Sunday, September 9, 2007

Macbook and iPhone

My boss is a huge macnerd. A true member of the HOMO (Honorable Order of Macintosh Operators). It was only a matter of time before I ended up with one.

After a few days with it, I can say that I'm as comfortable using it for day to day stuff as I am on my Linux laptop. Now, I cannot say that I am fully acquainted with the system. I can say that OSX has nothing on Compiz-Fusion. OSX is very nice to use, but I do miss some of the features of my Kubuntu powered HP DV1000.

The iPhone. Best damn phone I have ever owned. However, I still wanna see OpenMoko out in the wild.

Sunday, September 2, 2007

ipTables and SSH Brute Force Stopping Power

I run a small webserver, serving up my own personal items of interest. One of the bigger annoyances in doing this on your own is brute force ssh attempts. When you connect via ssh there is a natural delay before the password prompt. I wanted to take this a step further and delay the response for a longer period of time every time a failed attempt is made.

Here is the entirety of my iptables script.

#!/bin/sh

set -e

PATH="/bin:/sbin:/usr/bin:/usr/sbin"

case "$1" in
start)
    iptables -F
    iptables -t nat -F

    # Default Deny Policy
    iptables -P INPUT DROP
    iptables -P FORWARD DROP

    # Existing connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Localhost is always trusted.
    iptables -A INPUT -i lo -j ACCEPT

    # Allow SSH, WWW, DNS, WEBMIN, POP3, SMTP, IMAP2, HTTPS, FTP, GKRELLM
    # SSH: hashlimit keeps one counter per source IP (--hashlimit-mode srcip)
    # and matches at most one NEW connection per minute from each IP once the
    # initial burst (--hashlimit-burst, default 5) is used up. A connection
    # over the limit matches nothing below and falls through to the INPUT
    # DROP policy, so the client sees no response at all.
    iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --syn --dport 80 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --syn --dport 25 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --syn --dport 53 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --syn --dport 10000 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --syn --dport 110 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --syn --dport 113 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --syn --dport 143 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --syn --dport 443 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --syn --dport 993 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --syn --dport 995 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --syn --dport 10001 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ;;
stop)
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    ;;
restart|reload)
    # Flush first, then rebuild, so the rules are actually loaded afterwards
    # (running start before stop would leave the box with no firewall).
    "$0" stop
    "$0" start
    ;;
*)
    echo "Usage: $0 {start|stop|reload|restart}"
    exit 1
    ;;
esac

As you can see in the ssh line, every time an IP attempts to connect via ssh and fails, it has to wait, and every time it attempts again and fails, that wait is compounded. This essentially stops brute force ssh attempts dead.
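To make the behaviour of that ssh rule concrete, here is an added example (a simplified model written for this page, not code from the original script) of the per-source token bucket that `-m hashlimit` implements: a burst of 5 tokens refilled at 1/min, keyed on the source IP. It shows which SYNs to port 22 match the rule and which fall through to the DROP policy; the event list and IP addresses are constructed, and the rule only ever sees the source address and arrival time, not whether an earlier login failed.

```python
# Added example: simplified model of the xt_hashlimit token bucket behind
# the SSH rule (burst 5, refill 1/min, one bucket per source IP).
from typing import Dict, List, Tuple


class HashLimit:
    """One token bucket per key, as with --hashlimit-mode srcip.

    rate_per_sec: refill rate (--hashlimit 1/min -> 1/60)
    burst:        initial and maximum tokens (--hashlimit-burst, default 5)
    """

    def __init__(self, rate_per_sec: float, burst: int = 5) -> None:
        self.rate = rate_per_sec
        self.burst = burst
        self._tokens: Dict[str, float] = {}
        self._last: Dict[str, float] = {}

    def match(self, src_ip: str, now: float) -> bool:
        """True if a NEW connection from src_ip at time `now` matches the rule."""
        tokens = self._tokens.get(src_ip, float(self.burst))
        elapsed = now - self._last.get(src_ip, now)
        # Refill for the time since this source's last packet, capped at burst.
        tokens = min(float(self.burst), tokens + elapsed * self.rate)
        self._last[src_ip] = now
        if tokens >= 1.0:
            self._tokens[src_ip] = tokens - 1.0
            return True
        self._tokens[src_ip] = tokens
        return False


def simulate(events: List[Tuple[float, str]]) -> List[str]:
    """events: (seconds, source IP) for each SYN to port 22, in time order.

    Returns ACCEPT (matched the hashlimit rule) or DROP (fell through to the
    INPUT DROP policy) for each SYN.
    """
    rule = HashLimit(rate_per_sec=1 / 60, burst=5)
    return ["ACCEPT" if rule.match(ip, t) else "DROP" for t, ip in events]


# Constructed sample: a scanner hitting port 22 once a second, an admin
# logging in once in the middle, and the scanner trying again a minute later.
SAMPLE_EVENTS = [
    (0, "10.0.0.5"), (1, "10.0.0.5"), (2, "10.0.0.5"), (3, "10.0.0.5"),
    (3, "192.0.2.10"),
    (4, "10.0.0.5"), (5, "10.0.0.5"), (6, "10.0.0.5"),
    (66, "10.0.0.5"),
]

if __name__ == "__main__":
    for (t, ip), verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={t:>3}s {ip:<12} {verdict}")
```

The scanner's first five SYNs are accepted (the burst), the next two are dropped, the admin's separate bucket is untouched, and by t=66 one token has refilled so the scanner gets through again; the wait is a fixed rate per source, not a penalty that grows with failed logins.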

Thursday, August 30, 2007

FIRST POST!!!

Now, nobody can ever say, "First Post!" because I've already done it, so kiss my hind quarter.

For this first post I will post a bit about myself. I am a Systems Administrator. I've done some programming for work in the past. I hate coding for money. I will never do it again. McDonald's is more enticing an employment opportunity than any coding job.

Currently, I am employed by a small IT company. I get to support windows boxen all day. My favorite thing to do is unlock the same user account 17 times in one day.

I am also quite fond of spell check.

Hugs and Kisses