
Identify bots using AES128-SHA maintainers running on toolforge
Closed, Resolved, Public

Description

Checking AES128-SHA usage records, we've detected several bots running within toolforge using "cryptic" User-Agents that don't help much in identifying the maintainers. Discussing the issue with @aborrero, he mentioned that maybe they could be identified given toolforge IPs and timestamps of the requests.

List of unidentified UAs:

  • DotNetWikiBot/3.15 (Unix 3.13.0.139; Mono 3.2.8; .NET CLR 2.0.50727.1433). Activity detected: 10.68.18.205 (tools-exec-1426) - 2018-05-04T10:51:36.872Z: matched to @Dmitry89 in toolforge https://tools.wmflabs.org/admin/tool/dibot
  • DotNetWikiBot/3.15 (Unix 3.13.0.139; Mono 3.2.8; .NET CLR 4.0.30319.17020). Activity detected: 10.68.17.209 (tools-exec-1411) - 2018-05-04T04:15:49.643Z
  • DotNetWikiBot/3.15 (Unix 3.13.0.139; Mono 4.8.0; .NET CLR 4.0.30319.42000). Activity detected: 10.68.23.14 (tools-exec-1416) - 2018-05-04T04:30:05.069Z: matched to @MaxBioHazard in toolforge https://tools.wmflabs.org/admin/tool/mbh
  • DotNetWikiBot/3.15 (Unix 3.13.0.141; Mono 3.2.8; .NET CLR 2.0.50727.1433). Activity detected: 10.68.23.103 (tools-exec-1413) - 2018-05-03T18:22:12.959Z: matched to @Dmitry89 in toolforge https://tools.wmflabs.org/admin/tool/dibot
  • DotNetWikiBot/3.15 (Unix 3.13.0.141; Mono 4.8.0; .NET CLR 4.0.30319.42000). Activity detected: 10.68.16.126 (tools-exec-1441) - 2018-05-03T21:00:29.183Z: matched to @MaxBioHazard in toolforge https://tools.wmflabs.org/admin/tool/mbh
  • DotNetWikiBot/3.15 (Unix 3.13.0.147; Mono 3.2.8; .NET CLR 2.0.50727.1433) --> matched to @Dmitry89 in toolforge https://tools.wmflabs.org/admin/tool/dibot
  • DotNetWikiBot/3.15 (Unix 3.13.0.147; Mono 4.8.0; .NET CLR 4.0.30319.42000) --> matched to @MaxBioHazard in toolforge https://tools.wmflabs.org/admin/tool/mbh

Event Timeline

Vgutierrez created this task.

Do we need to stop using the DotNetWikiBot framework because you will disable the encryption method used in it?

It's more likely that DotNetWikiBot just needs to be built against a newer .NET version, or needs .NET configuration tweaks, to support better encryption (or perhaps already is capable and some bots are behind on releases of it or some of its dependencies). I'm not familiar enough with DotNetWikiBot or .NET in general to know, though.

The e-mail of the DNWB author is codedriller@gmail.com. You can write to him and explain what he should do to fix this problem.

@MaxBioHazard I just tested DotNetWikiBot/3.15 on a docker container with mono 4.8.0 and it's able to use recent TLS ciphersuites, so you should be able to keep using it.
I see from the UserAgent of your bot, that you're not using the default mono version provided on toolforge, did you upload your own mono version? In that case, what is the source of the mono 4.8.0 that is being used to run your bot?

AutoWikiBrowser isn't showing in your requests... And that is .NET based, though mostly on Windows, rather than mono (though, there are some users that do..)

DotNetWikiBot looks fairly unmaintained based on its SVN repo

.NET 4.0 supports up to TLS 1.0 while .NET 4.5 supports up to TLS 1.2

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.securityprotocol(v=vs.110).aspx
https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.110).aspx

^ Those should be doable in the client code to force it to use TLS at a minimum

I wonder if the fallback in Mono is to not use the most secure version for some reason, and is taking a less secure one based on what the server is offering

AutoWikiBrowser isn't showing in your requests... And that is .NET based, though mostly on Windows, rather than mono (though, there are some users that do..)

As part of T193376 I didn't identify AutoWikiBrowser as a UA speaking AES128-SHA, which UA string are you using?

Something like

WikiFunctions ApiEdit/{0} ({1}; .NET CLR {2})

so you should be able to keep using it.

Did you mean that we can change nothing in our bots, its compilation settings, and when you disable AES128 our bots will continue working?

I compile my mono version from sources from https://download.mono-project.com/sources/mono/mono-4.8.0.382.tar.bz2

In T194380#4208219, @MaxBioHazard wrote:

so you should be able to keep using it.

Did you mean that we can change nothing in our bots, its compilation settings, and when you disable AES128 our bots will continue working?

I compile my mono version from sources from https://download.mono-project.com/sources/mono/mono-4.8.0.382.tar.bz2

in that case, according to http://www.mono-project.com/docs/about-mono/releases/4.8.0/#tls-12-support if you enable btls it should be enough:

export MONO_TLS_PROVIDER=btls

I should execute this string on Toolforge console? And recompile mono after this?

In T194380#4208278, @MaxBioHazard wrote:

I should execute this string on Toolforge console? And recompile mono after this?

If I'm reading the mono instructions correctly, it would be enough to add that line before launching your bot:

export MONO_TLS_PROVIDER=btls
mono bot.exe

My bots are launched from cron. I hope executing this string once would be enough.

It won't be, just single line it

MONO_TLS_PROVIDER=btls mono bot.exe

@MaxBioHazard please let us know when you make the change to check on our side that everything looks good :)

usage: jsub [options...] program [args...]
jsub: error: argument program: Program 'MONO_TLS_PROVIDER=btls' not found.

In T194380#4210052, @MaxBioHazard wrote:

usage: jsub [options...] program [args...]
jsub: error: argument program: Program 'MONO_TLS_PROVIDER=btls' not found.

you can set an environment variable using jsub's flag -v, so: jsub -v MONO_TLS_PROVIDER=btls.

I did it for all of my bots except one, which is launched permanently. Yet another bot of mine runs not from Toolforge but from a third-party Windows server, without mono (due to this bug: T147109)

@MaxBioHazard so.. this is one of your bots talking proper TLS 1.2:

-   ReqHeader      X-Connection-Properties: H2=0; SSR=0; SSL=TLSv1.2; C=ECDHE-ECDSA-CHACHA20-POLY1305; EC=X25519;
-   ReqHeader      User-Agent: DotNetWikiBot/3.15 (Unix 3.13.0.147; Mono 4.8.0; .NET CLR 4.0.30319.42000)

For the windows bot it should be the same.. as long as you are able to run it with Mono 4.8 or higher.
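
Added example (not part of the original thread or of Wikimedia's tooling): a small Python script that reads request-header log lines in the format quoted above, parses `X-Connection-Properties`, and reports which User-Agents still negotiate AES128-SHA. The second and third records, the `ExampleClient` name, and the assumption that the properties header precedes the User-Agent of the same request are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches request header lines in the format quoted in the thread.
HEADER_RE = re.compile(r"^-\s+ReqHeader\s+([A-Za-z0-9-]+):\s*(.*)$")

def parse_connection_properties(value):
    """Turn 'H2=0; SSL=TLSv1.2; C=...;' into a dict of its fields."""
    props = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            props[key] = val
    return props

def summarize(lines, tracked=("AES128-SHA",)):
    """Count requests per User-Agent, split by tracked vs. other ciphersuite."""
    stats = defaultdict(lambda: {"legacy": 0, "ok": 0})
    props = None
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name == "x-connection-properties":
            props = parse_connection_properties(value)
        elif name == "user-agent" and props is not None:
            # Assumption: the properties header precedes the UA of the same request.
            bucket = "legacy" if props.get("C") in tracked else "ok"
            stats[value][bucket] += 1
            props = None
    return dict(stats)

def still_legacy(stats):
    """User-Agents with at least one request on a tracked ciphersuite."""
    return sorted(ua for ua, s in stats.items() if s["legacy"])

DNWB = "DotNetWikiBot/3.15 (Unix 3.13.0.147; Mono 4.8.0; .NET CLR 4.0.30319.42000)"
# First record is the one quoted in the thread; the other two are constructed.
SAMPLE = [
    "-   ReqHeader      X-Connection-Properties: H2=0; SSR=0; SSL=TLSv1.2; C=ECDHE-ECDSA-CHACHA20-POLY1305; EC=X25519;",
    "-   ReqHeader      User-Agent: " + DNWB,
    "-   ReqHeader      X-Connection-Properties: H2=0; SSR=0; SSL=TLSv1; C=AES128-SHA;",
    "-   ReqHeader      User-Agent: " + DNWB,
    "-   ReqHeader      X-Connection-Properties: H2=1; SSR=0; SSL=TLSv1.2; C=ECDHE-ECDSA-CHACHA20-POLY1305; EC=X25519;",
    "-   ReqHeader      User-Agent: ExampleClient/1.0 (constructed)",
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for ua in still_legacy(report):
        print(report[ua], ua)
```

Because several bots can share one User-Agent string, a UA that shows both legacy and ok requests means at least one instance behind it has not been switched yet.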

@MaxBioHazard I'm still seeing (at least) one bot related to you using AES128-SHA, one using the account Рейму Хакурей

Maybe you didn't add MONO_TLS_PROVIDER=btls there?

I re-run this bot with this option.

In T194380#4224611, @MaxBioHazard wrote:

I re-run this bot with this option.

Thanks! I've already seen it behaving properly :)

Vgutierrez claimed this task.
Vvjjkkii renamed this task from Identify bots using AES128-SHA maintainers running on toolforge to v7caaaaaaa. Jul 1 2018, 1:10 AM
Vvjjkkii reopened this task as Open.
Vvjjkkii removed Vgutierrez as the assignee of this task.
Vvjjkkii raised the priority of this task from Medium to High.
Vvjjkkii updated the task description.
Vvjjkkii removed a subscriber: Aklapper.
Vgutierrez renamed this task from v7caaaaaaa to Identify bots using AES128-SHA maintainers running on toolforge. Jul 1 2018, 8:02 AM
Vgutierrez closed this task as Resolved.
Vgutierrez claimed this task.
Vgutierrez lowered the priority of this task from High to Medium.
Vgutierrez updated the task description.
Vgutierrez added a subscriber: Aklapper.