | >>> :( They will come back, but first the DDOS has to be neutralized. | Oct 03 09:21 |
| schestowitz__ | >> | Oct 03 09:21 |
| schestowitz__ | >> Yes, I suppose the sympathy quotient might help. Still, many hours of | Oct 03 09:21 |
| schestowitz__ | >> work fighting DDOS, not posting articles... | Oct 03 09:21 |
| schestowitz__ | > | Oct 03 09:21 |
| schestowitz__ | > | Oct 03 09:21 |
| schestowitz__ | > | Oct 03 09:22 |
| schestowitz__ | >>> I've looked around and preliminarily it looks like iptables can do | Oct 03 09:22 |
| schestowitz__ | >>> passive OS fingerprinting like PF can. That would make it possible to | Oct 03 09:22 |
| schestowitz__ | >>> do rate limiting on Windows machines, in theory. If that is possible, | Oct 03 09:22 |
| schestowitz__ | >>> it should be able to find a rate per second plus burst rate that allows | Oct 03 09:22 |
| schestowitz__ | >>> users to load a page but prevents a rapidfire attack. | Oct 03 09:22 |
| schestowitz__ | >> | Oct 03 09:22 |
| schestowitz__ | >> Maybe I can rate-limit for a particular URL, regardless of referer? If | Oct 03 09:22 |
| schestowitz__ | >> the attacker starts hammering on random pages (been done before), this | Oct 03 09:22 |
| schestowitz__ | >> would not work. | Oct 03 09:22 |
| schestowitz__ | > | Oct 03 09:22 |
| schestowitz__ | > That would in some ways make it easer to DOS a particular URL, but it | Oct 03 09:22 |
| schestowitz__ | > might reduce the overall load on the machine. | Oct 03 09:22 |
| schestowitz__ | > | Oct 03 09:22 |
| schestowitz__ | > I see mod_evasive is in the Ubuntu repository as libapache2-mod-evasive. | Oct 03 09:22 |
| schestowitz__ | > The docs show that it might help with that, a problem I can predict is | Oct 03 09:22 |
| schestowitz__ | > that currently all the requests are coming to Apache fro the same IP | Oct 03 09:22 |
| schestowitz__ | > address -- the Varnish server. The module might be able in CentOS, too. | Oct 03 09:22 |
| schestowitz__ | > You are on CentOS 6? | Oct 03 09:22 |
| schestowitz__ | Yes | Oct 03 09:22 |
| schestowitz__ | > When I get home in aboiut 8 hours I can try | Oct 03 09:22 |
| schestowitz__ | > setting up CentOS on the LAN and trying a few things with limiting. | Oct 03 09:22 |
| schestowitz__ | I think I've managed to defeat the attacker, for now... logins and registrations are blocked (not a huge deal), but the front page is now accessible and load is OK. | Oct 03 09:22 |
| *freedomrun (~quassel@unaffiliated/freedomrun) has joined #boycottnovell | Oct 03 09:37 | |
| schestowitz__ | >> I'm not too good with varnish but I have full (root) access to the | Oct 03 11:12 |
| schestowitz__ | >> varnish server. Does that work with iptables? | Oct 03 11:12 |
| schestowitz__ | > | Oct 03 11:13 |
| schestowitz__ | > If the OS has the Linux kernel (since 2.4) then it is using iptables. | Oct 03 11:13 |
| schestowitz__ | > Most mitigations I have been able to think of do not need to work with | Oct 03 11:13 |
| schestowitz__ | > the varnish configuration itself. But most parse the logs and you do | Oct 03 11:13 |
| schestowitz__ | > not have to be root to parse the varnish logs (a minor privacy and | Oct 03 11:13 |
| schestowitz__ | > security bug) but root accesses, or tweaked sudoers, is needed for | Oct 03 11:13 |
| schestowitz__ | > iptables configurations. | Oct 03 11:13 |
| schestowitz__ | > | Oct 03 11:13 |
| schestowitz__ | > Working with raw iptables on the varnish server, one needs a rule at the | Oct 03 11:13 |
| schestowitz__ | > top to allow established connections. | Oct 03 11:13 |
| schestowitz__ | > | Oct 03 11:13 |
| schestowitz__ | > iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED \ | Oct 03 11:13 |
| schestowitz__ | > -j ACCEPT | Oct 03 11:13 |
| schestowitz__ | > | Oct 03 11:13 |
| schestowitz__ | > Then near the top allowing incoming with some rate limiting. | Oct 03 11:13 |
| schestowitz__ | > | Oct 03 11:13 |
| schestowitz__ | > iptables -A INPUT -p icmp --icmp-type echo-request \ | Oct 03 11:13 |
| schestowitz__ | > -m limit --limit 1/s -i eth0 -j ACCEPT | Oct 03 11:13 |
| schestowitz__ | > | Oct 03 11:13 |
| schestowitz__ | > iptables -I INPUT -p TCP --dport 80 -m state --state NEW \ | Oct 03 11:13 |
| schestowitz__ | > -m limit --limit 60/minute --limit-burst 100 -j ACCEPT | Oct 03 11:13 |
| schestowitz__ | > | Oct 03 11:13 |
| schestowitz__ | > The --limit and --limit-burst would depend on the profile for normal use | Oct 03 11:13 |
| schestowitz__ | > for an incoming ip number. | Oct 03 11:13 |
| schestowitz__ | > | Oct 03 11:13 |
| schestowitz__ | > If you do try to adjust iptables, I would recommend using either an at | Oct 03 11:13 |
| schestowitz__ | > job to restore the last known working settings or else iptables-apply, | Oct 03 11:13 |
| schestowitz__ | > to prevent getting locked out. | Oct 03 11:13 |
| schestowitz__ | Can a command be crafted to tie burst limiting on a per-URL/request basis? Right now I managed to narrowly defeat bursts that mostly (not only) target the front page. If I could limit varnish access to this page to one per second, that would help solve the problem. I am observing the attacks in real time every 10 minutes to better understand them. It's like a game of Chess now and I win most rounds (rounds 10 minutes apart), but | Oct 03 11:13 |
| schestowitz__ | not all.. | Oct 03 11:13 |
| schestowitz__ | https://twitter.com/Metztli_IT/status/517998739911237633 | Oct 03 11:35 |
| -TechrightsBN/#boycottnovell-@Metztli_IT: ♺@schestowitz On Occupy Central’s Ties w/the #NED http://t.co/JxjNqkiudG #US pursues #oppression at home & #chaos abroad…#UmbrellaRevolution | Oct 03 11:35 | |
| -TechrightsBN/#boycottnovell--> www.commondreams.org | On Occupy Central’s Ties with the NED | Common Dreams | Breaking News & Views for the Progressive Community | Oct 03 11:35 | |
| schestowitz__ | I could use a script that checks average and when it rises above some number, it would swap a file (.htaccess), reload apache, then swap it back when the load is low again. Has this been done before? | Oct 03 12:09 |
| schestowitz__ | https://twitter.com/ender2038/status/518009453166465025 | Oct 03 12:12 |
| -TechrightsBN/#boycottnovell-@ender2038: @schestowitz then all the others are pro dem | Oct 03 12:12 | |
| *libertyboxes has quit (Quit: Konversation terminated!) | Oct 03 13:21 | |
| *liberty_back has quit (Remote host closed the connection) | Oct 03 13:21 | |
| *freedomrun has quit (Remote host closed the connection) | Oct 03 18:02 | |
| schestowitz__ | > It's been 10+ years since I've dealt with RPM. But despite that I got | Oct 03 20:12 |
| schestowitz__ | > CentOS 6 installed (it would not boot initially) and Apache2 with | Oct 03 20:12 |
| schestowitz__ | > Varnish, though the latter was not in the repository. The repo is also | Oct 03 20:12 |
| schestowitz__ | > missing tmux. I'll be able to get varnish working with apache tomorrow | Oct 03 20:12 |
| schestowitz__ | > after some sleep. | Oct 03 20:12 |
| schestowitz__ | These are very sought-after skills. You'd easily find a sysadmin job in the UK. | Oct 03 20:12 |
| *roy (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 04 02:47 | |
| *ChanServ gives channel operator status to roy | Oct 04 02:47 | |
| *schestowitz has quit (*.net *.split) | Oct 04 03:00 | |
| *cubelog has quit (Read error: Connection reset by peer) | Oct 04 08:04 | |
| *cubelog (~cubeman@maxhost.org) has joined #boycottnovell | Oct 04 08:04 | |
| roy | getting warnings about the disk filling up on the server | Oct 04 08:16 |
| roy | [09:12] <roy> I will take a look | Oct 04 08:16 |
| schestowitz__ | > I've looked at Apache2 on CentOS6 now and see that mod_evasive is not in | Oct 04 08:27 |
| schestowitz__ | > the repositories. It is in the EPEL repository, though. | Oct 04 08:27 |
| schestowitz__ | > | Oct 04 08:28 |
| schestowitz__ | > http://xmodulo.com/harden-apache-web-server-mod_security-mod_evasive-centos.html | Oct 04 08:28 |
| -TechrightsBN/#boycottnovell-xmodulo.com | How to harden Apache web server with mod_security and mod_evasive on CentOS - Xmodulo [ http://ur1.ca/iaktp ] | Oct 04 08:28 | |
| schestowitz__ | > | Oct 04 08:28 |
| schestowitz__ | > It might do the job with the 20/s ... BUT unfortunately, it works per-ip | Oct 04 08:28 |
| schestowitz__ | > address and varnish is hiding that. I spent some time trying to find | Oct 04 08:28 |
| schestowitz__ | > ways to rewrite the REMOTE_ADDR header, but no luck yet. There are | Oct 04 08:28 |
| schestowitz__ | > still a few ways to try though and I'm looking into one. | Oct 04 08:28 |
| schestowitz__ | > | Oct 04 08:28 |
| schestowitz__ | > iptables rate limiting on the varnish server would also prevent the 20/s | Oct 04 08:28 |
| schestowitz__ | > attacks. | Oct 04 08:28 |
| schestowitz__ | Most of the attacks are not fact but persistent, they build up the load by picking RAM- and CPU-heavy pages that are not in cache. | Oct 04 08:28 |
| schestowitz__ | At this stage both TR and TM go offline sometimes. Someone told me in Twitter that El Reg too was attacked last week. FOSS Force has a new article. | Oct 04 08:28 |
| roy | Both sites have been under attack and I don't know if you have some tools for the varnish side that can help reduce the floods of Windows botnets http://fossforce.com/2014/10/tux-machines-ddos-attack-moves-to-techrights/ | Oct 04 08:30 |
| -TechrightsBN/#boycottnovell-fossforce.com | 'Tux Machines' DDOS Attack Moves to 'TechRights' | FOSS Force [ http://ur1.ca/iaku3 ] | Oct 04 08:30 | |
| *roy has quit (Read error: No route to host) | Oct 04 09:52 | |
| *schestowitz_log_ has quit (Read error: Connection reset by peer) | Oct 04 09:52 | |
| *schestowitz_log_ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 04 09:52 | |
| *schestowitz_log_ has quit (Changing host) | Oct 04 09:52 | |
| *schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 04 09:52 | |
| *ChanServ gives channel operator status to schestowitz_log_ | Oct 04 09:52 | |
| *schestowitz (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 04 09:52 | |
| *ChanServ gives channel operator status to schestowitz | Oct 04 09:52 | |
| *Disconnected (Connection timed out). | Oct 04 10:49 | |
| **** ENDING LOGGING AT Sat Oct 4 10:49:18 2014 | ||
| **** BEGIN LOGGING AT Sat Oct 4 10:49:46 2014 | ||
| *Now talking on #boycottnovell | Oct 04 10:49 | |
| *Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-social | Oct 04 10:49 | |
| *Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010 | Oct 04 10:49 | |
| -ChanServ-[#boycottnovell] Welcome to the #boycottnovell channel | Oct 04 10:49 | |
| *ChanServ gives channel operator status to schestowitz_log | Oct 04 10:49 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 04 10:50 | |
| *Disconnected (). | Oct 04 14:43 | |
| **** ENDING LOGGING AT Sat Oct 4 14:43:58 2014 | ||
| **** BEGIN LOGGING AT Sat Oct 4 14:44:18 2014 | ||
| *Now talking on #boycottnovell | Oct 04 14:44 | |
| *Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-social | Oct 04 14:44 | |
| *Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010 | Oct 04 14:44 | |
| -ChanServ-[#boycottnovell] Welcome to the #boycottnovell channel | Oct 04 14:44 | |
| *ChanServ gives channel operator status to schestowitz_log | Oct 04 14:44 | |
| *schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 04 14:54 | |
| *ChanServ gives channel operator status to schestowitz_log_ | Oct 04 14:54 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 04 14:57 | |
| *pidgin_log has quit (Ping timeout: 260 seconds) | Oct 04 15:19 | |
| *schestowitz_log_ has quit (Ping timeout: 272 seconds) | Oct 04 15:20 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 04 15:33 | |
| *schestowitz_log_ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 04 15:33 | |
| *schestowitz_log_ has quit (Changing host) | Oct 04 15:33 | |
| *schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 04 15:33 | |
| *ChanServ gives channel operator status to schestowitz_log_ | Oct 04 15:33 | |
| *benJIman has quit (Ping timeout: 245 seconds) | Oct 04 15:36 | |
| *benJIman (~benji@li273-180.members.linode.com) has joined #boycottnovell | Oct 04 15:37 | |
| *Disconnected (Connection timed out). | Oct 04 16:17 | |
| **** ENDING LOGGING AT Sat Oct 4 16:17:34 2014 | ||
| **** BEGIN LOGGING AT Sat Oct 4 16:18:04 2014 | ||
| *Now talking on #boycottnovell | Oct 04 16:18 | |
| *Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-social | Oct 04 16:18 | |
| *Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010 | Oct 04 16:18 | |
| *schestowitz_log_ (~schestowi@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 04 16:19 | |
| *schestowitz_log_ has quit (Changing host) | Oct 04 16:19 | |
| *schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 04 16:19 | |
| *ChanServ gives channel operator status to schestowitz_log_ | Oct 04 16:19 | |
| -ChanServ-[#boycottnovell] Welcome to the #boycottnovell channel | Oct 04 16:19 | |
| *ChanServ gives channel operator status to schestowitz_log | Oct 04 16:19 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 04 16:20 | |
| *Disconnected (Connection timed out). | Oct 04 16:39 | |
| **** ENDING LOGGING AT Sat Oct 4 16:39:34 2014 | ||
| **** BEGIN LOGGING AT Sat Oct 4 16:40:02 2014 | ||
| *Now talking on #boycottnovell | Oct 04 16:40 | |
| *Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-social | Oct 04 16:40 | |
| *Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010 | Oct 04 16:40 | |
| -ChanServ-[#boycottnovell] Welcome to the #boycottnovell channel | Oct 04 16:40 | |
| *ChanServ gives channel operator status to schestowitz_log | Oct 04 16:40 | |
| *schestowitz__ has quit (Ping timeout: 244 seconds) | Oct 04 16:40 | |
| *schestowitz__ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 04 16:40 | |
| *ChanServ gives channel operator status to schestowitz__ | Oct 04 16:40 | |
| *pidgin_log (~roy@host109-155-95-145.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 04 16:41 | |
| *Disconnected (). | Oct 04 17:08 | |
| **** ENDING LOGGING AT Sat Oct 4 17:08:18 2014 | ||
| **** BEGIN LOGGING AT Sat Oct 4 17:08:58 2014 | ||
| *Now talking on #boycottnovell | Oct 04 17:08 | |
| *Topic for #boycottnovell is: TechRights.org | Channel #boycottnovell for http://TechRights.org | Free Software Sentry – watching and reporting maneuvers of those who oppose software freedom :: please also join channels #techrights and #boycottnovell-social | Oct 04 17:08 | |
| *Topic for #boycottnovell set by schestowitz at Thu May 6 23:19:56 2010 | Oct 04 17:08 | |
| -ChanServ-[#boycottnovell] Welcome to the #boycottnovell channel | Oct 04 17:08 | |
| *ChanServ gives channel operator status to logbot2 | Oct 04 17:08 | |
| *pidgin_log has quit (Ping timeout: 240 seconds) | Oct 04 17:09 | |
| *pidgin_log (~roy@host109-155-92-45.range109-155.btcentralplus.com) has joined #boycottnovell | Oct 04 17:09 | |
| *pidgin_log has quit (Client Quit) | Oct 04 17:10 | |
| *schestowitz_log_ (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 04 17:23 | |
| *ChanServ gives channel operator status to schestowitz_log_ | Oct 04 17:23 | |
| schestowitz_bed2 | > Hi, | Oct 04 17:23 |
| schestowitz_bed2 | > | Oct 04 17:23 |
| schestowitz_bed2 | > Is the DDOS attack over? We're having no trouble reaching either of your | Oct 04 17:23 |
| schestowitz_bed2 | > sites now. | Oct 04 17:23 |
| schestowitz_bed2 | TM was down for 10 minutes or so until around 5 minutes ago when I added new rules. TR has not been knocked so far today, but definitely these attacks are not over. Sometimes we nearly run out of swap (4 GB), which puts the server at risk of falling over completely. | Oct 04 17:23 |
| schestowitz_bed2 | I hope the attacker if getting bored and will move on soon. | Oct 04 17:23 |
| schestowitz_bed2 | >>> I've looked at Apache2 on CentOS6 now and see that mod_evasive is not in | Oct 04 17:28 |
| schestowitz_bed2 | >>> the repositories. It is in the EPEL repository, though. | Oct 04 17:28 |
| schestowitz_bed2 | >>> | Oct 04 17:28 |
| schestowitz_bed2 | >>> http://xmodulo.com/harden-apache-web-server-mod_security-mod_evasive-centos.html | Oct 04 17:28 |
| schestowitz_bed2 | >>> | Oct 04 17:28 |
| schestowitz_bed2 | >>> It might do the job with the 20/s ... BUT unfortunately, it works per-ip | Oct 04 17:28 |
| schestowitz_bed2 | >>> address and varnish is hiding that. I spent some time trying to find | Oct 04 17:28 |
| schestowitz_bed2 | >>> ways to rewrite the REMOTE_ADDR header, but no luck yet. There are | Oct 04 17:28 |
| schestowitz_bed2 | >>> still a few ways to try though and I'm looking into one. | Oct 04 17:28 |
| schestowitz_bed2 | >>> | Oct 04 17:28 |
| schestowitz_bed2 | >>> iptables rate limiting on the varnish server would also prevent the 20/s | Oct 04 17:28 |
| schestowitz_bed2 | >>> attacks. | Oct 04 17:28 |
| schestowitz_bed2 | >> | Oct 04 17:28 |
| schestowitz_bed2 | >> Most of the attacks are not fact but persistent, they build up the load | Oct 04 17:28 |
| schestowitz_bed2 | >> by picking RAM- and CPU-heavy pages that are not in cache. | Oct 04 17:28 |
| schestowitz_bed2 | > | Oct 04 17:28 |
| schestowitz_bed2 | > Yes, but you should add per-ip rate limiting to the varnish server, if | Oct 04 17:28 |
| schestowitz_bed2 | > you are allowed. That's the easiest and most adjustable option and will | Oct 04 17:28 |
| schestowitz_bed2 | > prevent one of their attack methods. | Oct 04 17:28 |
| schestowitz_bed2 | > | Oct 04 17:28 |
| schestowitz_bed2 | > On CentOS6 there are iptables rules for the system in this file: | Oct 04 17:28 |
| schestowitz_bed2 | > | Oct 04 17:28 |
| schestowitz_bed2 | > /etc/sysconfig/iptables | Oct 04 17:28 |
| schestowitz_bed2 | > | Oct 04 17:28 |
| schestowitz_bed2 | > and they can be edited via this script: | Oct 04 17:28 |
| schestowitz_bed2 | > | Oct 04 17:28 |
| schestowitz_bed2 | > system-config-firewall | Oct 04 17:28 |
| schestowitz_bed2 | > | Oct 04 17:29 |
| schestowitz_bed2 | > though it is possible to manually customize the iptables configuration. | Oct 04 17:29 |
| schestowitz_bed2 | > | Oct 04 17:29 |
| schestowitz_bed2 | > Either way, after this | Oct 04 17:29 |
| schestowitz_bed2 | > | Oct 04 17:29 |
| schestowitz_bed2 | > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | Oct 04 17:29 |
| schestowitz_bed2 | > | Oct 04 17:29 |
| schestowitz_bed2 | > but before this | Oct 04 17:29 |
| schestowitz_bed2 | > | Oct 04 17:29 |
| schestowitz_bed2 | > -A INPUT -j REJECT --reject-with icmp-host-prohibited | Oct 04 17:29 |
| schestowitz_bed2 | > | Oct 04 17:29 |
| schestowitz_bed2 | > something like this (limits a guess here) is needed | Oct 04 17:29 |
| schestowitz_bed2 | > | Oct 04 17:29 |
| schestowitz_bed2 | > iptables -I INPUT -p TCP --dport 80 -m state --state NEW \ | Oct 04 17:29 |
| schestowitz_bed2 | > -m limit --limit 10/second --limit-burst 20 -j ACCEPT | Oct 04 17:29 |
| schestowitz_bed2 | Thanks, I will ask Tracy before making changes on the Varnish host because several sites are hosted through it, inc. some of his clients. | Oct 04 17:29 |
| schestowitz_bed2 | >> At this stage both TR and TM go offline sometimes. Someone told me in | Oct 04 17:29 |
| schestowitz_bed2 | >> Twitter that El Reg too was attacked last week. | Oct 04 17:29 |
| schestowitz_bed2 | > | Oct 04 17:29 |
| schestowitz_bed2 | > But TheReg is rather Pro-M$ for a long time. | Oct 04 17:29 |
| schestowitz_bed2 | Maybe. Not always. Not so much anymore. | Oct 04 17:29 |
| schestowitz_bed2 | Oct 04 17:29 | |
| schestowitz_bed2 | >> FOSS Force has a new | Oct 04 17:29 |
| schestowitz_bed2 | >> article. | Oct 04 17:29 |
| schestowitz_bed2 | >> | Oct 04 17:29 |
| schestowitz_bed2 | > I see. M$ has no qualms about going after family. | Oct 04 17:29 |
| schestowitz_bed2 | The number of attacks today was less than yesterday. TR was only offline a few times last night. This morning it was doing fine. | Oct 04 17:29 |
| schestowitz_bed2 | > Hi, Roy, | Oct 04 18:16 |
| schestowitz_bed2 | > | Oct 04 18:16 |
| schestowitz_bed2 | > There is a way to install mod_evasive in CentOS 6, but I do not know | Oct 04 18:16 |
| schestowitz_bed2 | > enough C to modify it to use the right environment variable to get the | Oct 04 18:17 |
| schestowitz_bed2 | > offending client's address. Same for the defunct Apache module, rpaf, | Oct 04 18:17 |
| schestowitz_bed2 | > which also is in C, which would have provided the right variable, too. | Oct 04 18:17 |
| schestowitz_bed2 | Someone told me about rpaf in TM last year. It was a reader. I looked into it, but anything that involved messing with the Varnish level I need to be careful with because many sites depend on that host and I'm more of a guest on Tracy's network. Maybe if I can host locally (or at your end) some static pages, then I can redirect to them in cases of high load. I recently implemented this for a big client, using AWS as a cushion | Oct 04 18:17 |
| schestowitz_bed2 | for static pages. Of course this would only help if you can make static a page (quickly changing page like TM front page changes too often). If many different pages are hit, that too is a problem. | Oct 04 18:17 |
| schestowitz_bed2 | > However, even if mod_evasive had the name or ip of the offending client | Oct 04 18:17 |
| schestowitz_bed2 | > it would still have to call a script which then communicates back to the | Oct 04 18:17 |
| schestowitz_bed2 | > varnish server where the actual blocking needs to take place, a task | Oct 04 18:17 |
| schestowitz_bed2 | > which would be unnecessarily complex. | Oct 04 18:17 |
| schestowitz_bed2 | Varnish has been truly powerful and it helped us serve at unbelievable speeds. Watching in real time how quickly it serves images and stuff is amazing! The back end too; GNU/Linux is quite the beast. But they too have their limits and Varnish can make life hard and take a long time to configure when you want some pages not cached of conditionally cached. One client at my employer had many layers of cache: Clouflare, then | Oct 04 18:17 |
| schestowitz_bed2 | Varnish, then Drupal cache, maybe MySQL internal caching also... | Oct 04 18:17 |
| schestowitz_bed2 | It made it quite a nightmare to handle IP-based rules... exclusions, admin-only, VPN, etc. We still haven't resolved it. | Oct 04 18:17 |
| schestowitz_bed2 | > So here is another sketch in perl. This one is aimed at duplicating | Oct 04 18:17 |
| schestowitz_bed2 | > some of the functionality of mod_evasive. | Oct 04 18:17 |
| schestowitz_bed2 | > | Oct 04 18:17 |
| schestowitz_bed2 | > The script loops through piped output of varnish logs. There are three | Oct 04 18:17 |
| schestowitz_bed2 | > configuration variables. One is for the total number of site accesses | Oct 04 18:17 |
| schestowitz_bed2 | > allowed per designated time interval, the second is for the total number | Oct 04 18:17 |
| schestowitz_bed2 | > of site accesses per url per time interval, the third is the time | Oct 04 18:17 |
| schestowitz_bed2 | > interval itself. The function block_ip() currently only echo's output | Oct 04 18:17 |
| schestowitz_bed2 | > to stdout with a block in iptables. The rule is set to insert after the | Oct 04 18:17 |
| schestowitz_bed2 | > 3rd rule so that allows established states in first. It is labeled with | Oct 04 18:17 |
| schestowitz_bed2 | > DDOSn where n is the tens of minutes of the hour. That allows the rules | Oct 04 18:17 |
| schestowitz_bed2 | > to be purged after 50 minutes with 6 different cron jobs. | Oct 04 18:17 |
| schestowitz_bed2 | > | Oct 04 18:17 |
| schestowitz_bed2 | > iptables-save | grep -v DDOS0 | iptables-restore | Oct 04 18:17 |
| schestowitz_bed2 | > or | Oct 04 18:17 |
| schestowitz_bed2 | > iptables-save | grep -v DDOS1 | iptables-restore | Oct 04 18:17 |
| schestowitz_bed2 | > etc | Oct 04 18:17 |
| schestowitz_bed2 | > | Oct 04 18:17 |
| schestowitz_bed2 | > If a longer time is needed, that can be done with modification. Only | Oct 04 18:17 |
| schestowitz_bed2 | > one instance of the script needs to run at a time so the system load | Oct 04 18:17 |
| schestowitz_bed2 | > should be low. The hashes use some memory but are "limited" by the | Oct 04 18:17 |
| schestowitz_bed2 | > number of attackers and the number of urls on the site. | Oct 04 18:17 |
| schestowitz_bed2 | Excellent. I have saved the script. Next time the attacks begin (yesterday they were 10 minutes apart and today they are sometimes an hour apart) I will have a go at it. | Oct 04 18:17 |
| schestowitz_bed2 | Meanwhile I've managed to tweet a lot and also write several articles... lack of posts is a sign of weakness that the attacker may interpret as his victory over the target. And that's what scares me the most. | Oct 04 18:17 |
| schestowitz_bed2 | https://joindiaspora.com/posts/4847647 | Oct 04 18:47 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: People Still Want Ubuntu Edge to Happen http://news.softpedia.com/news/People-Still-Want-Ubuntu-Edge-to-Happen-460754.shtml #ubuntu #canonical #gnu #linux | Oct 04 18:47 | |
| -TechrightsBN/#boycottnovell--> news.softpedia.com | People Still Want Ubuntu Edge to Happen - Softpedia [ http://ur1.ca/ian7v ] | Oct 04 18:47 | |
| schestowitz_bed2 | "I also want it to happen!!!" | Oct 04 18:47 |
| schestowitz_bed2 | "me too" | Oct 04 18:47 |
| schestowitz_bed2 | https://joindiaspora.com/posts/4853866 | Oct 04 18:52 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #google blamed rather than stupid celebrities who take naked photos, use "the Cloud", and #apple being incompetent http://www.eweek.com/security/google-threatened-with-100-million-lawsuit-over-hacked-celebrity-pictures.html | Oct 04 18:52 | |
| schestowitz_bed2 | "If I take some naked photos and somehow end in the Internet, might I sue Google too?" | Oct 04 18:52 |
| -TechrightsBN/#boycottnovell--> www.eweek.com | Google Threatened With $100 Million Lawsuit Over Hacked Celebrity Pictures [ http://ur1.ca/ian9c ] | Oct 04 18:52 | |
| schestowitz_bed2 | Only if you are very, VERY famous. Obviously! :-) | Oct 04 18:53 |
| schestowitz_bed2 | https://joindiaspora.com/posts/4854843 | Oct 04 18:53 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com reshared: why would people post their health info to social networks? | Oct 04 18:53 | |
| schestowitz_bed2 | "Worse, why would people search medical advice on social networks?" | Oct 04 18:53 |
| schestowitz_bed2 | They might get a "like" or two... | Oct 04 18:53 |
| *schestowitz_bed2 has quit (Quit: Konversation term) | Oct 04 19:07 | |
| *schestowitz (~schestowi@unaffiliated/schestowitz) has joined #boycottnovell | Oct 04 19:08 | |
| *ChanServ gives channel operator status to schestowitz | Oct 04 19:08 | |
| schestowitz | >>> I've been thinking about rpaf + mod_evasive some more. I think you | Oct 04 19:21 |
| schestowitz | >>> could try it on the VM you set up to experiment with. If the load on | Oct 04 19:21 |
| schestowitz | >>> the web server is from PHP+db then that should take care of it, mostly, | Oct 04 19:21 |
| schestowitz | >>> without need of contacting the varnish server at all. The downsides are | Oct 04 19:21 |
| schestowitz | >>> that mod_evasive is in the EPEL repository and that rpaf is more or less | Oct 04 19:21 |
| schestowitz | >>> abandoned. | Oct 04 19:21 |
| schestowitz | >>> | Oct 04 19:21 |
| schestowitz | >>> About the perl script, if you do consider trying it, the varnishncsa | Oct 04 19:21 |
| schestowitz | >>> pipe needs a -m option to limit it to queries to TM and TR. | Oct 04 19:21 |
| schestowitz | >> | Oct 04 19:21 |
| schestowitz | >> I reckon we'll use it soon. Maybe the attacker is asleep or away. Maybe | Oct 04 19:21 |
| schestowitz | >> the zombies PCs were partly switched off for the weekend. | Oct 04 19:21 |
| schestowitz | >> | Oct 04 19:21 |
| schestowitz | > | Oct 04 19:21 |
| schestowitz | > Here is one with some changes to hopefully deal better with the share | Oct 04 19:21 |
| schestowitz | > varnish environment. Also, there was an off-by-one error in counting. | Oct 04 19:21 |
| schestowitz | > Where the host is given as 10.0.2.40, substitute techrights.org or | Oct 04 19:21 |
| schestowitz | > whatever is showing up in "RxHeader c Host:" from regular varnishlog | Oct 04 19:21 |
| schestowitz | > | Oct 04 19:22 |
| schestowitz | > Also, as mentioned in the other message, I've revisited rpaf+mod_evasive | Oct 04 19:22 |
| schestowitz | > and now think that it might help. If the load is because of the db + php. | Oct 04 19:22 |
| schestowitz | Thank you so much. You should probably publish a wiki or article about this. It's stuff that ought to be out there for others to use as well. | Oct 04 19:22 |
| schestowitz | https://joindiaspora.com/posts/4855510 | Oct 04 19:24 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #nsa helps create jobs in #germany http://www.techweekeurope.co.uk/news/oracle-data-centres-152984 | Oct 04 19:24 | |
| -TechrightsBN/#boycottnovell--> www.techweekeurope.co.uk | Oracle To Open Two German Data Centres Following NSA Spying Scandal [ http://ur1.ca/ianix ] | Oct 04 19:24 | |
| schestowitz | "How is that gona help ? Amerikan company implanting spyware in heart of eurooe ?" | Oct 04 19:24 |
| schestowitz | https://joindiaspora.com/posts/4857477 | Oct 04 19:25 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: Another opportunity for #facebook to compile lists of people to sell to marketing firms and sharks http://consumerist.com/2014/10/03/facebook-wants-to-be-your-source-for-healthcare-info/ | Oct 04 19:25 | |
| -TechrightsBN/#boycottnovell--> consumerist.com | Facebook Wants To Be Your Source For Healthcare Info – Consumerist [ http://ur1.ca/ian4d ] | Oct 04 19:25 | |
| schestowitz | "I'm glad escaped from FaceBook 3 years ago!" | Oct 04 19:25 |
| schestowitz | >>>>> >>>> I've been thinking about rpaf + mod_evasive some more. I think you | Oct 04 19:35 |
| schestowitz | >>>>> >>>> could try it on the VM you set up to experiment with. If the load on | Oct 04 19:35 |
| schestowitz | >>>>> >>>> the web server is from PHP+db then that should take care of it, mostly, | Oct 04 19:35 |
| schestowitz | >>>>> >>>> without need of contacting the varnish server at all. The downsides are | Oct 04 19:35 |
| schestowitz | >>>>> >>>> that mod_evasive is in the EPEL repository and that rpaf is more or less | Oct 04 19:35 |
| schestowitz | >>>>> >>>> abandoned. | Oct 04 19:35 |
| schestowitz | >>>>> >>>> | Oct 04 19:35 |
| schestowitz | >>>>> >>>> About the perl script, if you do consider trying it, the varnishncsa | Oct 04 19:35 |
| schestowitz | >>>>> >>>> pipe needs a -m option to limit it to queries to TM and TR. | Oct 04 19:35 |
| schestowitz | >>>> >>> | Oct 04 19:35 |
| schestowitz | >>>> >>> I reckon we'll use it soon. Maybe the attacker is asleep or away. Maybe | Oct 04 19:35 |
| schestowitz | >>>> >>> the zombies PCs were partly switched off for the weekend. | Oct 04 19:35 |
| schestowitz | >>>> >>> | Oct 04 19:35 |
| schestowitz | >>> >> | Oct 04 19:35 |
| schestowitz | >>> >> Here is one with some changes to hopefully deal better with the share | Oct 04 19:35 |
| schestowitz | >>> >> varnish environment. Also, there was an off-by-one error in counting. | Oct 04 19:35 |
| schestowitz | >>> >> Where the host is given as 10.0.2.40, substitute techrights.org or | Oct 04 19:35 |
| schestowitz | >>> >> whatever is showing up in "RxHeader c Host:" from regular varnishlog | Oct 04 19:35 |
| schestowitz | >>> >> | Oct 04 19:35 |
| schestowitz | >>> >> Also, as mentioned in the other message, I've revisited rpaf+mod_evasive | Oct 04 19:35 |
| schestowitz | >>> >> and now think that it might help. If the load is because of the db + php. | Oct 04 19:35 |
| schestowitz | >> > | Oct 04 19:35 |
| schestowitz | >> > Thank you so much. | Oct 04 19:35 |
| schestowitz | > My style with perl has tended to readability or over-simplicity. So, I | Oct 04 19:35 |
| schestowitz | > hope it's readable and that there are no mistakes. I've tested it in a | Oct 04 19:35 |
| schestowitz | > simulated environment, but treat it as probationary in a live setting if | Oct 04 19:35 |
| schestowitz | > you do test it. A sucessful block with iptables should prevent runaway | Oct 04 19:35 |
| schestowitz | > addition of duplicate rules. If not, then that can be added in. | Oct 04 19:35 |
| schestowitz | > | Oct 04 19:35 |
| schestowitz | >> > You should probably publish a wiki or article about | Oct 04 19:35 |
| schestowitz | >> > this. It's stuff that ought to be out there for others to use as well. | Oct 04 19:35 |
| schestowitz | > It's only a variation of most of what mod_evasive does, but for varnish | Oct 04 19:35 |
| schestowitz | > instead. Besides, writing's hard for me, especially these days. | Oct 04 19:35 |
| schestowitz | > | Oct 04 19:35 |
| schestowitz | > PS. I'm about done for the day in a few minutes. | Oct 04 19:35 |
| schestowitz | I will keep an eye on the site the rest of the day and tomorrow we stay home all day, so at least we're covered in the vigilance sense, for now... | Oct 04 19:36 |
| schestowitz | >>> It's only a variation of most of what mod_evasive does, but for varnish | Oct 04 22:19 |
| schestowitz | >>> instead. Besides, writing's hard for me, especially these days. | Oct 04 22:19 |
| schestowitz | >>> | Oct 04 22:19 |
| schestowitz | >>> PS. I'm about done for the day in a few minutes. | Oct 04 22:19 |
| schestowitz | >> | Oct 04 22:19 |
| schestowitz | >> I will keep an eye on the site the rest of the day and tomorrow we stay | Oct 04 22:19 |
| schestowitz | >> home all day, so at least we're covered in the vigilance sense, for now... | Oct 04 22:19 |
| schestowitz | > | Oct 04 22:20 |
| schestowitz | > Ok. | Oct 04 22:20 |
| schestowitz | > | Oct 04 22:20 |
| schestowitz | > Just two last things. Lines 14 and 15 need to be edited to make the | Oct 04 22:20 |
| schestowitz | > script active, if you think the rest is ok. Also, the existing iptables | Oct 04 22:20 |
| schestowitz | > rules on the server might not be the default any more so the insertion | Oct 04 22:20 |
| schestowitz | > point for the REJECT rule might not be the 4th line. | Oct 04 22:20 |
| schestowitz | The attacks are resuming now, so I'll give it a go. | Oct 04 22:20 |
| schestowitz | https://joindiaspora.com/posts/4854823 | Oct 04 22:22 |
| -TechrightsBN/#boycottnovell-@unlearn@diasp.org: why would people post their health info to social networks? | Oct 04 22:22 | |
| schestowitz | "One of the people the spouse follows on a popular social network is posting everything about her battle with cancer. She's also taking donations. So for her, losing information about her health derives sympathy and money." | Oct 04 22:22 |
| schestowitz | https://joindiaspora.com/posts/4852407 | Oct 04 22:22 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: #steam now promotes #drm for music, too http://www.themukt.com/2014/10/03/steam-music-available-one-comes-free-music/ the rot spreads... | Oct 04 22:22 | |
| -TechrightsBN/#boycottnovell--> www.themukt.com | Steam Music available to one and all! Comes with Free Music too! - The Mukt [ http://ur1.ca/ian6z ] | Oct 04 22:22 | |
| schestowitz | "Well it is. However, my impression so far is that the music itself is not copy protected by Steam; It just provides access to soundtracks buried in the game directories and to the player's actual music collection." | Oct 04 22:22 |
| schestowitz | https://joindiaspora.com/posts/4855523 | Oct 04 22:23 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: "Apple is truly ramping up the PR machine and has even managed to get a few people in government to" help the PR http://www.decryptedtech.com/news/nsa-proof-ios-8-claims-we-have-heard-them-before | Oct 04 22:23 | |
| schestowitz | "Blind mice..." | Oct 04 22:23 |
| -TechrightsBN/#boycottnovell--> www.decryptedtech.com | NSA Proof" iOS 8 claims... We have heard them before... [ http://ur1.ca/iaopk ] | Oct 04 22:23 | |
| schestowitz | https://joindiaspora.com/posts/4857956 | Oct 04 22:24 |
| -TechrightsBN/#boycottnovell-@schestowitz@joindiaspora.com: People who say that fasting (ritual) has "health benefit" are the same people who say female and male genital mutilation is "health benefit" | Oct 04 22:24 | |
| schestowitz | "What? Where did that one come from? I understand why would you not post a link here, but I got genuinely interested in the topic. I do want to know more about this topic." | Oct 04 22:24 |
| schestowitz | "Some crazy people I guess." | Oct 04 22:24 |
| schestowitz | "Wait a second... is it about Jewish practices? I have little knowledge, that is why I am asking.' | Oct 04 22:24 |
| schestowitz | "Are you Jewish?" | Oct 04 22:24 |
| schestowitz | "I am not. But I am curious where such statement came from. You know, Diaspora has no text length limit, so this single sentence made me curious. I mean, Why did Dr. Roy even write it for? What is the reasoning and sought result? | Oct 04 22:25 |
| schestowitz | It's about Muslims too (Eid and female genital mutilation) https://en.wikipedia.org/wiki/Female_genital_mutilation | Oct 04 22:25 |
| -TechrightsBN/#boycottnovell-en.wikipedia.org | Female genital mutilation - Wikipedia, the free encyclopedia [ http://ur1.ca/iaopr ] | Oct 04 22:25 | |
| schestowitz | ,e: I am trying to reduce the impact of DDOS attacks after two weeks of them not stopping. I don't think I can do this without dealing with Varnish (IP addresses), but I don't want to do any work on it without prior permissions from you because it's shared among sites. | Oct 04 22:34 |
Generated by irclog2html.py 2.6 by Marius Gedminas - find it at mg.pov.lt!
