
More country blocking

After blocking China and Korea recently I have still been getting quite a bit of scans and unfriendly traffic, especially people trying to log into my SSH servers with simple user accounts like guest or by attempting root logins. It's purely automated and hits all my IP addresses. Most of it comes from Japan, so I decided it is time to rid my world of the Japanese as well.
The problem was getting a good source for IP ranges. It turns out Maxmind publish their GeoIP Free Country database in CSV format as well, so then it was just a matter of writing a tool to take their ranges of IPs, turn them into CIDR notation entries and produce ipfw commands from those.
I got a bit of code from Gary Colman to do the translation from ranges to CIDR notation and built that into my existing firewall builder script.

Blocked China and Korea

I blocked China and Korea off my machine yesterday around lunch time. After 24 hours with these rules in place I have blocked 3500 packets already, that's shocking!
I scripted it all to block these countries and also to block a number of other things like proxy scanners from IRC networks, Windows networking ports etc. I simply drop the rules into a set using ipfw and move the temp set over the old set to activate the new rules. It works a charm and enables me to rebuild the blocking rules regularly without disrupting my other rules.
Now I wonder what these 3500 packets were, so I might enable logging and do some stats on the stuff.
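The two posts above describe the same pipeline: take country IP ranges from a CSV, translate each range into CIDR blocks, emit ipfw deny rules into a staging set, and then swap that set over the live one. The script below is an added example of that pipeline and is not the author's firewall builder script or Gary Colman's code. It assumes the legacy GeoIP country CSV column layout (start IP, end IP, start number, end number, country code, country name); the sample rows are constructed and use private 10.x addresses rather than real GeoIP data. The set numbers, rule number and country codes passed to build_ipfw_commands are placeholders.

```python
"""Country-range CSV -> CIDR blocks -> ipfw deny rules loaded via a staging set.

Added example, not the blog's own script. CSV layout assumed:
  "start_ip","end_ip","start_num","end_num","country_code","country_name"
"""
import csv
import io
import ipaddress

# Constructed sample rows (private addresses, not real GeoIP data).
SAMPLE_CSV = """\
"10.0.0.0","10.0.0.255","167772160","167772415","JP","Japan"
"10.1.0.0","10.1.7.255","167837696","167839743","KR","Korea, Republic of"
"10.2.0.0","10.2.0.127","167903232","167903359","CN","China"
"10.3.0.0","10.3.255.255","167968768","168034303","AU","Australia"
"""


def ranges_for_countries(csv_text, countries):
    """Yield (start_ip, end_ip, country_code) for rows whose code is in `countries`."""
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5:
            continue  # blank or malformed row: skip rather than guess
        start_ip, end_ip, cc = row[0], row[1], row[4]
        if cc in countries:
            yield start_ip, end_ip, cc


def range_to_cidrs(start_ip, end_ip):
    """Split an inclusive address range into the minimal list of CIDR blocks.

    The standard library already implements the range-to-CIDR walk; ranges that
    are not aligned to a power of two come out as several blocks.
    """
    first = ipaddress.ip_address(str(start_ip))
    last = ipaddress.ip_address(str(end_ip))
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def build_ipfw_commands(csv_text, countries, rule_no, build_set, live_set):
    """Return the ipfw command lines that rebuild the country block list.

    Rules are added into `build_set` (which is cleared first), then
    `ipfw set swap` exchanges the build and live set numbers so the new rules
    go live in one step, and the old rules (now sitting in `build_set`) are
    deleted. Rules in other sets are never touched.
    """
    cmds = [f"ipfw delete set {build_set}"]  # drop leftovers from a previous build
    for start_ip, end_ip, cc in ranges_for_countries(csv_text, countries):
        cmds.append(f"# {cc} {start_ip}-{end_ip}")
        for cidr in range_to_cidrs(start_ip, end_ip):
            cmds.append(
                f"ipfw add {rule_no} set {build_set} deny ip from {cidr} to any"
            )
    cmds.append(f"ipfw set swap {build_set} {live_set}")  # activate the new rules
    cmds.append(f"ipfw delete set {build_set}")  # remove the previous rule set
    return cmds


if __name__ == "__main__":
    # Placeholder numbers: rule 5000, build set 30, live set 31.
    for line in build_ipfw_commands(SAMPLE_CSV, {"JP", "KR", "CN"}, 5000, 30, 31):
        print(line)
```

Piping the output into sh on the firewall host applies it; the same swap-and-delete sequence is what lets the block list be regenerated on a schedule without touching rules in any other set. Adding `log` to the deny action is the simplest way to answer the "what were those packets" question from the second post.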

Persistent port compile options

A while ago I was again frustrated by the limitations in FreeBSD ports. I did a few portupgrades on some software only to discover later on that I had not specified the same environment variables as the last time I did it; the result was a bunch of badly behaving ports.
After some discussion on IRC we all agreed it would be pretty simple to just store a per-directory environment somewhere. I mentioned this to Neil, who pointed me at penv.

penv is a utility which helps manage persistent per-directory environment settings. In other words, it saves you the trouble of setting or specifying the same environment variables over and over again when executing programs in a specific directory. The main reason for the initial development of penv was its use with the FreeBSD Ports Collection , but it may be used for other day-to-day tasks, too.

While this sounds very nice, it has some issues: if you install port A, which depends on port B, something has to run penv when building port B or it won't work. The penv author has a patch to make which works very nicely but is a bit drastic for my liking.
Some reading of the portupgrade man page got me to the -M command line option, which the man page describes as something to prepend to the command line of make. It did not sound right at the beginning, but eventually this turned out to be just the ticket.
In my /usr/local/etc/pkgtools.conf file I put the following:

PORTUPGRADE_ARGS = ENV['PORTUPGRADE'] || '-M penv'

and now for each port that I have specific build requirements I simply do:

# cd /usr/ports/net/centericq/
# penv -c mkdir
# penv -S WITH_MSN=1
# penv -L
WITH_MSN=1

And any further portinstall or portupgrade operations on the centericq port will always build it with MSN support.

SMTP Auth with Exim and Courier authdaemon

UPDATE: There is now an Official Exim FAQ Entry for this; you should use it for best results, as the method below does not work on all versions of authdaemon. If you were having issues with Debian and the solution below, look at the comments section for an update from Debian.
I have been meaning to get SMTP AUTH going on my server for a while; the few samples I saw for getting authdaemon and exim to talk to each other looked very nasty. Eventually Leon got one of my machines to work in a way that I quite liked, and this is my current setup in exim 4. All it requires is that the user exim runs as can read and write to the courier authdaemon socket.

# Unix clients
plain:
driver = plaintext
public_name = PLAIN
server_condition = \
${if eq {${readsocket{/usr/local/var/authdaemon/socket}\
{AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n}}}{FAIL\n} {no}{yes}}
server_set_id = $2
# Windows clients
login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
server_condition = ${if eq {${readsocket{/usr/local/var/authdaemon/socket} \
{AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n}}}{FAIL\n} {no}{yes}}
server_set_id = $1

Very nice and simple, now I can SMTP auth against my SQL and PAM based auth that is in use on my machines. Works well with Outlook and Evolution.
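To make the exchange in the config above concrete: readsocket connects to the authdaemon Unix socket, writes one request, closes its side for writing, reads the reply until EOF and then the condition compares that reply with the exact string FAIL followed by a newline; anything else counts as an accepted login. The script below is an added example that reproduces that exchange end to end; it is neither Exim's code nor the author's configuration. The request layout (AUTH, a byte count, then service, mode, user and password on their own lines) is copied from the readsocket expansion in the config. The responder is a constructed stand-in for authdaemon that only models the one thing the Exim condition checks, replying with FAIL on a bad login; the shape of its success reply and the user table are constructed placeholders, not authdaemon's real output.

```python
"""Reproduce the Exim <-> Courier authdaemon exchange used by the
server_condition above. Added example; the responder below is a constructed
stand-in for authdaemon, not the real daemon."""
import socket

# Constructed credential table for the stand-in daemon (not real accounts).
CONSTRUCTED_USERS = {"alice": "s3cret"}


def build_authdaemon_request(user, password, service="exim", mode="login"):
    """Build the request exactly as the config's readsocket expansion does:
    'AUTH <length>\\n' followed by service, mode, user and password lines.
    The length is taken in bytes, which is what ${strlen:...} yields for the
    ASCII input the config expects."""
    payload = f"{service}\n{mode}\n{user}\n{password}\n".encode()
    return b"AUTH %d\n" % len(payload) + payload


def authdaemon_accepts(response):
    """Mirror the Exim condition: reply == 'FAIL\\n' -> no, anything else -> yes."""
    return response != b"FAIL\n"


def fake_authdaemon(request):
    """Constructed stand-in for authdaemon: check the byte count, split the
    fields, look the user up and answer 'FAIL\\n' on any problem."""
    header, _, body = request.partition(b"\n")
    if not header.startswith(b"AUTH "):
        return b"FAIL\n"
    try:
        count = int(header[5:])
    except ValueError:
        return b"FAIL\n"
    if count != len(body):
        return b"FAIL\n"  # declared length and body disagree
    fields = body.split(b"\n")
    if len(fields) != 5 or fields[4] != b"":
        return b"FAIL\n"  # wrong field count (e.g. a newline inside a field)
    service, mode, user, password = (f.decode("ascii", "replace") for f in fields[:4])
    if mode != "login" or CONSTRUCTED_USERS.get(user) != password:
        return b"FAIL\n"
    # Placeholder success reply; real authdaemon output is not modelled here.
    return b"USERNAME=%s\n.\n" % user.encode()


def smtp_auth_check(user, password, responder=fake_authdaemon):
    """Run the full exchange over a socketpair, the way readsocket does over
    the Unix socket: send, half-close, read the reply to EOF, then decide."""
    client, server = socket.socketpair()
    try:
        client.sendall(build_authdaemon_request(user, password))
        client.shutdown(socket.SHUT_WR)  # readsocket closes its write side here
        request = b""
        while chunk := server.recv(4096):
            request += chunk
        server.sendall(responder(request))
        server.close()  # EOF tells the client the reply is complete
        response = b""
        while chunk := client.recv(4096):
            response += chunk
    finally:
        client.close()
        server.close()
    return authdaemon_accepts(response), response


if __name__ == "__main__":
    for user, password in [("alice", "s3cret"), ("alice", "wrong"), ("bob", "x")]:
        ok, reply = smtp_auth_check(user, password)
        print(f"{user}/{password}: {'yes' if ok else 'no'} ({reply!r})")
```

Two things the example makes visible that the config hides: the byte count in the header is what lets the daemon reject a request whose body is shorter or longer than declared, and the condition's only negative signal is the literal FAIL reply, so a daemon version that phrases a refusal differently would be treated as success by this condition. That is the kind of version difference the UPDATE at the top of the post warns about, and why the official FAQ entry is the safer choice.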

Analysis of 55 000 Spam Mails

I handle mail for about 40 domains on my servers at the moment, some are secondary and some are primary, they all get spam.

I have been keeping close track of all emails in and out of my machine. I keep lots of meta information about these emails including to, from, sender hostname, subject, attachments, time spent processing, whether it is spam or not etc. I do this partly because there are certain legal requirements for this to be done in the EU and because I like the kind of stats I can pull out of this.

It has now been a year since I started keeping these stats and my SpamAssassin has tagged 55 000 emails as spam. I religiously check my own spam folder for false positives and do not find many, but I am aware of some HTML newsletters that get tagged as spam when they shouldn't be. Overall though I believe that my tagging is fairly accurate.

What follows in the extended entry is a bit of analysis I did on this data to find out what ISPs, countries and so forth are to blame for this plague.

It is important to note that I am not setting out to have a hugely scientific approach to this or even a highly accurate one. If there were a very accurate way to identify spam we would not have a problem with it, this is merely interesting observations made on a small system.


gmane.org NNTP 2 RSS converter

Ever since I started using Sharpreader I have been missing out on some feeds I used to read. Newzcrawler has the ability to read NNTP and show it in the same style of interface as RSS feeds, which is really nice for reading mailing lists via gmane.org's SMTP to NNTP service.
At the moment I read FreeBSD Stable, FreeBSD Security Announce, NT Bugtraq and Bugtraq through gmane.org, so you can understand that it was rather traumatic to lose this ability.
