If you can trace the colour css it can be changed on the server. No simple way to do it, it's all fixed in the theme somewhere.
Server updates
-
exxos
- Site Admin

- Posts: 28370
- Joined: 16 Aug 2017 23:19
- Location: UK
Re: Server updates
-
PhilC
- Moderator

- Posts: 7451
- Joined: 23 Mar 2018 20:22
Re: Server updates
Thought as much, I'll stick with the light one for now then.
If it ain't broke, test it to Destruction.
-
exxos
- Site Admin

- Posts: 28370
- Joined: 16 Aug 2017 23:19
- Location: UK
Re: Server updates
More firewall refining going on. Problem is the flood traffic dynamic keeps changing making it difficult to keep on top of.
Fail2ban is basically worthless these days. I mean years ago, all I really had to worry about was people trying to hack the email server. Now it's pretty much a thing of the past. I've retired some more jails as they caught nothing for months. A lot gets dealt with higher up in the chain now anyway.
The problem these days is the botnets. Life was simple when there were grouped small ranges of IPs flooding with requests. Now we get 1 bad IP across thousands of /24 blocks. 1 bad IP out of a 255 block which at most only hits once a day. Nothing by itself. But the vast IP ranges which are doing exactly that total into huge requests per second.
So I'm being a lot more aggressive with detections now. We don't get users from Pakistan for example, and that's where a lot of traffic is coming from. So many bad IP detections and the whole country gets banned now. The harder part is filtering USA traffic. It's dealt with differently, but whole networks will get banned from now on.
It's at the point, as I feared a couple years back, that half the world will simply get banned. Leaving us with more common countries like UK and USA etc. We get some users from EU, France, Germany etc also. But trying to keep on top of all this is a full-time job now for me. One which clearly isn't ever going to end.
Even every blocklist is pointless these days. I gave up because by the time enough users reported enough bad traffic, it's already too late. Plus I've searched the lists for IPs hitting us and there's almost nothing listed in any list anyway. I mean fail2ban and blocklists should be enough, but nope. As I said before, fail2ban can't even keep up anymore. It ended up more resources than it saved in the end. There's not many avenues left to explore.
It almost doesn't matter how efficient I make the server. The traffic just keeps on increasing. Even bashing 444 errors directly from nginx can't keep up with some floods. I forget how efficient nginx is, all I know is it can take one hell of a beating and even that couldn't keep up when Meta was flooding us. Never mind all the other botnets piled on top.
Registered users need to stay logged in as much as possible as you get temp whitelisted. This only works if you have a fixed IP though!
I got some unban requests over the past few weeks but users who got whitelisted get unbanned automatically about once an hour. So there's no need to request an unban right away. I can't be in front of the PC 24/7 anyway, which is why it's done automatically. If anyone is banned for more than 2 hours, either you're not logging in often enough or you're on a rotating IP which changes too often to keep track of.
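An added illustration of the post above, not the forum's own scripts: why a per-address threshold misses "1 bad IP per /24" traffic while counting distinct /24s inside a wider block catches it, with a logged-in whitelist taking precedence. The thresholds, the /16 grouping and the sample addresses (reserved test ranges) are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

PER_IP_LIMIT = 20   # assumed per-address threshold, in the style of a fail2ban jail
MIN_SUBNETS = 32    # assumed: distinct /24s seen before the parent block is banned

def build_sample():
    """Constructed traffic {ip: requests today}; reserved test ranges only."""
    # 40 addresses, each in a different /24, each sending a single request.
    hits = {f"198.18.{x}.{(x * 7) % 254 + 1}": 1 for x in range(40)}
    hits["203.0.113.7"] = 300   # logged-in member browsing heavily
    hits["192.0.2.10"] = 5      # ordinary guest
    return hits

def per_ip_bans(hits, limit=PER_IP_LIMIT):
    """Per-address view: only sees addresses that are individually noisy."""
    return {ip for ip, n in hits.items() if n >= limit}

def network_bans(hits, whitelist, prefix=16, min_subnets=MIN_SUBNETS):
    """Aggregate view: ban a parent block once enough distinct /24s show up in it."""
    subnets = defaultdict(set)
    for ip in hits:
        if ip in whitelist:          # whitelisted members never count as evidence
            continue
        parent = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        subnets[parent].add(ipaddress.ip_network(f"{ip}/24", strict=False))
    return {net for net, seen in subnets.items() if len(seen) >= min_subnets}

def is_blocked(ip, banned_nets, whitelist):
    """Whitelist is checked first, so a member inside a banned block still gets in."""
    if ip in whitelist:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in banned_nets)

if __name__ == "__main__":
    hits = build_sample()
    members = {"203.0.113.7"}
    print("per-IP bans:  ", per_ip_bans(hits))
    print("network bans: ", network_bans(hits, members))
```

On the constructed data the per-address rule flags only the busy member and none of the 40 single-request addresses, while the aggregate rule bans the whole block they sit in, including addresses that never sent a request.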
-
exxos
- Site Admin

- Posts: 28370
- Joined: 16 Aug 2017 23:19
- Location: UK
Re: Server updates
The WIKI should behave again now. It was refusing connections over the past few days. That was because I switched over to HTTP3 for tests, gave up, then forgot to remove HTTP3 from the WIKI config. Anyway, should be fixed back to using HTTP2 now!
-
exxos
- Site Admin

- Posts: 28370
- Joined: 16 Aug 2017 23:19
- Location: UK
Re: Server updates
740 million blocked IPs so far. That is about 17% of the entire IPv4 space blocked now. Those are pretty much all botnets.
-
exxos
- Site Admin

- Posts: 28370
- Joined: 16 Aug 2017 23:19
- Location: UK
Re: Server updates
What's going on with the forum lately (botnet floods explained)
Right, so some of you might have noticed the odd hiccup over the past week or two. The short version is the forum and wiki have been getting absolutely hammered by botnet floods. Not a targeted attack as such, just relentless waves of automated junk traffic battering the server around the clock, coming from hundreds of thousands of infected machines all over the world. The forum and the wiki both seem to be the main targets.
To keep everything online I've built up a layered defence that spots the bad traffic and blocks it automatically. A few days ago it was holding back around 17% of the routable internet. After the last couple of nights it's crept up to roughly 21%, which is very nearly 800 million IP addresses, almost all of it in parts of the world the forum gets no real visitors from anyway.
Have a think about that for a second. To keep one small retro Atari forum ticking over, I'm having to block more than a fifth of the entire internet. It really shows you how much of the online world in 2026 is just compromised, malware riddled machines being quietly rented out as botnets without their owners having the faintest idea.
Just to be clear, this is only the bad bots. The legitimate search engine and archive crawlers are all still welcome. The good ones identify themselves properly, obey robots.txt, don't flood, and publish their IP ranges so I can wave them straight through. It's the anonymous junk pretending to be real browsers that gets blocked.
Who's the worst? Vietnam and Malaysia by a mile this week, with big waves out of the Middle East too (Pakistan, Egypt, Algeria and the Gulf states), plus Indonesia, Brazil and a long tail of everywhere else. These are nearly all ordinary home broadband connections that have been infected and roped into a botnet without the owner knowing a thing about it.
So why us? A little Atari forum? Honestly it's a bit of a puzzle, but here are a few theories:
- We're just a target of opportunity. Botnets crawl the whole internet looking for anything that responds. A forum with thousands of pages and a big wiki is a juicy looking target to a dumb script, regardless of what the content actually is.
- Badly written scraper bots. This is my favourite theory, because the "leeching our content" idea doesn't really add up. We're a small site. A sustained flood like this could download the entire forum and wiki in a couple of hours flat. So why keep hammering it for days and weeks on end? Either the bots are so badly written they don't know when to stop, or they're just mindlessly re-scraping the same pages forever. Incompetence on an industrial scale, basically.
- Session and login probing. A big chunk of it is bots throwing fake session IDs at the forum, poking at it to see if there's a way in or just to generate load. Old phpBB forums are a well known shape on the internet, so the scripts know exactly what to prod at.
- Someone's actually driving it. Here's the interesting one. A week or so back we were under a heavy flood and it stopped dead at around 10 or 11 at night. Not tailed off, not gradually eased, just switched off like a tap. Random internet noise doesn't do that. That strongly suggests there's an actual person, or a very small number of people, sat at a control panel somewhere turning this thing on and off. Which means at least some of this is deliberate, even if the reason why is anyone's guess.
The good news: you lot are fine. Logged in members always get proper live pages, and the blocking goes easy on the UK, US and Europe where you actually are. If you're reading this, you got through no problem.
If you ever do get blocked (unlikely unless you happen to share a chunk of network with infected machines):
- Most blocks now clear on their own within the hour on the automatic cleanup, so nine times out of ten just wait an hour and try again.
- Still stuck after that? Log in from a different connection (your phone on mobile data does the trick) and fire off an unban request here: https://www.exxosforum.co.uk:8085/IP_CHECK/. That's the fastest way to get an address cleared.
- To stay on the permanent whitelist, just be logged in for at least an hour a week. Regulars basically never get caught out.
And a personal note. I'll be straight with you, this lot has basically taken over my life the past few weeks. Nearly every spare minute has gone on watching the traffic, pulling apart each new attack pattern and writing custom scripts to deal with it. The annoying part is it never stays fixed. The traffic ramps up every month or so, and whatever worked last month falls over the next, so each new wave has to be studied and beaten from scratch. It's turned into a full time job in all but name, and it's why I've had next to no time for hardware, or anything else lately.
So with almost a quarter of the internet now blocked, fingers crossed things stay quiet from here on. Realistically that number's only going to keep climbing over the next few days and weeks, and yeah, it sounds completely mad to be blocking that much of the internet just to run a little Atari forum, but that's the state of things in 2026.
Anyway, the forum's coping well and it's business as usual. Cheers for your patience, and as always, keep the retro chat coming. :)