gushi: (tall no good)

TL;DR: If you have a thing that's broken for you, contact me and we'll figure out a fix. If you have a DB-based thing or a PHP-based thing, this is likely.

Upgrades last night went well, but a few things are being weird.

BSD Stupidity

  • For some reason, pkg upgrade didn't reinstall proftpd. Easily enough fixed, but if it missed that, it may have missed other things.

  • MySQL didn't get upgraded from 5.5 to 5.6, but all the PHP stuff was linked against 5.6, so I manually upgraded mysql-server to 5.6 and ran a bunch of upgrade scripts.

  • Stupidly, the FreeBSD installer removed named.conf because BIND is no longer part of the base tree. DUMB. Like, there's no other reason a person would want that file? (Luckily, I had backed it up).

  • Also stupidly, trying to install bind9.11 tries to uninstall zkt. WTaF?

  • freebsd-update wanting to overwrite my sendmail.cf (not MC, CF) was just plain dumb. Same with my ntp.conf. I think I'm just going to globally call a /usr/local/etc/ntp.conf in rc.conf, and let it stop complaining about any local changes.

  • Something tickles the password file that causes pkg's user-manipulations to fail, somehow getting the DB and the textfile out of sync.

  • People had warned me about my disk devices changing names, but as this is a VM with scsi-based vdisks this didn't affect me.

PHP Stupidity

  • PHP no longer likes mysql's built-in "old style" passwords. If you have a site that's DB-based and you've been hosted by me for like a LONG time, I'll need to do some tweaking on the backend for you.

  • PHP's session dir got weird again. I may need to define a startup script to fix perms on that. (Come to think of it, I should define a crontab to do cleanup on that anyway).

  • As usual, there are a number of deprecated and "removed" PHP functions. I'm vaguely contemplating building static versions of older versions of PHP from scratch to try and resolve these. Because I use suPHP, it lets me determine the PHP interpreter at a per-site or even per-file level. In a past life, this let me run php4 and php5 at the same time.

(Yes, an unstable version of php5.4 sticking around is arguably bad, but if it's a thing I only turned on for a given site that was otherwise broken and that site runs only as that user, I consider this fairly low risk).

Future Work

  • I've accepted that there's always going to be a couple of packages I need to build myself. That said, I should act like a proper port maintainer, and maintain "diff" files for them that are easily applied. I might even reach out to the official package maintainers on some of this stuff and see if they can be included.

  • Because this system started life using ports and pkg-classic, my packages have no idea which packages are "automatic" (i.e. were not explicitly installed, but merely installed as dependencies), so pkg autoremove may not work so well for me. At some point, I'll manually audit the dependency tree.

  • Squirrelmail's cert is marked as insecure because it's SHA1. I've put in for a reissue, but Geotrust is taking their sweet-ass time on it.

  • Now that I can support current state-of-the-art crypto, I'll likely do some cert tweaking for those things that use SSL. (Webmin, proftpd, Squirrelmail).

  • At some point, I really want to do a proof-of-concept that lets you accept weaker SSL settings, but redirect to a framed warning page. Because the default behavior of this (connection failed) just sucks.

gushi: (Default)

So, I just got this amusing email...

From slackerng@gmail.com Thu Jul  2 02:08:05 2009
Date: Thu, 2 Jul 2009 01:07:54 -0500
From: Cody Grunenwald <slackerng@gmail.com>
To: "root@gushi.org" <root@gushi.org>
Subject: I really need help

I saw that you had a crash file that you can crash wc3 users only by whispering
them. Now I'm a noob with technology and stuff so I was wondering if you could
get on battle.net and go to Channel CLAN STN and crash anybody in that channel
with praetor in their name. Long story short they hacked themselves into OP and
were a new clan so we have no shamans or anything and he's holding our clan
hostage. Please help us.

Note that they emailed root@gushi.org. Now, there's only one place I use that. root@prime.gushi.org is common, but root@gushi.org was ONLY used, for a while, as the ServerAdmin for the gushi.org domain (as in, ONLY my personal domain). Thing is, it also shows up as the serveradmin for people who use www.gushi.org/~username aliases...and a quick google revealed the problem.

A user I had kicked off a while ago, who was using prime as his location for StarCraft hacking tools (I know because I heard from Blizzard about it).

Remember fun LJ entries like this?

So, obviously what's happening is people are finding some webpage that links to this, getting a 403, and then EMAILING ME.

Gee, how ever could I find out who this is? Oh wait, look, I have my webserver logs!

%tail -1000000 access_log|grep -i celeron
gushi.org 75.72.94.81 - - [01/Jul/2009:20:48:09 -0400] "GET /~celeron/hacks/Exended1.4.zip HTTP/1.1" 403 345 "http://gaminkings.tripod.com/id8.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5"
gushi.org 97.83.163.193 - - [02/Jul/2009:01:56:50 -0400] "GET /~celeron/hacks/SCCRASH.zip HTTP/1.1" 403 342 "http://gaminkings.tripod.com/id8.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)"
gushi.org 97.83.163.193 - - [02/Jul/2009:02:05:37 -0400] "GET /~celeron/hacks/SCCRASH.zip HTTP/1.1" 403 342 "http://gaminkings.tripod.com/id8.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)"
%
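The same trick the grep above does by eye, as an added example that is not part of the original post: parse vhost-prefixed combined-format log lines and count the forbidden hits under a removed user's directory by referer and client IP, so the hotlinking page stands out. The log lines, addresses and referer below are constructed placeholders, not the real ones.

```python
import re
from collections import Counter

# Constructed sample lines in the vhost-prefixed "combined" log format.
# Addresses are documentation ranges and the referer is a placeholder host.
SAMPLE_LOG = """\
gushi.org 192.0.2.10 - - [01/Jul/2009:20:48:09 -0400] "GET /~celeron/hacks/Exended1.4.zip HTTP/1.1" 403 345 "http://referrer.example/id8.html" "Mozilla/5.0"
gushi.org 198.51.100.7 - - [02/Jul/2009:01:56:50 -0400] "GET /~celeron/hacks/SCCRASH.zip HTTP/1.1" 403 342 "http://referrer.example/id8.html" "Mozilla/4.0"
gushi.org 198.51.100.7 - - [02/Jul/2009:02:05:37 -0400] "GET /~celeron/hacks/SCCRASH.zip HTTP/1.1" 403 342 "http://referrer.example/id8.html" "Mozilla/4.0"
gushi.org 203.0.113.4 - - [02/Jul/2009:03:00:00 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# vhost, client IP, ident, user, [time], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hotlink_sources(log_text, path_prefix, status="403"):
    """Count (referer, client_ip) pairs for hits with the given status under path_prefix.

    The referer column is what identifies the page that is linking to the
    missing files; the client IP shows who is following those links.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["status"] == status and rec["path"].startswith(path_prefix):
            counts[(rec["referer"], rec["ip"])] += 1
    return counts


if __name__ == "__main__":
    for (referer, ip), n in hotlink_sources(SAMPLE_LOG, "/~celeron/").most_common():
        print(f"{n:3d}  {ip:15s}  {referer}")
```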

So I checked out the tripod page (I especially love that the banners on the webpage are offering a DEGREE IN HACKING), and there they are.

Now, the question is, what to do with them?

  • Tell them "it's a game, there really are more important things"
  • Tell them "STFU NOOB!"
  • Tell them I'll hack THEM for disturbing me! (Mess with the best, die with the rest!)
  • Tell them I'll do it for 1000 gold, sent to the WOW account of anyone I don't particularly like?
  • Forward the tripod hacks page on to Blizzard?
  • Complain to tripod myself, as it's causing me negative traffic, perhaps threatening that if they don't take the page down, I will POPULATE those links?
  • Since they seem so willing to download and run files, send them a nicely wrapped boot sector rewriter?
  • Two words: mod_rewrite.
  • Send them a link to this entry.
  • Do nothing but blog about it, sigh, and shake my head sadly.

Yeah, probably that last one, but you never know. *sigh* *shakes head sadly*

gushi: (Default)

So as some of you know, I've been playing with Greylisting recently.

Greylisting is the practice of answering a server that tries to deliver mail with a certain "tuple" (say, sender's-server-ip, sender's-email-address, recipient-email-address) with, in effect, "Okay, let's see if you follow the standards: come back and retry this address in an hour." Programs that spammers use to send mail, such as Dark Mailer, just fire fast and continuously, and do not re-queue.

If the same tuple comes up an hour later, it's let through.

However, this gets annoying for most people because it makes email that-much less instant.

There are two solutions here:

First is that upon a successful delivery (i.e. a retry-after-an-hour with a matching tuple), the server can then WHITELIST you (i.e. not force you to delay again, as long as a message is between that recipient, that sender, and from that mail server IP).

The second is that the program I'm using, milter-greylist, lets you ALSO make use of DNS blacklists, so that the default policy is "let mail through, unless they're on this list, then make them wait an hour".

So, recently, I started using one of the most obnoxious blacklists I could find (APEWS, formerly the SPEWS blacklist), on my inbound mail port, 25.

SPEWS (Site Archive HERE) had a reputation for being obnoxious and hard to get off of, and for listing entire carriers if even a small segment were spammish. APEWS follows suit. Normally, only an insane person would use it to blacklist people.

Fortunately, one of the cool things about Greylisting is that it can turn what would normally be a high-collateral-damage blacklist into something perfectly serviceable (so odd to hear a ferret say serviceable...). Mail's not actually rejected, just told "come back later". (Of course, there ARE some blacklists that I actually use as BLACKLISTS, but those are the more carefully maintained ones.)

My normal "MSA" on port 587 did not have the restriction (since the MSA requires that you auth), so even if spammers know I'm listening on port 587 they can't send anything to it.
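The tuple, whitelist, DNSBL-conditional and authenticated-bypass behaviour described above, as an added example that is not part of the original post or of milter-greylist itself. The one-hour window, the class and method names, and the in-memory set standing in for a real DNSBL query are all assumptions.

```python
RETRY_DELAY = 3600  # assumed one-hour window before a retried tuple is accepted

# Constructed stand-in for a DNSBL lookup (e.g. APEWS): a set of "listed" IPs.
DNSBL_LISTED = {"203.0.113.10"}


class Greylist:
    """Greylisting keyed on the (client IP, sender, recipient) tuple."""

    def __init__(self, dnsbl_only=False):
        self.first_seen = {}   # tuple -> time of the first delivery attempt
        self.whitelist = {}    # tuple -> time the tuple passed greylisting
        # dnsbl_only=True: default policy is "let through", and only clients
        # on the blacklist are made to wait (the DNSBL mode described above).
        self.dnsbl_only = dnsbl_only

    def decide(self, client_ip, sender, recipient, now, authenticated=False):
        """Return 'accept' or 'tempfail' for one delivery attempt at time now."""
        if authenticated:            # MSA submission: never greylisted
            return "accept"
        key = (client_ip, sender, recipient)
        if key in self.whitelist:    # already proved it retries properly
            return "accept"
        if self.dnsbl_only and client_ip not in DNSBL_LISTED:
            return "accept"
        seen = self.first_seen.get(key)
        if seen is None:             # first attempt: "come back later" (4xx)
            self.first_seen[key] = now
            return "tempfail"
        if now - seen < RETRY_DELAY:
            return "tempfail"        # retried too early; keep waiting
        # A standards-following retry after the delay: accept, and whitelist
        # the tuple so later mail between these three parties is not delayed.
        del self.first_seen[key]
        self.whitelist[key] = now
        return "accept"
```

A fire-and-forget mailer that never retries leaves a tuple stuck in first_seen, which is the whole point; a real implementation would also expire those entries.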

Here's what I've discovered:

1) There are still a few ISPs out there who are not blocking port 25, outbound (they SHOULD!).

2) Those users that were ON those ISPs, are also listed in APEWS (probably BECAUSE those ISPs don't block things).

3) My auth-detector wasn't working properly (the port 25 users were authing, but the greylist wasn't recognizing it) and was thus giving the message meant for mail servers to a few of you.

Of course, I've fixed it.

Maybe at some point I'll make a flowchart for all this stuff, and how my mail works.

gushi: (Default)
Guys,

phpBB 2.0.16 is out. Mass upgrades will be ensuing tonight. If you don't want this, upgrade on your own.

-Dan
gushi: (Default)
But I'm pleased to announce that imap and pop3 now support SSL and IPv6 Natively. Stunnel is gone.

Please report any issues ASAP, to the usual channels.

I've also made SpamAssassin's spamd module support SSL, for the hell of it.

Other geekly thoughts follow this pattern.
