This is also happening on Windows 8.1.  So, we restart the computer, everybody wants to update everything, wait for it…  then, wait some more.  Patience is more than a virtue at startup.

And then, waited (a lot!), Task / Notification “Area” says that an Update (Flash) is available, click… BOOM!  Adobe site, no thank you to chrome, slider/progress bar, if you have trouble click here… click… Internet Explorer explodes, checks for solutions, reloads the page… LOOP.  Yay!  The return of the Adobe Flash (maybe) 12-15 or 16 Installer problems.  Dear friend (IE, Adobe Installer Bug) we didn’t miss you.

The “workaround” (not fix):  Close IE, Task Manager (taskmgr.exe) to be sure, Internet Options from Control Panel, clear history/cache, Privacy tab and TURN OFF the Pop-up Blocker, restart the computer (if you want to be 100% sure), Internet Options again and make sure Pop-up Blocker isn’t magically back on, IE and go directly to adobe.com (if you have a ‘flash enabled’ Home/Start Page type it in the ‘search/address bar’), bottom-right corner click the Flash link…

Back to: un-[x] (or No Thank You) to chrome, toolbars, special offers and bundles, Install… today was version 22.0 – Done!

Close all IE windows again, Internet Options again, TURN ON the Pop-up Blocker.

All is well.  Those previous video problems, informative (sarcasm) “ERROR” message, hover/pop stuff all working again.

For about 8 minutes, until Adobe releases 23.x (smiley).

This is not a new thing, it has been going on for years since WordPress versions in the middle 3.xx-es.  It’s not a WordPress “bug” – it’s because PHP v5.3.xx went End Of Life almost 2 years ago (on 14 Aug 2014 – see: http://php.net/eol.php ).  And, see: https://wordpress.org/support/topic/wp-35-is-not-compatible-with-php-53-please-read

Now, here’s the deal.  Computers are [supposedly] cheap these days.  Supposedly.  So, [supposedly] you just buy some awesome new quad-this-or-that x64 with at least 128GB RAM and some number of TBs of storage to… host your 20-30 MB WordPress sites.  Because images, that’s why.  Oh yeah, then manually migrate 100 or so websites, databases, all the associated “stuff” and spend “a few minutes each” changing all of the myriad of things you had to do to those sites and config files to make it work a couple-few years ago.

Or: keep what you’ve got and deal with it until the new V-Lab-Super-Box is online and your “team” starts pushing things around in their spare time.  Right.

If you did google-bar the above image issue you’ll have discovered that it has gotten progressively worse the more versions away from good olde EOL PHP 5.3.xx WordPress has gotten.  We experienced this.  This page is being written in WordPress 4.2.8, the site that went to pot today auto-magic-ly updated itself to 4.5.2.  That site was having dreaded the “http Error” problem with images for over a year.  Now, today, kaput!  No images, no PDFs, no nothing through the [Add Media] [Upload] section.  We finally got a PDF to upload and link in a page by angrily clicking refresh and doing the same thing over and over (Add media, library, upload… select… repeat).  Once upon a time we could size images to “web friendly” sizes and do the Angry-Repeat click-ery – no more.  Kaput!

“Well,” says google-bar, “didn’t you know about the Media From FTP plugin?”  https://wordpress.org/plugins/media-from-ftp/  “No,” says us.  So, we give it a try and when you click [Activate] it happily tells you:  Only works with PHP version 5.4 or higher.

Then it happened, just before give-up-time, because: (1) had already uploaded via ftp the problem image; (2) had looked at the [Insert From URL] button hundreds of times today.  [Insert From Url] clicked, http://domainname.com/wp-content/uploads/2016/05/PictureName.jpg…  BAM! Done.

Now it doesn’t show up in the Library but it shows up in the page – and in Edit mode there’s the alignment stuff, room for a title and a caption, and the ability to make it a link to itself (full sized).  The only hang-up: it inserts the image with width and height set to it’s “real” values (giant in this case).  Last trick, get some server-side resizing done (on the fly stuff) and…  BAM! Done.

So, at long last, here is the long way around work-around for Great New WordPress on Great Olde Server[s] with incompatible PHP (and other things) versions.

• ftp upload your image (keep the WordPress method of folder naming in case you ever “migrate” the site to Great New Server[s])
• In the page or post: [Add Media] and [Insert From URL]
• In the page or post: [Edit] the image, make it a link to itself, add a caption, title and alignment if you wish.
• [Preview changes] and use whatever you use to see the on-screen height-width numbers you need to stop the server from sending the full-sized image to that thumbnail-sized box.  (We did Print-Screen, Paint, Select on a Windows computer.)
• Switch your WordPress Editor to [Text] (underlying HTML) and change the width and height properties of your IMG tag.  (We changed – width=”2592″ height=”1944″ – to – width=”662″ height=”496″.)

Finally, [Save] the page or post, and go shake that piggy-bank and see about that new high-speed quad or oct thing with all the latest of everything (including PHP).  Test runs on many devices and browsers: invisible server-side image resize and send (thanks, Apache) and post complete.  Not very “reflexive” but “good enough” for now.

Now that that is taken care of… a test… of WordPress 4.2.8

This file would not upload.

Above: try again, pig headed try again, try again… error, error, long slow progress bar – worked !  Not worth the trouble.

Last notes and link:  Thanks to WordPress ( http://www.wordpress.org ) for not updating us to death.  The new Quad is actually in place and in QA Testing mode – but, migration is not going to happen until a lot more testing is done.  Known bugs are better than unknown ones.

What happened: clients could not connect.  It would start to, prompt for credentials, show the welcome screen, then a disconnect with a message:

Your Remote Desktop session has ended.

Another user connected to the remote computer, so your connection was lost. Try connecting again, or contact your network administrator or technical support group.

The only way around it was to physically “Sign out” at the hardware.

The fix: add a password to the account (see the notes below) and enable the “Allow only…NLA” (picture) option in the remote desktop settings.

How this all happened…

First: not a very well used Windows 8 “test” computer.  When we set it up originally we didn’t put a password on it.  We must have had some old Macs or XP boxes that we tried to connect RDP clients from, so had un-checked the “Allow connections only…” option in the Remote tab.

2nd: No “pre-release” Windows X stuff.  On July 29, 2015 we had to update this computer to 8.1 before upgrading to X.  The 8.1 and the X (Ten/10) installers did not mention exactly how important a password is to these newest systems.  A little online searching tells us that it’s not Microsoft’s fault, not too many people seem to have this exact series of mistakes/user errors.

Finally: we ended up with a Windows X (Pro) computer with RDC (the new name for RDP) enabled, old un-secure clients allowed, and no “only user” account password.

How this all got fixed…

First: After reading too many online posts and pages about RDP (RDC) in general we saw “a couple” of mentions about that “Allow connections only…” checkbox.  Went to see what was up: un-checked.  Put a check-mark in there and tried again…

Second: Secure connections require minimally secure computers (user account needs a password).  When we tried to connect this time we got a “Cannot connect” error stating that “…the password is expired… …or…” (about 3 total possibilities that we didn’t screenshot).  We knew there was no password so it wasn’t “expired.”  Back to the hardware, set a password on the user account, Sign out, Sign in…

Finally:  Add the new password to the RDP (RDC) client connection dialogue and everything works fine.  RD Client connected, console user was Signed out.

This was a very “anomalous behavior incident” but if we could do it someone else probably could as well.  So, now it’s documented.

It works.  That’s all we can say.  It is difficult to set up and it is slow once it is set up.  It “can” do it, so here’s how you “can” make it do it.

We only tested from a “clean” install of Windows Ten (10, X).  The first time run of mail starts a “First Time” or “Out Of Box” experience that you will only ever see the real “first time.”  If you add an account and then delete it, Mail App then loads with an “empty” workspace and everything has to be done manually.  Throughout this post we use “click” to mean tap or click.

Here are the steps we followed – screenshots follow in order:

1. Click inside the “Search Area / Address Bar” (next to the “Start/Windows Logo”) and type “mail”. Click “Mail – Trusted Windows Store app” at the top of the menu/search results.
2. Click on “+ Add account” on the “First Time/Let’s Get Started” screen
3. Click on “Other account – POP, IMAP”
4. Put in your full email address and password. Click the “Sign-in” button.
   Note: make sure your password is correct, it is very important to not causing syncing errors and extremely long delays when finished.
5. The first time – after a pretty long delay – you will get a message that says: We couldn’t find info for that account. Make sure the email address is correct and try again.  Click the “Sign-in” button two-to-three more times until “Sign-in” changes to “Advanced”. (5th image)
6. Click “Advanced” to get to the scrolling “Internet email account” screen.
7. Give your account a name (this is what it be called “locally”).
8. Enter “Your name” (this is what you want to appear when people receive email from you).
9. “Incoming email server” should be your domain name (everything after the @ in your email address) or mail.yourdomainname.ext[ention]  (the mail. is optional)
10. Change the “Account type” from IMAP to POP3
11. Scroll down until you see “Username” and “Password” (those should be there) and “Outgoing (SMTP) email server”.  Your outgoing server is the same as your incoming server.  You can use the domain name only (everything after the @ in your email address) or the optional mail. prefix plus your domain name.
12. Scroll down to the bottom and take the check-marks out of the “Require SSL” (incoming and outgoing) boxes.  Leave the top two check-marks in place.  See: Picture 8.
13. Click on “Sign-in” and you will be returned to the “First things first…” screen.
14. Click on “Ready to go” (picture 9) and…
15. Your first “big problem and delay” appears.  It took almost 20 minutes for our test computer to “time out” and give us the “Your account settings are out of date” alert/notification. There is nothing you can do but wait it out.  Once the alert appears with the [Fix Account] and [Dismiss] buttons, click on Fix Account.  (Picture 10)
16. Fixing the account consists of clicking the “Continue” button on the “Untrusted certificate” screen.  (Picture 11)  If you click cancel nothing will work and you’ll have to figure out how to delete the account and start over without the “First things first” screen.
17. Finally, here is the importance of that password (back at step 4).  We – on purpose – entered it incorrectly to “see what happens.”  BOOM! That’s what happens.  Another 20+ minutes for the timeout on the incoming server, then again (total 40+ minutes) for the outgoing server’s timeout.  In the meantime we got “blocked” from the mail server for “Too many failed AUTH attempts”.  During that 20 minutes of “Still working on it…” the “Mail app” was trying to log in hundreds of times per second with the wrong password.  After just over 40 minutes we got another Alert/Notification that “Your account settings are out of date”.  Fix this time was entering the correct password.  Once done, the “Inbox” sync-ed almost instantly, then 20 more minutes and the same “block” from the server because “Mail app” did not “fix” incoming and outgoing servers the first time.  Alert again, fix again (this time we dismissed it and manually fixed it by clicking the “gear” icon and going to the Account Settings). Somewhere around one hour and forty-five minutes later, mail sent and received.

Of other note: The “Mail app” does not appear to delete the mail from the server.  This is good – and – bad.  It’s good if you have multiple devices checking the same account.  It’s bad if you delete mail from the server from your other devices.  The “re-sync-ing” of mail that is the Inbox of “Mail app” and no longer at the server is a very, very, very long and slow process.  We only had one message, removed it from the server via webmail, it took “Mail app” 7 minutes to “sync” (remove the one message from Inbox and do whatever background database or file “magic” it does during “Still working on it…”).

So, there it is, the pictures are next, and here is one more recommendation/reminder from us:  You can use the “Mail app” in Windows Ten (10, X) for your ComputerMedic.org hosted email (POP3/SMTP) – it is a lot easier to use a 3rd party app (or program) like Mozilla’s Thunderbird. ( https://www.mozilla.org/en-US/thunderbird/ )

The files are all dated May 16th but the popups began today, June 1, 2015, down there by the clock, in the “Tray.”

Get Windows X – with no “go away” button.

Is it hogging up the system resources? Is it covering the whole screen?  Singing songs?

No.  But mosquitos and flies only occupy like .0001% of your cellular mass while they are annoying the pee out of you.  And, much like those mosquitos and flies, if you land your poop-eating or blood-sucking self on my .0001% of my cellular mass – I consider seriously ending you.

/me sets the eyes on the Linux distros and the mac-cy compy.
(Only real computer nerds know what that means – hopefully MS has one they can consult with.)
http://www.ubuntu.com/desktop comes to mind.

OK – since I can’t “end” MS like the other poop-eaters and blood-suckers of my life here’s the “hard way” to get rid of the “Get Windows X” nuisance.

Start Task Manager (works with or without “Run as Administrator”), find GWX.exe and “End” it.

Now you have to hurry up, because they jammed your Task Scheduler full of garbage to rebirth this thing.  And you cannot (even as Administrator) disable or delete the tasks.

Open a command prompt (that’s a DOS box for you old people) – as Administrator:
Win7: Start Bubble->Type “CMD” in the box->Wait… the list will produce “Command Prompt” -> Right-click it and “Run as Administrator” (left-click).

Win8: Right-Click the doo-hicky-Windows-cubes in the lower-left corner, left-click Administrator Command or whatever they call it (I can’t stand 8/8.1 so I still “roll with 7″)

It should open in the C:\windows\system32 “folder” by default.

Type: CD Tasks\Microsoft\Windows\Setup and then press [Enter].

There are two directories (“folders”) here that contain (on my computer) 5 different tasks.

The first directory “GWX” can be properly disposed of from here, so:

Type: DEL GWX\*.* and press [Enter].  Answer yes to the prompt.

Next type: RD GWX and press [Enter].  Poof, one down.

Now the Tricky-Sticky one: GWXTriggers – you can’t touch this from your CMD prompt. Or, can you?  If you try – like I did (see picture) – you’ll get 3 permission denied errors.

Here’s what you do:
Get “into” that directory so it is the default – type: CD GWXTriggers and press [Enter]

Now type: START .  (that’s start and a space and a period (or dot)) and press [Enter]

Windows Explorer should open up and tell you to [Continue] to gain permanent permissions to the folder – so [Continue].

Now, mark the three files, delete them (recycle or not, it’s up to you), close Explorer.

Back at your “elevated” command box, type: CD .. (CD space and two periods/dots) and press [Enter].

Type: RD GWXTriggers and press [Enter].

There, done, gone, no more popups (until tomorrow).

Someone find me an exit from this Matrix, or like the famous LK is reported to have said on Sunday 5.31.15: “When will this madness end?”

http://en.support.wordpress.com/images/gallery/

Read it slowly (I did not, several times), above even has a link to below:

http://www.wpbeginner.com/plugins/how-to-add-gallery-carousel-in-wordpress-without-jetpack/

Followed some instructions, but in a hurry, so let’s try it:

Save Draft, Add Media, Select Pix, ??? :

Tiles… so that didn’t work, try: “Pencil” (edit the gallery), Nope, try the type=slideshow from text mode? Tiles.

OK, great, went back to settings, uncheck Carousel, check it, save, save, now if you click any image – pops up a manual slide show (have to right-arrow or click/tap edges of the screen to get the next image). Not exactly as advertised.

http://premium.wpmudev.org/forums/topic/why-dont-i-see-type-in-my-wordpress-gallery

* Remove carousel without jetpack, then install slimjetpack (all one word like that).

Mad. MADDER. MADDEST-EST!!

http://en.support.wordpress.com/images/gallery/
Back to here, slowly, uncheck the “show in cool mosaic.” UNCHECK.

http://premium.wpmudev.org/forums/topic/why-dont-i-see-type-in-my-wordpress-gallery
AND here:
http://wordpress.org/support/topic/missing-slideshow-feature-from-media-gallery
Back to here, Settings->Slim Jetpack->
Activate (1) Carousel (2) Tiled Galleries and (3) Shortcode Embeds

Now go back to Settings->Media->
…uncheck the “show in cool mosaic.” UNCHECK.
Save (at least twice because computers stink).

Now, at last Horacio!, flippy-floppy picture box above. Slideshow is a “Type” of Gallery when editing/creating.

Post-Facto: should have made this a post because it is showing up in my menu. Soon, copy it to a post and delete this page. Next-day Post-Facto: turned into a post, fixed some super-grammar and some layout issues. Deleted the page (and emptied the trash).

You’re a bad bot. I’m tired of playing with you. I’m going to make you dead now.

July, 2014.  The internet is a secluded village, all controlled and terrorized by one boy…

Meet Anthony, from the ‘It’s a Good Life’ episode of The Twilight Zone (Nov. 1961).  Details over at imdb, or watch the whole episode (with modernized commercial/ad inserts) at hulu.

We’ve hired Anthony, now in his 50s to do away with spam, Zombie DNS DDoS Bots, and other such pests buzzing around and annoying or destroying everything and everyone in the internet play ground.  We should have thought of it earlier… Just making bad things dead or wishing them into the cornfield.

OK, not quite that easy, here’s what’s up in the fight against Spam-Nados and Zombie Bots…

[Thermal] Inversion Layers.  In the undersea world of submariners these separations between temperatures of water mask objects from sonar and/or, of course, thermal imaging.  What does that have to do with servers and DDoS attacks? Nothing.  Except the association is how we remember:

Inverse Tactics.  At some point around the Happy Holiday Season 2013-2014 (aka Christmas to normal people) a server manager woke from a horrible holiday dream – a dream of fail2ban memory leaks, dead sockets, out of memory errors and massive log files – with a vision of a less nightmarish future.  Simplicity was unmasked.  The fortune-cookie like note that comes from the bobble-head-devil fortune machine in that other episode of Twilight Zone:

Invert your tactics.

Instead of trying to use fail2ban (perl/python/loosely interpreted regexs) to sift through everything and lock out the bad guys after they had been bad, and possibly then wrong because UDP sources are easily spoofed; use the ‘firewall’ (compiled, close to the kernel, strict iptables) as a firewall.  Seems simple, use the firewall as the firewall. But that’s hind-sight.

So, simple, use the firewall, invert the tactics.  What does that mean?

It means: allow only certain things along the ‘port 53 chain’ ~ only the domains that we truly are the authoritative host for.  And, since our little web-server is also a recursive-caching DNS server for itself and others; only do this filtration on the ‘net-facing’ (public) adapter.  Confused? Good. Welcome to the Twilight Zone.

Inverted logic:
– Old way: allow everything, find anything ‘known bad’ and block that; ever growing list of ‘known bad’ (because the bad-bot guys change what they query you to death with)
– New way: allow only the domains we NS host to be allowed passed iptables to get to bind/named and furthermore to fail2ban; drop all other (not known good) DNS queries.  Yep; drop; no tarpit, no ‘channel[s] closed’, no loopback, no reply, no nothing, DEEeee-ROP. (Wish bad queries into the corn field.)

Simple. Smart. Effective.  Can’t find the notes to give credit to some very helpful websites/pages that helped us through this “seems simple (everything computer is supposed to be simple)” but was very, very complicated set of iptables rules. TODO for later: find the notes, give the credit.

Here’s the summary:
– iptables does string matching (the * here is that iptables string matching on UDP sockets is very complicated, based on hex conversions of the strings, very strict, but very fast)
– set up a new ‘table (chain)’ and set of ‘RETURN’ rules based on the domains we actually want to give answers to DNS queries for
– set up the new ‘table (chain)’ to default to DROP (not reject, not return) all others

Here’s the implementation, using the plain text matching of iptables instead of the complete domain.tld (the dots don’t translate so you have to use hex to match domain(special)tld):

#!/bin/sh
#
# create the chain to drop everything we don't specifically know
if ! iptables -L netdnswash -n  >/dev/null 2>&1 ; then
        #echo "debugging make the chain netdnswash"
        iptables -N netdnswash
fi
# flush it either way
iptables -F netdnswash
# default rule = DROP.  This is to stop trying to block badbots, only allow good stuff.
# This should also drop the '.' (single dot) query
iptables -A netdnswash -j DROP
### during build/testing return everything, watch the counters on the one-two test domains
### iptables -A netdnswash -j RETURN
# put the most common ones up top (e.g. computermedic.org since that's the name server, then down to the least busy)
# reverse order because inserts stack on top
iptables -I netdnswash -i eth1 -p udp -m udp --dport 53 -m string --algo bm --icase --to 255 --string 'mldragon' -m comment --comment "mldragon.com" -j RETURN
iptables -I netdnswash -i eth1 -p udp -m udp --dport 53 -m string --algo bm --icase --to 255 --string 'computermedic' -m comment --comment "computermedic.org always first" -j RETURN
# make sure this is first in the INPUT chain - returns to INPUT will allow fail2ban to catch crap.gooddomain.tld
# make sure that fail2ban (actions) build their rules at/after 2. More manual thinking for fail2ban (admins) but way less work
# make sure it doesn't already exists
if ! iptables -L INPUT -n | grep 'netdnswash' -c 2>&1 ; then
        #echo "debugging make the rule in INPUT"
        iptables -I INPUT 1 -i eth1 -p udp -m udp --dport 53 -j netdnswash
fi

Note 1: all chain creation prior to adding it to the INPUT chain rules.
Note 2: only traffic on the ‘net-facing/public’ adapter goes through here (at the bottom, …eth1…)
Note 3: used inserts ( -I ) so what you want first you have to put last in the script (invert again)
Note 4: once fully tested and put into operation: iptables-save >/path/to/conf_file so that if the server restart iptables doesn’t have to be ‘re-made’.
Note 5: change the fail2ban jail create/destroy commands to insert at 2, so fail2ban can be restarted without messing up the new iptables stuff.

Now, important, the lack of the complete domain.tld business.  If we had hundreds or thousands of Ns in our NS we would go through the trouble to use ‘hex string matching’ to get the whole computermedic.org thing in there.  But the “less than hundreds” number of domains on this server lets us deal with the occasional bad bot playing computermedic.tld [other than org] games.  How do we deal with that?

fail2ban of course.  Now, much relaxed and under-loaded because no more rolling/spoofed-source DNS/DDoS querries.  Again, don’t want to tell the bad-guys how to defeat our newly created defensive systems, but suffice it to say: if you run 3 or more ddosasia.computermedic.org or www999, www998, www997 (the rolling ones we encountered) queries against the server fail2ban is going to shut you down (1st time for 2 hours, 2nd time for… drumroll… Evuh!).  First the cornfield for a reasonable timeout, then fail2bAnthony makes you dead.

Less Spammy Inboxes version 14.7 (year.month versioning because there have been way too many versions)

I hate anybody that doesn’t like me!

Now that fail2bAnthony has less DNS problems on his hands, lots of free memory and CPU cycles, has not gone to swap in at least 3 months it’s time to put fail2bAnthony on task of wishing spambots into the cornfield, and those dreaded three-headed-gophers (the guess your password bots that then use your email to send spam everywhere ‘authenticated’): Dead.

fail2ban was already working the ‘mail servers logfiles’ to identify bad auth attempts and ban bad guys there.  However! We utilize an ‘Anti-Spam Relay/Filter Server’ (or several) and a great many of the bad auth attempts were going to those.  A couple of new fail2ban filters and actions, done.  Send legit email if you want copies of the fail2ban files, not publishing those (x-th time: don’t give the bad-guys a ‘how we defend ourselves’ map).  We’ll suffice it to say in this regard: had to get a few users new passwords, but ‘rejects’, bad server reputation points, and dictionary/rolling login attempts, junk in the mailq, against all mail systems are significantly decreased.  Will be even more decreased as time goes by because after certain re-bans, ips and whole ranges are banned for 1 year (all ports).  Cornfield, cornfield, dead.

A little over a year ago we said ‘Finally…’ ( http://www.computermedic.org/?p=9 ).  Doing all of this iptables, fail2ban, named (forgot to mention above, no more spoofed/loop-back entries in named conf files because no more bad domains/tlds allowed through), mail/spam server tuning revealed a major problem in the spam filter/relay setup: SenderBase did not install last year.  ‘Hypothetically speaking’ we could pretend that we use a certain Anti-Spam SMTP Proxy ( ASSP ) and we ‘hypothetically’ used their install/update scripts to get the thing moving.  Well, in those 12-18 days of extreme server configs and installs and the months of Zombie-Bot and DDoS-Nado wars after, the one little message in a log file seldom read about Net::SenderBase not being available was missed. Then there is the fact that ASSP ‘hypothetically’ does not log (even if debug level logging is selected) anything about SenderBase if it was not available at startup.  Where the problem lies: in some nix distros the install/update scripts, and the howto pages, that say use MCPAN to install Net::SenderBase don’t warn you to watch the output carefully to make sure there wasn’t any error[s].  Here’s the deal, and a warning: Watch the output of install Net::SenderBase carefully!!  If there are errors (any error means no SenderBase, no filters, regex matching, country matching, scoring, based on SenderBase in ASSP, and nothing to let you know): force install Net::SenderBase.

Bam. Done, had to go back an re-tweak/un-tweak about 12,000 ASSP (hypothetically) settings, logs, regex-es, etc., that had been tweaked trying to figure out why so much wasn’t working, gave ASSP a full stop (/etc/init.d/assp stop), let it rest a minute, fired it back up (replace stop with start) and wah-lah! 79% blocked instead of 45-51%.  Less spammy inboxes.

Updated wordpress to 3.9.1 today.
Not important but it works *great* in IE11.  Makes links correctly, which it did not.  Looks a little better.  Good job wordpress.

The digital world has out-run squirrel:

• Does not work fully with Internet Explorer 11
• Does not work fully with mac and iDevices (pod, phone, pad, OSX (**ok with Mozilla or firefox on OSX but no one runs that)
• Does not work fully with [An]Droid devices
• Does not work fully with Surface (trimmed IE 10/11)

So, 1.11.14 we installed and tested version 0.9.5 of roundcube.

Hosted at MLD/CMI? Check it out at [www.yourdomain.xyz]/rcmail or, for example:

http://www.computermedic.org/rcmail

Log in using your full email address as username (just like squirrel).

After your first log in you should go to the settings screen and turn on HTML composition and viewing and set your signature options (if you keep using roundcube).

Both work fine side-by-side, but you should not be logged in with both at the same time.

Link at the top/right soon.

We have had to turn back on/up as many of the filters and blocks as possible because the “spam load” on some of the users (including the admin) is overwhelming.

Some of your contacts may get ‘rejections’ or ‘bounces’ if their servers are identified as “blacklisted” (DNSBL).  If you have any reports from your friends about problems email support@computermedic.org and we’ll get them whitelisted.

It was a backdraft. Or the eye of the Zombie-Nado-Cane. When the bad-bots got some air around August 5th – hak4umz.net DDoS or DNS Amplification – fail2ban (and the servers) got burned.

Even the “eye-dee-keff-kuh-may” (TammyBelle’s God Mode Code for DOOM][ ) cheat didn’t help.  fail2ban got clobbered… ‘already banned’ every one second in the log and no more bans happening because 100s or 1000s of times per second from 100s or thousands of bots: bad requests.

Here is the Serious! problem when you put the fail2ban -vs- the entire globe death match together:

2013-08-13 12:40:37,730 fail2ban.actions: INFO   [named-flood] <ip> already banned
2013-08-13 12:40:38,732 fail2ban.actions: INFO   [named-flood] <ip> already banned

almost exactly one second apart, hundreds of times, and no new banning going on.
Q: Why?
A: fail2ban appears to have a “one second pulse/parse” clock built in to it.

Q: So?
A: So, when 4,000 log entries appear in a log that fail2ban is reading within that one second, fail2ban ‘queues’ (or spools or fifo’s) those 4,000 entries into an internal list and tries to de-queue them one-per-second.

Easier math: (“let’s say”) there are 10 ‘fail regex’ entries pouring into your log per second. Trying to de-queue the messages from the first second takes fail2ban 9 seconds.  By the time it gets done, there are 90 more messages/fails waiting.  So every second that goes by (in this low number scenario) the problem gets 10-to-the-10th-power worse.  The problem being fail2ban over-run by those headless bomb-toting zombies.  The “real world” explanation: fail2ban lags out and becomes combat ineffective.  In cop-talk the radio call from Officer fail2ban would be: “Extended”

Now, a “server admin” must consider – besides ‘shutdown -h now’ – is there a solution to the problem? First part of that: what – exactly – is the problem.  More Q/A (logic/reasoning):
Q: Problem?
A: fail2ban says ‘already banned’ and is ‘lagged out'; can’t fight the good fight.

Q: Why?
A: Too many log entries per second.  fail2ban reads logs and ‘actions’ based on log entries.

Q: So, why don’t you server admins just limit the number of log entries? (Instead of trying to hyper-tune fail2ban, just give it less to do? Remember the old-old server used to say ‘…the previous message repeated ### times…’)
A: Why didn’t I think of that.

The old-old server was a Gentoo box dragged across the millennium boundary by makes and make-installs.  It finally wore out (it still runs, it was just retired because it had done it’s duty) this year.  A little searching about ‘the previous message repeated’ and was reminded that that is called: rate-limit-ing.  A modern Centos-6-x86_64 install (not a bunch of custom compiled stuff on a 32-bit Gentoo) uses an ‘out of the box’ rsyslog and doesn’t say things like ‘…the previous message…’  The new stuff says:
imuxsock begins to drop messages from pid 1228 due to rate-limiting

Very little more searching finds:
http://www.rsyslog.com/tag/rate-limiting/

The docs are a ‘little dated’ (2010) but the essentials are there to solve the problem (problem being ‘too many log entries for poor old fail2ban’).

vim /etc/rsyslog.conf (and add as the 2nd and 3rd uncommented lines):

#### 8.12.13 - try to slow the message floods so fail2ban won't die so much ####
$SystemLogRateLimitInterval 1
$SystemLogRateLimitBurst 5

[Esc]:wq (write and quit)

Now do a /etc/init.d/rsyslog restart or service rsyslog restart (reload does not work, I tried it) and…

Tah-dah!  fail2ban can keep up with the log.  Some of the abusers (firey screaming zombies with tater-bombs) get by for a few seconds until the rate-limit/fail2ban get Serious!; but, real-world they were getting by by the hundres-of-thousands before this fix (while poor old fail2ban was over-run or lag-back-buffered).

It may not be ‘iddqd’ (god/degreelessness mode in ‘that other great fps’), but $SystemLogRateLimitInterval/$SystemLogRateLimitBurst is very close to TammyBelle’s “eye-dee-keff-kuh-may” (megaarmor, weapons and keys) for fail2ban.

Almost as good as Tangy-Bells for break-shishst.
Very happy, ammo added.

*** A minor success/victory ***
49 hours later… fail2ban chugging along ban/unban-ing, much smaller log files, no other services lagged out because of the packet attacks on port 53….