Archive for May, 2009

SSH Security with Fail2Ban on Gentoo

I accidentally looked at my syslog messages on my home (Gentoo) Linux server and found that there were thousands of SSH connection attempts from all over the world: people trying to brute-force my root password. The worst bit was that it was filling up my logs and causing lots of things to die when the computer ran out of disk space. It took a bit of playing around to get this to stop, but in case you run across the same situation, I’ve documented what I did:

  • Make sure you have the tcpd USE flag set on net-misc/openssh, so that sshd is built with TCP wrappers support and honours /etc/hosts.deny, which is where fail2ban will write its bans. If you don’t, the easiest way to add it is echo "net-misc/openssh tcpd" >> /etc/portage/package.use, followed by emerge --newuse net-misc/openssh to rebuild sshd with it.
  • Emerge fail2ban: emerge net-analyzer/fail2ban
  • If you’re using syslog-ng, send the sshd messages to a file of their own, so that fail2ban only has to scan sshd lines instead of the whole syslog, by adding the following lines to /etc/syslog-ng/syslog-ng.conf. Put this log statement before your catch-all one: flags(final) stops later log statements from seeing these messages, which also means sshd lines will no longer appear in /var/log/messages.
    filter f_sshd {match('^sshd\[[0-9]+\]:'); };
    destination sshd { file("/var/log/sshd.log"); };
    log { source(src); filter(f_sshd); destination(sshd); flags(final); }
    The program() filter, filter f_sshd { program("sshd"); };, does the same job without depending on how your syslog-ng version applies match() to the message.
  • Enable the ssh-tcpwrapper jail in /etc/fail2ban/jail.conf and check that logpath points at the log file you just created. With action = hostsdeny, fail2ban bans an address by appending it to /etc/hosts.deny, which is why sshd needs TCP wrappers support. Leave maxretry and bantime at their defaults unless you have a reason to change them. The jail should end up looking something like

    [ssh-tcpwrapper]
    enabled = true
    filter = sshd
    action = hostsdeny
    logpath = /var/log/sshd.log
  • Create the hosts allow/deny files if you don’t have them already (the hostsdeny action appends to /etc/hosts.deny, so it must exist) with the following commands:

    touch /etc/hosts.allow
    touch /etc/hosts.deny
    chmod 644 /etc/hosts.allow
    chmod 644 /etc/hosts.deny
    Before starting fail2ban, also add the address or network you administer from to ignoreip in the [DEFAULT] section of jail.conf (e.g. ignoreip = 127.0.0.1 192.168.1.0/24), so that a few mistyped passwords from your own machine cannot lock you out.
  • Reload syslog-ng, restart sshd, then start fail2ban and add it to the default runlevel:
    /etc/init.d/syslog-ng reload
    /etc/init.d/sshd restart
    /etc/init.d/fail2ban start && rc-update add fail2ban default

That should do it. Banning only slows the scanners down, though, so I also recommend disabling root login (PermitRootLogin no) and password authentication (PasswordAuthentication no, once key-based login is working) in your /etc/ssh/sshd_config file. Check as well that the new /var/log/sshd.log is covered by your logrotate configuration, so that it cannot fill the disk the way syslog did.
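To show what the jail above actually does with those log lines, here is an added example, not fail2ban’s own code, that mimics its sshd filter and hostsdeny action: it counts failed logins per source address inside a sliding window (fail2ban’s findtime), bans an address once it reaches maxretry, honours an ignoreip list, and prints the hosts.deny entries. The log lines are constructed for the demo, the year is assumed (syslog lines carry none), the LAN range in ignoreip and the sshd: daemon name in the hosts.deny entries are my choices, and the regex deliberately handles the case where a client-supplied user name is logged verbatim and contains a fake "from <ip>".

```python
"""Fail2ban-style scan of sshd log lines (added example, not fail2ban's code)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# One line as written to /var/log/sshd.log: "Mon DD HH:MM:SS host sshd[pid]: text"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)

# sshd's failed-login message.  The user name is client supplied, so anchor on
# the *last* "from <ip> port <n> ssh2" rather than the first "from": a user
# name of "x from 10.9.8.7 port 1 ssh2" must not make us ban 10.9.8.7.
FAILED_LOGIN = re.compile(
    r"^Failed password for (?:invalid user )?.+ from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample of the file the syslog-ng rule above writes.
SAMPLE_LOG = """\
May 12 03:14:01 box sshd[2101]: Invalid user admin from 203.0.113.5
May 12 03:14:01 box sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4123 ssh2
May 12 03:14:03 box sshd[2104]: Failed password for root from 203.0.113.5 port 4130 ssh2
May 12 03:14:05 box sshd[2107]: Failed password for root from 203.0.113.5 port 4141 ssh2
May 12 03:14:07 box sshd[2110]: Accepted publickey for alice from 192.168.1.20 port 51022 ssh2
May 12 03:15:00 box sshd[2113]: Failed password for bob from 192.168.1.20 port 51030 ssh2
May 12 03:15:02 box sshd[2114]: Failed password for bob from 192.168.1.20 port 51031 ssh2
May 12 03:15:04 box sshd[2115]: Failed password for bob from 192.168.1.20 port 51032 ssh2
May 12 03:15:06 box sshd[2116]: Failed password for bob from 192.168.1.20 port 51033 ssh2
May 12 03:16:00 box sshd[2118]: Failed password for invalid user x from 10.9.8.7 port 1 ssh2 from 192.0.2.77 port 4150 ssh2
May 12 03:20:00 box sshd[2120]: Failed password for root from 198.51.100.9 port 2200 ssh2
May 12 03:40:00 box sshd[2130]: Failed password for root from 198.51.100.9 port 2201 ssh2
May 12 04:00:00 box sshd[2140]: Failed password for root from 198.51.100.9 port 2202 ssh2
"""


def extract_ip(msg):
    """Return the attacker's address from a failed-login message, or None."""
    m = FAILED_LOGIN.match(msg)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:          # not an address at all: never ban garbage
        return None


def scan(log_text, maxretry=3, findtime=600,
         ignoreip=("127.0.0.0/8", "192.168.1.0/24"), year=2009):
    """Return the addresses to ban, in the order they crossed maxretry.

    ignoreip defaults to loopback plus an assumed LAN (fail2ban's ignoreip
    setting) so a few typos from your own machine never lock you out.
    """
    ignore_nets = [ipaddress.ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)     # ip -> timestamps of failures in window
    banned = []
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        ip = extract_ip(m.group("msg"))
        if ip is None or ip in banned:
            continue
        if any(ipaddress.ip_address(ip) in net for net in ignore_nets):
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        window = recent[ip]
        window.append(ts)
        # Forget failures older than findtime before deciding (sliding window).
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(ip)
    return banned


def hosts_deny_lines(banned):
    """The entries the hostsdeny action appends to /etc/hosts.deny (daemon: sshd)."""
    return ["sshd: %s" % ip for ip in banned]


if __name__ == "__main__":
    for entry in hosts_deny_lines(scan(SAMPLE_LOG)):
        print(entry)
```

Run against the sample, only 203.0.113.5 is banned: bob’s four failures come from the ignored LAN, and 198.51.100.9 spreads its three attempts over forty minutes, outside the ten-minute window, which is exactly the slow scanning that a short findtime misses and a longer one catches.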


Voice chat in Facebook Chat???

So I was looking through the debug logs for Facebook Chat and stumbled upon this:

"enableVC":false

in all the users’ properties. Does VC stand for voice chat? Let’s wait and see 🙂

Edit: It gets even better. There are lots of “POPOUT_TYPE_VIDEOCHAT” and “if (this.inVideoChat)” strings in the Facebook JavaScript source.


Gzip Encoding

On PHP pages that I get control over, one of the first things I do is add gzip encoding. This compresses the text of the page for browsers that can handle it, which really reduces network traffic and significantly speeds up page download times on dial-up (and broadband) connections.

In PHP this is really easy; it’s just one line of code at the top of the page:

ob_start('ob_gzhandler'); // must run before any output is sent; ob_gzhandler checks the client's Accept-Encoding itself

But until now, I had trouble finding out how to do this for .NET sites. All I could find was that you can enable it server-wide on IIS, but now I have found this handy bit of code that can go at the top of your .NET pages.

// Compress only when the client advertised gzip support. Note that Contains("gzip")
// also matches "gzip;q=0", which is a client refusing gzip; fine for browsers, not strictly correct.
string AcceptEncoding = HttpContext.Current.Request.Headers["Accept-Encoding"];
if (!string.IsNullOrEmpty(AcceptEncoding) && AcceptEncoding.Contains("gzip"))
{
    HttpContext.Current.Response.AppendHeader("Content-Encoding", "gzip");
    // Vary must name the *request* header the choice depended on (Accept-Encoding, not
    // Content-Encoding), so shared caches keep separate compressed and uncompressed copies.
    HttpContext.Current.Response.AppendHeader("Vary", "Accept-Encoding");
    // Wrap the output stream; this has to happen before any of the page is written.
    HttpContext.Current.Response.Filter = new System.IO.Compression.GZipStream(HttpContext.Current.Response.Filter, System.IO.Compression.CompressionMode.Compress);
}

And that’s it. Tasty gzip encoding for all. The next step is testing it, which I do with the mod_gzip_test site; besides confirming that the response comes back with Content-Encoding: gzip, check that it also carries Vary: Accept-Encoding, or a shared cache may hand the compressed copy to a client that cannot decode it. You can see an example of the changes we made to gameplayer.co.nz (a .NET site) here
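The PHP and .NET snippets above leave the content negotiation to a library or to a substring match. As an added example, not the page’s code or any framework’s, here is the same server-side decision written out in full: it parses Accept-Encoding with its q-values (so "gzip;q=0" is a refusal and only the "*" wildcard covers codings the client did not name), compresses only when the client allows it and the body is big enough to be worth it, and sends Vary: Accept-Encoding on every response. The response body and the 256-byte threshold are constructed for the demo.

```python
"""Server-side gzip content negotiation (added example, not the page's code)."""
import gzip

# Constructed, highly compressible response body.
SAMPLE_BODY = ("<html><body>" + "<p>hello gzip world</p>" * 200 + "</body></html>").encode()


def parse_accept_encoding(header):
    """Map each coding named in an Accept-Encoding header to its q-value."""
    prefs = {}
    for item in (header or "").split(","):
        parts = [p.strip() for p in item.split(";")]
        coding = parts[0].lower()
        if not coding:
            continue
        q = 1.0                         # absent q means fully acceptable
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0             # malformed q: treat as not acceptable
        prefs[coding] = q
    return prefs


def client_accepts_gzip(header):
    """True only if the client named gzip with q > 0, or sent a wildcard."""
    prefs = parse_accept_encoding(header)
    for coding in ("gzip", "x-gzip"):
        if coding in prefs:
            return prefs[coding] > 0
    return prefs.get("*", 0.0) > 0      # unnamed codings only via the wildcard


def build_response(body, accept_encoding, min_size=256):
    """Return (headers, body) with gzip applied when the client allows it.

    Vary: Accept-Encoding is sent on every response, compressed or not, so a
    shared cache never hands a gzip copy to a client that cannot decode it.
    Bodies under min_size (assumed threshold) are left alone: the gzip
    container costs more bytes than it saves on them.
    """
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Vary", "Accept-Encoding")]
    if client_accepts_gzip(accept_encoding) and len(body) >= min_size:
        body = gzip.compress(body)
        headers.append(("Content-Encoding", "gzip"))
    headers.append(("Content-Length", str(len(body))))
    return headers, body


def decode_body(headers, body):
    """What the client does with the result; used to check the round trip."""
    return gzip.decompress(body) if ("Content-Encoding", "gzip") in headers else body


if __name__ == "__main__":
    for ae in ("gzip, deflate", "gzip;q=0, deflate", None):
        hdrs, out = build_response(SAMPLE_BODY, ae)
        print(ae, "->", dict(hdrs).get("Content-Encoding", "identity"), len(out), "bytes")
```

One thing neither snippet on the page addresses: when a compressed page echoes attacker-controlled input next to a secret such as a CSRF token, the compressed length leaks the secret byte by byte (the BREACH attack), so keep compression off for responses of that shape.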
