Claudio Santambrogio

Running a machine with an open ssh port will lead, sooner or later, to annoying log entries in your system log:

sshd[24592]: Invalid user pi from x.x.x.x
sshd[24598]: Invalid user wf from x.x.x.x
sshd[24600]: Invalid user fj from x.x.x.x

or possibly even

sshd[53704]: Failed password for user from x.x.x.x port z ssh2

They rarely pose a serious threat if you are running with good enough passwords - and this is a reminder to all to please use strong passwords. But the risk for successful attacks is still present (I never feel too confortable when reading the logs of intrusion attempts), and furthermore these attempts awfully clutter your system log.

So I set off looking for various ways of avoiding brute force hammering - and found a quite neat solution in sshdfilter, a wrapper to run sshd and create iptables rules on the fly to throttle access to the ssh port.

A first measure to already lower the chances of brute force login attemtps is to simply run the ssh service on a higher port than 22 - it certainly does not help when a full portscan is made, but, as simple as it sounds, it already avoids those idiots running blind attempts on port 22 across the net. You might also consider not allowing remote root login, and allow ssh access only to a restricted number of users - make sure to have the following two lines in your /etc/ssh/sshd_config:

PermitRootLogin no
AllowUsers user

Next I set up sshdfilter and restarted sshd via sshdfilter: any login attempt with an invalid username will be immediately banned and failed passwords for valid users are treated the same way.

Update 1

Thomas, with whom I had been talking about throttling ssh brute force attacks, has posted his solution to the problem - nice and elegant!

No comments

from hell with love

Tuesday, February 21, 2006 11:06:14 PM

plan9

Just a few notes to register my experiments, in order to remember, later, how I did stuff… and maybe useful for somebody who wants to go through the steps himself.

Got around to expriment a bit with Inferno, a Plan 9 based compact operating system designed for building distributed and networked systems.

Installation instructions are pretty straightforward. I did this on two machines of my local net (installing to userspace), then proceded to boot the systems up and get them to talk to each other. One of them functions as key and file server, the other one is the client. The online installation documentation [PDF] is very detailed.

Setting up the server

As a start, take care to edit the network setup file. I have installed Inferno in userspace to /home/csant/inferno - this file is the inferno_root. Open the file inferno_root/lib/ndb/local and in the section infernosite= edit SIGNER and FILESERVER to point to your local machine, say

SIGNER=10.0.0.5
FILESERVER=10.0.0.5

The file inferno_root/lib/ndb/inferno will also tell you which ports the system will need - if you run a firewall, it might be a good idea to make sure now that the other machine will be able to use these ports through your firewall, to avoid some grief later.

You'll now start the system that will function as server with the command line emu -r/home/csant/inferno, which tells it where to find its root. Next you are at the prompt.

I will not get into details on the shell, but lead you through the setup, providing commands you'll have to enter, and shell output.

First we set up the correct time:

; cp /locale/CET /locale/timezone

You can check out your initial namespace:

; ns
bind / /
bind -ac '#U' /
bind /dev /dev
bind -b '#c' /dev
bind '#p' /prog
bind '#d' /fd
bind /net /net
bind -a '#I' /net
bind -a /dev /dev
bind -a /net /net
bind /net.alt /net.alt
bind -a /net.alt /net.alt
bind -c '#e' /env
cd /

Now prepare a clean file of secrets:

; cp /dev/null /keydb/keys; chmod 600 /keydb/keys

and create a new entry for your network signer (either a fully qualified domain name, or an individual):

; auth/createsignerkey csant

Next start the authentication network services:

; svc/auth
Key: 
Confirm key:

The command ps should tell you if they are running:

; ps
       1        1      csant    0:00.0    release    73K Sh[$Sys]
      14       13      csant    0:00.0        alt    17K Cs
      18       17      csant    0:00.0       recv    25K Keyfs
      19       17      csant    0:00.0    release    47K Styx[$Sys]
      20       17      csant    0:00.0       recv    25K Keyfs
      22        1      csant    0:00.0        alt     9K Listen
      24        1      csant    0:00.0    release     9K Listen[$Sys]
      26        1      csant    0:00.0        alt     9K Listen
      28        1      csant    0:00.0    release     9K Listen[$Sys]
      30        1      csant    0:00.0        alt     9K Listen
      32        1      csant    0:00.0    release     9K Listen[$Sys]
      34        1      csant    0:00.0        alt     9K Listen
      36        1      csant    0:00.0    release     9K Listen[$Sys]
      37        1      csant    0:00.0      ready    73K Ps[$Sys]

Next create the users that will be allowed to authenticate with the signer:

; auth/changelogin csant
new account
secret: 
confirm: 
expires [DDMMYYYY/permanent, return = 21022007]: 
change written

and we need to generate a server key set - we'll obtain a certificate and save it in a file named default:

; getauthinfo default
use signer [$SIGNER]: localhost
remote user name [csant]: csant
password: 
listen: got connection on tcp!*!inflogin from 127.0.0.1!22226
save in file [yes]: yes

Our server is now up and running - time to get the client configured.

Setting up the client

The client is much less complicated to set up - he will get all information from the server. We'll edit the network setting file inferno_root/lib/ndb/local and enter the same values as for the server - yes, because the server will be 10.0.0.5. We assume the inferno_root is the same as above, just on another machine.

First start inferno on the client (in our case on 10.0.0.6) with the same command emu -r/home/csant/inferno.

Start your network and the connection server:

; ndb/cs

and get a certificate from the server:

; getauthinfo tcp!10.0.0.5
use signer [$SIGNER]: 10.0.0.5
remote user name [csant]: csant
password:
save in file [yes]: yes

We are authenticated - time to mount the remote machine and resources:

; mount 10.0.0.5 /n/remote

and you are ready for using your new distributed network operating system.

Disclaimer: did I ever say this was useful for something?

No comments

plan 9 from outer space…

Sunday, February 19, 2006 5:57:50 PM

linux, plan9, kernel

…to your Linux box.

v9fs, the 9P file system support for Unix/Linux/*BSD, has entered the main Linux kernel tree as per version 2.6.13. 9P is the resource sharing protocol developed originally for Plan 9. It presents a unified distributed resource sharing protocol that will be able to distribute devices, file systems, system services, and application interfaces. It was revised for the 4th edition of Plan 9 under the name 9P2000.

The operating system Inferno is based on Plan 9, but both the original and the derivative product do not have a broad audience. Implementing the underlaying key concept on other UNIXes seems to be a very promising project, though, and likely to meet a much broader audience.

Setting it up on my Linux box was not too difficult. Here a little HowTo.

Setting it up

Step 1: enabling the client in the kernel

Grab a recent kernel source - I myself used a vanilla 2.6.15.4;
Enable CONFIG_9P_FS=m in the kernel .config file - unless you don't want it built as a module and need it directly in the kernel;
make and install your kernel as usual;
load your new module with `modprobe 9p2000`.

Step 2: installing the server

Download the UNIX 9P server, aka u9fs - there is ongoing work to implement the server into the kernel module as well;
make the server, and then
copy the binary executable to /usr/sbin/u9fs; you might also want to copy the file u9fs.8 in your source code directory to /usr/share/man/man8/ and read `man u9fs`;

one way to start the server is via xinetd - add the following to a new /etc/xinetd.d/u9fs file:

service u9fs
{
     disable         = no
     socket_type     = stream
     wait            = no
     user            = root
     group           = root
     protocol        = tcp
     port            = 564
     server          = /usr/sbin/u9fs
     server_args     = -m 65560
}

and the follwing to your /etc/services:
```
u9fs     564/tcp       9fs  # Plan 9 fs
```
there are three ways for authentication, none, the default rhosts and p9any; use rhosts only on very safe and controlled networks; none obviously turns off authentication altogether. Personally, I have not yet managed to get p9any working - so I have, for the time being (my network is safe), added the hosts of my internal network to /etc/hosts.equiv;
now `/etc/init.d/xinetd restart`.

Step 3: get it going!

`mkdir /mnt/9`
`mount -t 9P 10.0.0.1 /mnt/9` - make sure you replace the IP address with your own address; a warning: do not use a hostname, but a numeric IP address, the DNS lookup has been biased to work with NFS, but not with other distributed filesystems.
`ls /mnt/9/`

There are other ways to start the server and mount the filesystem in userspace only, but this is still new ground to me. At the moment the security model is still rudimentary - a safer alternative is to tunnel through ssh and call your own instance of the u9fs.

This is all not very exciting as long as the machine with the server is the same the client is running on - but becomes far more interesting when you mount remote machines. Currently I have only been able to access the filesystem, and this only in read mode, but as far as I have understood accessing devices and process resources shouldn't be too far off. And at that point 9P will be unleashed to its full potential.

What is the big deal about it?

Quoting from the main paper [PDF] :

9P2000 support provides a nice alternative to NFS for distributing static files. It can be configured in such a way that users can export and mount their own file system resources. Its synchronous mode of operation and optional caching make it ideal for situations where the cache models and delayed writes of other file systems cause problems. Many utilities, such as CVS and various e-mail servers, discourage the use of NFS repositories due to concerns with data corruption resulting from bad cache behavior and lack of transaction semantics.

However, as mentioned several times before - distributed file service is not the only benefit of 9P2000. It can be used to share networking stacks and block and character devices between members of a 9P2000 cluster. It can be used to manipulate Linux synthetic file systems, such as /proc and /sys providing distributed control and management. It also can be used as an infrastructure to implement distributed applications.

Userspace applications

Unfortunately there are not many applications in userspace yet - the main collection being Russ Cox's Plan 9 from User Space, aka plan9port or p9p, a port of many Plan 9 programs from their native Plan 9 environment to Unix-like operating systems. My somewhat biased perspective cannot but smile when reading the `man web` page - a sample quotation:

web, wmail - handle web page, mail message for plumber

[…]

The supported browsers are Opera, Mozilla Firefox, Mozilla Firebird, and Mozilla.

wmii is a very interesting dynamic window manager based on 9P.

Plan 9 and 9P is a new universe to me; it might be worth exploring it more, and following development of the v9fs. Once we get so far as to really share resources on Linux as well, a huge step forward will be achieved. I am looking forward to it.

Oh, and did I mention that Glenda, the Plan 9 bunny, is really cute?

Update 1

Interestingly enough, as soon as I have started digging into this project, some significant changes get announced. The v9fs site moves to a new location and u9fs is going to be replaced by npfs, the Linux-based set of libraries and servers that soon will find distribution in various packages, to be pushed out to distros.

No comments

weekly *nix

Friday, February 17, 2006 5:23:24 PM

desktop, opera

Our weekly build includes several *nix specific fixes - as always, we are happy about feedback.

In particular, we would very much appreciate your feedback on handling of widgets in various window managers - are there any issues specific to certain window managers? It is known that with some minimalist window managers, like e.g. Ion and Ratpoison, there might be some usability issues, as windows do not float on your desktop, but get assigned a full frame. Ion, for one, doesn't even have the concept of a desktop.

No comments

opera 8.52

Friday, February 17, 2006 12:07:11 AM

opera, desktop

Just a quick note to (finally ) point to our latest final version currently being uploaded - stay tuned, it's a busy week!

No comments

desktop team gets a blog

Monday, February 13, 2006 4:31:07 PM

opera, linux, desktop

After TP2 got released, we are happy to announce the new Desktop Team blog - the place where you'll find snapshots of Opera's development, and much more!

Unfortunately, there are no Linux/Unix builds this time, due to problems with the build system - let's hope things will be fixed soon.

3 comments

opera 9 technical preview 2

Tuesday, February 7, 2006 9:04:45 AM

linux, opera, preview

As you may have noticed, Opera 9 Technical Preview 2 is out, with many Unix specific fixes. This is a very important release on Unix - several things got fixed that have been troublesome to many users in the past.

In particular, we would very much appreciate feedback on printing and plug-ins.

Happy testing, and have fun

No comments

the lost dialog

Tuesday, January 17, 2006 9:10:05 PM

linux, cli, rants

Interaction with the computer has mainly evolved around the WIMP approach, requiring a low learning curve and little effort from the user - with the basic misunderstanding that userfriendly does not necessarily mean only easy to use, but might also require some learning process. However, in our modern society nobody is willing to commit oneself to the learning process any more, people want their food pre-chewed and pre-digested; they have lost the capability and the will to engage in a dialog, to listen, to think, to react - that is all too much effort. Our society looks for the brain-dead entertainment that requires no interaction and the least intellectual effort.

I have the suspicion that there is a link between this and the decline of the CLI - interaction via the command line is all about dialog, commands are given, questions are asked, and responses are read: all based on the simple and familiar syntax <doSomething> <toThis>.

I do not want to say that the command line is the best, nor the only solution. But for several tasks it might well be a better UI than the graphical one, and in many ways a more efficient one - but we too easily discard this option a priori due to the fact that it is so far away from the well-known WIMP environment - that it requires you to sit up, read your screen, parse the string, and finally activate your brain and decide how to react - it is asking you for a dialog.

I like the command line.

3 comments

opera and motif?

Thursday, January 12, 2006 8:59:42 AM

news, linux, opera

One of the bigger annoyances Opera users on Linux have been struggling with is the dependency on Motif for plug-ins to work.

A recurring question is which of the Motif flavours should I use? - we have a full page to document installation thereof; there are some detailed instructions on how to get it up and running, and how to deal with conflicts, on forums of some distros; our own my.opera forum is full of people looking for help…

Well - there is good news!

Opera is getting rid of this dependency: Opera 9 will make life much easier to all those Linux users, and plug-ins will not require the presence of Motif in any of its flavours to be installed.

And there is more: this is just one of the surprises you can expect to see in the next public version

6 comments