TCP Wrappers to protect ssh
July 23rd, 2009
In the last few days there was a rumour of an OpenSSH exploit, and also of a worm that would spread between machines running OpenSSH. One thing I did was change the default port, so that an automated worm aimed at port 22 would go nowhere. I also applied TCP wrappers on my hosts; I'll give you an example from a host I use only for IPv6.
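Before the listing itself, an added example that is not code from the original post: a small Python model of the decision procedure described in hosts_access(5) (hosts.allow is searched first, then hosts.deny, the first match wins, and a connection that matches neither file is granted), run against constructed copies of the two files shown next. The file contents, the client addresses and the subset of client patterns it understands (ALL, bare addresses, IPv4 net/mask, and the bracketed IPv6 form) are assumptions for the example; the real check is done by libwrap inside sshd, not by this script.

```python
"""Model of how tcp_wrappers' hosts_access(5) decides a connection.

Constructed example, not part of the original blog post or of libwrap.
Evaluation order follows the manpage: hosts.allow first, then hosts.deny,
first match wins, and a (daemon, client) pair matching neither file is
GRANTED. Client patterns understood here are a subset of the real syntax:
ALL, a bare IPv4/IPv6 address, IPv4 net/mask or net/prefixlen, and the
FreeBSD-style [ipv6-net]/prefixlen (the unbracketed form also parses).
"""
import ipaddress
import re

# Constructed copies of the two files from the post.
HOSTS_ALLOW = "sshd : [2001:a60:f074::]/48\n"
HOSTS_DENY = "sshd : ALL\n"


def parse_rules(text):
    """Return (daemon_list, client_list) tuples for each rule line.
    Comments and blank lines are skipped; an optional trailing ': option'
    field is dropped because shell commands/allow/deny are not modelled."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)   # first ':' separates daemon_list from client_list
        dtoks = [t for t in re.split(r"[\s,]+", daemons.strip()) if t]
        ctoks = [t for t in re.split(r"[\s,]+", clients.strip()) if t]
        if ":" in ctoks:                         # "... : allow" / "... : deny" style option field
            ctoks = ctoks[:ctoks.index(":")]
        rules.append((dtoks, ctoks))
    return rules


def client_matches(pattern, addr):
    """True if the client address matches one hosts.allow/hosts.deny pattern."""
    if pattern == "ALL":
        return True
    if pattern.startswith("["):                  # FreeBSD: [2001:db8::]/48
        inner, _, plen = pattern[1:].partition("]")
        plen = plen.lstrip("/")
        pattern = inner + ("/" + plen if plen else "")
    try:
        if "/" in pattern:
            net, mask = pattern.split("/", 1)
            if "." in mask:                      # dotted mask, e.g. 10.0.0.0/255.0.0.0
                return addr in ipaddress.ip_network((net, mask), strict=False)
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False                             # hostnames, LOCAL, KNOWN etc. are not modelled


def hosts_access(daemon, client, allow_text, deny_text):
    """Return 'allow' or 'deny' for (daemon, client) following hosts_access(5) precedence."""
    addr = ipaddress.ip_address(client)
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and \
                    any(client_matches(p, addr) for p in clients):
                return verdict                   # first match in either file decides
    return "allow"                               # no match anywhere: tcp_wrappers lets it through


if __name__ == "__main__":
    for who in ("2001:a60:f074:1::10", "2001:db8::1", "192.0.2.7"):
        print(who, "->", hosts_access("sshd", who, HOSTS_ALLOW, HOSTS_DENY))
    # The caveat: with no "sshd : ALL" in hosts.deny, the outsider is let in.
    print("2001:db8::1 with empty hosts.deny ->",
          hosts_access("sshd", "2001:db8::1", HOSTS_ALLOW, ""))
```

The last line of the run is the one worth remembering: hosts.allow alone never denies anything, so forgetting the deny file leaves sshd open to everyone. On a real FreeBSD box the equivalent check is tcpdmatch(8), e.g. "tcpdmatch sshd 2001:db8::1", which reads the actual files.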
$ more /etc/hosts.allow
sshd : [2001:a60:f074::]/48
$ more /etc/hosts.deny
sshd : ALL
$

The host in question is a FreeBSD host, and FreeBSD's hosts_access(5) wants IPv6 networks written with those odd square brackets around the address and the prefix length after them. An OpenBSD host doesn't require the square brackets. What the rules do is allow my IPv6 subnet to connect via SSH and deny everyone else. Keep in mind that hosts.allow is consulted first, then hosts.deny, and a connection that matches neither file is let through, so the "sshd : ALL" line in hosts.deny is what actually closes the door.

40 Years ago (Apollo)
July 22nd, 2009
The first man in orbit was Yuri Gagarin, in 1961. Eight years later we had the first man on the moon. That tells you that it's not all too hard to get to the moon, considering the 30 years of development since the V2 rocket that Wernher von Braun designed in World War 2. The Chinese have a space program and have already put people into orbit. Whether they can land a man on the moon within 8 years remains to be seen. But it's not impossible.

Random Hackepedia
July 17th, 2009
Distributed Denial of Service (see DoS). A distributed denial of service is many computers on the Internet coordinating a denial of service attack (DoS) against a single host, network or piece of network infrastructure.... To read more about DDoS go here.

Removed link
July 13th, 2009
In a commit Theo de Raadt points out that OpenBSD does not link to sites filled with hatred. I am following suit by removing this link from the SolarScale blog. I don't know exactly what the offending message was, but I have some idea of it.

An intergalactic puzzle
July 12th, 2009
I read NASA's APOD (Astronomy Picture of the Day), and if you click on the link you'll see today's picture, which is a message to aliens. I wanted to see just how easy it is, so I started deciphering it. First it lists numbers as quantities of dots, then it shows the binary value of each number and then a base 10 representation. These numbers go from 0 to 10 (with binary as well) and continue in base ten with 10, 11, 12, 14, 15 and 20. At the top there is a 1 on the left side and a 1 on the right side in binary, possibly indicating our two sexes (with five spots possibly indicating the fingers on each hand). Then it continues with the prime numbers from 2 through 89 (so there is definitely something intelligent behind this). And then it says 2 3021377 X1, which I could not figure out, but perhaps you can. Hah! Google knew it: 2^3021377 - 1 is a very large prime number, a so-called Mersenne prime. Here is its homepage.

Random Hackepedia
July 11th, 2009
Syslog is the common way of managing log files on UNIX. Processes that wish to log something write to a UNIX socket, usually bound at /dev/log, which is read by syslogd, which in turn writes the messages to files usually found in /var/log. To read more about syslog at Hackepedia go here.

OpenBSD packages
July 4th, 2009
First off, I'm not a fan of packages. But I'm wrong. The economics of pre-compiled packages are better than building a port yourself. For one, you don't have to run your CPU hot building a port that someone has already built for you, so you waste less electricity if you install the package. However, I'm the type of person that wants the source code at all times, so I've found a compromise. I put this in my /etc/mk.conf:
# more /etc/mk.conf
FETCH_PACKAGES=Yes
PKG_PATH=ftp://ftp.de.openbsd.org/pub/OpenBSD/4.5/packages/i386/

So now all I have to do is go into the port's directory and type make fetch (gets the source) and make install (fetches the pre-built package and installs it). This way I have the source to fall back on when I need it, and the package install takes a few seconds at most.

Random Hackepedia
July 4th, 2009
All users on a system have the ability to customize their environment to their taste. This can involve choosing a shell such as bash, zsh or tcsh, setting environment variables, defining shell aliases, or running scripts at login. These tasks are all handled by various "profile scripts". To read more about profiles read on.

The xlog is discontinued
July 2nd, 2009
Some people must have gotten hold of an old cache of my blog from 2006/2007, where I offered blog articles in encrypted form. Back then you could order a decrypt CD to read what was written, but no one at the time was interested. I discontinued offering the blog in encrypted form and no sales were made. Today I found some bounce mails from people writing in to the decrypt mailbox (which doesn't exist anymore). Thanks for your interest, but the offer is over.

Natally does AES
June 30th, 2009
Well, I have been hacking away at natally for the last couple of weeks, and I finally got dual-mode encryption into it. It now does AES as well as Blowfish encryption. Because of the way the code is now structured, adding other ciphers should be easy; they just need to be put in place. I started out with Blowfish and then coded my way to AES, removing a lot of hard-coded values such as block sizes, which need to be dynamic when there are multiple ciphers. I'm thinking perhaps I should write a manpage now (ughh) or something. PS: with revision 50 I committed the NAT state expiration code, which was needed to complete this project. Perhaps it'll need a bit of tweaking here and there, but the main code is finished.
Have feedback?
Send mail to pjp [at] centroid [dot] eu