#linode IRC Logs for 2021-11-14

---Logopened Sun Nov 14 00:00:02 2021
00:12-!-lex [~lex@static209-34-99-81.r.rev.accesscomm.ca] has joined #linode
00:12-!-lex is "Despite All My Rage.." on #oftc #linode
00:13-!-lex is now known as Guest5832
00:15-!-Guest5793 [~lex@static209-34-99-81.r.rev.accesscomm.ca] has quit [Ping timeout: 480 seconds]
00:21-!-lex_ [~lex@static96-63-165-208.r.rev.accesscomm.ca] has joined #linode
00:21-!-lex_ is "Despite All My Rage.." on #oftc #linode
00:27-!-Guest5832 [~lex@static209-34-99-81.r.rev.accesscomm.ca] has quit [Ping timeout: 480 seconds]
01:15-!-MaXi32 [~oftc-webi@2001:e68:543c:a8f0:b92b:a751:ced5:8e45] has joined #linode
01:15-!-MaXi32 is "OFTC WebIRC Client" on #linode
01:15-!-MaXi32 [~oftc-webi@2001:e68:543c:a8f0:b92b:a751:ced5:8e45] has left #linode []
02:06-!-lonewulf` [~lonewulf@00020897.user.oftc.net] has quit [Quit: leaving]
02:06-!-lonewulf` [~lonewulf@00020897.user.oftc.net] has joined #linode
02:06-!-lonewulf` is "U-lonewulf-PC\lonewulf" on #linode #debian-offtopic #debian #oftc
02:40-!-aliayaydin [~oftc-webi@46.1.111.240] has joined #linode
02:40-!-aliayaydin is "OFTC WebIRC Client" on #linode
02:40<aliayaydin>hi
02:44-!-aliayaydin [~oftc-webi@46.1.111.240] has quit []
03:22-!-aliayaydin [~oftc-webi@46.1.111.240] has joined #linode
03:22-!-aliayaydin is "OFTC WebIRC Client" on #linode
03:22<aliayaydin>hi
04:06-!-aliayaydin [~oftc-webi@46.1.111.240] has quit [Remote host closed the connection]
07:31<linbot>New news from community: How do i delete unused disk after restoring an image? <https://www.linode.com/community/questions/22106>
09:21-!-sebastianos_ [~sebastian@103.203.72.126] has joined #linode
09:21-!-sebastianos_ is "Sebastian B" on #ceph #postmarketos-offtopic #postmarketos #linode #fdroid #docker
09:23-!-sebastianos [~sebastian@45.115.91.30] has quit [Ping timeout: 480 seconds]
10:38-!-Redentor [~armando@2600:3c01:e000:20c:4dff:fe7f:cbb:6424] has joined #linode
10:38-!-Redentor is "realname" on #linode #debian-next #debian-mx #debian
11:53<linbot>New news from community: How do I open port 44158? <https://www.linode.com/community/questions/22108> || NordVPN on Linode <https://www.linode.com/community/questions/22107>
13:10-!-patrick_here_ [~oftc-webi@c-24-19-156-53.hsd1.wa.comcast.net] has joined #linode
13:10-!-patrick_here_ is "OFTC WebIRC Client" on #linode
13:10-!-J-Node [~root@136.49.108.80] has quit [Read error: No route to host]
13:11-!-J-Node [~root@136.49.108.80] has joined #linode
13:11-!-J-Node is "root" on #linode
13:11<patrick_here_>Question about the Linode Cloud Firewall: is it possible to block specific countries? (and if so, is it possible to block those countries only from specific pages? )
13:12<dwfreed>no and no
13:13<patrick_here_>OK - thanks!
13:13<Peng>It's not possible to do the latter with a network-level firewall
13:13<dwfreed>the firewall only operates on IP addresses
13:13<dwfreed>so you'd need to maintain lists of IP addresses by country
13:14<Peng>which are always inaccurate
13:14<dwfreed>Also true
13:17<DrJ>patrick_here: if this is to prevent malicious stuff (spam, scams, etc), you can possibly look into blacklist apis or use a cdn
13:18<patrick_here_>Fail2ban question: I have my fail2ban configured so that any IP address that attempts to touch the xmlrpc.php on any of my wordpress websites gets added to a blocklist (for 2 days) immediately. But I can see that there is some attacker(s) who has a botnet or something so that within a matter of five or ten minutes he attacks that file from about 250 distinct addresses.
13:18<patrick_here_>I'm thinking that I need to approach this in some other way because a list of 250 banned addresses is starting to get a bit too big.
13:19<patrick_here_>I'm using xmlrpc.php as bait because no one other than an attacker would want to access that file.
13:24<@_brian>is xmlrpc.php necessary to the function of your site? it's a commonly exploited file and worth removing/disabling if not
13:25<@_brian>alternatively consider reducing your fail2ban jail timer to something lower to prevent such a large list
13:27<@_brian>also you could set your web server to only respond to requests that specify a domain to weed out the people just curling IP addresses to see if they'll serve the file
13:28<patrick_here_>It's not needed but I guess I was thinking that if I remove/disable xmlrpc.php, potential attackers will just attack some other page on the site.
13:29<patrick_here_>yes, I'm thinking that I need to think of Apache based solutions. What Apache configs should I be looking at to do what you are recommending?
13:30-!-Redentor [~armando@2600:3c01:e000:20c:4dff:fe7f:cbb:6424] has quit []
13:30<@_brian>it should be somewhere in your vhosts iirc, i'll see if i can find a resource
13:32<@_brian>also while possible attackers might target something else, it's more common that adversaries just scan our ranges looking for commonly exploitable files like xmlrpc.php
13:32<patrick_here_>Also, when I mention IP Addresses, I don't mean that they are requesting my site resources by MY IP address - I'm referring to diverse SOURCE IP addresses coming from (presumably) a single attacker.
13:34<patrick_here_>If it was the SAME SOURCE IP address hitting the site multiple times in rapid succession then the fail2ban solution would be straightforward.
13:35<DrJ>patrick_here_, here is a hard reality: if you do have any exploits publicly available, one of the bots scanning your site will find it before it triggers your fail2ban
13:35<DrJ>in other words, I think what you are trying to do IS NOT a solution
13:36<patrick_here_>Yes, I understand that. That's why I'm here asking about possible alternate solutions.
13:36<@_brian>i understand. we're a public cloud provider and our IP ranges are public knowledge. attackers know this and scan them frequently, the behavior you're seeing isn't unexpected
13:36<DrJ>sounds like this is wordpress
13:36<DrJ>first off, lock down the wp-admin to just the IP addresses that need it
13:37<DrJ>and make sure you do not use any sketchy plugins
13:37<patrick_here_>Attacks on wp-admin are already minimal
13:37<patrick_here_>plugins are not a problem now
13:37<DrJ>yes, but you can safely lock it down and it will prevent the next zero-day exploit
13:37<DrJ>and I assure you with my life: there will be one of those pop up eventually
13:37<patrick_here_>safely lock what down?
13:38<DrJ>the entire wp-admin directory
13:40<patrick_here_>The xmlrpc.php file is not in wp-admin/ directory
13:40<DrJ>I didn't say that was a solution to all
13:41<patrick_here_>The sites are very locked-down as-is. This one problem is the only one.
13:41<DrJ>the xmlrpc thing is simple, do you use it? no? disable it
13:41<patrick_here_>Okay, I'll give that a try then.
13:41<DrJ>do it the sure fire way, through your vhost
13:41<patrick_here_>I don't use it.
13:41<patrick_here_>Ok
13:41<DrJ><Files "xmlrpc.php">Require all denied</Files>
13:42<DrJ>add that to the vhost for the site
13:42<DrJ>problem solved
13:43<patrick_here_>I think there's a single apache2 file where I could block it for all sites, ...isn't there?
13:44<DrJ>if you do that and then also restrict the wp-admin directory in your vhost... you then mostly just have your plugins and themes to worry about. Those can't be locked down, but as long as you aren't installing sketchy stuff, you should be fine for the most part
13:44<DrJ>I don't use apache, I know you can place that in the vhost
13:45<patrick_here_>Okay, thanks.
13:46<DrJ>my ultimate suggestion would be to avoid things like wordpress
13:47<DrJ>especially so if security is a top concern
13:50<patrick_here_>Yes, I think there's a way to do it in apache2.conf for all (twenty) of my sites.
13:51<@_brian>https://serverfault.com/questions/744191/apache-2-4-block-access-to-xmlrpc-php-of-all-domains
13:51<patrick_here_>Great...thanks!
13:52<@_brian>for sure
14:03<linbot>New news from community: apt-get apt install not working when Linode Firewall is enabled <https://www.linode.com/community/questions/22109>
14:21-!-sebastianos [~sebastian@45.115.91.173] has joined #linode
14:21-!-sebastianos is "Sebastian B" on #ceph #postmarketos-offtopic #postmarketos #linode #fdroid #docker
14:23-!-sebastianos_ [~sebastian@103.203.72.126] has quit [Ping timeout: 480 seconds]
14:28-!-patrick_here_ [~oftc-webi@c-24-19-156-53.hsd1.wa.comcast.net] has quit [Quit: Page closed]
14:33<linbot>New news from community: How do I make a GRE tunnel <https://www.linode.com/community/questions/22110>
15:01-!-sebastianos [~sebastian@45.115.91.173] has quit [Ping timeout: 480 seconds]
17:12-!-lonewulf` [~lonewulf@00020897.user.oftc.net] has quit [Quit: leaving]
17:17-!-Redentor [~armando@2600:3c01:e000:20c:4dff:fe7f:cbb:6424] has joined #linode
17:17-!-Redentor is "realname" on #linode #debian-next #debian-mx #debian
18:09-!-patrick_here [~oftc-webi@c-24-19-156-53.hsd1.wa.comcast.net] has quit [Quit: Page closed]
18:43-!-lex [~lex@static209-34-99-81.r.rev.accesscomm.ca] has joined #linode
18:43-!-lex is "Despite All My Rage.." on #oftc #linode
18:44-!-lex is now known as Guest5881
18:44-!-alyx [alyx@45.79.28.74] has quit [Quit: Ping timeout (120 seconds)]
18:44-!-dwfreed [~dwfreed@dwfreed.noc.oftc.net] has quit [Quit: ZNC - http://znc.in]
18:44-!-dwfreed [~dwfreed@dwfreed.noc.oftc.net] has joined #linode
18:44-!-dwfreed is "dwfreed" on #virt #uno #tor-project #tor-dev #tor #redditprivacy #pulseaudio #privacytech #pax #osm-fi #openttd #openjdk #oftc #msys2 #moocows #llvm #linux #linode #jmc #https-everywhere #help #freedombox #dot #debian-voip #debian-perl #debian-next #debian-kde #debian-ctte #debian #dcs #ck #ceph-orchestrators #ceph-devel #ceph-backports #ceph-ansible #ceph #OpenRailwayMap #open-xchange
18:45-!-alyx [alyx@45.79.28.74] has joined #linode
18:45-!-alyx is "alyx" on #linode
18:45<bencc1>is there a problem with the Object Storage page in the admin dashboard?
18:45-!-nuevu [~nuevu@00028774.user.oftc.net] has quit [Remote host closed the connection]
18:45<bencc1>now it works
18:45<bencc1>but was loading few minutes ago
18:45-!-nuevu [~nuevu@00028774.user.oftc.net] has joined #linode
18:45-!-nuevu is "Nuevu" on #linode
18:49-!-lex_ [~lex@static96-63-165-208.r.rev.accesscomm.ca] has quit [Ping timeout: 480 seconds]
18:50<dwfreed>there may have been a blip in dallas
18:50<dwfreed>which would explain why I reconnected
18:56<Peng>My logs show unhappiness starting at like 23:40 UTC
18:57<Peng>e.g. timeouts to DigitalOcean NYC
18:58<Peng>Not everything went down but some things did
19:08<millisa>(can confirm)
19:08<millisa>the phone got very noisy
19:49-!-el [~elky@00026a4b.user.oftc.net] has quit [Ping timeout: 480 seconds]
20:00-!-el [~elky@00026a4b.user.oftc.net] has joined #linode
20:00-!-el is "elky (pronoun.is/she/:OR/they)" on #linode #oftc
20:32-!-trippeh [~atomt@2a0a:2780:4f8f:44:e2d2:a7f7:e1dc:4200] has quit [Ping timeout: 480 seconds]
20:39-!-trippeh [~atomt@2a0a:2780:4f8f:44:e2d2:a7f7:e1dc:4200] has joined #linode
20:39-!-trippeh is "Andre Tomt" on #pipewire #nuug #linode
21:29-!-callmepk [~callmepk@n1164961222.netvigator.com] has joined #linode
21:29-!-callmepk is "Patrick Wu" on #linode #alpine-linux
21:49-!-fergtm [~fergtm@2806:2f0:51e0:d72:817c:6049:5f1d:69cd] has joined #linode
21:49-!-fergtm is "Fernando" on #linode
21:56-!-Cruiser` [Cruiser@136.34.115.83] has quit []
21:58-!-satanpol [~satanpol@108-249-13-211.lightspeed.bcvloh.sbcglobal.net] has joined #linode
21:58-!-satanpol is "satanpol" on #linode #linux
21:59-!-Cruiser` [Cruiser@136.34.115.83] has joined #linode
21:59-!-Cruiser` is "Cruiser" on #linode
21:59-!-satanpol [~satanpol@108-249-13-211.lightspeed.bcvloh.sbcglobal.net] has quit []
22:07-!-lonewulf` [~lonewulf@00020897.user.oftc.net] has joined #linode
22:07-!-lonewulf` is "U-lonewulf-PC\lonewulf" on #linode #debian-offtopic #debian #oftc
23:51-!-Edgeman [~edgeman@ip-45-74-112-51.user.start.ca] has quit [Ping timeout: 480 seconds]
23:54-!-Redentor [~armando@2600:3c01:e000:20c:4dff:fe7f:cbb:6424] has quit []
---Logclosed Mon Nov 15 00:00:04 2021