Life, The Universe, and Everything

This is where there are basically no rules about topics, or off-topics. Discuss things here of fleeting interest.
Forum rules
Here, you can discuss anything (well, anything legal and not offensive) you want to. Use this for gassing about any half-baked theories, general getting to know one another, and other things that as someone once said, should be forgotten after awhile. This sub forum is set to auto-remove threads that haven't been posted on for a couple weeks, emptied like the office trash can. Almost anything goes here, the idea being to keep the other forums and threads more on topic but in a maximally friendly way. If anything actually worthwhile should wind up here, let me know and I will make it immune from being removed.
Donovan Ready
Posts: 239
Joined: Thu Apr 17, 2014 1:22 pm
Location: Austin, Texas

Re: Life, The Universe, and Everything

Post by Donovan Ready »

I will attempt to raise my old server from the dead and send you the last iptables drop file soon.

As far as using iptables and the ifconfig file, (sorry if it's a different filename, I don't know nginx), versus hosts.allow and hosts.deny, it seems to me that a couple of things work well.

No open ports at the router, of course. Do a sysconfig hardening. Then use iptables to reduce calls to the web server. Hosts.allow and deny are better used as specifics rather than general drops.

You can do a search for Chinese block assignments, for instance. :roll:

I know you know this stuff better than I, since I haven't done anything remotely like it for two years, but there's what I dredged up...
Doug Coulter
Posts: 3515
Joined: Wed Jul 14, 2010 7:05 pm
Location: Floyd county, VA, USA

Re: Life, The Universe, and Everything

Post by Doug Coulter »

Just learning the syntaxes involved - a pain but better than a DOS I guess.
I'm writing a script to go through the access logs - now is a good time to see who's just out there hitting me randomly and trying to hack, because this isn't even a domain, just a raw dotted quad and no one at all should be hitting it other than the couple people who know the non-static address. Anyone hitting me is at best scanning randomly...

The hope is I can ID the baddies and update some firewall rules with at least some automation. The remaining issue would be figuring out range type blocks for the really horrible actors out there - mainly so you don't wind up blocking a /16 or /24 one by one.

Got hung up in figuring out that it'd make things a lot simpler to tell NGINX to format its access logs to make the script simpler, and then that unexpected old-man nap stopped me for the day.

I like NGINX...I don't (think/hope) I need all of apache's hooks, and I sure don't need the learning curve. NGINX is a lot simpler from what I can tell...for most things. It's a lot less resource intensive so it runs blazingly fast on tiny computers.

Yeah, a file of known bad actors should be real useful...This all seems to be a balancing act. I don't want to block too many legit potential users, nor just block such a long list that blocking takes longer than emitting a 404...though I guess dropping the bad guys with no response at least doesn't let them know when they have a live one.
Posting as just me, not as the forum owner. Everything I say is "in my opinion" and YMMV -- which should go for everyone without saying.
Donovan Ready
Posts: 239
Joined: Thu Apr 17, 2014 1:22 pm
Location: Austin, Texas

Re: Life, The Universe, and Everything

Post by Donovan Ready »

I'll try to get that for you soon. Let's trust that the machine will post...
Bob Reite
Posts: 142
Joined: Wed Nov 11, 2015 1:02 pm
Location: Wilkes Barre / Scranton PA

Re: Life, The Universe, and Everything

Post by Bob Reite »

I've been used to apache all my life, so I never switched to NGINX, but I hear that it does scale better for heavy traffic.
The more reactive the materials, the more spectacular the failures.
The testing isn't over until the prototype is destroyed.
Doug Coulter
Posts: 3515
Joined: Wed Jul 14, 2010 7:05 pm
Location: Floyd county, VA, USA

Re: Life, The Universe, and Everything

Post by Doug Coulter »

Right, it's a case of what you're used to, and what features you've used, as everything is a little bit different, IMO simpler when going from scratch in NGINX, but...unless you need it, no point in switching, they're both good.
When I'm serving from things like raspberry pies - not the latest ones, well...every little bit helps. Since I never got into Apache, and never needed the tons of fancy hooks at every step of the request/response thing it offers (NGINX has most of that stuff but if you don't need it, there's nothing to learn. I bet switching could be a bear.).

The big boys are all using NGINX (facefart, gaggle and so on). At any rate, it works well. There are some tricky rewrite types of things you can do for load balancing and redirection I'm about to start learning to get forums served from "not the same machine that the web server is on" as one of the ones I want to serve is on another machine - I have my own forums here for my own notes on how all this junk works, sysadmin tips and so on, and why not put that up too? It's its own world, so it should be a separate forum/subforums, and if I can pull it off, it'd be nice not to have to sweat having two instances of phpbb on the same box trying not to stomp on one another's files and database tables, since they assume naming....

We'll see. One thing at a time, and I have till they get here with fiber (gigabit...) to get it done, so I'm doing it. I have an interesting log parser going now and have customized the access log format to make that easy, the idea being to build up a database hash of the hits that are obvious hackers and then to write something that shoves them into firewall rules.

One big difference is age, and it's not unique to this. Anything that's been around a long time has evolved - that's as it should be. There will be endless tips and examples online on how to get this or that done, work around some bug and so on. Also good. But if the thing is old, and a lot of that helpful online stuff isn't marked with dates, boy can you get tied in knots and pounded over on both sides of the hole, working around what you think is a bug - that was fixed long since, and the real problem isn't the thing you saw on google....newer stuff suffers a little less from this issue.
Posting as just me, not as the forum owner. Everything I say is "in my opinion" and YMMV -- which should go for everyone without saying.
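The log-to-firewall idea from the posts above (find the addresses that draw errors, then block by range instead of one host at a time), as an added example that is not code from any poster. It assumes nginx's default "combined" log format, treats repeated 4xx responses as the bad-actor signal, and uses hypothetical function names and thresholds; the sample log is constructed from documentation-only address ranges.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Leading fields of nginx's default "combined" log format: addr, request, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def _line(ip, path, status):
    return f'{ip} - - [12/Mar/2021:06:25:01 +0000] "GET {path} HTTP/1.1" {status} 153 "-" "-"'

# Constructed sample log; all addresses come from documentation-only ranges.
BAD = ["203.0.113.5", "203.0.113.9", "203.0.113.77", "198.51.100.7"]
SAMPLE_LOG = "\n".join(
    [_line(ip, "/wp-login.php", 404) for ip in BAD for _ in range(2)]
    + [_line("192.0.2.10", "/", 200), _line("192.0.2.10", "/favicon.ico", 404)]
)

def offenders(log_text, min_hits=2):
    """IPv4 clients with at least min_hits 4xx responses (assumed 'bad' signal)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if ip.version == 4 and m.group(2).startswith("4"):
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)

def to_blocks(ips, per_24=3):
    """Block a whole /24 once per_24 distinct offenders sit in it, else single hosts."""
    by_net = defaultdict(list)
    for ip in ips:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    nets = []
    for net, members in by_net.items():
        if len(members) >= per_24:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(f"{ip}/32") for ip in members)
    # collapse_addresses also merges adjacent blocks (two /24s into a /23, ...).
    return list(ipaddress.collapse_addresses(nets))

def iptables_rules(blocks):
    return [f"iptables -A INPUT -s {b} -j DROP" for b in blocks]

if __name__ == "__main__":
    print("\n".join(iptables_rules(to_blocks(offenders(SAMPLE_LOG)))))
```

Raising `per_24` trades a longer rule list for less risk of dropping legitimate visitors who share a /24 with a scanner, which is the balance discussed in the thread.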
Doug Coulter
Posts: 3515
Joined: Wed Jul 14, 2010 7:05 pm
Location: Floyd county, VA, USA

Re: Life, The Universe, and Everything

Post by Doug Coulter »

I'll just leave this here. It's a schiz for a "VT" fuze, named variable timing because the fact that it was actually a proximity fuze was super secret.
As far as I can tell, it was in use for quite awhile before being acknowledged at all, even by the deliberate misnaming. But for example, Drachinifel mentions in his latest about how the anti-air fire "suddenly become a lot more effective" but then quotes an officer saying it's going to get better once some new shells arrive. Pretty much all other sources say...no one was told of these until they arrived and put in use. Such is the nature of secrets and national security limitations. If you did something "cool" in that context, it's even more of a secret. Bragging about it generates a lot of motivation for countermeasures - better to let "them" think there's not a problem, then when they make a noise, misrepresent what it actually was in some relatively believable way. War's a dirty game. Here's one historian's take, but the schiz came from one I can't find again just now - which was a LOT more detailed and informative about the thing, as well as the dates involved.
Looks more like a theremin than a radar to me...or just something that notices the bounceback interfering with the goes-outa.
You can type in that URL if you want. Good luck with that. Kinda hard to cut-paste from a picture.
Or maybe it just went out of oscillation when it got close to something?

At any rate, historians not in the secrecy/tradecraft game loop argue about this stuff....endlessly. And governments (remember history is written by the winners) brag about their successes, but omit things like the fact that "the desert fox" was in part foxy because unlike the Brits claiming total intelligence superiority, the code named "black" was broken and info was being fed to him in the desert, helping him make those lucky guesses....you can read a heck of a lot about Rommel without ever hearing about that one, because, well, it was kind of embarrassing to the governments who control what we know when they can.

There's quite a lot of that.

All those guys who died on long range bombing in WWII because the US bomber mafia was more than a little disingenuous about the existence and availability of drop tanks for P47s...because they didn't want any resources diverted to other than their bombers until it was undeniable and there were P51's whether they liked it or not. Like I said, war is dirty...
Posting as just me, not as the forum owner. Everything I say is "in my opinion" and YMMV -- which should go for everyone without saying.
Doug Coulter
Posts: 3515
Joined: Wed Jul 14, 2010 7:05 pm
Location: Floyd county, VA, USA

Re: Life, The Universe, and Everything

Post by Doug Coulter »

As to how I know the above:
Lots of this stuff has my name on it.
And...
My Dad told me a lot about his consulting on combustion acoustics stability in the F1. Pretty sure we actually went...
Just having a little fun here.
Posting as just me, not as the forum owner. Everything I say is "in my opinion" and YMMV -- which should go for everyone without saying.
Roberto Ferrari
Posts: 20
Joined: Tue Jan 24, 2012 3:39 pm
Location: ARGENTINA

Re: Life, The Universe, and Everything

Post by Roberto Ferrari »

Hi Doug

What a story!
I was unaware of that device.
Thanks for sharing,
best
Roberto
Doug Coulter
Posts: 3515
Joined: Wed Jul 14, 2010 7:05 pm
Location: Floyd county, VA, USA

Re: Life, The Universe, and Everything

Post by Doug Coulter »

Sitting in hospital waiting for the f18 tracer to work...pic taken, now to cardio stress after bag lunch.
Posting as just me, not as the forum owner. Everything I say is "in my opinion" and YMMV -- which should go for everyone without saying.
Roberto Ferrari
Posts: 20
Joined: Tue Jan 24, 2012 3:39 pm
Location: ARGENTINA

Re: Life, The Universe, and Everything

Post by Roberto Ferrari »

Ouch, good luck!!!