My personal preference is to 'ip route add blackhole ${net}' as it has the lowest CPU overhead and I can add hundreds of thousands of CIDR blocks with no noticeable impact. The only downside is that it won't stop UDP packets from getting to a UDP listener. There will not be a response but the application will still see it. For my TCP daemons it's great.
Those 426951 blackhole routes include data-centers, VPS providers, botnets, AI datacenters that ignore robots.txt, search engines, abused CDN's, known bad residential nodes and much more. I still see a few residential proxy bots that do a halfway decent job of pretending to be real people at times but the feds are playing whack-a-mole with them. The bots self report to my silly blog so I can block them elsewhere on systems I might care a little bit about. Happy to share them if anyone is remotely interested.
I also use a couple generalized rules in nftables raw table that keeps a lot of beyond poorly written bots away including hping3 tcp floods and masscan. My rules to port 443 are stateless. One must not taunt the state table.
The only IP's that come and go are the Tor 30 day blocklist though I will sometimes leave the last entries live until reboot. I do not really need to block tor but I use this silly blog as a testing ground. Tor and some known abusers come from a git repo I refresh periodically.
The data-centers, VPS providers, CDNs, known botnets are perma-banned. For my hobby nodes I personally find this acceptable. I would not do this in a professionally managed data-center. There are better methods for those cases especially for B2B corporate arrangements. Regardless of what daemons I run I never have external dependencies that need to be accessed from my node or from the client with exception of stratum-1 time servers.
I do have to periodically update the CIDR blocks for given ASN's. I have not automated this but I probably should some day. It's not hard to automate, I am just excessively "efficient". I was told to stop calling myself lazy, but I am.
Methods 2, 3 and 5 are the ones I talk about here. [1]
That's interesting. I haven't used fail2ban for a long time, but reaction is worth evaluating. Unfortunately, that post does not describe their full configuration. Maybe it's on purpose, so that attackers can't adjust to fit.
My experience is that modern web scraping had no obvious pattern, since it is proxied through many IPs. The last time a server was failing to handle the pressure, we decided to temporarily ban IPs from some Asian regions. How does the FSF decide to ban an IP?
Why do they use iptables + ipset instead of nftables? Is there a technical reason or is it just legacy? AFAIK, Nftables is more performant, and IMO simpler. And it has native sets, see https://wiki.nftables.org/wiki-nftables/index.php/Sets
> This software is gay, trans and anticolonialist. If you're uncomfortable with that, please don't use it
Weird message to include in AGPLv3 licensed software (which explicitly allows people to use software however they like, regardless of their beliefs or feelings).
You can, but if the exact quote in the GP is correct the claim is claiming the software is "gay, trans and anti-colonialist" and asks you not to use it. Why use a license that is designed to be politically neutral and then ask some people not to use it?
What I can see is a fairly clear indication that they do not want contributions from people whose politics differ from theirs. I would also question whether government funding of a project with political policies about who can participate is appropriate. The political stance is also rooted in a particular culture so is unwelcoming to people from other cultures.
Of course people can political views and preferences, but they presumably have some aim in mind when making that statement in the README. What is that aim?
> What I can see is a fairly clear indication that they do not want contributions from people whose politics differ from theirs
This is the same FSF that in the past has refused contributions from people whose politics include "I would like this software to run on my windows/apple/other proprietary platform". They're extremely political.
When did this occur? I am a GNU maintainer, and have never heard such a thing from the FSF. The GNU Coding Standards and other similar texts leave the decision to support non-free platforms up to the maintainer.
The aim is to reduce the number of users of the software who are uncomfortable with those who are gay, trans, and/or anticolonial, probably because dealing with such people is a heavier burden than the other kind.
How would a you even know whether a user was uncomfortable with any of those things? Why would someone with a particular political stance be a heavier burden on maintainers? How would you even know how someone felt - if someone reports a bug it is highly unlikely they are going to add something like "I am uncomfortable with gays" are they? Nor is it going to be in the comments in contributed code. It sounds more like that the maintainers are uncomfortable with people who are not like themselves.
It's somewhat interesting to see the FSF's approach to this. From what I understand they can't really use something like anubis since they want their websites to be accessible without javascript:
Users can't consent to running a page's javascript the way they can consent to running a program they've intentionally downloaded, so it's effectively "non-free" regardless of license.
The meta refresh challenge actually uses time as the proof! It makes sure you wait for at least 75% of the time the administrator configured and adds client side smear to ensure that browser temporal randomization doesn't trigger a false failure.
> We placed our regular expressions in fail2ban, and found that we were hitting the maximum rules that could be added to UFW firewall rules on our systems which showed degradation around 65,000 rules
Firewalld had a similar issue up until recently as well.
I get they're DDoS; but take the mask off, and arn't they just the AI monied interests that fund the FSF? and a lot of them are just active inference, eg, the user is trying to ask about something and the AI monied interests setup a web scraper to go and get that data.
Just seems like no one wants to call out the hand that feeds them in a human centipede that's best described as the torment nexus.
Anything which fills my logs with garbage is unwanted. Your cat could have fallen asleep on the keyboard, I don't care. If you want to use the internet as a giant petri dish, that's on you; but the cat box is elsewhere. I can freed you garbage or block you because your code is shit, or I don't like your style.
I also use a couple generalized rules in nftables raw table that keeps a lot of beyond poorly written bots away including hping3 tcp floods and masscan. My rules to port 443 are stateless. One must not taunt the state table.
I'm most concerned about blocking innocent users, currently I use Cloudflare to block known bad ASNs using a list I found on GitHub.
The only IP's that come and go are the Tor 30 day blocklist though I will sometimes leave the last entries live until reboot. I do not really need to block tor but I use this silly blog as a testing ground. Tor and some known abusers come from a git repo I refresh periodically.
The data-centers, VPS providers, CDNs, known botnets are perma-banned. For my hobby nodes I personally find this acceptable. I would not do this in a professionally managed data-center. There are better methods for those cases especially for B2B corporate arrangements. Regardless of what daemons I run I never have external dependencies that need to be accessed from my node or from the client with exception of stratum-1 time servers.
I do have to periodically update the CIDR blocks for given ASN's. I have not automated this but I probably should some day. It's not hard to automate, I am just excessively "efficient". I was told to stop calling myself lazy, but I am.
Methods 2, 3 and 5 are the ones I talk about here. [1]
[1] - https://nochan.net/b/Internet-Crap/20260606-How-To-Block-Som...
My experience is that modern web scraping had no obvious pattern, since it is proxied through many IPs. The last time a server was failing to handle the pressure, we decided to temporarily ban IPs from some Asian regions. How does the FSF decide to ban an IP?
Why do they use iptables + ipset instead of nftables? Is there a technical reason or is it just legacy? AFAIK, Nftables is more performant, and IMO simpler. And it has native sets, see https://wiki.nftables.org/wiki-nftables/index.php/Sets
Weird message to include in AGPLv3 licensed software (which explicitly allows people to use software however they like, regardless of their beliefs or feelings).
What I can see is a fairly clear indication that they do not want contributions from people whose politics differ from theirs. I would also question whether government funding of a project with political policies about who can participate is appropriate. The political stance is also rooted in a particular culture so is unwelcoming to people from other cultures.
Of course people can political views and preferences, but they presumably have some aim in mind when making that statement in the README. What is that aim?
This is the same FSF that in the past has refused contributions from people whose politics include "I would like this software to run on my windows/apple/other proprietary platform". They're extremely political.
https://www.gnu.org/philosophy/javascript-trap.html
Users can't consent to running a page's javascript the way they can consent to running a program they've intentionally downloaded, so it's effectively "non-free" regardless of license.
Won't, they call it malware: https://www.fsf.org/blogs/sysadmin/our-small-team-vs-million...
https://anubis.techaro.lol/docs/admin/configuration/challeng...
I guess for the meta refresh challenge it's less "proof of work" and more "proof of patience".
Firewalld had a similar issue up until recently as well.
I get they're DDoS; but take the mask off, and arn't they just the AI monied interests that fund the FSF? and a lot of them are just active inference, eg, the user is trying to ask about something and the AI monied interests setup a web scraper to go and get that data.
Just seems like no one wants to call out the hand that feeds them in a human centipede that's best described as the torment nexus.
Can you elaborate on who these interests are precisely?