30 Jan 2006 07:46 pm
Restricting ssh access to selected IP addresses
This is probably one of those “what’s a spline?” kind of things which I should have learnt years ago, but somehow looking it up on google proved rather tricky. I try to spend as little of my life wearing a sys-admin hat as possible, so if I’m missing something obvious please let me know.
Anyway, a server I’m involved with had been hammered for months by people running brute force SSH attacks. There is pretty much zero chance of them successfully guessing a password, but unfortunately the sheer number of connections has occasionally reached sshd’s limits and locked even real users out. The hosting company has been able to connect directly to restart sshd where necessary, but obviously it’s not a tenable situation for what will eventually become a production server.
Most of what I could find on Google deals with setting up monitoring systems to monitor the sshd logs and dynamically create firewall rules to block any clients which appear to be performing brute force attacks, but our situation is really much simpler. For this server, and I would imagine most, there is a very finite set of IP addresses which might legitimately connect via SSH. I guess ISPs assigning dynamic IP addresses might stretch this in some cases, but even then the set is likely to be quite small (and could probably be defined by domain).
I was about to dive in and start setting iptables rules for SSH, which makes me rather nervous when the server in question is on the other side of the world, but someone at work suggested that using hosts.allow might be simpler.
Having never actually touched hosts.allow in the past, I did a bit of digging and ran across this nice little introduction to TCP wrapping SSH which seems to have been set up specifically for some sort of exploit against ssh version 1, but showed pretty much exactly what I wanted to do.
For what it’s worth, I ended up with the following, which seems to work beautifully.
[root@server root]# cat /etc/hosts.allow
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
[root@server root]# cat /etc/hosts.deny
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
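The two files as shown above carry only the stock comment headers, and a comment-only pair restricts nothing, because tcpd falls through to allow when neither file matches. As an added example that is not the post’s own configuration, this POSIX sh snippet emulates the order in which tcpd consults hosts.allow and hosts.deny for a constructed rule pair (the documentation addresses 198.51.100.0/24 and 203.0.113.5 stand in for whatever your real addresses are); the real check on a live box is tcpdmatch(8).

```shell
# Added example: a minimal POSIX sh emulation of the order in which tcpd's
# hosts_access() consults the two files, so the effect of a rule pair can be
# reasoned about before touching a remote server. This is not tcpd itself.
# Order: first match in hosts.allow -> allow; else first match in
# hosts.deny -> deny; else allow. Handles the classic client patterns
# ALL, an exact IPv4 address, and a trailing-dot network prefix.

# Constructed sample tables (RFC 5737 documentation addresses).
HOSTS_ALLOW='# ssh only from the office network and one admin host
sshd: 198.51.100., 203.0.113.5'
HOSTS_DENY='# nobody else reaches sshd; other wrapped services unaffected
sshd: ALL'

# pattern_matches PATTERN CLIENT_IP -> 0 if PATTERN covers CLIENT_IP
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# table_matches TABLE_TEXT DAEMON CLIENT_IP -> 0 on the first line of the
# form "daemon_list : client_list" covering both, 1 if none does.
table_matches() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemon_hit=1
        for d in $(printf '%s' "${line%%:*}" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$2" ] && daemon_hit=0
        done
        [ "$daemon_hit" -eq 0 ] || continue
        for c in $(printf '%s' "${line#*:}" | tr ',' ' '); do
            pattern_matches "$c" "$3" && return 0
        done
    done <<EOF
$1
EOF
    return 1
}

# hosts_access DAEMON CLIENT_IP -> prints and returns 0 (allow) / 1 (deny)
hosts_access() {
    if table_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow; return 0; fi
    if table_matches "$HOSTS_DENY" "$1" "$2"; then echo deny; return 1; fi
    echo allow; return 0          # neither file mentions it: tcpd allows
}

hosts_access sshd 198.51.100.77   # prints "allow" (prefix match)
```

The same rules only take effect if sshd is linked against libwrap; OpenSSH removed tcp_wrappers support in 6.7, so on a newer build the equivalent restriction has to live in sshd_config (AllowUsers with user@host patterns) or in a firewall rule.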
You would think this is the sort of thing the hosting provider’s technicians would have recommended the moment we said we were having trouble, but I guess they prefer offering more costly solutions.
Technorati Tags: ssh, sysadmin, hosting, firewall, security, linux
28 Jan 2006 07:25 pm
Alphabet cloud tshirt
I ran across Snap Shirts earlier today. They sell t-shirts which have tag clouds based on famous books or a blog of your choice (which is scraped on the fly). Very cute idea, though I’m not sure I actually want any. What I did like, however, was their counted alphabet shirt, which contains the letters of the alphabet scaled based on their frequency in the 86 800 most common words in English.
After seeing that shirt, I decided I wanted one similar, but taking the relative word frequency into account. The letter frequency in a given language is very useful for solving simple codes (i.e. replace a with l, b with g and so on), and so it’s not too difficult to find a list of letter frequencies for English (I compared it to the letter frequency on this site’s front page – very close).
With the right frequencies in hand, I knocked up a web page with the letters in the right relative sizes and it all ran through a few conversions to get the image in a format to go onto a shirt. If anyone else would like one, you can get your very own alphabet cloud t-shirt from the kstruct cafe press store. No mark-up, since I really just made it for myself, and if you want the same image on some other cafe press item just let me know.
Technorati Tags: t-shirt, alphabet, cryptography, tag cloud
28 Jan 2006 08:06 am
Google and censorship
So, Google is censoring search results on their Chinese site, presumably because the Chinese government asked them to do so. Lots of people (mostly Americans) seem to be very upset about this.
Putting on my devil’s advocate hat for a moment…
Just because Americans happen to equate censorship and ‘evil’ doesn’t mean everyone does. From the Chinese government’s perspective, ‘evil’ could very well be defined as assisting Chinese citizens in accessing material the government considers inappropriate. That, in fact, would be why they have made doing so illegal.
As an international company Google is going to be faced with many situations where what happens to be considered evil is going to vary from society to society. How they try to resolve this with their ‘do no evil’ policy will be interesting to watch.
Technorati Tags: google, censorship, china, america, law
26 Jan 2006 11:01 am
I had always assumed the phrase was ‘just desserts’, but apparently not.
Google, however, seems to think I might mean ‘just desserts’.
Technorati Tags: language, google
23 Jan 2006 10:24 pm
Impro – Aussie icons
It’s almost time for another impro show. This one will be under the theme ‘Aussie Icons’, which means I have to come up with some sort of costume before 7pm Sunday (I’m thinking either sport-related or getting three other people to join me as The Wiggles).
We’ll be in ‘The Studio’ in the Street Theatre this month, which only seats about 80 people, so be sure to get there early if you want a good seat (Unfortunately there’s some complicated set on the main stage which we can’t really work around).
Anyway, it should be a fun show with random teams and lots of Australian gags, so I’d encourage everyone to come along.
Technorati Tags: Canberra, Impro, Theatre, Australia
Apparently Microsoft can get away with anything
It seems I’m not the only one who thinks that Roz Ho, Manager of Microsoft’s Mac Business Unit, should not be allowed on stage. The sad thing is that behind the pathetic jokes and general uncomfortableness, she had a few interesting things to say.
If you’re a mediocre public speaker, the last thing you should be doing is walking on stage after one of the best, and trying to be funny. Keep it simple, present the messages you want the audience to remember, and leave. You’re not going to be the highlight of the show, but then, a Microsoft rep is never going to be the highlight of Macworld anyway.
It is strange to contrast Roz Ho’s performance with this story from Mike Evangelist who tells of how hard Steve Jobs usually pushes guest presenters. I guess Microsoft has enough clout that they can get away with it.
Technorati Tags: Macworld, Microsoft, Public speaking, Steve Jobs
16 Jan 2006 05:59 pm
Diana Anaid’s real name
15 Jan 2006 04:11 pm
Bram Cohen came up with a very cool Schrödinger’s cat like quantum mechanics thought experiment the other day involving a quantum dualist shooting himself at twenty paces.
Sadly, back when I studied quantum mechanics it was all differential equations and very few thought experiments. I guess that is what you should expect in a real science class and I probably would have been happier moonlighting in philosophy except that they always seemed to have so much reading to do. Still, at least I can claim that once upon a time I actually understood all this stuff.
Technorati Tags: Quantum mechanics, Science, Mathematics, Schrödinger, Thought experiment
14 Jan 2006 08:22 pm
Why the iTunes mini store is unusable – and it’s not privacy
I actually went through and backed everything on my Mac up yesterday so I could install the latest batch of Apple updates. Silly though it may be, I was actually quite keen to try the iTunes mini store. There seems to have been quite a lot of stress over the privacy aspects lately, but I guess I’m just not overly stressed about it.
What does bother me, however, is that it’s apparently completely unusable.
That error dialog is modal (i.e. it won’t let me do anything until I dismiss it), and came up as a result of double clicking to start a song. Thankfully it doesn’t come up if a problem song plays automatically (i.e. as the next song in the playlist), but the problem does seem to be consistently caused by all songs with the same artist. Oh, and for those who are wondering, no, it doesn’t come up if the mini store is closed.
Now maybe this is a somewhat Australia-specific problem, given that our store is still quite new and still gives these error messages in normal usage occasionally. But even if it only occurred one time in a thousand, it’s totally unacceptable for an action like playing a song to bring up some modal dialog which is, at best, peripherally related to the action. There’s a really obvious place for this error message to go in this case – into the mini store pane, which is what I hope to see happening in the next update.
I guess in the end, this reinforces the point some of the privacy guys have been making. You don’t expect playing a song in iTunes to have anything to do with the network, let alone give you back some sort of server error.
Anyway, that’s my rant for today. I’ll be turning it off and forgetting about it now.
Technorati Tags: mac, itunes, macworld, mini store, itms, ui, design, music, privacy
Sitemaps and navigational search
There’s an interesting comment on Jared Spool’s Site Maps and Site Indexes, Revisited (a follow up to What about Site Maps and Site Indexes?) that site maps might help search engines ‘easily spider your site’. While I agree that site maps might make a good seed/starting point for a search engine, I don’t quite see how any crawling engine is going to be taken seriously if it can’t cope with a sitemap-less site. Getting a good starting point can be useful in a multi-domain crawl assuming you only want one connection per domain at a time, because it allows you to get up to the maximum number of threads quickly, but this isn’t usually an issue with individual sites.
That said, I find sitemaps very useful for a search engine related reason. Sitemaps very often reflect the expected navigational search queries, so they provide a good set of test data if you want to evaluate your search engine’s performance on navigational queries. We do this sort of analysis quite often as part of customer demonstrations. Grab the search results for each of the sitemap link names, and see where the page linked in the sitemap comes up, then compare the results between search engines.
Of course, navigational queries aren’t the only aspect of a search engine to consider, and this is unlikely to justify maintaining a sitemap for your site, but I for one will be disappointed if they lose popularity.
(And for reference, no, I wouldn’t often use a sitemap myself. I have occasionally resorted to them when looking for something I’m sure should exist after basic navigation and search have failed, but thankfully that’s not too often)
Technorati Tags: Search, Web design, UI, Sitemap