From 1ef64cadc74e856b58499913e2496517fc0ae73c Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Tue, 14 Jul 2015 10:54:11 +0300 Subject: [PATCH 1/7] Convert all frames to string #2757 --- config/initializers/filter_parameter_logging.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb index bdc362174..41a0eef24 100644 --- a/config/initializers/filter_parameter_logging.rb +++ b/config/initializers/filter_parameter_logging.rb @@ -4,5 +4,5 @@ Rails.application.config.filter_parameters += [:password] Rails.application.config.filter_parameters << lambda do |key, value| - value.gsub!(/pw>.+<\//, 'pw>[FILTERED].+<\//, 'pw>[FILTERED] Date: Tue, 14 Jul 2015 11:04:23 +0300 Subject: [PATCH 2/7] Filter only frame and raw_frame and not parsed_frame #2757 --- config/initializers/filter_parameter_logging.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb index 41a0eef24..30327efd5 100644 --- a/config/initializers/filter_parameter_logging.rb +++ b/config/initializers/filter_parameter_logging.rb @@ -4,5 +4,5 @@ Rails.application.config.filter_parameters += [:password] Rails.application.config.filter_parameters << lambda do |key, value| - value.to_s.gsub!(/pw>.+<\//, 'pw>[FILTERED].+<\//, 'pw>[FILTERED] Date: Wed, 15 Jul 2015 12:52:04 +0300 Subject: [PATCH 3/7] Updated email whitelist, added Timo second email #2771 --- config/initializers/settings.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/config/initializers/settings.rb b/config/initializers/settings.rb index 8a222b617..f121e3816 100644 --- a/config/initializers/settings.rb +++ b/config/initializers/settings.rb @@ -1,5 +1,6 @@ TEST_EMAILS = %w( timo.vohmar@internet.ee + timo.vohmar@eestiinternet.ee rene.vahtel@internet.ee martin.mettig@internet.ee hannes.klausen@internet.ee 
From 3652c776051744dd8ed10dc8f2cb6852d9e0ad2f Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Wed, 15 Jul 2015 13:52:19 +0300 Subject: [PATCH 4/7] Fix cron job method #2784 --- app/models/domain.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/models/domain.rb b/app/models/domain.rb index e6bf2ea41..9f78327b2 100644 --- a/app/models/domain.rb +++ b/app/models/domain.rb @@ -199,7 +199,6 @@ class Domain < ActiveRecord::Base count += 1 domain.clean_pendings! end - STDOUT << "#{Time.zone.now.utc} - Successfully cancelled #{count} domain pendings\n" unless Rails.env.test? count end @@ -213,7 +212,7 @@ class Domain < ActiveRecord::Base domain.set_expired! end - STDOUT << "#{Time.zone.now.utc} - Successfully expired #{d.count} domains\n" unless Rails.env.test? + STDOUT << "#{Time.zone.now.utc} - Successfully expired #{domain.count} domains\n" unless Rails.env.test? end def start_redemption_grace_period From b083449c3b484941b7f286338226fba56b7e4108 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Wed, 15 Jul 2015 14:00:46 +0300 Subject: [PATCH 5/7] Typo fix #2784 --- app/models/domain.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/models/domain.rb b/app/models/domain.rb index 9f78327b2..9a475f7f9 100644 --- a/app/models/domain.rb +++ b/app/models/domain.rb @@ -212,7 +212,7 @@ class Domain < ActiveRecord::Base domain.set_expired! end - STDOUT << "#{Time.zone.now.utc} - Successfully expired #{domain.count} domains\n" unless Rails.env.test? + STDOUT << "#{Time.zone.now.utc} - Successfully expired #{domains.count} domains\n" unless Rails.env.test? end def start_redemption_grace_period From e7d6342bc489978ad89826e0fe93ee08752e35c2 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Thu, 16 Jul 2015 13:40:53 +0300 Subject: [PATCH 6/7] recent kernel module config and iptables rules --- doc/debian_build_doc.md | 70 +++++++++++------------------------------ 1 file changed, 18 insertions(+), 52 deletions(-) 
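Review bot: The new `#{domains.count}` in the STDOUT line is evaluated after the loop has already called `domain.set_expired!` on every record, so if `domains` is an ActiveRecord relation scoped on expiry state, `.count` issues a fresh `SELECT COUNT(*)` that may no longer reflect how many domains were actually expired, and it costs an extra query in any case. The sibling cron method in the first hunk of the previous patch tallies with `count += 1` inside its loop; mirroring that here, `expired = 0` before the loop, `expired += 1` after `domain.set_expired!`, and `#{expired}` in the message, reports what was done rather than what is left. The enclosing method starts outside the hunk, so whether `domains` is an Array or a relation cannot be confirmed from here.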
diff --git a/doc/debian_build_doc.md b/doc/debian_build_doc.md index 505e8f80a..2de7b1410 100644 --- a/doc/debian_build_doc.md +++ b/doc/debian_build_doc.md @@ -9,7 +9,7 @@ however officially Debian 7 is supported and tested. * Consider using [RBENV](https://github.com/sstephenson/rbenv) * Compile requried [ruby version](https://github.com/internetee/registry/blob/master/.ruby-version) * [Phusion passenger](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html) -* [Postgresql](http://www.postgresql.org/docs/) +* [Postgresql](http://www.postgresql.org/docs/) (requires postgresql-contrib package) Registry application is not tested with multi-threaded system (such as Puma) and it's not officially supported. Please use multi-process system instead (Passenger, Unicorn, Mongrel) @@ -43,11 +43,11 @@ Please install following lib, otherwise your bundler install might not be succes ### Firewall rate limit config First increase the maximum possible value form 20 to 100 of the hitcount parameter. -ip_pkt_list_tot of the xt_recent kernel module. +ip_pkt_list_tot of the xt_recent kernel module. Secondly change /proc/xt_recent/ permissions so, epp user can modify the tables. This can be done by creating an ip_pkt_list_tot.conf file in /etc/modeprobe.d/ which contains: ```` -options xt_recent ip_pkt_list_tot=100 +options xt_recent ip_pkt_list_tot=100 ip_list_uid=eppuseruid ip_list_gid=eppusergid ```` Once the file is created, reload the xt_recent kernel module via modprobe -r xt_recent && modprobe xt_recent or reboot the system. 
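Review bot: The added `ip_list_uid=eppuseruid ip_list_gid=eppusergid` module options hand ownership of every list the xt_recent module creates to the EPP application user, not only the per-registrar lists the application updates, so a compromised application process can flush the `whois`, `repp` and `rwhois` lists (`echo / > /proc/net/xt_recent/whois`) or add arbitrary addresses to them (`echo +a.b.c.d > /proc/net/xt_recent/whois`) and thereby disable or weaponise the rate limiting of the other services on the host. The document should state this trade-off, e.g. `Note: ip_list_uid/ip_list_gid apply to all xt_recent lists on this host, including the whois and web ones, so the EPP user can reset or poison them.` The same added sentence gives the path as `/proc/xt_recent/`, but the lists live under `/proc/net/xt_recent/` (the chown example removed later in this patch uses the correct path). It is also worth saying that the two options expect numeric ids (`id -u epp`, `id -g epp`), which the `eppuseruid`/`eppusergid` placeholders only hint at.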
@@ -56,69 +56,35 @@ Once the file is created, reload the xt_recent kernel module via modprobe -r xt_ ```` #!/bin/bash -# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/ -IPT=/sbin/iptables -# Max connection in seconds -SECONDS=60 -# Max connections per IP -BLOCKCOUNT=100 -# default action can be DROP or REJECT or something else. -DACTION="REJECT" -$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set -$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} +iptables -A INPUT -p tcp --dport 443 -m recent --name repp --rcheck --seconds 60 --hitcount 25 -j DROP +iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --set --rsource --name repp -j ACCEPT +iptables -A INPUT -p tcp --dport 443 -m recent --name rwhois --rcheck --seconds 60 --hitcount 25 -j DROP +iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --rsource --name rwhois -j ACCEPT + ```` #### Whois ```` #!/bin/bash -# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/ -IPT=/sbin/iptables -# Max connection in seconds -SECONDS=60 -# Max connections per IP -BLOCKCOUNT=100 -# default action can be DROP or REJECT or something else. 
-DACTION="REJECT" -$IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --set -$IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} +iptables -A INPUT -p tcp --dport 43 -m recent --name whois --rsource --rcheck --seconds 60 --hitcount 25 -j LOG --log-prefix "whois limit: " --log-level warning +iptables -A INPUT -p tcp --dport 43 -m recent --name whois --rsource --rcheck --seconds 60 --hitcount 25 -j REJECT +iptables -A INPUT -p tcp --dport 43 -m recent --set --rsource --name whois -j ACCEPT + ```` #### EPP -Iptables hitcounter is updated by application. +Iptables hitcounter is updated by application. For every registrar there is one recent table, where the request counters are stored, registrar handles and sources ips are "connected" with iptables rules. ```` #!/bin/bash -# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/ -IPT=/sbin/iptables -# Registrar handler -REGISTRAR_CODE="test" -# Max connection in seconds -SECONDS=60 -# Max connections per IP -BLOCKCOUNT=100 -# Source specification. Address can be either a network name, a hostname, a network IP address -# (with /mask), or a plain IP address. Hostnames will be resolved once only, before the rule -# is submitted to the kernel. Please note that specifying any name to be resolved with -# a remote query such as DNS is a really bad idea. The mask can be either a network mask or -# a plain number, specifying the number of 1's at the left side of the network mask. -# Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before -# the address specification inverts the sense of the address. -# The flag --src is an alias for this option. Multiple addresses can be specified, -# but this will expand to multiple rules (when adding with -A), -# or will cause multiple rules to be deleted (with -D). 
-REGISTRAR_HANDLE_SOURCE="x.x.x.x" -# default action can be DROP or REJECT or something else. -DACTION="REJECT" -$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --set -$IPT -A INPUT -p tcp --dport 700 -s $REGISTRAR_HANDLE_SOURCE -m recent --name $REGISTRAR_CODE --rdest --rcheck --hitcount ${BLOCKCOUNT} --seconds ${SECONDS} -j ${DACTION} -```` -After adding iptable counters, please add correct permissions to proc files at path /proc/net/xt_recent +iptables -A INPUT -p tcp --dport 700 -s $REGISTRAR_SOURCE -m recent --name $REGISTRAR_CODE --rdest --rcheck --hitcount 100 --seconds 60 -j DROP +iptables -A INPUT -p tcp --dport 700 -s $REGISTRAR_SOURCE2 -m recent --name $REGISTRAR_CODE --rdest --rcheck --hitcount 100 --seconds 60 -j DROP +iptables -A INPUT -p tcp --dport 700 -s $REGISTRAR2_SOURCE -m recent --name $REGISTRAR2_CODE --rdest --rcheck --hitcount 100 --seconds 60 -j DROP +iptables -A INPUT -p tcp --dport 700 -s $REGISTRAR2_SOURCE2 -m recent --name $REGISTRAR2_CODE --rdest --rcheck --hitcount 100 --seconds 60 -j DROP -Example command: ```` -sudo chown registry /proc/net/xt_recent/* -```` + From 28f7146c532033dfed4520125ae405d6d1a37945 Mon Sep 17 00:00:00 2001 From: Georg Kahest Date: Thu, 16 Jul 2015 13:44:39 +0300 Subject: [PATCH 7/7] typo fix --- doc/debian_build_doc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/debian_build_doc.md b/doc/debian_build_doc.md index 2de7b1410..5ee934097 100644 --- a/doc/debian_build_doc.md +++ b/doc/debian_build_doc.md 
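Review bot: The new whois `--set` rule, `iptables -A INPUT -p tcp --dport 43 -m recent --set --rsource --name whois -j ACCEPT`, has no `-m state --state NEW`, so every packet of an established whois session (ACKs, data segments, FIN) adds a hit, and with `--hitcount 25 --seconds 60` on the preceding LOG/REJECT rules a client sending a handful of queries per minute, or even one long response, gets rejected mid-session; the repp rule in this same hunk and the rules this patch removes both restrict `--set` to new connections. Change it to `iptables -A INPUT -p tcp --dport 43 -m state --state NEW -m recent --set --rsource --name whois -j ACCEPT`. The EPP block now references `$REGISTRAR_SOURCE`, `$REGISTRAR_SOURCE2`, `$REGISTRAR_CODE` and `$REGISTRAR2_*` without defining them, whereas the removed script assigned `REGISTRAR_CODE` and the source address, so a reader copying the snippet ends up with rules whose `-s` is empty; a comment such as `# set REGISTRAR_CODE / REGISTRAR_SOURCE per registrar before running` or example assignments would fix that. Note too that `--hitcount 100` in the EPP rules equals the `ip_pkt_list_tot=100` configured above and the kernel rejects a hitcount larger than the list size, so the two values must be kept in step.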
@@ -58,7 +58,7 @@ Once the file is created, reload the xt_recent kernel module via modprobe -r xt_ #!/bin/bash iptables -A INPUT -p tcp --dport 443 -m recent --name repp --rcheck --seconds 60 --hitcount 25 -j DROP iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --set --rsource --name repp -j ACCEPT -iptables -A INPUT -p tcp --dport 443 -m recent --name rwhois --rcheck --seconds 60 --hitcount 25 -j DROP +iptables -A INPUT -p tcp --dport 80 -m recent --name rwhois --rcheck --seconds 60 --hitcount 25 -j DROP iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --rsource --name rwhois -j ACCEPT ````