All posts by rbowen

fail2ban filter: Block based on mod_security failures

I wanted to write a fail2ban filter which watched my mod_security log file, and added repeat offenders to the firewall block list. I looked at several tutorials/howtos about writing filters, and they were all amazingly complicated, and most of them devoid of useful examples.

After some experimentation, I got something working, and it was remarkably simple. So here goes.

First, the mod_security rule itself.

# Block malicious bots
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/httpd/modsecurity.d/badbots.txt" "id:5000025,rev:1,severity:2,log,msg:'BAD BOT - Detected and Blocked. '"

The line that starts with SecRule is all one line.

badbots.txt is a text file containing the names of annoying/malicious bots. Specifically I noticed that almost all of the traffic to one of my sites was from a bot named ahrefbot which was making very suspicious requests.

Now, I have entries in my error log that look like:

[Wed Feb 19 16:29:44.363193 2020] [:error] [pid 19321:tid 140221286971136] [client 46.229.168.131:47466] [client 46.229.168.131] ModSecurity: Access denied with code 406 (phase 2). Matched phrase "SemrushBot" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/conf.d/vhosts/drbacchus.conf"] [line "33"] [id "5000025"] [rev "1"] [msg "BAD BOT - Detected and Blocked. "] [severity "CRITICAL"] [hostname "drbacchus.com"] [uri "/"] [unique_id "Xk1ieF8Z-mVmfnUdi8jliwAAAEA"]

(SemrushBot is another frequent offender.)

The important bits in that line are the client address, and the fact that this triggered the particular rule that I care about. I’ll come back to that in a second.

Step two is to create a new “Jail” in fail2ban. I did this by adding a block to the end of my /etc/fail2ban/jail.local file that looks like:

[modsec]
enabled = true
filter = modsec
action = iptables-multiport[name=ModSec, port="http,https"]
logpath = /var/log/httpd/drbacchus-ssl.error_log
bantime = 10800
maxretry = 1

This creates a jail named modsec. It points to a filter named modsec. It references the log file that I want to watch, and it specifies a ban time of 3 hours.

It’s also very aggressive in that it bans them the first time. You might want to be more lenient with other filters.

Finally, I define the filter itself, by creating a file called modsec.conf in my filter.d directory, with the regex that I wish to match in the referenced log file.

[definition]
failregex = [client <HOST>] ModSecurity: Access denied with code 406.+BAD BOT
ignoreregex =

The line that begins with ‘failregex’ is all one line – it’s just wrapped on your screen here.

The magic bit is the <HOST> which says “the IP address that I want to block will be *here*. The rest of the line is standard regex syntax.

The docs say that you want the regex to be as specific as possible, so that it doesn’t match unexpected things. In this case, I want anything that has the ModSecurity access denied message, followed by some stuff (.+) and BAD BOT from my modsec rule. Many of the examples online appear to have been written by people who were perhaps not very familiar with how regexes work, and so go a bit nuts with the special characters and stuff. That’s really not necessary.

Now, restart fail2ban, and watch the results with fail2ban-client status modsec

Daniel Moi

The conversation about the death of former Kenyan President Daniel Toroitich arap Moi is complicated, from where I sit. His death is the end of an era, in many ways – the last of the colonial era African strongmen. But he’s also one of the very few powerful African presidents who stepped down at the end of his term, and let the new president peacefully take over. Yes, “he followed the law” seems like an awfully low bar, but at the time, it was a really big deal.

The conversation that’s happening on Twitter is, for the most part, focusing on the terrible parts of his legacy. The torture. The murder and incarceration of his enemies. And, truly, there’s no excuse for that. Only that he apologized, and stepped out of the public eye to let his successors carry on.

But, for me, there’s another layer. When I was a kid, you didn’t speak ill of Mzee. Heck, you didn’t *think* ill of him. You didn’t criticize him in the most private of private places, because you knew that the CID would come drag you away. BBC had a good article today about how Kenyans learned to laugh at Moi.

And I also remember when Amnesty International issued a statement condemning Daniel Moi, I was aghast, and refused to believe the things that they asserted about him, even though I now know them all to be not only true, but probably only a fraction of what he actually did.

When Moi became president, in 1978, upon the death of President Kenyatta, he had a lot of opposition from people who had someone else in mind. Over the years, he became more and more dictatorial, and his government more and more repressive, particularly after the failed coup attempt in 1982.

Meanwhile, in the USA, we are moving into an era where a senator is vilified, and threatened with removal from office, for voting his conscience against his Great Leader, and the days of us mocking third-world countries for this kind of reprehensible behavior seem a long time ago.

At his funeral yesterday, while dignitaries spoke glowingly about the Great Man from the podium, someone in the crowd dared to heckle, and was dragged away, just like in the old days. Some things don’t change so much.

Switched to Metronet

Yesterday, the folks from Metronet came by and ran fiber into my office. I now have (theoretically) gigabit symmetric (ie, up is the same as down). In reality, as was explained to me in exhausting detail by the Spectrum guy this morning, as I was trying to cancel my Spectrum service, you seldom actually get the full gigabit. Down varies between about 700 and about 900. Up varies between about 400 and 600. Note that this is, respectively, twice and 40+ times, what I had with Spectrum, for about half the price, so I’m pleased.

If you are interested in switching, it would be awesome if you mention me as having referred you. I get a small kickback from that.

You can determine your availability, and sign up, at https://www.metronetinc.com/

 

Why do I have this business card?

I’m not much for “life hack” kinds of articles, but …

I come back from every conference I go to with a stack of business cards, and the question “why do I have these cards?”

I have tried so many ways to remember why I have particular cards, and ensure actual followup. Write a note on the card. (Invariably it gets smudged, or the available space isn’t enough to actually communicate what I’m supposed to do with the card.) Scan it into Evernote (Kinda sorta works, but somehow I never follow up n them.) Email myself a photo of the card with some notes. (This is pretty good, but involves actually doing it immediately after the conversation, so that I don’t forget, which seldom works at conferences.)

This week I tried something different.

This is a staple-less stapler. You can get one on Amazon HERE.

And I always carry a notebook.

So at FOSDEM I did this:

In case you can’t tell from the photo, I stapled the card to a page in my notebook, and wrote the notes right there. Since my book is always with me, I’m pretty sure I’m not going to forget, this time. And I have room for all of the notes that I need, right there with the contact information I need to follow up.

You can see how the back of the page looks, here.

If you’re curious how the stapler works, you can watch here:

You could, of course, use an actual stapler. It’s just messier and you end up with staples that can tear the page.

 

Unhelpful feedback

The CentOS project just tweeted an announcement :

The feedback was mostly positive, but two negative responses caught my eye.

The first:

Curved edges on this do not scale down well at small sizes. It's a very busy design for something which will likely be used a lot on screen/small sizes. A step in the right direction but needs more refinement IMO. Solved the colour repo headache, but potentially creating another.

Feedback is specific and seems to indicate actual expertise.

The next:

Feedback is useless, and incorporates a personal attack (designer should be fired) which is just rude.

I’m left wondering if this person thought that this was in any way helpful or that this is in any way an appropriate way to engage with a stranger. Would they talk with a human in person like this? Do they have any friends?

And even without the rudeness, the response is completely worthless and unactionable. So, one deeply unpleasant person didn’t like it, while 100 others did. Why should I care?

I also wonder if there is a way to respond to this person without returning their vitriol.

The email not sent

I frequently say (and write, and tweet) “there is honor in the email not sent.”

The corollary, of course, which is both obvious and perhaps people don’t think about, is that I often write those emails.

Several times a week I write an email, to work through my frustration, anger, whatever, and then delete it, because I recognize that sending it will do more damage.

Today I accidentally pressed send on one of those emails. I’m ashamed, and also not sorry. Because I meant every word of it. But I’m not sure that it will do more good than harm.

Writing these emails is very cathartic. It helps me understand why I’m angry. And more often than not it help me understand that there’s more than one side to the issue, and maybe I’m not all in the right after all. Thus, there’s honor in not sending it.

And, often, it’s just feeding the troll – giving the angry, irritating, poisonous person on the receiving end justification for their vitriol. In which case, it’s just making things worse.

But, sometimes, it’s important to stand up for yourself, too. Even when it doesn’t actually solve anything.

Ten Albums

There’s a thing on Facebook right now where you’re supposed to post ten albums that influenced your musical tastes. This got me thinking, not so much about what I like and listen to now, but the music that surrounded me growing up, and, I presume, influenced my tastes in some way. So here they are. (Not sure if there’s actually ten.)

  1. Barbershop

Barbershop. Not sure it was this one in particular, but Barbershop Quartet was a staple in our home when we were kids. Tapes, records, and a few 8-Tracks, and an entire box set of the SPEBSQSA (Society for the Preservation and Encouragement of Barber Shop Quartet Singing in America) champions.

2) Them Mushrooms

There were a lot of bands that played the standard Kenyan tourist tunes – Hakuna Matata (no, not the Lion King one), Lala Salama, and so on – but in my mind it’s always Them Mushrooms.

3) Dr. Hook

I don’t know that I could even name one of their songs at this point, but there was a Dr. Hook album, and dad played it a lot. Might have been this one. I don’t know.

4) Mlimani Park Orchestra

Many Americans, on hearing Mlimani Park Orchestra, say “that sounds like mariachi!” And I suppose there may be similar roots, if you go back far enough. This was mostly on the radio, and I don’t think I ever actually had it on tape or LP until after I moved to the USA and missed it so much.

5) Graceland

Someone (probably my sister?) brought Graceland back to Kenya with them. This was the first I had heard of this Paul Simon fellow, but he was playing music with Ladysmith Black Mambazo, so it seemed like he might be worth listening to. And I don’t think I had heard of Graceland, or Memphis, before, either. But “Homeless” and “Under African Skies” and the one about the angels in the architecture, opened new worlds of music to me.

6) Rush

Of course, I have to mention Rush. In 1985 (about?) Kristina Silva sent me a mix tape of this new band she had just discovered, and I’ve been listening to them ever since. I couldn’t find that original tape, but I know it’s around here somewhere.

7) Mix tapes

Growing up in the 80s, you cannot really ignore the influence of mix tapes, passed around between friends. This particular one was also from Kristina, and there’s pretty much nothing on this one that I even remember, much less still listen to. But a steady supply of mix tapes that she sent me (this one was apparently during college, but most were while I was in Kenya, and didn’t have a local radio station that played top 40 stuff) definitely shaped my tastes.

And of course kids these days swap Spotify playlists, which is even more amazing, because it leads to discovery of other tracks that neither you nor your friends had heard of. But, of course, mix tapes hold a strong nostalgic corner of the 80’s kids’ hearts.

8) The Joshua Tree

Yes, I’m one of the people who discovered U2 when The Joshua Tree came out, and I was hooked. But then I discovered their older stuff, and was even more hooked. This one gets two images:

I don’t remember where this particular mix tape came from. I probably recorded it off of LPs at Bobby’s house.

9) Watermark

Enya’s album Watermark was where I learned that, for some reason, the radio people always choose a middle-of-the-pack song from an album to give air time. Meanwhile, the rest of this album was really amazing, in a weird sort of way that was completely unlike everything else I listened to at the time.

10) The Other Side of the Mirror

Back in the 90s there were tape/record clubs where you got a dozen tapes for one penny (!!!!) and then there was the small print about buying a million other tapes at full price over the course of the year. This was one of my dozen.

Growing up outside of the top 40 radio scene, I hadn’t heard of Fleetwood Mac, and I didn’t know who Stevie Nicks was.

This was another album that strongly influenced my taste. Here was Stevie, who was beautiful, had this amazing smoky voice, and sang songs that actually meant something, and were poetic. Amazing.

This quickly led me to Fleetwood Mac, of course.

11 and beyond …)

And the rest … well, picking just 10 is always hard. I didn’t even mention Men at Work, and the “Willie Nelson, Waylon Jennings Outlaw Reunion” tape that was one of my first two album purchases *ever* (the other was the Ghostbusters movie sound track!) and Roger Whittaker and … well, so many others.

Draw what you want

I checked this book out from the library about sketching. It started with saying don’t let anybody tell you you’re doing it wrong. If they spent 40 pages telling me that I’m doing everything wrong.

There were a few good tips hiding in among that. But mostly it was just frustrating.

Hunting the Ibis

Hunting the Ibis
October 27th, 2019
Charles de Gaulle Airport, Paris

Even Google is in on it.
The recommended route from
Terminal 3 to Terminal 2
involves a train ride
a bus, an Uber
and a 37 minute walk.

I am, as Dave Barry might assure us,
not making this up.

Samuel Johnson not withstanding,
I am tired of Paris.

Not the Champs Elysees
or l’Arc —
I never made it that far.

CDG strives to offset
any good memories of Paris itself.
Life, it says, is not all roses.
Here, have some thorns.

During the war,
they painted over the road signs
to keep the enemy from
finding their way.

I come in peace.
The war is long over.
I seek only a place to sleep.

Hell is not, as JP tells us
other people.
No, it is wandering
Charles de Gaulle at 11:30,
looking for the Ibis,
as though it were not a cheap hotel,
but rather the bird of legend
flying mournfully over the rolling waves
looking for somewhere,
anywhere,
to land for the night.

Windstream is on my blacklist

Today I spent 90 minutes on the phone with Windstream Support for a 2-minute problem.

My dad bought a new DSL modem to replace the one that Windstream provided, so that he could own it and not have to pay a monthly rental fee. Smart move.

Ordinarily, the way these things work is that you unplug the old one and plug in the new one and everything just works. When this did not happen, I called Windstream Support, and there The Saga Begins.

The DSL light kept blinking for several minutes, indicating that it was not getting a connection to the internet service provider.

The first person that I talked to, told me that I needed to contact the hardware manufacturer who would connect in to the modem and change the configuration settings.

This is plainly not true. It is impossible for the hardware manufacturer to connect in if the modem is not connecting to the internet in the first place.

I called back and got a different person, who insisted that the problem was that I had a temporary email address attached to the account. That, also, was not true. And finally after over an hour of pointless back and forth, he finally escalated me to a level 2 network engineer.

The level 2 engineer looked up the model number of the modem that I was using and said that it was an ADSL modem and I needed a VDSL modem, and recommended an option. This took about 2 minutes.

I don’t know the difference between ADSL and VDSL, and, of course, as a customer, I shouldn’t have to.

My beef here is not with incompetent first line support. Of course they’re not competent. I don’t blame them for that. I understand that they are following a script to solve common problems. But intentionally training them to give misleading – and even completely false – answers is not okay.

My objection, rather, is with policies specifically designed to discourage people from owning their own hardware. If they make it as complicated as possible, they can continue to charge a monthly rental fee for equipment, rather than allowing people to control their own network infrastructure.

Someone without a technical background would simply give up at the first hurdle, and not bother trying to buy their own hardware. By making my parents feel stupid and incompetent, they could probably have tricked them into spending more money for something they didn’t actually need. This behavior is predatory and unethical.

Buying a new DSL modem should not be any more complicated than buying a new phone. You plug it in and it just works. Windstream is intentionally creating a situation where people pay more money for things they don’t need. Someone shouldn’t need a technical background or network engineer training in order to connect to the internet.