Tomáš Pospíšek's Notizblock

deinstalling ibus

ibus was installed by default on my Debian bullseye laptop. live-task-localisation depends on it and I'm guessing that live-task-localisation was installed because I installed from a USB stick.

I'm using Xfce as a desktop, konsole as a terminal and KeePassXC to manage passwords.

Even while doing nothing, ibus is infrequently using CPU and of course memory. Do I need ibus? I don't know, but I don't think so. I do not need to enter Chinese or other characters that are "exotic" to me.

So I deinstalled ibus via aptitude while running the desktop. aptitude deinstalled the following packages along with it:

ibus-m17n ibus dconf-cli python3-ibus-1.0 gir1.2-ibus-1.0
ibus-data ibus-gtk ibus-gtk3 im-config libibus-1.0-5
libm17n-0 libotf0 m17n-db

Then I killed all ibus* daemons running on my system by using systemctl --user stop ... or kill -HUP ....

After that konsole and KeePassXC would not receive any keyboard inputs any more. It seems as if those programs (probably along with other programs that I wasn't running at the time) dynamically detect the presence of ibus and use it as keyboard input if available.

Restarting KeePassXC fixed the second problem and starting a new konsole fixed the other.

However, be aware that when killing ibus while running konsole you might risk losing the work you are currently doing in it (or in any other X11 console or possibly in other programs). So it's better to save your work before killing ibus. Because I had some open work in console I did the copy/paste trick to save open files in vim and terminate other sessions. Mind you that it might be tricky to copy/paste "special" characters that you need, such as CTRL-D, Escape and such.

Tomáš Pospíšek, 2021-08-01

smtp bruteforcing

The default settings of fail2ban are to ban an IP if it incorrectly authenticates 5 times within 10 minutes.

We are seeing one bruteforcing attempt every 3 minutes. The IPs where the attempts are coming from are widely distributed over the address space. However we do block IPs that try sustainedly.

Watching the log it feels like there is at least one actor that has access to a very large number of IPs that is continually bruteforcing us, that is aware of fail2ban's default settings and is scanning with a frequency that makes sure that he's flying under the radar of fail2ban's default settings (5 attempts per 10min).
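
An added example, not part of the original post and not fail2ban's code: a simplified model of a per-IP "maxretry within findtime" counter, run over constructed Exim-style log lines that use the documentation addresses 192.0.2.10 and 198.51.100.7. It shows that a client retrying every 3 minutes never reaches 5 failures in 10 minutes, while a one-hour window catches it; `banned_ips` and `sample_log` are hypothetical names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Timestamp and bracketed client IP of an Exim "AUTH LOGIN" protocol error line.
LINE_RE = re.compile(
    r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP protocol error in "AUTH LOGIN" '
    r'.*\[([0-9a-fA-F.:]+)\]')

def banned_ips(lines, maxretry, findtime):
    """IPs with >= maxretry failures inside any findtime-second window.

    Assumes the lines are in chronological order, as in a log file.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    banned = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, or the IP was elided
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures older than the window
        if len(q) >= maxretry:
            banned.add(m.group(2))
    return banned

def sample_log():
    """Constructed log: a slow client (every 3 min for 1 h) and a fast one."""
    start = datetime(2020, 2, 21, 0, 0, 0)
    fmt = ('{} SMTP protocol error in "AUTH LOGIN" H=(example) [{}] '
           'AUTH command used when not advertised')
    events = [(start + timedelta(minutes=3 * i), "192.0.2.10") for i in range(20)]
    events += [(start + timedelta(seconds=20 * i), "198.51.100.7") for i in range(6)]
    return [fmt.format(t.strftime("%Y-%m-%d %H:%M:%S"), ip)
            for t, ip in sorted(events)]

if __name__ == "__main__":
    log = sample_log()
    print("5 in 10 min:", sorted(banned_ips(log, maxretry=5, findtime=600)))
    print("5 in 1 hour:", sorted(banned_ips(log, maxretry=5, findtime=3600)))
```
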

It's also interesting to see what happens when you report an IP:

From: Tomas Pospisek
To: abuse@...
Subject: bruteforcing SMTP auth


the IP mentioned in the email subject has been bruteforcing SMTP auth on our server. I have blacklisted it.

2020-02-21 00:29:53 SMTP protocol error in "AUTH LOGIN" H=(UF2RIBjOt) [] AUTH command used when not advertised

Please let me know when you have stopped that IP from bruteforcing us so that I can remove it from the blacklist again.


Good citizens of the internet

| who | as | net | date | comment |
|---|---|---|---|---|
| | AS9009 | | 2021-07-02 | terminated VPS and customer within a day |

Bad citizens of the internet

| who | as | net | date | comment |
|---|---|---|---|---|
| | AS16276 | | 2021-07-02 | reply with arbitrary blueprint mail asking you to jump through some arbitrary process |
| | AS8100 | | 2021-07-02 | reply with blueprint mail but no reply if action was taken |
| | AS4134 | | 2021-07-02 | no reply, spam contact bounces/is full |
| | AS46664 | | 2021-07-16 | no reply |
| Viet Speet Ltd | AS135905 | | 2021-07-09 | no reply |
| | AS45382 | | 2021-07-09 | no reply |
| | AS63737 | | 2021-07-09 | no reply |
| | AS8075 | | 2021-07-09 | reply with blueprint mail asking you to jump through some arbitrary process |
| | AS202306 | | 2021-07-09 | no reply |

Tomáš Pospíšek, 2021-07-17