Thursday, 2025-12-11

05:21 <mnasiadka> I think somebody took the approach of small patches easy to review too much to heart :)
08:01 *** ykarel__ is now known as ykarel
08:32 <frickler> I really like this stack, even if it puts zuul to a test. also the good news is that the kolla CI seems to be very stable, seems there was only a single unrelated failure
15:48 <clarkb> ya I think it's fine to exercise zuul. That said I think linter updates like that are often better done in one go; that way you don't have half the codebase in one state and another half in another while slowly backsliding against the rule you're trying to fix
15:50 <clarkb> it did seem to confuse my firefox browser and now it keeps thinking zuul wants to open pop ups
15:51 <clarkb> looks like it is trying to open change links. I wonder if I managed to accidentally click on a bunch when the browser was chugging away at processing the page or something
15:54 <clarkb> corvus: after some breakfast I'm going to create the statusbot account finally. I notice in the statusbot code update for matrix support your example has password=PASSWORD. I think matrix will give us both an account password and a token? Are they interchangeable here or is the password specifically what we need?
15:58 <corvus> clarkb: i think it wants the password (which it uses to get tokens)... possible we could add token support at some point? only 80% confidence in this answer.
15:58 <clarkb> got it thanks
16:19 <clarkb> `Failed to add user - MAS GraphQL operation AddEmail failed. Expected status ADDED, got DENIED`
16:19 <clarkb> however, the user account shows up in the user list
16:19 <clarkb> if I pull it up the email address is blank like the other accounts. Weird
16:21 <clarkb> I was then able to reset the password to a value I know. So I think I'm just going to roll with it
16:33 <clarkb> I stored the account info in the typical location and then updated private ansible vars so https://review.opendev.org/c/opendev/system-config/+/969328 and parent should also be good to go now
16:34 <clarkb> as for the email address add operation failure my best guess is that they are mistaken that plus addressing is supported or that using a plus address shared with the top level management account's email address doesn't count as unique enough
16:44 <clarkb> fungi: are there rename prep changes yet? I'm trying to remember the process. It's basically: have a change with the data structure to input to the rename playbook and also general record keeping info. Then we put services in the emergency file, run the playbook with that input, then we land the change to reflect that in project-config gerrit/projects.yaml, then we clean up the emergency
16:44 <clarkb> file (possibly before landing the prior change to check it noops) and we land our record keeping change?
16:45 <fungi> https://review.opendev.org/970307
16:48 <clarkb> thanks that change lgtm when compared against its depends-on
16:50 <clarkb> it is probably worth a quick read through of the rename playbook just to ensure none of the tasks have bitrotted away (our testing of it only covers its execution against gerrit)
16:50 <clarkb> for example I think we rename the zuul secrets. I assume that command still works
16:52 <fungi> https://etherpad.opendev.org/p/opendev-project-renames-20240422 looks like the last time we did it?
16:53 <clarkb> Pretty sure we didn't do any in 2025 so that seems likely
17:20 <clarkb> fyi more docs.openstack.org woes though I've asked for florian to confirm it is since we bumped up server limits https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/SRGBA7QFQEEAKQMSOTP35AYJDXZ2GZA4/
17:20 <clarkb> we're currently at about 70% of capacity
17:33 <fungi> i still like the honeypot idea. create a tripwire url that we don't link from other documents, add a disallow rule for it in our robots.txt, then inject short-term block rules for any ip address that requests it
17:34 <fungi> curious if anyone's seen a solution like that employed in the wild yet
17:35 <clarkb> fungi: yes there is a tool to do it too but the author indicates they think it may have legal implications for some reason
17:35 <clarkb> I do think that is likely to be more effective than anubis though
17:35 <clarkb> but you may need to sprinkle honeypot changes over time
17:35 <fungi> if you're talking about the one i'm thinking of, that directs the abuser to a malicious stream of tarpitted nonsense output rather than just blocking their ip address
17:36 <fungi> so i can understand why it may be of dubious legality
17:36 <clarkb> oh ya that is the one and ya maybe that is the difference that is problematic
17:42 <clarkb> fungi: what would that look like with our current apache2 based system on static.o.o with afs backed content? Put a specific file rule in each vhost for something like info-uuid4.html and then how do you track who requests that to block them?
17:42 <clarkb> would we need to write a small wsgi server or something like that to track the requests and filter them? I assume apache has some sort of mechanism for doing this
17:43 <clarkb> essentially we need some way of maintaining a database of requests to the honeypot and a way for apache2 to check that database before deciding if requests can proceed to other data
17:43 <fungi> yeah, i was hoping there might already be some sort of existing application that does it, otherwise it would require some development
17:44 <fungi> though fail2ban could probably be tuned to do it
17:44 <fungi> just watch the access log, then insert nft rules
17:45 <fungi> it wouldn't work as well behind haproxy though, so e.g. gitea couldn't take advantage of it
17:45 <clarkb> we could run it on the haproxy frontend though
17:45 <clarkb> the other issue with that approach is all the nat users we have
17:45 <clarkb> ideally we'd be filtering by more than just ip address
17:45 <clarkb> but maybe we're to the point where that is what we can do so we do it
17:46 <fungi> well, problem with running on gitea-lb is that we don't terminate ssl/tls there
17:46 <fungi> so that machine doesn't know what urls clients are hitting
17:47 <fungi> and yes, an abuser running some bot behind a nat that also has legitimate users can lead to blocking them as collateral damage, but most other services out there on the internet seem to accept that risk already
17:49 <fungi> if some shady bot running behind red hat's corporate nat crawls content we've explicitly disallowed in robots.txt, then that'll provide some pretty quick feedback to folks there, for example
17:50 <clarkb> ya I'm more worried about NAT happening at the isp level
17:52 <clarkb> https://www.haproxy.com/blog/use-haproxy-response-policies-to-stop-threats haproxy could do it for us
17:52 <clarkb> I think you'd use stick table entries to record who is requesting the honeypot then deny all requests for entries in that table
17:52 <clarkb> (but I'm not sure if you can add entries there based on request path)
17:54 <fungi> but yeah, we'd have to switch to terminating https in haproxy
17:55 <fungi> which might be a little more reasonable these days, since we started blocking direct requests to the backend servers anyway
17:57 <clarkb> mod_security is another option it looks like but I can't find configuration docs on what it supports doing
17:59 <clarkb> yes looks like mod security supports tables that we can then modify based on conditions
18:00 <clarkb> so that is probably the easiest solution with our existing apache vhost setup if someone is able to figure out the syntax to do so
18:03 <clarkb> https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29-Configuration-Directives#secaction initcol is the persistent collection/table action
18:04 <clarkb> then you have a SecRule that adds entries to the collection/table if the request url is the honeypot path. Then you have another SecRule that blocks requests if the ip/requestor is in that collection/table
18:05 <clarkb> and then you can set things up to expire out of the table after some time period
18:11 <fungi> yeah, i've used it before, but it's been well over a decade
18:11 <fungi> gonna go grab some lunch, bbiab
18:44 <opendevreview> Clark Boylan proposed opendev/system-config master: Add modsecurity waf rules to docs.openstack.org  https://review.opendev.org/c/opendev/system-config/+/970674
18:44 <clarkb> I don't expect that to work on a first pass
18:44 <clarkb> but I think the general shape is there if others want to weigh in on the approach
19:14 <opendevreview> Clark Boylan proposed opendev/system-config master: Add modsecurity waf rules to docs.openstack.org  https://review.opendev.org/c/opendev/system-config/+/970674
20:01 <opendevreview> Clark Boylan proposed opendev/system-config master: Add modsecurity waf rules to docs.openstack.org  https://review.opendev.org/c/opendev/system-config/+/970674
20:50 <opendevreview> Clark Boylan proposed opendev/system-config master: Add modsecurity waf rules to docs.openstack.org  https://review.opendev.org/c/opendev/system-config/+/970674
20:51 <clarkb> the config loads now but testing shows it doesn't work as expected. That last patchset is more a hunch than anything else after noticing the reference manual using lower case references for the collection when initing it and modifying its attributes
20:51 <clarkb> if that doesn't fix it the next step is to update the rules with log entries so that the apache error log contains info on what is happening
21:26 <opendevreview> Clark Boylan proposed opendev/system-config master: Add modsecurity waf rules to docs.openstack.org  https://review.opendev.org/c/opendev/system-config/+/970674
21:26 <clarkb> apparently the rule needs to be =+1 not +=1
21:26 <clarkb> I'm somewhat surprised it parsed ok previously though so maybe this isn't it
21:26 <clarkb> I'm going to pop out for a bike ride now. Feel free to update ^ if anyone else is interested in making that work
23:34 <mnaser> lol, looks like opendev isn't the only one struggling with scrapers.. even at the bigger scales - https://www.githubstatus.com/incidents/40730vhmg6y8
23:42 <fungi> lovely

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!