GDFuego: The occasional rantings of a computer geek. Blog by G.D. Fuego (feed dated 2024-03-13).<br />
<h2>
My Letter to Joe Kennedy III about Sheriff Joe Arpaio.</h2>
2017-08-28<br />
Representative Kennedy,<br />
<br />
I'd like to start off by saying that you seem to be a man of conviction. I agree with you on most if not all of what you speak about, and you seem to truly believe it. And I understand that you seem to support the impeachment of Trump based upon the Russia corruption scandal, at least looking at the video you published in May.<br />
<br />
It's time.<br />
<br />
Trump's pardon of Sheriff Joe Arpaio is an assault on the rule of law. Pardoning a man who was convicted of contempt of court due to disobeying a judge's order that he stop violating the Constitution is an assault on the Constitution, and an undermining of the courts themselves. Even if we put aside Mr. Arpaio's actions leading to the court order and eventual conviction, by issuing this pardon Trump is literally showing his own contempt for the courts and our Constitution. A failure to impeach for this offense undermines the whole concept of our system of justice.<br />
<br />
Martin Luther King Jr. referred to riots as the "Language of the Unheard". I have to wonder what option would there be besides violence for the disenfranchised, oppressed and threatened in a country where Justice is undermined from the very head of our government. What option besides vigilantism when other avenues of addressing grievances are shut down?<br />
<br />
Don't mistake my comments for supporting violence or attempts at vigilante justice. Citizens in our country right now are too polarized to be able to exercise good judgement. Misunderstanding is far too easy when people take the law into their own hands. I merely want to ensure that they have an alternative that they can believe in.<br />
<br />
Can I count on you to take the appropriate steps to ensure that an impeachment of Trump is begun? This means either supporting anyone who starts impeachment processes, or starting the process yourself. I am here to support you in any way that is possible, be it spreading word, getting signatures or anything else I'm not aware of.<br />
<br />
Your constituent,<br />
Gregory Boyce<br />
Posted by Anonymous<br />
<h2>
Privilege and Accountability</h2>
2017-04-22<br />
Given the state of the world these days, and especially with the state of our current leadership, I've been thinking a lot about privilege and personal accountability. I'd like to share those thoughts.<br />
<br />
I consider myself to be a fairly successful individual. While I don’t own/operate my own business, I am good at what I do and I am paid well for it. I did this without college and was largely self-taught, at least in a formal sense. Most of what I know in terms of technology I gained through experimentation, reading and learning from those around me. I’m successful because I’m motivated and I work hard. <br />
<br />
But that’s only part of the story. I was also very lucky. <br />
<br />
Out of high school I was accepted to the computer science program of a local university. I ended up not attending for financial reasons, instead getting a job in the music department of a local retailer. I was good at my job. I worked hard and managers tended to like me. I made good friends there, and they helped me get out of the depression that so many teenagers deal with.<br />
<br />
Then, in 1997, the whole chain went out of business. Without that event, there’s a good chance I would have stayed there much longer. Perhaps I would eventually have become a manager there, or worked my way up the corporate chain. It could have been a good job, but it wasn’t what I wanted for myself.<br />
<br />
Later that year I took my first technical support role at a computer providing outsourced telephone helpdesk support. They provided a lot of training, and I did well. Before too long I was consistently a top team member in terms of issues handled and issues resolved. Within a year I joined their Mentor in Training program and helped other team members succeed. At the end of the Mentor in Training program I ended up being passed over for a promotion to the team mentor position. They did offer to let me remain in the program, essentially doing the Mentor job without the title.<br />
<br />
One weekend a co-worker asked what I was even doing there. He told me that I was wasting my time at that point and should move on to bigger and better things. We hadn’t worked together for very long, so I don’t recall his name anymore, but I wish I did because he changed my life.<br />
<br />
After a relatively short period of time searching, I joined a local tech startup as a contractor at roughly twice the rate that I was making at my first tech job. I stepped into a team which had just been formed and really had no processes or tools and worked with my team members to really build up the group. It was a time of rapid learning. Before too long I was a Lead Engineer and then Senior Engineer.<br />
<br />
We grew fast, from 40 employees when I started to over one thousand a year or two later. Then came the bubble burst in 2001 which killed off a lot of our customers and forced a layoff that eliminated a large set of great people. I survived and stayed on, changing roles several times. I was able to spend time in Network Operations, Information Security, IT, Professional Services, Software Testing and then finally our OS team. I did well in most of them and was paid well for my service.<br />
<br />
A good part of this was due to intelligence and hard work, but not all of it. If I had gone to college like I had intended, my life could have been very different. I would have had far less work experience when the bubble burst. If the store chain had survived I could still be there or perhaps I would have gone into computers at a later time, missing out on the fast growth of the tech sector in the 90s. If I hadn’t worked the weekend shift at my tech job, I might not have been convinced to look around. I could have been included in the layoffs at my company like a number of my friends were.<br />
<br />
In addition to luck, I had privileges not available to some of my peers. <br />
<br />
I grew up in a house where we had access to a computer in the late 1980s. This was uncommon. And I was given the ability to use it quite a bit, and even break things on occasion. I learned the most when I was forced to recover from my own mistakes. I could very well see a kid screwing up a computer in the 80s resulting in them no longer being able to touch/learn from it.<br />
<br />
I grew up in a town which decided to hire a great Computer Science teacher while I was in high school. I was exposed to computer BBSes by an uncle who ran one from our house, and learned a lot accessing them and eventually setting up one myself.<br />
<br />
The town was also in the greater Boston area which had the tech sector of the 128 belt and then the startups of Cambridge.<br />
<br />
I am also white. While this shouldn’t matter, in reality it does. As far as I’m aware, no one went out of their way to help me due to my race, but I’m certain I had an advantage due to unintentional bias at a minimum. I was never assumed to be a hoodlum as a teenager or a terrorist in my 20s after 9/11. Sometimes privilege isn’t about what people do for you, but rather what they don’t do *to* you.<br />
<br />
I understand that I got ahead with a combination of skill, hard work, luck and privilege and this makes it hard to hold it against others simply because they missed out on one or more of these. People getting their start in a tough economy. People who have had their jobs outsourced or automated away. People who were born with less intelligence, potentially capping how far they can get ahead. People being discriminated against.<br />
<br />
None of us succeed or fail in a vacuum. I built on what others provided. I learned what others taught. I rode on the coattails of a growing business. And I took full advantage of the benefits that were awarded to me.<br />
<br />
I can even understand people who “don’t work hard enough” according to some. I work hard, but I also love what I do. Someone stuck working one or more dead-end jobs in order to make ends meet will struggle to work hard. The work may not be interesting. They may be overtired from working multiple jobs. They may have to take abuse from an uncaring public or management. That type of environment is demotivating, even depressing. You cannot be expected to work two jobs to pay the bills, and then be able to work even more to try to get ahead.<br />
<div>
<br /></div>
<div>
Instead of talking about "lazy millennials", or making assumptions about various ethnic groups, we should instead strive to give them the opportunities that they would otherwise be missing. Cutting funding for schools hurts everyone. How can we as a country expect to succeed if we work on increasing the percentage of people in the country who are uneducated?</div>
<div>
<br /></div>
<div>
We work to automate or outsource our work to countries where labor is cheaper. I don't expect us to stop progress (and don't want us to), but it is cruel to take these actions and then demonize the people impacted. How many times have you heard people talk about Wal*Mart and McDonalds employees not deserving a living income? As if it is their fault that they need to work those jobs in order to make ends meet. Perhaps they could put effort into getting a better job, except they may very well be working multiple jobs in order to just put food on the table. </div>
<div>
<br /></div>
<div>
Not to mention people who just don't have the capabilities to get ahead on their own. Mental illness, lower intelligence, and physical handicap are just some of the reasons why someone may not *have* any options beyond what many consider to be entry-level work. Should they suffer for that?</div>
<div>
<br /></div>
<div>
This is a solved problem in the world. Finland for example is starting to provide a <a href="https://qz.com/876985/finland-hopes-to-dispel-one-of-the-biggest-critiques-of-a-basic-income/">basic income</a> to some of their people. The idea is that if people don't have to struggle to live, they will have the opportunity to explore options that wouldn't otherwise be available to them. Perhaps they want to be a musician, or an artist. Or they want to get into the world of computer programming, but just don't have the time to devote to learning it.</div>
<div>
<br /></div>
<div>
Some are concerned that this will just make people lazy. I suspect they may very well be right for a subset of the people. But is that really so bad? In a world where the total number of jobs is not increasing at the rate that the working age population is, wouldn't you rather just deal with motivated employees? And do we really want to punish everyone else in order to avoid letting them "get away" with not working?</div>
<div>
<br /></div>
<div>
Let's work together to create a future where automation doesn't lead to even more massive income disparity. Where companies like Wal*Mart don't make 120 Billion dollars while their employees starve on food stamps. Or run <a href="http://www.cnbc.com/2014/11/20/wal-mart-defends-employee-food-drive.html">"food drives"</a> to have their employees feed each other. Or companies like Uber leverage the underemployed masses to take the profits of Taxi companies while simultaneously working on self-driving cars in preparation for putting those masses out of business as well.</div>
Posted by Anonymous<br />
<h2>
Installing Ubuntu 16.04 on a ZFS root filesystem</h2>
2016-06-28<br />
One of the major new pieces of functionality in Ubuntu 16.04 (Xenial) is built-in support for <a href="http://zfsonlinux.org/">ZFS filesystems</a>. I was disappointed to learn that ZFS support is not actually built into the installer itself, leaving you to piece things together yourself. I did find a few good tutorials online for this, but they all seem to be missing a few pieces. I'm hoping that this guide will be a bit more complete for people.<br />
<br />
It is based on a combination of the following two guides:<br />
<ul>
<li><a href="https://github.com/zfsonlinux/pkg-zfs/wiki/HOWTO-install-Ubuntu-16.04-to-a-Native-ZFS-Root-Filesystem">https://github.com/zfsonlinux/pkg-zfs/wiki/HOWTO-install-Ubuntu-16.04-to-a-Native-ZFS-Root-Filesystem</a></li>
<li><a href="http://dotfiles.tnetconsulting.net/articles/2016/0327/ubuntu-zfs-native-root.html">http://dotfiles.tnetconsulting.net/articles/2016/0327/ubuntu-zfs-native-root.html</a></li>
</ul>
<h2>
Booting Into the Install Environment</h2>
<div>
Setting up a ZFS filesystem requires a full set of userspace tools rather than the limited set included within the actual installer. Because of this, we're going to boot an Ubuntu Desktop live CD and do a manual installation within its root filesystem. I found that the easiest way to do this was to boot the live CD, set a password for the ubuntu user, and SSH into the machine from a remote box. This way it is much easier to copy/paste commands from the webpage.</div>
<div>
<br />
To start off, we need to install the ZFS tools and debootstrap which we will use for actually installing the operating system:<br />
<br />
<pre>apt-add-repository universe
apt-get update
apt-get install --yes zfsutils-linux debootstrap</pre>
<br />
<h2>
Partitioning the Disks</h2>
Next, we partition the disks. For now we're going to assume a two disk system which is just doing striping, but you can change as desired:<br />
<br />
<pre>parted -- /dev/sda mklabel msdos Y mkpart primary zfs 0% 100%
parted -- /dev/sdb mklabel msdos Y mkpart primary zfs 0% 100%</pre>
<br />
Device naming during bootup on Linux isn't always static, so we want to reference the disks through a static identifier such as the disk ID (/dev/disk/by-id). Unfortunately, Grub fails to properly identify the devices from the zfs command output, so for now we need this hack to make sure that update-grub will correctly identify the disks. Specifically, it forces creation of symlinks in /dev which map to the device names in /dev/disk/by-id. Some additional details about the issue can be found in <a href="https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1527727">this grub2 launchpad bug</a>.<br />
<br />
<pre>echo 'KERNEL=="sd*[!0-9]", IMPORT{parent}=="ID_*", SYMLINK+="$env{ID_BUS}-$env{ID_SERIAL}"
KERNEL=="sd*[0-9]", IMPORT{parent}=="ID_*", SYMLINK+="$env{ID_BUS}-$env{ID_SERIAL}-part%n"' > /etc/udev/rules.d/90-zfs.rules
udevadm trigger</pre>
<h2>
Create Your Zpool</h2>
Now we actually create the zpool and import it to /mnt:<br />
<br />
<pre>zpool create -m none -o ashift=12 -O compression=lz4 rpool /dev/sda1 /dev/sdb1
zfs create -o mountpoint=/ rpool/root
zpool export rpool
zpool import -d /dev/disk/by-id -R /mnt rpool</pre>
So here we create the zpool by device name, and then re-import it by device ID while mounting at /mnt.<br />
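As an added check that is not part of the original guide, the POSIX shell function below parses the output of <i>zpool status</i> and reports any pool member that is still referenced by a kernel device name such as sdb1 rather than a /dev/disk/by-id name, which is exactly the situation the re-import above is meant to avoid. The status text embedded in the script is a constructed sample with a made-up disk serial, and the function name vdevs_not_by_id is my own.<br />

```shell
#!/bin/sh
# Added example (not from the guide): flag pool members that are not
# referenced through /dev/disk/by-id. Feed it `zpool status rpool` output;
# the sample below is constructed and its disk serial is made up.

SAMPLE_STATUS='  pool: rpool
 state: ONLINE
  scan: none requested
config:

        NAME                          STATE     READ WRITE CKSUM
        rpool                         ONLINE       0     0     0
          ata-EXAMPLE_DISK_0001-part1 ONLINE       0     0     0
          sdb1                        ONLINE       0     0     0

errors: No known data errors'

# Print each leaf vdev named by a kernel device node (sdX, vdX, hdX, nvmeXnY,
# with an optional partition suffix) instead of a by-id name. The return
# status is the number of such vdevs, so 0 means the pool is fully by-id.
vdevs_not_by_id() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        /^config:/                  { want_header = 1; next }
        want_header && $1 == "NAME" { want_header = 0; in_table = 1; next }
        in_table && NF == 0         { in_table = 0; next }  # blank line ends the table
        in_table {
            if (!seen_pool) { seen_pool = 1; next }          # first row is the pool itself
            name = $1
            # vdev groupings (mirror-0, raidz1-0, ...) and device classes are not disks
            if (name ~ /^(mirror|raidz|draid|spare|logs|cache|special|dedup)/) next
            if (name ~ /^(sd[a-z]+|vd[a-z]+|hd[a-z]+|nvme[0-9]+n[0-9]+)(p?[0-9]+)?$/) {
                print name
                bad++
            }
        }
        END { exit bad }
    '
}

# Run against the constructed sample when executed directly.
if vdevs_not_by_id "$SAMPLE_STATUS" >/dev/null; then
    echo "all vdevs are referenced by id"
else
    echo "vdevs not referenced by id: $(vdevs_not_by_id "$SAMPLE_STATUS" | tr '\n' ' ')"
fi
```

Run it after the import (or after the first reboot) with SAMPLE_STATUS replaced by the real <i>zpool status rpool</i> output; a non-zero exit status means at least one member will change name if the kernel enumerates the disks in a different order.<br />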
<br />
And then create the various datasets off of the root filesystem:<br />
<br />
<pre>zfs create -o setuid=off rpool/root/home
zfs create -o mountpoint=/root rpool/root/home/root
zfs create -o canmount=off -o setuid=off -o exec=off rpool/root/var
zfs create -o com.sun:auto-snapshot=false rpool/root/var/cache
zfs create rpool/root/var/log
zfs create rpool/root/var/spool
zfs create -o com.sun:auto-snapshot=false -o exec=on rpool/root/var/tmp</pre>
We break out these various subdirectories so we have the ability to optionally enable/disable compression, support for setuid/exec, and various other options. We can also choose to limit the maximum size of each mount independently.<br />
<h2>
Install Ubuntu</h2>
</div>
<div>
The install of Ubuntu itself is pretty straightforward:</div>
<h3>
debootstrap the OS</h3>
<div>
<pre>debootstrap xenial /mnt
zfs set devices=off rpool
grep -v cdrom /etc/apt/sources.list > /mnt/etc/apt/sources.list
cp /etc/udev/rules.d/90-zfs.rules /mnt/etc/udev/rules.d/90-zfs.rules</pre>
You'll notice at the end here we copy our hacky udev rule to the new filesystem. The "devices=off" option we set here disables the ability to create device nodes in the filesystem. This works since /dev is actually a devtmpfs partition of its own.</div>
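The setuid=off, exec=off and devices=off settings above only help if they survive later changes, so here is an added verification script (not from the guide) that compares the output of <i>zfs get -H -o name,property,value -t filesystem setuid,exec,devices -r rpool</i> against the values the guide configures and reports every dataset that has drifted. The property listing embedded below is a constructed sample, and the names check_zfs_hardening, zfs_prop_value, SAMPLE_PROPS and EXPECTED are mine.<br />

```shell
#!/bin/sh
# Added example (not from the guide): verify that the datasets created above
# still carry the hardening properties the guide sets (setuid/exec/devices).
# Feed it the output of
#   zfs get -H -o name,property,value -t filesystem setuid,exec,devices -r rpool
# The sample below is constructed, not captured from a real system; real
# output is tab separated, which awk's default field splitting also handles.

SAMPLE_PROPS='rpool setuid on
rpool exec on
rpool devices off
rpool/root setuid on
rpool/root exec on
rpool/root devices off
rpool/root/home setuid off
rpool/root/home exec on
rpool/root/home devices off
rpool/root/var setuid off
rpool/root/var exec off
rpool/root/var devices off
rpool/root/var/tmp setuid off
rpool/root/var/tmp exec on
rpool/root/var/tmp devices off'

# What the guide configured: one "dataset property expected-value" per line.
EXPECTED='rpool devices off
rpool/root/home setuid off
rpool/root/var setuid off
rpool/root/var exec off
rpool/root/var/tmp setuid off'

# Print the value of one property for one dataset from captured output
# (empty if the dataset or property is absent).
zfs_prop_value() {
    printf '%s\n' "$1" | awk -v ds="$2" -v p="$3" '$1 == ds && $2 == p { print $3; exit }'
}

# Compare captured output against EXPECTED; print each mismatch and return
# the number of mismatches, so 0 means every hardening setting is in place.
check_zfs_hardening() {
    captured=$1
    bad=0
    while read -r ds prop want; do
        [ -n "$ds" ] || continue
        have=$(zfs_prop_value "$captured" "$ds" "$prop")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s %s: expected %s, found %s\n' \
                "$ds" "$prop" "$want" "${have:-<absent>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# On a real system pass "$(zfs get -H -o name,property,value -t filesystem \
#   setuid,exec,devices -r rpool)" instead of the constructed sample.
if check_zfs_hardening "$SAMPLE_PROPS"; then
    echo "all expected ZFS hardening properties are set"
fi
```

Extend EXPECTED with whatever you add to the layout later (quota limits, compression settings) so the same check covers them; the exit status makes it easy to run from cron or a configuration-management check.<br />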
<h3>
Configure the network interface</h3>
<div>
<pre># first non-loopback interface; adjust if the box has more than one
export INTERFACE=$(ip addr list | grep -E '^[0-9]+:' | grep -v ': lo:' | awk '{print $2}' | cut -d ":" -f 1 | head -n 1)
echo test > /mnt/etc/hostname
# the 127.0.1.1 entry must carry the hostname set above
echo "127.0.1.1 test" >> /mnt/etc/hosts
echo "auto $INTERFACE
iface $INTERFACE inet dhcp" > /mnt/etc/network/interfaces.d/$INTERFACE</pre>
<h3>
Enter the chroot for some final setup</h3>
</div>
<div>
<pre>mount --rbind /dev /mnt/dev
mount --rbind /proc /mnt/proc
mount --rbind /sys /mnt/sys
chroot /mnt /bin/bash --login</pre>
<div>
<pre>locale-gen en_US.UTF-8
echo 'LANG="en_US.UTF-8"' > /etc/default/locale
apt-get update
apt-get install --yes zfsutils-linux zfs-initramfs grub-pc linux-image-generic ssh
dpkg-reconfigure tzdata
update-initramfs -c -k all</pre>
<h3>
Set Up Grub's configuration</h3>
<div>
<pre>sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT\)=.*/\1=""/g' /etc/default/grub
sed -i 's|^\(GRUB_HIDDEN_TIMEOUT=.*\)|#\1|g' /etc/default/grub
sed -i 's/^\(GRUB_CMDLINE_LINUX\)="\(.*\)"/\1="boot=zfs \2"/g' /etc/default/grub

ln -s /proc/mounts /etc/mtab
update-grub
rm /etc/mtab</pre>
</div>
<h3>
Set a root password and exit the chroot</h3>
<pre>passwd root
exit</pre>
</div>
<h3>
Install the grub bootloader</h3>
<div>
<pre>grub-probe /mnt
grub-install --root-directory=/mnt /dev/sda
grub-install --root-directory=/mnt /dev/sdb</pre>
</div>
<h3>
Reboot into the environment</h3>
<div>
<pre>reboot</pre></div>
Posted by G.D. Fuego<br />
<h2>
Eating your own dog food</h2>
2013-10-11<br />
<div class="p1">
I got this unsolicited e-mail today:</div>
<blockquote class="tr_bq">
Hi,<br />
<br />
Hope you doing well. I am writing in regards to see if there is any possibility for us to work with your company. <b>We are leading provider of B2B, B2C and B2G lists and excellent list</b> compiler with highest delivery rate and data appending solutions. Our opt-in email database of Key decision makers can be used for your online promotion, brand awareness and to generate potential leads.<br />
<br />
We build list according to your requirements based on your targeted business. <b>We are specialized in Email Campaign and Data Append Solution</b>, where you can add your clients missing data (email, fax etc).</blockquote>
Apparently they provide opt-in only mailing lists. Shame they don't use them themselves.<br />
Posted by G.D. Fuego<br />
<h2>
Whoops!</h2>
2012-02-29<br />
My home server is configured to send me daily e-mails with any security events. Typically this means SSH brute force login attempts, and I occasionally take the opportunity to notify people that their servers were breached and are being used for attacks.<br /><br />Today I found something amusing in the logs. Apparently some idiot hacker mixed up their username and password files for their attack:<br /><pre>Feb 28 02:32:53 buddha sshd[57691]: Invalid user QFhGj8kE7D3Vs from 223.4.115.46
Feb 28 02:32:55 buddha sshd[57693]: Invalid user aMb0lgX8umqqQGpFRjiGiP from 223.4.115.46
Feb 28 02:32:58 buddha sshd[57695]: Invalid user crinalove from 223.4.115.46
Feb 28 02:33:00 buddha sshd[57697]: Invalid user xyzsun123 from 223.4.115.46
Feb 28 02:33:02 buddha sshd[57699]: Invalid user 20090924 from 223.4.115.46
Feb 28 02:33:05 buddha sshd[57713]: Invalid user aicumine from 223.4.115.46
Feb 28 02:33:07 buddha sshd[57715]: Invalid user Router#32SOS from 223.4.115.46
Feb 28 02:33:10 buddha sshd[57717]: Invalid user cotinga from 223.4.115.46
Feb 28 02:33:13 buddha sshd[57719]: Invalid user cornalito from 223.4.115.46
Feb 28 02:33:15 buddha sshd[57721]: Invalid user l0p33os from 223.4.115.46
Feb 28 02:33:18 buddha sshd[57723]: Invalid user !mir@nine from 223.4.115.46
Feb 28 02:33:20 buddha sshd[57725]: Invalid user mucleus.caca.root from 223.4.115.46
Feb 28 02:33:23 buddha sshd[57727]: Invalid user !@#$%^ from 223.4.115.46
Feb 28 02:33:25 buddha sshd[57729]: Invalid user easy2use from 223.4.115.46
Feb 28 02:33:28 buddha sshd[57731]: Invalid user diana4ever from 223.4.115.46
Feb 28 02:33:33 buddha sshd[57733]: Invalid user pw2009inx from 223.4.115.46
Feb 28 02:33:36 buddha sshd[57735]: Invalid user eth0eth1254 from 223.4.115.46
Feb 28 02:33:38 buddha sshd[57737]: Invalid user eth0eth0 from 223.4.115.46
Feb 28 02:33:40 buddha sshd[57739]: Invalid user 1q2w3e4r5t6y7u8i9o0p from 223.4.115.46
Feb 28 02:33:43 buddha sshd[57741]: Invalid user kentlung from 223.4.115.46
Feb 28 02:33:45 buddha sshd[57743]: Invalid user 1q2w3e4r5t6y from 223.4.115.46
Feb 28 02:33:48 buddha sshd[57745]: Invalid user kta1234 from 223.4.115.46
Feb 28 02:33:50 buddha sshd[57747]: Invalid user Kt@1234 from 223.4.115.46
Feb 28 02:33:53 buddha sshd[57749]: Invalid user !mi$ from 223.4.115.46
Feb 28 02:33:55 buddha sshd[57751]: Invalid user perfectpassword from 223.4.115.46
Feb 28 02:33:58 buddha sshd[57753]: Invalid user !mir@ninie from 223.4.115.46
Feb 28 02:34:00 buddha sshd[57755]: Invalid user !mir@Ninie from 223.4.115.46
Feb 28 02:34:03 buddha sshd[57757]: Invalid user !Mir@nine from 223.4.115.46
Feb 28 02:34:05 buddha sshd[57759]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:08 buddha sshd[57761]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:10 buddha sshd[57763]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:13 buddha sshd[57765]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:15 buddha sshd[57767]: Invalid user d3v__3f__j3b0n from 223.4.115.46
Feb 28 02:34:17 buddha sshd[57769]: Invalid user kany123kany from 223.4.115.46
Feb 28 02:34:20 buddha sshd[57771]: Invalid user gywjddl!@!* from 223.4.115.46
Feb 28 02:34:22 buddha sshd[57773]: Invalid user aprkvkldf!!! from 223.4.115.46
Feb 28 02:34:25 buddha sshd[57775]: Invalid user dnjao123! from 223.4.115.46
Feb 28 02:34:28 buddha sshd[57777]: Invalid user eltmzm!!! from 223.4.115.46
Feb 28 02:34:31 buddha sshd[57779]: Invalid user #7364! from 223.4.115.46
Feb 28 02:34:34 buddha sshd[57781]: Invalid user disk!!! from 223.4.115.46
Feb 28 02:34:36 buddha sshd[57783]: Invalid user @#Rq92u8fjewRweqf45y43tgh3 from 223.4.115.46
Feb 28 02:34:39 buddha sshd[57785]: Invalid user @n!md@mP#$@&#3141$&#@!#mTadm!n$@ from 223.4.115.46
Feb 28 02:34:41 buddha sshd[57787]: Invalid user BUNdAS@#$RT%GQ~EQW#%^QW from 223.4.115.46
Feb 28 02:34:44 buddha sshd[57789]: Invalid user 163typist from 223.4.115.46
Feb 28 02:34:46 buddha sshd[57791]: Invalid user dudejr5542 from 223.4.115.46
Feb 28 02:34:48 buddha sshd[57793]: Invalid user E1T1RDs7 from 223.4.115.46
Feb 28 02:34:51 buddha sshd[57795]: Invalid user 198287 from 223.4.115.46
Feb 28 02:34:54 buddha sshd[57797]: Invalid user r9A6YOFYEh from 223.4.115.46
Feb 28 02:34:56 buddha sshd[57799]: Invalid user 9swL2k5Cp7 from 223.4.115.46
Feb 28 02:34:59 buddha sshd[57801]: Invalid user oxbow@852 from 223.4.115.46
Feb 28 02:35:01 buddha sshd[57803]: Invalid user frigfurg from 223.4.115.46
Feb 28 02:35:03 buddha sshd[57805]: Invalid user xew4upjg from 223.4.115.46
Feb 28 02:35:06 buddha sshd[57809]: Invalid user K4tp0ng from 223.4.115.46
Feb 28 02:35:08 buddha sshd[57811]: Invalid user dkagh!@#$ from 223.4.115.46
Feb 28 02:35:11 buddha sshd[57813]: Invalid user rhg0704 from 223.4.115.46
Feb 28 02:35:13 buddha sshd[57815]: Invalid user 654312 from 223.4.115.46
Feb 28 02:35:16 buddha sshd[57817]: Invalid user glaemsp!!! from 223.4.115.46
Feb 28 02:35:18 buddha sshd[57819]: Invalid user whznskwhdk from 223.4.115.46
Feb 28 02:35:21 buddha sshd[57821]: Invalid user globalpass from 223.4.115.46
Feb 28 02:35:23 buddha sshd[57823]: Invalid user punglor21 from 223.4.115.46
Feb 28 02:35:26 buddha sshd[57825]: Invalid user nic#!@ruc148 from 223.4.115.46
Feb 28 02:35:29 buddha sshd[57827]: Invalid user dudejrqwer!@#$ from 223.4.115.46
</pre>There are a LOT more in the log, but you get the picture.<br />
Posted by G.D. Fuego<br />
<h2>
Python Tivo Library</h2>
2010-04-21<br />
I've decided it's about time I start really learning to code, so I've picked a project and I'm working to see how much I can actually implement.<div><br /></div><div>The long term goal of the project is to create a way to archive TV shows off of your Tivo and provide a mechanism to transfer the shows back on demand for showing. I'm working on creating it in Python, and as a starting point I've begun work on a general python library for interacting with them. Right now, provided an IP address and your media access code, it can connect to your tivo and give you a listing of all of your shows. </div><div><br /></div><div>My eventual goal is to provide it both a web interface and an interface that the Tivo can use as well as add autodiscovery of tivo devices. I'd like to also tie it into pytivo for the show playback. One nice thing is that would allow you to compress the shows for better storage.</div><div><br /></div><div>If anyone is interested in taking a look I'm hosting it at Sourceforge as a way to do revision control as well as learn Subversion a bit better (I'm more familiar with Perforce right now).</div><div><br /></div><div>http://tivoarchive.sf.net</div>
Posted by G.D. Fuego<br />
<h2>
New blog available</h2>
2009-10-14<br />
Electr0n has set up a new blog for the ##security channel on Freenode, and has asked me to help with some content. I just posted there on <a href="http://fnsecurity.blogspot.com/2009/10/evils-of-pastebin.html">Pastebin hacking</a> in light of the recent Hotmail password fiasco.<br /><br />Check it out.<br />
Posted by G.D. Fuego<br />
<h2>
Career "Advancement"</h2>
2009-08-17<br />
About 2 years back I left my job in an InfoSec group. That particular position wasn't the right fit for me anymore, and somehow I didn't think I would be a good fit for a security role in most other organizations. I don't have the pen testing experience needed for most security companies, and the thought of maintaining firewall rules at some retail house would bore the crap out of me.<br /><br />Since then I've been struggling to find myself career-wise. I spent some time in an IT role, and I'm now trying a more customer-facing role. Still I find myself happiest in ##security on Freenode, answering people's security questions.<br /><br />So, what now? Maybe someday I'll figure that out.<br />
Posted by G.D. Fuego<br />
<h2>
The Wrong Tool for the Job</h2>
2009-03-05<br />
These days anti-virus and anti-spam are two very crucial components of a well-run e-mail system. Due to how often spammers change their techniques, my company outsources this function to a vendor which provides both services. 
Both functions are designed and work fairly well.<br /><h2>Anti-Virus</h2>For Anti-Virus they seem to run messages through multiple commercial anti-virus scanners on their servers. Messages that trigger positive are quarantined, and a notification will be sent to the site admin and/or the intended recipient of the message notifying them of what happened.<br /><br />The site admin can report false positives to the vendor who will investigate and release a message if they can confirm that it was in fact a false positive. They also take an action to reduce future false positives based on what they find. These investigations tend to take 24 hours or so.<br /><h2>Anti-Spam</h2>Spam tends to be a bit more subjective, so false positives tend to be higher than with viruses. Due to this, their anti-spam offering makes it a lot easier to both prevent and deal with these situations.<br /><br />Spam messages can either be tagged for users to filter on their own, or they can be actively filtered and put into a quarantine on their servers. Unlike quarantined virus mail, quarantined spam can be accessed and released by users directly.<br /><br />In order to prevent false positives site admins are able to whitelist domains, e-mail addresses or IP addresses for specific mail relays. Whitelisting a domain is typically not a great idea in these days of e-mail address spoofing, but whitelisting e-mail addresses and relays works fairly well.<br /><h2>Where it falls apart</h2>Sounds good so far, right?<br /><br />Well, here's where it all goes wrong. It appears that anti-virus vendors have discovered that they can use their scanning engines to pick up certain types of phishing and scam e-mails, essentially adding anti-spam into their anti-virus product.<br /><br />A phishing or a scam mail is SPAM, not a VIRUS. 
The difference here causes a big problem when you get spam levels of false positives while removing the user's ability to release their own messages and the site admin's ability to implement any sort of whitelisting.<br /><br />That's when you start getting end user reports of mail threads with customers going missing. Add in a 24-hour turnaround time for releasing the messages when the problem is discovered and you start to consider deep-sixing your vendor.<br />
Posted by G.D. Fuego<br />
<h2>
Wooo.. Kindle</h2>
2009-03-03<br />
Being a big reader and a tech gear junkie, I was rather tempted when Amazon announced the <a href="http://en.wikipedia.org/wiki/Amazon_Kindle">Kindle</a> back in 2007. Somehow I managed to hold out on buying it until they announced the 2.0 version in early February. I pre-ordered it right away, and got my hands on it just last week.<br /><br />So far, I like it. It's thinner than I expected. Definitely very easy to use. I can hold it in one hand and access most of the controls that I need to read a book. The left side has the "Previous Page" and "Next Page" buttons while on the right side the "Previous Page" button is replaced by a "Home" button. Since I tend to read books in one direction, this seems to work fine.<br /><br />The free built-in wireless is great for getting books, and occasionally pulling up text-only web sites. Due to the rather slow refresh on screen changes, using it as a regular web browser is a bit tough.<br /><br />My biggest complaint is the DRM for files through the Kindle store. After being bitten by DRM from the iTunes Music store, I definitely have a bad taste in my mouth over DRM. Luckily there are other options out there.<br /><br />The first for me is <a href="http://manybooks.net">Many Books</a>. 
They offer a lot of free content in quite a few eBook formats, including both the native Kindle format and Mobipocket, which the Kindle also supports. They even have a <a href="http://mnybks.net">Mobile Interface</a> which works well from the Kindle itself. Most of the content has expired copyrights (older books), but there are occasionally newer books, either available with sample chapters or content that was published under a <a href="http://en.wikipedia.org/wiki/Creative_Commons">Creative Commons</a> license.<br /><br />
Next was <a href="http://oreilly.com/ebooks/">O'Reilly</a>. Being a big tech book reader, I have a lot of O'Reilly books.<br /><br />
O'Reilly offers a number of their books in DRM-free e-book formats, including the Kindle-supported Mobipocket format. They're not free, but I don't have any objection to paying for content, just to having its usage limited by DRM. They even provide free updates to the books as new revisions are published. I just wish they made it a bit easier to get a list of just their books available in e-book format.<br /><br />
While I definitely like the Kindle, the only thing I'm not sure about at this point is whether it was worth the cost or not. The Kindle costs $360. Sony's offering is quite a bit cheaper, although I have no idea how it compares feature-wise.<br /><br />
G.D. Fuego<br /><br />
<h2>Data Recovery From a Bad Disk</h2>Published 2009-02-27T17:12:00.006-05:00, updated 2009-03-13T23:03:33.489-04:00<br /><br />
<p>My wife’s laptop drive failed yesterday, leaving her Windows XP laptop unbootable. IT provided her with a new laptop, but had deemed her data lost. While she does do backups of her data to a USB drive, it had been a while since the last backup, so she was a bit concerned.
And I, of course, enjoy a new challenge.</p>
<p>From the various articles I’ve read on data recovery in the past, I knew that the best bet was to make an image of the disk and attempt to recover data off of the image. There’s nothing worse than running a chkdsk/fsck on a partition, and having the attempts to fix the filesystem cause additional filesystem problems.</p>
<p>So how should I make an image? Being a Unix guy, my first thought was <a href="http://en.wikipedia.org/wiki/Dd_%28Unix%29">dd</a>. dd allows you to copy the complete contents of a partition, and write it to a file. Unfortunately dd can have issues when it attempts to read a block from a disk that is in the process of failing. It will attempt to read again, rather than just moving on to the next block.</p>
<p>A quick Google search brought me to <a href="http://www.gnu.org/software/ddrescue/ddrescue.html">ddrescue</a>, which was designed to deal with this very issue.</p>
<p>The next step is to figure out the best way to actually access the data on the disk. My first thought was to just pull out the drive and hook it up to my desktop machine. I have an adapter that allows me to plug a laptop drive into a standard IDE cable for a desktop system. I soon discovered that the system was using a SATA drive, and I didn’t have the correct cabling to hook a laptop SATA disk to my desktop, so that plan was shot.</p>
<p>Next thought, Linux live CD. Unfortunately this was a Thinkpad X60s laptop (12" ultra-portable) which doesn’t actually have a CD-ROM drive. There are USB drives for it, but I don’t have one available. That leaves a USB flash drive.</p>
<p>Now to choose which Linux image to use. I typically use Ubuntu as a live CD, but I’m not actually sure whether it includes ddrescue. I’m also concerned that Ubuntu might try to auto-mount the bad disk, potentially making the problem worse. So, after a bit of searching I come across <a href="http://www.sysresccd.org/Main_Page">System Rescue CD</a>.
It’s simple, console-only and includes ddrescue. Even better, it includes <a href="http://www.sysresccd.org/Sysresccd-manual-en_How_to_install_SystemRescueCd_on_an_USB-stick">instructions</a> for putting it on a USB disk.</p>
<p>I download the ISO and follow their instructions, and no luck. The USB drive won’t work. I think their instructions could use some work. A quick download of <a href="http://unetbootin.sourceforge.net/">uNetbootin</a>, and I’m on my way. uNetbootin is a generic tool for turning a Linux live CD into a bootable USB drive. I found it a few months ago while trying to install Ubuntu on my eeePC. One more reboot, and I’m good to go.</p>
<p>So now I have the necessary tools to make an image of the bad disk. I just need a place to store the disk image. It’s a 60GB drive, so there’s a bit of a storage need here. I don’t have a large enough USB drive on the system, so I need something network-enabled. As it turns out, System Rescue CD includes sshfs support, allowing me to mount part of my desktop machine's filesystem remotely. Awesome.</p>
<p>Running ddrescue was easy. Just <kbd>dd_rescue /dev/sda1 /mnt/desktop</kbd>. A few hours later, and the data was ready to be accessed. It even reported any bad blocks found on the disk. There turned out to be 120 errored reads, all clumped together on the disk. Based on the initial Windows boot errors, that part of the disk seemed to hold OS components. Good sign for her data.</p>
<p>Now I have an image of a corrupt NTFS partition. I used the <em>ntfsfix</em> tool from the <em>ntfsprogs</em> package on Ubuntu to fix the image. Any data from the bad sectors of the disk is going to be gone, but the partition can now be mounted in order to read the rest of the data.</p>
<p>A quick mount with <kbd>mount -t ntfs-3g <em>image</em> /mnt</kbd>, and there the data is. Looks like all of her important files were fine. I got to show up the IT folks, and earn myself some nice brownie points.
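The read strategy that makes ddrescue the right tool for the job above, modelled as an added example (not the post's commands and not GNU ddrescue's code) over a constructed in-memory disk with injected read errors, so that a retry-in-place copy can be compared with a copy that skips bad blocks, records them in a map and retries them last:

```python
# Added example: not code from the post or from GNU ddrescue, just a toy model of
# the read strategy the post describes.  A retry-in-place copy stalls on the first
# unreadable block; the rescue strategy copies everything readable first, records
# failures in a map, and only then retries the mapped blocks.  The "disk" is a
# constructed in-memory device with injected read errors.


class FailingDevice:
    """Constructed block device: 'dead' blocks always raise IOError; 'flaky'
    blocks raise the given number of times and then read fine."""

    def __init__(self, data: bytes, block_size: int, dead, flaky):
        self.data = data
        self.block_size = block_size
        self.dead = set(dead)
        self.flaky = dict(flaky)          # block number -> failures still to come
        self.read_attempts = 0            # every read costs time on a dying disk

    def read_block(self, n: int) -> bytes:
        self.read_attempts += 1
        if n in self.dead:
            raise IOError(f"block {n}: unrecoverable read error")
        if self.flaky.get(n, 0) > 0:
            self.flaky[n] -= 1
            raise IOError(f"block {n}: transient read error")
        bs = self.block_size
        return self.data[n * bs:(n + 1) * bs]


def retry_in_place_copy(dev: FailingDevice, retries_per_block: int):
    """The behaviour the post attributes to dd: re-read a failing block instead of
    moving on.  Once the retry budget for a block is spent the copy stops, so
    every readable block after it is never even attempted.
    Returns (partial_image, number_of_blocks_copied)."""
    nblocks = len(dev.data) // dev.block_size
    image = bytearray()
    for n in range(nblocks):
        for _attempt in range(retries_per_block + 1):
            try:
                image += dev.read_block(n)
                break
            except IOError:
                continue
        else:
            return bytes(image), n
    return bytes(image), nblocks


def rescue_copy(dev: FailingDevice, retry_passes: int = 2):
    """ddrescue-style: pass 1 reads every block once and records failures in a
    map instead of retrying; later passes retry only the mapped bad blocks.
    Unrecovered blocks are left zero-filled in the image.
    Returns (image, mapfile) with mapfile = {block: '+' copied | '-' unreadable}."""
    bs = dev.block_size
    nblocks = len(dev.data) // bs
    image = bytearray(len(dev.data))
    mapfile = {}

    def attempt(n: int) -> None:
        try:
            image[n * bs:(n + 1) * bs] = dev.read_block(n)
            mapfile[n] = "+"
        except IOError:
            mapfile[n] = "-"

    for n in range(nblocks):
        attempt(n)
    for _pass in range(retry_passes):
        still_bad = [n for n, status in mapfile.items() if status == "-"]
        if not still_bad:
            break
        for n in still_bad:
            attempt(n)
    return bytes(image), mapfile


def bad_ranges(mapfile: dict) -> list:
    """Collapse the map into (first, last) runs of unreadable blocks, the
    'clumped together' view the post got from its real run."""
    runs = []
    for n in sorted(k for k, status in mapfile.items() if status == "-"):
        if runs and n == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], n)
        else:
            runs.append((n, n))
    return runs


def make_sample_device() -> FailingDevice:
    """16 blocks of 4 bytes; blocks 5-6 are dead, block 10 fails once then reads."""
    return FailingDevice(bytes(range(64)), 4, dead={5, 6}, flaky={10: 1})


if __name__ == "__main__":
    dev = make_sample_device()
    image, mapfile = rescue_copy(dev)
    print("unreadable runs:", bad_ranges(mapfile), "reads:", dev.read_attempts)
```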
Perhaps I'll redeem them for actual brownies.</p>
G.D. Fuego<br /><br />
<h2>Information Gathering Using SSH Public Keys</h2>Published 2009-02-19T20:35:00.005-05:00, updated 2009-03-03T22:27:23.895-05:00<br /><br />
<p>I've been a pretty heavy user of SSH for the past 10 years or so. In that time I've learned a number of tricks, including port forwarding in various directions, forwarding SSH agents (and the associated risks) and various key management techniques for when you're providing key-based authentication to large numbers of systems.</p>
<p>The most interesting trick I've learned with SSH is one I haven't really seen talked about much. A former co-worker pointed me to the feasibility of this working with protocol 1 and a hacked-up SSH client, but these days it trivially works with both protocol 1 and 2 using the normal OpenSSH client.</p>
<h2>The Trick</h2>
<ol>
<li>Generate an RSA SSH key, and delete the private half. The passphrase does not matter since we won't be using the private key at all. <kbd>ssh-keygen -t rsa -f test -N "" && rm test</kbd></li>
<li>Take the public key file (test.pub), and copy it to the authorized_keys file of a remote system.</li>
<li>Set mode 600 on the public key. <kbd>chmod 600 test.pub</kbd></li>
<li>Try to log into the remote system using the <em>public</em> half of the SSH key. <kbd>ssh -2 -i test.pub user@server</kbd></li>
</ol>
<p>Assuming all went according to plan, you should get prompted with <em>Enter passphrase for key 'test.pub':</em>. Since this is the public half of a key, no passphrase will ever succeed. You do however know that the private half of this key would have allowed you to log in.</p>
<p>In case you're curious, the reason for the chmod 600 is that the SSH client attempts to enforce good permissions for private keys by refusing to use a "private" key with open permissions.
Since you're essentially tricking the client into treating a public key as a private key, the same rules apply.</p>
<h2>So What?</h2>
<p>This trick allows you to do two things:</p>
<p>It allows you to identify what servers a user has access to. If you have access to a person's public key (which is typically not protected, since it's PUBLIC), you can determine what servers the person has access to by attempting to log into root, their username or any other account using their public key.</p>
<p>The second piece is a bit more interesting. If your company has a central key repository which is available to all employees, it becomes very easy to test all keys against a specific server in order to determine who has a private key which has access to the system.</p>
<p>In the past I've used this functionality at work in order to determine who can still log into a system which had been down for a considerable amount of time (and had missed some key rotations). A hacker could instead use this functionality to know whose private SSH key they're going to need to steal in order to gain access to the targeted system.</p>
<h2>Why it works</h2>
<p>The reason this works can be understood by looking at the <a href="http://tools.ietf.org/html/rfc4252#section-7">Public Key Authentication Method</a> of the SSH protocol.</p>
<p>Among other bits of data, the SSH client sends a copy of the public SSH key to the server as part of the authentication process, and it may do so as a query, without any signature, to ask whether that key would be acceptable. The server then responds with an SSH_MSG_USERAUTH_FAILURE or an SSH_MSG_USERAUTH_PK_OK message. At this point you know whether access would be granted with the private key, but you have not needed to use that private key in any way yet.</p>
<p>This explains why only the public key is needed during the authentication step, but not necessarily why the SSH client makes this so easy for us.
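Both sides of that exchange, as an added example that is neither the post's code nor OpenSSH's: the client's signature-less query and the server's PK_OK/FAILURE decision against an account's authorized_keys, run over constructed key blobs rather than real keys.

```python
# Added example (not from the post, not OpenSSH code): both halves of the RFC 4252
# section 7 exchange that the post relies on.  The client sends
# SSH_MSG_USERAUTH_REQUEST for method "publickey" with the signature flag FALSE
# (a query); the server compares the offered key blob with that account's
# authorized_keys and answers SSH_MSG_USERAUTH_PK_OK or SSH_MSG_USERAUTH_FAILURE.
# No signature, and so no private key, is involved in that decision.  The key
# blobs and authorized_keys text below are constructed sample values, not real keys.
import base64
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_PK_OK = 60


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, pos: int):
    """Decode an SSH 'string' at pos; return (value, position after it)."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    return buf[pos:pos + length], pos + length


def build_publickey_query(user: str, algorithm: str, key_blob: bytes) -> bytes:
    """Client side: the signature-less USERAUTH_REQUEST.  A client that only
    holds the public half can still send exactly this message."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x00"                        # boolean FALSE: no signature follows
            + ssh_string(algorithm.encode())
            + ssh_string(key_blob))


def parse_authorized_keys(text: str) -> dict:
    """Server side: one account's authorized_keys -> {algorithm: {raw key blobs}}."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if line.lstrip().startswith("#") or len(parts) < 2:
            continue
        keys.setdefault(parts[0], set()).add(base64.b64decode(parts[1]))
    return keys


def server_handle_query(request: bytes, authorized: dict) -> bytes:
    """Server side: answer the query.  'authorized' is the parsed authorized_keys
    of the account named in the request; the answer depends only on whether the
    offered blob is listed there."""
    pos = 1
    _user, pos = read_string(request, pos)
    _service, pos = read_string(request, pos)
    method, pos = read_string(request, pos)
    has_signature = request[pos] != 0
    pos += 1
    algorithm, pos = read_string(request, pos)
    blob, pos = read_string(request, pos)
    if method != b"publickey" or has_signature:
        raise ValueError("only signature-less publickey queries are modelled here")
    if blob in authorized.get(algorithm.decode(), set()):
        return bytes([SSH_MSG_USERAUTH_PK_OK]) + ssh_string(algorithm) + ssh_string(blob)
    # name-list of methods that can continue, then the partial-success flag FALSE
    return bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"publickey") + b"\x00"


def key_would_be_accepted(user, algorithm, key_blob, authorized) -> bool:
    """Run the exchange end to end and report what the client learns from it."""
    reply = server_handle_query(build_publickey_query(user, algorithm, key_blob), authorized)
    return reply[0] == SSH_MSG_USERAUTH_PK_OK


# Constructed sample data: two fake key blobs, only one of them listed for alice.
KEY_A = b"constructed-key-blob-A"
KEY_B = b"constructed-key-blob-B"
ALICE_AUTHORIZED_KEYS = "ssh-rsa " + base64.b64encode(KEY_A).decode() + " alice@laptop\n"

if __name__ == "__main__":
    authorized = parse_authorized_keys(ALICE_AUTHORIZED_KEYS)
    print(key_would_be_accepted("alice", "ssh-rsa", KEY_A, authorized))  # True
    print(key_would_be_accepted("alice", "ssh-rsa", KEY_B, authorized))  # False
```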
I suppose it's probably just a quirk of how their key parsing code works.</p>
<p>They could change the code to not allow you to attempt to do private key operations without a private key, but really that just adds a small hurdle to exploiting this small weakness in the protocol. At the end of the day, you're still only as safe as the protections you put in place on your private keys.</p>
G.D. Fuego<br /><br />
<h2>Mac OS DNS bug</h2>Published 2009-01-28T20:10:00.005-05:00, updated 2009-03-03T22:27:55.310-05:00<br /><br />
I had a bit of an interesting experience the other day while attempting to fail over our Jabber server from our production site to the DR site.<br /><br />
Our two servers each have their own A records in DNS with a TTL of 3600 seconds (1 hour). This long timeout is fine since the IP address of the actual server never really changes.<br /><br />
Access to the service is instead provided by a CNAME record which points to one of those two hostnames. The TTL of the CNAME record is 60 seconds, allowing us to quickly fail over between the two sites as needed.<br /><br />
So the time came, and I had to perform a failover. I updated the CNAME, and in order to prevent users from being unable to connect, I waited 60 seconds before shutting down the old server and starting up the new one.<br /><br />
From there things went bad. I tried to access the admin console, and failed. I tried to log into the Jabber server, and failed. Finally I hit the admin console through the A record instead of the CNAME, and found that other users had seamlessly failed over.<br /><br />
After a bit of testing I determined that my Linux box and my Windows box both worked fine. The only problem was the Mac that I was making the change from.
For some reason, the Mac was holding on to the old IP address.<br /><br />
After some testing, and confirmation from other individuals on their Macs, I think I know what was going on. Using <kbd>dscacheutil -cachedump -entries</kbd>, I inspected the local resolver cache.<br /><br />
Here's what I found:<br /><code><br />Category Best Before Last Access Hits Refs TTL Neg DS Node<br /> ---------- ------------------ ------------------ -------- ------ -------- ----- ---------<br /> Host 01/28/09 21:07:02 01/28/09 20:18:35 10 4 3600 <br /> Key: h_aliases:openfire.domain.fake. ipv4:1<br /> Key: h_aliases:openfire.domain.fake ipv4:1<br /> Key: h_name:server1.domain.fake ipv4:1<br /></code><br />
This appears to be reporting that the local resolver cached the server1.domain.fake DNS record, and set the expiration date of the record to <code>01/28/09 21:07:02</code>. openfire.domain.fake was then set as an alias for that record without retaining its own TTL. This would certainly explain the behavior that I saw.<br /><br />
So it seems that Mac OS X may be incompatible with a fairly common DNS failover technique. I filed a bug, so it'll be interesting to see how long it takes before Apple gets around to fixing it.<br /><br />
G.D. Fuego<br /><br />
<h2>Home Media Server</h2>Published 2009-01-12T21:44:00.005-05:00, updated 2009-03-03T22:28:43.403-05:00<br /><br />
I'm a bit of a media buff. I own several hundred DVDs, and I'm guessing well over 1000 CDs.<br /><br />
Like the rest of the known world, I solved the CD problem years ago. I ripped all of my CDs, and I store them in a few places including my iPod and my home media server. Early on I ripped in <a href="http://en.wikipedia.org/wiki/Ogg">Ogg</a> format, but quickly regretted it when I bought a <a href="http://en.wikipedia.org/wiki/PhatBox">Phat Box</a> media player for my car.
By the time they supported Ogg format, I had moved on to an iPod.<br /><br />
Eventually I started buying music from the iTunes Music Store since it was so much easier than CDs, and I continued until I discovered the <a href="http://www.amazon.com/mp3">Amazon MP3 Store</a>. Buying in MP3 format instead of AAC is so much easier to deal with, not to mention the lack of DRM.<br /><br />
Recently I read about <a href="http://sockso.pu-gh.com/">Sockso</a>. Sockso provides me with a simple web interface for streaming music off of my server so I can listen from work without having everything on local disk. Considering that my music collection is 58GB these days, it certainly saves me some space. Unfortunately Sockso does not support AAC format at this point, so I'm kind of out of luck on my iTunes media (even the non-DRM files).<br /><br />
Recently I started trying to tackle the DVD issue as well. I have a DVD changer, but it's just kind of clumsy. It attempts to detect the name of movies from the disc, but rarely succeeds. You can attach a PS/2 keyboard and type them in manually, but I eventually had to move the player, which required removing the discs (and losing the entered data).<br /><br />
So I thought I'd apply the same techniques to my movies. I used <a href="http://handbrake.fr/">Handbrake</a> to rip a number of movies and copy them onto my server as well. From there I can copy them into iTunes to watch on my computer or my iPod, or transfer them to my AppleTV (I apparently buy too much Apple gear).<br /><br />
Most of my media is on my file server, which runs Linux, so I wanted to see if I can get away without running iTunes. My first option was <a href="http://pytivo.armooo.net/">pyTivo</a>. It's an interesting project. It's a Python script that you point at your movie collection. It performs the necessary UDP broadcasts in order to announce your movie share on the network for your TiVo to see, and then converts the movie on demand to a format that the TiVo can display properly.
pyTivo works pretty well, but the code is in flux, and I'm not sure how much I want to trust it.<br /><br />
My latest try was <a href="http://xbmc.org/">XBMC</a>. It's a rather nice media player that was created for the original Xbox. These days it has also been ported to run on Windows, Linux, the Mac, and AppleTV. It can easily be installed on the AppleTV using <a href="http://code.google.com/p/atvusb-creator/">ATV USB Creator</a>.<br /><br />
XBMC can receive a stream from a <a href="http://en.wikipedia.org/wiki/UPnP_AV_MediaServers">Universal Plug'n'Play Media Server</a>. In my case I used <a href="http://mediatomb.cc/">MediaTomb</a> since it was available straight from Ubuntu. I'm not sure I'd suggest it due to the lack of access control. For now, I'm fine just running it bound to my local network only.<br /><br />
I'm not sure I'm really happy with how all of this is working, but it's still a work in progress.<br /><br />
G.D. Fuego<br /><br />
<h2>I chose poorly</h2>Published 2008-10-16T22:24:00.002-04:00, updated 2009-03-03T22:28:54.874-05:00<br /><br />
I finally took the advice of a co-worker and checked out <a href="http://www.igniterealtime.org/projects/openfire">Openfire</a> to replace Jabber XCP. After about 30 minutes I had Openfire configured with all of the functionality that had taken me weeks to set up properly in XCP.<br /><br />
Additionally I was able to pre-define buddy groups using AD groups, set a message of the day, send broadcast messages to all logged-in users, and perform other handy functions.<br /><br />
If you're looking at implementing a Jabber/XMPP solution, it's definitely worth a look.<br /><br />
G.D.
Fuego<br /><br />
<h2>x509 certs and XMPP servers</h2>Published 2008-07-30T22:00:00.002-04:00, updated 2009-03-03T22:29:04.245-05:00<br /><br />
Ok, one last XMPP post for tonight.<br /><br />
I came across an interesting issue with our test XMPP server today. When the server was initially created, it was set up with an x509/SSL certificate that was self-signed. That cert expired the other day, and I had to replace it.<br /><br />
Some of the people who were using the server started getting cert warnings while others did not. After a bit of investigating, I found the problem.<br /><br />
There are two ways that an XMPP client can connect to a server.<br /><br />
The first method is simple. You configure your client with your Jabber ID (username@company.com), and define an XMPP server (servername.company.com) to connect to. This is how our early documentation recommended configuring your clients, but it is not the generally recommended method.<br /><br />
The second method is the preferred one. You define a service record (SRV record) in DNS for _xmpp-client._tcp.company.com which points to your server name. Once your client has your Jabber ID (JID), the client will automatically look up the SRV record, and connect to that service.<br /><br />
Now comes the cert warning. Apparently if you use an SRV record, your x509 cert needs to have a common name (CN) of company.com, the domain part of the JID. If you define a server manually however, your CN needs to be the name of the server.<br /><br />
Our self-signed cert was for company.com. I replaced it with a properly signed cert for servername.company.com, and broke everyone using the preferred configuration method. Seeing the issue, I replaced it with a properly signed cert for company.com, and broke the people following the published documentation.<br /><br />
*sigh*<br /><br />
So now I get to update the documentation and answer the various questions for people.
Longer term I'm going to see if it's possible to provide certs for both methods. While you can't have two certs on the same port, it may be possible either to use a cert with an altCN (a subjectAltName covering both names), or possibly to have the SRV record point to a non-standard port so that people who define the server name can connect to the default port number (5222/5223).<br /><br />
G.D. Fuego<br /><br />
<h2>Managing your own Chat server</h2>Published 2008-07-30T21:27:00.001-04:00, updated 2009-03-03T22:29:10.093-05:00<br /><br />
Recently at work I've been trying to build a robust IM server environment for the company I work for. The plan was to allow employees to chat with each other without the conversations ever leaving the company. Our hope was to also tie the system into the various public instant messaging systems (AIM/MSN/YIM) so that we could use the same system to communicate with customers.<br /><br />
After looking around at various offerings, the choices boiled down to a <a href="http://en.wikipedia.org/wiki/Jabber">Jabber/XMPP</a> based solution or a <a href="http://en.wikipedia.org/wiki/SIMPLE">SIP/SIMPLE</a> service like Microsoft OCS or Lotus Sametime. Since XMPP has more open source libraries for coding against it, we decided to go the XMPP route. Personally I was happy since the peer-to-peer nature of the SIP protocol introduces a few problems on our network.<br /><br />
Of course, deciding on XMPP doesn't really narrow things down too much. There are a number of open source XMPP/Jabber servers out there, and quite a few commercial ones as well.<br /><br />
We looked at <a href="http://jabberd2.xiaoka.com/">Jabberd2</a>, <a href="http://www.blogger.com/post-create.g?blogID=30418899">eJabberd</a> and <a href="http://www.jabber.com/CE/JabberXCP">Jabber XCP</a>.<br /><br />
As far as I can tell, Jabberd2 and Jabber XCP are very similar in codebase, at least judging by the configuration file format.
The thing that the commercial Jabber XCP product provides is a nice web interface for configuring the service, a pair of supported clients (one Windows client, one web-based client) as well as commercial support.<br /><br />
eJabberd was impressive. It is an open source application written in Erlang, which I wasn't familiar with. Erlang is a programming language created for distributed computing by Ericsson. On smaller installations, it can handle clustering without any form of external database. It automatically manages synchronization between nodes of the cluster.<br /><br />
Version 2.0 of ejabberd also included a very nice web interface for managing the service, and included an impressive number of plugins. Configuring the service was very, very easy.<br /><br />
At the end of the day, we ended up going with Jabber XCP. The main reason is the one feature that no one else was able to provide: the ability to really tie into the public IM systems, or at least one of them. Any XMPP server can tie into other XMPP services (like Google Talk), but Jabber XCP offered the ability to tie into AIM as well.<br /><br />
The majority of Jabber/XMPP servers offer transports for the various IM services. What these transports do is essentially allow you to log into your own AOL/MSN/etc. account from within your IM client. So I may be myname@company.com within my company, but I would be logging into my gdfuego account on AIM.<br /><br />
Jabber XCP has a plugin (for an additional per-user cost), which allows you to actually use the same myname@company.com address within AIM itself. Unfortunately MSN and YIM aren't an option at this time.<br /><br />
Right now I'm getting close to turning our new server live, and I've been hitting a number of snags, but that'll be a story for another day.<br /><br />
G.D.
Fuego<br /><br />
<h2>Even less spam</h2>Published 2008-05-03T21:48:00.001-04:00, updated 2009-01-12T22:27:55.902-05:00<br /><br />
Due to my frustration with my personal e-mail, I recently implemented some additional spam filtering which was amazingly effective.<br /><br />
In the past 24 hours, the system has stopped 775 spams destined for valid users, and has accepted 37 legitimate messages. Previously it would have accepted those spam messages. Most would end up in my spam folder to be reviewed later, but others would end up in my inbox.<br /><br />
This decrease in spam hitting my inbox comes from greylisting, implemented using Postgrey.<br /><br />
A properly implemented mail server needs to be able to deal with temporary delivery failures, and try again later. A system implementing greylisting keeps track of the source IP address as well as the source and destination e-mail addresses. The first time a unique combination of these three things is seen, the message is given a temporary failure for 10 minutes.<br /><br />
Legitimate mail is eventually delivered. Spammers give up and don't come back.<br /><br />
G.D. Fuego<br /><br />
<h2>I reject your e-mail</h2>Published 2008-04-11T18:29:00.000-04:00, updated 2008-04-11T18:37:15.023-04:00<br /><br />
I've always heard that the correct behavior of a mail server is to reject e-mail for undeliverable local addresses rather than accepting it and then bouncing it. I never put too much thought into it though, until recently when I took over management of our e-mail infrastructure.<br /><br />
When the systems were handed to me, their queues generally had about 800-1000 e-mails to be delivered at any given point. As I dug into why, I found that the majority of those e-mails were outgoing bounce messages which were undeliverable for one reason or another.
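The two SMTP-time decisions of this post and of the greylisting post above, combined into one policy function as an added example (not the post's Postgrey or mail server configuration); the mailbox list, addresses and timeline are constructed.

```python
# Added example, not the post's own Postgrey configuration or mail server setup:
# the two SMTP-time decisions the "Even less spam" and "I reject your e-mail"
# posts describe, in one policy function.  An unknown local recipient is refused
# while the sending client is still connected, so no bounce is ever queued; a
# first-seen (client IP, sender, recipient) triplet gets a temporary failure until
# the post's 10-minute window has passed.  Mailbox list, addresses and the
# timeline below are constructed sample data.
from dataclasses import dataclass, field

GREYLIST_DELAY_SECONDS = 600          # the post's 10 minutes


@dataclass
class SmtpPolicy:
    local_domain: str
    local_users: set
    greylist: dict = field(default_factory=dict)   # triplet -> time first seen

    def decide(self, client_ip: str, sender: str, recipient: str, now: float):
        """Reply code for RCPT TO, decided before any message body is accepted."""
        user, _, domain = recipient.lower().rpartition("@")
        if domain == self.local_domain and user not in self.local_users:
            # Permanent reject during the session: the sender (or the spammer)
            # owns the problem, and nothing is accepted only to be bounced later.
            return 550, "5.1.1 Recipient address rejected: User unknown"
        triplet = (client_ip, sender.lower(), recipient.lower())
        first_seen = self.greylist.setdefault(triplet, now)
        if now - first_seen < GREYLIST_DELAY_SECONDS:
            # Temporary failure: a real MTA queues and retries, a spam cannon
            # usually does not.  The first-seen time is kept, not reset.
            return 450, "4.2.0 Greylisted, please try again later"
        return 250, "2.1.5 Recipient OK"


def run_timeline(policy: SmtpPolicy, attempts: list) -> list:
    """Feed (seconds, client_ip, sender, recipient) tuples through the policy and
    return the reply codes in order."""
    return [policy.decide(ip, sender, rcpt, t)[0] for t, ip, sender, rcpt in attempts]


def tally(codes: list) -> dict:
    """Summarise a run the way the post counts it: rejected, deferred, accepted."""
    return {"rejected": codes.count(550),
            "greylisted": codes.count(450),
            "accepted": codes.count(250)}


# Constructed timeline (RFC 5737 documentation addresses).  The spam source never
# retries; the legitimate MTA retries after 5 minutes and again after 15.
SAMPLE_ATTEMPTS = [
    (0,    "198.51.100.7", "deals@example.net",  "nosuchuser@domain.fake"),
    (1,    "198.51.100.7", "deals@example.net",  "me@domain.fake"),
    (5,    "203.0.113.9",  "friend@example.org", "me@domain.fake"),
    (305,  "203.0.113.9",  "friend@example.org", "me@domain.fake"),
    (905,  "203.0.113.9",  "friend@example.org", "me@domain.fake"),
    (1500, "203.0.113.9",  "friend@example.org", "me@domain.fake"),
]


def sample_run() -> list:
    """Run the constructed timeline against a one-mailbox local domain."""
    policy = SmtpPolicy(local_domain="domain.fake", local_users={"me"})
    return run_timeline(policy, SAMPLE_ATTEMPTS)


if __name__ == "__main__":
    codes = sample_run()
    print(codes, tally(codes))   # [550, 450, 450, 450, 250, 250]
```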
<br /><br />
After a few changes, those systems are now rejecting around 1,000,000 spam messages a day. These are messages that would previously have been accepted and sent back out on the internet as <a href="http://en.wikipedia.org/wiki/Backscatter_%28e-mail%29">backscatter</a>.<br /><br />
Rejecting instead of bouncing allowed me to significantly cut down on the amount of processing power, bandwidth and disk space used on these systems. Not to mention cutting down on the amount of e-mail that the backscatter victims were receiving.<br /><br />
Now if only everyone else who runs mail servers would figure this out.<br /><br />
G.D. Fuego<br /><br />
<h2>I read your e-mail</h2>Published 2008-04-07T17:27:00.000-04:00, updated 2008-04-07T17:32:07.460-04:00<br /><br />
Well, a few more months go by and I find myself responsible for the e-mail system of a 1000+ employee multi-national company. It only took me about a month or so before I had a better understanding of how mail flow works within the company than anyone had had in several years.<br /><br />
It's amazing how much crap can build up in a system that passes through the hands of a few dozen employees who never quite put in the effort to fully understand it or attempt any sort of cleanup.<br /><br />
G.D. Fuego<br /><br />
<h2>Wow, I suck</h2>Published 2007-12-14T22:02:00.000-05:00, updated 2007-12-14T22:14:23.702-05:00<br /><br />
Two posts and I vanish for over a year. Wow, I suck.<br /><br />
Well, since my last post I've decided to leave my role as a Security Engineer. Instead I'm moving back to a Systems Administration role supporting Unix servers. Security still interests me, but at the end of the day what I enjoy is using technology to solve problems for people.
In my security role I found myself finding problems without being able to assist in solving them.<br /><br />
So as of January 2nd I get to go back to my roots, but with a greater understanding of security. Should be interesting.<br /><br />
G.D. Fuego<br /><br />
<h2>SSH Security</h2>Published 2006-06-30T18:14:00.000-04:00, updated 2006-06-30T18:40:31.243-04:00<br /><br />
I run a Linux server that accepts SSH logins. And my server is under attack. There have been over 1000 login attempts from a handful of systems in the past 2 days alone. Since June 1st, 19 different systems have attacked my system over 10,000 times. Chances are, if you're running a system that allows SSH authentication, your system is under attack as well.<br /><br />
For the past few years there has been a remarkable increase in the number of SSH brute force attacks. There are automated scripts out there that scan networks for SSH daemons on port 22, and when one is found, attempt to log into it using dictionaries of common usernames and passwords.<br /><br />
If you look in your logs, you'll likely see attempts that look something like this:<br />Jun 30 09:51:58 localhost sshd[32357]: Failed password for invalid user mark from 211.171.202.87 port 41435 ssh2<br />Jun 30 09:52:02 localhost sshd[32359]: Failed password for invalid user tomas from 211.171.202.87 port 42307 ssh2<br />Jun 30 09:52:06 localhost sshd[32388]: Failed password for invalid user rpm from 211.171.202.87 port 43192 ssh2<br />Jun 30 09:52:10 localhost sshd[32390]: Failed password for invalid user jean from 211.171.202.87 port 44095 ssh2<br /><br />
If one of these common username/password pairs actually works against your system, the attacker will gain access to your machine, and will likely use your computer to continue their search for more systems to attack. Your system may also be used as a jumping point for other types of attacks.
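Detection over log lines like these, as an added example that is not part of the post: it groups failures per source address, flags a source that crosses a threshold within a time window, and reports a flagged source that later logs in successfully; the first four log lines are the post's own, the last two are constructed.

```python
# Added example (not from the post): detection logic run over the post's own sshd
# log lines plus two constructed ones.  It groups failed logins by source address,
# flags a source once it has `threshold` failures inside `window_seconds`, and
# reports the case the post warns about: a flagged source that later logs in
# successfully.  Syslog lines carry no year, so 2006 (the post's date) is assumed.
import re
from collections import defaultdict
from datetime import datetime

# The first four lines are the post's sample; the last two are constructed.
SAMPLE_LOG = """\
Jun 30 09:51:58 localhost sshd[32357]: Failed password for invalid user mark from 211.171.202.87 port 41435 ssh2
Jun 30 09:52:02 localhost sshd[32359]: Failed password for invalid user tomas from 211.171.202.87 port 42307 ssh2
Jun 30 09:52:06 localhost sshd[32388]: Failed password for invalid user rpm from 211.171.202.87 port 43192 ssh2
Jun 30 09:52:10 localhost sshd[32390]: Failed password for invalid user jean from 211.171.202.87 port 44095 ssh2
Jun 30 09:52:14 localhost sshd[32392]: Accepted password for jean from 211.171.202.87 port 44101 ssh2
Jun 30 10:03:41 localhost sshd[32500]: Failed password for bob from 192.0.2.10 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line: str, year: int = 2006):
    """Return {time, result, user, ip} for a password-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())          # collapse 'Jun  3' spacing
    return {"time": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "result": m.group("result"), "user": m.group("user"), "ip": m.group("ip")}


def analyze(log_text: str, threshold: int = 3, window_seconds: int = 60) -> dict:
    """Per source IP: failure count, usernames tried, whether the source crossed
    the threshold inside the window, and the account that later succeeded (if any)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        failures = [r for r in recs if r["result"] == "Failed"]
        times = [r["time"] for r in failures]
        flagged_at = None
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged_at = times[i + threshold - 1]
                break
        success_after_flag = None
        if flagged_at is not None:
            for r in recs:
                if r["result"] == "Accepted" and r["time"] >= flagged_at:
                    success_after_flag = r["user"]
                    break
        report[ip] = {"failures": len(failures),
                      "usernames": [r["user"] for r in failures],
                      "flagged": flagged_at is not None,
                      "success_after_flag": success_after_flag}
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```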
Your data may be stolen. And who knows what will be traced back to you.<br /><br />
So is there anything you can do to protect yourself? Sure there is. You have a number of options, with different levels of effectiveness.<br /><br />
1) Switch to key-based authentication. If you generate an SSH key and use it to provide all access to your system, then you're effectively immune to these sorts of attacks. Brute-forcing a password using SSH may take days or weeks. Attempting to brute-force an RSA-based SSH key would take years. Note that you need to REQUIRE keys for authentication, not just use keys. As long as your server still accepts passwords, you're still vulnerable, regardless of what your standard method for logging in is.<br /><br />
2) If key-based authentication isn't an option for you, your next best option is to use a strong password. The longer your password is, and the more random it is, the less likely a password-based attack will work. In this case, it's important to ensure that ALL users of the system have strong passwords. Consider using an application like John the Ripper to test the strength of passwords if you have a number of users on the system.<br /><br />
3) An additional option is to move your SSH daemon to a different TCP port. By default SSH listens on port 22. A daemon listening on a different port would be harder to find. Note that unless you mix this with strong passwords you're depending on security through obscurity. Obscuring a system like this isn't a bad thing, but it is not a fix-all. Assume that someone will eventually find the daemon, and the attack will continue.<br /><br />
4) Restrict who can talk to your SSH daemon. If you're lucky enough to only have a few sources of logins, you can use either application-level IP restrictions or firewall rules to ensure you limit who can attempt to log in.
This works wonders if you trust the people on the allowed hosts list.<br /><br />
The final item I wanted to mention isn't so much a prevention method as a community good deed. Most IPs you see in your logs represent a system that has been compromised by a similar attack. In most cases, the owner of the system is not aware of what has happened. Or if they are aware, their ISP might be interested to find out about their activities.<br /><br />
If you have some spare time, try tracking down an attacking system. Use tools like dig and whois to attempt to track down the owner of the system and the hosting ISP, and notify them about the attack. Include the log files showing their attack, and explain the issue in plain language. Treat them as a victim, and talk to them in a non-accusatory way.<br /><br />
In the best case you'll get a response from the person and they will work to solve the problem. In the worst case you won't get any response. Maybe they solved the problem without saying anything. Maybe they're ignoring you. In either case, at least you tried.<br /><br />
G.D. Fuego<br /><br />
<h2>An Awkward Start</h2>Published 2006-06-28T22:07:00.000-04:00, updated 2006-06-28T22:21:10.506-04:00<br /><br />
Well folks, I'm here again on my umpteenth attempt to start a regular blog of some sort. These attempts go back about 6 years, and generally end with my anti-social behavior taking over once again.<br /><br />
A little background on myself. I've spent the last 6-7 years working as a Linux sysadmin for a large company based in the Boston area. Last year I made the transition from sysadmin work to Infosec (Information Security).<br /><br />
For those of you who may not be familiar with Information Security, it is a rather large field centered around defending computer systems. And of course in order to protect a system you also need to be familiar with how to attack a system.
As they say, know your enemy.<br /><br />
This blog is going to cover some of my life, and some of my work. Unless you're interested in computer security, you'll probably want to move on and read something else more up your alley.<br /><br />
G.D. Fuego