Author Archives: David

The Legal Fight Not Meant to Be

How my wife went from mental health crisis, to jail, to the hospital, to home. And how I had to fight the legal system along the way.

On Wednesday, July 31, 2019, my world turned upside down…

For the second time in our five years of marriage, my wife, Lauren, had a psychotic break – a mental health crisis. But this time it was different. I had a 1 & 1/2 year old daughter to take care of. And Lauren was taken to jail.

According to state law, Lauren had assaulted me. As a defendant, she was barred from having any communication with me, the victim. I was not allowed to see her. I was not allowed to take her to the hospital when she was bailed out of jail 12 hours later. And for almost an entire week, I was not allowed to talk to her. And so, where the law was meant to protect and help citizens, I had to fight the State of Tennessee to help bring normalcy back to my family.

It’s like dying. Drowning. A total eclipse of the sun…. Psychosis, they call it. In shorthand, a break. They mean a break with reality. An alternate universe in which demons call the shots, direct your actions, bang you into bathroom walls so hard you bruise.

Lauren published a blog post from her point of view. Read more at https://laurenhwhite.com/2019/08/23/coming-home-psychotic-break-to-i-can-trust/

People are talking more frequently about Bipolar Disorder…

Right around the same time Lauren got sick, This American Life aired an episode featuring NYT Magazine author Jamie Lowe’s struggle with bipolar disorder and her experience with a type of trauma therapy known as CPT (cognitive processing therapy). Although she has a different life story than Lauren’s, I would recommend the episode, Ten Sessions, as a bird’s eye view into the life of someone who has bipolar disorder.

Lowe has also written a book about her experience with bipolar disorder and a medication she was on for a long time, lithium. I haven’t read the book, but it gets good reviews on Amazon. And as I listened to the first half of last weekend’s This American Life episode, I was grateful for Lowe’s openness on the topic.

(Lowe’s book, Mental: Lithium, Love, and Losing My Mind, is available on Amazon at https://www.amazon.com/Mental-Lithium-Love-Losing-Mind/dp/0399574492/.)


Heartache…

As I was getting into bed late that Wednesday night, I was incredulous. WHY ON EARTH was Lauren taken to jail, and not to a mental hospital, where she actually belonged?

I tagged Tennessee State Representative Mike Carter in the following tweet because he has fought on behalf of the mental health community, and I appreciate his advocacy work.

About 30 minutes prior to tweeting, I sent an SOS text message to a few of my church friends:

Please urgently pray for Lauren and my family. She’s had a psychotic break…. and is currently in jail due to state law. Mark [Lauren’s dad] is posting bail tomorrow morning, and taking her to a mental hospital…. I’m taking off work until at least Friday.


Triage…

Exhausted because I only slept 5 hours, I woke up Thursday morning in a daze. Did that just happen? Yes, the bumps on my head were still there.

Suddenly thrust into the role of a single parent – when I would normally have been at work – my focus was on my daughter. She needed a lot of reassurance that first day, that everything was (going to be) OK.

By mid-morning, my phone was blowing up with concerned friends and church members, wondering how they could help. I asked one of my best friends from church to help me delegate. If I needed anything at all that week, I would text him or 1-2 others, and I knew he would take care of it.

On Friday morning, a family friend picked up our daughter so that I could have a few hours to myself. I needed time to think, prioritize tasks, and to talk to Lauren’s regular psychiatrist. I also needed to get letters from Lauren’s doctors that would help to lift the no-contact order.

My brother and his wife came to help on Friday evening. He and I ate at a cheap hibachi restaurant down the road, and she watched my daughter. I was exhausted, but it was good to get out of the house for the first time.

Specific events run together, and the weekend was a blur…

The elders came to pray for and encourage me. My friends brought dinner Saturday night, and sat with me as I grieved. Saturday night, I had trouble sleeping again. I woke up Sunday morning at 3:30am.

That’s when I had to rant…

The legal fight that should not have been…

On Monday, the same mother who watched my daughter the previous Friday morning watched her again. I dropped my daughter off at this friend’s house at 10am, and went to work. I was encouraged and full of optimism.

Monday afternoon, my brother (a local lawyer) and I went to court – the first time – to try and get the no-contact order lifted. When Lauren would eventually be released from the hospital, she wouldn’t be able to come home without the order lifted. We expected that there wouldn’t be much of an issue. We were wrong.

The judge said we needed to get a letter from the hospital where Lauren was, that specifically stated it would be beneficial to Lauren for her to have contact with me.

So I called the hospital and explained the situation to the social worker.

Liability concerns…

The hospital wouldn’t budge. They explained that they didn’t have any history with Lauren or me, and so couldn’t say that it would actually be beneficial for Lauren to come home when she would eventually be released from the hospital. I talked to them multiple times, and even met with them in person. It was all for naught. They wouldn’t write a letter with the specific wording the judge said we needed.

To make matters worse, Lauren had recently begun seeing a new therapist who had never met me. The therapist was equally hesitant to write anything that she could not say with certainty. And Lauren’s psychiatrist was unavailable to write a letter until Wednesday.

On the one hand, I get it. State law is meant to protect, and in most cases of domestic violence, there absolutely needs to be a period of separation between victim and defendant. But on the other hand, my wife was sick, and had a diagnosed mental illness. This was not a typical domestic issue. She needed a safe, stable place to come home to.

Unfortunately, my only option was to wait until Wednesday, when Lauren’s psychiatrist could write her letter, even though the judge said he needed a letter from the hospital.

Preparing for the second attempt…

On Wednesday, I went to work at my day job (someone else volunteered to watch my daughter) in the morning, but I couldn’t focus. I knew I was going to court again in the afternoon, and I didn’t know if Lauren’s psychiatrist’s letter would be enough to convince the judge.

I drove to the hospital mid-morning, and talked to the social worker at the hospital one last time in the hopes of getting them to provide the exact wording that we wanted in a letter for the judge. They still wouldn’t budge.

That morning, I got a phone call from someone else at the hospital that Lauren was going to be released Thursday. On the one hand, this was great news. Lauren was improving and was about to be released. On the other hand, she still couldn’t come home – which was the best place for her.

After trying (and failing) to focus for 30 minutes, I gave up, and went to a coffee shop for lunch before court started in the afternoon. I ran into a friend (he surprised me by paying for my lunch) and that was an unexpected source of encouragement. I was tired, nervous, and wanted this nightmare behind me.

Finally, it was time.

Armed with the psychiatrist’s letter, I met my brother at his office, who had some concerns about the particular wording of one of the sentences in that letter. After a last-minute phone call and scramble to get that fixed, we were on our way.

Court, a second time…

We sat for about 2 hours, waiting our turn. You see, General Sessions court (in Hamilton County, anyway) has a large docket on any given day, and we had to appear without any prior schedule, meaning the court had to fit us in with no prior notice. My brother knew the process though, and eventually, the judge heard our case – the second time.

Finally, I had great news. Not only was Lauren going to be released from the hospital on Thursday, but she was coming home – the best and safest place for her. With the no-contact order lifted, I was also able to visit Lauren in the hospital Wednesday night – a full week after this nightmare started.

Reflections and relief…

As I drove Lauren home that Thursday afternoon and in the following days, I couldn’t help but wonder how things might have turned out differently if Tennessee state law had accounted for a mental health crisis in the event of domestic assault. The responding officers’ hands were tied, and I harbor no ill will towards them. However, it still frustrates me to no end that Lauren was not taken immediately to a hospital.

The drive home was quiet. I was exhausted. Lauren was exhausted. And I knew that she had experienced a lot of trauma. My entire family had endured a week’s worth of trauma. But Lauren was coming home.


Approximately a month and a half after the incident described, Lauren and I, along with my brother, appeared in court for her scheduled court date to address the charge of domestic assault. The prosecutor completely dismissed the charge, and Lauren’s record has been cleared.


David is a husband and father who lives in Chattanooga, TN. He is a Systems & Cybersecurity Engineer for EPB, a local Internet Service Provider. Learn more about him at https://www.davidmartinwhite.com/about/.

A huge thank you to my brother, Daniel White, who provided free legal assistance during the mess described in this blog post.

Another huge thank you to all of my extended family, my church (New City East Lake) and friends who jumped in and helped us this week. From visiting Lauren in the hospital when I couldn’t because of the no-contact court order, to babysitting my daughter, to dropping food off, to simply sitting with me. I couldn’t have made it through the week without you. Thank you.


Analyzing Logs stored in Synology Log Center for Abusive IP Addresses

A few days ago, I published a blog post on how one can quickly and easily set up a Synology NAS to act as a log receiver and store syslogs from remote CentOS servers.

When I wrote the post, I hadn’t planned to write a Part 2. But here we go! In this blog post, I will explain how I am analyzing the logs, stored in Synology’s Log Center, to identify abusive IP addresses and generate a list of the top offending /24 networks. The goal is to then automatically upload this list of networks back to every server we manage, and load those networks into each server’s firewall.

Relevant to this post, it should be noted that we are using a set of iptables wrapper scripts known as CSF (ConfigServer Security & Firewall). I think CSF is better than something like Fail2Ban, because it does much more than filter for abusive IP addresses. CSF also tracks potentially suspicious users and processes, and it includes an easy-to-configure Perl config file to manage your firewall (opening and closing specific TCP and/or UDP ports). And yes, CSF does support IPv6.

Synology Log Center stores its data in sqlite3 databases. My first step was to parse through the logs, and find the relevant messages where the firewall specifically blocked an IP address. Each server’s logs are represented in a different sqlite3 database.

So first, I run a simple find command to identify the databases. Then, I select the appropriate column from each database:

for i in $(find -name "*.DB"); do sqlite3 $i "SELECT msg FROM LOGS;"

(You’ll notice that my ‘for’ loop hasn’t been terminated in the above code. More on that in a second…)

Here is an example message (a row from within the sqlite3 database) that I’m interested in (I am redacting the IP addresses and replacing the redaction with x.x.x.x or y.y.y.y).

Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:01:22:e0:39:21:84:b5:9c:f9:08:30:08:00 SRC=x.x.x.x DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=17737 PROTO=TCP SPT=48944 DPT=15132 WINDOW=1024 RES=0x00 SYN URGP=0

So now, I need to grab the SRC IP address. I initially was selecting (correct) results with the following command:

grep "SRC=" | awk '{print $7}' | sed 's/SRC=//'

… Which, when combined with my earlier code, looked like this:

for i in $(find -name "*.DB"); do sqlite3 $i "SELECT msg FROM LOGS;" | grep "SRC=" | awk '{print $7}' | sed 's/SRC=//'; done

But someone who does some work for me from time to time pointed out that, with the above command, I’m assuming CSF will always format the log message the same way and that the IP address I’m interested in will always be in the 7th column. He suggested an alternative way to grab the IP address. After some testing, and verifying that each method returns the same results, I decided to go with his method, because I agree – it future-proofs the code, and is a more accurate filter for the SRC IP address.

grep "SRC=" | sed -e "s/^.*SRC=//" -e "s/ .*//"

So, combined with my earlier code, the full command syntax is now:

for i in $(find -name "*.DB"); do sqlite3 $i "SELECT msg FROM LOGS;"; done | grep "SRC=" | sed -e "s/^.*SRC=//" -e "s/ .*//"

At this point, we have a list of raw IP addresses. But now, I want to gather some statistics about these IP addresses, and identify the most abusive subnets. First, we should sort, and then we should only output unique lines (no point in displaying the same IP address twice). Then, let’s only output the first 3 octets, do another sort, make sure the results are unique, and count how many IP addresses are represented in each line:

sort | uniq | awk -F . '{print $1"."$2"."$3}' | sort | uniq -c

Now we’re getting somewhere. The line containing the full command now looks like this:

for i in $(find -name "*.DB"); do sqlite3 $i "SELECT msg FROM LOGS;"; done | grep "SRC=" | sed -e "s/^.*SRC=//" -e "s/ .*//" | sort | uniq | awk -F . '{print $1"."$2"."$3}' | sort | uniq -c

This will output a list of /24 subnets (IP addresses minus the last octet), each preceded by the number of distinct IP addresses from that subnet that appeared in the list, i.e. like this: 5 x.x.x

Now let’s only grab subnets that seem problematic. You can pick any number, and I would recommend testing that number and being flexible with it, as you don’t want to block legitimate traffic just because it is coming from a subnet where other members of that IP space have behaved badly. To start, I’m going with 20 for now.

Finally, let’s format the output so that it represents a valid subnet.

awk '$1 > 20' | awk '{print $2".0/24"}'

… and save it to a file.

Here’s the final command:

for i in $(find -name "*.DB"); do sqlite3 $i "SELECT msg FROM LOGS;"; done | grep "SRC=" | sed -e "s/^.*SRC=//" -e "s/ .*//" | sort | uniq | awk -F . '{print $1"."$2"."$3}' | sort | uniq -c | awk '$1 > 20' | awk '{print $2".0/24"}' > abusive-ip-addresses.txt
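The same aggregation as a reusable function, as an added example that is not the author's script: it keeps only well-formed IPv4 SRC= values (since CSF also handles IPv6, an IPv6 source would otherwise be mangled by splitting on dots) and takes the threshold as an argument. The function names and the sample messages are constructed for illustration; the addresses come from documentation ranges.

```sh
#!/bin/sh
# Added example, not the author's script. All sample data below is constructed
# (documentation address ranges only).

# Read firewall messages on stdin; print each /24 that contains more than
# THRESHOLD distinct IPv4 sources (default 20, the post's starting value).
abusive_24s() {
    threshold="${1:-20}"
    grep -oE 'SRC=[^ ]+' |                      # anchor on SRC=, not on column 7
    sed 's/^SRC=//' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |   # drop IPv6 and malformed values
    sort -u |                                   # one line per distinct source IP
    awk -F. -v t="$threshold" '
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 { n[$1 "." $2 "." $3]++ }
        END { for (net in n) if (n[net] > t) print net ".0/24" }' |
    sort
}

# Constructed messages: three distinct hosts in 203.0.113.0/24 (one repeated),
# two in 198.51.100.0/24 (one repeated), one IPv6 source, one unrelated line.
sample_messages() {
cat <<'EOF'
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.5 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=48944 DPT=15132
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.5 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=48945 DPT=23
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.9 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=1024 DPT=22
Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.1 LEN=60 PROTO=UDP SPT=5060 DPT=5060
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.10 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=4000 DPT=22
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.10 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=4001 DPT=22
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.11 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=4002 DPT=22
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=2001:db8::1 DST=2001:db8::2 LEN=60 PROTO=TCP SPT=5000 DPT=22
kernel: unrelated message without a source address
EOF
}

# Threshold 2 for the small sample: only the /24 with three distinct hosts qualifies.
sample_messages | abusive_24s 2   # prints 203.0.113.0/24
```

To use it on the real data, pipe the sqlite3 loop's output into abusive_24s with the chosen threshold in place of sample_messages.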

What will I do with the information?

I plan to use Synology’s crontab to run the above command once an hour. The resulting text file will get rsync’d to one of our servers.

CSF will then be configured to block anything within the text document. According to CSF’s documentation, blocklists are controlled by modifying /etc/csf/csf.blocklists.

So, a valid entry could be: DEVELOPCENTS|86400|0|https://our.private.url/abusive_ip_addresses.txt
