Archive for the ‘Geek’ Category
Dimebag and the Shitpickers
20:10 Dimey: manus i had to do something terrible earlier :/
20:10 nick: lol
20:10 nick: explain plz
20:10 nick: you left us hanging before :/
20:10 Dimey: i was on the loo, having not gone for 7 days before
20:10 nick: o_O
20:10 Dimey: so it's fair to say with all the codeine i was “bunged up”
20:10 nick: lol
20:10 Dimey: after about 15 mins i decided a bit of intervention was necessary to proceed
20:10 Dimey: so i had to scoop the shit out of my own ass with my middle finger :(
Burn Pigs Burn
So while our beleaguered police force is being told not to bother prosecuting certain crimes (knife-related ones, for example) because of prison overcrowding, it is instead concentrating its efforts on filling the last few remaining places by catching the most heinous, nefarious, despicable and despised people society has had the arrogance to cough up: people who share music.
Cleveland police have today confirmed that six people have been arrested for allegedly sharing music files via the defunct BitTorrent tracker OiNK.cd.
More over here. Unreal.
And on the subject of sharing, here’s something worth listening to.
Stopping brute force SSH attacks with pf
pf, which originated from the OpenBSD project, is easily one of the most elegant firewalling solutions I’ve ever come across. Check this example out. I was getting pretty tired of all the SSH dictionary-type attacks on our new box - a problem compounded by the fact that we’re running various jails and so multiple instances of sshd - and so I looked for an easy way to stop this. The obvious solution is to move sshd off port 22, but I couldn’t be bothered with the user education needed for that to happen. Another option is to use something like DenyHosts, but as that has its own history of security vulnerabilities I decided against that as well.
Enter pf, and a trivial rule such as this:
pass in on $ext_if inet proto tcp from any to { $fork, <jails> } port ssh \
flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/40, \
overload <bruteforce> flush global)
So we have a table called ‘jails’ which contains the IP address of each hosted jail, and a persistent table called ‘bruteforce’. SSH to port 22 is allowed; however, if there are more than 15 simultaneous connections from one source, or if the connection rate from a source exceeds 5 every 40 seconds, that source is stuck into the ‘bruteforce’ table. And right at the top, we have:
block quick from <bruteforce>
So they’re instantly blocked and tracked for future reference. A few days later…
$ sudo pfctl -t bruteforce -Tshow | wc -l
130
So 130 IP addresses caught and tracked. Nice.
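To make the two thresholds in the rule concrete, here is an added Python model (written for this page, not code from the original post and not pf’s own implementation) of how a source ends up in <bruteforce>: it applies max-src-conn 15, max-src-conn-rate 5/40, the flush global state kill and the block quick rule to constructed connection events. The addresses are RFC 5737 documentation ranges, and pf’s exact internal accounting is assumed to match this simplified sliding window.

```python
from collections import defaultdict

# Thresholds taken from the pf rule discussed above.
MAX_SRC_CONN = 15              # max-src-conn: simultaneous states per source
RATE_CONNS, RATE_SECS = 5, 40  # max-src-conn-rate 5/40: new connections per 40 s

def simulate(events):
    """Model the overload decision for a time-ordered list of
    (seconds, src_ip, 'open'|'close') events. Returns the bruteforce table and
    a list of (seconds, src_ip, verdict) for every 'open' event."""
    bruteforce = set()
    active = defaultdict(int)    # current state entries per source
    recent = defaultdict(list)   # timestamps of opens still inside the rate window
    verdicts = []
    for t, src, kind in events:
        if kind == "close":
            active[src] = max(0, active[src] - 1)
            continue
        if src in bruteforce:    # 'block quick from <bruteforce>' is evaluated first
            verdicts.append((t, src, "blocked"))
            continue
        recent[src] = [x for x in recent[src] if t - x < RATE_SECS] + [t]
        active[src] += 1
        if active[src] > MAX_SRC_CONN or len(recent[src]) > RATE_CONNS:
            bruteforce.add(src)  # overload <bruteforce>
            active[src] = 0      # flush global: all of this source's states are killed
            recent[src] = []
            verdicts.append((t, src, "overload"))
        else:
            verdicts.append((t, src, "pass"))
    return bruteforce, verdicts

def demo():
    """Constructed traffic (RFC 5737 documentation addresses, not real hosts)."""
    events = []
    # dictionary attack: a new connection every 3 s, each closed 1 s later
    for i in range(7):
        events += [(3 * i, "203.0.113.7", "open"), (3 * i + 1, "203.0.113.7", "close")]
    # a legitimate admin logging in three times over a few minutes
    events += [(t, "198.51.100.2", "open") for t in (5, 120, 240)]
    # a slow source holding 16 sessions open at once, started 10 s apart
    events += [(1000 + 10 * i, "192.0.2.9", "open") for i in range(16)]
    events.sort(key=lambda e: e[0])
    return simulate(events)

if __name__ == "__main__":
    table, verdicts = demo()
    print("bruteforce table:", sorted(table))
    for v in verdicts:
        print(v)
```

The dictionary attacker trips the rate limit on its sixth connection inside 40 seconds and is then blocked outright, the slow source trips max-src-conn on its sixteenth concurrent session without ever exceeding the rate, and the admin’s three spaced-out logins pass.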
Hosting Update
We’re now 95% live with the new hosting arrangement. Everything is sat on a not-so-shiny IBM x330 which is a dual 1.3GHz P3, 1GB of ECC RAM, 400GB of mirrored storage, and FreeBSD 6. I’ve migrated across pretty much all of the e-mail setup, some people’s websites, and of course my own personal stuff - which includes me using lighttpd instead of Apache httpd within my jail, and it’s a hell of a lot faster. The bandwidth and dedicated server performance helps matters as well though :)
Moving forward I’ll probably set up a mailing list so that people hosted on this new box can be easily notified of any work / outages, and I’ve been threatening to resurrect the old freebsd.cx website as I know you can import old PHPNuke sites into WordPress…