Un point singulier, une frontière.
Un autre monde, stérile, ou luxuriant.
Traversons la singularité
Quote
Reply
Author Archives: gawen
Today’s game: Hotline Miami
Do you like hurting other people?
A LSD-based brutal murder simulator.
Just letting the steam off, you think. You will quickly find yourself enjoying slaughtering people in the most gruesome way. Then it will be all sort of mechanical. And you’ll feel really bad about this.
But that’s what this game is all about, and it’s really good at it.
Why is there something rather than nothing?
Why not?
IPs ban on Linux
Who needs a quick ban?
Today we had a bruteforce attack on our nginx server. Well cannot say he was anywhere near successful though, the guy did POST /wp-login.php several times per second and all he got as an answer was 404. Fat chance…
But still, he had our access logs growing far larger than they usually do. So I tried to ban him. Unfortunately nginx does not use TCP wrappers by default (you can use ngx_tcpwrappers although it will have to be rebuilt from source).
So I made a little script, called ban-hammer to temporarily ban IPs using IPTables. There is also a cron.daily script to unban IPs each day. The script requires rpnc, but it is easy to adapt without it.
These scripts add and remove the IPs into a special IPT chain (which you can configure in the script). So you also have to configure your firewall to jump to the two chains and load banned IPs on boot:
echo "Bans"
load_bans() {
ban_table=$1
ban_chain=$2
iptables=$3
$iptables -N $ban_chain
while read ban
do
ip=$(echo "$ban" | cut -d'=' -f 1)
$iptables -A $ban_chain -s "$ip" -j DROP
done < "$ban_table"
$iptables -A INPUT -j $ban_chain
}
load_bans /etc/firewall/ip4.ban IP4BAN iptables
load_bans /etc/firewall/ip6.ban IP6BAN ip6tables
FP comparison in Shell
People tend to not like Shell. But I do!
Here is a simple example, try this floating point comparison:
$ [ 0.1 -gt 0.01 ] [: 0.1: bad number
The shell itself cannot use float.
But there are multiple workarounds. Here is the one I prefer:
if rpnc "$a" "$b" - | grep "^-" > /dev/null then echo "a < b" fi
Although you may not have the rpnc command, so here is another one:
if [ $(echo "$a < $b" | bc) -eq 1 ] then echo "a < b" fi
With our heads up in the clouds
Quote
Today people are connected together with the cloud… You mean Internet, right?
ISP y u no DNSSEC?
Unbound is a secure, lightweight and high performance validating, recursive, and caching DNS resolver. It performs DNSSEC validation and it is also really easy to configure. Although it cannot act as a full fledged authoritative server, you may take a look at NSD, which is, on the contrary, authoritative only. For a nice tutorial about unbound configuration, see this post.
Today I discovered local_unbound on FreeBSD. This script generates a configuration suitable for running unbound as a forwarding resolver. It also uses resolveconf to update the list of forwarders. This means that it is automatically configured with the name servers provided by the DHCP offer.
By default, unbound is configured to withheld the reply from the client when the validation fails. Unfortunately most of the name servers provided by home routers and ISPs do not support DNSSEC. Even worse, some ISPs redirect all queries to their own name servers which of course do not support DNSSEC either. You can check if it is the case with this command:
dig @8.8.8.8 +short test.dnssec-or-not.net TXT
As Google public DNS support DNSSEC. If it does not show you anything, it is OK. If instead it says something like: “Nope! DO bit not set in your query” then your query has been forwarded to a server which is not DNSSEC capable.
Because of this, you often end up with a nice caching forwarding resolver which does not seem to resolve anything (at least on the client side) because of bogus validations.
You have two solutions to overcome this. First you can force your forwarders to DNSSEC capable servers such as Google public DNS (8.8.8.8 / 8.8.4.4). However, as mentioned above this does not work when your ISP redirect all queries to its own server. The second solution is to configure unbound into permissive mode (/etc/unbound/unbound.conf):
server:
(...)
val-permissive-mode: yes
In that case, replies to queries that did not pass validation are not longer withheld from the client but the Authenticated Data bit is not set in the reply.
Today’s movie: Interstellar
We start this new series with Interstellar by Christopher Nolan. I did not expect to watch this movie. Actually you must know that I was somewhat apprehensive. To me this movie was a direct inspiration from The Songs of Distant Earth by Arthur C. Clarke. This book stirred me so hard. To the point it has partly shaped my vision of life, and of the place we have here. I felt that no movie could ever render this. And I (deeply) feared to see one of my favorite science fiction novel trampled on by yet another gargantuan sf blockbuster overflowing with CGI in every possible direction with a bunch of heroes saving the world (again) because you know that’s just what heroes are for anyway.
Well I must admit, this is what I just saw, yet I was agreeably surprised. And the emotional impact that built all along the movie far outreached my expectations. I found myself multiple times begging for the storyline not to slip into one direction or another, because I felt that all this tension would deflate grotesquely like a dismaying soufflé, only to find minutes later that it was still ok.
The movie itself is not without fails. It is extremely ambitious. And as someone would naturally expect, it misses the point from time to time. It sometimes drew itself too far into the drama to the point that the story was loosing its legitimacy. Some scenes deserved to be more explored, and the fast paced rhythm contrasted too much with the heavy atmosphere of interstellar travel through the vastness and solitude of space combined to the ultimate hope of humanity that the movie tried to convey. These two themes go very well together. But they must be treated with due respect and certainly not as a way to blow up things and acting as a show-off.
Best acting goes for Anne Hathaway (Brand). On the other hand Cooper, Matthew McConaughey’s personnage, sometimes lacks conviction that would benefit to some key parts of the movie. Dialogues are somewhat clunky, and that certainly didn’t help. There are multiple unassuming nods to other sf movies. 2001 being one of them though both movies are still far apart. I was also pleased to see another nod to Arthur C. Clarke, The Garden of Rama.
In conclusion, my impression is that this movie could have been something awfully good. But it is not bad either. I’d even go to say that it is good up to very good.
Popularity
Quote
Being overwhelmingly popular is not a pledge of quality
but rather a clue of commonness.
New series: Today’s movie
In a preceding article (ChangeLog), I said that I might post more on different subjects than what I usually post. So as part of this perpetual opening initiative, I will soon start a new series called “Today’s movie“. In which I tell you about a movie I am about to watch, what I thought of it (for what it’s worth), why you should drop everything you are doing right now to see it, or not.
You may like this, or not.
And you may also flame in the comments if you don’t agree.
Well I hope you’ll like it though.
As for me it will be an opportunity to revisit movies I didn’t see in a while.