@gwire
gwire / wordpress_login_throttle_nginx.md
Created December 13, 2022 22:43
Rate-limiting WordPress login attempts with nginx

One annoyance of running a publicly accessible WordPress site is the bots that rapidly make thousands of login attempts via /wp-login.php.

Even if none of the guesses are ever likely to work, the site will waste resources running PHP and SQL to confirm that to be the case.

A barrier to these drive-by hack attempts can be added using nginx's http_limit_req, where rate limiting is applied only to POST requests for the login page, not affecting the rest of the site.

  1. In /etc/nginx/conf.d/login-limit.conf we create the zone LOGINLIMIT. 1m is the size of the shared memory zone for tracking requests, and 15r/m limits to 15 requests per minute (i.e. 1 every 4 seconds).

@gwire
gwire / download_missing_avatars.rb
Last active December 2, 2022 18:19
Download missing mastodon avatars to the cache
#!/usr/bin/env ruby
# Remote mastodon accounts can be refreshed with the command
# tootctl accounts refresh --all
# https://docs.joinmastodon.org/admin/tootctl/#accounts-refresh
# however, tootctl was having issues, so I ended up writing this
# helper script to scan a mastodon cache for missing avatar/header images
# prioritising recently active accounts, and download directly
#
@gwire
gwire / wordpress_social_rel.php
Last active November 21, 2022 10:24
Adding rel="me" to WordPress social link block items
<?php
/**
* Mastodon accounts can be verified by adding a rel="me" link in the basic rendered html.
* While a <link/> could be added, it seemed like the existing social-links block should be
* the place to add it, but there's currently no way to specify "rel" values in the UI.
*
* Currently only adds to "mastodon" links, but could probably be added to others.
*/
add_filter('render_block', 'social_rel_me', 10, 2);
function social_rel_me($block_content, $block) {
@gwire
gwire / nginx_webfinger.md
Last active November 19, 2022 10:34
A simple webfinger service using nginx

My assumption is that you should be able to discover Mastodon accounts by searching for email addresses, which should in turn query webfinger.

So for a domain that isn't hosting Mastodon, you can set up a webfinger server. Or you can just hand code some json files and serve them using nginx.

Rather than look into installing a webfinger server, I just initially want to serve up the json files directly from nginx.

  • Set up a redirect under example.com (as suggested in RFC 7033)
  location = /.well-known/host-meta {
@gwire
gwire / outlook_mid_values.md
Last active November 4, 2022 10:13
Decoding Outlook Message-Id values

Email Message-Id: headers generated by Outlook servers use domains that appear to incorporate:

  • AAA: a three character geographic region
  • PPPP: either "PRXX" when appended to city, "PRDXX" appended to region where XX is a small value 01-99
  • ...or PXXX where XXX appears to be a unique value 001-999
  • BB: a two character "city" code
  • C: a value appended to BB 0-9 or A-Z
  • MM: "MB" or "01MB", not sure what this is
  • DDDD: a value 0001-9999 server identifier? customer?
  • X: seemingly random value 0-9a-z (which you'd expect in a Message-Id)
@gwire
gwire / commons_email.py
Last active April 25, 2023 11:32
List MP email addresses
#!/usr/bin/env python3
# quick script to iterate through the parliament contact API and output email details
# in the form "name,party,email" for each current Commons member
import sys
import json
import requests
import re
@gwire
gwire / mp_csv.sh
Created September 5, 2022 14:36
Generate a list of current MPs and their party
curl "https://lda.data.parliament.uk/commonsmembers.json?_pageSize=800"| jq -r '.result.items[]|"\(.fullName._value),\(.party._value)"'
@gwire
gwire / 21_uri_ipfs.cf
Last active August 30, 2022 13:46
SpamAssassin rule to match IPFS urls
## these are the IPFS gateways I've seen most frequently in spam/phishing.
## Others can be found via https://ipfs.github.io/public-gateway-checker/
## We assume the string "/ipfs/" followed by a Base36/Base32 string of at least 20 chars is an IPFS url.
uri __URI_IPFS_LIKELY m,/ipfs/[a-z0-9]{20,}=?,i
uri __URI_IPFS_1 m,://ipfs\.io/ipfs/,i
uri __URI_IPFS_2 m,://ipfs\.fleek\.co/ipfs/,i
meta HEX_IPFS_URI ( __URI_IPFS_1 || __URI_IPFS_2 )
describe HEX_IPFS_URI Contains a known IPFS public gateway URI
@gwire
gwire / tinycaa.py
Last active August 15, 2022 22:31
Tool to generate CAA records for tinydns
#!/usr/bin/env python3
# tinycaa - generate a CAA RR type 257
#
# example: ./tinycaa.py --domain example.com --flag 1 --tag issue --ca ca.example.net
#
# https://www.rfc-editor.org/rfc/rfc8659
#
# 2022 Lee Maguire
@gwire
gwire / tinysvcb.py
Last active August 10, 2022 22:18
Tool to generate SVCB/HTTPS DNS records for tinydns
#!/usr/bin/env python3
# tinysvcb - generate RR type 64 SVCB or type 65 HTTPS records in tinydns wire format
#
# example: ./tinysvcb.py --https --domain example.com --priority 0 --target host.example.com
#
# Based on https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/10/
#
# 2022 Lee Maguire