Noime

Member Since 17 Feb 2018
Offline Last Active Nov 15 2018 12:44 AM

Posts I've Made

In Topic: Error while trying to search an existing account

15 November 2018 - 12:12 AM

That's a really old bug with X2. It has to do with how some GROUP BY statements are constructed by the framework, and the problem can rear its head in all sorts of different locations.

I silenced the problem by activating some backward-compatibility options for the MySQL daemon. My mysqld.cnf for MySQL version 5.7 has the following lines in the [mysqld] section:

#
# this is to silence X2 group-by errors
#
sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

Older MySQL versions don't know "sql_mode", but instead have just "mode". In that case the line must look like this (from memory, must be tested):

mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

In Topic: secure X2 with fail2ban - anyone ?

08 November 2018 - 01:31 AM

Thanks Peter!

No, no: I don't intend to ban on the notifications. I definitely wasn't clear on this. My two lines are meant to suppress the notification lines in the Apache logs. For a single user, one line per second is added to the log. That's huge! It not only bloats the log, it makes fail2ban scan loads of data that are good. I chose to suppress the lines at the Apache level instead of with an ignoreregex in fail2ban.

Protecting against brute-force login attempts would be nice, but I don't see a 403 on wrong login. But maybe I'll try to hack up a new repeat-offender filter that checks for repeated login attempts.

Even better would be if one could rename the login page. If we had this, any attempt to reach index.php/site/login could be regarded as a hacking event.


In Topic: secure X2 with fail2ban - anyone ?

07 November 2018 - 03:12 AM

Ok. Looking at the apache2 logs, they are flooded with notifications like "GET /index.php/notifications/get?lastNotifId=0&lastEventId=49&lastTimestamp=1541338711" which I don't need to know about.

Adding to the .htaccess

SetEnvIf Request_URI "/notifications/" notifications

Adding to the apache site config

CustomLog ${APACHE_LOG_DIR}/access.log combined env=!notifications
 
No more notifications. Good.
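
The repeat-offender idea from the 08 November post, applied to logs that may still contain the notification lines filtered above, as an added example that is not part of the original posts, X2 or fail2ban. It assumes Apache's combined log format and, because the post notes that a wrong login is not answered with a 403, counts every POST to index.php/site/login as one attempt; `repeat_offenders` is a hypothetical name, `maxretry` and `findtime` borrow fail2ban's parameter names, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Start of an Apache "combined" log line: client, timestamp, method, path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) '
)
LOGIN_PATH = "/index.php/site/login"  # login URL named in the post (assumes X2 at the web root)
NOISE = "/notifications/"             # same substring as the SetEnvIf rule

# Constructed sample lines (documentation IP ranges, made-up sizes and agents).
SAMPLE = [
    '198.51.100.20 - - [07/Nov/2018:03:00:01 +0100] "GET /index.php/notifications/get?lastNotifId=0 HTTP/1.1" 200 85 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [07/Nov/2018:03:00:05 +0100] "POST /index.php/site/login HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [07/Nov/2018:03:01:{s:02d} +0100] "POST /index.php/site/login HTTP/1.1" 200 4312 "-" "curl/7.58.0"'
    for s in (2, 4, 6, 8, 10, 12)
]

def repeat_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time the threshold was first reached} for clients that POST
    to the login page maxretry times within findtime (lines in time order)."""
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still in the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]
        if NOISE in path or m["method"] != "POST" or path != LOGIN_PATH:
            continue  # notification polling and everything that is not a login POST
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > findtime:  # drop attempts older than the window
            q.popleft()
        if len(q) >= maxretry and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in repeat_offenders(SAMPLE).items():
        print(f"{ip} reached the login threshold at {when.isoformat()}")
```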

In Topic: Process-related Flow Actions missing from 6.9.3 release...

15 June 2018 - 10:19 AM

I took a look into protected/components/x2flow/actions/ and there is nothing, finally, that makes me believe in what I said earlier about missing translations.

Funky, funky.

But the silence from X2 is unsettling. That's for sure.


In Topic: Process-related Flow Actions missing from 6.9.3 release...

14 June 2018 - 04:10 AM

Pretty funky.

I checked the number of lines in the messages files. This is what I found:

# wc -l */studio.php
   202 de/studio.php
   209 template/studio.php

So the English studio.php has more lines, which may imply that if translations are missing in the German file, they may not show.

Or "Add to Newsletter" isn't in any message file, but only in the source code.

I am tempted to believe that many of these problems come from broken or incomplete message files.

Just a thought