Fail2ban Configuration for NGINX anomalies

Fail2ban is a really cool log analyzer (mostly) that can block IPs using several different methods (iptables, ipfw, ip route blackhole, etc.). The problem is that you have to define filters (regexes, in fact) that will trigger the ban for each service, because each one has a different way of reporting anomalies. There are not many examples given on the official wiki. On other websites I couldn’t find anything about nginx filters. Even worse, several websites report that you can use the filters defined for Apache2, which is false: they will NOT work, the logs are very different. For example, here is a trace for a non-existent requested resource: 2011/12/29 16:13:33 [error] 3212#0: *241787 open() "/opt/foo/default/admin/phpmyadmin/index.php" failed (2: No such file or directory), client: 58.19.239.205, server: , request: "GET //admin/phpmyadmin/index.php HTTP/1.1", host: "88.191.135.71" So, to be able to detect such hack attempts and block them, create a file ...(Read More)

Default behaviour in implementation of STOMP protocol in RabbitMQ with python

Why STOMP? Why STOMP, and not directly AMQP, as I’m using RabbitMQ? No real reason, except that a STOMP client has fewer dependencies, as it’s just a socket with text sent over it. Implementations There are several implementations of the STOMP protocol for Python. The module I chose is python-stomp (version 0.2.9), from Benjamin W. Smith. It’s simple and easy to understand. Simple Code Examples sto_send.py and sto_receive.py. Everything is working fine: when launching sto_receive.py, I receive the message. But when I launched several receivers, I noticed that ONLY ONE program received the message! After some research, I found the answer. As documented in the RabbitMQ wiki, the default exchange is ‘direct’: […] when messages leave a queue for a consumer, they are not duplicated. One message, sitting on a queue, is delivered to only one of the available consumers. […] If there are multiple clients, all SUBSCRIBEing ...(Read More)

Puppet: Files found in modules without specifying ‘modules’ in file path will be deprecated in the next major release

DEPRECATION NOTICE: Files found in modules without specifying ‘modules’ in file path will be deprecated in the next major release. If you get this warning in your puppet logs, you should take action (only if you don’t have any Puppet agent with a version

How to understand the ARP queries and replies fields with pypcap

I had a hard time understanding the function of each field in an ARP packet. The problem is that the fields change meaning depending on the opcode field. The two useful ones are ARP queries (what is the Ethernet address of the IP address I’m giving now?) and ARP replies (that IP address is located at this Ethernet address). So to fix this problem once and for all, I decided to write a Python script that shows the different field values when an ARP packet is captured. There are several libraries available to the pythonista to manipulate network packets. The best known is certainly pylibpcap, which is quite old now and not really object-oriented. It is more a one-to-one adaptation of the C libpcap library, which may be useful for some people. Another library is pypcap, which is like pylibpcap but much more object-oriented. pypcap includes ...(Read More)