Looks like someone had the same idea for ssh blocking
Denyhosts parses your log
files and adds the sources of automated ssh attack attempts to tcp_wrappers'
/etc/hosts.deny. This is the same concept as this
little shell script I cooked up. Of course my little script was derived from
another script specific to OpenBSD and its pf firewall.
Denyhosts is pretty much the same idea as mine but it uses Python rather
than a shell script. Python is common enough on most platforms but some
non-Linux platforms may not have it without installing 3rd party resources.
The attacks on non-vulnerable machines with sshd running are harmless enough,
but the extra layer can't hurt. And if a later vuln is discovered, you've
already got a list of compromised hosts blocked out via tcp_wrappers.
[/Computers/Security/#denyhosts.html]
Comments (1)
Linux kernel.org infrastructure
This interesting article
talks about the kernel.org infrastructure used to maintain the Linux kernel.
Overall it's a fascinating little bit of history. It's also intriguing
because it gives an example of running an extremely bandwidth and processor
intensive site. This quote is especially interesting regarding an earlier
version of kernel.org hosted on a dual PIII.
Serving data with http and ftp is not very CPU intensive, but
over time the amount of rsync traffic being fed by the kernel.org server
continued to increase, and rsync is CPU intensive. "That's what rsync does"
Peter said, "it trades bandwidth for CPU horsepower. We were getting to the
point where we had all the bandwidth, but the Dual PIII 1.1's couldn't really
keep up." He noted that the load average kept growing, well into triple
digits. Referring to 32-bit systems, Peter noted, "we learned that the Linux
load average rolls over at 1024. And we actually found this out empirically."
That's fairly amazing. Also noteworthy is the bare number of software
optimizations they've thrown at the problem, which basically consisted of
mounting their filesystems with the noatime attribute. Have to double
check that one on some of my busier http boxes.
Slashdot has an article in their FAQ,
detailing their hardware and software mix as well. It probably hasn't been
updated in a while but the basic config described probably remains as detailed
in the FAQ entry.
[/Computers/OS/Linux/#kernel_org.html]
Comments (0)
My MP3 player is an antique!
According to this
the MP3 hard drive player I use every day -- a PJB 100 -- is an antique. O.K.
Maybe not an antique, but a collector's item.
The PJB was the first hard drive MP3 player. The one I have has a 20G hard
drive. It's about 4 times larger than an ipod, roughly the size of a
cassette walkman. The functionality and the interface is very nicely done.
The sound quality is excellent. My rechargeable battery doesn't hold much of
a charge these days, but I mostly use it in my car. The headphone jack is a
little worn but I could just fix it with a quick solder. And it's USB 1.1,
which means transfers to it are SLOW.
Still, I can't bring myself to replace a box that just works. By and
large, I have the same functionality as an ipod and have had it since 2001.
All the excitement about random play on a really large hard drive was rather
amusing to me since I've been doing that for years. The PJB was a wonderful
device to have when I was driving all over the state for work. I still carry
my "antique" every day. And until it goes belly up, I see no reason to
change. (Or until I can't get a working kernel module anymore.)
Wikipedia has a detailed entry on the PJB-100.
One of the coolest features mentioned is one I take for granted: gapless
playback. That means that if there is no gap on an album's tracks, then there
is no gap in the playback from the PJB as intended. There are still several
ways of getting music on (and off) a PJB. My preferred method of upload is
through an emacs mode of all things. The Table of Contents (TOC) is a text
file after all, so it actually makes a lot of sense.
[/Computers/#ancient_mp3.html]
Comments (2)
Knoppix 3.8 and UnionFS
The new Knoppix 3.8 has added an interesting feature by incorporating UnionFS
into the filesystem. What does this mean? Well it means I can modify a file
in /etc without a problem. The underlying unionfs structure writes the mod to
/ramdisk and the change is transparent.
In fact, any change can be made. Software can be added. And further, those
changes can be incorporated with Knoppix's existing persistent home dir
feature. So every time you boot it, it picks up your mods. Knoppix already
has so many uses and so much functionality. And it keeps getting better.
First read about it on oreillynet.
[/Computers/OS/Linux/#knoppix_unionfs.html]
Comments (0)
BigAdmin article on SAN booting and Jumpstart
This is one of those articles
I'm just preserving for my own future reference.
[/Computers/OS/Solaris/#SANfabricboot.html]
Comments (0)
Debian From Scratch
I found this article
on installing Debian From Scratch fairly interesting. Lately I've been
installing mepis as a Debian install for
others. But for myself, I need something a bit more hands-on. The Debian
install I have at home is getting really stale now so I am actually
considering a re-install.
Lots of folks think a re-install might not be necessary; just apt-get
upgrade to happiness. But, honestly, I've got a mess of old packages,
configs, etc. from having a nearly 4-year-old desktop unstable installation.
If this box were a server tracking stable or testing, it would be a different
story. There are times when a clean install makes sense. And it would give
me a chance to get re-acquainted with the "Debian way" and new tools they have
built -- just recently I discovered the rather
handy module-assistant for rebuilding nvidia-kernel and alsa-src on my
2.4-kernel unstable Debian box.
[/Computers/OS/Linux/#DebianFromScratch.html]
Comments (1)
$HOME in revision control
Joey Hess wrote an article sometime back on how he maintains his entire home
directory in cvs. He has updated it now to use subversion
now. I've been using svn to maintain some projects myself and I liked Joey's
original concept. The only issues for me are that I sometimes use different
profiles for some job sites. And the Operating System differences in some of
my more heavily edited bash_profile scripts are pretty convoluted. I also may
not have svn clients on the machines I use so rsync or just scp would be
needed there.
In any case, it's a neat concept and something I may have to try soon.
[/Computers/OS/Linux/#homedirinrevcontrol.html]
Comments (0)
Today's del.icio.us links
(More at http://del.icio.us/omegaman)
[/Computers/Bookmarks/#1105145534.html]
Comments (0)
The internet as platform?
Everything is Crazy has published an article that asserts
that ever increasing bandwidth will eventually overcome Microsoft's Operating
System monopoly. In other words, the application platform moves from the
Operating System to the Internet itself.
There is some evidence to support the notion that Operating Systems will matter
less and less. Google's Gmail is a tantalizing, but relatively simple
glimpse. Mozilla and Firefox have oft been presented as application platforms
in their own right. Certainly the browser is one of the most utilized
components for any computer user. And while the old "the network is the
computer" campaigns ultimately fizzled, as Everything is Crazy's author notes in a
followup, the bandwidth simply wasn't there.
Here's where the argument falls apart a bit for me:
Most users have no desire to be the system administrators of their machines,
and would gladly turn that task over to someone else for a nominal fee. As
bandwidth increases, telcos, cable companies, and others will be in the
perfect position to become application service providers for the average home
user, and said average home user will gladly accept this, as long as the price
isn't too high. I see this as almost inevitable.
It's true, average joe users are struggling with security pains and becoming
less than happy system administrators. But I just don't see cable companies
and telcos stepping up to this plate. The bottom line, as always, is the
bottom line. The investment to become an application provider would be
substantial. This is particularly evident when you factor in the support
costs. Telcos and cable companies have not been particularly good
at consumer tech support and satisfaction so far.
And I don't see there being a viable return on investment any time soon.
Providers are still looking to maximize their initial investments building and
launching broadband. They are spending most of their time and dollars getting
'triple-play' going to compete with one another while fending off interlopers
such as Vonage and AT&T for voice. The only provider that might
have some ability to test these waters as a variant of the Application Service
Provider is Time-Warner with its AOL division.
Otherwise, third parties probably have the best possibility of getting into
this sort of game. Will we one day do all of our word processing and
spreadsheet work in a browser rather than a traditional desktop app? Maybe.
Or maybe in two or three years things will be far different from what we imagined,
presenting other possibilities for people to get (over)excited about.
[/Computers/Internet/#internet_as_app_platform.html]
Comments (0)
Keeping ports up to date on OpenBSD
OpenBSD doesn't have portupgrade
like FreeBSD. Many OpenBSD users just take a snapshot of installed
ports/packages by first running pkg_info and then deleting their package
database as described in OpenBSD's upgrade documentation. OpenBSD does offer
a script, though, to check what ports are out of date:
/usr/ports/infrastructure/build/out-of-date. The script seems to
work well for my needs.
[/Computers/OS/OpenBSD/#updating_ports.html]
Comments (0)
Today's del.icio.us links
(More at http://del.icio.us/omegaman)
[/Computers/Bookmarks/#1104958956.html]
Comments (0)
Xlivecd
cygwin, perl, ssh with X11 forwarding on a single cd. All of it runs from the
cd too. Another CD for the toolkit. Get it here.
[/Computers/Tips/#xlivecd.html]
Comments (0)
Emacs keybindings for firefox
Sometime around the release of Firefox 1.0, the default use of Emacs-style
keybindings in the URL bar was changed. Here's
how to put it back right.
Also found a really handy feature for
reading RSS/Atom feeds in Thunderbird. I like this much better than the Live
bookmarks method employed by Firefox or the sidebar readers available as
extensions. This is a really good way to get security announcements and weekly
newsletters from the various distributions. Mouse gestures, Conquery,
Adblock, and User-Agent Switcher extensions make the whole Mozilla
Firefox/Thunderbird suite the winning combo for me.
[/Computers/Tips/#emacs_bindings_for_firefox.html]
Comments (0)
ssh blocker script for TCP Wrappers
Since this past summer, compromised machines have been attempting to brute
force user accounts via ssh. Mostly this is annoying but it would be nice to
detect and block these IPs. Francisco de Borja Lopez Rio made a Python script
that watches /var/log/authlog on OpenBSD and adds IPs to a filter table for
OpenBSD's pf. Script can be found here.
Later Juan J. Martinez used the same concept to create a simple shell script to behave similarly.
While this is nice, some of my own bastion hosts running ssh are not OpenBSD
machines and thus cannot run pf. So I modified Juan's script to use Wietse
Venema's ubiquitous tcp wrappers instead. The bash shell script also expects
GNU variants of cat, echo, awk, etc. but should be easily modifiable to
operate on, say, Solaris. You can get it right here. It would
also be relatively easy to edit to use Linux iptables instead.
Incidentally, there may be some other, perhaps better, approaches for dealing with this.
One is to only allow key-based authentication instead of simple password
authentication. Another might be to run ssh on a port other than 22. The
first option is probably the most secure and some useful details can be found
here. Running
somewhere other than 22 may be out of the question and automated attack
scripts may use port scanning to find running sshd's rather than assuming the
well-known service port.
If you don't need to ssh from arbitrary hosts, then you should be blocking
that at the firewall level, though you can add it to hosts.deny as well. Since
this is IP based, attackers that can figure out your "whitelist" allowed
machine IPs could utilize spoofing for a determined attack. The attacks we're
blocking here are almost certainly automated and more of a nuisance.
Restricting logins to key-based authentication only should be considered. This
script or one of the firewall scripts noted above could then be added as well
to block automated nuisance attempts. For a little extra obscurity, Port Knocking could be
layered into the mix....
Download link: ssh_blocker_wrap-sh.tar.gz
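As an added illustration of the idea behind both Denyhosts and this script (this is example code, not the ssh_blocker_wrap-sh script or Denyhosts itself): a small POSIX shell script that tallies failed sshd password attempts per source address from a log excerpt and prints the tcp_wrappers hosts.deny lines that would block repeat offenders. The sample log lines, the threshold of three failures and the function names are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not the ssh_blocker_wrap-sh script or Denyhosts: tally failed
# sshd password attempts per source address from a log excerpt and print the
# tcp_wrappers /etc/hosts.deny lines that would block repeat offenders.
# Uses only POSIX sh, awk, sort and grep, so it is not tied to GNU userland.

# Constructed sample of sshd log lines (documentation-range addresses),
# standing in for /var/log/authlog or /var/log/auth.log.
SAMPLE_LOG='Jan  8 03:14:10 bastion sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jan  8 03:14:12 bastion sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Jan  8 03:14:15 bastion sshd[1203]: Failed password for root from 192.0.2.10 port 40124 ssh2
Jan  8 03:14:20 bastion sshd[1205]: Failed password for scott from 198.51.100.7 port 51000 ssh2
Jan  8 03:15:01 bastion sshd[1207]: Accepted publickey for scott from 198.51.100.7 port 51001 ssh2
Jan  8 03:16:30 bastion sshd[1209]: Failed password for invalid user test from 203.0.113.99 port 33000 ssh2
Jan  8 03:16:31 bastion sshd[1209]: Failed password for invalid user oracle from 203.0.113.99 port 33001 ssh2
Jan  8 03:16:33 bastion sshd[1209]: Failed password for invalid user guest from 203.0.113.99 port 33002 ssh2'

# failed_by_ip LOGTEXT [THRESHOLD]
# Prints "count address" for each source with at least THRESHOLD (default 3)
# failed password attempts. Only sshd "Failed password" lines are counted;
# accepted logins and other daemons' noise are ignored.
failed_by_ip() {
    printf '%s\n' "$1" | awk -v thr="${2:-3}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source address is the field right after "from".
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }' | sort -rn
}

# deny_lines LOGTEXT THRESHOLD CURRENT_DENY
# Emits one "sshd: ADDRESS" line per offender, skipping addresses that already
# appear in CURRENT_DENY (the text of the existing hosts.deny) so that running
# it from cron does not append duplicates.
deny_lines() {
    failed_by_ip "$1" "$2" | while read -r _count ip; do
        if printf '%s\n' "$3" | grep -qxF "sshd: $ip"; then
            continue
        fi
        printf 'sshd: %s\n' "$ip"
    done
}

# Stand-alone use: show what would be appended to /etc/hosts.deny. A real
# deployment appends this output as root and keeps a whitelist of its own
# management hosts out of the deny list.
if [ "${1:-}" = "--demo" ]; then
    deny_lines "$SAMPLE_LOG" 3 "$(cat /etc/hosts.deny 2>/dev/null)"
fi
```

Run it with `--demo` to see the two addresses from the sample that cross the threshold; the single failure from 198.51.100.7 (a legitimate user's typo followed by a key login) is left alone.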
[/Computers/Security/#ssh_blocker_wrap-sh.html]
Comments (0)
Asking the wrong questions
"Asking the wrong questions is the leading cause of wrong answers." That's what my .sig says.
Here's a well-written page on researching and asking technical questions.
The insights esr provides can be applied in other ways as well.
Click here
for more.
[/Computers/Internet/#questions.html]
Comments (0)
TCP/IP class
Way back in 2001, Barry McCormick and I wrote up this document
and taught a two session class for NOLUG on
the basics of TCP/IP. Looking at my web stats lately and after doing some
googling about, I've found it's quite a popular download. Since my site has
been rearranged often, I'm just posting this so it can be found again easily.
While some of the material is slightly outdated, it's still a solid
introduction and Barry and I are pretty proud of the work we put into it.
[/Computers/Internet/#tcp_ip_class.html]
Comments (0)
Using OpenBSD CARP and pfsync for inexpensive firewall/router redundancy
Enterprise network admins are probably familiar with Cisco's HSRP
which allows for router redundancy and VRRP
for firewall redundancy. This article
describes a way to achieve the same thing using features in the
upcoming OpenBSD 3.5 release. Other commercial firewalls certainly
have similar capability. However, OpenBSD's feature set is becoming
rather compelling.
Smaller businesses can certainly find value in such an approach,
keeping their network available and secure at a fraction of the cost.
Even paying an outside consultant for installation and ongoing
support would be cost effective. Deploy something like this and things remain
comfortable for your Cisco-trained network admins.
All of this of course reminds me that I really need to schedule some
time to upgrade my own OpenBSD
firewall.
[/Computers/Internet/Security/#carp_and_pfsync.html]
Comments (1)
Patent Nuttiness
This is a truly
ridiculous patent. Apparently a company called ideaflood.com has managed to patent
subdomains.
*boggle*
So if I decide to set up, say, Jennifer.scottharney.com, I'm supposed
to pay a licensing fee to this company. How did they get this patent
in the first place?
Christopher Falkowski, a legal specialist in these topic areas for Bloomfield
Hills, Mich.-based Rader, Fishman and Grauer (raderfishman.com) says a number
of key requirements must be met to obtain a patent, whether that patent is in
the area of Web hosting operations or any other technical field: The invention
must be new or novel. It must be non-obvious. The persons claiming the patent
must be the inventors. And the patent application must be filed within one
year of a public disclosure or sale.
The patent was apparently issued in 1999. One of the first relevant
RFCs I could find is RFC
805, dated 8 February 1982. Here's the introductory text:
Introduction
A meeting was held on the 11th of January 1982 at USC Information
Sciences Institute to discuss addressing issues in computer mail.
The attendees are listed at the end of this memo. The major
conclusion reached at the meeting is to extend the
"username@hostname" mailbox format to "username@host.domain",
where the domain itself can be further structured.
Hmmm. Besides being an obvious idea, there's clearly prior art.
That's just one RFC out of many and I'm certain there are hundreds of
examples of this use of subdomain naming. Perhaps a search of
the Internet Archive will provide
some examples.
[/Computers/Internet/#patent_nuttiness.html]
Comments (0)
Making picture albums
I like to use album to make my picture albums.
The command to generate the static picture pages is:
~scotth/album/album.pl -medium 50% -medium_type -known_images -theme ../album/Themes/Blue
once I'm in a directory full of pictures. Makes it simple, really.
[/Computers/Internet/Site_Info/#making_albums.html]
Comments (0)
New thoughts on streaming music
Writing up the procedure I use to stream music got me thinking about
problems with it and alternatives. One problem that it has is
that I must be logged in on the console, in X, running xmms. A power-outage
forced reboot could end my musical bliss at work ;). Someone
else pointed out that I really should consider ogg. While re-encoding
all my source CD's would be a massive undertaking this would eventually
be a good goal. Transcoding from mp3->ogg is a bad idea but for a low
quality stream it may have little impact.
So I found gnump3d and liked what
I saw. So I installed it, reconfigured some firewall rules, and liked it
even more. This is a web-based way to control and stream a music collection.
The web interface is well-designed and skinnable. It seems to give me more
control than xmms-shell. I can cue up individual songs or albums. Each
song is a playlist so I can easily scramble within my xmms client at work
rather than on the server. I can create custom playlists through the web
interface.
The coolest feature is the way resampling is handled. The parameters
for resampling (called downsampling in gnump3d.conf) allow
you to specify subnets that do not require downsampling. Thus I can
fire up a session on my local desktop and use it to control music and
those songs will not be re-encoded to a lower bitrate. The caching
that happens between each song due to streaming is instantaneous on a local
connection so album play is minimally interrupted.
gnump3d doesn't utilize a MySQL or other backend database. It's
very simple to setup and has taken some reasonable security precautions. I
like its "keep it simple" approach.
It doesn't work well through the reverse inbound proxy so I run it
through an alternate port on the firewall and redirect that to the
internal gnump3d server. One way I could deal with this is switch
to Apache::MP3. This is a mod_perl
solution that runs within Apache. So even SSL-encrypted streaming could
work through this. Port 80 name-based virtual hosts work fine. Apache::MP3::Skin
and Apache::MP3::Resample would provide the additional similar functionality.
A user can choose the level of resampling desired so it's pretty interesting.
Since gnump3d works so well for me I didn't try the Apache perl module approach but
I may mess with it at a later time. I've been experimenting with mod_perl stuff for
a while so it may be educational to mess with this.
[/Computers/OS/Linux/Tips/#more_streaming_music.html]
Comments (0)