Thoughts of Dan

These are thoughts that I managed to keep in my mind long enough to commit to this digital archive

Monday, April 28, 2008

Where is fishdan.com? We recently moved, and I ran fishdan.com out of my house. For the moment, I'll point the DNS here to keep my fan updated. I'll do my best to write a thing or 2 about the new place, the move, etc.

posted by fishdan  # 8:33 AM (1) comments

Tuesday, November 28, 2006

Does Draft Order Matter In Fantasy Football? 

A guy over on Sportsdot has a theory that in almost every fantasy football league the person who drafted 3rd took LaDainian and will soon be in the playoffs, and everyone who drafted 2nd took Shaun Alexander and is now eliminated from the playoffs. He's accumulating data, so your $0.02 will help.


posted by fishdan  # 12:51 PM (0) comments

Thursday, October 12, 2006

Executive Summary: This article details how to minimize hack attempts on open-facing ports on a *nix machine by reading the attackers' IP addresses from a log file and adding those addresses to hosts.deny.

Chances are pretty good that if you've got a port open to the internet, you're seeing unwanted traffic on it. If you've got a service such as telnet, FTP or POP that transmits passwords unencrypted, you're at significant risk of a breach from an intercepted packet, but even if you're using a secure protocol such as SSH, you're vulnerable to a brute-force attempt to break into your site. As an example, here is a sample of a log file showing a break-in attempt on one of my servers:

Oct 8 13:54:18 chapelle sshd(pam_unix)[4554]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.13.157.12
Oct 8 13:54:22 chapelle sshd(pam_unix)[4557]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.13.157.12
Oct 8 13:54:27 chapelle sshd(pam_unix)[4560]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.13.157.12
Oct 8 13:54:31 chapelle sshd(pam_unix)[4563]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.13.157.12
Oct 8 13:54:36 chapelle sshd(pam_unix)[4566]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.13.157.12
Oct 8 13:54:40 chapelle sshd(pam_unix)[4569]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.13.157.12 user=root
Oct 8 13:54:44 chapelle sshd(pam_unix)[4571]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.13.157.12 user=root
Oct 8 13:54:49 chapelle sshd(pam_unix)[4573]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.13.157.12 user=root
Oct 8 13:54:53 chapelle sshd(pam_unix)[4575]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.13.157.12


On my Linux box (Fedora Core 5), this comes from /var/log/messages. What this shows is an attempt to log in via SSH on the machine "chapelle." In some cases the login attempts were with no user name; in others they were with the username root.

The log files used to go on and on with these break-in attempts, as the attackers tried about 5000 common login names and passwords. And it could easily be more in the future. Although I use a secure username and password, and do not allow root to log in remotely, I am still annoyed by the attempts. If you have users with common user names, such as "john" or "jjones" or something like that, then these break-in attempts are more than just an annoyance for you. Don't think "I don't have anything worth breaking in for", because hackers certainly are not thinking that.

So what can you do? On a *nix based system, there is a file called hosts.deny -- on Fedora it's at /etc/hosts.deny. If you add an IP address or hostname to this file, that IP address will no longer be able to connect. So, all you have to do is get the IP address of the attacking machine into that file, and you'll block them.

What follows is how I do it -- it's not particularly clever, but I think it's generic enough that anyone else faced with this problem can adapt my method to their problems. You could use this for any service that keeps a log file that shows offending IP addresses.

On a *nix box, sshd (the program used to run ssh) is set up to log all important messages to /var/log/messages. This log file usually contains a lot of other messages too, so it's important to filter out some of the noise before trying to process the file. In order to do that, I run the following command:
(I made the font tiny so it fits on one line. You're gonna cut and paste it anyway.)

cat /var/log/messages | grep "`date "+%b %e %H"`" | grep authentication | grep failure | grep sshd > /usr/local/hourlyssh.log

I'll break down what this does step by step:

cat /var/log/messages --> prints out the entire messages file
| grep "`date "+%b %e %H"`" --> only include lines from this hour
| grep authentication --> only include lines with the word "authentication"
| grep failure --> only include lines with the word "failure"
| grep sshd --> only include lines with the word "sshd"
> /usr/local/hourlyssh.log --> overwrite the hourlyssh log with the new results


After running that command, you've got only the lines you want in a file. Now you just have to parse the file to get out the IP addresses and add them to /etc/hosts.deny. You could easily do this in a shell script, or in Perl, or really any language you want. I'm doing it in Java because I believe that's the lowest common denominator.

Save the following as ~root/DenyAddress.java


import java.io.*;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;

public class DenyAddress {

    public static final String HOSTSDENY_PATH = "/etc/hosts.deny";
    public static final String HOURLYLOG_PATH = "/usr/local/hourlyssh.log";
    // only ban people with 3 or more failed login attempts
    public static final int THRESHOLD = 3;

    public static void main(String argv[]) {
        try {
            /*
            This assumes your log format looks like this:

            Aug 2 06:01:27 myserver sshd(pam_unix)[7402]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=64.6.244.66

            If it doesn't you'll have to parse the ip out of the log yourself.
            */
            Map<String, Integer> failures = new HashMap<String, Integer>();
            BufferedReader in = new BufferedReader(new FileReader(HOURLYLOG_PATH));
            String line;
            while ((line = in.readLine()) != null) {
                StringTokenizer st = new StringTokenizer(line, " ");
                while (st.hasMoreTokens()) {
                    String token = st.nextToken();
                    if (token.startsWith("rhost=")) {
                        String ip = token.substring(6); // strip the "rhost=" prefix
                        // keep track of how many failed attempts per ip address
                        Integer i = failures.get(ip);
                        failures.put(ip, i == null ? 1 : i + 1);
                    }
                }
            }
            in.close();

            // now read from hosts.deny to make sure we don't add an address that's already banned
            File deny = new File(HOSTSDENY_PATH);
            Set<String> alreadyBanned = new HashSet<String>();
            in = new BufferedReader(new FileReader(deny));
            while ((line = in.readLine()) != null) {
                if (line.startsWith("#")) {
                    continue; // ignore comments
                }
                // a line looks like "ALL: 1.2.3.4" -- the address is the second ':' field
                StringTokenizer st = new StringTokenizer(line, ":");
                if (st.countTokens() >= 2) {
                    st.nextToken();
                    alreadyBanned.add(st.nextToken().trim());
                }
            }
            in.close();

            // append onto the existing file
            PrintWriter pw = new PrintWriter(new FileWriter(deny, true));
            StringBuffer bannedString = new StringBuffer();
            for (Map.Entry<String, Integer> entry : failures.entrySet()) {
                String bip = entry.getKey();
                if (entry.getValue() >= THRESHOLD && !alreadyBanned.contains(bip)) {
                    pw.println("ALL: " + bip);
                    bannedString.append(" " + bip);
                }
            }
            pw.close();

            if (bannedString.length() > 0) {
                // write banned addresses to syslog
                // you can omit this block if you don't need extra confirmation
                Runtime.getRuntime().exec(new String[] { "logger", "banning" + bannedString });
            }
        }
        catch (Exception e) {
            e.printStackTrace(); // run this a few times manually to see if it works for you
        }
    }
}

//END CODE


So now I've got the code that does what I want -- now I just have to roll it all together.

I make a shell script called denyaddresses and put it in ~root

#!/bin/sh
#denyaddresses
echo `date`
cat /var/log/messages | grep "`date "+%b %e %H"`" | grep authentication | grep failure | grep sshd > /usr/local/hourlyssh.log
cd /root
java DenyAddress
echo " ";
echo " ";

Compile DenyAddress.java in /root by doing

$JAVA_HOME/bin/javac -classpath . DenyAddress.java

Then, as root, run crontab -e and add the following line:

*/5 * * * * ~root/denyaddresses >> ~root/deny.log

Note that this must be run as root in order to edit the hosts.deny file.
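The same pipeline in one place, as an added example that is not part of the post (the post's own code is the grep chain, the Java class and the cron script above): the hourly filter, the per-address threshold and the "don't add what's already in hosts.deny" merge, written as POSIX sh + awk so it can be tried on a sample log without root. The function names offenders and new_bans are mine, and the log lines and addresses are constructed for the example (documentation-range addresses, not real attackers). Two things worth knowing when adapting it: syslog pads single-digit days with a space ("Oct  8"), which is exactly what the post's date "+%b %e %H" produces, so the sample keeps that double space; and hosts.deny is only consulted by services that are linked against tcp_wrappers (libwrap), so check that your sshd is before relying on it.

```shell
#!/bin/sh
# Added example, not the post's own code: hourly sshd failure filter,
# per-address threshold and hosts.deny merge in POSIX sh + awk.

# Constructed sample log (not from a real server): 198.51.100.7 and
# 203.0.113.9 each fail three times in the 13:00 hour, 192.0.2.44 fails
# once in that hour (and once in the 12:00 hour), plus two lines that
# are not sshd authentication failures and must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Oct  8 13:54:18 chapelle sshd(pam_unix)[4554]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Oct  8 13:54:22 chapelle sshd(pam_unix)[4557]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Oct  8 13:54:27 chapelle sshd(pam_unix)[4560]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Oct  8 13:55:01 chapelle sshd(pam_unix)[4563]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Oct  8 13:55:05 chapelle sshd(pam_unix)[4566]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Oct  8 13:55:09 chapelle sshd(pam_unix)[4568]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Oct  8 12:10:00 chapelle sshd(pam_unix)[4400]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44
Oct  8 13:56:00 chapelle sshd(pam_unix)[4570]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44
Oct  8 13:56:30 chapelle crond[123]: (root) CMD (run-parts /etc/cron.hourly)
Oct  8 13:57:00 chapelle sshd[4580]: Accepted publickey for dan from 192.0.2.44 port 51000 ssh2
EOF
)

# offenders HOUR THRESHOLD   (syslog text on stdin)
# Prints, sorted, every rhost with THRESHOLD or more sshd authentication
# failures on lines whose timestamp starts with HOUR (e.g. "Oct  8 13").
offenders() {
  grep -F "$1" | grep -F 'sshd' | grep -F 'authentication failure' |
    sed -n 's/.*rhost=\([^ ]*\).*/\1/p' |   # keep only the address after rhost=
    sort | uniq -c |                         # "<count> <address>" per address
    awk -v t="$2" '$1 >= t { print $2 }'     # apply the threshold
}

# new_bans HOSTSDENY   (candidate addresses on stdin, one per line)
# Emits "ALL: a.b.c.d" for each candidate not already listed in HOSTSDENY.
# Comment lines are skipped; the address is the second colon-separated
# field, so "ALL: 1.2.3.4" and "sshd: 1.2.3.4" are both recognised.
new_bans() {
  existing=$(grep -v '^#' "$1" 2>/dev/null |
    awk -F: 'NF >= 2 { gsub(/[ \t]/, "", $2); print $2 }')
  while IFS= read -r ip; do
    printf '%s\n' "$existing" | grep -qxF -- "$ip" || printf 'ALL: %s\n' "$ip"
  done
}

# Demo against a temporary stand-in for hosts.deny, so no root is needed.
# The real run, as root, would be:
#   offenders "$(date '+%b %e %H')" 3 < /var/log/messages |
#     new_bans /etc/hosts.deny >> /etc/hosts.deny
demo() {
  tmpdeny=$(mktemp)
  printf '# constructed hosts.deny\nALL: 203.0.113.9\n' > "$tmpdeny"
  printf '%s\n' "$SAMPLE_LOG" | offenders "Oct  8 13" 3 | new_bans "$tmpdeny"
  rm -f "$tmpdeny"
}
demo   # prints only "ALL: 198.51.100.7": 203.0.113.9 is already listed, 192.0.2.44 is under the threshold
```

If you drop this into the cron job from the post, remember that cron runs with a minimal PATH, so call java (or this script's tools) by full path if the job works from a shell but not from cron.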

I've tried to make this relatively generic. Hopefully you'll be able to adapt this to your own needs. If not, post here, and I'm sure the community can help you out.

posted by fishdan  # 10:43 AM (0) comments

Thursday, October 20, 2005

Arlo Guthrie is playing in Boston on 11/15.

My music tastes are eclectic and broad. I'm going to see Arlo Guthrie down at Symphony Hall. It's a larger venue than I like to normally see him in, but I'm glad he's popular enough to fill it.

Arlo's a real working musician. He's out on the road A LOT and I respect the hell out of that. Like everyone who went to school in Austin, I was in a garage band for a while, and I always dream that someday I might hit the road again with a guitar.

I'm sure Arlo's gonna go off on the Iraq conflict, and tie it in to Alice's Restaurant. But that's Arlo. He's a child of the '60s, and political dissent is one of the most important things that happens here in the US.

It's something we can all learn from that generation: the fact that popular will can on occasion trump unpopular leadership. I look on the Vietnam war as the wrong conflict. Of course I wasn't there, and I was only 7 (almost 8) when Saigon fell. But I feel very differently about the 2 conflicts -- to me Vietnam was senseless, Iraq is sensible.

I'm glad to have a dissenter like Arlo around though. I want my opinions on this to be challenged. The daily butcher's bill from around the globe DEMANDS that we daily take the time to consider whether we are undertaking the best course of action. So far I'm in complete agreement with the destination we're pursuing, if not necessarily every turn in the road. Arlo does the Alice's Restaurant bit every year in Boston right before Thanksgiving, so I'm planning on going and then having a feast that can't be beat! (That's some Arlo humor.)

Seriously though, Arlo's an American Icon -- if you get a chance to see him, you should.

posted by fishdan  # 10:25 PM (0) comments

Thursday, June 30, 2005

My full time sportsblog, Sportsdot, is where I spend most of my time.

I do think I should post more of my own stuff.

posted by fishdan  # 6:51 AM (0) comments

Wednesday, March 02, 2005

RHAPSODY Link

posted by fishdan  # 8:12 AM (0) comments
