Re: Man, they'll try anything to hack your system...
On Thursday 26 January 2006 14:49, Thomas Charron wrote:
> On 1/25/06, Paul Lussier [EMAIL PROTECTED] wrote:
> > Oy. I almost never look at my apache logs. I probably should, but I don't. Tonight I was perusing them and noticing the activity in the access.log and was amazed at the things these people try:
>
> I enjoy poking at any sort of logs for something connected to the net nowadays. The sheer amount of SSH attempts per day boggles the mind. A week or so ago I set up a new box on a VMWare instance, and just forwarded port 22. *wham* Billions of login attempts from all over the world..

Yep. Which is largely why I moved my ssh off of port 22. Ssh attacks went to zero after that. There's a V.1 vulnerability that was exploited once, so I now make sure V.1 ssh is disabled.

As far as apache logs, for my major websites, I do keep a "ssh [EMAIL PROTECTED] tail -f logfile" running for both access and error logs. The error logs are highly amusing. Constant queries for non-existent pages and directories for some of the most popular web-based software. It's nice, though, seeing the queries happen in realtime, as I learn a lot that way.

Bot activity represents 90+% of the traffic, and there are all kinds of bots that I had never seen before, along with the usual Slurps, GoogleBots, and MSNBots that are my friends. I've been debating if I should disallow all the other bots since they do put quite a load on my servers.

I've gotten comments from some others that watching the logs in realtime is very Matrix-like, though I have yet to see the blonds, brunettes, and red-heads in them! ;-)

-Fred

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: Cohosting around Lebanon - suggestions?
Christopher Schmidt writes:
> On Fri, Jan 27, 2006 at 01:05:22AM -0500, Ken D'Ambrosio wrote:
> > On Thu, January 26, 2006 11:54 pm, Bill McGonigle wrote:
> > > We'd probably want to fund a terminal server/remote power unit to share for decent non-driving management. I have a Zyplex with lots of serial ports but it only speaks telnet, so there would be need for a pokey ssh box in front of it, which might not be worth another U.
> >
> > Somewhere, I've got a power strip that allows remote access. Not sure what protocols it speaks. I think it's an APC, so that probably says something to someone. I'd be glad to contribute it for this project; I imagine poking around with the docs could get it up and running fairly quickly. [I, too, have an older-than-death Ethernet-to-RS-232 gizmo. Since it actually has an AUI port, in addition to the 10-Base-T port, I imagine it only supports telnet.]
>
> Presumably this is an APC Masterswitch. I actually wrote a perl script to talk to one of those things at Wedu. They're typically pretty simple: You telnet in, you can get a status of plugs, you can turn them off or on or cycle. We used it to do our heartbeat STONITH (Shoot the Other Node In the Head) step. Worked pretty well when we wanted to kill a machine and didn't want to drive to the colo (even though it was only a mile away).
>
> It does only support telnet, and only 8 char passwords at that. (At least, ours does.) Note that this was determined by trial and error, and was not documented anywhere obvious.

APC Masterswitches can also be controlled via snmp, which is how I control mine. See http://centerclick.org/temp/ms-reboot

Also, I have a spare 24port 10/100 managed rackmount ethernet switch that I can bring along. It supports dot1q so we could use a separate vlan for local equipment such as masterswitch/console server/etc..

-- Dave
Re: Cohosting around Lebanon - suggestions?
I might be interested in rackspace as well... the downside is I'm using 70+ GB of transfer a month already, it might be best just to stay with my dedicated server.

--Drew Van Zandt
Sensatronics LLC
Disallowing bots (was Re: Man, they'll try anything to hack your system...)
Fred wrote:
> I've been debating if I should disallow all the other bots since they do put quite a load on my servers.

My understanding is that you do this with robots.txt, which the bots and spiders read. So it's basically an honor system that keeps out the good ones. How do you keep out the bad ones, the ones that ignore robots.txt?

Larry
Re: Man, they'll try anything to hack your system...
On 1/27/06, Fred [EMAIL PROTECTED] wrote:
> On Thursday 26 January 2006 14:49, Thomas Charron wrote:
> > On 1/25/06, Paul Lussier [EMAIL PROTECTED] wrote:
> > > Oy. I almost never look at my apache logs. I probably should, but I don't. Tonight I was perusing them and noticing the activity in the access.log and was amazed at the things these people try:
> >
> > I enjoy poking at any sort of logs for something connected to the net nowadays. The sheer amount of SSH attempts per day boggles the mind.
>
> Yep. Which is largely why I moved my ssh off of port 22. Ssh attacks went to zero after that. There's a V.1 vulnerability that was exploited once, so I now make sure V.1 ssh is disabled.

Personally, I'm just leaving it there. If the machine happens to get compromised, I have VMWare taking a snapshot each day, and I store a few days' worth of snapshots, and once a week keep a snapshot that I'll keep for a month. If/when it gets compromised, I can just revert to a previous snapshot. Since the nature of the box is development, it should be ok.

> I've gotten comments from some others that watching the logs in realtime is very Matrix-like, though I have yet to see the blonds, brunettes, and red-heads in them! ;-)

Hehehe. Well, sometimes, you can see where they're coming from, and I do tend to look at, say, french IPs wearing a little hat, etc.. ;-)

Thomas
Re: Disallowing bots (was Re: Man, they'll try anything to hack your system...)
On Jan 27, 2006, at 10:41, Larry Cook wrote:
> How do you keep out the bad ones, the ones that ignore robots.txt?

The bad ones usually _read_ robots.txt to figure out where the juicy stuff is. So you can do:

  Disallow: /robottrap.html

And then have something tail your access log and instantly iptables anything that accesses /robottrap.html.

-Bill

-
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
[EMAIL PROTECTED]               Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
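The "tail the access log and firewall whoever touches the trap" idea above, written out as an added example (mine, not Bill's or anything from the list). It assumes Apache's "combined" log format, a trap path of /robottrap.html that robots.txt disallows, and iptables as the blocking tool; the allowlisted networks and the log lines are constructed for the example. Rules are returned as strings rather than executed, so the caller decides what to do with them, and sources on the allowlist (your own LAN, a monitoring host) are never blocked even if they fetch the trap page.

```python
"""Detect clients that fetch a robots.txt trap path and build the iptables
rules that would block them. Added example; not code from the thread.

Assumptions (not from the post): combined log format, trap path
/robottrap.html, iptables for blocking. Nothing here runs a command.
"""
import ipaddress
import re

TRAP_PATH = "/robottrap.html"   # the path listed under Disallow: in robots.txt

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Sources that must never be blocked, even if they trip the trap
# (constructed values: an internal LAN and a monitoring subnet).
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowlisted(ip):
    """True if the client address falls inside one of the ALLOWLIST networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWLIST)


def find_trap_hits(lines, trap_path=TRAP_PATH):
    """Return the set of client IPs that requested the trap path.

    The query string is stripped so /robottrap.html?x=1 still counts, and
    unparseable lines are skipped rather than crashing the loop.
    """
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path == trap_path and not is_allowlisted(rec["ip"]):
            hits.add(rec["ip"])
    return hits


def iptables_rules(ips):
    """One DROP rule per offending IP, sorted so the output is stable."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(ips)]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jan/2006:10:41:00 -0500] "GET /robots.txt HTTP/1.0" 200 45 "-" "BadBot/0.1"',
    '203.0.113.7 - - [27/Jan/2006:10:41:01 -0500] "GET /robottrap.html HTTP/1.0" 200 312 "-" "BadBot/0.1"',
    '198.51.100.9 - - [27/Jan/2006:10:42:13 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [27/Jan/2006:10:43:02 -0500] "GET /robottrap.html?id=3 HTTP/1.1" 404 0 "-" "curl/7.15"',
    '10.0.0.5 - - [27/Jan/2006:10:44:00 -0500] "GET /robottrap.html HTTP/1.1" 200 312 "-" "nagios-check"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    # In production, feed this the lines from a "tail -f" pipe instead.
    for rule in iptables_rules(find_trap_hits(SAMPLE_LOG)):
        print(rule)
```

Two practical caveats: a rule inserted at the head of INPUT is permanent until someone removes it, so a real deployment should expire entries (a dedicated chain or an ipset with a timeout), and the trap page should be excluded from your sitemap and any in-page links so that a legitimate crawler honoring robots.txt never reaches it.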
Re: Man, they'll try anything to hack your system...
In the vein of "Strange things seen on the Internet", I'm noticing a few domains have MXes pointing to hosts with addresses in RFC-1918 private IP address space. I noticed this because our mail server was trying to send DSN bounce messages to the domains, and so was trying to connect to some hosts with bogon IP addresses. Our firewall caught it and dropped it, and since it was from our server, it was highlighted in a log report.

Anyone else seen this? Is it just net.stupidity on the part of some mail server operators somewhere, or are spammers/attackers trying something new?

-- Ben
Re: Man, they'll try anything to hack your system...
On Fri, Jan 27, 2006 at 01:13:46PM -0500, Ben Scott wrote:
> In the vein of "Strange things seen on the Internet", I'm noticing a few domains have MXes pointing to hosts with addresses in RFC-1918 private IP address space. I noticed this because our mail server was trying to send DSN bounce messages to the domains, and so was trying to connect to some hosts with bogon IP addresses. Our firewall caught it and dropped it, and since it was from our server, it was highlighted in a log report.

Perhaps the domains use mail only internally? So I could set up mail for crschmidt.net to point to a local mail host and only people at 'home' could deliver to that address usefully?

--
Christopher Schmidt
Web Developer
Re: Man, they'll try anything to hack your system...
Ben Scott wrote:
| In the vein of "Strange things seen on the Internet", I'm noticing a few domains have MXes pointing to hosts with addresses in RFC-1918 private IP address space. I noticed this because our mail server was trying to send DSN bounce messages to the domains, and so was trying to connect to some hosts with bogon IP addresses. Our firewall caught it and dropped it, and since it was from our server, it was highlighted in a log report.
|
| Anyone else seen this? Is it just net.stupidity on the part of some mail server operators somewhere, or are spammers/attackers trying something new?

I've seen that for several years. It appears to be a technique used by spammers/crackers. I suspect it is coupled with another attack/scoping vector, but I haven't delved very deeply.

--Bruce
Re: Man, they'll try anything to hack your system...
On 1/27/06, Bill McGonigle [EMAIL PROTECTED] wrote:
> Now that you mention it, I've seen a few in the past few days with no MX records for the sending domain, even with a PTR record for the sending host. Not the same, but similarly strange and recent.

Well, the RFCs say that if there is no MX record for a domain, but there is an A record, treat the A record as if one had specified it as an MX host. A lot of people aren't aware of that when they configure their www.foo.com domains and see mail attempts coming to their web server.

> All that said, somebody might have just messed up their BIND views.

Or just be dumb. I can see people adding their private address space servers and wondering why they don't get any mail. :-)

-- Ben
Re: Man, they'll try anything to hack your system...
On Jan 27, 2006, at 13:30, Bill McGonigle wrote:
> I'd be happy to add a SpamAssassin or postfix rule to ignore mail from senders with no reachable MX for a reply.

Found this for postfix:

  smtpd_sender_restrictions = reject_unknown_sender_domain

  Reject the request when the sender mail address has no DNS A or MX record. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.

I bet the code for this directive could be adapted pretty easily to check for the three private ranges - call it reject_private_sender_mx or some such. I'd give it a shot but I'm not on a current postfix quite yet.

-Bill
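An added example (mine; not Postfix code and not from anyone on the list) of the policy check Bill sketches under the hypothetical name reject_private_sender_mx, covering both the RFC-1918 MX hosts Ben saw and the no-MX-but-A-record fallback Ben describes. The DNS answers are a constructed table so it runs offline; a live version would do real MX and A lookups in their place. The "three private ranges" are tested explicitly against RFC 1918 (plus loopback and link-local, my addition) rather than with Python's is_private, which also flags the documentation networks used for the sample data.

```python
"""Classify a sender domain by where its mail exchangers actually point.
Added example; not the Postfix implementation and not from the thread.

Assumptions: DNS answers come from the constructed MX_RECORDS/A_RECORDS
tables below (a live check would query DNS); "non-routable" means RFC 1918,
loopback, or link-local.
"""
import ipaddress

NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # the three RFC 1918 ranges
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
)]

# Constructed DNS data (not real domains' records).
# MX: domain -> list of (preference, host); absent key or [] = no MX record.
MX_RECORDS = {
    "example.com":      [(10, "mx1.example.com"), (20, "mx2.example.com")],
    "intranet.example": [(10, "mail.intranet.example")],
    "mixed.example":    [(10, "mx-pub.mixed.example"), (20, "mx-int.mixed.example")],
    "nomx.example":     [],
}
# A: host -> list of addresses.
A_RECORDS = {
    "mx1.example.com":       ["192.0.2.10"],
    "mx2.example.com":       ["192.0.2.11"],
    "mail.intranet.example": ["10.1.2.3"],
    "mx-pub.mixed.example":  ["198.51.100.25"],
    "mx-int.mixed.example":  ["172.16.0.25"],
    "nomx.example":          ["203.0.113.5"],
    "www.onlya.example":     ["203.0.113.80"],
}


def mail_hosts(domain, mx=MX_RECORDS, a=A_RECORDS):
    """Hosts that receive mail for the domain: its MX hosts in preference
    order, or (the fallback the RFCs describe) the domain itself when it
    has an A record but no MX."""
    records = mx.get(domain, [])
    if records:
        return [host for _, host in sorted(records)]
    return [domain] if domain in a else []


def is_routable(addr):
    """True unless the address lies in one of the NON_ROUTABLE networks."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def classify_sender_domain(domain, mx=MX_RECORDS, a=A_RECORDS):
    """Return one of:
       'unknown' - no usable MX or A record (what reject_unknown_sender_domain catches)
       'private' - every mail host resolves only to non-routable addresses
       'partial' - a mix, e.g. a public primary MX with an internal secondary
       'ok'      - every mail host has a routable address
    """
    hosts = mail_hosts(domain, mx, a)
    addrs = [addr for host in hosts for addr in a.get(host, [])]
    if not addrs:
        return "unknown"
    bad = [addr for addr in addrs if not is_routable(addr)]
    if not bad:
        return "ok"
    return "private" if len(bad) == len(addrs) else "partial"


def should_reject(domain, mx=MX_RECORDS, a=A_RECORDS):
    """Policy: reject senders we could never reply to. A mixed public/
    private MX set is still reachable, so it is accepted."""
    return classify_sender_domain(domain, mx, a) in ("unknown", "private")


if __name__ == "__main__":
    for d in ("example.com", "intranet.example", "mixed.example",
              "nomx.example", "www.onlya.example", "nothing.example"):
        print("%-20s %-8s reject=%s" % (d, classify_sender_domain(d), should_reject(d)))
```

The "partial" class is deliberately accepted: it is exactly the split arrangement where a domain lists a public MX first and an internal one second so that its own NAT'd hosts can fall back to the private address, and mail from such a domain is still answerable. A live version should also copy Postfix's behaviour on DNS trouble, returning a temporary 450 on a lookup error rather than a permanent rejection, since a resolver hiccup is not evidence of a bogus sender.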
Re: Man, they'll try anything to hack your system...
On Jan 27, 2006, at 13:13, Ben Scott wrote:
> Anyone else seen this? Is it just net.stupidity on the part of some mail server operators somewhere, or are spammers/attackers trying something new?

Now that you mention it, I've seen a few in the past few days with no MX records for the sending domain, even with a PTR record for the sending host. Not the same, but similarly strange and recent. I'd be happy to add a SpamAssassin or postfix rule to ignore mail from senders with no reachable MX for a reply.

All that said, somebody might have just messed up their BIND views.

-Bill
Re: Man, they'll try anything to hack your system...
On Friday 27 January 2006 01:13 pm, Ben Scott wrote:
> Anyone else seen this? Is it just net.stupidity on the part of some mail server operators somewhere, or are spammers/attackers trying something new?

I can imagine a scenario where this may be helpful to people. Can't imagine a way to misuse that sort of entry, but imagine that a company has a mail server on an internal IP address that receives incoming traffic from the outside world through NAT. So that external address gets NAT'd down to the internal address.

Any servers on that internal network that try to send email to their domain, looking up the external IP, and try to connect. Because of the NAT, then that may be difficult to route properly. Even if they can the NAT to translate the stream to the mail server, the mail server will likely just reply directly to the internal address of the client server because that's the source of the incoming connection post-NAT. This will cause connections to fail and hang and all that stuff.

If however, they have an MX record for both the internal and external IP addresses and don't setup anything to allow routing from inside to the public IPs, then those machines that might try to connect to it will fail to connect to the first MX record (the public IP) and fall back to the secondary MX record (internal).

It's a hack, but if you don't have good DNS views setup or have difficult routing with NAT without the ability to do two-way NAT, then it should work.

-N
PHP Templates and/or Web Frameworks
Working on my third major PHP application, and it's time to stop re-inventing the wheel. I'd welcome some recommendations on tools, templates and/or frameworks.

I've got a couple of simple PHP apps in production. Lotsa data, simple layout. These were ugly but workable apps, where the client was delighted with tables in black, border 1 with white backgrounds. Just the facts, ma'am. That much artistic talent I have.

The next client is interested in a public-facing application, with lots of data and dynamically generated pages. Ideally, I'd like a templating engine or web framework where the business logic can be encapsulated separately from the interface, and the interface portions could be edited by a graphic designer with his or her choice of tools (Dreamweaver, GoLive, Mozilla, etc.).

I've played around with PEAR's HTML_Template_ITX and they look okay. A peek at SourceForge tells me that everyone has written a framework, "version Zero-Point-Four, fast approaching version one" as one page put it. No surprise there. I'd welcome recommendations from those who have actually shipped an app based on a PHP framework or templating package they'd recommend (or warn me off!).

Basic specs: XHTML 1.0, CSS, data entry/CRUD application with MySQL 4.1x as backend, managed hosted RHEL4 dedicated server environment.

Ted Roche
Ted Roche Associates, LLC
http://www.tedroche.com