Wed, 19 Jan 2005
A fellow nolugger wrote this article about New Orleans. I think much of the same could be said about European countries. Certainly my recent honeymoon to Spain had me thinking in a similar mode. Priorities, perspective, and values....
This is one of those articles I'm just preserving for my own future reference.
Tue, 18 Jan 2005
I found this article on installing Debian From Scratch fairly interesting. Lately I've been installing MEPIS as a Debian install for others. But for myself, I need something a bit more hands-on. The Debian install I have at home is getting really stale now, so I am actually considering a re-install.
Lots of folks think a re-install might not be necessary; just apt-get upgrade to happiness. But, honestly, I've got a mess of old packages, configs, etc. from having a nearly 4-year-old desktop unstable installation. If this box were a server running stable or testing, it would be a different story. There are times when a clean install makes sense. And it would give me a chance to get re-acquainted with the "Debian way" and the new tools they have built -- just recently I discovered the rather handy module-assistant for rebuilding nvidia-kernel and alsa-src on my 2.4-kernel unstable Debian box.
Joey Hess wrote an article some time back on how he maintains his entire home directory in CVS. He has since updated it to use Subversion. I've been using svn to maintain some projects myself and I liked Joey's original concept. The only issues for me are that I sometimes use different profiles for some job sites, and the Operating System differences in some of my more heavily edited bash_profile scripts are pretty convoluted. I also may not have svn clients on the machines I use, so rsync or just scp would be needed there.
In any case, it's a neat concept and something I may have to try soon.
Sat, 08 Jan 2005
Everything is Crazy has published an article that asserts that ever increasing bandwidth will eventually overcome Microsoft's Operating System monopoly. In other words, the application platform moves from the Operating System to the Internet itself.
There is some evidence to support the notion that Operating Systems will matter less and less. Google's Gmail is a tantalizing, but relatively simple glimpse. Mozilla and Firefox have oft been presented as application platforms in their own right. Certainly the browser is one of the most utilized components for any computer user. And while the old "the network is the computer" campaigns ultimately fizzled, as Everything is Crazy's author notes in a followup, the bandwidth simply wasn't there.
Here's where the argument falls apart a bit for me:
"Most users have no desire to be the system administrators of their machines, and would gladly turn that task over to someone else for a nominal fee. As bandwidth increases, telcos, cable companies, and others will be in the perfect position to become application service providers for the average home user, and said average home user will gladly accept this, as long as the price isn't too high. I see this as almost inevitable."
It's true, average Joe users are struggling with security pains and becoming less than happy system administrators. But I just don't see cable companies and telcos stepping up to this plate. The bottom line, as always, is the bottom line. The investment to become an application provider would be substantial. This is particularly evident when you factor in the support costs. Telcos and cable companies have not been particularly good at consumer tech support and satisfaction so far.
And I don't see there being a viable return on investment any time soon. Providers are still looking to maximize their initial investments in building and launching broadband. They are spending most of their time and dollars getting 'triple-play' going to compete with one another while fending off interlopers such as Vonage and AT&T for voice. The only provider that might have some ability to test these waters as a variant of the Application Service Provider is Time-Warner with its AOL division.
Otherwise, third parties probably have the best possibility of getting into this sort of game. Will we one day do all of our word processing and spreadsheet work in a browser rather than a traditional desktop app? Maybe. Or maybe in two or three years things will be far more different than we imagined, presenting other possibilities for people to get (over)excited about.
OpenBSD doesn't have portupgrade like FreeBSD. Many OpenBSD users just take a snapshot of installed ports/packages by first running pkg_info and then deleting their package database, as described in OpenBSD's upgrade documentation. OpenBSD does offer a script, though, to check which ports are out of date: /usr/ports/infrastructure/build/out-of-date. The script seems to work well for my needs.
Wed, 05 Jan 2005
Cygwin, Perl, and ssh with X11 forwarding on a single CD. All of it runs from the CD too. Another CD for the toolkit. Get it here.
Sometime around the release of Firefox 1.0, the default use of Emacs-style keybindings in the URL bar was changed. Here's how to put it back right.
Also found a really handy feature for reading RSS/Atom feeds in Thunderbird. I like this much better than the Live Bookmarks method employed by Firefox or the sidebar readers available as extensions. This is a really good way to get security announcements and weekly newsletters from the various distributions. The Mouse Gestures, Conquery, Adblock, and User-Agent Switcher extensions make the whole Mozilla Firefox/Thunderbird suite the winning combo for me.
Mon, 03 Jan 2005
Since this past summer, compromised machines have been attempting to brute force user accounts via ssh. Mostly this is annoying, but it would be nice to detect and block these IPs. Francisco de Borja Lopez Rio made a Python script that watches /var/log/authlog on OpenBSD and adds IPs to a filter table for OpenBSD's pf. The script can be found here.
Later, Juan J. Martinez used the same concept to create a simple shell script that behaves similarly. While this is nice, some of my own bastion hosts running ssh are not OpenBSD machines and thus cannot run pf. So I modified Juan's script to use Wietse Venema's ubiquitous TCP Wrappers instead. The bash shell script also expects GNU variants of cat, echo, awk, etc., but should be easily modifiable to operate on, say, Solaris. You can get it right here. It would also be relatively easy to edit it to use Linux iptables instead.
Incidentally, there may be some other, perhaps better, approaches for dealing with this. One is to only allow key-based authentication instead of simple password authentication. Another might be to run ssh on a port other than 22. The first option is probably the most secure, and some useful details can be found here. Running somewhere other than 22 may be out of the question, and automated attack scripts may use port scanning to find running sshd instances rather than assuming the well-known service port.
If you don't need to ssh from arbitrary hosts, then you should be blocking that at the firewall level, though you can add it to hosts.deny as well. Since this is IP based, attackers that can figure out your "whitelist" allowed machine IPs could utilize spoofing for a determined attack. The attacks we're blocking here are almost certainly automated and more of a nuisance. Restricting logins to key-based authentication only should be considered. This script or one of the firewall scripts noted above could then be added as well to block automated nuisance attempts. For a little extra obscurity, Port Knocking could be layered into the mix....
Download link: ssh_blocker_wrap-sh.tar.gz
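The idea behind the scripts above (count sshd authentication failures per source address in the auth log, then deny further connections from addresses that cross a threshold) in a self-contained form. This is an added example, not the linked script or the Python/shell scripts it is based on: it parses OpenSSH "Failed password" lines, skips a whitelist of networks so a mistyped password from your own hosts does not lock you out, and emits TCP Wrappers hosts.deny entries. The log lines, addresses, threshold and the hosts.deny path argument are constructed for the example.

```python
"""Per-IP sshd failure counting with TCP Wrappers deny output.

Added example (not the post's linked script). Counts OpenSSH
"Failed password" lines per source IP, applies a threshold and a
whitelist, and produces/appends "sshd: IP" lines for hosts.deny.
"""
import ipaddress
import re
from collections import Counter
from typing import Iterable, List, Sequence

# OpenSSH logs one "Failed password for [invalid user] NAME from IP port N ssh2"
# line per attempt. Only that message is counted so a single attempt against an
# unknown account (which also produces an "Invalid user" line) is not counted twice.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample authlog lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Jan  3 02:14:07 bastion sshd[1234]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jan  3 02:14:09 bastion sshd[1235]: Invalid user test from 198.51.100.23
Jan  3 02:14:09 bastion sshd[1235]: Failed password for invalid user test from 198.51.100.23 port 40130 ssh2
Jan  3 02:14:12 bastion sshd[1237]: Failed password for invalid user admin from 198.51.100.23 port 40140 ssh2
Jan  3 02:15:00 bastion sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jan  3 02:16:30 bastion sshd[1241]: Failed password for alice from 192.0.2.10 port 50010 ssh2
Jan  3 02:17:00 bastion sshd[1242]: Failed password for invalid user guest from 203.0.113.77 port 33000 ssh2
"""


def failed_attempts(lines: Iterable[str]) -> Counter:
    """Return a Counter mapping source IP -> number of failed password attempts."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts: Counter, threshold: int = 3,
              whitelist: Sequence[str] = ()) -> List[str]:
    """IPs with at least `threshold` failures that are not inside a whitelisted network."""
    nets = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    result = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue  # never deny our own management hosts
        result.append(ip)
    return sorted(result)


def hosts_deny_lines(ips: Iterable[str], daemon: str = "sshd") -> List[str]:
    """Render TCP Wrappers entries of the form 'sshd: 198.51.100.23'."""
    return [f"{daemon}: {ip}" for ip in ips]


def update_hosts_deny(ips: Iterable[str], path: str, daemon: str = "sshd") -> List[str]:
    """Append entries not already present in `path`; return the lines added."""
    try:
        with open(path) as fh:
            existing = {line.strip() for line in fh}
    except FileNotFoundError:
        existing = set()
    new = [line for line in hosts_deny_lines(ips, daemon) if line not in existing]
    if new:
        with open(path, "a") as fh:
            fh.write("\n".join(new) + "\n")
    return new


if __name__ == "__main__":
    # Usage: python ssh_deny.py [/var/log/authlog]; with no argument the sample is used.
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    bad = offenders(failed_attempts(lines), threshold=3, whitelist=["192.0.2.0/24"])
    # Print rather than touch /etc/hosts.deny; call update_hosts_deny(bad, "/etc/hosts.deny") to apply.
    print("\n".join(hosts_deny_lines(bad)))
```

Run against a real authlog this prints one "sshd: IP" line per offending address; to apply the block, pass the result to update_hosts_deny with the real hosts.deny path, or feed the same list into a pf table or iptables rule instead. The whitelist matters for the spoofing point made above: whitelisted networks are never denied, so keep that list to the hosts you actually log in from.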