1. 17 Nov, 2003 7 commits
    • 
      Merge the two state machines (batchstate and state) into a single · 2025e0bd
      Leigh Stoller authored
      state machine (state). All of the stuff that was previously handled by
      using batchstate is now embedded into the one state machine. Of
      course, these mostly overlapped, so it's not that much of a change,
      except that we also redid the machine, adding more states (for
      example, modify phases are now explicit). To get a picture of the
      actual state machine, on boss:
      
      		stategraph -o newstates EXPTSTATE
      		gv newstates.ps
      
      Things to note:
      
      * The "batchstate" slot of the experiments table is now used solely to
        provide a lock for batch daemon. A secondary change will be to
        change the slot name to something more appropriate, but it can
        happen anytime after this new stuff is installed.
      
      * I have left expt_locked for now, but another later change will be to remove
        expt_locked, and change it to active_busy or some such new state name in
        the state machine. I have removed most uses of expt_locked, except those
        that were necessary until there is a new state to replace it.
      
      * These new changes are an implementation of the new state machine,
        but I have not done anything fancy. Most of the code is the same as
        it was before.
      
      * I suspect that there are races with the batch daemon now, but they
        are going to be rare, and the end result is probably that a
        cancelation is delayed a little bit.
    • 
      Add web login attack detection/prevention. Two changes: · b1de9fb2
      Leigh Stoller authored
      * Add slots to users table to track number of failures in the last N
        seconds. If a threshold is passed (currently 4 failures in the last
        minute), the web login is disabled. Note that I do not disable the
        ops shell login at this time. Aging is passive; the values are cleared
        when login is successful, or when more than one minute has passed
        since the last failure. In other words, a burst of failures will
        disable the login, but failures over time are okay.
      
      * Add login_failures table to do exactly the same as above, except it
        is on an IP basis (REMOTE_ADDR in the server). Currently the
        threshold is 8 failures in the last two minutes, at which time all
        logins from that IP are disabled.
      
      In both cases email is sent to tbops (and the user).
      
      The constants are defined at the top of www/tbauth.in, rather than as
      site variables, to avoid pounding the DB when an attack is being
      launched.
      
      To clear a user freeze, go to the user profile page and use the
      "toggle" near the bottom.
      
      To clear an IP freeze: delete from login_failures where IP='1.1.1.1'
    • 
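The burst-based throttle the commit describes, written out as an added example in Python. It is not the project's code (the real logic lives in www/tbauth.in and in the users/login_failures tables); the class names, the in-memory storage and the notify callback are assumptions made here to show the mechanism: a per-user counter (4 failures in 60 s) and a per-IP counter (8 failures in 120 s), with passive aging, a freeze that persists until cleared, and a notification on the attempt that trips the threshold.

```python
"""Burst-based login failure throttling with passive aging.

Added example, not code from the commit above. Thresholds and windows are
the ones stated in the commit message; storage, class and function names
are assumptions for illustration.
"""
import time

USER_MAX_FAILS = 4     # 4 failures in the last minute freezes the user
USER_WINDOW = 60       # seconds
IP_MAX_FAILS = 8       # 8 failures in the last two minutes freezes the IP
IP_WINDOW = 120        # seconds


class FailureCounter:
    """Tracks failures per key as [count, last_failure_time, frozen]."""

    def __init__(self, max_fails, window):
        self.max_fails = max_fails
        self.window = window
        self.records = {}

    def is_frozen(self, key):
        rec = self.records.get(key)
        return bool(rec and rec[2])

    def record_failure(self, key, now):
        """Count one failure; return True if the key is now frozen."""
        rec = self.records.get(key)
        # Passive aging: a burst older than the window is forgotten, but a
        # freeze already in place stays until it is cleared explicitly.
        if rec is None or (not rec[2] and now - rec[1] > self.window):
            rec = [0, now, False]
        rec[0] += 1
        rec[1] = now
        if rec[0] >= self.max_fails:
            rec[2] = True
        self.records[key] = rec
        return rec[2]

    def clear(self, key):
        """Clear the counter (successful login, or an operator unfreeze)."""
        self.records.pop(key, None)


class LoginGuard:
    """Front door that consults both counters before checking a password."""

    def __init__(self, check_password, notify):
        self.users = FailureCounter(USER_MAX_FAILS, USER_WINDOW)
        self.ips = FailureCounter(IP_MAX_FAILS, IP_WINDOW)
        self.check_password = check_password  # assumed credential check
        self.notify = notify                  # stands in for mail to tbops

    def login(self, user, password, remote_addr, now=None):
        now = time.time() if now is None else now
        if self.users.is_frozen(user) or self.ips.is_frozen(remote_addr):
            return "frozen"
        if self.check_password(user, password):
            self.users.clear(user)
            self.ips.clear(remote_addr)
            return "ok"
        if self.users.record_failure(user, now):
            self.notify(f"web login disabled for user {user}")
        if self.ips.record_failure(remote_addr, now):
            self.notify(f"web login disabled for IP {remote_addr}")
        return "failed"


def demo():
    """Constructed scenario: one burst, one slow trickle of failures."""
    notices = []
    guard = LoginGuard(lambda u, p: p == "correct horse", notices.append)
    t0 = 1_000_000.0
    # Four wrong passwords within a minute freeze alice; the right one no
    # longer helps until an operator clears the freeze.
    burst = [guard.login("alice", "nope", "10.0.0.5", t0 + i) for i in range(4)]
    burst.append(guard.login("alice", "correct horse", "10.0.0.5", t0 + 5))
    # One failure every two minutes never accumulates (the user window is
    # 60 s), and the IP window of 120 s is not exceeded by six failures.
    slow = [guard.login("bob", "nope", "10.0.0.6", t0 + 120 * i) for i in range(6)]
    slow.append(guard.login("bob", "correct horse", "10.0.0.6", t0 + 800))
    return burst, slow, notices


def demo_ip():
    """Constructed scenario: eight users sprayed from one address."""
    notices = []
    guard = LoginGuard(lambda u, p: False, notices.append)
    t0 = 2_000_000.0
    spray = [guard.login(f"user{i}", "x", "10.0.0.9", t0 + i) for i in range(8)]
    spray.append(guard.login("zed", "x", "10.0.0.9", t0 + 8))
    return spray, notices
```

The per-IP freeze is the half a practitioner should watch: anyone behind a shared NAT address can lock everyone on that address out of the web login with eight bad attempts, which is the usual denial-of-service side effect of address-based throttling and the reason the commit keeps the ops shell login unaffected.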
      Add login_failures table and failure slots to users table. Both are · be8b5f28
      Leigh Stoller authored
      for tracking login attacks.
    • 
      Update README to include item about what frisbee won't do to dampen the · 6047ca80
      Mike Hibler authored
      enthusiasm of those who want to replace expensive commercial solutions
      (and so I don't have to tell people over and over...)
    • 
      First foray into using an MD5 hash to improve speed. · c34c1178
      Mike Hibler authored
      Currently, this only means defining a signature file and creating a
      utility to make them and check them against a disk.  The signature file
      is not used by frisbee/imageunzip yet.
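A per-chunk signature file and the make/check utility pair the commit mentions, as an added example in Python. It is not frisbee or imageunzip code: the commit only says that a signature file exists and that a utility makes one and checks it against a disk, so the file format used here (a header line with the chunk size, then one line per chunk giving its length and MD5), the chunk size and the function names are all assumptions of this example.

```python
"""Per-chunk MD5 signature file for a disk image, plus a checker that
reports which chunks on a target disk differ from the image.

Added example, not frisbee/imageunzip code. File format and chunk size
are assumptions; the sample image and disk contents are constructed.
"""
import hashlib
import io

CHUNK_SIZE = 1024 * 1024  # assumed 1 MiB chunks


def make_signature(image, chunk_size=CHUNK_SIZE):
    """Read a binary stream and return the signature text for it."""
    lines = [f"chunksize {chunk_size}"]
    while True:
        chunk = image.read(chunk_size)
        if not chunk:
            break
        # Store the length so a short final chunk compares correctly even
        # when the target disk is larger than the image.
        lines.append(f"{len(chunk)} {hashlib.md5(chunk).hexdigest()}")
    return "\n".join(lines) + "\n"


def parse_signature(text):
    """Return (chunk_size, [(length, hexdigest), ...]) from signature text."""
    head, *body = text.splitlines()
    keyword, size = head.split()
    if keyword != "chunksize":
        raise ValueError("not a signature file")
    entries = []
    for line in body:
        length, digest = line.split()
        entries.append((int(length), digest))
    return int(size), entries


def check_disk(disk, signature_text):
    """Return the indices of chunks whose content on `disk` does not match."""
    chunk_size, entries = parse_signature(signature_text)
    mismatched = []
    for index, (length, expected) in enumerate(entries):
        if length > chunk_size:
            raise ValueError("chunk longer than declared chunk size")
        chunk = disk.read(length)
        if len(chunk) != length or hashlib.md5(chunk).hexdigest() != expected:
            mismatched.append(index)
    return mismatched


# Constructed sample data: a 10000-byte image (three 4096-byte chunks, the
# last one short) and a larger disk that differs in the second chunk.
IMAGE = bytes(range(256)) * 39 + b"\x00" * 16      # 10000 bytes
DISK = bytearray(IMAGE) + b"\xff" * 5000           # disk is bigger than the image
DISK[4096 + 100] ^= 0x01                           # one flipped bit in chunk 1


def demo(chunk_size=4096):
    """Make a signature for IMAGE and check it against both targets."""
    signature = make_signature(io.BytesIO(IMAGE), chunk_size)
    clean = check_disk(io.BytesIO(bytes(IMAGE) + b"\xff" * 5000), signature)
    dirty = check_disk(io.BytesIO(bytes(DISK)), signature)
    return signature, clean, dirty
```

A chunk list like this is what lets a loader skip rewriting chunks that already match, which is where the speed comes from. MD5 is adequate for telling accidental differences apart, but it is not collision resistant, so a signature file of this kind should not be relied on as proof that a disk has not been tampered with.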