|
duck monster posted:Actually I'd strongly recommend not letting your MySQL listen on a public port. Some dude's gonna scan it down and brutalize it. What? There's nothing insecure about a public MySQL server. Just use a password other than the combo to your luggage and you'll be fine.
|
# ? Jun 21, 2009 17:53 |
|
|
Janin posted:What? There's nothing insecure about a public MySQL server. Just use a password other than the combo to your luggage and you'll be fine. General rule of thumb: never leave a daemon bound to external addresses unless you have an explicit need to serve connections to external clients. Doing otherwise is just stupid and leaving yourself open to the various kinds of remote exploits that are a fact of life. For MySQL specifically, just looking at RedHat's advisories from the past few years, I've found two remote exploits that don't require any sort of login: https://rhn.redhat.com/errata/RHSA-2009-0259.html https://rhn.redhat.com/errata/RHSA-2007-0875.html That's for a single vendor, I'm sure there's more. Despite your offhand luggage password comment, all you need is one DB account with a crackable password -- even if that account only has limited access -- and that account can then be used to exploit the other 3 or 4 advisories I found that required an (any!) authenticated user. Betting your data and your server on being able to keep tabs on database account passwords is, again, stupid. tl;dr: "lol just have a safe password" is not a valid security policy
|
# ? Jun 21, 2009 18:13 |
|
Janin posted:What? There's nothing insecure about a public MySQL server. Just use a password other than the combo to your luggage and you'll be fine. This is wrong. Never leave any service running publicly available unless it has to be accessed by something external. When it does need to be accessed externally, enforce the tightest access rules possible on multiple layers when possible. If your backup server needs to get access to your MySQL server and an SSH tunnel or VPN isn't possible, 3306 should be explicitly blocked in your firewall from all IPs EXCEPT your backup machine's IP, and then the backup user should ONLY be able to connect from that IP. Never just leave a service running publicly available unless it 100% needs to be.
|
# ? Jun 21, 2009 18:17 |
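The account-layer half of the advice above (the backup user only able to connect from the backup machine's IP) is easy to get wrong silently, because MySQL host patterns like `%` or `10.0.%` are accepted without complaint. The following is an added example written for this thread, not code posted by anyone in it: it audits constructed `mysql.user`-style rows for wildcard hosts and empty passwords, and emits a grant set pinned to one client address. The sample rows, function names and the minimal dump privilege list are this example's own assumptions; nothing here contacts a server.

```python
"""Audit MySQL account host scopes and emit a host-restricted backup grant.

Added example for this thread; it is not code from any poster. The rows
below are constructed to look like `SELECT user, host FROM mysql.user`
output plus a has-password flag; no server is contacted and nothing is
executed. Function names and the minimal dump privilege set are this
example's assumptions.
"""
import ipaddress

# Constructed sample of mysql.user rows: (user, host, has_password)
SAMPLE_USER_ROWS = [
    ("root", "localhost", True),
    ("backup", "%", True),                      # reachable from anywhere
    ("app", "192.0.2.0/255.255.255.0", True),   # MySQL 'ip/netmask' form
    ("legacy", "%", False),                     # wildcard host, no password
    ("report", "192.0.2.10", True),             # one exact client: fine
]


def host_is_wildcard(host):
    """True when a MySQL host pattern can match more than one machine.

    MySQL host values are an exact name/IP, a LIKE-style pattern ('%' and
    '_' are wildcards), or an 'ip/netmask' pair covering a whole network.
    """
    if "%" in host or "_" in host:
        return True
    if "/" in host:
        ip, mask = host.split("/", 1)
        try:
            net = ipaddress.IPv4Network((ip, mask), strict=False)
        except ValueError:
            return True  # unparseable: call it broad and let a human look
        return net.num_addresses > 1
    return False


def audit_user_rows(rows):
    """Return [(user, host, reason), ...] for accounts worth tightening."""
    findings = []
    for user, host, has_password in rows:
        if not has_password:
            findings.append((user, host, "empty password"))
        if host_is_wildcard(host):
            findings.append((user, host, "host pattern admits many sources"))
    return findings


def hardened_backup_grants(user, client_ip, db, password="<set-out-of-band>"):
    """SQL scoping a read-only dump account to exactly one client address.

    Pairs with a firewall rule admitting 3306 only from that same address:
    the grant then matches nothing else even if the firewall is misconfigured.
    The privilege list is an assumed minimum for a logical dump.
    """
    ipaddress.ip_address(client_ip)  # raises ValueError on '%' or '10.0.%'
    scoped = "'%s'@'%s'" % (user, client_ip)
    return [
        "CREATE USER %s IDENTIFIED BY '%s';" % (scoped, password),
        "GRANT SELECT, SHOW VIEW, LOCK TABLES, TRIGGER ON `%s`.* TO %s;" % (db, scoped),
    ]


if __name__ == "__main__":
    for finding in audit_user_rows(SAMPLE_USER_ROWS):
        print("tighten: %s@%s (%s)" % finding)
    print("\n".join(hardened_backup_grants("backup", "192.0.2.10", "shop")))
```

Run against real output of `SELECT user, host, authentication_string <> '' FROM mysql.user`, the audit lists every account that is reachable from more than one machine; the server-side counterpart is `bind-address` in my.cnf, which keeps mysqld off the public interface entirely unless it has to be there.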
|
bitprophet posted:General rule of thumb: never leave a daemon bound to external addresses unless you have an explicit need to serve connections to external clients. Doing otherwise is just stupid and leaving yourself open to the various kinds of remote exploits that are a fact of life. The first advisory wouldn't be solved by moving MySQL to an internal port, and the second doesn't expose any data. Forcing all requests to a database server through a proxy is just introducing another layer that could, and probably does, contain security vulnerabilities. Any vulnerability exploitable by a logged-in user could be performed just as easily over an SSH tunnel. I maintain that Client -> public SSH -> private MySQL is just as insecure as Client -> public MySQL. TOO SCSI FOR MY CAT fucked around with this message at 18:25 on Jun 21, 2009 |
# ? Jun 21, 2009 18:23 |
|
Janin posted:I maintain that Client -> public SSH -> private MySQL is just as insecure as Client -> public MySQL. Then you are stupid. As a side note, if you do indeed choose to go with an outside-facing MySQL, please have the good conscience to use SSL.
|
# ? Jun 21, 2009 18:34 |
|
How do I get Python to deal with datetimes with timezones?
code:
Python Docs posted:%z UTC offset in the form +HHMM or -HHMM (empty string if the object is naive).
|
# ? Jun 21, 2009 18:52 |
|
pytz is your best chance, but I don't know if it supports parsing strings with tz information.
|
# ? Jun 21, 2009 19:11 |
|
Zombywuf posted:How do I get python to deal with datetimes with timezones? http://pypi.python.org/pypi/iso8601/
|
# ? Jun 21, 2009 19:27 |
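For the common case (timestamps that already carry an offset, as in logs from several hosts), the standard library's `%z` directive quoted above is enough; pytz or the iso8601 package are only needed for named zones. The following is an added example, not code posted in the thread: it parses a few offset-bearing formats into aware datetimes, normalises them to UTC for comparison, and refuses naive input rather than letting it be silently read in the host's local zone. The formats, the `Z`-suffix handling (Python 3.7+ accepts `Z` and `+HH:MM` in `%z` directly; the replacement keeps it working on older interpreters) and the sample strings are this example's assumptions.

```python
"""Normalise offset-bearing timestamps to aware UTC datetimes.

Added example, not from the thread. Standard library only: strptime's %z
directive plus a manual 'Z' rewrite for interpreters older than 3.7.
Sample inputs are constructed.
"""
from datetime import datetime, timezone

# Tried in order; the naive form is last so it can be rejected explicitly.
_FORMATS = (
    "%Y-%m-%dT%H:%M:%S%z",       # 2009-06-21T18:52:00+0000 (or +00:00 on 3.7+)
    "%Y-%m-%dT%H:%M:%S.%f%z",    # same, with fractional seconds
    "%d/%b/%Y:%H:%M:%S %z",      # Apache/nginx access-log style
    "%Y-%m-%d %H:%M:%S",         # naive: parsed only so we can refuse it
)


def parse_offset_timestamp(text):
    """Parse text into an aware datetime; raise ValueError if no offset.

    A naive result would be interpreted in whatever zone the host runs in,
    which corrupts cross-host correlation, so it is an error here.
    """
    candidate = text.strip()
    if candidate.endswith("Z"):              # RFC 3339 'Zulu' suffix
        candidate = candidate[:-1] + "+0000"
    for fmt in _FORMATS:
        try:
            dt = datetime.strptime(candidate, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:
            raise ValueError("timestamp has no UTC offset: %r" % text)
        return dt
    raise ValueError("unrecognised timestamp: %r" % text)


def to_utc(text):
    """Aware UTC datetime for an offset-bearing timestamp string."""
    return parse_offset_timestamp(text).astimezone(timezone.utc)


def same_instant(a, b):
    """True when two differently formatted strings denote one instant."""
    return to_utc(a) == to_utc(b)


if __name__ == "__main__":
    print(to_utc("2009-06-21T14:52:00-0400").isoformat())   # 18:52 UTC
    print(same_instant("21/Jun/2009:20:52:00 +0200", "2009-06-21T18:52:00Z"))
```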
|
m0nk3yz posted:You should see this: Definitely on Leopard.
|
# ? Jun 21, 2009 20:23 |
|
Janin posted:What? There's nothing insecure about a public MySQL server. Just use a password other than the combo to your luggage and you'll be fine. Keep on believing bro. Keep on believing. I've seen first-hand MySQL databases raped from somewhat determined brute-force attacks. And there have been brute-forcer distributed worms for MS-SQL, leaving me to suspect a MySQL brute worm is a matter of when, not if.
|
# ? Jun 21, 2009 20:26 |
|
Janin posted:The first advisory wouldn't be solved by moving MySQL to an internal port, and the second doesn't expose any data. Forcing all requests to a database server through a proxy is just introducing another layer that could, and probably does, contain security vulnerabilities. Any vulnerability exploitable by a logged-in user could be performed just as easily over an SSH tunnel. What. No, that's an absurdity. Two iron gates are harder to crack than one, always.
|
# ? Jun 21, 2009 20:28 |
|
duck monster posted:What. No, that's an absurdity. Two iron gates are harder to crack than one, always. Not to mention that everyone runs outside-facing SSH, so flaws in it get detected in near real time as attacks happen. No one in their right mind runs a public-facing MySQL, so the chances of detecting an exploit on it are very low.
|
# ? Jun 21, 2009 21:04 |
|
deimos posted:Not to mention that everyone runs outside-facing SSH To ask a Python question: anyone know of any decent "CLI UI" (and not curses-based, I don't think) libraries for Python? I'm thinking of commonish stuff like progress bars, spinners, formatting data into columns, simple "choose option A B or C" menus, and so forth. (I could swear I saw a PyMOTW posting on that last one, but can't find it now. Maybe I should ask Doug...) Yes, many of these tasks are relatively simple, but it's still annoying to try and reinvent the wheel, and it feels like the sort of thing that someone would have written a lib for.
|
# ? Jun 21, 2009 22:11 |
|
bitprophet posted:To ask a Python question: anyone know of any decent "CLI UI" (and not curses-based, I don't think) libraries for Python? I'm thinking of commonish stuff like progress bars, spinners, formatting data into columns, simple "choose option A B or C" menus, and so forth. (I could swear I saw a PyMOTW posting on that last one, but can't find it now. Maybe I should ask Doug...) If this exists, it would be cool. I'm always writing progress bars and the like.
|
# ? Jun 22, 2009 01:05 |
|
bitprophet posted:I actually had to lock our network down with a VPN because of SSH brute-force attacks. Successful ones. Because highly placed nontechnical staff (read: ones I cannot say "no" to) with logins didn't want to use secure passwords. Moral of story: never rely solely on the strength of a single level of password authentication if your user base consists of people who are not you. To continue with the derail, your fault for not using private keys. To answer your question, maybe python-gnt? (It is curses though.)
|
# ? Jun 22, 2009 05:27 |
|
This might be what you need. Seems to implement a windowing system on top of curses. Forgot I still had that link saved.
|
# ? Jun 22, 2009 05:40 |
|
deimos posted:To continue with the derail, your fault for not using private keys. quote:To answer your question maybe python-gnt? (It is curses though) hlfrk414 posted:This might be what you need. Seems to implement a windowing system on top of curses. Forgot I still had that link saved. Yea, those are both curses, which I was hoping to avoid. Just want simple, no-frills generic implementations of stuff like wget/curl-type progress bars and etc. I'll do more looking on my own; was mostly looking for a "oh yea, package X is a well-known standard in this area" which doesn't seem to be the case. Not asking you guys to do my research for me.
|
# ? Jun 22, 2009 12:40 |
|
Is there an alternative to mod_python, since I'm running 2.6? I found some vague info from google on how to alter the install, but I can't get it to work.
|
# ? Jun 22, 2009 12:42 |
|
LuckySevens posted:Is there an alternative to mod_python, since I'm running 2.6? I found some vague info from google on how to alter the install, but I can't get it to work. mod_wsgi if you're lucky
|
# ? Jun 22, 2009 13:14 |
|
bitprophet posted:I actually had to lock our network down with a VPN because of SSH brute-force attacks. Successful ones. Because highly placed nontechnical staff (read: ones I cannot say "no" to) with logins didn't want to use secure passwords. Moral of story: never rely solely on the strength of a single level of password authentication if your user base consists of people who are not you. quote:To ask a Python question: anyone know of any decent "CLI UI" (and not curses-based, I don't think) libraries for Python? I'm thinking of commonish stuff like progress bars, spinners, formatting data into columns, simple "choose option A B or C" menus, and so forth. (I could swear I saw a PyMOTW posting on that last one, but can't find it now. Maybe I should ask Doug...)
|
# ? Jun 22, 2009 13:21 |
|
duck monster posted:Yeah, there are brute-forcer worms out there alright. Use fail2ban; it basically sits over ssh (and a few other things, I think) and if it gets more than 3 or 4 consecutive login attempts from an IP, it drops it at the firewall for 15 minutes, and a bunch of other techniques. A friend was talking the other day about a hack that'd implement teergrubbing, basically rather than drop the connection, just fall comatose and try and exhaust the worm's threads (thus crashing it or grievously slowing it down). You just need a few iptables rules. If you have the TARPIT module (unmaintained for ages) you can tarpit the connection, i.e. set the TCP window to 0, but keep responding to SYNs (If you don't know what that means, basically it's what you describe as teergrubbing (where the hell did that term come from?)). http://paste2.org/p/278718 for anyone interested. code:
|
# ? Jun 22, 2009 14:10 |
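The fail2ban behaviour described in the quoted post (N failed logins from one IP within a window, then drop that IP at the firewall for a while) is a small sliding-window counter over sshd's log lines. The following is an added example written for this thread, not fail2ban's code and not the iptables rules from the pasted link: it parses constructed OpenSSH `auth.log` lines, bans an address once `max_retry` failures land inside `window`, ignores further hits while the ban lasts, and returns the firewall command rather than executing it. Thresholds, the log sample and the function names are this example's assumptions. The only thing that would have stopped the successful brute-forcing bitprophet describes, though, is removing password authentication (`PasswordAuthentication no` in sshd_config) and using keys, which rate limiting does not replace.

```python
"""fail2ban-style sshd brute-force detector over auth.log lines.

Added example, not code from the thread or from fail2ban. Log lines are
constructed in the OpenSSH syslog format; nothing touches iptables, the
ban action is returned as the command an operator would run. Defaults
mirror the thread's '3 or 4 attempts, 15 minute drop'.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. Traditional syslog lines carry no year, so pin one.
LOG_YEAR = 2009
SAMPLE_AUTH_LOG = """\
Jun 22 14:01:03 host sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jun 22 14:01:05 host sshd[2212]: Failed password for root from 198.51.100.7 port 51023 ssh2
Jun 22 14:01:06 host sshd[2214]: Failed password for invalid user oracle from 198.51.100.7 port 51024 ssh2
Jun 22 14:01:09 host sshd[2216]: Failed password for invalid user test from 198.51.100.7 port 51025 ssh2
Jun 22 14:02:00 host sshd[2220]: Accepted publickey for deploy from 192.0.2.10 port 40001 ssh2
Jun 22 14:05:30 host sshd[2230]: Failed password for bob from 203.0.113.9 port 60001 ssh2
Jun 22 14:30:00 host sshd[2240]: Failed password for bob from 203.0.113.9 port 60002 ssh2
Jun 22 14:30:02 host sshd[2242]: Failed password for bob from 203.0.113.9 port 60003 ssh2
Jun 22 14:30:04 host sshd[2244]: Failed password for bob from 203.0.113.9 port 60004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, ip, user) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime("%d %s" % (LOG_YEAR, m.group("ts")), "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("user")


def find_bans(log_text, max_retry=4, window=timedelta(minutes=10),
              ban_time=timedelta(minutes=15)):
    """Return [(ban_start, ip), ...] from a per-IP sliding window of failures.

    An IP is banned when max_retry failures fall inside window. While the
    ban lasts its further failures are skipped (the firewall is dropping
    them anyway); once it lapses the count starts over.
    """
    recent = defaultdict(deque)
    banned_until = {}
    bans = []
    for ts, ip, _user in sorted(parse_failures(log_text)):
        if ip in banned_until and ts < banned_until[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than window
            q.popleft()
        if len(q) >= max_retry:
            bans.append((ts, ip))
            banned_until[ip] = ts + ban_time
            q.clear()
    return bans


def iptables_drop_command(ip):
    """Firewall action for a ban; returned as text, never executed here."""
    return "iptables -I INPUT -p tcp --dport 22 -s %s -j DROP" % ip


if __name__ == "__main__":
    for when, ip in find_bans(SAMPLE_AUTH_LOG):
        print("%s ban %s: %s" % (when, ip, iptables_drop_command(ip)))
```

With the defaults, 198.51.100.7 is banned on its fourth failure at 14:01:09 while 203.0.113.9 is not: its first failure is 24 minutes before the next three and falls out of the 10-minute window, which is exactly the slow-and-low pattern a threshold alone will not catch, so the window and threshold are worth tuning against your own logs.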
|
Uh. Old anti-spam trick. MTA, when it detects spam, rather than hanging up it just sits there holding the spammer's hand and falls asleep. The old spam bots were pretty much single threaded, so it'd kill it dead. Old web trick that used to work awesome for web spam was to create a gzip file with an HTML header and 2 gigs of zeros. 2meg file. Hide it on a <div style=display:none> type link and for added measure put it in robots.txt (to filter out good bots like Google) and serve it as a gzipped HTML file. The thing would send the 2meg file, which would unpack inside the bot's brain, flooding it with 2 gigabytes worth of zeros. Make sure Apache knows not to unpack it under any costs and ONLY serve it if the bot accepts gzip HTML. It does horrifying things to browsers too.
|
# ? Jun 22, 2009 15:10 |
|
LuckySevens posted:Is there an alternative to mod_python, since I'm running 2.6? I found some vague info from google on how to alter the install, but I can't get it to work. It depends on what you're trying to do with it. If you're looking to find something like the python publisher handler you can probably use zope but I've never used it personally so I can't say what the real differences are. If you wanted to use mod_python to access apache via handlers for each step I don't think there is an alternative to mod_python. But if all you're trying to do is write CGI scripts, you can just stick a "#!/bin/env python" at the top of your script and drop them in a directory with +ExecCGI.
|
# ? Jun 22, 2009 15:54 |
|
Zombywuf posted:teergrubbing (where the hell did that term come from?)). A tarpit (also known as Teergrube, the German word for tarpit)...
|
# ? Jun 22, 2009 17:51 |
|
tef posted:A tarpit (also known as Teergrube, the German word for tarpit)... Crazy Germans, munging all their words together to make new words. Oh wait...
|
# ? Jun 22, 2009 21:42 |
|
Is there good documentation on Python internals or any advice for diving in? I've been looking at the GIL talk http://blip.tv/file/2232410 and I've been wondering if there might be some simple improvements that could mitigate some of the GIL problems on multicore. Or at least make Control-C work in a multithreaded program.
|
# ? Jun 26, 2009 23:42 |
|
bitprophet posted:Yea, those are both curses, which I was hoping to avoid. Just want simple, no frills generic implementations of stuff like wget/curl type progress bars and etc. Uh what no. urwid is a general console UI library. One of its backends is curses, but it doesn't depend on curses or require you to use curses. LuckySevens posted:Is there an alternative to mod_python, since I'm running 2.6? I found some vague info from google on how to alter the install, but I can't get it to work. This question makes no sense. You're going to have to explain what it is you want. mod_python also sucks, for reasons I've already explained several times in this very thread.
|
# ? Jun 27, 2009 03:13 |
|
tef posted:Is there good documentation on python internals or any advice for diving in? Ugh. That talk. Here's one link for you: http://www.python.org/dev/ - unfortunately, I don't know of a doc on interpreter internals, or if I did, I've forgotten
|
# ? Jun 27, 2009 03:46 |
|
m0nk3yz posted:Ugh. That talk. ceval.c, it really is remarkably readable. For unladen swallow eval.cc and llvm_fbuilder.cc, unladen-swallow might be a good place to look just because they do have the man power and the strong inclination to look at these issues (no offense monkeyz).
|
# ? Jun 27, 2009 06:42 |
|
king_kilr posted:ceval.c, it really is remarkably readable. For unladen swallow eval.cc and llvm_fbuilder.cc, unladen-swallow might be a good place to look just because they do have the man power and the strong inclination to look at these issues (no offense monkeyz).
|
# ? Jun 27, 2009 07:53 |
|
king_kilr posted:ceval.c, it really is remarkably readable. For unladen swallow eval.cc and llvm_fbuilder.cc, unladen-swallow might be a good place to look just because they do have the man power and the strong inclination to look at these issues (no offense monkeyz). What? No worries, I'd drop everything and work on unladen swallow if I had the time. The more core-devs that work on it the happier I am. I'd really like to see unladen become core sooner rather than later. Now, I'd bitch myself blue if someone was suggesting dumping time into pypy, because that's a science project, and has been for a while. Depending on how the next milestones go, I'm considering cutting over to running it alongside 2.6 in production. quote:It's funny how in the OSS world "man-power" means 3 people. Well, it's 3 almost-full-time people whose job it is to kick rear end on the project. For example, I don't know of anyone who works on python-core who gets paid close to full time to work on it. Most of the people I speak to get *maybe* 25% of their time at paying jobs to work on it. I get around 20% usually. Also, it's not just Collin/Jeffery/Thomas - they've actually got 4 or 5 other people helping out, as well as LLVM people pitching in. Well, that and they have an actual project plan, milestones and focus. It's not often you get something like that in OSS. m0nk3yz fucked around with this message at 12:59 on Jun 27, 2009 |
# ? Jun 27, 2009 12:54 |
|
m0nk3yz posted:Now, I'd bitch myself blue if someone was suggesting dumping time into pypy, because that's a science project, and has been for a while. Depending on how the next milestones go, I'm considering cutting over to running it alongside 2.6 in production.
|
# ? Jun 27, 2009 18:27 |
|
Janin posted:PyPy is currently faster than Unladen. on some very synthetic benchmarks
|
# ? Jun 27, 2009 20:03 |
|
Janin posted:PyPy is very compatible with CPython now, and is currently faster than Unladen. I'm not sure where you're getting your numbers from: PyPy Guys posted:Python interpreter is now between 0.8 and 2x (and in some corner case 3-4x) slower than CPython If we assume they're referring to CPython 2.5 (which is the version they're compatible with) then they'll be maybe 5% slower (above this) than 2.6, and over 20+% slower than unladen swallow (above and beyond the other numbers).
|
# ? Jun 27, 2009 20:08 |
|
Janin posted:PyPy is very compatible with CPython now, and is currently faster than Unladen. It is... with very selective benchmarks - namely long running/hot loops, and I don't know anyone who would run it in production. Run the unladen swallow benchmarks (real world, no bullshit ones) and you'll see the real performance. I'm sure PyPy, when it gets focus, or commercial backing/sponsorship could very well become a better platform than CPython. The JIT work it's doing is pretty cool, from a "hey that's neat" type of perspective, but the difference between what they've been doing, and the unladen swallow is vast. Not to mention unladen swallow is running youtube. That's real-world.
|
# ? Jun 27, 2009 20:12 |
|
http://morepypy.blogspot.com/2009/06/jit-progress.htmlquote:The performance of the resulting code is quite good: even with Boehm (the GC that is easy to compile to but gives a slowish pypy-c), a long-running loop typically runs 50% faster than CPython. That's "baseline" speed, moreover: we will get better speed-ups by applying optimizations on the generated code. Even unoptimized, with the less-performant GC option, it's faster than CPython. 50% is obviously a corner case, but I have seen 5-8% improvements over 2.x trunk. Once it achieves 3.x compatibility, I plan to begin testing it for use in personal projects.
|
# ? Jun 27, 2009 20:15 |
|
Janin posted:http://morepypy.blogspot.com/2009/06/jit-progress.html ... the post even specifically says it's for a very specific case, and not for general code. More importantly, if the improvements you've seen are 5-8% (which is inconsistent with the PyPy guys' own statements) then that's 15% slower than Unladen Swallow's Q1 release at a minimum.
|
# ? Jun 27, 2009 20:20 |
|
king_kilr posted:... the post even specifically says it's for a very specific case, and not for general code. More importantly if the improvements you've seen are 5-8% (which is inconsistant with the PyPy guys' own statements) then that's 15% slower than Unladen swallow's Q1 release at a minimum. Python trunk, which contains the Unladen improvements.
|
# ? Jun 27, 2009 20:28 |
|
Janin posted:Python trunk, which contains the Unladen improvements. Actually, it doesn't - it only contains some of the "easy to upstream" ones.
|
# ? Jun 27, 2009 20:32 |
|
|
m0nk3yz posted:Actually, it doesn't - it only contains some of the "easy to upstream" ones. From http://code.google.com/p/unladen-swallow/wiki/Releases quote:2009Q1
|
# ? Jun 27, 2009 20:50 |