yarnd? 🤔 Vultr is offering 1 vCPU, 500MB Memory and 10GB Storage for FREE! That's right $0.00 🤣 Media
Did we just discover a way to grow the Yarn.social network? 🤣
All our servers come with an initial 2tb for free.
Their response:
The bandwidth for our free instances is 2 TB of free bandwidth.
Mike Wolfman
www.vultr.com
Senior Linux Systems Administrator
😱
@bender@twtxt.net is right. Apparently it’s 0 bandwidth. I’m asking them some clarifying questions:
Hi Team,
Just noticed that you offer FREE (as in $0) VM(s) on the vc2-1c-0.5gb-free
plan. However, I also note that this has 0 Bandwidth. I’m a bit confused by this. What would be the point of having a free VM if it has no Bandwidth? How is network bandwidth charged in this case?
cheers
james
@aelaraji@aelaraji.com Yes it would be honestly, for low traffic volumes for sure!
@terron@duque-terron.cat Oh! For a minute there I thought this was our cat 🐱 Haha 😆
@lyse@lyse.isobeef.org Or… You got interrupted and forgot about the shape of the codebase you were going for 🤣
@kat@yarn.girlonthemoon.xyz Morning! 👋 I’m quite ill today, taking today/tomorrow off work. Not sure what I’ve come down with 😢 😷
@kat@yarn.girlonthemoon.xyz HTMX is very nice to use 🤣
Look forward to it 😅
@bender@twtxt.net It’s true! This is only a good thing @kat@yarn.girlonthemoon.xyz 🤣 You keep going like this with your own little community of friends, and my twtxt.net (flagship pod) will no longer be 🤣 I’ve always wanted to see Yarn.social grow, but grow in ways that keep to its truest sense of “decentralised”. That’s one of the reasons I built yarnd not to scale too much 🤣 My own pod has around ~18-20 active users per month (give or take) and that’s honestly enough 😅
@kat@yarn.girlonthemoon.xyz Oh you self-host Plex too! 🤔 Nice! 👍
I don’t want it to be 2026 🤣
@bmallred@staystrong.run You can probably recover missing twts from our caches if you need to…
Hey this could be good news for self-hosters and folks that want to run their own yarnd? 🤔 Vultr is offering 1 vCPU, 500MB Memory and 10GB Storage for FREE! That’s right $0.00 🤣
@aelaraji@aelaraji.com Man I’m sorry to hear this. 😢 Whatever it is you’re going through, things will get better I promise you 🤗
@aelaraji@aelaraji.com Same, I hope things get much better for you bud 🤗
No more stupid little DDoS(s) from fucking China now 🤣
Note for reference I was trying to write and fix this rule (fixed version below):
# Ignore Content-Type restrictions for Git
SecRule REQUEST_HEADERS:Host "@streq git.mills.io" "id:101,phase:1,t:none,nolog,ctl:ruleRemoveById=920420"
Notably the custom operator @lookupASN
I’ll try to add a README for caddy-waf soon™ (going back to bed now) at least document the customizations I’ve made to this WAF (which I forked from caddy-coraza)
This is how I build my caddy:
proxy-1:~# cat build.caddy.sh
#!/bin/sh
xcaddy build \
--with github.com/caddy-dns/cloudflare \
--with github.com/caddyserver/cache-handler \
--with git.mills.io/prologic/caddy-ratelimit \
--with git.mills.io/prologic/caddy-waf
proxy-1:~#
Ahh fuck! Sorry I was fixing a rule 🤣 This is much better!
proxy-1:~# grep -c 'Bad ASN' /var/log/caddy/caddy.log
2441
@bender@twtxt.net Yes they are rather large 🤣 Here you go:
proxy-1:~# cat /etc/caddy/waf/bad_asns.txt
# CHINANET-BACKBONE No.31,Jin-rong Street, CN
# Why: DDoS
4134
# CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
# Why: DDoS
4837
# CHINAMOBILE-CN China Mobile Communications Group Co., Ltd., CN
# Why: DDoS
9808
# FACEBOOK, US
# Why: Bad Bots
32934
proxy-1:~#
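The bad_asns.txt layout above is simple enough to parse and use directly. The following Go program is an added example (not caddy-waf or Coraza code, and not the page author's): it reads that file format, keeps the "# Why:" reason attached to each ASN so a denial can be logged with its reason, and exposes a lookup. The embedded sample is the file content shown above; the ASNBlocklist type and function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ASNBlocklist maps a blocked ASN to the reason recorded for it in the file
// (the nearest preceding "# Why:" comment, or "" if none was given).
type ASNBlocklist map[uint32]string

// ParseASNBlocklist reads the bad_asns.txt layout: lines starting with '#'
// are comments, a "# Why: ..." comment annotates the ASN that follows it,
// and every other non-blank line holds one ASN. Inline trailing comments
// are tolerated; a non-numeric ASN is an error reported with its line number.
func ParseASNBlocklist(r io.Reader) (ASNBlocklist, error) {
	list := ASNBlocklist{}
	var why string
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if strings.HasPrefix(line, "#") {
			body := strings.TrimSpace(strings.TrimPrefix(line, "#"))
			if strings.HasPrefix(body, "Why:") {
				why = strings.TrimSpace(strings.TrimPrefix(body, "Why:"))
			}
			continue
		}
		// Allow "4134 # some note" by cutting the inline comment off.
		if i := strings.Index(line, "#"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		asn, err := strconv.ParseUint(line, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("line %d: invalid ASN %q", n, line)
		}
		list[uint32(asn)] = why
		why = "" // a reason only applies to the ASN it precedes
	}
	return list, sc.Err()
}

// Lookup reports whether asn is on the list and the reason recorded for it.
func (b ASNBlocklist) Lookup(asn uint32) (reason string, blocked bool) {
	reason, blocked = b[asn]
	return reason, blocked
}

// sampleBadASNs is the bad_asns.txt content shown above, embedded so the
// example runs offline.
const sampleBadASNs = `# CHINANET-BACKBONE No.31,Jin-rong Street, CN
# Why: DDoS
4134
# CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
# Why: DDoS
4837
# CHINAMOBILE-CN China Mobile Communications Group Co., Ltd., CN
# Why: DDoS
9808
# FACEBOOK, US
# Why: Bad Bots
32934
`

func main() {
	list, err := ParseASNBlocklist(strings.NewReader(sampleBadASNs))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	// 64496 is from the range reserved for documentation, so it is never listed.
	for _, asn := range []uint32{4134, 32934, 64496} {
		if why, blocked := list.Lookup(asn); blocked {
			fmt.Printf("AS%d: blocked (%s)\n", asn, why)
		} else {
			fmt.Printf("AS%d: allowed\n", asn)
		}
	}
}
```

The reason string is what you would want in the audit log alongside "Bad ASN", since a count like the 2441 above tells you how often the rule fired but not which entry did the blocking.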
An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain, that presents a common and clearly defined routing policy to the Internet.[1] Each AS is assigned an autonomous system number (ASN), for use in Border Gateway Protocol (BGP) routing. Autonomous System Numbers are assigned to Local Internet Registries (LIRs) and end-user organizations by their respective Regional Internet Registries (RIRs), which in turn receive blocks of ASNs for reassignment from the Internet Assigned Numbers Authority (IANA). The IANA also maintains a registry of ASNs which are reserved for private use (and should therefore not be announced to the global Internet).
Cool! 😎 So I can now block ASN(s) 🤣 (And I bet no-one noticed anything)
@kat@yarn.girlonthemoon.xyz I love blue 🤣
@aelaraji@aelaraji.com Still in my cache 🤣
@aelaraji@aelaraji.com Bahahaha, you know where the default theme lives 🤣 PRs welcome!
It’s nice to see that some Crawlers actually respect rate limits and respect a 429 Too many requests response 👌 Thank you Google! 🙌
@bender@twtxt.net So you mean, get fail2ban to look at my Caddy audit logs for violations and then just block at the firewall level for repeated violations? 🤔
@kat@yarn.girlonthemoon.xyz token will still be valid 👌
@kat@yarn.girlonthemoon.xyz Yeah that’s what the admin function does. Normal user password reset is different but requires working email 🤣
@kat@yarn.girlonthemoon.xyz Speaking of KVM, Tiny Pilot and Jet KVM look really good!
@kat@yarn.girlonthemoon.xyz It’ll be whatever the actual server’s time zone is.
@kat@yarn.girlonthemoon.xyz Temporarily change the admin account on your pod to another account. Then login with that and reset the password on your main account.
What didn’t work? Hmmm 🤔
Hmm? 🤔
@seabirdie@yarn.girlonthemoon.xyz 👋 Welcome to Yarn.social 🙌
@kat@yarn.girlonthemoon.xyz Haha 🤣
Also yarnd supports video too 🤣
@kat@yarn.girlonthemoon.xyz Thanks! I built my own video hosting platform too but not nearly as fancy as what you use 🤣
@yarn.girlonthemoon.xyz@yarn.girlonthemoon.xyz 👋 Welcome to Yarn.social 🙌
@bender@twtxt.net Wre I’m talking about Web right? 🤣
"twtxtfeevalidator/0.0.1"
UA about? I thought I could ask before throwing a 1000GB file at it 🪤 could it be the same 'xt' thing @lyse was talking about the other day?
@aelaraji@aelaraji.com Nice! 🙌
@bender@twtxt.net you’re right the scale wasn’t that large, but analyzing the logs, it definitely was a DDoS attack. 🤣 I woke up this morning to see six other small spikes like this which I’ll have to analyze later tonight…
@kat@yarn.girlonthemoon.xyz What do you use for this btw? 🤔
So I need to figure out how to block ASN(s)…
Additionally, I’m thinking of: How to detect DDoS attacks?
Here’s one way I’ve come up with that’s quite simple:
Detecting DDoS attacks by tracking requests across multiple IPs in a sliding window. If total requests exceed a threshold in a given time, flag as potential DDoS.
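A working version of that sliding-window idea, added here as an example (it is not yarnd or caddy-waf code): every request is recorded with its arrival time and client IP, anything older than the window is evicted on each observation, and the detector flags when the total across all IPs exceeds the threshold. The Snapshot method also reports how many distinct IPs are in the window, which is the piece that separates a distributed flood from one noisy client. The type and function names and the sample traffic are this example's own.

```go
package main

import (
	"fmt"
	"time"
)

// event is one observed request: its arrival time and the client IP.
type event struct {
	at time.Time
	ip string
}

// DDoSDetector keeps every request seen within the last window and flags
// when the total, summed across all client IPs, exceeds threshold.
type DDoSDetector struct {
	window    time.Duration
	threshold int
	events    []event // oldest first; arrival times are assumed non-decreasing
}

// NewDDoSDetector returns a detector for the given window and threshold.
func NewDDoSDetector(window time.Duration, threshold int) *DDoSDetector {
	return &DDoSDetector{window: window, threshold: threshold}
}

// Observe records a request from ip at time now, drops everything older than
// the window, and reports whether the window is now over threshold.
// Passing now explicitly keeps the detector testable and clock-independent.
func (d *DDoSDetector) Observe(ip string, now time.Time) bool {
	d.events = append(d.events, event{at: now, ip: ip})
	cutoff := now.Add(-d.window)
	i := 0
	for i < len(d.events) && d.events[i].at.Before(cutoff) {
		i++
	}
	d.events = d.events[i:]
	return len(d.events) > d.threshold
}

// Snapshot returns the request total and the number of distinct IPs in the
// window. A high total spread over many IPs looks distributed; the same total
// from one IP is a single abusive client that a per-IP rate limit already handles.
func (d *DDoSDetector) Snapshot() (total int, distinctIPs int) {
	seen := make(map[string]struct{}, len(d.events))
	for _, e := range d.events {
		seen[e.ip] = struct{}{}
	}
	return len(d.events), len(seen)
}

func main() {
	// Constructed traffic: three clients together send 120 requests in ~6s,
	// which crosses a threshold of 100 within a 10s window.
	d := NewDDoSDetector(10*time.Second, 100)
	base := time.Date(2025, 1, 5, 4, 0, 0, 0, time.UTC)
	for i := 0; i < 120; i++ {
		ip := fmt.Sprintf("203.0.113.%d", i%3)
		if d.Observe(ip, base.Add(time.Duration(i)*50*time.Millisecond)) {
			total, distinct := d.Snapshot()
			fmt.Printf("flagged at request %d: %d requests from %d IPs in window\n", i+1, total, distinct)
			break
		}
	}
}
```

The eviction loop scans from the oldest entry, so it stays cheap as long as timestamps arrive roughly in order; if you feed it from multiple proxies with skewed clocks, sort or bucket first.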
@lyse@lyse.isobeef.org Cool 👌
Hmmm so I’ve sustained two DDoS attacks on my Gitea server today. A few hours apart. Still analyzing the traffic…
For the time being… I’ve just blocked all of OpenAI(s) Bots. They (thankfully) publish a JSON endpoint that you can use to block all OpenAI crawlers from reaching your server (in my case, blocking it at the edge). Example:
proxy-1:~# curl -qs https://openai.com/gptbot.json | jq -r '.prefixes[].ipv4Prefix' | xargs -I{} ./block-ip.sh {}
Where block-ip.sh is simply:
#!/bin/sh
ufw insert 1 deny from "$1" to any
@aelaraji@aelaraji.com Yes! 👏 This is exactly what it is! 🤣 I will of course soon™ be hosting this service, likely at validator.twtxt.net
😅😅
@kat@yarn.girlonthemoon.xyz Haha 🤣 If someone figures this out, please let me know 🙏🙏 – In the meantime, I’m going to very soon™ write a daemon that will watch the audit log for repeated violations and add to the network firewall.
This is better:
proxy-1:~# ./audit-log-by-ip.sh 4.227.36.76 | coraza-log-formatter -m -
2025/01/04 23:17:04 4.227.36.76 58982 GET /external?aff-HY0BLO=&f=mediaonly&f=noreplies&nick=g1n&uri=https%3A%2F%2Fthe-president-codes.linegames.org null 0 On OWASP_CRS/4.7.0
Actionset: OWASP_CRS/4.7.0
Message: Bad User Agent
Severity: 0
Raw: SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/caddy/waf/bad_user_agents.txt" "id:2000,log,phase:1,deny,msg:'Bad User Agent'"
Nice! I wrote another useful tool 👌
proxy-1:~# ./audit-log-by-ip.sh 4.227.36.76 | coraza-log-formatter -m -
Actionset: OWASP_CRS/4.7.0
Message: Bad User Agent
Severity: 0
Raw: SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/caddy/waf/bad_user_agents.txt" "id:2000,log,phase:1,deny,msg:'Bad User Agent'"
How in da fuq do you actually make these fucking useless AI bots go way?
proxy-1:~# jq '. | select(.request.remote_ip=="4.227.36.76")' /var/log/caddy/access/mills.io.log | jq -s '. | last' | caddy-log-formatter -
4.227.36.76 - [2025-01-05 04:05:43.971 +0000] "GET /external?aff-QNAXWV=&f=mediaonly&f=noreplies&nick=g1n&uri=https%3A%2F%2Fmy-hero-ultra-impact-codes.linegames.org HTTP/2.0" 0 0
proxy-1:~# date
Sun Jan 5 04:05:49 UTC 2025
😱
Done.
@lyse@lyse.isobeef.org Oh good! It works haha 🤣 I’ll bump it up a bit 👌
And now I’ve applied rate limits on every site to reasonable values 👌
@bender@twtxt.net Isn’t that why um yarning my progress 🤣
@kat@yarn.girlonthemoon.xyz I’ve actually moved most of my stuff off of Cloudflare now 🤣 I’m actually very happy with my edge proxy setup that reverse proxies, caches and acts as a web application firewall 🥳
@kat@yarn.girlonthemoon.xyz Have you seen the SSG that I built and use on all my static sites? zs 🤔
Oh gawd. I can’t enable caching on my edge proxy everywhere 😱 Some shit™ doesn’t deal with a caching reverse proxy in front of it very well for some reason I don’t have time to dig into right now 🤔
What’s a reasonable per second or per minute rate limit that I could apply in general at my edge proxy for all clients? (no matter what) … Like a good reasonable upper bound? 🤔
@movq@www.uninformativ.de Yeah I swear to god the engineers that write this shit™ don’t know how to write distributed crawlers that don’t happy the shit™ out of their targets 🤦♂️
@doesnm@doesnm.p.psf.lt No. I generally don’t put up any robots.txt files at all really, because they mostly get ignored. I don’t generally mind if “normal” web crawlers crawl things. But LLM(s) can go fuck themselves 🤣
@movq@www.uninformativ.de Yeah it’s starting to piss me off too 🤣 Not nearly as much as that guy, but still. Anyway I’m having fun! Now I just need to find a good IP/Subnet list that I can blacklist entirely, ideally one that’s updated frequently so I can refresh firewall rules.
Bloody fucking hell. I think one of Google’s GenAI crawlers was just hitting my Gitea instance quite hard. Fuck 🤬 Geez
@movq@www.uninformativ.de Oh 🤦♂️
I just banned 41 bad user agents from accessing any of my services. 😱
@movq@www.uninformativ.de How do you manage to get those skylines on your photos? 🤔
@doesnm@doesnm.p.psf.lt No, it’s only designed for yarnd. What did you have in mind here? 🤔
@doesnm@doesnm.p.psf.lt It is the same API that yarnc the command-line client uses.
i.e: Not much point in running a WAF on a static site. But OTOH if there’s enough abuse from shitty assholes, there might be 🤔🤔
I’m just basically learning now how ModSecurity rules work and how to write my own.
The builtin OWASP rules are already working nicely 👌 – And yeah I won’t include the WAF on every site block, probably just my main/primary domain where I tend to run demo services and other things.
@kat@yarn.girlonthemoon.xyz If you’ve been following my yarns the other day about me getting off of Clownflare and building my own WAF, Proxy and effectively my own Edge network, you’ll know I’m doing this at the very edge 🤣🤣
Having a lot of fun with Coraza today. A Web Application Firewall library written in Go that also happens to have a Caddy module.
@bender@twtxt.net Hey ! 👋
@eapl.me@eapl.me And here I always lived by:
Problems are solved by method.
– Dr. Don Abel.
🥱 morning y’all 👋 Soo tired 🥱 Need coffee!!! ☕️☕️☕️☕️
@lyse@lyse.isobeef.org It does not 🤣 Shall I enable it? 🤣
@bender@twtxt.net It’s true! 🤣 It’s a total garbage nonsense title. But the actual research paper that the video references is real. Apple did in fact do a bunch of research and proved what we already know 🤣 – That is, AI is stupid 🤣
@movq@www.uninformativ.de Amen 🙏
But to be fair, we already knew this… I’ve observed it first hand, we knew it at the beginning. I’ll just leave you with this:
Stochastic Parrot
or put simply:
Artificial Incompetence
@movq@www.uninformativ.de Yup! 😅
I can walk you through some examples later tonight when I get back if you like?
A pointer is basically a reference to a variable. It is typically used with structs and especially in pointer receiver methods so that you can modify fields of a struct.
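To make that concrete, here is an added Go example (not code from the thread or from yarnd) that puts a value receiver and a pointer receiver side by side on the same struct: the value receiver works on a copy and the caller's struct is untouched, while the pointer receiver and an explicit pointer argument both modify the original. The Counter type and the helper names are this example's own.

```go
package main

import "fmt"

// Counter is a small struct constructed for this example.
type Counter struct {
	Name string
	Hits int
}

// IncrValue has a value receiver: c is a copy of the caller's Counter,
// so the increment is lost when the method returns.
func (c Counter) IncrValue() {
	c.Hits++
}

// IncrPtr has a pointer receiver: c points at the caller's Counter,
// so the increment is visible to the caller.
func (c *Counter) IncrPtr() {
	c.Hits++
}

// Bump takes a pointer explicitly and adds n through it.
func Bump(c *Counter, n int) {
	c.Hits += n
}

// Demo exercises all three and returns the final hit count so it can be
// checked: only the pointer-based calls change the original struct.
func Demo() int {
	c := Counter{Name: "demo"}
	c.IncrValue() // copy modified; c.Hits is still 0
	c.IncrPtr()   // Go takes &c for you on an addressable value; c.Hits is 1
	Bump(&c, 2)   // explicit pointer; c.Hits is 3
	return c.Hits
}

func main() {
	fmt.Println("hits after Demo:", Demo())
}
```

The same rule applies to slices of structs: ranging with `for _, c := range counters` gives you copies, so call pointer-receiver methods on `&counters[i]` when you need the change to stick.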
@kat@yarn.girlonthemoon.xyz Oh! I can totally help you 🤗 I love Go! 😍
Holy Smokes 🤣 And this has only been <24h 😱
Also post as much as you want! It’s a free world. It’s your feed. It’s your daughter. 🤣 nobody actually has to read any of it let alone follow you if they don’t want to. 🙃 that’s kind of the beauty of a truly decentralized slow social media ecosystem. 😎
@kat@yarn.girlonthemoon.xyz You should’ve seen me back in the day! These days I try to post a little less often so as not to cause too much noise in the ecosystem 🤣 nobody cares what I think anyway right? 😅
@kat@yarn.girlonthemoon.xyz yarnd actually stores your feed in plain text on disk too 🤣
@andros@twtxt.andros.dev What do you mean by API? yarnd (which powers Yarn.social pods like twtxt.net) does have an API, however that API is designed for clients to interact with the pod and the user’s account and feed. e.g: there is a command-line client called yarnc and I used to maintain a mobile native app (using Flutter).
What use-case did you have in mind?
@kat@yarn.girlonthemoon.xyz So far it’s been alright. I wasn’t too impressed with Caddy’s logging capabilities though or the fact you have to custom build caddy just to support DNS-01 ACME challenge. But other than that, it’s okay.
@bender@twtxt.net Well technically now I can turn off ingress access to my infra on ports 80/43 etc and just rely on the outbound wireguard tunnelling for the ingress back in.