--- Log opened Tue Apr 26 00:00:50 2022
10:17 < opendoor[m]> Hi - is there an option to disable the calendar in friendica?
10:43 < fikabot> 💬 Hello
10:43 < fikabot> 💬 Our matrix room is #friendi.ca:matrix.org
10:44 < fikabot> 💬 But what would you like to disable exactly, the tab on top where you and your network can add social events?
10:57 < fikabot> 💬 thanks for reopening.
10:58 < fikabot> 💬 Yes, first the top menu for example
11:01 < fikabot> 💬 Are you operating your own instance or are you just a user on the instance of someone else? You are using the interface built into the website, right?
11:08 < fikabot> 💬 You can find this in the config: https://github.com/friendica/friendica/blob/960d440ab6e68987892ec679c1436e5388f350a1/static/defaults.config.php#L601
11:08 < fikabot> 💬 ```
11:08 < fikabot> 💬 'theme' => [
11:08 < fikabot> 💬 // hide_eventlist (Boolean)
11:08 < fikabot> 💬 // Don't show the birthdays and events on the profile and network page.
11:09 < fikabot> 💬 'hide_eventlist' => false,
11:09 < fikabot> 💬 ```
11:36 < fikabot> 💬 And of course it would be trivial to adjust the themes themselves for it as well.
11:48 < fikabot> 💬 it's my own testing instance for now. Does hide_eventlist mean /events in the frontend?
11:58 < fikabot> 💬 I was changing defaults.config.php to 'hide_eventlist' => true and cleared the cache with the console. /events is still there. I am missing something, must read more docs.
12:17 < fikabot> 💬 `defaults.config.php` only serves as documentation
12:17 < fikabot> 💬 It's `config/local.config.php` where you need to copy it.
12:18 < fikabot> 💬 But if it still won't work there, it might already have a value, in which case you may need to change it in the config database table.
12:18 < fikabot> 💬 opendoor:
15:24 < fikabot> 💬 I think the /events page will still exist after the config change. But the events will not additionally be shown on the profile and network page.
15:28 < fikabot> 💬 By the way, I use Stylus UserCSS & ViolentMonkey UserJS managers - you can hide absolutely anything using those! 😉
15:52 < fikabot> 💬 Today I detected an increase of gremlins testing my server (port scanner, open vulnerabilities scanner)
15:52 < fikabot> 💬 Friendica is running well behind Nginx with ModSecurity Web Application Firewall. 😀
16:02 < fikabot> 💬 Hey, we're seeing a great influx of active users nowadays:
16:02 < fikabot> 💬 - https://friendica.fediverse.observer/stats
16:03 < fikabot> 💬 - https://the-federation.info/friendica
16:03 < fikabot> 💬 > <@es2543:matrix.org> Today I detected an increase of gremlins testing my server (port scanner, open vulnerabilities scanner)
16:03 < fikabot> 💬 > Friendica is running well behind Nginx with ModSecurity Web Application Firewall. 😀
16:03 < fikabot> 💬
16:03 < fikabot> 💬 See also: fail2ban
16:04 < fikabot> 💬 And I also put a rule on the web server that double checks whether they know the `Host:` correctly that also catches the majority of such probing. They seem to be probing random IP addresses without even knowing the domain name in many cases!
16:04 < fikabot> 💬 And with docker (php-fpm image) setup is easy. Simply replace the nginx container with the owasp/modsecurity-crs container and add a few lines to nginx.conf plus a small modsecurity conf file.
16:04 < fikabot> 💬 Yeah that reminds me I'm 99% sure I put fail2ban on my machine but let me check now
16:05 < fikabot> 💬 As an experiment I put a random machine up public but not linked to a DNS and it started getting random attacks relatively quickly
16:06 < fikabot> 💬 > <@bkil:grin.hu> And I also put a rule on the web server that double checks whether they know the `Host:` correctly that also catches the majority of such probing. They seem to be probing random IP addresses without even knowing the domain name in many cases!
16:06 < fikabot> 💬
16:06 < fikabot> 💬 I use CrowdSecurity instead of fail2ban. ModSecurity gives much more checks compared to fail2ban. It's really different ... IDS vs WAF.
16:07 < fikabot> 💬 > <@es2543:matrix.org> I use CrowdSecurity instead of fail2ban. ModSecurity gives much more checks compared to fail2ban. It's really different ... IDS vs WAF.
16:07 < fikabot> 💬
16:07 < fikabot> 💬 Who said you shouldn't be using security in depth?
16:07 < fikabot> 💬 Oh damn at some point Friendica started making the startup of fail2ban fail
16:07 < fikabot> 💬 "Failed during configuration: Have not found any log file for friendica jail"
16:07 < fikabot> 💬 wth does that even mean?
16:09 < fikabot> 💬 CrowdSec bouncer blocks about 200 IPs per day on the router, I also have fail2ban on the reverse proxy, blocking another 20. ModSecurity still detects another 30 per day.
16:12 < fikabot> 💬 It's mostly IP scanners, the 30 on the Friendica instance come with the correct server name ... so it's really testing Friendica for stuff the OWASP rule set detects ... SQL injection, XSS attacks, file access.
16:12 < fikabot> 💬 fixed
16:13 < fikabot> 💬 I doubt that was ever working
16:13 < fikabot> 💬 I just assumed that it was
16:13 < fikabot> 💬 now is my site still working...lol
16:13 < fikabot> 💬 yup lol
16:13 < fikabot> 💬 Take a look at CrowdSecurity. I think it's worth it.
16:14 < fikabot> 💬 > <@es2543:matrix.org> It's mostly IP scanners, the 30 on the Friendica instance come with the correct server name ... so it's really testing Friendica for stuff the OWASP rule set detects ... SQL injection, XSS attacks, file access.
16:14 < fikabot> 💬
16:14 < fikabot> 💬 Again, you should set up fail2ban so that _any_ such injection blacklists that IP
16:14 < fikabot> 💬 So you should not see many attempts for that. How often are they rotating their IP?
16:15 < fikabot> 💬 Is fail2ban not set up like that by default?
16:15 < fikabot> 💬 No
16:15 < fikabot> 💬 I think it only checks for ssh by default and such.
16:15 < fikabot> 💬 But you can add a bunch of interesting rules to trigger upon.
16:16 < fikabot> 💬 CrowdSecurity is my fail2ban replacement. It blocks everything detected by CrowdSecurity scenarios and everything detected by the ModSecurity OWASP core rule set.
16:17 < fikabot> 💬 ModSecurity is testing request and response, not log files.
16:18 < fikabot> 💬 If you are seeing these requests reaching Friendica, it is doing a lousy job.
16:18 < fikabot> 💬 And CrowdSec shares bad IPs ...
16:19 < fikabot> 💬 No, they are not getting to friendica. ModSecurity is running on the nginx on the friendica pod, in front of friendica.
16:21 < fikabot> 💬 1st line: firewall bouncer with shared IPs from CrowdSecurity. 2nd line: fail2ban on the reverse proxy. 3rd line: ModSecurity WAF and CrowdSec agent in front of Friendica.
16:22 < fikabot> 💬 They all log, so I see what attacks get blocked where.
16:44 < fikabot> 💬 > <@bkil:grin.hu> If you are seeing these requests reaching Friendica, it is doing a lousy job.
16:45 < fikabot> 💬
16:45 < fikabot> 💬 With fail2ban a lot of requests reach Friendica, where they then (hopefully) get logged, and if fail2ban detects them in the logs afterwards it blocks further requests from that IP.
16:45 < fikabot> 💬 Or a few standard errors are detected on the reverse proxy ...
16:45 < fikabot> 💬 But many attacks with requests are not logged by the application or reverse proxy or handled by fail2ban. Think of SQL injection, XSS attacks, .. those attacks are well known as the OWASP top 10.
16:45 < fikabot> 💬 ModSecurity analyses the request before it reaches the application and can block those attacks before the request reaches the application ..
16:50 < fikabot> 💬 Friendica is not a stand-alone web application server - you hook it up to apache2 or nginx. You should follow _those_ logs, not the one produced by Friendica.
16:52 < fikabot> 💬 And I believe that every web server should be shipped with routing that includes a well defined, well structured and locked down whitelist of the endpoints it is able to route, so banning everything else is easy. I do this for all services I implement.
16:52 < fikabot> 💬 It is unfortunate that routing in Friendica is implemented in a trigger-happy fashion at the moment. I.e., if a static file does not exist, it invokes PHP, reads a bunch of files and serves a bunch of requests (causing a 404 to be served within 10 seconds tops!).
16:54 < fikabot> 💬 So for such applications, I understand the benefit a web application firewall has to offer. Shared hosting providers also have these enabled and I did need to work around one such rule in the past, but thankfully it was trivial - just had to concatenate an ID and execute it via `eval`...
16:55 < fikabot> 💬 But they should catch script kiddies, and those are the ones causing the most scans I think (along with bots like shodan).
16:59 < fikabot> 💬 Actually, I think it should be trivial to generate a `.htaccess` file based on Swagger REST API specifications, but we don't have those. We might be able to reverse engineer something like that from the static endpoints list, traversing the function definitions as well and with some added comment annotations perhaps
16:59 < fikabot> 💬
16:59 < fikabot> 💬 - https://en.wikipedia.org/wiki/Swagger_(software)
16:59 < fikabot> 💬 - https://github.com/friendica/friendica/blob/develop/static/routes.config.php
17:00 < fikabot> 💬 I wonder whether such a big regexp would slow down request handling through apache2/nginx, though
17:04 < fikabot> 💬 The problem with general web application firewalls is that they are mostly _Enumerating Badness™️_ and that is not a good design.
18:48 < fikabot> 💬 - https://lwn.net/Articles/293059/
18:48 < fikabot> 💬 - http://www.ranum.com/security/computer_security/editorials/dumb/
--- Log closed Wed Apr 27 00:00:51 2022