Issue5332

Title www.hep.wisc.edu and the dasu account
Priority urgent Status chatting
Superseder Nosy List ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith
Assigned To Topic Web
Group IT

Created 2008.06.30 19:50 by rader.
Last changed 2008.07.03 10:22 by wcmaier.

Files
File name Uploaded Type
smime.p7s dasu, 2008.07.01 00:29 application/pkcs7-signature
Messages
msg14451 From: wcmaier To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.03 10:22
On Tue, Jul 01, 2008 at 11:31:12AM -0500, Will Maier via UW-HEP Help System wrote:
> Dan's been surveying directories with condor-hosts ACLs. In addition
> to that, it would be nice to move away from using the wildcard '0'
> in the pts group. One option would be to automatically generate the
> membership for the condor-hosts group based on the output of
> condor_status. This is certainly doable from a Condor perspective.
> 
> Steve: would adding 2000 < N < 5000 pts entries be a Bad Thing?

Any thoughts on this?

-- 

o--------------------------{ Will Maier }--------------------------o
| jabber:...wcmaier@xmpp.lfod.us | email:..will.maier@hep.wisc.edu |
| office:...........608.263.9692 | cell:..............608.438.6162 |
*--------------------[ UW High Energy Physics ]--------------------*
msg14450 From: wcmaier To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.03 10:20
On Wed, Jul 02, 2008 at 08:34:26AM -0500, Will Maier via UW-HEP Help System wrote:
> Bah; I should've looked first. It doesn't seem like our httpd was
> compiled with libwrap support. Unless we want to fire up iptables, I
> guess we should leave it as-is for now.
> 
> If the logging becomes a problem again, the following in httpd.conf
> might help:
> 
>     SetEnvIf Request_URI "^/dasu/rootFiles$" dontlog
>     CustomLog logs/access_log common env=!dontlog

For now, I've simply added /var/log/httpd/*log to the nightly
logrotate (which had been ignoring the httpd logs for some reason). 

-- 

o--------------------------{ Will Maier }--------------------------o
| jabber:...wcmaier@xmpp.lfod.us | email:..will.maier@hep.wisc.edu |
| office:...........608.263.9692 | cell:..............608.438.6162 |
*--------------------[ UW High Energy Physics ]--------------------*
msg14435 From: wcmaier To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.02 08:34
On Wed, Jul 02, 2008 at 08:13:33AM -0500, rader@hep.wisc.edu wrote:
>  > ---- Original Message ----
>  > From: Will Maier via UW-HEP Help System <help@hep.wisc.edu>
>  > These two account for 99.5% of the recent bad traffic:
>  > 
>  >     216.104.34.62
>  >     206.225.81.178
>  > 
>  > Shall I add those to /etc/hosts.deny?
> 
> Yes, please.

Bah; I should've looked first. It doesn't seem like our httpd was
compiled with libwrap support. Unless we want to fire up iptables, I
guess we should leave it as-is for now.

If the logging becomes a problem again, the following in httpd.conf
might help:

    SetEnvIf Request_URI "^/dasu/rootFiles$" dontlog
    CustomLog logs/access_log common env=!dontlog

-- 

o--------------------------{ Will Maier }--------------------------o
| jabber:...wcmaier@xmpp.lfod.us | email:..will.maier@hep.wisc.edu |
| office:...........608.263.9692 | cell:..............608.438.6162 |
*--------------------[ UW High Energy Physics ]--------------------*
msg14434 From: rader To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.02 08:21
> ---- Original Message ----
 > From: Will Maier via UW-HEP Help System <help@hep.wisc.edu>
 > 
 > On Mon, Jun 30, 2008 at 07:50:19PM -0500, Steve Rader via UW-HEP Help System wrote:
 > > I guess we're okay now, but we should be aware that it seems
 > > there's somebody out there who understands AFS and is using loose
 > > ACLs to "own" us.
 > 
 > This is ongoing; we're still seeing numerous hosts GETing
 > http://www.hep.wisc.edu/dasu/rootFiles/, though they're getting 404s
 > now that Steve's removed it. The traffic caused Apache to nearly
 > fill the root disk with log events. I rotated and bzip2ed the log
 > files, but it might be prudent to block the most egregious IPs.
 > 
 > These two account for 99.5% of the recent bad traffic:
 > 
 >     216.104.34.62
 >     206.225.81.178
 > 
 > Shall I add those to /etc/hosts.deny?

Yes, please.

steve
--
msg14433 From: wcmaier To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.02 07:38
On Mon, Jun 30, 2008 at 07:50:19PM -0500, Steve Rader via UW-HEP Help System wrote:
> I guess we're okay now, but we should be aware that it seems
> there's somebody out there who understands AFS and is using loose
> ACLs to "own" us.

This is ongoing; we're still seeing numerous hosts GETing
http://www.hep.wisc.edu/dasu/rootFiles/, though they're getting 404s
now that Steve's removed it. The traffic caused Apache to nearly
fill the root disk with log events. I rotated and bzip2ed the log
files, but it might be prudent to block the most egregious IPs.

These two account for 99.5% of the recent bad traffic:

    216.104.34.62
    206.225.81.178

Shall I add those to /etc/hosts.deny?

-- 

o--------------------------{ Will Maier }--------------------------o
| jabber:...wcmaier@xmpp.lfod.us | email:..will.maier@hep.wisc.edu |
| office:...........608.263.9692 | cell:..............608.438.6162 |
*--------------------[ UW High Energy Physics ]--------------------*
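Picking out the two addresses above means counting hits in the Apache access log by client. The following is an added example, not code from this thread: a Python script that parses common-log-format lines, tallies requests under the removed /dasu/rootFiles path per client, separates the 404s (the dead-link traffic Will describes), and lists the fewest clients that account for a chosen share of the hits. The log lines are constructed, using RFC 5737 documentation addresses rather than the hosts named in the thread, and the path prefix and share threshold are assumptions.

```python
import re
from collections import Counter

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from the real server); the addresses are
# RFC 5737 documentation ranges, not the hosts named in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jul/2008:07:00:01 -0500] "GET /dasu/rootFiles/a/1.html HTTP/1.1" 404 291
192.0.2.10 - - [02/Jul/2008:07:00:02 -0500] "GET /dasu/rootFiles/b/2.html HTTP/1.1" 404 291
198.51.100.7 - - [02/Jul/2008:07:00:03 -0500] "GET /dasu/rootFiles/ HTTP/1.0" 404 291
192.0.2.10 - - [02/Jul/2008:07:00:04 -0500] "GET /dasu/rootFiles/c/3.html HTTP/1.1" 404 291
203.0.113.5 - - [02/Jul/2008:07:00:05 -0500] "GET /index.html HTTP/1.1" 200 5120
this line is not a valid log entry
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text, path_prefix="/dasu/rootFiles"):
    """Count requests under path_prefix per client, plus how many of them were 404s."""
    per_client = Counter()
    not_found = Counter()
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue  # unparsable line or unrelated traffic
        total += 1
        per_client[rec["host"]] += 1
        if rec["status"] == "404":
            not_found[rec["host"]] += 1
    return total, per_client, not_found


def top_clients(log_text, path_prefix="/dasu/rootFiles", share=0.9):
    """[(host, count, fraction)] for the fewest clients that cover `share` of the hits."""
    total, per_client, _ = summarize(log_text, path_prefix)
    if total == 0:
        return []
    picked, covered = [], 0
    for host, n in per_client.most_common():
        picked.append((host, n, n / total))
        covered += n
        if covered / total >= share:
            break
    return picked


if __name__ == "__main__":
    total, per_client, not_found = summarize(SAMPLE_LOG)
    print(f"{total} requests under /dasu/rootFiles")
    for host, n, frac in top_clients(SAMPLE_LOG):
        print(f"{host:16} {n:5d}  {frac:6.1%}  404s={not_found[host]}")
```

Run it on a real file with summarize(open(path).read()). As the thread notes later, /etc/hosts.deny only takes effect when httpd was built with libwrap, so the counts from a script like this are what you would hand to a firewall rule, or use to justify the SetEnvIf dontlog rule, so that the log volume cannot fill the root disk again.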
msg14426 From: wcmaier To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.01 11:31
On Tue, Jul 01, 2008 at 09:49:32AM -0500, Dan Bradley via UW-HEP Help System wrote:
> Yes.  I think we should do a search for all cases where this ACL
> is being used.  I bet we can narrow down the range of allowed
> hosts in most or all cases.  We have been encouraging people to
> use condor file transfers to local scratch directories for a long
> time now, so I doubt there are a lot of legitimate needs for
> condor-hosts anymore.

Dan's been surveying directories with condor-hosts ACLs. In addition
to that, it would be nice to move away from using the wildcard '0'
in the pts group. One option would be to automatically generate the
membership for the condor-hosts group based on the output of
condor_status. This is certainly doable from a Condor perspective.

Steve: would adding 2000 < N < 5000 pts entries be a Bad Thing?

-- 

o--------------------------{ Will Maier }--------------------------o
| jabber:...wcmaier@xmpp.lfod.us | email:..will.maier@hep.wisc.edu |
| office:...........608.263.9692 | cell:..............608.438.6162 |
*--------------------[ UW High Energy Physics ]--------------------*
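As an added example, not code from this thread or from Condor or AFS, here is how the membership generation Will proposes could be planned in Python: read the machines Condor knows about (assumed to come from condor_status printing Machine and MyAddress per machine, as modern HTCondor's condor_status -af Machine MyAddress does; a constructed sample is embedded), read the current group from pts membership output (also constructed), and produce the pts commands that would make the group match exactly, always scheduling the network wildcard entries (the bare 0 and any x.y.z.0 entry) for removal. The commands are only printed for review; the group name and every address are placeholders.

```python
import re

# Condor's MyAddress attribute looks like <ip:port>; capture the ip.
ADDR_RE = re.compile(r"<(\d{1,3}(?:\.\d{1,3}){3}):\d+")

# Constructed sample of `condor_status -af Machine MyAddress` (assumed
# invocation); hosts and addresses are RFC 5737 documentation values.
SAMPLE_CONDOR_STATUS = """\
node01.example.edu <192.0.2.11:9618>
node02.example.edu <192.0.2.12:9618>
node02.example.edu <192.0.2.12:9618>
node03.example.edu <198.51.100.20:9618>
"""

# Constructed sample of `pts membership condor-hosts` output.
SAMPLE_PTS_MEMBERSHIP = """\
Members of condor-hosts (id: -205) are:
  0
  192.0.2.0
  192.0.2.11
  203.0.113.9
"""


def is_wildcard(entry):
    """AFS host entries ending in .0 (and the bare '0') match whole networks."""
    return entry == "0" or entry.endswith(".0")


def desired_hosts(condor_status_text):
    """IPs of every machine Condor currently reports (duplicate slots collapse)."""
    ips = set()
    for line in condor_status_text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            ips.add(m.group(1))
    return ips


def current_members(pts_text):
    """Parse `pts membership` output: a header line, then one member per line."""
    return {l.strip() for l in pts_text.splitlines()[1:] if l.strip()}


def plan_changes(desired, current):
    """(to_add, to_remove) so that the group equals `desired` exactly;
    wildcard entries are scheduled for removal even if nothing replaces them."""
    to_add = sorted(desired - current)
    to_remove = sorted(e for e in current if e not in desired or is_wildcard(e))
    return to_add, to_remove


def pts_commands(to_add, to_remove, group="condor-hosts"):
    """Dry run: the pts commands an admin would review before running them."""
    cmds = []
    for ip in to_add:
        cmds.append(f"pts createuser {ip}")  # an IP host entry must exist first
        cmds.append(f"pts adduser {ip} {group}")
    cmds += [f"pts removeuser {e} {group}" for e in to_remove]
    return cmds


if __name__ == "__main__":
    desired = desired_hosts(SAMPLE_CONDOR_STATUS)
    current = current_members(SAMPLE_PTS_MEMBERSHIP)
    add, remove = plan_changes(desired, current)
    print(f"resulting group size: {len(desired)} entries")
    for cmd in pts_commands(add, remove):
        print(cmd)
```

The group size printed at the end is the N Will asks Steve about. IP host entries have to exist in the protection database before they can be added to a group, which is why each addition is preceded by pts createuser; it fails if the entry already exists, which a reviewer can ignore.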
msg14425 From: dan To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.01 09:49
Steve Rader via UW-HEP Help System wrote:
>> The condor-hosts ACL does include the web server.  It is just this:
>>     
>  > 
>  >   128.104.28.0
>  >   128.104.29.0
>  >   128.105.0.0
>  >   198.51.254.0
>  >   198.51.255.0
>  >   128.104.3.0
>  >   128.104.202.0
>  >   128.104.32.0
>  >   144.92.101.0
>  >   144.92.180.0
>  >   144.92.181.0
>  >   144.92.182.0
>  >   144.92.183.0
>  >   128.104.55.0
>
> "just"??  That's potentially over 3500 systems!

Yes.  I think we should do a search for all cases where this ACL is 
being used.  I bet we can narrow down the range of allowed hosts in most 
or all cases.  We have been encouraging people to use condor file 
transfers to local scratch directories for a long time now, so I doubt 
there are a lot of legitimate needs for condor-hosts anymore.

>  
>
> Access to the web server is very tight.  The RW access only
> matters if you all have some cgi-kinda-thing that allows uploads?
>   

I'm not aware of any web-accessible scripts used by us that would allow 
uploads.  However, we should review what's there and remove anything 
that is not needed.

--Dan
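Dan's search for every directory that grants condor-hosts access can be automated with fs listacl, which reports one ACL per directory. The following Python is an added example, not the group's own tooling: it parses fs listacl output, computes each entry's effective rights (normal rights minus negative rights), and reports the directories where a watched entry such as condor-hosts or system:anyuser holds a write-class right (insert, delete, write or administer). The three listings are constructed with placeholder paths; survey() runs fs listacl for real and only works on an AFS client with tokens.

```python
import os
import re
import subprocess

# AFS rights letters: r(ead) l(ookup) i(nsert) d(elete) w(rite) (loc)k a(dminister).
# Anything in "idwa" lets the holder change directory contents or the ACL itself.
AFS_WRITE_BITS = set("idwa")
ACL_LINE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<rights>[rlidwka]+)\s*$")

# Constructed `fs listacl` output for three hypothetical directories; the
# paths are placeholders, not the thread's real ACLs.
SAMPLE_LISTINGS = {
    "/afs/example.edu/cms/data/rootFiles": """\
Access list for /afs/example.edu/cms/data/rootFiles is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  condor-hosts rlidwk
""",
    "/afs/example.edu/home/someone/www": """\
Access list for /afs/example.edu/home/someone/www is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  condor-hosts rl
""",
    "/afs/example.edu/scratch": """\
Access list for /afs/example.edu/scratch is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
  condor-hosts rlidwk
Negative rights:
  condor-hosts idwk
""",
}


def parse_listacl(text):
    """Parse `fs listacl DIR` output into {"normal": {name: rights}, "negative": {...}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("Normal rights:"):
            section = "normal"
        elif line.startswith("Negative rights:"):
            section = "negative"
        elif section:
            m = ACL_LINE_RE.match(line)
            if m:
                acl[section][m.group("name")] = set(m.group("rights"))
    return acl


def writers(acl):
    """Entries with effective write-class rights (normal minus negative), in AFS letter order."""
    found = {}
    for name, rights in acl["normal"].items():
        effective = (rights - acl["negative"].get(name, set())) & AFS_WRITE_BITS
        if effective:
            found[name] = "".join(b for b in "rlidwka" if b in effective)
    return found


def audit(listings, watch=("condor-hosts", "system:anyuser")):
    """(path, entry, write bits) for every watched entry that can write to a directory."""
    findings = []
    for path, text in listings.items():
        for name, bits in writers(parse_listacl(text)).items():
            if name in watch:
                findings.append((path, name, bits))
    return findings


def run_listacl(path):
    """Ask the AFS client for one directory's ACL (needs `fs` and AFS tokens)."""
    return subprocess.run(["fs", "listacl", path], capture_output=True,
                          text=True, check=True).stdout


def survey(root, watch=("condor-hosts", "system:anyuser")):
    """Walk a tree and audit every directory: AFS ACLs are per directory, not per file."""
    listings = {d: run_listacl(d) for d, _, _ in os.walk(root)}
    return audit(listings, watch)


if __name__ == "__main__":
    for path, name, bits in audit(SAMPLE_LISTINGS):
        print(f"{path}: {name} has {bits}")
```

A hit on system:anyuser is the more urgent kind of finding, since it needs no Condor host at all; a hit on condor-hosts is the case Dan describes, where the allowed range can usually be narrowed or the write bits dropped once the job uses Condor file transfer instead.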
msg14424 From: rader To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.01 08:49
> The condor-hosts ACL does include the web server.  It is just this:
 > 
 >   128.104.28.0
 >   128.104.29.0
 >   128.105.0.0
 >   198.51.254.0
 >   198.51.255.0
 >   128.104.3.0
 >   128.104.202.0
 >   128.104.32.0
 >   144.92.101.0
 >   144.92.180.0
 >   144.92.181.0
 >   144.92.182.0
 >   144.92.183.0
 >   128.104.55.0

"just"??  That's potentially over 3500 systems! 

Access to the web server is very tight.  The RW access only
matters if you all have some cgi-kinda-thing that allows uploads?

steve
--
msg14423 From: rader To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.01 08:43
> This is quite disturbing.  The loose ACLs (i.e., free write access to
> all nodes in condor-hosts) were set because we are using that method
> for a shared file system across multiple DNs of GLOW.  I put those
> directories on web for convenience long ago but I don't really need
> them now.  Your removing the link is just fine. It appears to me that
> the "attack" is from one of the condor-hosts as I believe we don't let
> the web server post files to our directories, do we?

No, we don't directly allow uploading files.

We are not the only group to have loose AFS ACLs exploited, btw.

steve
--
msg14422 From: wsmith To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.01 08:37
Dear Dan:
Could we remove the web-server? What would be the consequence?
Regards,
Wesley

On Jul 1, 2008, at 3:34 PM, Dan Bradley via UW-HEP Help System wrote:

>
> The condor-hosts ACL does include the web server.  It is just this:
>
>  128.104.28.0
>  128.104.29.0
>  128.105.0.0
>  198.51.254.0
>  198.51.255.0
>  128.104.3.0
>  128.104.202.0
>  128.104.32.0
>  144.92.101.0
>  144.92.180.0
>  144.92.181.0
>  144.92.182.0
>  144.92.183.0
>  128.104.55.0
>
> --Dan
>
> Sridhara Dasu via UW-HEP Help System wrote:
>> Dear Steve,
>>
>> This is quite disturbing.  The loose ACLs (i.e., free write access to
>> all nodes in condor-hosts) were set because we are using that method
>> for a shared file system across multiple DNs of GLOW.  I put those
>> directories on web for convenience long ago but I don't really need
>> them now.  Your removing the link is just fine. It appears to me that
>> the "attack" is from one of the condor-hosts as I believe we don't let
>> the web server post files to our directories, do we?
>>
>> Regards,
>> Sridhara
>>
>> ---------------------------------------------------------------------
>> Prof. Sridhara Rao Dasu                         Department of Physics
>> dasu@hep.wisc.edu                             University of Wisconsin
>> http://www.hep.wisc.edu/~dasu                    4289 Chamberlin Hall
>> 608-262-3678 ( Office )                        1150 University Avenue
>> 408-829-6625 (Wireless)                        Madison, WI 53706, USA
>>
>>
>> On Jun 30, 2008, at 5:50 PM, rader@hep.wisc.edu wrote:
>>
>>
>>> It happened again--the cause was: the index.html I created
>>> *disappeared*!
>>>
>>> It appears the person abusing our system has exploited the
>>> ACLs on /afs/hep.wisc.edu/cms/data/rootFiles.
>>>
>>> Since /afs/hep/home/dasu/www/rootFiles was a symlink to the
>>> directory above, I just removed it (the symlink.)  The
>>> loadave and the server are okay now.
>>>
>>> On a lark, I checked for "viagra" in the logs and,
>>> alas, found that we served up various URLs of the form
>>> http://www.hep.wisc.edu//dasu/rootFiles/*/viagra about 1500
>>> times during the last 32 days.
>>>
>>> I guess we're okay now, but we should be aware that it seems
>>> there's somebody out there who understands AFS and is
>>> using loose ACLs to "own" us.
>>>
>>> steve
>>> --
>>>
>>
>> ----------
>> status: unread -> chatting
>>
>> ______________________________________
>> UW-HEP Help System <help@hep.wisc.edu>
>> <https://help.hep.wisc.edu/issue5332>
>> ______________________________________
>
> ______________________________________
> UW-HEP Help System <help@hep.wisc.edu>
> <https://help.hep.wisc.edu/issue5332>
> ______________________________________

=====================================================================
| Prof. Wesley H.Smith | Ph: 608-262-4690 or 2281, Fax:608-263-0800 |
| High Energy Physics  | Physics Dept., University of Wisconsin     |
| 4275 Chamberlin Hall | 1150 University Ave.,Madison WI 53706-1390 |
| wsmith@hep.wisc.edu  | http://hep.wisc.edu/wsmith/                |
=====================================================================
msg14421 From: dan To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.01 08:34
The condor-hosts ACL does include the web server.  It is just this:

  128.104.28.0
  128.104.29.0
  128.105.0.0
  198.51.254.0
  198.51.255.0
  128.104.3.0
  128.104.202.0
  128.104.32.0
  144.92.101.0
  144.92.180.0
  144.92.181.0
  144.92.182.0
  144.92.183.0
  128.104.55.0

--Dan

Sridhara Dasu via UW-HEP Help System wrote:
> Dear Steve,
>
> This is quite disturbing.  The loose ACLs (i.e., free write access to
> all nodes in condor-hosts) were set because we are using that method
> for a shared file system across multiple DNs of GLOW.  I put those
> directories on web for convenience long ago but I don't really need
> them now.  Your removing the link is just fine. It appears to me that
> the "attack" is from one of the condor-hosts as I believe we don't let
> the web server post files to our directories, do we?
>
> Regards,
> Sridhara
>
> ---------------------------------------------------------------------
> Prof. Sridhara Rao Dasu                         Department of Physics
> dasu@hep.wisc.edu                             University of Wisconsin
> http://www.hep.wisc.edu/~dasu                    4289 Chamberlin Hall
> 608-262-3678 ( Office )                        1150 University Avenue
> 408-829-6625 (Wireless)                        Madison, WI 53706, USA
>
>
> On Jun 30, 2008, at 5:50 PM, rader@hep.wisc.edu wrote:
>
>   
>> It happened again--the cause was: the index.html I created
>> *disappeared*!
>>
>> It appears the person abusing our system has exploited the
>> ACLs on /afs/hep.wisc.edu/cms/data/rootFiles.
>>
>> Since /afs/hep/home/dasu/www/rootFiles was a symlink to the
>> directory above, I just removed it (the symlink.)  The
>> loadave and the server are okay now.
>>
>> On a lark, I checked for "viagra" in the logs and,
>> alas, found that we served up various URLs of the form
>> http://www.hep.wisc.edu//dasu/rootFiles/*/viagra about 1500
>> times during the last 32 days.
>>
>> I guess we're okay now, but we should be aware that it seems
>> there's somebody out there who understands AFS and is
>> using loose ACLs to "own" us.
>>
>> steve
>> --
>>     
>
> ----------
> status: unread -> chatting
>
> ______________________________________
> UW-HEP Help System <help@hep.wisc.edu>
> <https://help.hep.wisc.edu/issue5332>
> ______________________________________
msg14420 From: dasu To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.07.01 00:29
Dear Steve,

This is quite disturbing.  The loose ACLs (i.e., free write access to
all nodes in condor-hosts) were set because we are using that method
for a shared file system across multiple DNs of GLOW.  I put those
directories on web for convenience long ago but I don't really need
them now.  Your removing the link is just fine. It appears to me that
the "attack" is from one of the condor-hosts as I believe we don't let
the web server post files to our directories, do we?

Regards,
Sridhara

---------------------------------------------------------------------
Prof. Sridhara Rao Dasu                         Department of Physics
dasu@hep.wisc.edu                             University of Wisconsin
http://www.hep.wisc.edu/~dasu                    4289 Chamberlin Hall
608-262-3678 ( Office )                        1150 University Avenue
408-829-6625 (Wireless)                        Madison, WI 53706, USA


On Jun 30, 2008, at 5:50 PM, rader@hep.wisc.edu wrote:

>
> It happened again--the cause was: the index.html I created
> *disappeared*!
>
> It appears the person abusing our system has exploited the
> ACLs on /afs/hep.wisc.edu/cms/data/rootFiles.
>
> Since /afs/hep/home/dasu/www/rootFiles was a symlink to the
> directory above, I just removed it (the symlink.)  The
> loadave and the server are okay now.
>
> On a lark, I checked for "viagra" in the logs and,
> alas, found that we served up various URLs of the form
> http://www.hep.wisc.edu//dasu/rootFiles/*/viagra about 1500
> times during the last 32 days.
>
> I guess we're okay now, but we should be aware that it seems
> there's somebody out there who understands AFS and is
> using loose ACLs to "own" us.
>
> steve
> --
msg14419 From: rader To: ajit, dan, dasu, help, rader, radtke, wcmaier, wsmith Date: 2008.06.30 19:50
It happened again--the cause was: the index.html I created 
*disappeared*!

It appears the person abusing our system has exploited the 
ACLs on /afs/hep.wisc.edu/cms/data/rootFiles.

Since /afs/hep/home/dasu/www/rootFiles was a symlink to the
directory above, I just removed it (the symlink.)  The
loadave and the server are okay now.

On a lark, I checked for "viagra" in the logs and,
alas, found that we served up various URLs of the form
http://www.hep.wisc.edu//dasu/rootFiles/*/viagra about 1500
times during the last 32 days.

I guess we're okay now, but we should be aware that it seems
there's somebody out there who understands AFS and is
using loose ACLs to "own" us.

steve
--
History
Date                 User     Action  Args
2008-07-03 10:22:03  wcmaier  set     status: resolved -> chatting; messages: + msg14451
2008-07-03 10:20:10  wcmaier  set     status: chatting -> resolved; messages: + msg14450
2008-07-02 08:34:26  wcmaier  set     messages: + msg14435
2008-07-02 08:21:02  rader    set     messages: + msg14434
2008-07-02 07:38:21  wcmaier  set     messages: + msg14433
2008-07-01 11:31:12  wcmaier  set     messages: + msg14426
2008-07-01 09:49:32  dan      set     messages: + msg14425
2008-07-01 08:49:38  rader    set     messages: + msg14424
2008-07-01 08:46:21  wcmaier  set     priority: triage -> urgent; topic: + Web; assignedto: rader
2008-07-01 08:43:09  rader    set     messages: + msg14423
2008-07-01 08:37:07  wsmith   set     messages: + msg14422
2008-07-01 08:34:24  dan      set     messages: + msg14421
2008-07-01 00:29:31  dasu     set     files: + smime.p7s; status: unread -> chatting; messages: + msg14420
2008-06-30 19:50:19  rader    create