Time Nick Message 18:28 pdurbin semiosis: do you front your Java app servers with anything? Apache or Nginx or whatever? 18:29 semiosis our old system (which will be shutdown in a couple weeks!) was a hodgepodge of java & php blended together with a lot of apache wizardry 18:29 semiosis our new system is cleanly separated into rest api servers running tomcat and php web servers running apache 18:30 pdurbin so do you front tomcat with anything? or do you just run tomcat on port 8080 18:30 semiosis amazon elastic load balancer to tomcat 8080 18:30 pdurbin hmm. ok 18:30 * pdurbin is being driven crazy by a session bug 18:31 semiosis ewwww, state 18:31 pdurbin cookies. jsessionid 19:55 semiosis i remember that stuff looking unnecessarily complicated in tomcat 19:55 semiosis tomcat clustering iirc 19:56 hydrajump working on bringing up a new bastion host, because old one is not maintained in a long time. 19:56 semiosis whereas with php all one needs to do is set the memcache or redis server address and it's done 19:56 bear yea, I always reached for glassfish when confronted with a java clustering urge 19:56 hydrajump Any advice for fail2ban vs sshguard? 19:57 semiosis hydrajump: are those still necessary when password login is disabled? 19:58 bear iptables and password disabled is preferred 19:58 bear fail2ban or sshguard is nice only if your scanning the logs for ips that are doing bad things and comparing them to other events 21:14 hydrajump semiosis: I think so to prevent lots of attempts at trying to brute force. 21:15 semiosis maybe i'm being naive but i'm not worried about brute force attempts against 2048+ bit keys 21:15 hydrajump yeah that's true I don't think they are likely to gain access. I would think you still want to block the repeated attempts 21:16 hydrajump codex: what does the security guru think :P 21:16 * codex waiting for the security guru to come along 21:16 hydrajump hehe 21:17 codex i use fail2ban -- it's great 21:17 codex when properly configured, it helps a lot 21:17 codex it's not perfect. Don't "rely" on it. It's a nice "general" filter to filter out the crap of the crap 21:17 hydrajump so it has value even with "big" keys 21:17 codex the main issue is the delay in event -> to log -> to read/injection by fail2ban 21:17 codex if someone is really hammering you, they will get a few thousand hits before your "6 in 30 seconds" rule hits 21:18 hydrajump what about sshguard any different or it is just ssh specific whereas fail2ban works with multiple services? 21:18 codex I haven't used sshguard (i use fail2ban for ssh, web, anything that has a log really) 21:19 codex assuming it works the same way -- looks at logs, parses, and has some sort of an iptables logic? 21:19 hydrajump can you share any specific things you configure in sshd_config and your ssh fail2ban rule? 21:19 codex yea, one sec 21:19 codex i'll lookup what I have 21:20 codex I am using the default filter by 'Cyril Jaquier' 21:20 codex and the ddos one by 'Yaroslav Halchenko' 21:20 codex I think both come by default with the system 21:21 codex i have an ingoreip with all my IP ranges, and something like this: 21:21 codex maxretry = 5 21:21 codex findtime = 30 21:21 codex bantime = 1800 21:26 semiosis pdurbin: top 3 to watch? https://www.oracle.com/javaone/sessions/index.html 21:31 hydrajump codex: do you bother to run sshd on a non-standard port...I know it doesn't do anything for security ;) 21:33 semiosis i run openvpn on a non-standard port, fwiw 21:34 codex there are two big "schools of thought" here -- if it's a non-standard port, when something like heartbleed happens, it will give you some time 21:35 codex if you are running unpatched, a non-standard port won't help 21:35 codex I think the biggest advantage is to prevent the drive-by's 21:35 codex openvpn is a great example -- why have 1000 people per day poke at your openvpn just because it happens to sit on that port 21:35 codex plus, with openvpn, it's way more useful having it on 443 and udp/53 :) 21:36 semiosis never had my udp/41194 packets filtered yet 21:36 semiosis hotels, airports, etc 21:36 semiosis but running on 53 is a great idea 21:52 hydrajump codex: really run openvpn on udp 53? 21:53 hydrajump what do you gain from opening port udp 53 and using that for OpenVPN? 21:53 hydrajump maybe I'm missing the obvious? 21:54 pdurbin semiosis: well, Enterprise Nashorn since you asked about it, I guess 21:55 pdurbin anything by Venkat Subramaniam is good 21:55 semiosis hydrajump: other people's networks may be less likely to block that outbound 21:55 semiosis hydrajump: so you have a better chance of reaching your ovpn gateway 21:55 bear and if they do their iptables rules allow inbound 53 if an outbound request is pending 22:07 semiosis pdurbin: thx 22:08 semiosis watching Thinking in Functional Programming now 22:08 pdurbin where's my talk, I'd like to know 22:08 semiosis s/Programming/Style/ 22:09 pdurbin I'll try to watch that one. This is the talk by him I went to: Programming with Lambda Expressions in Java [CON1770] https://oracleus.activeevents.com/2014/connect/sessionDetail.ww?SESSION_ID=1770 (which was good and funny) 22:27 semiosis tbh, this talk is mostly a pitch for FP, very beginner 22:27 semiosis should be titled "What is FP?" 22:35 pdurbin bummer 22:35 pdurbin semiosis: did I tell you about the lambda lab? a friend went through the whole thing and got a lot out of it 22:36 semiosis havent heard of it 22:39 pdurbin I first mentioned it here: http://irclog.greptilian.com/sourcefu/2014-10-02#i_79001 22:39 pdurbin here it is: https://github.com/stuart-marks/LambdaHOLv2 22:40 semiosis nice! 22:40 pdurbin I think I only made it through exercise 8 or so. planning on going through it at some point 22:40 semiosis wow 27 of them 22:41 pdurbin it's basically a Java 8 lambda kata ... failing tests, then you use lambdas to make them pass 22:41 semiosis I'd love this on a flight 22:43 pdurbin don't cheat with the directory of solutions :) 22:44 pdurbin oh, and there are hints too, hidden by default, at least in netbeans 22:45 hydrajump semiosis: bear interesting. I've been running my own on 1194 udp, but for the new openvpn deployment I'll do that. 23:50 hydrajump btw another good security source https://bettercrypto.org/