I don’t want it to be 2026 🤣
@bmallred@staystrong.run You can probably recover missing twts from our caches if you need to…
Hey this could be good news for self-hosters and folks that want to run their own yarnd? 🤔 Vultr is offering 1 vCPU, 500MB Memory and 10GB Storage for FREE! That’s right $0.00 🤣
@aelaraji@aelaraji.com Man I’m sorry to hear this. 😢 Whatever it is you’re going through, things will get better I promise you 🤗
@aelaraji@aelaraji.com Same, I hope things get much better for you bud 🤗
No more stupid little DDoS(s) from fucking China now 🤣
Note for reference I was trying to write and fix this rule (fixed version below):
# Ignore Content-Type restrictions for Git
SecRule REQUEST_HEADERS:Host "@streq git.mills.io" "id:101,phase:1,t:none,nolog,ctl:ruleRemoveById=920420"
Notably the custom operator @lookupASN
I’ll try to add a README for caddy-waf soon™ (going back to bed now) at least document the customizations I’ve made to this WAF (which I forked from caddy-coraza)
This is how I build my caddy:
proxy-1:~# cat build.caddy.sh
#!/bin/sh
xcaddy build \
--with github.com/caddy-dns/cloudflare \
--with github.com/caddyserver/cache-handler \
--with git.mills.io/prologic/caddy-ratelimit \
--with git.mills.io/prologic/caddy-waf
proxy-1:~#
Ahh fuck! Sorry I was fixing a rule 🤣 This is much better!
proxy-1:~# grep -c 'Bad ASN' /var/log/caddy/caddy.log
2441
@bender@twtxt.net Yes they are rather large 🤣 Here you go:
proxy-1:~# cat /etc/caddy/waf/bad_asns.txt
# CHINANET-BACKBONE No.31,Jin-rong Street, CN
# Why: DDoS
4134
# CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
# Why: DDoS
4837
# CHINAMOBILE-CN China Mobile Communications Group Co., Ltd., CN
# Why: DDoS
9808
# FACEBOOK, US
# Why: Bad Bots
32934
proxy-1:~#
An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain, that presents a common and clearly defined routing policy to the Internet.[1] Each AS is assigned an autonomous system number (ASN), for use in Border Gateway Protocol (BGP) routing. Autonomous System Numbers are assigned to Local Internet Registries (LIRs) and end-user organizations by their respective Regional Internet Registries (RIRs), which in turn receive blocks of ASNs for reassignment from the Internet Assigned Numbers Authority (IANA). The IANA also maintains a registry of ASNs which are reserved for private use (and should therefore not be announced to the global Internet).
Cool! 😎 So I can now block ASN(s) 🤣 (And I bet no-one noticed anything)
@kat I love blue 🤣
@aelaraji@aelaraji.com Still in my cache 🤣
@aelaraji@aelaraji.com Bahahaha, you know where the default theme lives 🤣 PRs welcome!
It’s nice to see that some Crawlers actually respect rate limits and respect a 429 Too many requests response 👌 Thank you Google! 🙌
@bender@twtxt.net So you mean, get fail2ban to look at my Caddy audit logs for violations and then just block at the firewall level for repeated violations? 🤔
@kat token will still be valid 👌
@kat 🙌
@kat Yeah that’s what the admin function does. Normal user password reset is different but requires working email 🤣
@kat Speaking of KVM, Tiny Pilot and Jet KVM look really good!
@kat It’ll be whatever the actual server’s time zone is.
@kat Temporarily change the admin account on your pod to another account. Then login with that and reset the password on your main account.
What didn’t work? Hmmm 🤔
Hmm? 🤔
@seabirdie 👋 Welcome to Yarn.social 🙌
@kat Haha 🤣
Also yarnd supports video too 🤣
@kat Thanks! I built my own video hosting platform too but not nearly as fancy as what you use 🤣
@ 👋 Welcome to Yarn.social 🙌
@bender@twtxt.net Wre I’m talking about Web right? 🤣
"twtxtfeevalidator/0.0.1"
UA about? I thought I could ask before throwing a 1000GB file at it 🪤 could it be the same 'xt' thing @lyse was talking about the other day?
@aelaraji@aelaraji.com Nice! 🙌
@bender@twtxt.net you’re right the scale wasn’t that large, but analyzing the logs, it definitely was a DDoS attack. 🤣 I woke up this morning to see six other small spikes like this which I’ll have to analyze later tonight…
@kat What do you use for this btw? 🤔
So I need to figure out how to block ASN(s)…
Additionally, I’m thinking of: How to detect DDoS attacks?
Here’s one way I’ve come up with that’s quite simple:
Detecting DDoS attacks by tracking requests across multiple IPs in a sliding window. If total requests exceed a threshold in a given time, flag as potential DDoS.
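The sliding-window idea above, worked through as an added example (this is not code from the feed or from yarnd/Caddy): every request is recorded as a (timestamp, IP) pair, requests older than the window are evicted, and the total across all IPs is compared with a threshold. The window length, threshold and sample traffic are constructed values for illustration; the IPs come from the documentation ranges. Events must be fed in time order.

```python
"""Added example: sliding-window request-rate detector across all client IPs.

Flags a potential DDoS when the number of requests seen in the last
`window_seconds` (from any IP) exceeds `threshold`. Also reports how many
distinct IPs contributed, which is what separates a distributed burst from
a single noisy client. All numbers and sample traffic are constructed.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SlidingWindowDetector:
    window_seconds: float = 10.0  # constructed: length of the sliding window
    threshold: int = 100          # constructed: requests in window that trigger a flag
    _events: deque = field(default_factory=deque)  # (timestamp, ip), oldest first

    def _evict(self, now: float) -> None:
        # Drop events that have fallen out of the window. Requires events to
        # arrive in non-decreasing timestamp order (true for a tailed log).
        cutoff = now - self.window_seconds
        while self._events and self._events[0][0] < cutoff:
            self._events.popleft()

    def record(self, timestamp: float, ip: str) -> bool:
        """Record one request; return True if the window now exceeds the threshold."""
        self._events.append((timestamp, ip))
        self._evict(timestamp)
        return len(self._events) > self.threshold

    def window_stats(self, now: float) -> tuple[int, int]:
        """Return (requests in window, distinct IPs in window) as of `now`."""
        self._evict(now)
        return len(self._events), len({ip for _, ip in self._events})


def scan(events, window_seconds: float = 10.0, threshold: int = 100):
    """Replay (timestamp, ip) events in time order.

    Returns one (timestamp, requests_in_window, distinct_ips) tuple per
    episode, recorded the first time the window crosses the threshold, so a
    sustained burst produces a single alert rather than one per request.
    """
    det = SlidingWindowDetector(window_seconds, threshold)
    alerts, flagged = [], False
    for ts, ip in sorted(events):
        over = det.record(ts, ip)
        if over and not flagged:
            n, distinct = det.window_stats(ts)
            alerts.append((ts, n, distinct))
            flagged = True
        elif not over:
            flagged = False
    return alerts


def constructed_sample() -> list[tuple[float, str]]:
    """Constructed traffic: 60 s of one request per second from three IPs,
    plus a 5 s burst of 300 requests spread over 150 source IPs starting at t=30."""
    events = [(float(t), f"203.0.113.{t % 3 + 1}") for t in range(60)]
    events += [(30.0 + i / 60.0, f"198.51.100.{i % 150 + 1}") for i in range(300)]
    return events


def detect_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return scan(constructed_sample())


if __name__ == "__main__":
    for ts, n, distinct in detect_sample():
        print(f"t={ts:.2f}s: {n} requests in window from {distinct} distinct IPs")
```

With the sample traffic the detector raises exactly one alert, during the burst, and the distinct-IP count in the window is what tells you the load is spread across many sources rather than coming from one client that a plain per-IP rate limit would already have caught.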
@lyse@lyse.isobeef.org Cool 👌
Hmmm so I’ve sustained two DDoS attacks on my Gitea server today. A few hours apart. Still analyzing the traffic…
For the time being… I’ve just blocked all of OpenAI(s) Bots. They (thankfully) publish a JSON endpoint that you can use to block all OpenAI crawlers from reaching your server (in my case, blocking it at the edge). Example:
proxy-1:~# curl -qs https://openai.com/gptbot.json | jq -r '.prefixes[].ipv4Prefix' | xargs -I{} ./block-ip.sh {}
Where block-ip.sh is simply:
#!/bin/sh
ufw insert 1 deny from "$1" to any
@aelaraji@aelaraji.com Yes! 👏 This is exactly what it is! 🤣 I will of course soon™ be hosting this service, likely at validator.twtxt.net
😅😅
@kat Haha 🤣 If someone figures this out, please let me know 🙏🙏 – In the meantime, I’m going to very soon™ write a daemon that will watch the audit log for repeated violations and add to the network firewall.
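The daemon described above (watch the WAF audit log for repeated violations from one IP, then add that IP to the firewall), sketched as an added example that is not the feed author’s code. It parses records in the shape printed by coraza-log-formatter -m further down this page, counts violations per IP inside a time window, and emits the same ufw command the page’s block-ip.sh runs once an IP crosses the threshold. The threshold, window, allowlist and sample records are constructed; the commands are returned as strings rather than executed so the plan can be reviewed before anything touches the firewall.

```python
"""Added example: plan firewall blocks from repeated WAF violations.

Input is the record shape shown by `coraza-log-formatter -m` on this page:
a header line "<date> <time> <ip> <port> <method> <path> ..." followed by
"Message: ..." lines. Thresholds and the sample audit text are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HEADER = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) \d+ (?P<method>\S+) (?P<path>\S+)"
)


def parse_records(text: str):
    """Yield (timestamp, ip, message) for every Message line under a header."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["ip"])
            continue
        if current and line.strip().startswith("Message:"):
            yield current[0], current[1], line.split(":", 1)[1].strip()


class ViolationWatcher:
    def __init__(self, threshold: int = 3, window: timedelta = timedelta(minutes=10),
                 allowlist=()):
        self.threshold = threshold      # constructed: violations needed to block
        self.window = window            # constructed: violations must fall within this span
        self.allowlist = set(allowlist) # IPs never blocked (e.g. your own monitoring)
        self.hits = defaultdict(deque)  # ip -> timestamps of recent violations
        self.blocked = set()            # IPs already handed to the firewall

    def observe(self, ts: datetime, ip: str):
        """Return the firewall command if this violation crosses the threshold, else None."""
        if ip in self.allowlist or ip in self.blocked:
            return None
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget violations outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
            del self.hits[ip]
            # Same rule the page's block-ip.sh inserts; returned, not executed.
            return f"ufw insert 1 deny from {ip} to any"
        return None


def plan_blocks(text: str, **kwargs) -> list[str]:
    """Replay audit records in order and collect the block commands to run."""
    watcher = ViolationWatcher(**kwargs)
    return [cmd for ts, ip, _ in parse_records(text) if (cmd := watcher.observe(ts, ip))]


# Constructed sample: one IP repeatedly hitting rule 2000, one IP with a single
# hit, and one IP whose two hits are hours apart (outside the window).
SAMPLE_AUDIT = """\
2025/01/04 21:00:00 203.0.113.5 51000 GET /robots.txt null 0 On OWASP_CRS/4.7.0
Message: Bad User Agent
2025/01/04 23:17:04 4.227.36.76 58982 GET /external?nick=g1n null 0 On OWASP_CRS/4.7.0
Actionset: OWASP_CRS/4.7.0
Message: Bad User Agent
Severity: 0
2025/01/04 23:18:10 4.227.36.76 58990 GET /external?nick=g1n null 0 On OWASP_CRS/4.7.0
Message: Bad User Agent
2025/01/04 23:18:11 198.51.100.7 40100 GET /login null 0 On OWASP_CRS/4.7.0
Message: Bad User Agent
2025/01/04 23:19:30 4.227.36.76 59012 GET /external?nick=g1n null 0 On OWASP_CRS/4.7.0
Message: Bad User Agent
2025/01/04 23:20:00 4.227.36.76 59020 GET /external?nick=g1n null 0 On OWASP_CRS/4.7.0
Message: Bad User Agent
2025/01/04 23:30:00 203.0.113.5 51010 GET /robots.txt null 0 On OWASP_CRS/4.7.0
Message: Bad User Agent
"""

if __name__ == "__main__":
    for cmd in plan_blocks(SAMPLE_AUDIT):
        print(cmd)
```

Running it over the sample yields a single block command for the repeat offender; the one-off hit and the two hits spread hours apart stay below the threshold, which is the point of windowing: a crawler that trips one rule once is not the same as a client hammering the WAF for minutes.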
This is better:
proxy-1:~# ./audit-log-by-ip.sh 4.227.36.76 | coraza-log-formatter -m -
2025/01/04 23:17:04 4.227.36.76 58982 GET /external?aff-HY0BLO=&f=mediaonly&f=noreplies&nick=g1n&uri=https%3A%2F%2Fthe-president-codes.linegames.org null 0 On OWASP_CRS/4.7.0
Actionset: OWASP_CRS/4.7.0
Message: Bad User Agent
Severity: 0
Raw: SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/caddy/waf/bad_user_agents.txt" "id:2000,log,phase:1,deny,msg:'Bad User Agent'"
Nice! I wrote another useful tool 👌
proxy-1:~# ./audit-log-by-ip.sh 4.227.36.76 | coraza-log-formatter -m -
Actionset: OWASP_CRS/4.7.0
Message: Bad User Agent
Severity: 0
Raw: SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/caddy/waf/bad_user_agents.txt" "id:2000,log,phase:1,deny,msg:'Bad User Agent'"
How in da fuq do you actually make these fucking useless AI bots go way?
proxy-1:~# jq '. | select(.request.remote_ip=="4.227.36.76")' /var/log/caddy/access/mills.io.log | jq -s '. | last' | caddy-log-formatter -
4.227.36.76 - [2025-01-05 04:05:43.971 +0000] "GET /external?aff-QNAXWV=&f=mediaonly&f=noreplies&nick=g1n&uri=https%3A%2F%2Fmy-hero-ultra-impact-codes.linegames.org HTTP/2.0" 0 0
proxy-1:~# date
Sun Jan 5 04:05:49 UTC 2025
😱
Done.
@lyse@lyse.isobeef.org Oh good! It works haha 🤣 I’ll bump it up a bit 👌
And now I’ve applied rate limits on every site to reasonable values 👌