The Public Policy Lean Canvas

I’ve been invited to participate in the Startup Nations Summit in Tallinn, Estonia this coming November, representing New Zealand. The central event at this year’s summit will be a Policy Hack, in which delegates from all over the world will get together to collaboratively nut out government policies relating to startups.

If you’ve ever spoken to me for more than five minutes, you’ll know that I’m a huge fan of Eric Ries and Steve Blank’s Lean Startup Methodology, and that one of my favourite tools is Ash Maurya’s Lean Canvas. Way back in 2013, Rowan Yeoman and I applied the Lean Canvas to Social Enterprise, and produced the Social Lean Canvas, which (mainly thanks to Rowan) has taken off globally.

But how can we apply the key elements of the Lean Startup Methodology to public policy? By that I mean:

  • Your business (or endeavour) can be treated as a science experiment using the Build – Measure – Learn cycle
  • Get out of the building – there is no knowledge inside the building
  • Before you reach product-market fit (i.e., a scalable, repeatable business model), the main measure of progress is learning; any time or resources you don’t spend on learning how to reach product-market fit is wasted
  • You’ll learn a lot more by measuring what people actually do than you will by asking them hypothetical questions
  • Don’t waste time or resources on premature optimisation

The beauty of the Lean Canvas is that it allows you to quickly jot down and keep track of the key aspects of your business, and identify the key assumptions underlying those aspects, so that you can go out and validate those assumptions. Generally, you’ll want to start your validation with the riskiest assumptions – those assumptions which if proved incorrect (invalidated), will kill your business.

So I cooked up a Public Policy Lean Canvas. You can go and get it at leanpolicy.org.

Knocking vulnerability scanners with fail2ban

I’ve been running fail2ban on my Linux servers for years. It’s a neat little piece of software that detects people trying to break into your system, and then ignores any further packets from the intruder’s IP address for a period of time. It comes as a standard package for many distributions, and is easy to install and set up. It has limitations – it can’t really deal with distributed attacks – but it’s very useful for what it does.

Recently I’ve noticed a large number of automated scans from the Jorgee vulnerability scanner, which address the server by its numeric IP address (as an absolute URI in the request line) rather than by hostname. Apache log entries look something like this:

59.120.89.243 - - [01/Sep/2017:00:51:58 +1200] "HEAD http://54.245.116.119:80/mysql/admin/ HTTP/1.1" 301 238 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/mysql/dbadmin/ HTTP/1.1" 301 239 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/mysql/sqlmanager/ HTTP/1.1" 301 242 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/mysql/mysqlmanager/ HTTP/1.1" 301 244 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/phpmyadmin/ HTTP/1.1" 301 236 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/phpMyadmin/ HTTP/1.1" 301 236 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/phpMyAdmin/ HTTP/1.1" 301 236 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/phpmyAdmin/ HTTP/1.1" 301 236 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/phpmyadmin2/ HTTP/1.1" 301 237 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/phpmyadmin3/ HTTP/1.1" 301 237 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/phpmyadmin4/ HTTP/1.1" 301 237 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/2phpmyadmin/ HTTP/1.1" 301 237 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/phpmy/ HTTP/1.1" 301 231 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:01 +1200] "HEAD http://54.245.116.119:80/phppma/ HTTP/1.1" 301 232 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:01 +1200] "HEAD http://54.245.116.119:80/myadmin/ HTTP/1.1" 301 233 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:01 +1200] "HEAD http://54.245.116.119:80/shopdb/ HTTP/1.1" 301 232 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:01 +1200] "HEAD http://54.245.116.119:80/MyAdmin/ HTTP/1.1" 301 233 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:01 +1200] "HEAD http://54.245.116.119:80/program/ HTTP/1.1" 301 233 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/PMA/ HTTP/1.1" 301 229 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/dbadmin/ HTTP/1.1" 301 233 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/pma/ HTTP/1.1" 301 229 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/db/ HTTP/1.1" 301 228 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/admin/ HTTP/1.1" 301 231 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/mysql/ HTTP/1.1" 301 231 "-" "Mozilla/5.0 Jorgee"
... and so on ...

There’s no point in encouraging those!

So I cooked up a new fail2ban rule.

In filter.d/apache-numeric.conf:

# Fail2Ban configuration file
#
# Regexp to catch accesses that name the server by numeric IP address
# (absolute-URI request lines such as "HEAD http://1.2.3.4:80/..." in the access log).
# <HOST> is fail2ban's tag for the client address to ban; failregex must contain it.

[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD) http://\d+\.\d+\.\d+\.\d+.*$

ignoreregex =

# Author: Dave Moskovitz

… and in jail.local:

[apache-numeric]
enabled = true
filter = apache-numeric
action = iptables-multiport[name=ApacheNumeric, port="http,https"]
logpath = /var/log/apache2/*/access.log
bantime = 3600
maxretry = 3

et voilà, numeric IP scans curtailed.
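To see what the filter and jail above actually do to a log, here is an added example (not from the post, and not fail2ban's own code) that replays the same failregex and the jail's maxretry over a few constructed log lines in Python, the language fail2ban is written in. The IPv4-only stand-in for the <HOST> tag and the 600-second findtime are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# fail2ban replaces its <HOST> tag with an address-capturing group before matching;
# this stand-in group is IPv4-only to keep the example short.
FAILREGEX = r'^<HOST> -.*"(GET|POST|HEAD) http://\d+\.\d+\.\d+\.\d+.*$'
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))
APACHE_TS = re.compile(r'\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\]')
MAXRETRY = 3    # as in the jail.local above
FINDTIME = 600  # seconds; fail2ban's default findtime (the jail above does not set one)

def parse_failure(line):
    """Return (client_ip, timestamp) when the line matches the failregex, else None."""
    m = PATTERN.match(line)
    ts = APACHE_TS.search(line)
    if not m or not ts:
        return None
    when = datetime.strptime(ts.group(1), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('host'), when

def ips_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """IPs that reach maxretry matching requests inside a sliding findtime window."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ip, when = parsed
        # keep only earlier hits still inside the window, then add this one
        hits[ip] = [t for t in hits[ip] if when - t <= window] + [when]
        if len(hits[ip]) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

# Constructed sample lines in the format of the excerpt above (not real traffic);
# 198.51.100.9 matches three times but never three times within 600 seconds.
SAMPLE_LOG = [
    '198.51.100.9 - - [01/Sep/2017:00:40:00 +1200] "HEAD http://54.245.116.119:80/pma/ HTTP/1.1" 301 229 "-" "Mozilla/5.0 Jorgee"',
    '198.51.100.9 - - [01/Sep/2017:00:49:00 +1200] "HEAD http://54.245.116.119:80/db/ HTTP/1.1" 301 228 "-" "Mozilla/5.0 Jorgee"',
    '59.120.89.243 - - [01/Sep/2017:00:51:58 +1200] "HEAD http://54.245.116.119:80/mysql/admin/ HTTP/1.1" 301 238 "-" "Mozilla/5.0 Jorgee"',
    '203.0.113.7 - - [01/Sep/2017:00:51:58 +1200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/phpmyadmin/ HTTP/1.1" 301 236 "-" "Mozilla/5.0 Jorgee"',
    '59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/admin/ HTTP/1.1" 301 231 "-" "Mozilla/5.0 Jorgee"',
    '198.51.100.9 - - [01/Sep/2017:00:55:00 +1200] "HEAD http://54.245.116.119:80/mysql/ HTTP/1.1" 301 231 "-" "Mozilla/5.0 Jorgee"',
]
if __name__ == '__main__':
    print(ips_to_ban(SAMPLE_LOG))  # ['59.120.89.243']
```

Against a real log, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-numeric.conf` shows which lines the filter would match before the jail is enabled. Any legitimate client that requests the server by bare IP as an absolute URI (an uptime monitor configured by address, say) will match too, so list such sources in the jail's ignoreip.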