Tony's ramblings on Open Source Software, Life and Photography

Using BlockHosts To Stop Brute Force Attacks

Yesterday I posted about implementing rate limiting on new connections. Today I'm going to cover how to take it a step further and watch failed login attempts and automatically block an IP address for a day.

First, you'll want to download BlockHosts from A C Zoom. It's a python script that can be run every time someone attempts to connect that will watch your log files and dynamically create your /etc/hosts.allow file to keep out the nasties.

So, in a traditional step-by-step fashion, here's what to do:

sudo su -
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-2.4.0.tar.gz
tar -zxvf BlockHosts*
cd BlockHosts*
python setup.py install

Now you'll want to configure the /etc/blockhosts.cfg file, so open it with your favorite editor and make the following changes:

Look for "WHITELIST = ". You might want to add your own local network to this just in case.

Look for "LOGFILES" and uncomment the one that says:

LOGFILES = [ "/var/log/auth.log", ]

Look for "[mail]" and plug in your setup if you want it to send you an email periodically telling you what action has been taken.

Save and close that.
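To show what BlockHosts is doing behind the scenes, here is an added Python example (not BlockHosts' own code) that scans auth.log lines for failed sshd logins, applies a failure threshold and a whitelist, and renders tcp_wrappers deny lines for the offenders. The log lines are constructed, and the threshold, whitelist networks and the "ALL: ip : deny" line format are assumptions for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/auth.log lines (not taken from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 4422 ssh2
Mar  3 10:01:14 host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 4423 ssh2
Mar  3 10:01:15 host sshd[2231]: Failed password for root from 203.0.113.7 port 4424 ssh2
Mar  3 10:02:40 host sshd[2240]: Failed password for tony from 192.168.1.50 port 50210 ssh2
Mar  3 10:02:41 host sshd[2240]: Failed password for tony from 192.168.1.50 port 50210 ssh2
Mar  3 10:02:42 host sshd[2240]: Failed password for tony from 192.168.1.50 port 50210 ssh2
Mar  3 10:03:00 host sshd[2251]: Accepted password for tony from 192.168.1.50 port 50211 ssh2
Mar  3 10:05:09 host sshd[2260]: Failed password for invalid user test from 198.51.100.9 port 3301 ssh2
"""

# Matches only sshd "Failed password" lines and captures the source IPv4 address.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")

def failed_logins(log_text):
    """Count failed sshd password attempts per source IP."""
    return Counter(m.group(1) for m in FAILED_RE.finditer(log_text))

def offenders(log_text, threshold=3, whitelist=("192.168.1.0/24", "127.0.0.1")):
    """IPs at or over the threshold that are not covered by a whitelist network.
    The threshold and whitelist are assumed values, like WHITELIST in blockhosts.cfg."""
    nets = [ip_network(w, strict=False) for w in whitelist]
    blocked = []
    for ip, count in sorted(failed_logins(log_text).items()):
        if count >= threshold and not any(ip_address(ip) in net for net in nets):
            blocked.append(ip)
    return blocked

def hosts_allow_block(ips):
    """Render a marked section for /etc/hosts.allow, one deny line per offender
    (tcp_wrappers' extended 'ALL: host : deny' syntax, assumed for the example)."""
    lines = ["#---- constructed BlockHosts-style deny section ----"]
    lines += ["ALL: %s : deny" % ip for ip in ips]
    lines.append("#---- end ----")
    return "\n".join(lines)

if __name__ == "__main__":
    print(hosts_allow_block(offenders(SAMPLE_AUTH_LOG)))
```

Note that the local 192.168.1.50 host hits the threshold but is skipped because it falls inside the whitelisted network, which is exactly why the post suggests adding your own LAN to WHITELIST.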


Stop Port Scans In Their Tracks With iptables

Sure, there are a lot of tutorials out there for blocking SYN+FIN, Christmas (XMAS) scans, etc.

But did you know that most of those won't help against a default nmap scan? Try it: block all the standard stealth scans, etc. using something like the following:

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

You'll find that a simple nmap scan is still able to list all the ports available on the machine. That's not to say you shouldn't use the rules above; in fact they're a good first step.

If someone is trying to find all open ports on your server, think about what's happening. They are randomly going around poking it in various places saying "Hey, who's there?". They poke to the tune of hundreds or even thousands of probes per second.
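To see why the rule list above lets a plain scan through, here is an added Python model (not from the post) of iptables' --tcp-flags mask comp match, run over those nine rules in chain order against the flag sets the common scan types send. The scan names and their flag sets are assumptions about how those scanners behave, not something the post states.

```python
from functools import reduce

# TCP flag bits; ALL and NONE are the aliases iptables accepts in --tcp-flags.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
         "ALL": 0x3F, "NONE": 0x00}

def bits(spec):
    """'SYN,FIN' -> 0x03, the way iptables reads a comma-separated flag list."""
    return reduce(lambda acc, f: acc | FLAGS[f], spec.split(","), 0)

# The post's rule list as (mask, comp) pairs, in chain order.  The first rule also
# carries '-m state --state NEW'; an unsolicited probe is always a new packet, so that
# part of the match is satisfied and is not modelled separately.
RULES = [
    ("SYN,ACK", "SYN,ACK"),
    ("ALL", "NONE"),
    ("SYN,FIN", "SYN,FIN"),
    ("SYN,RST", "SYN,RST"),
    ("ALL", "SYN,RST,ACK,FIN,URG"),
    ("FIN,RST", "FIN,RST"),
    ("ACK,FIN", "FIN"),
    ("ACK,PSH", "PSH"),
    ("ACK,URG", "URG"),
]

def dropped_by(packet_flags):
    """Index of the first rule where (flags & mask) == comp, or None when the packet
    falls through all nine rules and reaches whatever policy follows them."""
    pkt = bits(packet_flags)
    for i, (mask, comp) in enumerate(RULES):
        if pkt & bits(mask) == bits(comp):
            return i
    return None

# Constructed probes: the flag sets classic scan types send (assumed for the example).
PROBES = {
    "default SYN scan": "SYN",
    "NULL scan": "NONE",
    "XMAS scan": "FIN,PSH,URG",
    "SYN/FIN scan": "SYN,FIN",
}

def verdicts():
    return {name: dropped_by(flags) for name, flags in PROBES.items()}

if __name__ == "__main__":
    for name, rule in verdicts().items():
        print("%-17s -> %s" % (name, "passes every rule" if rule is None
                                     else "DROP by rule %d" % (rule + 1)))
```

A bare SYN is exactly what a legitimate connection starts with, so no flag-combination rule can single it out; that is why the post moves on to rate, not flags.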


Twitter Rant / Feature Need

I just had an epiphany. I want twitter to implement a threshold setting in my account above which I don't get notified of new followers.

For instance,

I get followed by "JennyFreeLaptop23434".

I get an email letting me know...

But, with a follower threshold setting on notifications, I could set in MY account a threshold of "10:1" and since Jenny is following 253,530 people and only has 5 followers, I can safely assume that Jenny is a spammer. And if Jenny is following more than 10 people for every follower, don't bother letting me know she's (he's?) following me too.

Just a thought...



Using Bridged Networking For KVM / QEMU (and how to install)

There are so many different HOWTOs on the Internet about using bridged networking for KVM virtual machines. Unfortunately most are completely out of date, wrong, or just don't apply to Ubuntu's implementation.

Believe it or not, it's not very hard. KVM/QEMU will automatically create the "tap" interface (actually it names them vnetX) and will even create a new MAC address for it. All we have to do is put our primary ethernet adapter into promiscuous mode and create a bridge device.

Both steps are easily done by editing /etc/network/interfaces. No additional scripts are needed if you're using static IP addresses.

Here's an example setup for preparing the host machine. This assumes you have one physical card in the machine (eth0) and that you want to access your host machine using 192.168.1.2:

# The loopback network interface
auto lo
iface lo inet loopback

# Create our bridge interface using a static IP address on the network
auto br0
iface br0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        pre-up ifconfig eth0 down
        pre-up ifconfig eth0 0.0.0.0 promisc up
        pre-up brctl addbr br0
        pre-up brctl addif br0 eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

I Have A Need For Speed

Ah, the speed of fiber Internet. 9.2 Megabit throughput... What a pain to get working properly, at least while trying not to inconvenience my customers. I'm a bit surprised that my outbound is so slow though... Gonna have to talk to them about that.



Load Multiple Image Formats Into Cairo Surfaces (Python)

This drove me up the wall trying to figure it out, but loading JPEGs or TIFFs into a Cairo surface with Python really isn't all that hard.

The trick is to load the file into a gtk.gdk.Pixbuf first. Here's an example:

import gtk
import cairo

# filename is the path to the image (any format gdk-pixbuf can read: JPEG, TIFF, PNG, ...)
pixbuf = gtk.gdk.pixbuf_new_from_file(filename)
x = pixbuf.get_width()
y = pixbuf.get_height()
# create a new cairo surface to place the image on (format 0 == FORMAT_ARGB32)
surface = cairo.ImageSurface(cairo.FORMAT_ARGB32, x, y)
# create a context to the new surface
ct = cairo.Context(surface)
# wrap the native Cairo context in a GDK CairoContext so it can take a pixbuf as source
ct2 = gtk.gdk.CairoContext(ct)
# draw from the pixbuf to the new surface
ct2.set_source_pixbuf(pixbuf, 0, 0)
ct2.paint()
# surface now contains the image in a Cairo surface

Of course you could bypass stamping it onto a Cairo surface entirely and just use the original pixbuf for most things, but for doing affine translations I needed an actual surface and not a context to one. Otherwise you have to remember what is accessible through GDK and what is a native Cairo surface.

With a little bit of pipe magic, you can even do image manipulation externally before loading it, and never have to create a temp file:

import subprocess

Run Ubuntu Off A USB Stick

If you do a lot of Ubuntu installations, or you like to always carry a copy with you so you can use Linux wherever you are, installing Ubuntu on a USB stick really isn't all that hard.

Simply use Synaptic to install "usb-creator". Download an image of Ubuntu that you want to run from the USB drive, keeping it in an ISO image file. From the System+Administration menu you'll see "Create A USB Startup Disk." Choose the ISO file you downloaded as the source image, and pick your empty USB stick as the destination.

If you choose "Stored in reserved extra space" you can literally run Ubuntu from the stick, and any changes you make or files you create will be stored on there as well. In my case my wireless setup is remembered from boot to boot, and any files I save in my home directory are still there next time.

It's a great way to show off Linux to someone who has never seen it: simply keep it on your keyring and you're always ready to run Linux. It's a great way to carry PC and network diagnostic utilities with you as well.



Photo Browser Alpha Video

Well, the thumbnail browser for my photography workflow application is complete. The next step is to finish designing the UI around it, and then link it with a database, etc. to keep track of photos.

Here's a video of it in action. Keep in mind this is early Alpha. It loads in thumbnails and rotates and reflects them on the fly. The farther and faster you drag your mouse over the images, the faster they go, and they continue to spin and slow down after you let go.



Working On A Photo Manager

I'm working on a photo manager for Linux with a kinetic scrolling feature in Python. So far so good. The thumbnails are actually being rendered, tilted and reflected by my code. Unfortunately Python can't do perspective transforms, only shears, so you get a bit of a top-down view.




Another Senior Portrait

Here's another "Senior Portrait" for Whitley. I'm loving the new 50mm prime lens. I was afraid it would be cropped too close for portrait work, and it almost is, but it's working out rather nicely.

It was blowing cold and about 15 degrees for this shot, so we didn't tarry and only got the one really usable shot out of the 30 or so taken. Lit with sunlight filtered through the trees behind me and over my left shoulder. No reflector was needed, because the snow provided a nice all-around soft fill.

First I used LightZone for Linux to do the RAW conversion and relight the image, reducing the shadows on her face and adding a high-key effect. Then I used Gimp to do a bit of reconstruction of her hair due to some wild strands blowing in the wind, and softened up her skin tone and brightened her eyes. I also prefer to use Gimp for the final image sharpening.

