i hope that doesn't mean apnic in general :) mercutio: As long as you're not on http://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone, we're good :) nah i'm not heh. ipdeny.com is reasonably well respected. And I compared lists from a couple of sources and they matched. yeah as long as it's not blanket block it's fine i suppose that's less common now but you see how many 202. address ranges there are? and i'm on an ip address beginning with 202 I just got sick and tired of individual IPs triggering my filters here and there only to be followed by another IP in the same block. So then I started manually blocking the whole IP's subnet, but that's time-consuming for me to look up. So I just fed that into pf and life should be great. i seem to get hacking attempts from leaseweb myself and spam from gmail It's mostly ssh brute-force attempts. go figure (for me) ahh yeh they may come from china lots of the hacking type stuff seems to come from the US, Germany, etc. etc. Spam is taken care of in other ways for me, and doesn't usually go so far as to trigger a pf block. probably because someone is using an interactive shell whereas the ssh bruteforce is just a worm but ssh... I get brute-force attempts every few minutes when it's "quiet" someone's probably got numbers somewhere. (It doesn't help that I run a shell provider, so running on 22/tcp is sorta "required") yeah that's been around for years you run a shell provider? Not on ARP, mind you. But yes, I (along with some friends) run http://devio.us i thought that'd be nifty once upon a time. oh i think i have a shell on there lol or had it still looks like it works I don't necessarily suggest starting one up. But I signed up once upon a time, and then ended up befriending the right people and ended up an admin, volunteering my time. 
Last login: Fri Feb 18 22:03:45 2011 from meh-2-pt.tunnel.tserv15.lax1.ipv6.he.net haha so not only was it 4 years ago but it was on he.net ipv6 tunnel oh you're even on the same host as me There's just the one host :p h oh oh i see you're using arp ipv6 write+tmux does not work well i'm such a geek that i notice the ip address block :) It's very noticeable ok i can notice the ipv4 too why is reverse lookup not working on ipv4 for the arp address? Because those are connections on a separate sshd that has NoDNS enabled ahh (Admins have our own sshd) that's the new default btw Yep, so I hear. I kind of want to block North Korea just for the heck of it... Whole country under a single /22 block. is that orlando? it feels laggy oh i can test my script The host is located just outside Orlando, FL, yes yip as i suspected a little variable actually not that bad but it's higher than the ping is it going to get upgraded to openbsd 5.6? Probably not any time soon. Too many big things break between 5.4 and 5.5 and we just don't have the time to deal with that. debian, openbsd, ubuntu are all coming out with new versions at once. (uninstall/reinstall all packages, php changes versions and package names, etc) php is the big one this is really old server isn't it I mean, it's definitely not impossible to upgrade. But it's risky enough as it is (we have no remote console/kvm, all upgrades are 100% headless in the running/old kernel) like dual dual core pentium4 hw.model=Intel(R) Xeon(TM) CPU 2.80GHz ("GenuineIntel" 686-class) quad-core you sure? I'm just relaying what sysctl hw shows :p hw.product=X5DPA-TGM+ as opposed to dual dual cores Ah on that front, I have no idea just going by hw.ncpu ddr1 :) just "ddr" :p yeah (it was never called "ddr1") it'll be slower than xeon 5060 probably it is like sata1 is sata 1 :/ i wonder if people will start saying http1 to mean http/1.0 or /1.1 there was a 0.9.. 
1.0 is much simpler so sometimes it's used on purpose True (looking at dmesg suggests that yes it is 2x dual-core Xeons) it's amazing how much faster openbsd feels on old hardware compared to linux arch linux is better than most distributions. but even that computer if lightly loaded would seem like a "fast" server probably. dns resolution doesn't work in mtr? Not on OpenBSD weird it works on my openbsd box http://comments.gmane.org/gmane.os.openbsd.ports/64403 You're not running 5.4 are you? oh just broken in 5.4 nah i'm current 5.7-current apparently And possibly earlier But it was fixed after 5.4 cool project though hmm there's packet loss on mtr from arp to devio.us on ipv6 Oh? My mtr has been running for 14,600 packets and dropped just 62. maybe just my luck (and none of those in the last 10 seconds) mine was 1600 with 2 dropped but it shows as 0.1% and the best to average is kind of high even for first hop i don't think ipv6 has deprioritisation yeah throughput is shot too hmm it's on/off curl -6O https://weallsee.net/10m 130 packets, no loss anywhere the current one is stalled it seems to be every 2nd connection is slow but maybe just luck I've run it twice in a row now, never stuck. there's two IPs 2400:cb00:2048:1::681c:67e... i think that's the slow one i don't know how to make curl pick one address my usual trick of -x doesn't work with cloudflare yeah it's not based on ip anyway it looks like and now it's going fine it was < 10k/sec before now it's over 600k/sec what the hell level3... what's level3 doing? hi, do you guys get a certificate error when you go to https://portal.arpnetworks.com ? i don't. it's not even yellow in chrome like some web sites have been recently what date does your computer say it is? okay thanks mercutio. think it must be me then. the date on my computer is current. my cellphone browser gives me a certificate error as well. 
because the certificate is only valid from one month ago, so if your date is off by a month it could be reason? maybe it's a problem with my cache. that's strange. cert info isn't usually cached afaik it's a rapidssl cert. they're pretty common. my friend had cert issues with a few sites recently, and he found that os x had somehow got some weird verisign certificate installed. which was in a chain which made like no sense to me, but apparently you can click and it can replace certs. but when it's happening on two devices that kind of thing seems unlikely. i dunno if it's chained temporary4242: i get an error, too running ssltest now looks like an intermediate cert is missing yup https://www.ssllabs.com/ssltest/analyze.html?d=portal.arpnetworks.com&hideResults=on yes. i think so too. up_the_irons: portal.arpnetworks.com is missing the intermediate cert: https://www.ssllabs.com/ssltest/analyze.html?d=portal.arpnetworks.com&hideResults=on up_the_irons: Also, what gives with the lack of TLSv1.2? or v1.1 for that matter And all these old, insecure cipher suites that are supported still... My ssl test gives a pretty simple error: "Provided certificate issuer does not match issuer in certificate. Sent chain order wrong." I got a PCI compliance alert... had to disable all SSL versions so it's only TLS here out Many PCI scans flag TLS1.0 usage too We had to add a checkbox to our firewall product to allow customers to disable TLSv1.0 in order to pass their PCI scans (at the expense of breaking slightly-old browsers) shouldn't the intermediate cert be pulled in automatically? is the reason it's working for me because i've visited non portal sites first? mercutio: Welcome to certificate chains! It is also downloaded, but a proper chain means that the client has the root cert and your server provides the rest of the links in the chain including its own cert (of course). Otherwise, the intermediate certs could be MITM'd. It's a soft-error, generally. 
And certificates are not [supposed to be] cached, so no that wouldn't explain it. hmm why's chrome accepting it for me? is it because the intermediate is stored locally or something? Could be. (Why Chrome does anything wrt SSL is often a mystery :p) weird it says geotrust on firefox, and rapidssl on chrome but both look normal to me ssllabs shows two paths, one with GeoTrust being the CA in the trust store. (aka cacert.pem) and the other path shows the GeoTrust CA (with a different fingerprint) as being sent from ARP, and rooted with Equifax it's definitely a bit screwy ;p RapidSSL is still the intermediate either way ok I'd assume that Chrome opts to show the intermedia as that's most likely the reseller used yeah i must admit i'm not that clued up on ssl *intermediate i still don't see how a certificate being signed by any of a number of signers really does anything you just trust some random company and they don't make sure you're who you say you are? Exactly. SSL is effectively broken. Well they're supposed to, to varying degrees freak attack sounds like a real issue because you can decrypt For instance websites with "the big green bar" (eg. github.com) have an "extended validation" cert, where they pay gobs of money and go through extensive background checks. but as far as validating domains shouldn't there just be a key in dns or something? lots of sites are yellow for me in chrome recently The most basic certificates are issued with just domain-ownership verification (eg. startssl's free certs) wherein they verify that you receive an email sent to one of the addresses on the domain registration. yeah that sounds dodgy so you could register gmail.com by having an email address @ gmail.com? But there's nothing really stopping a rogue CA from just blindly giving out certificates, which has happened... and then that CA's cert is revoked. But if your client machines don't get the memo (eg. Windows Update) then they're still susceptible. 
oh one of the ones on whois mercutio: has to be in the domain's registration, eg whois i'm surprised i don't get more spam with my normal email address being in my whois for my domain names :) So I have proven to a company that I own (who really owns domains??) brycec.ninja so they will give me certificates that say they've verified that much. I'm surprised too. well it's only nz ones i think they're blocked from international actually Nope, not blocked. hmm (which you could test from your devio.us shell too :P) heh devio.us has level3 back to arp you know how i was searching for level3 test sites? :) lol hmm i could smokeping it? it was showing loss before starting at a hop that said cogent xe or something You could smokeping at it. I'm already running a smokeping slave on it. (we don't have a great connection, mind you.) but seemed to be the entry point to their provider and so it was using their forward path which is level3 well yeh the provider has cogent :/ I meant internally. For the longest time, our link to the switch was 10baseT/half-duplex :P oh ouch what is it now? (And then one day it magically fixed itself, 100/FD, yay) heh https://smokeping.cobryce.com/?target=Slaves.wolfman when it works... Often the log-rotate ends up killing smokeping entirely and I just don't notice. yeah 10 megabit kind of sucks nowadays even if it's full duplex but for a shell it really shouldn't matter most of the time half-duplex limited us to about 250kB/s effectively :( it's still slow network wise it seemed which meant offsite backups were horrible Yep but i wonder if that's partially to do with old cpus and the system cpu usage being high :/ loadav 1.68 and all 4 cores about 90% idle? I don't consider that high. 
being that vintage it's likely to be scsi disks though so it's not so easy to upgrade cpu SATA in BIOS IDE mode actually weird i saw high cpu usage on top when i checked and commands seemed to pause part way through oh woah it's way faster than it was last time ^ that just sounds like network "pause" not execution pause. nah multiple little times like top and w and so on were slow so was logging in and there was a delay before showing shell etc well sure, both dump a ton of text to the screen it's /way/ faster now I get about 60ms from ARP to devio.us, worst was 244ms according to mtr i have my cl command on there :) it's about 6 msec higher than ping for ssh latency but it's reasonably stable so i don't think it's network cur: 213.824msec, min: 213.562msec, max: 217.260msec, avg: 214.050msec it was slightly quicker bouncing via arp but more spikes 2 minutes of mtr - 60.0 +- .2ms from my ARP VPS to devio.us, ipv4 240 60.2ms +- 1.66 300: 60.1 +- 1.4ms (And https://smokeping.cobryce.com/?target=Slaves.wolfman is repoting once again) *reporting i probably logged in when it was doing backup or something and i dunno why i thought about moving drives. you can just copy something onto new drives (nope, no system backups. Next backup runs in 1h15) oh weird (570: 60.0 +- 1.1ms) That's not to say a user wasn't copying files or the like... i often seem to be around US 1 am etc :) Well it's 10.46-13.46 in the mainland US now :p yeah, weird time for a backup i shouldn't be up i went to bed but got up again heh lol You do seem to always be on IRC :p yeah i've been bad recently twss Okay! twss! 
'yeah i've been bad recently' servers aren't as cheap on ebay as i thought they were http://www.ebay.com/itm/HP-ProLiant-DL360-G6-Server-w-Quad-Core-2-67GHz-Intel-Xeon-X5550-2GB-RAM-/251918227028?pt=LH_DefaultDomain_0&hash=item3aa77f1654 $200 for dl360 g6 with shit all ram most are more than that though brycec: Thanks for that Amazon suggestion http://www.amazon.com/WeMo-Electronics-Anywhere-Automation-Smartphones/dp/B00BB2MMNE WeMo switch. I set it up and it works great Amazon: "Belkin WeMo Switch, Control Your Electronics From Anywhere with the Home Automation App for Smartphones and Tablets, Wi-Fi Enabled" Super, glad to hear that, mnathani ant: hmm weird ant: brycec : OK cert chain order should be fixed Confirmed, cert order is correct. Still can't imagine why you wouldn't enable TLSv1.1 and 1.2. But that's a "fight" for another day I suppose :p Server: Apache/2.2.14 (Ubuntu) mod_fastcgi/2.4.6 Phusion_Passenger/3.0.11 PHP/5.3.2-1ubuntu4.27 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k mod_wsgi/2.8 Python/2.6.5 wow, that's an ancient server to have OpenSSL/0.9.8k and Python/2.6.5 pre exploit is it lucid? lucid, yeah precise is still php 5.3 is there a way to install Archlinux without having to manually create partitions and install a bootloader and get into internal details of the system? mnathani: that's actually pretty easy i mean to install i mean manually creating a partition or two isn't very complicated. it's slightly more complicated with uefi it was much easier than ubuntu for raid setup for me if you have a reasonable knowledge of linux i wouldn't say it's any more time consuming than ubuntu install (which has questions.. then does stuff... then questions etc) ubuntu install is pretty straightforward so is arch don't have to manually setup a bootloader just follow the install guide Gentoo was the same way... 
though I think there are a couple of derivatives that have sprung up since I last used it that made the install process "user-friendly" from the last time I tried https://wiki.archlinux.org/index.php/Installation_guide if things like "grub-mkconfig -o /boot/grub.cfg" are easy for you it's easy. the network configuration is the hardest part imo Has Arch settled on a singular way to configure networking yet? nope Well sorta hard to wrap a simple installer around that :p grub etc is the same amongst all the linux network config in general is different between them like centos, arch, openbsd, ubuntu/debian are totally different also arch doesn't have ifconfig by default so you need net-tools package if you want ifconfig do you guys know how to use iptables to do load balancing and other advanced networking? i wouldn't use iptables for load balancing i know how to do redirect :/ if you mean load balancing for web servers or something, then i'd go for layer 7 load balancing if you mean for adsl connections or the like there are huge caveats like having different ip addresses normally yea, web server load balancing yeah go layer 7 use linux virtual server or the like i just use relayd fwiw but that's bsd what software do you use for the transparent proxy? trafficserver i used to use squid but i have relayd going to trafficserver in layer 7 mode and passing through the original ip layer 7 makes things a lot simpler the only caveat is you don't get the users original ip address. 
but you can get it to just add it if you have more than one "entry point" it just makes sense a lot easier with layer 7 you don't have to share state etc but it does still mean that things can get screwy if it changes entry point but yeah i'm sure you can find lots of information about linux virtual server if you want to go down that path it supports fancy modes like being able to act only on the forward path and return bypassing the load balancer, but i wouldn't recommend for complexity reasons but they're definitely aiming for high performance, and to be able to have a lot of ways of doing things http://www.linuxvirtualserver.org/VS-DRouting.html ahh this is what i was thinking of like that's the highest performance way, but complexity raises http://www.linuxvirtualserver.org/software/ktcpvs/ktcpvs.html looks like this is one layer 7 way hmm last released 2004 relayd is a lot simpler :) haproxy looks like another alternative You're not supposed to want deprecated programs. That's like choosing to run ssh1 :p 18:38:34 ⤷ | so you need net-tools package if you want ifconfig brycec: heh brycec: a lot of people still expect it just like lots of people still use bash :/ even though zsh is out and way better (or ksh...) btw, you know fdisk is deprecated? (though I personally use zsh) fdisk is still used a lot too Not as much as disklabel where I work :P heh i hate dladm why does everything have to be different when ubuntu etc maintain php 5.3, how well do they maintain it? considering it's eol upstream seems they do ok with it, but i never ran super intensive php tasks, just webapps it's only been eol for 8 months oh, missed the 5.3 part i'm a bit uncomfortable with long term support type things by vendors over large amounts of packages completely unrelated, we've been feeding our cats w/food made by some company in new zealand heh. kangaroo and brushtail, haha we don't have kangaroos here. 
company is in NZ so apparently, they import them haha i wonder if they sell it locally dunno Addiction Foods is the only worldwide pet food manufacturer to use the NZ Brushtail / Possum and Australian kangaroo yea, that's one i can't say i've heard of it :) oh the idea if they're pests :/ i didn't know kangaroos were pests. we've fed our cats addiction stuff and mauri is the other i wonder what it tastes like dunno, doesn't smell horrible though http://www.quora.com/What-does-kangaroo-meat-taste-like in pet food haha yeh i've never eaten it cats like it though i hate the smell of catfood normally yep, me too. i don't really like the smell of meat in general (not a meat eater) but this stuff isn't awful smell-wise cool. do you get nz meat there? don't think so, but i haven't bought meat in years never remembered seeing it i remember reading somewhere that some places sell lots of tongues, brains, etc. we don't really sell that stuff much here. they sell tongue here, it's used in some mexican cuisine i've never had tongue That's what she said!! tripe too, and intestine used in a thing called menudo http://en.wikipedia.org/wiki/Menudo_(soup) Menudo (soup) :: Menudo is a traditional Mexican soup (also known as pancita) made with beef stomach (tripe) in broth with a red chili pepper base. Usually, lime, chopped onions, and chopped cilantro are added, as well as crushed oregano and crushed red chili peppers. Menudo is usually eaten with tortillas or other breads, such as bolillo. It is often chilled and reheated, which results in a more concentrated flavor. The popularity of... i've had tortillas :/ That's what she said!! but yeah i've never heard of that BryceBot: no Oh, okay... I'm sorry. 'i've had tortillas :/' wtf, lol i think the only mexican places i've been to aren't that authentic. That's what she said!! BryceBot: no Oh, okay... I'm sorry. 'i think the only mexican places i've been to aren't that authentic.' 
i heard that indian food is totally different to what people in india eat. yeah, it's odd to find absolutely authentic anything outside of the place where you find it normally s/odd/hard yeah, it's hard to find absolutely authentic anything outside of the place where you find it normally yeah indian is my favourite ethnic food. yea, one of mine for sure i like indian and thai a lot and it's become really popular here. i like thai too, but there's no good thai places i can find around here and heaps of good indian. it's really weird. http://www.chaishoppe.com/ i like this place this reminds me of hare krishna's :) looks interesting but expensive looking too :) yeah, a bit by presentation rather than price :) gotcha it's hard to tell portion size. american portions are stupid usually, haha