09:05 < ChillerDragon> wot jxsl xd
09:07 < jxsl13> remove the DreamBerd star D:
09:22 < ChillerDragon> hrhrhr
11:33 < jxsl13> remove it!
11:45 < bridge> <AssassinTee> Has anyone stats how bad the ddos situation is in teeworlds currently?
11:46 < bridge> <heinrich5991> ddnet servers are regularly DoSed
11:46 < bridge> <jxsl13> stats: bad
11:46 < bridge> <AssassinTee> thx, means no server from me 🙂
11:46 < bridge> <d_une> is this an attempt to fill concurrent non-ddnet servers?
11:47 < bridge> <AssassinTee> I have a server at home, but if I expose it to teeworlds, a ddos attack would be a disaster
11:47 < bridge> <d_une> I don't mean for you
11:50 < bridge> <AssassinTee> I can't follow you
11:50 < bridge> <d_une> I meant, the motivation behind the ddos
11:51 < bridge> <AssassinTee> ahh!
11:51 < bridge> <heinrich5991> sometimes promoting non-ddnet servers, sometimes expressing anger about decisions e.g. bans, sometimes purely malicious
11:52 < bridge> <d_une> ok ty
11:52 < bridge> <AssassinTee> how do you know the motiviation? Aren't the individual dos-ip sending DNS tables or something?
11:53 < bridge> <heinrich5991> because sometimes you can talk to the person behind the attack
11:54 < bridge> <AssassinTee> Hope one day they forget to turn on their VPN
11:56 < bridge> <AssassinTee> The only motivation I know of, was a server with a password, and since they can't enter, ddos
11:56 < bridge> <AssassinTee> Server Name was something like "Map testing server" where I was just mapping and you don't want to be as a regular player
11:58 < bridge> <AssassinTee> DDNet doesn't do geoip filtering or does it? A player with a possible ping > 600 connecting from china shouldn't have much business on DDNet brazil
12:02 < bridge> <AssassinTee> But thx for the feedback
12:02 < bridge> <heinrich5991> ddnet doesn't do geoip filtering
12:03 < bridge> <heinrich5991> and it would be not nice if it did, why should a player from china not be able to chat with peopel from brazil
12:16 < bridge> <AssassinTee> Because you are hosting gameservers and not chat-servers. But I fully understand your point. Technically they can still connect to a server in the middle, EU or US (idk). I am just tired of banning IPs from the same 3 countries, why should I let connections from countries through, which keeps attacking me and have no business on the server in the first place? I am not nice, i am angry about the world
12:20 < bridge> <heinrich5991> does banning these countries even help protect your server though?
12:20 < bridge> <heinrich5991> if not, you're just making a nuisance for these people without any gain in return
12:23 < bridge> <AssassinTee> If the banning would happen on a network level, it would certainly help against dos attacks. In my case I am banning people who try to ssh into it, which nobody except me should have business with
12:24 < bridge> <heinrich5991> the ssh thing is not useful btw
12:24 < bridge> <heinrich5991> unless you like clean-looking logs
12:24 < bridge> <heinrich5991> you want to disable password authentication and then you're good
12:24 < bridge> <heinrich5991> banning IP addresses that try to authenticate does nothing
12:25 < bridge> <heinrich5991> the banning IP addresses on the network level against DoS attacks only helps if the problem is that the game servers themselves are overwhelmed
12:25 < bridge> <heinrich5991> unfortunately, sometimes it's the linux kernel or the network interface that gets overwhelmed
12:25 < bridge> <AssassinTee> it protects you from bruteforce attempts, and password authentication isn't disabled, that's the point. Otherwise I'd need to have my private key on multiple machines
12:26 < bridge> <heinrich5991> you can add multiple private keys
12:26 < bridge> <heinrich5991> you should never do password authentication
12:26 < bridge> <heinrich5991> if you do want to have password authentication, choose a secure password
12:26 < bridge> <heinrich5991> then you also don't have to worry about brute force attempts
12:26 < bridge> <heinrich5991> if you choose a bad password, then banning might help somewhat. but why do you do that?
12:26 < bridge> <heinrich5991> if you want to have clean logs, change the SSH port
12:32 < bridge> <AssassinTee> I am happy with my setup now, ofc my password is secure, I don't care (too much) about the logs, I like (and need) the ability to login into my server from anywhere, because I travel a lot. I already logged into it from my parents home, switzerland, finnland, all on different machines. I already thought about changing the port tho. I use the same tool an other services as well, the ssh banning is just the main cause of banned IP adresses
12:33 < bridge> <heinrich5991> the ssh banning is just a false sense of security
12:33 < bridge> <heinrich5991> (in fact, it was a security vulnerability on its own in the past, with some tool. ssh had no such vulnerability AFAIK(
12:33 < bridge> <heinrich5991> (in fact, it was a security vulnerability on its own in the past, with some tool. ssh had no such vulnerability AFAIK)
12:34 < bridge> <AssassinTee> huh, can you elaborate on this?
12:36 < bridge> <heinrich5991> https://research.securitum.com/fail2ban-remote-code-execution/
12:36 < bridge> <AssassinTee> thx
12:36 < bridge> <heinrich5991> each piece of code that runs is a piece of code that's vulnerable
12:36 < bridge> <heinrich5991> ssh has a good security story
12:36 < bridge> <heinrich5991> some random other tool probably does not
12:37 < bridge> <heinrich5991> hmm. that one needs a MITM for the server though
12:37 < bridge> <heinrich5991> I thought it was worse, let me retry searching
12:38 < bridge> <AssassinTee> I found much more, but they usually lead to arbitrary IP bans
12:38 < bridge> <heinrich5991> which is also bad because you could get locked out
12:42 < bridge> <AssassinTee> Thanks, this is a valuable info ^^ In my view the tool only modified ip tables in order to block connections, but I guess there is more to it
12:50 < bridge> <AssassinTee> You are right, the benefit is small, and it would be bad if it would be the only security measurement (which it isn't). But it keeps the simple stupid bots out, which is a plus side for me
12:53 < bridge> <reitw> You can use a ssh tarpit on the default port then lol, it's funny to annoy chinese bots
12:55 < bridge> <reitw> https://github.com/skeeto/endlessh
12:55 < bridge> <heinrich5991> simple stupid bots are also kept out by changing the default port btw
12:56 < bridge> <heinrich5991> that's also extra software you run 😉
12:56 < bridge> <reitw> true, well I don't use it at all but it's cool that it exists
12:56 < bridge> <heinrich5991> ye
12:57 < bridge> <reitw> instead I deploy a ssh key per computer
12:58 < bridge> <AssassinTee> you can run the tarpit in a docker container, if you have docker already running, then it's not even extra code
12:59 < bridge> <heinrich5991> docker isn't a security boundary
13:02 < bridge> <heinrich5991> e.g. https://cloud.google.com/blog/products/gcp/exploring-container-security-an-overview
13:03 < bridge> <heinrich5991> > A container isn’t a strong security boundary
13:03 < bridge> <heinrich5991> I suppose it says "strong"
13:03 < bridge> <heinrich5991> so maybe it is a weak one 🙂
13:04 < jxsl13> sombody tell ChillerDragon to un-star the DreamBerd programming language.
13:04 < bridge> <AssassinTee> I found this exact link already, at least it prevents direct access to shared resources, I guess it's still better than nothing
13:06 < bridge> <AssassinTee> > Use the const const const keyword to make a constant constant constant
13:06 < bridge> <AssassinTee> Ah yes, the constant constant constant
13:09 < bridge> <AssassinTee> Nice shitpost, but why?