<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">Given the state of the
wiki a the moment, I think taking the quickest path to get it fixed
would be prudent. Is there a way we can get JP root access to this
server, even temporarily? We get 25% of our website traffic (2 million
visitors) to the wiki. I realize we're all after the same thing, but
spammers are not going to hit the dev environment, so there's really no
way to tell if teh problem is fixed without actually working directly on
the production machine. This should be a 30 minute fix.<br>
<br>
I realize there is a lot of risk in giving ssh access to infra machines,
but I think it's worth taking a look at either putting this machine in a
place where a different level of admin could access it without giving
away the keys to the entire OpenStack infrastructure or figuring out a
way to set up credentials with varying levels of access. <br>
<br>
Jimmy<br>
<br>
<span>Paul Belanger wrote:</span><br>
<blockquote cite="mid:20160226162722.GE30842@localhost.localdomain"
type="cite">
<pre wrap="">On Fri, Feb 26, 2016 at 10:12:12AM -0600, JP Maxwell wrote:
</pre>
<blockquote type="cite"><pre wrap="">But if you wanted to upgrade everything, remove the mobile view extension,
test in a dev/staging environment then deploy to production fingers
crossed, I think that would be a valid approach as well.
</pre></blockquote>
<pre wrap=""><!---->Current review up[1]. I'll launch a node tonight / tomorrow locally to see how
puppet reacts. I suspect there will be some issues.
If infra-roots are fine with this approach, we can use that box to test against.
[1] <a class="moz-txt-link-freetext" href="https://review.openstack.org/#/c/285405/">https://review.openstack.org/#/c/285405/</a>
</pre>
<blockquote type="cite"><pre wrap="">J.P. Maxwell | tipit.net | fibercove.com
On Feb 26, 2016 10:08 AM, "JP Maxwell" <a class="moz-txt-link-rfc2396E" href="mailto:jp@tipit.net"><jp@tipit.net></a> wrote:
</pre><blockquote type="cite"><pre wrap="">Plus one except in this case it is much easier to know if our efforts are
working on production because the spam either stops or not.
J.P. Maxwell | tipit.net | fibercove.com
On Feb 26, 2016 9:48 AM, "Paul Belanger" <a class="moz-txt-link-rfc2396E" href="mailto:pabelanger@redhat.com"><pabelanger@redhat.com></a> wrote:
</pre><blockquote type="cite"><pre wrap="">On Fri, Feb 26, 2016 at 09:18:00AM -0600, JP Maxwell wrote:
</pre><blockquote type="cite"><pre wrap="">I really think you might consider the option that there is a
</pre></blockquote><pre wrap="">vulnerability
</pre><blockquote type="cite"><pre wrap="">in one of the extensions. If that is the case black listing IPs will be
</pre></blockquote><pre wrap="">an
</pre><blockquote type="cite"><pre wrap="">ongoing wild goose chase.
I think this would be easily proven or disproven by making the questy
question impossible and see if the spam continues.
</pre></blockquote><pre wrap="">We'll have to let an infra-root make that call. Since nobody would be
able to
use the wiki. Honestly, I'd rather spend the time standing up a mirror dev
instance for us to work on, rather then production.
</pre><blockquote type="cite"><pre wrap="">J.P. Maxwell | tipit.net | fibercove.com
On Feb 26, 2016 9:12 AM, "Paul Belanger" <a class="moz-txt-link-rfc2396E" href="mailto:pabelanger@redhat.com"><pabelanger@redhat.com></a> wrote:
</pre><blockquote type="cite"><pre wrap="">On Thu, Feb 25, 2016 at 08:10:34PM -0800, Elizabeth K. Joseph wrote:
</pre><blockquote type="cite"><pre wrap="">On Thu, Feb 25, 2016 at 6:35 AM, Jeremy Stanley <a class="moz-txt-link-rfc2396E" href="mailto:fungi@yuggoth.org"><fungi@yuggoth.org></a>
</pre></blockquote><pre wrap="">wrote:
</pre><blockquote type="cite"><blockquote type="cite"><pre wrap="">On 2016-02-25 02:46:13 -0600 (-0600), JP Maxwell wrote:
</pre><blockquote type="cite"><pre wrap="">Please be aware that you can now create accounts under the mobile
view in the wiki native user table. I just created an account for
JpMaxMan. Not sure if this matters but wanted to make sure you
were aware.
</pre></blockquote><pre wrap="">Oh, yes I think having a random garbage question/answer was in
</pre></blockquote></blockquote></blockquote></blockquote><pre wrap="">fact
</pre><blockquote type="cite"><blockquote type="cite"><blockquote
type="cite"><blockquote type="cite"><pre wrap="">previously preventing account creation under the mobile view. We
probably need a way to disable mobile view account creation as it
bypasses OpenID authentication entirely.
</pre></blockquote><pre wrap="">So that's what it was doing! We'll have to tackle the mobile view
</pre></blockquote></blockquote></blockquote><pre wrap="">issue.
</pre><blockquote type="cite"><blockquote type="cite"><blockquote
type="cite"><pre wrap="">Otherwise, quick update here:
The captcha didn't appear to help stem the spam tide. We'll want to
explore and start implementing some of the other solutions.
I did some database poking around today and it does seem like all
</pre></blockquote></blockquote></blockquote><pre wrap="">the
</pre><blockquote type="cite"><blockquote type="cite"><blockquote
type="cite"><pre wrap="">users do have launchpad accounts and email addresses.
</pre></blockquote><pre wrap="">So, I have a few hours before jumping on my plane and checked into
</pre></blockquote></blockquote><pre wrap="">this.
</pre><blockquote type="cite"><blockquote type="cite"><pre wrap="">We are
using QuestyCaptcha which according to docs, should almost be
</pre></blockquote></blockquote><pre wrap="">impossible
</pre><blockquote type="cite"><blockquote type="cite"><pre wrap="">for
spammers to by pass in an automated fashion. So, either our captcha
</pre></blockquote></blockquote><pre wrap="">is too
</pre><blockquote type="cite"><blockquote type="cite"><pre wrap="">easy, or we didn't set it up properly. I don't have SSH on wiki.o.o
</pre></blockquote></blockquote><pre wrap="">so
</pre><blockquote type="cite"><blockquote type="cite"><pre wrap="">others
will have to check logs. I did test new pages and edits, and was
</pre></blockquote></blockquote><pre wrap="">promoted
</pre><blockquote type="cite"><blockquote type="cite"><pre wrap="">by
captcha.
As a next step, we might need to add additional apache2 configuration
</pre></blockquote></blockquote><pre wrap="">to
</pre><blockquote type="cite"><blockquote type="cite"><pre wrap="">blacklist IPs. I am reading up on that now.
</pre><blockquote type="cite"><pre wrap="">--
Elizabeth Krumbach Joseph || Lyz || pleia2
_______________________________________________
OpenStack-Infra mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-Infra@lists.openstack.org">OpenStack-Infra@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra</a>
</pre></blockquote><pre wrap="">_______________________________________________
OpenStack-Infra mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-Infra@lists.openstack.org">OpenStack-Infra@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra</a>
</pre></blockquote></blockquote></blockquote></blockquote></blockquote>
<pre wrap=""><!---->
_______________________________________________
OpenStack-Infra mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-Infra@lists.openstack.org">OpenStack-Infra@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra</a>
</pre>
</blockquote>
<br>
</body></html>