IPs ban on Linux

Posted on January 26, 2015 by gawen

Who needs a quick ban?

Today we had a bruteforce attack on our nginx server. Well cannot say he was anywhere near successful though, the guy did POST /wp-login.php several times per second and all he got as an answer was 404. Fat chance…

But still, he had our access logs growing far larger than they usually do. So I tried to ban him. Unfortunately nginx does not use TCP wrappers by default (you can use ngx_tcpwrappers although it will have to be rebuilt from source).

So I made a little script, called ban-hammer to temporarily ban IPs using IPTables. There is also a cron.daily script to unban IPs each day. The script requires rpnc, but it is easy to adapt without it.

These scripts add and remove the IPs into a special IPT chain (which you can configure in the script). So you also have to configure your firewall to jump to the two chains and load banned IPs on boot:

echo "Bans"

load_bans() {
  ban_table=$1
  ban_chain=$2
  iptables=$3

  $iptables -N $ban_chain

  while read ban
  do
    ip=$(echo "$ban" | cut -d'=' -f 1)
    $iptables -A $ban_chain -s "$ip" -j DROP
  done < "$ban_table"

  $iptables -A INPUT -j $ban_chain
}

load_bans /etc/firewall/ip4.ban IP4BAN iptables
load_bans /etc/firewall/ip6.ban IP6BAN ip6tables

FP comparison in Shell

Posted on January 6, 2015 by gawen

People tend to not like Shell. But I do!
Here is a simple example, try this floating point comparison:

$ [ 0.1 -gt 0.01 ]
[: 0.1: bad number

The shell itself cannot use float.
But there are multiple workarounds. Here is the one I prefer:

if rpnc "$a" "$b" - | grep "^-" > /dev/null
then
  echo "a < b"
fi

Although you may not have the rpnc command, so here is another one:

if [ $(echo "$a < $b" | bc) -eq 1 ]
then
  echo "a < b"
fi

ISP y u no DNSSEC?

Posted on December 15, 2014 by gawen

Unbound is a secure, lightweight and high performance validating, recursive, and caching DNS resolver. It performs DNSSEC validation and it is also really easy to configure. Although it cannot act as a full fledged authoritative server, you may take a look at NSD, which is, on the contrary, authoritative only. For a nice tutorial about unbound configuration, see this post.

Today I discovered local_unbound on FreeBSD. This script generates a configuration suitable for running unbound as a forwarding resolver. It also uses resolveconf to update the list of forwarders. This means that it is automatically configured with the name servers provided by the DHCP offer.

By default, unbound is configured to withheld the reply from the client when the validation fails. Unfortunately most of the name servers provided by home routers and ISPs do not support DNSSEC. Even worse, some ISPs redirect all queries to their own name servers which of course do not support DNSSEC either. You can check if it is the case with this command:

dig @8.8.8.8 +short test.dnssec-or-not.net TXT

As Google public DNS support DNSSEC. If it does not show you anything, it is OK. If instead it says something like: “Nope! DO bit not set in your query” then your query has been forwarded to a server which is not DNSSEC capable.

Because of this, you often end up with a nice caching forwarding resolver which does not seem to resolve anything (at least on the client side) because of bogus validations.

You have two solutions to overcome this. First you can force your forwarders to DNSSEC capable servers such as Google public DNS (8.8.8.8 / 8.8.4.4). However, as mentioned above this does not work when your ISP redirect all queries to its own server. The second solution is to configure unbound into permissive mode (/etc/unbound/unbound.conf):

server:
    (...)
    val-permissive-mode: yes

In that case, replies to queries that did not pass validation are not longer withheld from the client but the Authenticated Data bit is not set in the reply.

Today’s movie: Interstellar

Posted on November 30, 2014 by gawen

We start this new series with Interstellar by Christopher Nolan. I did not expect to watch this movie. Actually you must know that I was somewhat apprehensive. To me this movie was a direct inspiration from The Songs of Distant Earth by Arthur C. Clarke. This book stirred me so hard. To the point it has partly shaped my vision of life, and of the place we have here. I felt that no movie could ever render this. And I (deeply) feared to see one of my favorite science fiction novel trampled on by yet another gargantuan sf blockbuster overflowing with CGI in every possible direction with a bunch of heroes saving the world (again) because you know that’s just what heroes are for anyway.

Well I must admit, this is what I just saw, yet I was agreeably surprised. And the emotional impact that built all along the movie far outreached my expectations. I found myself multiple times begging for the storyline not to slip into one direction or another, because I felt that all this tension would deflate grotesquely like a dismaying soufflé, only to find minutes later that it was still ok.

The movie itself is not without fails. It is extremely ambitious. And as someone would naturally expect, it misses the point from time to time. It sometimes drew itself too far into the drama to the point that the story was loosing its legitimacy. Some scenes deserved to be more explored, and the fast paced rhythm contrasted too much with the heavy atmosphere of interstellar travel through the vastness and solitude of space combined to the ultimate hope of humanity that the movie tried to convey. These two themes go very well together. But they must be treated with due respect and certainly not as a way to blow up things and acting as a show-off.

Best acting goes for Anne Hathaway (Brand). On the other hand Cooper, Matthew McConaughey’s personnage, sometimes lacks conviction that would benefit to some key parts of the movie. Dialogues are somewhat clunky, and that certainly didn’t help. There are multiple unassuming nods to other sf movies. 2001 being one of them though both movies are still far apart. I was also pleased to see another nod to Arthur C. Clarke, The Garden of Rama.

In conclusion, my impression is that this movie could have been something awfully good. But it is not bad either. I’d even go to say that it is good up to very good.

Popularity

Quote

Posted on November 27, 2014 by gawen

Being overwhelmingly popular is not a pledge of quality
but rather a clue of commonness.

New series: Today’s movie

Posted on November 26, 2014 by gawen

In a preceding article (ChangeLog), I said that I might post more on different subjects than what I usually post. So as part of this perpetual opening initiative, I will soon start a new series called “Today’s movie“. In which I tell you about a movie I am about to watch, what I thought of it (for what it’s worth), why you should drop everything you are doing right now to see it, or not.

You may like this, or not.
And you may also flame in the comments if you don’t agree.
Well I hope you’ll like it though.

As for me it will be an opportunity to revisit movies I didn’t see in a while.

We are back

Status

We have had a outage of nearly an entire day on our VPS today. According to the stated SLA of 99.98% we can rest assured for some time now 😉

Configure audio devices on VirtualBox

Posted on November 13, 2014 by gawen

I recently installed a new Debian guest on a FreeBSD host with VirtualBox. On this VM I need to be able to play/record sound from my laptop (Skype). To do so I configure the guest with an Intel HDA soundcard using the OSS audio driver. However I want to use the internal mic (/dev/dsp1.0) which is different than the default unit (/dev/dsp). So I had basically two options. Either I could record my voice but could not hear anything or I could hear everything but could not record my voice.

But there is a solution! I digged in the VirtualBox source code, and there are actually some options for the OSS driver (and other audio drivers as well). The two options of interests are:

DACDev: Path to the DAC (output/playback) device.
ADCDev: Path to the ADC (input/record) device.

You can use VBoxManage to configure these options. Assuming that the name of the VM is MyVM with an Intel HDA card and the OSS driver, use this command:

$ VBoxManage setextradata MyVM "VBoxInternal/Devices/hda/0/LUN#0/Config/Audio/OSS/ADCDev" /dev/dsp1.0

You can also directly edit the vbox file for this VM:

MyVM.vbox:

<ExtraData>
  ...
  <ExtraDataItem name="VBoxInternal/Devices/hda/0/LUN#0/Config/Audio/OSS/ADCDev" value="/dev/dsp1.0"/>
</ExtraData>

Note if when starting the VM you receive the message The attached driver configuration is missing the 'Driver' attribute (VERR_PDM_CFG_MISSING_DRIVER_NAME). This is probably because the sound device you selected for this VM is not the same as specified in the extra data. The above example is for Intel HD Audio (hda). If you need ICH AC97, replace hda by ichac97 in the example above.

FreeBSD suspend and ttys.

Posted on November 5, 2014 by gawen

I use FreeBSD 11-CURRENT on a Thinkpad X201 laptop. I said in a preceding post (Hello FreeBSD!) that although the Intel KMS driver works, I did not have access to the ttys and also that suspend and resume did not work.

This is no longer the case! I rebuiIt world two days ago (r274088) and I now have access to the ttys, and suspend/resume also works without any apparent problem (thanks to KMS/VT (NewCons) I guess). FreeBSD 11 is going to be great!

Gawen's blog

Enjoy life, one bit at a time.