Archive for January, 2007

IPTables against SSH dictionary attacks

Sunday, January 14th, 2007

Like everybody who has a Linux server running an SSH daemon connected to the Internet, I regularly get attacked by people (well, botnets probably) trying to do a brute-force attack against the server. Such attempts can take many hours, during which they simply try many thousands of possible username/password combinations.

As long as you have your SSH server configured properly, the most important thing being to only allow SSH access to accounts which actually need it, this is more an annoyance than a problem. Nonetheless, it is an annoyance, if only because of all the crap in your logfiles.

There are many ways to detect and block such attacks. sshdfilter works well, and a good detailed overview of the various options can be found here. One that particularly appealed to me, however, was a very simple netfilter-based technique consisting of only two lines of iptables code. It uses the “recent” netfilter extension, and the idea of using it to combat SSH attacks was apparently first conceived by Andrew Pollock.
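To make the behaviour of the two-rule approach concrete, here is a small simulation of the “recent” match as I understand its semantics. This is an added example, not code from the post or from Andrew Pollock; the rule text in the docstring is my reconstruction of the common form (the rule order and the 60-second/4-hit parameters are assumptions), and the IP addresses and timestamps are constructed sample input.

```python
"""Model of the netfilter `recent` match used to throttle SSH dictionary attacks.

Added example, not code from the blog post. It simulates two iptables rules of
the kind the post refers to (my reconstruction, rule order assumed):

    iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --set --name SSH

Modelled semantics: `--update` matches (the SYN is dropped) when the source is
already in the list and at least `hitcount` hits fall inside the last `seconds`
seconds; a matching `--update` also adds a fresh timestamp, so a source that
keeps hammering stays blocked. A non-matching SYN reaches the `--set` rule,
which records the hit and lets the connection through to sshd.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class RecentSshThrottle:
    def __init__(self, seconds: int = 60, hitcount: int = 4, list_tot: int = 20):
        self.seconds = seconds
        self.hitcount = hitcount
        # xt_recent keeps a bounded ring of timestamps per address
        # (ip_pkt_list_tot, default 20); the deque maxlen mimics that.
        self.table: Dict[str, Deque[float]] = defaultdict(lambda: deque(maxlen=list_tot))

    def _hits_in_window(self, src: str, now: float) -> int:
        return sum(1 for t in self.table[src] if now - t <= self.seconds)

    def new_connection(self, src: str, now: float) -> str:
        """Decide 'DROP' or 'ACCEPT' for a new TCP connection to port 22 at time `now`."""
        if src in self.table and self._hits_in_window(src, now) >= self.hitcount:
            self.table[src].append(now)   # --update matched: refresh the entry, drop
            return "DROP"
        self.table[src].append(now)       # --set: record the hit, let it through
        return "ACCEPT"


def simulate(events: List[Tuple[float, str]], **kw) -> List[Tuple[float, str, str]]:
    """Run a time-ordered list of (timestamp, source) SYNs through the throttle."""
    throttle = RecentSshThrottle(**kw)
    return [(t, src, throttle.new_connection(src, t)) for t, src in sorted(events)]


# Constructed sample: one source opening a connection every two seconds
# (dictionary attack) and an admin logging in twice, minutes apart.
SAMPLE_EVENTS: List[Tuple[float, str]] = [(i * 2.0, "198.51.100.7") for i in range(8)] + [
    (5.0, "203.0.113.20"),
    (300.0, "203.0.113.20"),
]

if __name__ == "__main__":
    for t, src, verdict in simulate(SAMPLE_EVENTS):
        print(f"t={t:6.1f}s  {src:15}  {verdict}")
```

With these parameters the fourth connection inside the window is the last one accepted; everything after it is dropped, and the admin who connects twice five minutes apart is never affected. The caveat a defender should keep in mind is visible in the model as well: the block only holds while at least `hitcount` hits remain inside the window, so a source that goes quiet for longer than `--seconds` is accepted again, and the two numbers have to be tuned against the rate you actually see in your logs.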


Hidden Variables

Saturday, January 13th, 2007

“We now know that the moon is demonstrably not there when nobody looks.”
– N. David Mermin

Last Wednesday, I was in a pub with some friends. That is to say, we are no longer colleagues, yet a good time was had by all (except for the one who got drenched in beer by the newbie waitress), so I’d say “friends” would be the appropriate classifier.

A laser pointer happened to be present, and we were playing with it, so of course the conversation turned to quantum mechanics and the Einstein-Podolsky-Rosen paradox. We remembered what the paradox was about and what it was supposed to prove, but we didn’t quite remember why it was a paradox; in other words, why the hidden variables hypothesis was not an acceptable alternative to nonlocality. So I looked it up afterwards.


12-01-07 blog outage

Saturday, January 13th, 2007

My site was down for most of the day yesterday, as XS4ALL moved me to a new IP address because I am now an ADSL-only customer. The move to the new IP went smoothly enough, but I had to restart my firewall script manually, and of course the DNS records for mwolf.net and martinwolf.net had to be changed. And because I was at work, I couldn’t see to that right away.

No mail should have been lost, however, thanks to EasyDNS’s backup mail spool feature. I run my own mailserver, but there is a secondary MX record which points to a backup server maintained by EasyDNS, which caches anything sent to me while my own server is down and then forwards it when I’m up again. Great feature!

~$ dig mwolf.net mx

;; QUESTION SECTION:
;mwolf.net. IN MX

;; ANSWER SECTION:
mwolf.net. 10416 IN MX 5 mwolf.net.
mwolf.net. 10416 IN MX 10 smtp.easydns.com.
mwolf.net. 10416 IN MX 100 smtp2.easydns.com

Five things you probably didn’t care about

Monday, January 8th, 2007

Well, looks like I’ve been tagged for the latest blog fad, the “five things you didn’t know about me” chain letter. Thanks, Edward.

Here we go. Actually, some of these are things which you did know about me, if you are more than a passing acquaintance.

  1. The first computer programs I wrote, in BASIC, were little sprite animations on the BBC Micro, when I was in my early teens or maybe even younger than that. A typical scenario for such an animation would go like this: airplane flies over, drops a bomb, little stick-man walks up from the side of the screen and pushes a little trampoline under the bomb, which bounces back and hits the plane, causing it to burst into flames. Good times.
  2. Later, I moved on to the Atari ST, the Commodore Amiga, and eventually the first PCs. Other machines that found their way into the Wolf household were the Sharp MZ-700, the Philips P2000 (that was before the BBC, actually, but I never programmed on it), a Canon X-07 1983-vintage ultraportable including a portable four-colour pen-plotter, and a Sharp PC-1248 calculator-sized computer. Most of these were bought by my dad and eventually made it into my greedy hands; I still have the Canon and the PC-1248. I also still have the Amiga, which was the first computer I bought for myself.
  3. My dad is the one who got me started on the path to computer geekdom. He is, at least in some ways, a bigger geek than I am.
  4. I have a pet snake, Billie.
  5. Although never a Sporty Spice, I used to do quite a bit of swimming and horseback riding as a teenager, and during the summer vacations I have been known to disappear into the French Alps wearing a large backpack and not come back for several days. Since a bit more than a year ago I’ve taken up indoor climbing, which I do quite enthusiastically now one or two days a week.

Well, it’s a chain letter, so let me do unto others as I have been done unto: Mark, Dirk-Jan, Jeroen, Bert.