[15:49:48] netops, Operations, fundraising-tech-ops: NAT for new fundraising bastion - https://phabricator.wikimedia.org/T193177#4161644 (cwdent)
[15:51:16] netops, Operations, fundraising-tech-ops: NAT for new fundraising bastion - https://phabricator.wikimedia.org/T193177#4161671 (cwdent)
[16:08:07] netops, Operations, fundraising-tech-ops: NAT for new fundraising bastion - https://phabricator.wikimedia.org/T193177#4161775 (ayounsi) a:ayounsi ```lang=diff [edit security nat static rule-set static-nat] + rule frbast1001 { + match { + destination-address 208.80.155.8...
[16:08:18] netops, Operations, fundraising-tech-ops: NAT for new fundraising bastion - https://phabricator.wikimedia.org/T193177#4161777 (ayounsi) Open>Resolved
[16:10:47] Traffic, netops, Operations, ops-ulsfo: Rack/cable/configure ulsfo MX204 - https://phabricator.wikimedia.org/T189552#4161795 (BBlack) Note this will involve a planned ulsfo site outage, with its traffic falling back to codfw. If things go well the outage should be brief, the 5h estimate above is...
[16:33:11] netops, Operations: ulsfo<->eqord BGP down - https://phabricator.wikimedia.org/T192114#4161917 (ayounsi) Open>Resolved TTL fixed. Sessions up.
[17:18:48] netops, Operations, fundraising-tech-ops: New PFW policy - https://phabricator.wikimedia.org/T193189#4162058 (cwdent)
[18:05:14] varnish 4.1.10 has been released yesterday, including the #1799 and OH leak fixes that we've backported already https://github.com/varnishcache/varnish-cache/blob/4.1/doc/changes.rst#varnish-cache-4110-2018-04-25
[18:06:06] we might want to go through the other changes and see what else we should port
[18:06:36] cool
[18:10:29] netops, Operations, fundraising-tech-ops: New PFW policy - https://phabricator.wikimedia.org/T193189#4162232 (ayounsi) Open>Resolved a:ayounsi Pushed.
```
$ nc -zv 208.80.155.8 22
Connection to 208.80.155.8 22 port [tcp/ssh] succeeded!
```
[18:44:55] Traffic, Operations, ops-eqiad, Patch-For-Review: rack/setup/install lvs101[3-6] - https://phabricator.wikimedia.org/T184293#4162375 (Cmjohnson) @ayounsi Can you create a subnet for LVS for row D please.
[19:13:49] I'm looking at traffic from web crawlers and just noticed we get a lot of traffic from some bots pretending to be Google's bots and falsely identifying themselves in the useragent string. Is this something the traffic team is interested in or is worried about?
[19:28:21] bearloga: hmmm how are you identifying that behaviour? just matching IP ranges and UA?
[19:35:49] vgutierrez: looking up by UA then reverse DNS lookup on the IP address to check the hostname. e.g. 1.2M requests from "Googlebot/2.1 (+http://www.googlebot.com/bot.html)" -- which is not even in Google's list of crawler UAs -- in one day but host is some VPS company, not Google
[19:37:55] yup.. the legit one is "Googlebot/2.1 (+http://www.google.com/bot.html)"
[19:38:01] Yup
[19:39:22] thx for letting us know about this
[19:39:44] So yeah, I don't know if this is of interest to the team so I don't know if I should file a restricted-view phab task about it or start an email thread with all the offenders.
[19:40:34] hmmm bblack can answer better than me to that question, I've been around a few months now :)
[19:41:31] but, in other similar cases, we talked to the offenders to try to get a nice behaviour from their bots
[19:42:35] nice behaviour --> https://www.mediawiki.org/wiki/API:Etiquette
[19:43:30] bblack: I'm going to be verifying IP addresses of traffic from Googlebot, Baiduspider, Yandexbot, Bingbot anyway because the task I'm working on requires genuine crawler traffic so if you want I can make a list of UAs & IP addresses that misrepresent themselves
[19:45:05] that would be interesting for me actually, I'm analyzing UAs right now to discern legit users that they're using AES128-SHA ciphersuite
[19:45:16] so a blacklist of UAs could become handy :)
[19:48:41] vgutierrez: sounds good
[20:20:53] FWIW, "googlebot.com" is owned by Google
[20:21:13] (same whois data as google.com)
[20:21:49] If you have some samples of IPs these UAs come from, can communicate them (privately) to us or XioNoX and we could verify from other perspectives whether it seems to be truly-google or not, perhaps.
[20:21:53] bearloga: ^
[20:22:29] (not the whole list, but maybe samples to sanity-check)
[21:01:55] I think this would be useful to the general public
[21:02:43] hmm, do bots impersonating other bots have any privacy rights?
[21:38:34] HTTPS, Traffic, Operations, Wikimedia-Shop: store.wikimedia.org HTTPS issues - https://phabricator.wikimedia.org/T128559#2078914 (Pcoombe) The store HSTS header now has `max-age=31557600`, but still no `includeSubDomains` or `preload`.