On this page
| 8 May 2005 | Name That CMS! |
| 9 May 2005 | New Server |
| 18 May 2005 | SBLD - The SSH Blacklist Daemon |
| 26 June 2005 | XSLT Tag Attributes |
| 8 August 2005 | Stage 1 |
| 11 August 2005 | RSS Support |
| 24 August 2005 | New Ragnar Functions |
| 31 August 2005 | SBLD Statistics |
| 5 October 2005 | Fun with ALSA |
| 8 October 2005 | Thank you! |
| 15 October 2005 | Ah, College. |
| 20 October 2005 | OpenOffice.org 2.0 and GTK |
| 31 October 2005 | Halloween |
| 1 November 2005 | All Hallow's Eve |
| 7 November 2005 | Cara's Defense |
| 9 November 2005 | Validation |
Name That CMS!
I'm re-writing my blog engine from scratch, and the project needs a name. Would anyone like to suggest one?
New Server
New server is up. It's on a much faster line, and is a little more powerful than the alt154.org server. Please update your links and bookmarks accordingly.
Progress
- Replace faulty fans/disks... Done
- OS Install... Done
- Network Setup... Done
- DNS registration... Done
- Web site files... Done
- Engine ported... Done
- Apache2... Done
- Postfix... Done
- Procmail... Done
- MUAs... Done
- IMAP... Done
- Firewall... Done
- Apache statistics and logs... Done
- Penetration testing... Done
- Service hardening... Done
- HTTPS server... Done
- Anti-spam... Done
- SMTP Relay lockdown... Done
- System hardening... Done
- Automatic security updates... Done
- SASL... Done
My new e-mail address is aphyr@aphyr.com
SBLD - The SSH Blacklist Daemon
If you run a server with SSHD exposed to the internet, chances are that server is being scanned for common username and password combinations. These often appear in the authorization log (/var/log/auth.log) as entries like:
Jun 12 13:33:57 localhost sshd[18900]: Illegal user admin from 219.254.25.100
Jun 12 13:37:17 localhost sshd[18904]: Illegal user admin from 219.254.25.100
Jun 12 13:37:20 localhost sshd[18906]: Illegal user test from 219.254.25.100
Jun 12 13:37:22 localhost sshd[18908]: Illegal user guest from 219.254.25.100
Extend that for several hundred lines, and you'll have an idea of what one scan looks like.
Being somewhat opposed to the idea of people clogging my logs with useless information, I wrote a small Perl script to detect these entries in the log file and block the offending source address using iptables. It detects scans within a matter of seconds, and blocks the IP quickly to stop the attack. Blocks are only enabled for a short time--as little as 30 seconds is enough to discourage most automated scanners. SBLD limits the number of simultaneous bans to reduce iptables load and its own resource usage, and gradually decreases the alert level for hosts when no attack is taking place.
With SBLD, the scan is quickly detected and ended.
Jun 17 13:31:58 localhost sshd[3314]: Illegal user test from 209.76.72.12
Jun 17 13:31:59 localhost sshd[3316]: Illegal user test from 209.76.72.12
Jun 17 13:32:00 localhost sshd[3322]: Illegal user tester from 209.76.72.12
Jun 17 13:32:00 localhost sbld[3326]: Blocked 209.76.72.12
Jun 17 13:32:30 localhost sbld[3326]: Unblocked 209.76.72.12
The detection method itself is a simple regex applied to the log file, so it should be fairly easy to extend the daemon to block other kinds of attacks.
SBLD is still under development, but I'd like to encourage people to try it out and/or offer improvements. I make no guarantees as to the performance, safety, or security of this software. Contact me with feedback.
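The detection and ban logic described above, written out as an added Python example (this is not SBLD's own Perl code): a regex picks the source address out of "Illegal user" lines, each source carries an alert level that decays while it is quiet, and a ban is placed for a short window and capped in number. The year, thresholds and the 30-second ban are assumptions for the example; the iptables calls are left as comments.

```python
import re
from datetime import datetime

# Matches the sshd lines quoted in the post: timestamp is group 1, source address group 3.
ILLEGAL_USER = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Illegal user (\S+) from (\S+)")

class Blacklist:
    def __init__(self, threshold=3, ban_seconds=30, max_bans=16, decay_seconds=60):
        self.threshold, self.ban_seconds = threshold, ban_seconds
        self.max_bans, self.decay_seconds = max_bans, decay_seconds
        self.score = {}    # ip -> (alert level, time of last hit)
        self.banned = {}   # ip -> time the ban expires
        self.events = []   # (time, "Blocked" | "Unblocked", ip), as sbld logs them

    def _expire(self, now):
        # Lift bans whose time is up; a real daemon would delete the iptables rule here.
        for ip in [ip for ip, until in self.banned.items() if until <= now]:
            del self.banned[ip]
            self.events.append((now, "Unblocked", ip))

    def observe(self, line, year=2005):
        """Feed one syslog line; returns ("Blocked", ip) if it triggered a ban."""
        m = ILLEGAL_USER.match(line)
        if not m:
            return None
        # syslog timestamps carry no year, so one is assumed for the example.
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").timestamp()
        ip = m.group(3)
        self._expire(now)
        level, last = self.score.get(ip, (0, now))
        # The alert level drops by one per quiet decay window before this hit is counted.
        level = max(0, level - int((now - last) // self.decay_seconds)) + 1
        self.score[ip] = (level, now)
        if (level >= self.threshold and ip not in self.banned
                and len(self.banned) < self.max_bans):   # cap keeps the iptables chain small
            self.banned[ip] = now + self.ban_seconds     # iptables -I INPUT -s <ip> -j DROP
            self.events.append((now, "Blocked", ip))
            return ("Blocked", ip)
        return None

    def feed(self, text):
        """Run a log excerpt through observe() and return the block/unblock events in order."""
        for line in text.splitlines():
            self.observe(line)
        return [(kind, ip) for _, kind, ip in self.events]

# Constructed excerpt modelled on the lines quoted in the post (the fourth line is normal traffic).
SAMPLE_LOG = """\
Jun 17 13:31:58 localhost sshd[3314]: Illegal user test from 209.76.72.12
Jun 17 13:31:59 localhost sshd[3316]: Illegal user test from 209.76.72.12
Jun 17 13:32:00 localhost sshd[3322]: Illegal user tester from 209.76.72.12
Jun 17 13:32:05 localhost sshd[3330]: Accepted publickey for aphyr from 10.0.0.5 port 40000 ssh2
Jun 17 13:32:35 localhost sshd[3340]: Illegal user admin from 219.254.25.100
"""
```

Running `Blacklist().feed(SAMPLE_LOG)` reproduces the Blocked/Unblocked pair from the post; the unblock fires when the next line arrives after the 30-second window has passed.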
Files
XSLT Tag Attributes
Wonko just pointed out to me an incredibly easy way of including XPath expressions inside your XSLT templates, especially within tags that need to have dynamic content like images and links. The best method I've been able to come up with prior to this point is to add a custom attribute to the tag, like so:
<a>
  <xsl:attribute name="href">
    <xsl:value-of select="link_edit" />
  </xsl:attribute>
  Edit
</a>
But there's a much easier way to do it, if you don't mind sacrificing some structure for readability. Just include the XPath expression for the value you want to include in braces, like this:
<a href="{link_edit}">Edit</a>
Doing it this way has cut hundreds of lines from my XSLT templates, making them much easier to maintain and read.
Stage 1
I've finished the codebase for Ragnar, my new content management system. Things may be a little hectic around here while I fix bugs and add new functionality, but it should work out in the end. In the meantime, try out the new threaded comment system, and send me bug reports or suggestions for features.
RSS Support
I've added RSS support to Ragnar. RSS 2.0 feed.
New Ragnar Functions
Work on Ragnar continues, but mostly behind the scenes. I've written a simple node management tool to edit their properties, a friendly interface for deleting nodes, and a node addition page generated from the defined data taipus. Doing this entailed a redesign of the CGI parser, so things feel a bit cleaner now. Finally, an XML export mode is the result of a more flexible output function--this makes designing templates much easier, and lets other programs access Ragnar data without scraping.
Adding text content is now much easier. The filter understands both plain text conventions and html formatting, but strips disallowed tags and attributes through HTML::Scrubber. This behavior is fully configurable, and works well for small comments and large bodies of text alike.
Currently I'm working on file uploads and a better way to define data taipus in the first place. Uploads need to be detected, matched to fields, stored, and a URL written to the database field to match--not an easy task with multipart encoding. Modification of the MySQL tables directly seems to be the best option, as the config file is straight SQL already.
Other interesting ideas orbiting my brain:
- Synchronizing metadata for JPEG photographs with their EXIF headers.
- Auto-detected field taipus for editing nodes.
- More flexible methods for parenting nodes, like attaching a screenshot to a blog entry.
- Automatic expansion of sub-comments when desired.
- Image scaling that actually fits the user's browser.
I hope everyone is having an enjoyable summer!
SBLD Statistics
I wrote a quick script to analyze the logs generated by SBLD. You can pull them out of syslog, or (as I'm doing), have your log checker aggregate SBLD events for you. I'm making the statistics for my site available here, as a resource for others.
Fun with ALSA
I just realized that aside from simple copies, the ALSA route_policy duplicate will mix to arbitrary numbers of output channels AND that such a device can use a Dmix PCM device as its slave. This means that it's possible to take 2 channel CD audio and have it mixed to 5.1 channel surround, and still let other applications use the sound card. This makes XMMS very happy.
On the other hand, my onboard i810 sound card reverses the surround and center channels, and it does some funky mixing on the center channel for the subwoofer, which sounds really messed up when played on the rear speakers. I haven't figured out how to compensate for this yet.
A useful ALSA FAQ can be found here: http://alsa.opensrc.org/faq/.
Thank you!
After a harrowing day of homework and Assassins, Pechous and I stopped by the mailboxes. I'm used to not getting much mail, but I was expecting a book for my physics class. To my astonishment and surprise, my mailbox door was ajar--and a bouquet of colorful flowers was sprouting from its brass frame! I took them home, converted a CD spindle into an impromptu vase, and placed this unexpectedly joyful gift on my desk. It brings some much appreciated color to my space.
Thank you so much, mysterious giver of floral festivity. This makes me very happy. :-)
Ah, College.
It's a crisp autumn morning, the trees are alight with midwestern color, and cool sunlight defines sharp shadows on the pavement, grass, and leaves. I'm making my way down to the dining hall for lunch, and observing the trajectories of warmly bundled students flowing towards the chapel for convocation. Suddenly I realize that the half-familiar melody chiming across campus is not the bell tower's usual sonorous intonation, but the Hogwarts theme from Harry Potter.
I love this place.
OpenOffice.org 2.0 and GTK
I run Fluxbox as my primary window manager, and use gnome-settings-daemon to keep gnome apps happy and GTK-informed. Thus far, all has gone well. However, OpenOffice.org does something very funky to determine whether one is using KDE or GTK, finds neither on my system, and drops back to the horribly ugly interface of 1997.
I haven't figured out how to fix this yet, but running gnome-session sets up something which convinces OpenOffice to use the GTK theme. It doesn't appear to be an environment variable, because I can set my environment identically under gnome and fluxbox, with no difference in OO behavior. My guess is there's some sort of socket or temporary file set by gnome-session, but it's all a mystery and the source is obfuscated. If anyone knows of a way to force OpenOffice 2.0 to use GTK, I'd be interested to hear about it.
Halloween
Yarr, Halloween is here. Pechous shaved and dyed his hair, which makes him a completely different person bearing an uncanny resemblance to himself. There are gorillas walking into the dining hall and sitting down with trays full of bananas--whether for Halloween or sociology, I can't tell. As for myself, well, it's my goal to find materials to become a Mr. Hand. This may or may not be feasible.
Also: SLEEP NOW!
All Hallow's Eve
After sneaking through a temporally claustrophobic schedule punctuated by moments of enjoyment viz. retroactive Russel recovery and crowbar defense 101, I managed to assemble a costume and enjoy a happy Halloween. In keeping with Nick, Max, Russell, and the two Rachels' theme of Fight Club, I was an evil minion. It's somewhat anticlimactic when your everyday clothing is suitable for bringing about the downfall of civilization, but it fit the part well.
Visited the haunted Evans and Nourse, which was amazing. The volunteers put an incredible amount of work (and ketchup) into converting the dorms, and it really paid off well. The image that sticks in my head afterwards isn't the zombies, knives, or blood stains, but the old tunnels covered in graffiti. Poems, drawings, satanic inscriptions and promises to loved ones, marks of furtive exploration and drunken success, logos of sports teams emblazoned in white and blue spray paint, paintings from "Where the Wild Things Are", lyrics of songs and fragments of descriptive prose, all carefully preserved within a musty corridor, unobserved beneath the feet of passers-by. One could spend hours simply reading and exploring these endlessly annotated passageways. It's something no photograph can capture, though I wish it were possible to do so.
Maybe some day I'll have the opportunity to return.
Cara's Defense
My introduction to Cara Chomski went something like this:
"Cara? She's frighteningly competent."
"At what? Classwork, sports, discussion..."
"Yes."
Two weeks later, I was assigned an enforcement contract for Assassins: track down and terminate one Cara Chomski, an assassin who had been inactive for 72 hours. Wearing my trenchcoat and borrowed sunglasses, I located her room, found out she was practicing below the concert hall, and made my way to practice room 30. I'd never really been to the practice rooms before, and didn't realize that they had not one, but two doors. I knocked on one, waited, and spun around as Cara opened the second. Sprinted for the other door, but she slammed it closed and locked it. Defeated, I headed off to do some work.
An hour later I returned, armed with a cardboard sword in place of the knife. Heard her practicing the piano inside, waited until the song was finished, and slammed open the door. She sprung to her feet as I swung for her stomach, but she parried with her sheet music and produced a coat hanger from nowhere. I backed her into a corner, but she parried all of my blows. Just as I was about to make the final strike, she dodged in and stabbed me. With the coat hanger.
My hat is off to you, Cara, for defeating an enforcer with an improvised defensive mechanism (sheet music), and a plastic coat hanger. Frighteningly competent indeed. :-D
Validation
Someone caused an interesting bug this morning: the input validation function doesn't check for weird character encodings (Hello, Korea...), which can be parsed and stored correctly but gunk up the XSLT processor. I've modified the node addition system to perform rigorous sanity checks on all incoming data. This has the added benefit of ensuring that your content is valid XML, so mistakes like tags which are closed out of order will be detected.
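An added Python example of the kind of sanity check described above (not Ragnar's own code, which is Perl): submitted bytes must decode as strict UTF-8, must not contain characters XML 1.0 forbids, and must parse as a well-formed fragment, so mis-nested tags and stray encodings are rejected before anything reaches the XSLT processor. The sample submissions are constructed; the wrapper element name is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 forbids these even when they are valid UTF-8: C0 controls other than tab/LF/CR, and U+FFFE/U+FFFF.
XML_ILLEGAL = re.compile("[\x00-\x08\x0b\x0c\x0e-\x1f\ufffe\uffff]")

def validate_node_text(raw: bytes) -> str:
    """Return the submitted content as text if it passes every check, else raise ValueError."""
    try:
        # Strict decoding rejects EUC-KR, Latin-1 and other non-UTF-8 byte sequences outright.
        text = raw.decode("utf-8")
    except UnicodeDecodeError as e:
        raise ValueError(f"not valid UTF-8 at byte {e.start}") from e
    if XML_ILLEGAL.search(text):
        raise ValueError("control character not allowed in XML 1.0")
    try:
        # Wrap in a dummy root so a fragment with several top-level tags still parses; a
        # submission that closes the wrapper early produces two roots and is rejected too.
        ET.fromstring(f"<node>{text}</node>")
    except ET.ParseError as e:
        raise ValueError(f"not well-formed XML: {e}") from e
    return text

def check(raw: bytes):
    """Convenience wrapper returning (accepted, text or reason for rejection)."""
    try:
        return True, validate_node_text(raw)
    except ValueError as e:
        return False, str(e)

# Constructed submissions; the Korean text is encoded two ways to exercise the encoding check.
SAMPLES = {
    "plain": b"<p>Hello, <b>world</b></p>",
    "korean_utf8": "<p>안녕하세요</p>".encode("utf-8"),
    "korean_euckr": "<p>안녕하세요</p>".encode("euc-kr"),
    "misnested": b"<b><i>oops</b></i>",
    "control": b"<p>bad\x01byte</p>",
    "bare_ampersand": b"<p>Tom & Jerry</p>",
}
```

Only the first two samples pass; the EUC-KR bytes fail at the first non-ASCII byte, and the mis-nested and bare-ampersand cases are caught by the well-formedness parse rather than by the encoding check.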