From slash5toaster at gmail.com Wed Jul 8 17:48:54 2009
From: slash5toaster at gmail.com (Clyde Jones)
Date: Wed, 8 Jul 2009 17:48:54 -0700
Subject: Help troubleshooting Xwindows problem
Message-ID: <294686ad0907081748k5feb100dl767f347e8e7ae22@mail.gmail.com>

Hi

I have a user who is having trouble with an X application. He is using cygwin X and the application is very slow from his desktop. I have the same setup, but a faster connection and I have no trouble whatsoever.

I don't see any usual memory issues with the server, or the client. I will have to try booting into a live cd to test the connection there.

Any thoughts on how to isolate the problems?

--
We are what we think.
All that we are arises with our thoughts.
With our thoughts, we make the world.
-Buddha

From rsr at inorganic.org Tue Jul 14 22:42:10 2009
From: rsr at inorganic.org (Roy S. Rapoport)
Date: Tue, 14 Jul 2009 22:42:10 -0700
Subject: Netflix is Hiring
Message-ID: <20090715054210.GA28394@rsrfc.inorganic.org>

I just read http://baylisa.org/services/announcements.shtml which advises me to be brief. I was intending to wax lyrical about Netflix and the environment here (I'm sending this from my personal account, but I've been working at Netflix now for about 2.5 weeks).

In the interest of helping people with really short attention span:

HI. WE'RE HIRING SENIOR SYSTEMS ADMINISTRATORS/ENGINEERS. INTERESTED? CONTACT ME.

There. The rest of you can feel free to read more below.

Firstly, more about the technical environment here: Netflix is probably pretty unique (personally, I use the word "weird") -- we've got a steady supply of IBM Kool-Aid here. We run IBM server hardware (on which we run both AIX and Linux; more of the latter, thankfully) and storage systems. We're also now starting to use Isilons and Netapps, thankfully. Scripting language of choice seems to be Perl, though as a Python person I'm grateful to not be required to use it.
Speaking of not being required to do something, Netflix is big -- and I mean BIG -- on minimizing rules, regulations, red tape, etc. It's helped them get to where they are today. Their big motto is "freedom and responsibility" -- do whatever you want to do, just act in Netflix's best interests. It's a little crazy.

A good example of this is the vacation policy and tracking system, which is described in one sentence: There is no vacation policy and tracking system. You take off the time you take off. You work the time you work. You get paid regardless.

Another example of "let's not waste time tracking and managing stupid stuff" is lunch. They realized people had meetings over lunch, and when they did, they'd order lunch in. Then they'd have to figure out, when lunch arrived, who ordered it, where to bill it, who was supposed to get it, where it was; sometimes people wouldn't show up and there'd be lots of food left over. Lots of work for not much of a reward. So they just started ordering in lunch for everybody. Consistent, easy to track, less headaches. Doesn't mean you don't get to go out to lunch, mind you. You just don't have to :).

Internally, it's described as a high-performance environment. Their focus is on hiring very very good people, paying them significantly-above-market wages, setting out the context for what success looks like, and unleashing them. If they don't perform, they get fired. It really is that simple.

For some people, this can be a scary place to work in. If you value safety, if you value thinking you'll always have a job (ha!), if you've been in this industry for a long time and are ready for a little slower pace, more calm environment ... it's not the place for you. I've been in IT for 18 years, and I've been happiest when I've been at my most disruptive. I've never been in a more perfect environment for me. It's a shark tank. If you think you're a shark, you're going to have a fantastic time. If you think you're chum ...
it's probably not a good fit.

If you're interested in talking more, feel free to email me here, at rsr at inorganic.org, or at my work address, at rrapoport at netflix.com.

-roy

From rick at linuxmafia.com Wed Jul 15 02:16:14 2009
From: rick at linuxmafia.com (Rick Moen)
Date: Wed, 15 Jul 2009 02:16:14 -0700
Subject: Netflix is Hiring
In-Reply-To: <20090715054210.GA28394@rsrfc.inorganic.org>
References: <20090715054210.GA28394@rsrfc.inorganic.org>
Message-ID: <20090715091614.GP26829@linuxmafia.com>

Quoting Roy S. Rapoport (rsr at inorganic.org):

> I just read http://baylisa.org/services/announcements.shtml which advises
> me to be brief.

FYI: http://baylisa.org/services.shtml details our various mailing lists' focuses. I believe the one you were looking for was baylisa-jobs at baylisa.org.

Yr. welcome.

--
Cheers,                  My pid is Inigo Montoya.  You kill -9
Rick Moen                my parent process.  Prepare to vi.
rick at linuxmafia.com

From david at catwhisker.org Thu Jul 23 06:32:34 2009
From: david at catwhisker.org (David Wolfskill)
Date: Thu, 23 Jul 2009 06:32:34 -0700
Subject: Do you care about WHOIS contact information?
Message-ID: <20090723133234.GC77331@bunrab.catwhisker.org>

Under normal circumstances, I'm in the habit of perusing certain logfiles on my home network (which I admit isn't "Large") every morning, looking for certain forms of anomalous activity.

One of those forms that has proved fairly common over the years is a sequence of attempts to login via my SSH server.

While I'm aware of strategies such as port-shifting and the like, I don't do that. For one thing, it complicates my life more than necessary; for another, my SSH server is actually one of the better-protected services, as I only permit public key authentication via SSH.

So if the stupid perps want to wear themselves out & advertise their activities by banging their heads against my SSH server, well, that's just fine by me.

Of course, that doesn't stop me from noticing -- or reporting -- their activities.
This is all the more so because I have my packet filter configured to log all 22/TCP SYN packets; the SSH server already logs all attempts to connect to it.

So when I notice a burst of activity, I do a WHOIS query and provide the allegedly responsible party for the netblock in question an appropriate excerpt from each of the logfiles in question, together with a slightly-customized (for the occasion) bit of boilerplate text explaining why I'm writing and what the significance of certain bits of the logfile extracts is, concluding with an offer to provide additional information on request. The whole thing is deliberately phrased to be non-confrontational and non-accusatory -- e.g., it starts with:

| Below, please find log entries corresponding to several unauthorized
| attempts to access my SSH server. I have no reason to believe that
| any of my systems were harmed or compromised, but the activity was
| certainly not welcome, and I'm notifying you of it in case the
| information helps a current or future investigation you may make.

Fundamentally, I believe there is much value in treating others as I'd like to be treated. And if stuff like that originated from a network for which I have responsibility, I'd really like to know.

Anyhow, I often get auto-responses; I also sometimes get a more personal note of thanks from the other admins (e.g., when they find out that they had a compromised host they didn't know about on their network), so I believe it's a useful exercise in general.

Sometimes, though, my notification message gets bounced -- e.g., with an equivalent of "no such mailbox" for each of the addresses on the recipient list.

Over the years, I've developed an approach for addressing (no pun intended) this situation, but before I explain that, I'd like to do a reality check and ask y'all what you (would) do about it.

:-)

Peace,
david
--
David H. Wolfskill                              david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.

From nathan at lindstrom.com Thu Jul 23 07:56:53 2009
From: nathan at lindstrom.com (Nathan W. Lindstrom)
Date: Thu, 23 Jul 2009 07:56:53 -0700
Subject: Do you care about WHOIS contact information?
In-Reply-To: <20090723133234.GC77331@bunrab.catwhisker.org>
References: <20090723133234.GC77331@bunrab.catwhisker.org>
Message-ID: <001a01ca0ba5$d11f01a0$735d04e0$@com>

David,

Just run SSH on a different port, for example, 23. Use an alias on your client to un-complicate your life. The scans will COMPLETELY stop, and besides, there is nobody at the other end anyway. It's all automated drive-by scanning, and the netblock admins don't care. Your automatic reporting idea is cool, but ultimately its output is just so much spam.

Or use port knocking. You really should do that (or at least listen on a non-standard port) anyway, because SSH isn't the most secure thing in the world. Unless you're building OpenSSH from source immediately after every security update, you're vulnerable to worse attacks than just random password-guessing. Limiting your authentication methods to public key won't save you if the attack exploits an SSH bug.

Remember, there are no stupid perps. Just a million compromised PCs running scripts. It's the non-stupid perps that you need to worry about. :)

From rflii at speakeasy.net Thu Jul 23 08:22:16 2009
From: rflii at speakeasy.net (rflii at speakeasy.net)
Date: Thu, 23 Jul 2009 08:22:16 PDT
Subject: Do you care about WHOIS contact information?
Message-ID: <57382.1248362536@speakeasy.net>

I believe you are on the right track. Treating them fairly in the beginning will help make your case if you need to escalate the situation.

As far as auto-replies that the email does not exist... I immediately escalate to the provider. This typically gets a response for me as we all are anxious of the stupid ISPs and their knee-jerk reactions for possible TOS violations.

Cheers,
Ron Leedy

On Thu Jul 23 6:32 , David Wolfskill sent:

>| Below, please find log entries corresponding to several unauthorized
>| attempts to access my SSH server. I have no reason to believe that
>| any of my systems were harmed or compromised, but the activity was
>| certainly not welcome, and I'm notifying you of it in case the
>| information helps a current or future investigation you may make.
> >Fundamentally, I believe there is much value in treating others as >I'd like to be treated. And if stuff like that originated from a >network for which I have responsiblity, I'd really like to know. > From nicole at unixgirl.com Fri Jul 24 13:38:08 2009 From: nicole at unixgirl.com (Nicole) Date: Fri, 24 Jul 2009 13:38:08 -0700 Subject: Do you care about WHOIS contact information? In-Reply-To: <20090723133234.GC77331@bunrab.catwhisker.org> References: <20090723133234.GC77331@bunrab.catwhisker.org> Message-ID: <4A6A1BB0.6010808@unixgirl.com> David Wolfskill wrote: > Under normal circumstances, I'm in the habit of perusing certain > logfiles on my home network (which I admit isn't "Large") every > morning, looking for certain forms of anomalous activity. > > One of those forms that has proved fairly common over the years is > a sequence of attempts to login via my SSH server. > > While I'm aware of strategies such as port-shifting and the like, > I don't do that. For one thing, it complicates my life more than > necessary; for another, my SSH server is actually one of the > better-protected services, as I only permit public key authentication > via SSH. > > So if the stupid perps want to wear themselves out & advertise their > activities by banging their heads against my SSH server, well, > that's just fine by me. > > Of course, that doesn't stop me from noticing -- or reporting -- > their activities. > > This is all the more so because I have my packet filter configured > to log all 22/TCP SYN packets; the SSH server already logs all > attempts to connect to it. 
> > So when I notice a burst of activity, I do a WHOIS query and provide > the allegedly responsible party for the netblock in question an > appropriate excerpt from each of the logfiles in question, together > with a slightly-customized (for the occasion) bit of boilerplate > text explaining why I'm writing and what the significance of certain > bits of the logfile extracts is, concluding with an offer to provide > additional information on request. The whole thing is deliberately > phrased to be non-confrontational and non-accusatory -- e.g., it > starts with: > > | Below, please find log entries corresponding to several unauthorized > | attempts to access my SSH server. I have no reason to believe that > | any of my systems were harmed or compromised, but the activity was > | certainly not welcome, and I'm notifying you of it in case the > | information helps a current or future investigation you may make. > > Fundamentally, I believe there is much value in treating others as > I'd like to be treated. And if stuff like that originated from a > network for which I have responsiblity, I'd really like to know. > > Anyhow, I often get auto-responses; I also sometimes get a more > personal note of thanks from the other admins (e.g., when they find > out that they had a compromised host they didn't know about on their > network), so I believe it's a useful exercise in general. > > Sometimes, though, my notification message gets bounced -- e.g., > with an equivalent of "no such mailbox" for each of the addresses > on the recipient list. > > Over the years, I've developed an approach for addressing (no pun > intended) this situation, but before I explain that, I'd like to > do a reality check and ask y'all what you (would) do about it. > > :-) > > Peace, > david > Hi David. Short answer.. Give up unless its really consistent or bad. Easier to just firewall them. I tried doing that for awhile. 
I too would get an occasional, "thanks" But more often I got bounced emails (people using bad email addresses to avoid spam), replies asking how is this any of my business, telling me thanks we already know (but not that they have done anything about it), and even a few threats saying a lawyer would be contacting me for sending them obviously false information. I found it just to amazing how many people wanted to stick their fingers in their ears, blame someone else, blame me, or just not care. So I gave up on doing it. Too much work for too little gain. More power to you, as I would want to know. But I often found it a true example of how no good deed goes unpunished. As for the bounces, so many people have learned that 99.9% of the time they will only get spam at the address listed for their domains, they list fake ones or it is rarely if ever checked. Not to mention how many sites are setup on a shared host someplace, managed by some contactor, and all emails listed in whois goes to some corporate dweeb who still thinks it's a bunch of tubes. Nicole From nicole at unixgirl.com Fri Jul 24 13:38:08 2009 From: nicole at unixgirl.com (Nicole) Date: Fri, 24 Jul 2009 13:38:08 -0700 Subject: Do you care about WHOIS contact information? In-Reply-To: <20090723133234.GC77331@bunrab.catwhisker.org> References: <20090723133234.GC77331@bunrab.catwhisker.org> Message-ID: <4A6A1BB0.6010808@unixgirl.com> David Wolfskill wrote: > Under normal circumstances, I'm in the habit of perusing certain > logfiles on my home network (which I admit isn't "Large") every > morning, looking for certain forms of anomalous activity. > > One of those forms that has proved fairly common over the years is > a sequence of attempts to login via my SSH server. > > While I'm aware of strategies such as port-shifting and the like, > I don't do that. 
For one thing, it complicates my life more than > necessary; for another, my SSH server is actually one of the > better-protected services, as I only permit public key authentication > via SSH. > > So if the stupid perps want to wear themselves out & advertise their > activities by banging their heads against my SSH server, well, > that's just fine by me. > > Of course, that doesn't stop me from noticing -- or reporting -- > their activities. > > This is all the more so because I have my packet filter configured > to log all 22/TCP SYN packets; the SSH server already logs all > attempts to connect to it. > > So when I notice a burst of activity, I do a WHOIS query and provide > the allegedly responsible party for the netblock in question an > appropriate excerpt from each of the logfiles in question, together > with a slightly-customized (for the occasion) bit of boilerplate > text explaining why I'm writing and what the significance of certain > bits of the logfile extracts is, concluding with an offer to provide > additional information on request. The whole thing is deliberately > phrased to be non-confrontational and non-accusatory -- e.g., it > starts with: > > | Below, please find log entries corresponding to several unauthorized > | attempts to access my SSH server. I have no reason to believe that > | any of my systems were harmed or compromised, but the activity was > | certainly not welcome, and I'm notifying you of it in case the > | information helps a current or future investigation you may make. > > Fundamentally, I believe there is much value in treating others as > I'd like to be treated. And if stuff like that originated from a > network for which I have responsiblity, I'd really like to know. 
> > Anyhow, I often get auto-responses; I also sometimes get a more > personal note of thanks from the other admins (e.g., when they find > out that they had a compromised host they didn't know about on their > network), so I believe it's a useful exercise in general. > > Sometimes, though, my notification message gets bounced -- e.g., > with an equivalent of "no such mailbox" for each of the addresses > on the recipient list. > > Over the years, I've developed an approach for addressing (no pun > intended) this situation, but before I explain that, I'd like to > do a reality check and ask y'all what you (would) do about it. > > :-) > > Peace, > david > Hi David. Short answer.. Give up unless its really consistent or bad. Easier to just firewall them. I tried doing that for awhile. I too would get an occasional, "thanks" But more often I got bounced emails (people using bad email addresses to avoid spam), replies asking how is this any of my business, telling me thanks we already know (but not that they have done anything about it), and even a few threats saying a lawyer would be contacting me for sending them obviously false information. I found it just to amazing how many people wanted to stick their fingers in their ears, blame someone else, blame me, or just not care. So I gave up on doing it. Too much work for too little gain. More power to you, as I would want to know. But I often found it a true example of how no good deed goes unpunished. As for the bounces, so many people have learned that 99.9% of the time they will only get spam at the address listed for their domains, they list fake ones or it is rarely if ever checked. Not to mention how many sites are setup on a shared host someplace, managed by some contactor, and all emails listed in whois goes to some corporate dweeb who still thinks it's a bunch of tubes. 
Nicole From nicole at unixgirl.com Fri Jul 24 13:38:08 2009 From: nicole at unixgirl.com (Nicole) Date: Fri, 24 Jul 2009 13:38:08 -0700 Subject: Do you care about WHOIS contact information? In-Reply-To: <20090723133234.GC77331@bunrab.catwhisker.org> References: <20090723133234.GC77331@bunrab.catwhisker.org> Message-ID: <4A6A1BB0.6010808@unixgirl.com> David Wolfskill wrote: > Under normal circumstances, I'm in the habit of perusing certain > logfiles on my home network (which I admit isn't "Large") every > morning, looking for certain forms of anomalous activity. > > One of those forms that has proved fairly common over the years is > a sequence of attempts to login via my SSH server. > > While I'm aware of strategies such as port-shifting and the like, > I don't do that. For one thing, it complicates my life more than > necessary; for another, my SSH server is actually one of the > better-protected services, as I only permit public key authentication > via SSH. > > So if the stupid perps want to wear themselves out & advertise their > activities by banging their heads against my SSH server, well, > that's just fine by me. > > Of course, that doesn't stop me from noticing -- or reporting -- > their activities. > > This is all the more so because I have my packet filter configured > to log all 22/TCP SYN packets; the SSH server already logs all > attempts to connect to it. > > So when I notice a burst of activity, I do a WHOIS query and provide > the allegedly responsible party for the netblock in question an > appropriate excerpt from each of the logfiles in question, together > with a slightly-customized (for the occasion) bit of boilerplate > text explaining why I'm writing and what the significance of certain > bits of the logfile extracts is, concluding with an offer to provide > additional information on request. 
The whole thing is deliberately > phrased to be non-confrontational and non-accusatory -- e.g., it > starts with: > > | Below, please find log entries corresponding to several unauthorized > | attempts to access my SSH server. I have no reason to believe that > | any of my systems were harmed or compromised, but the activity was > | certainly not welcome, and I'm notifying you of it in case the > | information helps a current or future investigation you may make. > > Fundamentally, I believe there is much value in treating others as > I'd like to be treated. And if stuff like that originated from a > network for which I have responsiblity, I'd really like to know. > > Anyhow, I often get auto-responses; I also sometimes get a more > personal note of thanks from the other admins (e.g., when they find > out that they had a compromised host they didn't know about on their > network), so I believe it's a useful exercise in general. > > Sometimes, though, my notification message gets bounced -- e.g., > with an equivalent of "no such mailbox" for each of the addresses > on the recipient list. > > Over the years, I've developed an approach for addressing (no pun > intended) this situation, but before I explain that, I'd like to > do a reality check and ask y'all what you (would) do about it. > > :-) > > Peace, > david > Hi David. Short answer.. Give up unless its really consistent or bad. Easier to just firewall them. I tried doing that for awhile. I too would get an occasional, "thanks" But more often I got bounced emails (people using bad email addresses to avoid spam), replies asking how is this any of my business, telling me thanks we already know (but not that they have done anything about it), and even a few threats saying a lawyer would be contacting me for sending them obviously false information. I found it just to amazing how many people wanted to stick their fingers in their ears, blame someone else, blame me, or just not care. So I gave up on doing it. 
Too much work for too little gain. More power to you, as I would want to know. But I often found it a true example of how no good deed goes unpunished. As for the bounces, so many people have learned that 99.9% of the time they will only get spam at the address listed for their domains, they list fake ones or it is rarely if ever checked. Not to mention how many sites are setup on a shared host someplace, managed by some contactor, and all emails listed in whois goes to some corporate dweeb who still thinks it's a bunch of tubes. Nicole From rick at linuxmafia.com Fri Jul 24 14:49:04 2009 From: rick at linuxmafia.com (Rick Moen) Date: Fri, 24 Jul 2009 14:49:04 -0700 Subject: Do you care about WHOIS contact information? In-Reply-To: <20090723133234.GC77331@bunrab.catwhisker.org> References: <20090723133234.GC77331@bunrab.catwhisker.org> Message-ID: <20090724214903.GM26829@linuxmafia.com> Quoting David Wolfskill (david at catwhisker.org): > Over the years, I've developed an approach for addressing (no pun > intended) this situation, but before I explain that, I'd like to > do a reality check and ask y'all what you (would) do about it. Personally, I classify any scripted ssh login-attempt session using "joe" username/password combos to be essentially doorknob-twisting rather than an attack worthy of the name, and ignore it completely. Going by shirtsleeve calculations, if one's system enforces good password / keypairs, then the attempts you cite are astronomically unlikely to succeed within geologic time. The connecting system might have been a malware-compromised MS-Windows box. Or it might be a freshman misbehaving using his/her first shell account. And so on. Sure, you're doing a socially beneficial thing in attempting to clue people in that they might have compromised hosts or rogue users. One might respond similarly to incoming portscans. I commend you for doing that. 
I personally don't bother unless there's some greater sign that a significant system (such as, say, a major university ftp site or outgoing mail relay) has been root-compromised and is being abused by criminals. _Then_, I might send polite notes to the WHOIS contact mailboxes, or even call the listed telephone numbers (especially if the WHOIS e-mail mailboxes are in-band, and subject to possible interception by the bad guys). -- Rick Moen There was an old man Said with a laugh, "I rick at linuxmafia From Peru, whose lim'ricks all Cut them in half, the pay is .com Looked like haiku. He Much better for two." --Emmet O'Brien From nicole at unixgirl.com Fri Jul 24 13:38:08 2009 From: nicole at unixgirl.com (Nicole) Date: Fri, 24 Jul 2009 13:38:08 -0700 Subject: Do you care about WHOIS contact information? In-Reply-To: <20090723133234.GC77331@bunrab.catwhisker.org> References: <20090723133234.GC77331@bunrab.catwhisker.org> Message-ID: <4A6A1BB0.6010808@unixgirl.com> David Wolfskill wrote: > Under normal circumstances, I'm in the habit of perusing certain > logfiles on my home network (which I admit isn't "Large") every > morning, looking for certain forms of anomalous activity. > > One of those forms that has proved fairly common over the years is > a sequence of attempts to login via my SSH server. > > While I'm aware of strategies such as port-shifting and the like, > I don't do that. For one thing, it complicates my life more than > necessary; for another, my SSH server is actually one of the > better-protected services, as I only permit public key authentication > via SSH. > > So if the stupid perps want to wear themselves out & advertise their > activities by banging their heads against my SSH server, well, > that's just fine by me. > > Of course, that doesn't stop me from noticing -- or reporting -- > their activities. 
> > This is all the more so because I have my packet filter configured > to log all 22/TCP SYN packets; the SSH server already logs all > attempts to connect to it. > > So when I notice a burst of activity, I do a WHOIS query and provide > the allegedly responsible party for the netblock in question an > appropriate excerpt from each of the logfiles in question, together > with a slightly-customized (for the occasion) bit of boilerplate > text explaining why I'm writing and what the significance of certain > bits of the logfile extracts is, concluding with an offer to provide > additional information on request. The whole thing is deliberately > phrased to be non-confrontational and non-accusatory -- e.g., it > starts with: > > | Below, please find log entries corresponding to several unauthorized > | attempts to access my SSH server. I have no reason to believe that > | any of my systems were harmed or compromised, but the activity was > | certainly not welcome, and I'm notifying you of it in case the > | information helps a current or future investigation you may make. > > Fundamentally, I believe there is much value in treating others as > I'd like to be treated. And if stuff like that originated from a > network for which I have responsiblity, I'd really like to know. > > Anyhow, I often get auto-responses; I also sometimes get a more > personal note of thanks from the other admins (e.g., when they find > out that they had a compromised host they didn't know about on their > network), so I believe it's a useful exercise in general. > > Sometimes, though, my notification message gets bounced -- e.g., > with an equivalent of "no such mailbox" for each of the addresses > on the recipient list. > > Over the years, I've developed an approach for addressing (no pun > intended) this situation, but before I explain that, I'd like to > do a reality check and ask y'all what you (would) do about it. > > :-) > > Peace, > david > Hi David. Short answer.. 
Give up unless it's really consistent or bad. Easier to just firewall them.

I tried doing that for a while. I too would get an occasional "thanks", but more often I got bounced emails (people using bad email addresses to avoid spam), replies asking how is this any of my business, telling me thanks we already know (but not that they have done anything about it), and even a few threats saying a lawyer would be contacting me for sending them obviously false information. I found it just too amazing how many people wanted to stick their fingers in their ears, blame someone else, blame me, or just not care.

So I gave up on doing it. Too much work for too little gain. More power to you, as I would want to know. But I often found it a true example of how no good deed goes unpunished.

As for the bounces, so many people have learned that 99.9% of the time they will only get spam at the address listed for their domains, they list fake ones or it is rarely if ever checked. Not to mention how many sites are set up on a shared host someplace, managed by some contractor, and all emails listed in whois go to some corporate dweeb who still thinks it's a bunch of tubes.

Nicole

From guy at extragalactic.net Tue Jul 28 21:52:43 2009
From: guy at extragalactic.net (Guy B. Purcell)
Date: Tue, 28 Jul 2009 21:52:43 -0700
Subject: Help troubleshooting Xwindows problem
In-Reply-To: <294686ad0907081748k5feb100dl767f347e8e7ae22@mail.gmail.com>
References: <294686ad0907081748k5feb100dl767f347e8e7ae22@mail.gmail.com>
Message-ID: <6B97DC72-C38A-41E0-AEAC-279B7A3DECDB@extragalactic.net>

On Jul 8, 2009, at 5:48 PM, Clyde Jones wrote:
> I have a user who is having trouble with an X application. He is
> using cygwin X and the application is very slow from his desktop. I
> have the same setup, but a faster connection and I have no trouble
> whatsoever.
Given that "but" & the fact that X is very chatty, I'd suggest perhaps limiting your connection to match his & seeing what happens, or (assuming you're in reasonably close proximity & the HW involved isn't bulky) relocating your box to his location. You could also snoop the traffic individually for an agreed-upon identical set of actions (e.g. log in, then back out) to compare packet timings: if network bandwidth and/or latency is the cause, and the performance is as bad as you've implied, you should definitely see it in the timings.

-Guy

From guy at extragalactic.net Tue Jul 28 22:39:28 2009
From: guy at extragalactic.net (Guy B. Purcell)
Date: Tue, 28 Jul 2009 22:39:28 -0700
Subject: Do you care about WHOIS contact information?
In-Reply-To: <20090723133234.GC77331@bunrab.catwhisker.org>
References: <20090723133234.GC77331@bunrab.catwhisker.org>
Message-ID:

On Jul 23, 2009, at 6:32 AM, David Wolfskill wrote:

[...brute force attack notification automation bits...]

> Anyhow, I often get auto-responses; I also sometimes get a more
> personal note of thanks from the other admins (e.g., when they find
> out that they had a compromised host they didn't know about on their
> network), so I believe it's a useful exercise in general.
>
> Sometimes, though, my notification message gets bounced -- e.g.,
> with an equivalent of "no such mailbox" for each of the addresses
> on the recipient list.
>
> Over the years, I've developed an approach for addressing (no pun
> intended) this situation, but before I explain that, I'd like to
> do a reality check and ask y'all what you (would) do about it.
I have a couple thoughts :^)

If you have things completely automated, you could tweak the system a bit to dump the addresses of those (under your current system) you *would* send a message to into files--one file per day (sort of like 'sar' does), then add a daily cron job that goes through the files for the previous N days & checks for repeat offenders (via some tunable criteria)--and sends messages only to *those* folks (and potentially auto-firewall the host for a while, too). This would likely significantly reduce the number of messages you send, thus the number of bounces you get from them, leaving you more able to deal with those bounces manually.

Personally, I wish *everyone* had a similar system in place, but that's not likely to happen (*I* certainly don't have one, and don't have the time even to implement one handed to me, much less roll my own at this point; hmm, make a dandy summer project for my kid, though...). Unfortunately, I don't think it's likely to be able to scale as the Internet in general--and the bad guy population in particular--grows in its various ways (number of nodes, power of the nodes, speed of the connections, etc.), much as the spam problem ballooned. Eventually, I think trying to deal with this in a friendly manner will become impossible, much like dealing with spammers has :^(

I *do* value whois data, BTW, which is why I still have my email address listed for my domains.

-Guy

From david at catwhisker.org Wed Jul 29 09:44:27 2009
From: david at catwhisker.org (David Wolfskill)
Date: Wed, 29 Jul 2009 09:44:27 -0700
Subject: Do you care about WHOIS contact information?
In-Reply-To: <20090723133234.GC77331@bunrab.catwhisker.org>
References: <20090723133234.GC77331@bunrab.catwhisker.org>
Message-ID: <20090729164427.GA5005@albert.catwhisker.org>

On Thu, Jul 23, 2009 at 06:32:34AM -0700, David Wolfskill wrote:
> ...
> Over the years, I've developed an approach for addressing (no pun
> intended) this situation, but before I explain that, I'd like to
> do a reality check and ask y'all what you (would) do about it.
> ...

There were a handful of replies, some of which were thoughtful & on-point. My thanks to those who responded.

Since I did offer that bit of a teaser, I thought I'd try to get the promised explanation out before I go wandering off-Net for several days. I'll sketch a bit of context first, then go over what the approach I generally use is.

Please note that the below is intended as a description of an approach to be used by a human being; it is nowhere near precise enough to automate: there are points at which human judgement is called for. And in general, it's my understanding that automating some of the stuff I do is a fairly effective way to perform a self-inflicted DoS attack on the resource one is trying to protect. And while I admit to having made mistakes (and intending to live long enough to make some new ones), I like to think that I'm not stupid. :-}

First, all exposed services from the network in question run on FreeBSD systems -- and there aren't many exposed services (SSH, SMTP, NTP (with certain hosts), HTTP{,S}, and DNS should be about it). I have a static /32; a FreeBSD machine with 3 NICs acts as my router/packet filter and the gateway between the Internet and my home networks. That machine actually provides the externally-facing SMTP, NTP, and DNS services; SSH and HTTP{,S} are port-forwarded to internal hosts. SSH is configured to only permit public key authentication via SSHv2 protocol.

For a packet filter, I (still) use FreeBSD's IPFW. (Darren Reed's ipfilter & OpenBSD's pf are also available, but IPFW suits my purposes and I've been using it for over a decade. "Use what you know," yeah?)

The packet filter plays a moderately important role in what follows, so I'll go into that in a bit of detail now.
One of the things IPFW provides in its packet-filtering rules is the ability to test a source or destination address to see if it's in a "table" -- which uses the same structure and search mechanisms as the routing table in the IP stack. (I.e., it is stored as a Radix tree, vs. a simple list, and the most specific match wins.) Each entry in one of these tables consists of a CIDR block specification and a 32-bit "tag"; I don't use the tag.

Among the various IPFW rules I use (anti-spoofing; ensuring that only desired services are offered to the outside world; ...), I have created 3 (so far) such IPFW tables. (I also implement them in the IPFW rules I run on my laptop, since it is sometimes in direct contact with hosts outside my control. Yes, I run FreeBSD on my laptop. And in response to one correspondent, I actually update the FreeBSD image I run rather frequently: on the laptop, daily; on the other machines, usually every couple of weeks. I also maintain a couple of private mirrors of the FreeBSD CVS & SVN repositories (updated nightly), one set of which resides on my laptop.)

* For table 1, there are 2 rules. One of them blocks all traffic from any IP address in the table; the other blocks all traffic to any such address. Thus, any entry in this table effectively gets dyked out of my view of the Internet.

* For table 2, there is a rule that disallows a 22/tcp SYN packet from any IP address in the table; thus, hosts using such IP addresses cannot initiate an SSH session to my network (or laptop).

* Table 3 is like table 2, but for HTTP{,S}. I don't use this much, but sometimes my patience wears a bit thin.

I could easily add other tables; I've considered replacing much of the sendmail "access.db" with (say) IPFW table 4: attempts to pass a 25/tcp SYN from such an IP address would be rejected.
Another thing I do with the IPFW rules (in addition to logging blocked traffic) is log every successful 22/tcp SYN packet -- i.e., every apparent attempt to initiate an SSH session. My SSH server also logs every attempt it sees to initiate an SSH session.

One of the things I check when I review the logs is to look for glaring discrepancies between the above 2 log (extracts): I've been seeing the following pattern often enough that it's a concern -- the packet filter will log a bunch of 22/tcp SYN packets from a certain address, but the SSH server won't show any attempts to actually establish a session. In this case, I perform a WHOIS query against the address, and for most of the world, I then perform a WHOIS query against the Netname returned, extract all of the CIDR blocks for each of the returned results, and add them to table 2. ("Most of the world" because LACNIC doesn't use Netnames; it uses Inetnum -- a CIDR address. So for LACNIC nets, I use their Inetnum.)

I do not attempt to notify anyone about this, as I haven't figured out a way to explain what seems to be going on in a way that I'd be willing to read if I received such a missive. While I don't believe I have much (if any) exposure, the discrepancy makes me a little nervous, and I will protect my network. And while I could use port-knocking or other bits of Rube Goldberg-inspired protocol design, I'm not yet willing to complicate my life that much.

For the more common case of a flurry of SSH session-initiation attempts, usually from the same IP address, I perform a WHOIS query against the address, check to see if I've corresponded with whoever is claimed to be responsible about this sort of thing before, and take one of a couple of steps:

* If this appears to be a repeat offender, I will use my judgement to determine whether to send a(nother) notification or not.
  If the allegedly-responsible party seemed at least marginally responsive, I'll probably send another note, along with the most recent log extracts. If they were less than marginally responsive, I do the above-sketched WHOIS queries and add the resulting CIDR blocks to table 1.

* If this appears to not be a repeat offender, I send a notification that the unwanted activity was noticed.

Some responses I get are clearly from auto-bots, and that's OK. Sometimes I get bounce-o-grams. My reaction to that is to immediately place all CIDR blocks I find that allegedly have the same "responsible party" in table 1. Thus, for example, any network I see that is part of CHINANET will be added to table 1 with no further attempt at correspondence. While I've not had the response that one correspondent cited (of verbal abuse or legal threats), I expect that were I to receive such a response, that would also warrant augmenting table 1.

I also keep copies of all such correspondence (when I send notifications, I Bcc: myself). And all of my notifications are signed (in the PGP/GPG sense).

In a similar vein, I look for odd-looking attempts to provoke my Web server into doing something I don't desire, and similarly attempt to notify the responsible folks. Again, a bounce-o-gram will get the CIDR blocks added to table 1, while too many repeats from the same netblock will get it added to table 3.

The basic idea should be apparent: if I can't report abuse involving the netblock in a way that I consider reasonable, I want nothing to do with them, and will take action accordingly. And for specific services that appear to be targeted, I will take steps to mitigate the exposure.

As for the mechanics, I've semi-automated the table updates, by using a fairly ugly, hacked-up combination of Makefiles, Perl scripts, and shell scripts that depends (in large part) on the meanings of command-line flags to FreeBSD's whois(1) program. I have one directory for each of the tables in question.
Each such directory contains:

* a Makefile

* a flat file named .table, which is an ordered list of CIDR blocks, one per line.

* subdirectories, each of which has a name corresponding to a registry-selection flag for whois(1), such as "a" (for ARIN), "A" (for APNIC), "f" (for AfriNIC), "l" (for LACNIC), or "r" (for RIPE).

Each entry in each of the subdirectories is a flat file containing an unordered list of CIDR blocks, one per line. For LACNIC subdirectories, the file name is typically an IPv4 address (in dotted-quad form); for the others, the file name is the Netname (e.g. CHINANET-SH).

The Makefile's default target is .table. The dependencies for .table are the subdirectories themselves; those for the subdirectories are the files within them. The action taken for each file that was updated more recently than its containing subdirectory is to perform a WHOIS query (using the name of the subdirectory as a registry-selecting command-line flag), then parsing the result to extract whatever appears to be a specification for the netblock, convert it to CIDR (if necessary) and update the file with it.

Note that the whois(1) program, when given a query such as "whois -A CHUNGHWA-TELECOM-TY-TW" may well return information on several netblocks/netranges; the approach used collects them all.

Lastly, all of the CIDR specifications are collected, ordered, and an attempt is made to remove duplicate specifications; the result replaces .table.

Practically speaking, to add (say) netname FOO from ARIN to table 1, I'd cd to the directory and:

* touch a/FOO
* touch a/FOO
* make
* sudo mk_table -t 1 !-2:$

(where "mk_table" is a shell script that actually adds the specified CIDR entries to the specified IPFW table. The duplication of the touch(1) invocation is to ensure that the mtime of the file is more recent than that of the subdirectory. Yeah, that's a hack.)
mk_table is also used during the boot process to initialize a given IPFW table from the contents of the .table for the table in question. (This reduces the time it would otherwise take to go read all of the files.)

There's a moderately-interesting side-effect in this: sometimes a would-be correspondent's domain's nameservers are in a netblock that I've dyked out of my view of the Net. In that case, sendmail (which I still use) refuses to accept the mail, as it can't resolve the sender's domain. Evidence to date suggests that (nearly?) all of these messages are actually spam; accordingly, I don't consider it a problem (for me, anyway).

One other noteworthy observation: I do not provide for a specific mechanism to remove entries. Should an occasion warrant, removing the appropriate file(s) (& re-creating the .table file) will deal with the next reboot, and I suppose I could issue the IPFW commands to delete entries within tables. But so far, I've had no such occasion present itself.

And I freely admit that I can get away with some of this because the only network I'm directly affecting is my own -- not a network I'm administering on behalf of someone else. So there are definite limitations on how readily something even vaguely like this might be implementable in many situations. But it might also encourage a bit of thought.... :-}

Peace,
david

-- 
David H. Wolfskill				david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.

From cariapa at yahoo.com Wed Jul 29 10:56:24 2009
From: cariapa at yahoo.com (Sandeep Cariapa)
Date: Wed, 29 Jul 2009 10:56:24 -0700 (PDT)
Subject: Do you care about WHOIS contact information?
Message-ID: <91564.6509.qm@web82603.mail.mud.yahoo.com>

Interesting responses...
I run ssh on a non-standard randomly generated port, use phrase authentication AND a private key :-)

Years ago, I left 22 open for a friend to log in, forgot to close it, and about 4 days afterwards found some clown was running spam from my poor server. I contacted the various ISPs he was coming in from but nobody cared.

David I commend you on your approach though.

Sandeep Cariapa

--- On Tue, 7/28/09, Guy B. Purcell wrote:

> From: Guy B. Purcell
> Subject: Re: Do you care about WHOIS contact information?
> To: "BayLISA"
> Date: Tuesday, July 28, 2009, 10:39 PM
>
> On Jul 23, 2009, at 6:32 AM, David Wolfskill wrote:
>
> [...brute force attack notification automation bits...]
>
> > Anyhow, I often get auto-responses; I also sometimes get a more
> > personal note of thanks from the other admins (e.g., when they find
> > out that they had a compromised host they didn't know about on their
> > network), so I believe it's a useful exercise in general.
> >
> > Sometimes, though, my notification message gets bounced -- e.g.,
> > with an equivalent of "no such mailbox" for each of the addresses
> > on the recipient list.
> >
> > Over the years, I've developed an approach for addressing (no pun
> > intended) this situation, but before I explain that, I'd like to
> > do a reality check and ask y'all what you (would) do about it.
>
> I have a couple thoughts :^)
>
> If you have things completely automated, you could tweak
> the system a bit to dump the addresses of those (under your
> current system) you *would* send a message to into
> files--one file per day (sort of like 'sar' does), then add
> a daily cron job that goes through the files for the
> previous N days & checks for repeat offenders (via some
> tunable criteria)--and sends messages only to *those* folks
> (and potentially auto-firewall the host for a while,
> too).
> This would likely significantly reduce the
> number of messages you send, thus the number of bounces you
> get from them, leaving you more able to deal with those
> bounces manually.
>
> Personally, I wish *everyone* had a similar system in
> place, but that's not likely to happen (*I* certainly don't
> have one, and don't have the time even to implement one
> handed to me, much less roll my own at this point; hmm, make
> a dandy summer project for my kid, though...).
> Unfortunately, I don't think it's likely to be able to scale
> as the Internet in general--and the bad guy population in
> particular--grows in its various ways (number of nodes,
> power of the nodes, speed of the connections, etc.), much as
> the spam problem ballooned. Eventually, I think trying
> to deal with this in a friendly manner will become
> impossible, much like dealing with spammers has :^(
>
> I *do* value whois data, BTW, which is why I still have my
> email address listed for my domains.
>
> -Guy
>
>

From sigje at sigje.org Fri Jul 31 17:53:50 2009
From: sigje at sigje.org (Jennifer Davis)
Date: Fri, 31 Jul 2009 17:53:50 -0700 (PDT)
Subject: Volunteers Needed for the Linux Picnic!!
Message-ID: <20090731174145.T2816@slick.sigje.org>

Hey folks,

It's Linux Picnic time! We do need some volunteers :) Please do spread the word to other groups that might be interested as this is a community run effort. August 15 is the date of the picnic.

How can you help? Come along and have fun :) (RSVP will be sent soon..)

1) BBQ-ers - people to man the grill stations
2) Food purchasers
3) Utensils to be used for the picnic
4) First Aid
5) Shuttlers

Jennifer
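The .table regeneration step that David Wolfskill describes earlier in this thread (take the netblocks a WHOIS query returns, convert ranges to CIDR, collect and de-duplicate them, then load the result into an IPFW table via mk_table), written out as an added example in Python. This is not David's Makefile/Perl/shell tooling: the WHOIS text is a constructed sample built from documentation address ranges, the handling of ARIN "NetRange:"/"CIDR:" lines and RIPE/LACNIC "inetnum:" values is an assumption about whois(1) output, and the ipfw commands are only rendered, never executed.

```python
import ipaddress
import re

# Constructed sample of what a netname query might return when it covers
# several netblocks (not real registry data; addresses are RFC 5737 test
# ranges). It mixes an ARIN-style record with RIPE/LACNIC-style inetnum
# values, one of which is not CIDR-aligned and one of which is already CIDR.
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET-A

inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-NET-B

inetnum:        198.51.100.64 - 198.51.100.191
netname:        EXAMPLE-NET-C

inetnum:        203.0.113.0/24
netname:        EXAMPLE-NET-D
"""

# Keys that carry a netblock specification (assumed format; case-insensitive).
_NETBLOCK_LINE = re.compile(r"^(?:inetnum|NetRange|CIDR):\s*(.+?)\s*$", re.I | re.M)


def parse_netblock(spec):
    """Turn one netblock spec ('a.b.c.d - w.x.y.z' or 'a.b.c.d/n') into a list
    of networks. A range that is not CIDR-aligned is split into the minimal
    set of CIDR blocks that covers exactly that range."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def extract_blocks(whois_text):
    """Collect every netblock spec in one WHOIS reply; a single query may
    describe several netblocks, and ARIN can list several CIDRs per line."""
    blocks = []
    for value in _NETBLOCK_LINE.findall(whois_text):
        for spec in value.split(","):
            if spec.strip():
                blocks.extend(parse_netblock(spec))
    return blocks


def build_table(whois_texts):
    """Equivalent of rebuilding .table from every file under the table's
    directory: merge all blocks, drop duplicates and blocks already covered
    by a larger one, and return them ordered, one CIDR string per entry."""
    all_blocks = []
    for text in whois_texts:
        all_blocks.extend(extract_blocks(text))
    return [str(net) for net in ipaddress.collapse_addresses(all_blocks)]


def ipfw_commands(table_no, cidrs):
    """Render the ipfw(8) invocations a mk_table-style loader would run to
    populate table `table_no`. Returned as strings so a caller can review
    them; nothing is executed here."""
    return ["ipfw table %d add %s" % (table_no, cidr) for cidr in cidrs]


if __name__ == "__main__":
    # Table 2 is the "no 22/tcp SYN from these" table in David's scheme.
    for cmd in ipfw_commands(2, build_table([SAMPLE_WHOIS])):
        print(cmd)
```

Because collapse_addresses keeps only the most general covering block, the overlapping EXAMPLE-NET-B and -C ranges end up as two entries rather than three, which is the de-duplication pass the .table rebuild performs.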