-: brycec has just blocked China. Nothing good comes from China, at least not over the Internet. mercutio: i hope that doesn't mean apnic in general :) -: mercutio has been hit by that before brycec: mercutio: As long as you're not on http://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone, we're good :) -: mercutio checks just in case mercutio: nah i'm not brycec: heh. ipdeny.com is reasonably well respected. And I compared lists from a couple of sources and they matched. mercutio: yeah
as long as it's not blanket block it's fine
i suppose that's less common now
but you see how many 202. address ranges there are?
and i'm on an ip address beginning with 202 brycec: I just got sick and tired of individual IP's triggering my filters here and there only to be followed by another IP in the same block. So then I started manually blocking the whole IP's subnet, but that's time-consuming for me to look up. So I just fed that into pf and life should be great. mercutio: i seem to get hacking attempts from leaseweb myself
and spam from gmail brycec: It's mostly ssh brute-force attempts. mercutio: go figure brycec: (for me) mercutio: ahh
yeh they may come from china
lots of the hacking type stuff seems to come from the US, Germany, etc. brycec: Spam is taken care-of in other ways for me, and doesn't usually go so far as to trigger a pf block. mercutio: probably because someone is using an interactive shell
whereas the ssh bruteforce is just a worm brycec: but ssh... I get brute-force attempts every few minutes when it's "quiet" mercutio: someone's probably got numbers somewhere. brycec: (It doesn't help that I run an shell provider, so running on 22/tcp is sorta "required") mercutio: yeah that's been around for years
you run a shell provider? brycec: Not on ARP, mind you. But yes, I (along with some friends) run http://devio.us mercutio: i thought that'd be nifty once upon a time.
oh i think i have a shell on there brycec: lol mercutio: or had
it still looks like it works brycec: I don't necessarily suggest starting one up. But I signed up once upon a time, and then ended up befriending the right people and ended up an admin, volunteering my time. mercutio: Last login: Fri Feb 18 22:03:45 2011 from meh-2-pt.tunnel.tserv15.lax1.ipv6.he.net
haha
so not only was it 4 years ago
but it was on he.net ipv6 tunnel
oh you're even on the same host as me brycec: There's just the one host :p mercutio: h
oh
oh i see you're using arp ipv6 brycec: write+tmux does not work well mercutio: i'm such a geek that i notice the ip address block :) brycec: It's very noticeable mercutio: ok i can notice the ipv4 too
why is reverse lookup not working on ipv4 for the arp address? brycec: Because those are connections on a separate sshd that has NoDNS enabled mercutio: ahh brycec: (Admins have our own sshd) mercutio: that's the new default btw brycec: Yep, so I hear.
I kindof want to block North Korea just for the heck of it... Whole country under a single /22 block. mercutio: is that orlando?
it feels laggy
oh i can test my script brycec: The host is located just outside Orlando, FL, yes mercutio: yip as i suspected a little variable
actually not that bad
but it's higher than the ping
is it going to get upgraded to openbsd 5.6? brycec: Probably not any time soon.
Too many big things break between 5.4 and 5.5 and we just don't have the time to deal with that. mercutio: debian, openbsd, ubuntu are all coming out with new versions at once. brycec: (uninstall/reinstall all packages, php changes versions and package names, etc) mercutio: php is the big one
this is really old server isn't it brycec: I mean, it's definitely not impossible to upgrade. But it's risky enough as it is (we have no remote console/kvm, all upgrades are 100% headless in the running/old kernel) mercutio: like dual dual core pentium4 brycec: hw.model=Intel(R) Xeon(TM) CPU 2.80GHz ("GenuineIntel" 686-class)
quad-core mercutio: you sure? brycec: I'm just relaying what sysctl hw shows :p
hw.product=X5DPA-TGM+ mercutio: as opposed to dual dual cores brycec: Ah on that front, I have no idea
just going by hw.ncpu mercutio: ddr1 :) brycec: just "ddr" :p mercutio: yeah brycec: (it was never called "ddr1") mercutio: it'll be slower than xeon 5060 probably
it is like sata1 is sata 1 :/
i wonder if people will start saying http1
to mean http/1.0 or /1.1
there was a 0.9..
1.0 is much simpler
so sometimes it's used on purpose brycec: True
(looking at dmesg suggests that yes it is 2x dual-core Xeons) mercutio: it's amazing how much faster openbsd feels on old hardware compared to linux
arch linux is better than most distributions.
but even that computer if lightly loaded would seem like a "fast" server probably.
dns resolution doesn't work in mtr? brycec: Not on OpenBSD mercutio: weird
it works on my openbsd box brycec: http://comments.gmane.org/gmane.os.openbsd.ports/64403
You're not running 5.4 are you? mercutio: oh just broken in 5.4
nah i'm current 5.7-current apparently brycec: And possibly earlier
But it was fixed after 5.4 mercutio: cool project though ***: Guest6327 is now known as easymac
easymac is now known as Guest57394 mercutio: hmm there's packet loss on mtr from arp to devio.us on ipv6 brycec: Oh? My mtr has been running for 14,600 packets and dropped just 62. mercutio: maybe just my luck brycec: (and none of those in the last 10 seconds) mercutio: mine was 1600 with 2 dropped
but it shows as 0.1%
and the best to average is kind of high
even for first hop
i don't think ipv6 has deprioritisation
yeah throughput is shot too
hmm it's on/off
curl -6O https://weallsee.net/10m brycec: 130 packets, no loss anywhere mercutio: the current one is stalled
it seems to be every 2nd connection is slow
but maybe just luck brycec: I've run it twice in a row now, never stuck. mercutio: there's two ip's
2400:cb00:2048:1::681c:67e...
i think that's the slow one
i don't know how to make curl pick one address
my usual trick of -x doesn't work with cloudflare
yeah it's not based on ip anyway it looks like
and now it's going fine
it was < 10k/sec before
now it's over 600k/sec ***: Guest57394 is now known as easymac
easymac is now known as Guest93 up_the_irons: what the hell level3... mercutio: what's level3 doing? ***: Guest93 is now known as easymac
easymac is now known as Guest31109
ziyourenxiang has joined #arpnetworks
Guest31109 is now known as easymac
easymac is now known as Guest4079
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
ziyourenxiang has joined #arpnetworks
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
Guest4079 is now known as easymac
easymac has quit IRC (Quit: leaving)
mike-bur1 is now known as mike-burns
temporary4242 has joined #arpnetworks temporary4242: hi, do you guys get a certificate error when you go to https://portal.arpnetworks.com ? mercutio: i don't.
it's not even yellow in chrome like some web sites have been recently
what date does your computer say it is? temporary4242: okay thanks mercutio. think it must be me then. the date on my computer is current. my cellphone browser gives me a certificate error as well. mercutio: because the certificate is only valid from one month ago, so if your date is off by a month it could be reason? temporary4242: maybe it's a problem with my cache. mercutio: that's strange.
cert info isn't usually cached afaik
it's a rapidssl cert.
they're pretty common.
my friend had cert issues with a few sites recently, and he found that os x had somehow got some weird verisign certificate installed.
which was in a chain
which made like no sense to me, but apparently you can click and it can replace certs.
but when it's happening on two devices that kind of thing seems unlikely.
i dunno if it's chained ant: temporary4242: i get an error, too
running ssltest now
looks like an intermediate cert is missing
yup
https://www.ssllabs.com/ssltest/analyze.html?d=portal.arpnetworks.com&hideResults=on temporary4242: yes. i think so too. ant: up_the_irons: portal.arpnetworks.com is missing the intermediate cert: https://www.ssllabs.com/ssltest/analyze.html?d=portal.arpnetworks.com&hideResults=on ***: poulsen has joined #arpnetworks
temporary4242 has quit IRC (Quit: http://www.kiwiirc.com/ - A hand crafted IRC client)
RandalSchwartz has joined #arpnetworks
RandalSchwartz has quit IRC (Changing host)
RandalSchwartz has joined #arpnetworks brycec: up_the_irons: Also, what gives with the lack of TLSv1.2?
or v1.1 for that matter
And all these old, insecure cipher suites that are supported still...
My ssl test gives a pretty simple error: "Provided certificate issuer does not match issuer in certificate. Sent chain order wrong." ***: poulsen has quit IRC (Ping timeout: 248 seconds) RandalSchwartz: I got a PCI compliance alert... had to disable all SSL versions
so its only TLS here out brycec: Many PCI scans flag TLS1.0 usage too
We had to add a checkbox to our firewall product to allow customers to disable TLSv1.0 in order to pass their PCI scans (at the expense of breaking slightly-old browsers) mercutio: shouldn't the intermediate cert be pulled in automatically?
is the reason it's working for me because i've visited non portal sites first? brycec: mercutio: Welcome to certificate chains! It is also downloaded, but a proper chain means that the client has the root cert and your server provides the rest of the links in the chain including its own cert (of course). Otherwise, the intermediate certs could be MITM'd.
It's a soft-error, generally.
And certificates are not [supposed to be] cached, so no that wouldn't explain it. mercutio: hmm
why's chrome accepting it for me?
is it because the intermediate is stored locally or something? brycec: Could be. (Why Chrome does anything wrt SSL is often a mystery :p) mercutio: weird
it says geotrust on firefox, and rapidssl on chrome
but both look normal to me brycec: ssllabs shows two paths, one with GeoTrust being the CA in the trust store. (aka cacert.pem) and the other path shows the GeoTrust CA (with a different fingerprint) as being sent from ARP, and rooted with Equifax
it's definitely a bit screwy ;p
RapidSSL is still the intermediate either way mercutio: ok brycec: I'd assume that Chrome opts to show the intermedia as that's most likely the reseller used mercutio: yeah i must admit i'm not that clued up on ssl brycec: *intermediate mercutio: i still don't see how a certificate being signed by any of a number of signers really does anything
you just trust to some random company
and they don't make sure you're who you say you are? brycec: Exactly. SSL is effectively broken.
Well they're supposed to, to varying degrees mercutio: freak attack sounds like a real issue because you can decrypt brycec: For instance websites with "the big green bar" (eg. github.com) have an "extended validation" cert, where they pay gobs of money and go through extensive background checks. mercutio: but as far as validating domains shouldn't there just be a key in dns or something?
lots of sites are yellow for me in chrome recently brycec: The most basic certificates are issued with just domain-ownership verification (eg. startssl's free certs) wherein they verify that you receive an email sent to one of the addresses on the domain registration. mercutio: yeah that sounds dodgy
so you could register gmail.com by having an email address @ gmail.com? brycec: But there's nothing really stopping a rogue CA from just blindly giving out certificates, which has happened... and then that CA's cert is revoked. But if your client machines don't get the memo (eg. Windows Update) then they're still susceptible. mercutio: oh
one of the ones on whois brycec: mercutio: has to be in the domain's registration, eg whois mercutio: i'm surprised i don't get more spam with my normal email address being in my whois for my domain names :) brycec: So I have proven to a company that I own (who really owns domains??) brycec.ninja so they will give me certificates that say they've verified that much.
I'm surprised too. mercutio: well it's only nz ones
i think they're blocked from international actually brycec: Nope, not blocked. mercutio: hmm brycec: (which you could test from your devio.us shell too :P) mercutio: heh
devio.us has level3 back to arp
you know how i was searching for level3 test sites? :) brycec: lol mercutio: hmm i could smokeping it?
it was showing loss before starting at a hop that said cogent xe or something brycec: You could smokeping at it. I'm already running a smokeping slave on it.
(we don't have a great connection, mind you.) mercutio: but seemed to be the entry point to their provider
and so it was using their forward path
which is level3
well yeh the provider has cogent :/ brycec: I meant internally. For the longest time, the our link to the switch was 10baseT/half-duplex :P mercutio: oh
ouch
what is it now? brycec: (And then one day it magically fixed itself, 100/FD, yay) mercutio: heh brycec: https://smokeping.cobryce.com/?target=Slaves.wolfman when it works... Often the log-rotate ends up killing smokeping entirely and I just don't notice. mercutio: yeah 10 megabit kind of sucks nowadays
even if it's full duplex
but for a shell it really shouldn't matter most of the time brycec: half-duplex limited us to about 250kB/s effectively :( mercutio: it's still slow network wise it seemed brycec: which meant offsite backups were horrible
Yep mercutio: but i wonder if that's partially to do with old cpus and the system cpu usage being high :/ brycec: loadav 1.68 and all 4 cores about 90% idle? I don't consider that high. mercutio: being that vintage it's likely to be scsi disks though
so it's not so easy to upgrade cpu brycec: SATA in BIOS IDE mode actually mercutio: weird i saw high cpu usage on top when i checked
and commands seemed to pause part way through
oh
woah
it's way faster than it was last time brycec: ^ that just sounds like network "pause" not execution pause. mercutio: nah multiple little times
like top and w and so on were slow
so was logging in
and there was a delay before showing shell etc brycec: well sure, both dump a ton of text to the screen mercutio: it's /way/ faster now brycec: I get about 60ms from ARP to devio.us, worst was 244ms according to mtr mercutio: i have my cl command on there :)
it's about 6 msec higher than ping for ssh latency
but it's reasonably stable
so i don't think it's network
cur: 213.824msec, min: 213.562msec, max: 217.260msec, avg: 214.050msec
it was slightly quicker bouncing via arp
but more spikes brycec: 2 minutes of mtr - 60.0 +- .2ms
from my ARP VPS to devio.us, ipv4
240 60.2ms +- 1.66
300: 60.1 +- 1.4ms
(And https://smokeping.cobryce.com/?target=Slaves.wolfman is repoting once again)
*reporting mercutio: i probably logged in when it was doing backup or something
and i dunno why i thought about moving drives. you can just copy something onto new drives brycec: (nope, no system backups. Next backup runs in 1h15) mercutio: oh weird brycec: (570: 60.0 +- 1.1ms)
That's not to say a user wasn't copying files or the like... mercutio: i often seem to be around US 1 am etc :) brycec: Well it's 10.46-13.46 in the mainland US now :p mercutio: yeah, weird time for a backup
i shouldn't be up
i went to bed but got up again heh brycec: lol
You do seem to always be on IRC :p mercutio: yeah i've been bad recently brycec: twss BryceBot: Okay! twss! 'yeah i've been bad recently' mercutio: servers aren't as cheap on ebay as i thought they were
http://www.ebay.com/itm/HP-ProLiant-DL360-G6-Server-w-Quad-Core-2-67GHz-Intel-Xeon-X5550-2GB-RAM-/251918227028?pt=LH_DefaultDomain_0&hash=item3aa77f1654
$200 for dl360 g6
with shit all ram
most are more than that though mnathani: brycec: Thanks for that Amazon suggestion http://www.amazon.com/WeMo-Electronics-Anywhere-Automation-Smartphones/dp/B00BB2MMNE WeMo switch. I set it up and it works great BryceBot: Amazon: "Belkin WeMo Switch, Control Your Electronics From Anywhere with the Home Automation App for Smartphones and Tablets, Wi-Fi Enabled" brycec: Super, glad to hear that, mnathani ***: mnathani_ has joined #arpnetworks
mnathani__ has joined #arpnetworks
mnathani_ has quit IRC (Ping timeout: 246 seconds)
poulsen has joined #arpnetworks
poulsen has quit IRC (Remote host closed the connection) up_the_irons: ant: hmm seltsam ***: qbit has quit IRC (Quit: leaving) up_the_irons: ant: brycec : OK cert chain order should be fixed ***: qbit has joined #arpnetworks
qbit is now known as Guest81417
Guest81417 is now known as qbitr
qbitr is now known as qbit
qbit has quit IRC (Quit: leaving)
qbit has joined #arpnetworks brycec: Confirmed, cert order is correct.
Still can't imagine why you wouldn't enable TLSv1.1 and 1.2.
But that's a "fight" for another day I suppose :p
Server: Apache/2.2.14 (Ubuntu) mod_fastcgi/2.4.6 Phusion_Passenger/3.0.11 PHP/5.3.2-1ubuntu4.27 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k mod_wsgi/2.8 Python/2.6.5
wow, that's an ancient server to have OpenSSL/0.9.8k and Python/2.6.5 mercutio: pre exploit
is it lucid? up_the_irons: lucid, yeah mercutio: precise is still php 5.3 mnathani: is there a way to install Archlinux without having to manually create partitions and install a bootloader and get into internal details of the system? mercutio: mnathani: that's actually pretty easy
i mean to install
i mean manually creating a partition or two isn't very complicated.
it's slightly more complicated with uefi
it was much easier than ubuntu for raid setup for me
if you have a reasonable knowledge of linux i wouldn't say it's any more time consuming than ubuntu install
(which has questions.. then does stuff... then questions etc) mnathani: ubuntu install is pretty straightforward mercutio: so is arch mnathani: dont have to manually setup a bootloader mercutio: just follow the install guide brycec: Gentoo was the same way... though I think there are a couple of derivatives that have sprung up since I last used it that made the install process "user-friendly" mnathani: from the last time I tried mercutio: https://wiki.archlinux.org/index.php/Installation_guide
if things like "grub-mkconfig -o /boot/grub.cfg" are easy for you it's easy.
the network configuration is the hardest part imo brycec: Has Arch settled on a singular way to configure networking yet? mercutio: nope brycec: Well sorta hard to wrap a simple installer around that :p mercutio: grub etc is the same amongst all the linux
network config in general is different between them
like centos, arch, openbsd, ubuntu/debian are totally different
also arch doesn't have ifconfig by default
so you need net-tools package if you want ifconfig mnathani: do you guys know how to use iptables to do load balancing and other advanced networking? mercutio: i wouldn't use iptables for load balancing
i know how to do redirect :/
if you mean load balancing for web servers or something, then i'd go for layer 7 load balancing
if you mean for adsl connections or the like there are huge caveats like having different ip addresses normally mnathani: yea, web server load balancing mercutio: yeah go layer 7
use linux virtual server or the like
i just use relayd fwiw
but that's bsd mnathani: what software do you use for the transparent proxy? mercutio: trafficserver
i used to use squid
but i have relayd going to trafficserver
in layer 7 mode
and passing through the original ip
layer 7 makes things a lot simpler
the only caveat is you don't get the users original ip address.
but you can get it to just add it
if you have more than one "entry point" it just makes sense a lot easier with layer 7
you don't have to share state etc
but it does still mean that things can get screwy if it changes entry point
but yeah i'm sure you can find lots of information about linux virtual server if you want to go down that path
it supports fancy modes like being able to act only on the forward path and return bypassing the load balancer, but i wouldn't recommend for complexity reasons
but they're definitely aiming for high performance, and to be able to have a lot of ways of doing things
http://www.linuxvirtualserver.org/VS-DRouting.html
ahh this is what i was thinking of
like that's the highest performance way, but complexity raises
http://www.linuxvirtualserver.org/software/ktcpvs/ktcpvs.html
looks like this is one layer 7 way
hmm last released 2004
relayd is a lot simpler :)
haproxy looks like another alternative brycec: You're not supposed to want deprecated programs. That's like choosing to run ssh1 :p (replying to: "so you need net-tools package if you want ifconfig") mercutio: brycec: heh
brycec: a lot of people still expect it
just like lots of people still use bash :/
even though zsh is out and way better brycec: (or ksh...) mercutio: btw, you know fdisk is deprecated? brycec: (though I personally use zsh) mercutio: fdisk is still used a lot too brycec: Not as much as disklabel where I work :P mercutio: heh
i hate dladm
why does everything have to be different
when ubuntu etc maintain php 5.3, how well do they maintain it?
considering it's eol upstream m0unds: seems they do ok with it, but i never ran super intensive php tasks, just webapps mercutio: it's only been eol for 8 months m0unds: oh, missed the 5.3 part mercutio: i'm a bit uncomfortable with long term support type things by vendors over large amounts of packages m0unds: completely unrelated, we've been feeding our cats w/food made by some company in new zealand mercutio: heh. m0unds: kangaroo and brushtail, haha mercutio: we don't have kangaroos here. m0unds: company is in NZ
so apparently, they import them mercutio: haha
i wonder if they sell it locally m0unds: dunno mercutio: Addiction Foods is the only worldwide pet food manufacturer to use the NZ Brushtail / Possum and Australian kangaroo m0unds: yea, that's one mercutio: i can't say i've heard of it :)
oh the idea if they're pests :/
i didn't know kangaroos were pests. m0unds: we've fed our cats addiction stuff and mauri is the other mercutio: i wonder what it tastes like m0unds: dunno, doesn't smell horrible though mercutio: http://www.quora.com/What-does-kangaroo-meat-taste-like m0unds: in pet food
haha mercutio: yeh i've never eaten it m0unds: cats like it though mercutio: i hate the smell of catfood normally m0unds: yep, me too. i don't really like the smell of meat in general (not a meat eater) but this stuff isn't awful
smell-wise mercutio: cool.
do you get nz meat there? m0unds: don't think so, but i haven't bought meat in years
never remembered seeing it mercutio: i remember reading somewhere that some places sell lots of tongues, brains, etc.
we don't really sell that stuff much here. m0unds: they sell tongue here, it's used in some mexican cuisine mercutio: i've never had tongue BryceBot: That's what she said!! m0unds: tripe too, and intestine
used in a thing called menudo
http://en.wikipedia.org/wiki/Menudo_(soup) BryceBot: Menudo (soup) :: Menudo is a traditional Mexican soup (also known as pancita) made with beef stomach (tripe) in broth with a red chili pepper base. Usually, lime, chopped onions, and chopped cilantro are added, as well as crushed oregano and crushed red chili peppers. Menudo is usually eaten with tortillas or other breads, such as bolillo. It is often chilled and reheated, which results in a more concentrated flavor. The popularity of... mercutio: i've had tortillas :/ BryceBot: That's what she said!! mercutio: but yeah i've never heard of that m0unds: BryceBot: no BryceBot: Oh, okay... I'm sorry. 'i've had tortillas :/' m0unds: wtf, lol mercutio: i think the only mexican places i've been to aren't that authentic. BryceBot: That's what she said!! m0unds: BryceBot: no BryceBot: Oh, okay... I'm sorry. 'i think the only mexican places i've been to aren't that authentic.' mercutio: i heard that indian food is totally different to what people in india eat. m0unds: yeah, it's odd to find absolutely authentic anything outside of the place where you find it normally
s/odd/hard BryceBot: <m0unds> yeah, it's hard to find absolutely authentic anything outside of the place where you find it normally ***: NiTeMaRe is now known as NiTe mercutio: yeah
indian is my favourite ethnic food. m0unds: yea, one of mine for sure
i like indian and thai a lot mercutio: and it's become really popular here.
i like thai too, but there's no good thai places i can find around here
and heaps of good indian.
it's really weird. m0unds: http://www.chaishoppe.com/ i like this place mercutio: this reminds me of hare krishna's :)
looks interesting
but expensive looking too :) m0unds: yeah, a bit mercutio: by presentation rather than price :) m0unds: gotcha mercutio: it's hard to tell portion size . m0unds: american portions are stupid usually, haha ***: NiTe is now known as NiTeMare
NiTeMare is now known as NiTeMaRe
NiTe has joined #arpnetworks
gizmoguy has quit IRC (Ping timeout: 272 seconds)
himuraken has quit IRC (Quit: No Ping reply in 180 seconds.)
himuraken has joined #arpnetworks
poulsen has joined #arpnetworks
poulsen has quit IRC (Read error: Connection reset by peer)
poulsen has joined #arpnetworks