Re: [gentoo-user] apache blocking access based country
On Tue, Dec 08, 2020 at 11:18:49PM -0700, thelma wrote in <94662af9-b159-65ca-371d-1521ab4fa...@sys-concept.com>:

> Steve suggested a good alternative database of IPs with a two-letter country code beside them. It can be sorted by country in a spreadsheet. This 16MB file would seem like an ideal solution; but checking it, it is missing the 212.114.17 number I checked earlier from the other source. The number 212.114.16 is correctly identified as "FR" (France).
>
> deny from 212.114.16.0/24
> deny from 212.114.17.0/24
>
> The dbip-country-lite-2020-12.csv lists:
>
> 212.114.10.0 - 212.114.15.255  RU
> 212.114.16.0 - 212.114.31.255  FR
> 212.114.32.0 - 212.114.49.39   DE

Just wanted to point out that "212.114.17.0/24" is included in the "212.114.16.0 - 212.114.31.255 FR" entry you show, so it doesn't seem to be missing at all.

For reasons of efficiency, it is preferable to have blocks listed that are bigger than /24s if they roll up to bigger blocks per country.
Re: [gentoo-user] apache blocking access based country
On 12/08/2020 05:25 PM, Steve Wilson wrote:
>
> On 09/12/2020 00:01, Grant Taylor wrote:
>> On 12/8/20 4:44 PM, Steve Wilson wrote:
>>> I use this as the first step to limit ssh access to one of my
>>> servers: `iptables -A INPUT -p tcp -m tcp --dport 22 -m geoip !
>>> --src-cc GB -m comment --comment "Drop SSH from outside GB" -j DROP`
>>
>> Has the geoip match extension been updated to take into account
>> MaxMind discontinuing their GeoLite database and the need to support
>> GeoLite2?
>>
> The xt_geoip_dl script grabs a csv from
> https://db-ip.com/db/download/ip-to-country-lite. I imagine there's a
> method for dealing with maxmind's new version and converting to csv if
> they don't already provide one for the paid service.
>
> Steve

Steve suggested a good alternative database of IPs with a two-letter country code beside them. It can be sorted by country in a spreadsheet. This 16MB file would seem like an ideal solution; but checking it, it is missing the 212.114.17 number I checked earlier from the other source. The number 212.114.16 is correctly identified as "FR" (France).

deny from 212.114.16.0/24
deny from 212.114.17.0/24

The dbip-country-lite-2020-12.csv lists:

212.114.10.0 - 212.114.15.255  RU
212.114.16.0 - 212.114.31.255  FR
212.114.32.0 - 212.114.49.39   DE

In addition, all the 2.61.192.0 numbers are missing as well.
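The check that the reply at the top of this thread makes by eye (is 212.114.17.0/24 inside the FR range?) and its point about rolling ranges up into blocks bigger than /24, as an added example that is not a script from the list. The three CSV rows are constructed from the ranges quoted in the message above in the dbip-country-lite column order (start, end, country); the function names are mine.

```python
"""Check Apache 'deny from' CIDRs against a db-ip style country CSV and
roll a country's ranges up into the fewest CIDR blocks."""
import csv
import io
import ipaddress

# Constructed sample rows in the dbip-country-lite layout: start,end,country.
SAMPLE_CSV = """\
212.114.10.0,212.114.15.255,RU
212.114.16.0,212.114.31.255,FR
212.114.32.0,212.114.49.39,DE
"""


def load_ranges(text):
    """Parse CSV text into (first_ip, last_ip, country) tuples."""
    rows = []
    for start, end, cc in csv.reader(io.StringIO(text)):
        rows.append((ipaddress.ip_address(start), ipaddress.ip_address(end), cc))
    return rows


def country_of(rows, cidr):
    """Country code of the single range that covers every address in cidr,
    or None when no one range does (a block straddling two rows or
    running past the end of the last row is reported as unknown)."""
    net = ipaddress.ip_network(cidr, strict=False)
    first, last = net[0], net[-1]
    for start, end, cc in rows:
        if start <= first and last <= end:
            return cc
    return None


def cidrs_for_country(rows, cc):
    """Minimal list of CIDR blocks covering a country's ranges; the FR row
    becomes one /20 instead of sixteen /24 lines."""
    blocks = []
    for start, end, row_cc in rows:
        if row_cc == cc:
            blocks.extend(ipaddress.summarize_address_range(start, end))
    return [str(b) for b in ipaddress.collapse_addresses(blocks)]


def deny_lines(rows, cc):
    """Apache 2.2 style access lines for one country, one per block."""
    return [f"deny from {block}" for block in cidrs_for_country(rows, cc)]


if __name__ == "__main__":
    rows = load_ranges(SAMPLE_CSV)
    for cidr in ("212.114.16.0/24", "212.114.17.0/24", "212.114.49.0/24"):
        print(cidr, "->", country_of(rows, cidr))
    print("\n".join(deny_lines(rows, "FR")))
```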
Re: [gentoo-user] apache blocking access based country
P.S. You might also be interested in some of the feeds that Team Cymru has to offer. I think they are more friendly to scripted querying.

Link - IP to ASN Mapping Service - https://team-cymru.com/community-services/ip-asn-mapping/

--
Grant. . . .
unix || die
Re: [gentoo-user] apache blocking access based country
On 12/8/20 9:59 PM, the...@sys-concept.com wrote:
> I'll write a script to check all the IPs from a text file with "whois" and write the output out to another file, just to be sure. I don't know how long it will take; the file contains 26611 entries (IP addresses).

ProTip: Don't parse the output from WhoIs directly. Instead save it to a file. Come up with some file naming scheme that encodes the IPs and date. That way you can easily reference them in the future. Or decide that what you have cached is too old and that you need to update it.

I say this because a number of WhoIs servers get fairly upset if they think they are being scripted against. So ... space out the queries and save the output for future re-use.

> You might be correct, Grant. Putting the IPs in the apache .config file could be more efficient, instead of the .htaccess file.

;-)

--
Grant. . . .
unix || die
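A cache that follows the ProTip above, as an added example (not a script posted to the list): one file per IP and query date, reuse while the answer is fresh, and a pause after every live query. It assumes a system `whois` client; `lookup_fn`, `sleep_fn` and the demo date are my own hooks so the logic can be tried without contacting any server.

```python
"""Cache whois answers one file per (IP, date) and pace the live queries."""
import datetime as dt
import pathlib
import re
import subprocess
import time

EXAMPLE_DAY = dt.date(2020, 12, 9)  # constructed date for demonstration

def run_whois(ip):
    """Live lookup through the system whois client (assumed installed)."""
    return subprocess.run(["whois", ip], capture_output=True, text=True,
                          timeout=30).stdout

def cache_name(ip, day):
    """File name encoding both the IP and the day it was queried."""
    return f"whois_{ip}_{day.isoformat()}.txt"

def newest_cached(cache_dir, ip):
    """(date, path) of the most recent cached answer for ip, or None."""
    pat = re.compile(rf"^whois_{re.escape(ip)}_(\d{{4}}-\d{{2}}-\d{{2}})\.txt$")
    hits = []
    for path in pathlib.Path(cache_dir).glob(f"whois_{ip}_*.txt"):
        m = pat.match(path.name)
        if m:
            hits.append((dt.date.fromisoformat(m.group(1)), path))
    return max(hits) if hits else None

def cached_whois(ip, cache_dir, max_age_days=30, lookup_fn=run_whois,
                 delay_s=2.0, today=None, sleep_fn=time.sleep):
    """Return (text, from_cache). A cached answer no older than max_age_days
    is reused; otherwise one live query runs, is saved under today's date,
    and the caller pauses delay_s seconds so the server is not hammered."""
    today = today or dt.date.today()
    hit = newest_cached(cache_dir, ip)
    if hit and 0 <= (today - hit[0]).days <= max_age_days:
        return hit[1].read_text(), True
    cache_dir = pathlib.Path(cache_dir)
    cache_dir.mkdir(parents=True, exist_ok=True)
    text = lookup_fn(ip)
    (cache_dir / cache_name(ip, today)).write_text(text)
    sleep_fn(delay_s)
    return text, False

def purge_cache(cache_dir):
    """Forget every cached answer, e.g. when starting over with a new source."""
    for path in pathlib.Path(cache_dir).glob("whois_*.txt"):
        path.unlink()

def check_list(ip_file, cache_dir, **kwargs):
    """Run each IP listed one per line in ip_file through the cache."""
    results = {}
    for line in pathlib.Path(ip_file).read_text().splitlines():
        ip = line.strip()
        if ip and not ip.startswith("#"):
            results[ip] = cached_whois(ip, cache_dir, **kwargs)
    return results
```

Once the cache directory is filled, the saved files can be grepped for `country:` lines without ever re-querying.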
Re: [gentoo-user] apache blocking access based country
On 12/8/20 8:50 PM, the...@sys-concept.com wrote:
> Creating an ACL based on those internet sources, e.g.
> https://www.countryipblocks.net/acl.php
> is not reliable. I pulled a list of Russian and Ukrainian IPs from the above link and, checking some of them, I found these two (and possibly more) are French IPs:
>
> deny from 212.114.16.0/24
> deny from 212.114.17.0/24

I can't say as I'm surprised. IMHO GeoIP feeds are, and always have been, somewhat suspect.

You can get information from RIRs based on who they allocated blocks to originally (or the last update by them). Or you can get information from a service that tries to be much more accurate. Or you can get information from a Default Free Zone BGP feed. Or any combination of the above. But each thing is of different quality and different amounts of work.

RIPE's extended delegation list shows 212.114.16.0/21 as being delegated to France.

I trust the RIR feeds more. Though they might not be updated with the IPv4 trading and resale market.

Personally, I'd extract prefixes of ASNs from a DFZ BGP feed and use that to filter. It will be the most up to date of what a given provider (ASN) is advertising.

> If the "geoip" database is based on similar sources the whole project is not a reliable control method.

GeoIP is ... nebulous. You need to consider if you want to proceed with imperfect (or completely wrong) data.

--
Grant. . . .
unix || die
Re: [gentoo-user] apache blocking access based country
On 12/08/2020 08:50 PM, the...@sys-concept.com wrote:
[snip]
> Creating an ACL based on those internet sources, e.g.
> https://www.countryipblocks.net/acl.php
> is not reliable. I pulled a list of Russian and Ukrainian IPs from the
> above link and, checking some of them, I found these two (and possibly
> more) are French IPs:
>
> deny from 212.114.16.0/24
> deny from 212.114.17.0/24
>
> If the "geoip" database is based on similar sources the whole project is not
> a reliable control method.

I'll write a script to check all the IPs from a text file with "whois" and write the output out to another file, just to be sure. I don't know how long it will take; the file contains 26611 entries (IP addresses).

You might be correct, Grant. Putting the IPs in the apache .config file could be more efficient, instead of the .htaccess file.
Re: [gentoo-user] apache blocking access based country
On 12/8/20 6:17 PM, the...@sys-concept.com wrote:
> so it might be easier for apache, am I correct?

Apache vs iptables is somewhat a preference. Though with Apache, chances are good that you would need to ban in multiple locations, possibly multiple VHOSTs or server wide. (See more below.)

> Either way, apache would have to access the database where all the codes are stored, or the .htaccess file. Or is it easier if I incorporate the IP addresses into the main .config file (in apache)?

I personally prefer to put things in files that are included directly from the main Apache config file in lieu of .htaccess files. This harks back to a time when checking for a .htaccess file per page request had measurable impact. It just seemed easier to put the content in the main config file and skip looking for and processing .htaccess files on each request.

I don't know what would be more efficient, storing the data somewhere outside of Apache and having it check that -or- putting the data in the config / .htaccess file(s).

--
Grant. . . .
unix || die
Re: [gentoo-user] apache blocking access based country
On 12/08/2020 05:25 PM, Steve Wilson wrote:
>
> On 09/12/2020 00:01, Grant Taylor wrote:
>> On 12/8/20 4:44 PM, Steve Wilson wrote:
>>> I use this as the first step to limit ssh access to one of my
>>> servers: `iptables -A INPUT -p tcp -m tcp --dport 22 -m geoip !
>>> --src-cc GB -m comment --comment "Drop SSH from outside GB" -j DROP`
>>
>> Has the geoip match extension been updated to take into account
>> MaxMind discontinuing their GeoLite database and the need to support
>> GeoLite2?
>>
> The xt_geoip_dl script grabs a csv from
> https://db-ip.com/db/download/ip-to-country-lite. I imagine there's a
> method for dealing with maxmind's new version and converting to csv if
> they don't already provide one for the paid service.
>
> Steve

Creating an ACL based on those internet sources, e.g.
https://www.countryipblocks.net/acl.php
is not reliable. I pulled a list of Russian and Ukrainian IPs from the above link and, checking some of them, I found these two (and possibly more) are French IPs:

deny from 212.114.16.0/24
deny from 212.114.17.0/24

If the "geoip" database is based on similar sources the whole project is not a reliable control method.
Re: [gentoo-user] apache blocking access based country
On 12/08/2020 05:25 PM, Steve Wilson wrote:
>
> On 09/12/2020 00:01, Grant Taylor wrote:
>> On 12/8/20 4:44 PM, Steve Wilson wrote:
>>> I use this as the first step to limit ssh access to one of my
>>> servers: `iptables -A INPUT -p tcp -m tcp --dport 22 -m geoip !
>>> --src-cc GB -m comment --comment "Drop SSH from outside GB" -j DROP`
>>
>> Has the geoip match extension been updated to take into account
>> MaxMind discontinuing their GeoLite database and the need to support
>> GeoLite2?
>>
> The xt_geoip_dl script grabs a csv from
> https://db-ip.com/db/download/ip-to-country-lite. I imagine there's a
> method for dealing with maxmind's new version and converting to csv if
> they don't already provide one for the paid service.
>
> Steve

Thanks. The dbip-country-lite-2020-12.csv is 16MB (file) though; it includes all the countries. The file for the country I want to ban is only 697kB, so it might be easier for apache, am I correct?

Either way, apache would have to access the database where all the codes are stored, or the .htaccess file. Or is it easier if I incorporate the IP addresses into the main .config file (in apache)?
Re: [gentoo-user] apache blocking access based country
On 09/12/2020 00:01, Grant Taylor wrote:
> On 12/8/20 4:44 PM, Steve Wilson wrote:
>> I use this as the first step to limit ssh access to one of my
>> servers: `iptables -A INPUT -p tcp -m tcp --dport 22 -m geoip !
>> --src-cc GB -m comment --comment "Drop SSH from outside GB" -j DROP`
>
> Has the geoip match extension been updated to take into account
> MaxMind discontinuing their GeoLite database and the need to support
> GeoLite2?

The xt_geoip_dl script grabs a csv from https://db-ip.com/db/download/ip-to-country-lite. I imagine there's a method for dealing with maxmind's new version and converting to csv if they don't already provide one for the paid service.

Steve
Re: [gentoo-user] apache blocking access based country
On 12/8/20 4:44 PM, Steve Wilson wrote:
> I use this as the first step to limit ssh access to one of my servers:
> `iptables -A INPUT -p tcp -m tcp --dport 22 -m geoip ! --src-cc GB -m comment --comment "Drop SSH from outside GB" -j DROP`

Has the geoip match extension been updated to take into account MaxMind discontinuing their GeoLite database and the need to support GeoLite2?

> This has the advantage that apache doesn't need to process the request, but a possible downside that you won't be able to display a message if that's a requirement.

You could probably DNAT / REDIRECT to an alternate port that is a different virtual host that serves up a 403 page.

--
Grant. . . .
unix || die
Re: [gentoo-user] apache blocking access based country
On 08/12/2020 22:55, the...@sys-concept.com wrote:
> What are my options for apache blocking access based on country?
> So far I've run into something "geoip" or ACL (long list of IPs provided by e.g.:)
> https://www.ip2location.com/free/visitor-blocker
>
> With geoip I think I will need to install some module for apache (apache 2.2). It is using geoip.dat so it must be a long list as well. But they are not offering any free version.
> wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
> (doesn't work)

If you don't need to provide information in the browser to blocked users, you could look at net-firewall/xtables-addons with XTABLES_ADDONS="geoip". This will allow you to block access to apache at the network level.

I use this as the first step to limit ssh access to one of my servers:
`iptables -A INPUT -p tcp -m tcp --dport 22 -m geoip ! --src-cc GB -m comment --comment "Drop SSH from outside GB" -j DROP`

This has the advantage that apache doesn't need to process the request, but a possible downside that you won't be able to display a message if that's a requirement.

Steve
Re: [gentoo-user] apache blocking access based country
On 12/08/2020 03:55 PM, the...@sys-concept.com wrote:
> What are my options for apache blocking access based on country?
> So far I've run into something "geoip" or ACL (long list of IPs provided by
> e.g.:)
> https://www.ip2location.com/free/visitor-blocker
>
> With geoip I think I will need to install some module for apache (apache 2.2).
> It is using geoip.dat so it must be a long list as well. But they are not
> offering any free version.
> wget
> http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
> (doesn't work)

Just access to the web-page that is hosted by apache. Looking at the IP addresses generated by some of those links, the document is 10 pages long.
Re: [gentoo-user] apache blocking access based country
On 12/8/20 3:55 PM, the...@sys-concept.com wrote:
> What are my options for apache blocking access based on country?

Do you want to block connections to /just/ Apache and /nothing/ else on the system? Or do you want to block connections from specified sources to anything and everything on the system?

--
Grant. . . .
unix || die
[gentoo-user] apache blocking access based country
What are my options for apache blocking access based on country?
So far I've run into something "geoip" or ACL (long list of IPs provided by e.g.:)
https://www.ip2location.com/free/visitor-blocker

With geoip I think I will need to install some module for apache (apache 2.2). It is using geoip.dat so it must be a long list as well. But they are not offering any free version.
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
(doesn't work)

--
Thelma
Re: [gentoo-user] ghostview (gv) doesn't seem to work
On 12/8/20 7:08 PM, n952162 wrote:
> I always get a blank page, even with the output of groff. Or, just a watch-face. No relevant USE flags. Anybody have an idea?

Okay, I figured it out. gv doesn't have any relevant USE flags, but ghostscript does. And trying to emerge ghostscript won't get you far because emerge's heuristics can't make out that ghostscript really means ghostscript-gpl. That has lots of good USE variables.
[gentoo-user] ghostview (gv) doesn't seem to work
I always get a blank page, even with the output of groff. Or, just a watch-face. No relevant USE flags. Anybody have an idea?
Re: [gentoo-user] portage blocking portage update
On Tue, Dec 08, 2020 at 10:38:43AM +0100, Arve Barsnes wrote:
> On Tue, 8 Dec 2020 at 10:07, Walter Dnes wrote:
> > I just did an "emerge --sync", and was told to update portage. But it
> > seems that portage 3.0.8 built with python 3.7 is blocking portage 3.0.9
> > with python 3.8. I obviously can't remove portage to fix the block.
> > Note "grep -i python /etc/portage/make.conf" shows no output at all. In
> > package.use, PYTHON_TARGETS: and PYTHON_SINGLE_TARGET: are commented out.
>
> It's a dependency problem that I find is not worth untangling. I had
> the exact same problem yesterday on a different machine.
>
> My advice: skip this and go straight to a world update. portage will
> most likely figure out the tangle for you, and update itself during
> the world update.

Thank you. That fixed the problem. After updating world, portage-3.0.9 is now installed, built against PYTHON_TARGETS="python3_8".

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
Re: [gentoo-user] eselect news read new
On 08.12.2020 at 14:41, Dr Rainer Woitok wrote:
> Greetings,
>
> running the command
>
> eselect news read new
>
> always returns "No news is good news" regardless of whether I run it from my own account or from "root". And running
>
> eselect news list
>
> currently lists 17 news items, none of which is flagged "N" even though I cannot remember having read them all.
>
> Maybe my brain slowly starts failing, but where is the "brain" of "eselect"? Where does it store what's already read?
>
> Sincerely,
> Rainer

You can read old news, too.

# eselect news read [no from list]
Re: [gentoo-user] eselect news read new
Greetings,

On Tuesday, 2020-12-08 14:48:40 +0100, netfab wrote:
> ...
> > Where does it store what's already read?
>
> /var/lib/gentoo/news/

Thank you for the quick response.

Sincerely,
Rainer
Re: [gentoo-user] eselect news read new
On 08/12/20 at 14:41, Dr Rainer Woitok typed:
> Where does it store what's already read?

/var/lib/gentoo/news/
[gentoo-user] eselect news read new
Greetings,

running the command

eselect news read new

always returns "No news is good news" regardless of whether I run it from my own account or from "root". And running

eselect news list

currently lists 17 news items, none of which is flagged "N" even though I cannot remember having read them all.

Maybe my brain slowly starts failing, but where is the "brain" of "eselect"? Where does it store what's already read?

Sincerely,
Rainer
Re: [gentoo-user] portage blocking portage update
On Tuesday, 8 December 2020 09:38:43 GMT Arve Barsnes wrote:
> On Tue, 8 Dec 2020 at 10:07, Walter Dnes wrote:
> > I just did an "emerge --sync", and was told to update portage. But it
> > seems that portage 3.0.8 built with python 3.7 is blocking portage 3.0.9
> > with python 3.8. I obviously can't remove portage to fix the block.
> > Note "grep -i python /etc/portage/make.conf" shows no output at all. In
> > package.use, PYTHON_TARGETS: and PYTHON_SINGLE_TARGET: are commented out.
>
> It's a dependency problem that I find is not worth untangling. I had
> the exact same problem yesterday on a different machine.
>
> My advice: skip this and go straight to a world update. portage will
> most likely figure out the tangle for you, and update itself during
> the world update.

Agreed. That's what I did: just updated as usual and all went tickety-boo.

--
Regards,
Peter.
Re: [gentoo-user] Gentoo on Raspberry Pi 400?
On Tuesday, 8 December 2020 00:34:53 GMT Neil Bothwick wrote:
> On Tue, 8 Dec 2020 00:30:12 +0100, Teru Yuu wrote:
> > As long as you boot into any system, you will be able to install gentoo.
> > For rpi4 I used alpine linux (mainly because it already had a write-up
> > on the wiki for headless boot with sshd enabled)
>
> You can do that with Raspbian too. Mount the boot partition of the SD
> card on your computer and create a file called ssh. Then Raspbian will
> boot with SSH enabled.

I'll try that - thanks!

--
Regards,
Peter.
Re: [gentoo-user] Gentoo on Raspberry Pi 400?
On Tuesday, 8 December 2020 06:51:25 GMT Andrew Lowe wrote:
> There is always this option:
>
> https://github.com/sakaki-/gentoo-on-rpi-64bit

Nope. Tried that first. As I said, the boot process in the Pi 400 differs from the others.

--
Regards,
Peter.
Re: [gentoo-user] portage blocking portage update
On Tue, 8 Dec 2020 at 10:07, Walter Dnes wrote:
> I just did an "emerge --sync", and was told to update portage. But it
> seems that portage 3.0.8 built with python 3.7 is blocking portage 3.0.9
> with python 3.8. I obviously can't remove portage to fix the block.
> Note "grep -i python /etc/portage/make.conf" shows no output at all. In
> package.use, PYTHON_TARGETS: and PYTHON_SINGLE_TARGET: are commented out.

It's a dependency problem that I find is not worth untangling. I had the exact same problem yesterday on a different machine.

My advice: skip this and go straight to a world update. portage will most likely figure out the tangle for you, and update itself during the world update.

Regards,
Arve
[gentoo-user] portage blocking portage update
I just did an "emerge --sync", and was told to update portage. But it seems that portage 3.0.8 built with python 3.7 is blocking portage 3.0.9 with python 3.8. I obviously can't remove portage to fix the block. Note "grep -i python /etc/portage/make.conf" shows no output at all. In package.use, PYTHON_TARGETS: and PYTHON_SINGLE_TARGET: are commented out.

[i3][root][~] grep -i python /etc/portage/make.conf
[i3][root][~] grep -i python /etc/portage/package.use/package.use
# */* PYTHON_TARGETS: python3_6 python3_7
# */* PYTHON_SINGLE_TARGET: -* python3_6
app-emulation/qemu aio alsa fdt opengl usb vhost-net gtk sdl curl ssh -bluetooth -iscsi -pulseaudio -rbd -smartcard -usbredir -spice -accessibility -caps -debug -glusterfs -filecaps -ncurses -pin-upstream-blobs -python -sasl -sdl2 -seccomp -selinux -static -static -static-softmmu -static-user -tci -test -tls -vde -virtfs -xattr -xen -xfs
dev-lang/python sqlite
dev-libs/libxml2 python
media-gfx/gimp exif python tiff

Any ideas? The build attempt follows...

[i3][root][~] emerge --oneshot sys-apps/portage
Calculating dependencies... done!
[ebuild U ] sys-apps/portage-3.0.9 [3.0.8] PYTHON_TARGETS="python3_8* -python3_7*"

!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

sys-apps/portage:0

  (sys-apps/portage-3.0.9:0/0::gentoo, ebuild scheduled for merge) USE="(ipc) native-extensions xattr -apidoc -build -doc -gentoo-dev -rsync-verify (-selinux) -test" PYTHON_TARGETS="python3_8 (-pypy3) -python3_6 -python3_7 -python3_9" pulled in by
    sys-apps/portage (Argument)

  (sys-apps/portage-3.0.8:0/0::gentoo, installed) USE="(ipc) native-extensions xattr -apidoc -build -doc -gentoo-dev -rsync-verify (-selinux) -test" PYTHON_TARGETS="python3_7 (-pypy3) -python3_6 -python3_8 -python3_9" pulled in by
    sys-apps/portage[python_targets_pypy3(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,python_targets_python3_9(-)?,-python_single_target_pypy3(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-),-python_single_target_python3_9(-)] required by (app-portage/gentoolkit-0.5.0-r2:0/0::gentoo, installed) USE="-test" PYTHON_TARGETS="python3_7 (-pypy3) -python3_6 -python3_8 -python3_9"

--
Walter Dnes
I don't run "desktop environments"; I run useful applications