Fixing Subversion Propfind 403 errors


I've been using Subversion heavily lately to keep my live and development sites synchronized and it's been a huge productivity booster. I had to move some code over to a lite site for work this evening and it was such a pain, because I had to go through and figure out the files I needed to copy. With svn, or even cvs, I could use tags and then an update and let the computer do the grunt work. Instead it was a 15 minute task and I broke the site twice due to missing dependencies.

Then, I wanted to do a quick update to soccerblogs.net, and needed to pull in code from another project within the repository using the svn:externals property. I set the property and committed it, then when I tried to update my local development copy, the svn client would fail. I had the following lines in my Apache error log:

[Wed Feb 14 00:20:32 2007] [error] [client 65.23.154.104] client denied by server configuration: <PATH TO SVN>

The svn client would complain about "PROPFIND: 403 Unauthorized". I triple checked my apache+svn configuration, and I could browse my repository just fine in a web browser. It turns out that if you have mod_evasive installed, the access pattern from svn can look like a denial-of-service attack to it, so it blocks with a 403. Disabling mod_evasive did the trick - and I didn't really need it anyway. None of the English-language Google results mentioned this, but this one in Spanish had it. Sometimes, being bilingual pays off.

Tags: Apache, Linux, Subversion

─── ✧ ─── ✦ ─── ✧ ───

Fail2Ban + Mod_Security = Spammer Bouncer


Under Debian, fail2ban's configuration is in /etc/fail2ban/. In the filter.d directory, add the following file and name it apache-modsec.conf.

[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching.
# Values: TEXT
#
failregex = [[]client <HOST>[]] mod_security: Access denied with code 500
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex = 

Enable this filter by adding the following to jail.local:

[apache-modsec]
enabled = true
port   = http
filter = apache-modsec
logpath = /var/log/apache*/*error.log
maxretry = 4

Restart fail2ban. The next time a spammer gets blocked by mod_security 4 times, the ban will be recorded in /var/log/fail2ban.log:

2007-02-07 11:52:45,024 fail2ban.actions: WARNING [apache-modsec] Ban 207.234.131.237
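
To check the filter before relying on it, the following added example (not part of the original post, and not fail2ban's own code) runs the failregex above over constructed error-log lines and lists the hosts that reach maxretry. It assumes a simplified IPv4-only substitute for the `<HOST>` tag and ignores fail2ban's time window; the names `HOST_GROUP`, `SAMPLE_LOG`, `compile_failregex` and `hosts_to_ban` are made up for the illustration.

```python
import re
import warnings
from collections import Counter

# failregex copied verbatim from apache-modsec.conf above.
FAILREGEX = r"[[]client <HOST>[]] mod_security: Access denied with code 500"
MAXRETRY = 4  # maxretry from the [apache-modsec] jail above

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines (documentation-range addresses, not real log data).
_DENY = "[Wed Feb 07 11:5%d:00 2007] [error] [client %s] mod_security: Access denied with code %d. Pattern match \"spamword\" at POST_PAYLOAD"
SAMPLE_LOG = (
    [_DENY % (i, "203.0.113.7", 500) for i in range(4)]      # 4 hits: ban
    + [_DENY % (i, "198.51.100.9", 500) for i in range(2)]   # 2 hits: below maxretry
    + [_DENY % (5, "198.51.100.9", 403)]                     # other status code: ignored
    + ["[Wed Feb 07 11:56:00 2007] [error] [client 203.0.113.7] "
       "client denied by server configuration: /srv/example"]  # not mod_security
)

def compile_failregex(failregex):
    """Expand <HOST> and compile the pattern the way the filter is meant to match."""
    with warnings.catch_warnings():
        # "[[]" is a valid one-character class, but Python 3.7+ flags it
        # with a FutureWarning ("possible nested set"); silence that here.
        warnings.simplefilter("ignore", FutureWarning)
        return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def hosts_to_ban(lines, failregex=FAILREGEX, maxretry=MAXRETRY):
    """Return the sorted hosts with at least maxretry matching log lines."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return sorted(host for host, count in hits.items() if count >= maxretry)

if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print("would ban", host)
```

On a host with fail2ban installed, the bundled fail2ban-regex tool performs the same kind of check against the real log file and filter.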

Tags: Apache, Debian, Linux

─── ✧ ─── ✦ ─── ✧ ───

Don't bet on the Doomsday clock stunt


Did you know they advanced the time on the doomsday clock? Did you know we had a doomsday clock? Is the doomsday clock little more than a PR stunt? Sure, it looks bleak, so this dose of optimism should make you think again about our "imminent" destruction. There's also a predictions market where you can bet on what's going to be our great undoing.

My first reaction was a sigh of relief. After all, the 1947 doomsday prediction marked the start of a golden age. Never have so many humans lived so long --- and maybe never so peacefully --- as during the past 60 years. The per-capita rate of violence, particularly in the West, seems remarkably low by historical standards. If the clock's keepers are worried once again, their track record suggests we're in for even happier days.

Tags: Science

─── ✧ ─── ✦ ─── ✧ ───