How to automatically block IPs that send too many HTTP requests?

I run a website that regularly gets hit by too many HTTP requests coming from the same IP.

Is there a simple way of automatically rejecting connections from IPs that send more than 2 requests per second?

Currently I just block some IPs manually via iptables, but I want to block IPs automatically that do not behave like a human.

How to handle players’ requests for attacks aimed at crippling the enemy?

I’m DMing a recently-started campaign with 5 new players. They are completely new to RPGs and roleplay. In a combat, they often phrase their attacks in ways such as “I aim at the eyes in order to blind him and shoot my arrow”, or “with a swift dash forward, I try to pierce her leg with my rapier so to incapacitate her movements”, or “I unleash a powerful blow aimed between the helmet and the chestplate, to try and decapitate this enemy”, etc., and expect me to make the enemies suffer the consequences of their detailed actions, especially when they roll high on the d20.

My players are quite enthusiastic about roleplaying and narrating what they do and demand the same from me. I find this great, as I love this style of playing, so it’s easy for me to satisfy their thirst for narrative and I enjoy writing a lot. However, I tried to explain to them that such an approach in combats can prove to be obnoxious, to the point that even the rules themselves just plainly avoid the topic:

The loss of hit points has no effect on a creature’s capabilities until the creature drops to 0 hit points.

PHB p.196, Hit Points

They were disappointed and, after the discussion, wondered what the point of combat narration is anyway. They therefore started unhappily phrasing everything they do in fights as such: “I attack him”, “I throw [spell] at him”. This resulted in coldly mechanical fights and dull narration, despite my efforts to try and paint a creative representation of the events without their input.

I definitely don’t want to bring crippling wounds into fights, as it can be quite hard to rule about anything and it is just a spit away from one-shotting an enemy due to a critical hit “aimed at the neck”. It would also make the PCs overpowered, unless I balance this by allowing intelligent enemies to make the same reasonings, complicating everything even further.

What can I do to keep my players engaged in combat narration without making it fall into a headshot-seeking madness? How can I encourage roleplaying in fights without allowing crippling and state-inflicting wounds (such as arrows into the eyes) to be made?


Related questions:

  • How can I describe hit point damage without talking about wounds?
  • Aiming at specific body parts

Authenticate to SharePoint using Client Id and Client Secret with python Requests module

I would like to authenticate to SharePoint using Python and the Requests package. This is what I have so far:

    from oauthlib.oauth2 import BackendApplicationClient
    from requests_oauthlib import OAuth2Session

    client_id = 'my_client_id'
    client_secret = 'my_client_secret'
    sitepath = 'https://our_sites.company_name.com/sites/my_site'

    # client-credentials ("backend application") flow: no user login involved
    client = BackendApplicationClient(client_id=client_id)
    oauth = OAuth2Session(client=client)
    token = oauth.fetch_token(token_url='super_long_token_url',
                              client_id=client_id,
                              client_secret=client_secret)

However, I get a “ValueError: Please supply either code or authorization_response parameters”.

Ideally I was hoping to use the client_id and client_secret basically as a user and password. In any case, help would be appreciated.

CORS requests for Instagram fail without VPN

My wife’s machine could not load any Instagram content through JavaScript because of the following error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://graph.instagram.com/logging_client_events. (Reason: CORS request did not succeed). 

I tried getting it to work again, even went so far as to uninstalling Firefox, clearing any Mozilla related data and reinstalling it… same error (default settings, no plug-ins).

Then I noticed she had been logged out of the VPN service (just a commercial VPN service), so I logged her in without giving it much thought. Try Instagram again and… problem solved.

I tried to repeat the above on my own machine, same story:

  • VPN service enabled -> everything works just fine.
  • VPN service disabled -> CORS requests for Instagram fail.

My Question(s):

  • Is there any common explanation for this behaviour?
  • Could this point to a compromised router or strange ISP activity?

Do modern operating systems still send targeted or directed Wi-Fi probe requests that contain SSIDs?

Do modern (versions of) operating systems, primarily Android and iOS on mobile, still send targeted or directed probe requests when searching for Wi-Fi networks to connect to?

Such targeted or directed probe requests contain the SSIDs of known networks, and may thus leak information about the sending device’s location history, the owner’s social relationships, etc.

According to this source, modern operating systems do not send these requests anymore:

Around 2014, the privacy implications of targeted probe requests started to become widely publicized and understood. Most new devices therefore stopped sending them. […] When the privacy implications of targeted request probes became widely appreciated, most new mobile devices stopped sending them altogether. […] Targeted probe requests are mostly a thing of the past.

Other sources, like this one or this one, seem to confirm that targeted probe requests are not sent anymore on the latest versions of Android, at least.

If this is indeed true, and perhaps also for iOS (and some desktop OSs), are there any press releases, bug tracker entries, security reports or code commits that confirm this?

Directed probe requests, as opposed to broadcast requests that don’t contain a network’s SSID, should only be necessary for hidden networks. The impact is stronger on mobile devices, where you tend to both have more known networks added to your device and broadcast that list in more places.

Travel Approval Requests

I have two date columns, “First Day of Travel” and “Last Day of Travel”. Based on the last day of travel, I want to send all users returning on that day an email reminder to fill out their Trip Report. I did go into edit column and try using Column Validation, but it did not work. Any help in completing this task would be greatly appreciated.

PHP stuff requests on Node.js based web app?

We have a Node.js based web application, that has routes like:

myapp.com/posts/[postId]

We tracked strange requests, which led to 404s on these routes. The requests were to routes like:

    /posts/phpinfo.php
    /posts/.user.ini
    /posts/info.php3
    /posts/phptest.php

We’re not using PHP, nor do I know anything about it…

To me it seems that a crawler/bot is requesting these routes, using some PHP related stuff as postIds which makes no sense (to me)…

Is this legit, though useless, or a security related issue?

What could cause this?

Why CORS is still securing an open api where all requests have a wildcard (*)?

In case of an open API, the only possible value for Access-Control-Allow-Origin is a wildcard (*), since you can’t have a list of allowed domains.

Still, this seems not to bug developers and appears to keep the system secure. How is that possible? Isn’t allowing all domains to make every request the same as not having SOP or a CORS policy?

It might be that I don’t really get the security provided by CORS, but as I understood it, it prevents an unwanted domain from using a user’s session cookies without his consent. Still, I don’t get how it protects the user from seeing his account used for unwanted purposes once a data-modifying route is opened to this domain.

Basic batched get requests using REST API

I’m hunting around on the web right now for some basic (preferably working) examples of making a batch of GET requests using the new $batch endpoint in O365 with the REST API.

I’ve located some good information from Andrew Connell and Steve Curran but I’m hoping someone could offer some working JavaScript to demonstrate the concepts.

How do I make a batched REST request using JavaScript to read information from two separate lists?

Should I immediately look at hooking into a helper library like datajs or Steve Curran’s RestBatchExecutor.js or is this basic enough to do using SP.RequestExecutor or jQuery.ajax?

OpenVPN in Ubuntu 18.04 with a restriction that requires a keep-alive window in the browser sending requests every 100 seconds to a local address

My institute has a system which requires a keep-alive window that sends requests every 100 seconds to the local address “192.xx.xx.xx”. If a request is not sent, the internet access for that room’s IP is revoked. When the VPN is connected, all intranet addresses are inaccessible, so even when you connect to the VPN successfully, the connection will break after around 100 seconds. Any solutions?