[mike@3po][~]$ grep -c default.ida
[mike@chipotle][~]$ grep -c default.ida
Interesting how the numbers can sometimes be very different from system to system.
Kind of a weird day today. It actually rained. Walked toward work around 1:00 PM, when the tornado sirens went off as per their monthly testing cycle. Thought about the effects of warning people. Some people don't care, often for good reason. My building has had the fire alarms go off a few times -- I never go. Of course, we're also in an apartment right next to the stairwell.
The media has often been unnecessarily scaring folks. They don't know how to properly target their stories at the people that need to hear them. They're more concerned about ``how can we fit this story into the demographic that's watching now?''
Maybe I should float my name around and see if someone will contact me the next time they need someone who knows what they're talking about.
14 yesterday (GMT), so:
[mike@3po][~]$ expr $(grep -c default.ida /var/log/apache/access.log) - 14
The CAIDA graph shows an uptick around midnight GMT. It's going to be an interesting couple of weeks.
Finally added a procmail recipe for getting rid of those stupid SirCam messages. Still testing it, though.
I am now of the opinion that someone should write a worm to go out and disable IIS on vulnerable servers. Shut down the service and set it to be disabled. Perhaps even remove an important EXE or DLL file that is required for it to start up. If nothing is done, the Internet will continue to be polluted by garbage traffic from worms like that.
Makes me think of the noises that surround us every day, and the light of the city at night that keeps people from seeing the stars...
Considering possibilities for active response to the IIS worm. I suspect that many servers that aren't patched for the IDA vulnerability also aren't patched against the Unicode vulnerabilities. It'd probably be easy enough to make a script that references a URL like this, but it requires testing.
49 through the first two days (GMT)
[mike@3po][~]$ expr $(grep -c default.ida /var/log/apache/access.log) - 49
Still haven't gotten any SirCam worms to test my new .procmailrc on. I suspect the university finally started filtering them out.
Looks like caida's graphs disappeared again. Too many people must have been looking at them or something.
Just put together a script for making small histograms. Currently it outputs in three formats. Unix time vs. number of attempts per n seconds, ASCII `*' histogram, and HTML output. That needs a small image to be available, though. See it in action here.
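The histogram script described above, as an added example in Python (not the author's script): it pulls the default.ida requests out of Apache common-log lines, bins them per n seconds, and emits the "unix time vs. count" rows and the ASCII `*' chart. The log lines are constructed and abbreviated, and the N/X query-string tell for Code Red I vs. II is the only detail not on this page.

```python
import re
from datetime import datetime

# Common Log Format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines; real worm requests carry a much longer query string.
SAMPLE_LOG = """\
10.1.1.1 - - [04/Aug/2001:13:02:11 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 400 -
10.2.2.2 - - [04/Aug/2001:13:40:59 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 206
10.3.3.3 - - [04/Aug/2001:14:05:03 -0500] "GET /index.html HTTP/1.0" 200 1521
10.4.4.4 - - [04/Aug/2001:14:31:47 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 206
10.5.5.5 - - [04/Aug/2001:16:59:30 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 400 -
"""


def variant(path):
    """Code Red I pads its query string with 'N', Code Red II with 'X'."""
    query = path.partition("?")[2]
    if query.startswith("N"):
        return "CRI"
    if query.startswith("X"):
        return "CRII"
    return "other"


def parse_hits(lines):
    """Return (unix_time, source_host, variant) for every default.ida request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than die mid-log
        host, stamp, _method, path = m.groups()
        if not path.startswith("/default.ida"):
            continue
        when = datetime.strptime(stamp, TIME_FMT)  # aware, so timestamp() is UTC epoch
        hits.append((int(when.timestamp()), host, variant(path)))
    return hits


def histogram(hits, bin_seconds):
    """Sorted (bin_start, count) pairs; empty bins are kept so gaps stay visible."""
    if not hits:
        return []
    counts = {}
    for when, _host, _var in hits:
        start = when - when % bin_seconds
        counts[start] = counts.get(start, 0) + 1
    first, last = min(counts), max(counts)
    return [(t, counts.get(t, 0)) for t in range(first, last + 1, bin_seconds)]


def ascii_histogram(bins):
    """One row per bin: unix time, count, then a bar of `*' characters."""
    return ["%d %3d %s" % (t, n, "*" * n) for t, n in bins]


def per_variant(hits):
    """Hits per worm variant, e.g. to watch CRII scans creep up over CRI."""
    totals = {}
    for _when, _host, var in hits:
        totals[var] = totals.get(var, 0) + 1
    return totals


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG.splitlines())
    print("\n".join(ascii_histogram(histogram(hits, 3600))))
    print(per_variant(hits))
```

Feed it `sys.stdin` or an opened access.log instead of `SAMPLE_LOG` to run it over a real log; the per-day `expr ... - N` arithmetic above is just the difference between two runs.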
74 through the first three days (GMT)
expr $(grep -c default.ida /var/log/apache/access.log) -
Went to the TCLUG meeting today. Pretty good presentation on DNS. At the end, I asked about IPv6 stuff.. I hope there'll eventually be a meeting on that (even half a meeting would be really good).
Went to Annie's afterward for a really good hamburger. I had thought about getting a malt as well, but didn't. Maybe I'll have to drag some people over there again soon.
Had to drop back to a week-old version of Mozilla since recent versions have scrollbars that are only half as wide as they should be. Annoying.
Roommate's rent check arrived today. It's due by the 5th, which is tomorrow (Sunday). Not sure if he'll get stuck with a late fee or not.
Trying to get an IPv6 gateway going with freenet6. Having some trouble. Everything seems to look right, and the other system on the network can properly autodetect my router, but nothing seems to be getting through..
105 through the first four days (GMT)
expr $(cat /var/log/apache/access.log*|grep -c default.ida) - 105
I need to find some other form of entertainment..
Downloaded lxdoom and played it, since Doom apparently rates #1 in games for all time (so far). Unfortunately, it appears that not a whole lot of work has been put into making it work at higher resolutions. It was nearly unplayable at 1024x768 on my 1.3GHz Athlon (and I think it was only scaling the image, not even rendering at that resolution). Reminds me of what it was like on my 386sx/25. The mouse control seemed somewhat screwy too, but maybe it's all due to Xinerama..
Figure I'll put a post up to the LUG and ask if there are any ideas as to what I'm doing wrong with my IPv6 gateway.
Went to Little T's in Uptown for supper tonight. When we were leaving, a few guys commented on my Penguin Computing ``Born to Frag'' t-shirt with Tux holding a rocket launcher from Quake III.
127 through the first 5 days (GMT)
expr $(cat /var/log/apache/access.log*|grep -c default.ida) - 127
Hmm.. Seems to be around 1/hour. Slowly getting more and more CodeRedII scans. Like I said before, I think it would have been better if a newer variant had just shut down IIS..
Posted a note regarding setting up IPv6. Got one response so far, which wasn't very clear. One thing was that I apparently need a usagi kernel. I think I'll try other stuff suggested first, as I don't really feel like compiling a new kernel..
I should really find some work to do..
Wow. Some people are getting way more hits from Code Red than I am. Glad I'm not on a cable modem, I guess. Strange how nearly all cable modems are in the 24.x.x.x block. Was that intentional? I live in the 206.blah range, which seems to be spread across a lot of varied stuff, and it appears to be very geographically separated as well.
Sounds like the power company wants people to start turning stuff off. Reminds me that we have the thermostat set pretty low at the apartment. At least one of my roommates likes it cold, which really bothers me. I don't exactly like it hot, but I can't stand it when my fingers start to get chilled... I think we have finally found a spot that works okay for all of us, but it's still cooler than what I'd like to have it run at.
Of course, we're running it lower than we would if we were paying for electricity separately from our rent...
I think I'm done watching my own logs for Code Red. I now have a script to do that for me ;-)
I'm not getting hit much by CRII, but my family's cable modem is getting hit once every few minutes, for a total now of nearly 2000. I read that CRII has a cutoff date: Oct. 1, 2002.
I need something in my life to change. I feel motivated for a few days, or maybe a few weeks, then I just start to drone on.
Dinks.. I like `csom.umn.edu' just the way it is..
Following is the policy for standardizing URLs. The purpose of standardizing our URLs is to create a logical URL system so the user can easily find the site they are seeking.
The Carlson School URL is www.CarlsonSchool.umn.edu The standard URL style for programs/departments/etc. is www.CarlsonSchool.umn.edu/xyz [or www.xyz.CarlsonSchool.umn.edu]
Under no circumstance should Carlson School be abbreviated as csom or shortened to Carlson.
Heh.. Google rocks
Yay! I got IPv6 routing going. Turned out that I just needed to add a route to 2000::/3 with `ip route add 2000::/3 dev sit1'.
Now I think I'm off to take a shower to see if I can wake up before 9:00..
Installed Debian on a PPro 200. I think that machine is one of only two or three PPros I've ever touched. Rare beasts.
Anyway, it took very little time to install the stuff I needed, since it's just going to be a webserver. Right now, I think the Java development environments on there take up about half the used disk space ;-) I was contemplating using mod_dav, but I'm not sure how to use/secure it yet.
Installed Jakarta Tomcat on the system, and it seems to actually work with Blackdown's 1.3.1 Java 2 environment. Need to find where I'm supposed to put the files so I can actually test it.
Strange that the default.ida PHP responder script I put up yesterday only works against Code Red II. Something about the way Code Red (I) works causes Apache to return a `400 Bad Request' error, so the script doesn't even get run against those hosts. Code Red II handles its HTTP connections differently and allows the script to be run.
Went to the campus net-people meeting yesterday. Always interesting. The first bit was obviously on Code Red. Considering the size of the U of MN, things have gone very well. They said they'd responded to about 40 incidents (probably more infections than that, if it hit a lab or something). Very small for a campus of 40,000+ people (well, when school is in session). They were very aggressive about scanning for vulnerabilities when Code Red first popped up, and I think they had been looking for systems with the IDA vulnerability even before then.
Of course, I have no idea how things would have been if school was in session and students had their systems in the reshalls. Of course, the networking folks probably would have blocked port 80 to the dorms starting near the end of June.
Anyway, heard that the state of South Dakota went offline over the weekend due to Code Red II. Not sure if that means the entire actual state, or just state-run agencies like the universities, etc. -- the State of South Dakota.
Real-Time, the ISP that hosts the TCLUG website, was forced to block access to port 80 to most of their dialup, DSL, etc., customers. Their routers' CPUs were pegged at 100%, so they had to do it to save the infrastructure. They did notify their customers about what was going on, though.
I'm not weird for being worried about these worms! I think lots of routers were probably not designed to handle the heavy many-to-many traffic, instead tested for few-to-many or many-to-few.
Hmm.. My thought processes are apparently cutting off in mid-sentence now..
Anyway, migrated our Netsaint/MRTG box from a P200/32MB to a PIII-600/256MB. Got a SCSI drive in the process, and we're ordering another processor. Of course, now that we have more horsepower, we'll be able to scan more systems -- the Novell and Windows systems. It also now has a 100Mbit ethernet card, so I think we'll have to enable 100Mbit speed on the etherjack soon.
Contemplating how to get the wireless firewall going at work. I'm thinking of supporting two modes of operation.
In `Router' mode, the client system will obtain an IP address through DHCP. This will set up the client to have a default gateway of the firewall. Using IP Tables, all attempts to connect to port 80/tcp will be redirected to port 80 on the firewall. All DNS traffic to port 53 would also be directed to a caching DNS server, so if someone types in `www.yahoo.com', they'll actually get a response. A mini web server running there will only serve HTTP redirects to the secure web server running on port 443. This will present the user with a web page requesting authentication.
I'm still figuring out how to do authentication, but we can either use the local Lotus Notes user IDs, or the campus X.500 directory, both through LDAP (I think). Using the local IDs would only allow people who have e-mail accounts in the School to connect. Using X.500 would allow anyone who has a campus-wide account to get online.
Anyway, the authentication would require a valid username/password, and the request must come from an IP/MAC address combination that was served by the DHCP server. Authenticating would cause the IP/MAC combo to be added to a IP Tables chain, allowing all IP traffic to/from that host.
Nothing would be encrypted, unless it was done at the protocol(?) layer (I need to brush up on that Taco Bell 7-layer model). Therefore, at authentication time, there would be a warning in BIG RED LETTERS that the user is responsible for keeping data secure. We may actually restrict certain traffic to keep people from doing anything stupid, like preventing access to Lotus Notes servers unless data is going over SSL.
Cron jobs would run every 20 minutes or so to flush out the IP Tables entries for hosts that have been idle for a while. They'd probably also try to flag when strange things were happening, like tremendous amounts of traffic flowing to/from certain hosts.
In `Secure Gateway' mode, the clients would authenticate somehow (RADIUS?) and get a single-hop VPN tunnel set up. If I'm not mistaken, this requires two IP addresses per client box, which is really annoying.
Still working out how that would all work.
Interesting how some scary organizations can sometimes get it right. Well, ``get it right'' is not quite what I'm looking for, since the Taliban is still probably going to try to kill these folks. I dunno.. I just don't think that helping people should involve religion (well, a religious organization helping people who are of the same religion is fine, I guess). Gah.. Why don't I know if President Bush's ideas about Federal funds going to religious organizations went through or not? That was a Really Bad Idea in my book.
Oh well, I don't want to talk too much about that. I know how mentions of religion can cause flare-ups in here..
I was helping our LUG's mailing list dictator set up a default.ida script at his ISP. His server didn't have a compiler, so he couldn't build any new Perl modules. He did have PHP, though, and tried my script. I still haven't heard if any of these scripts for talking back to Code Red II work at all.
I guess I should really try to put one together that starts up Internet Explorer and points it at a page on my system (or probably just a redirect), just so I know if it works or not.
The graph looks so weird now.
Hmm. Very tired. Need to eat something..
I bought two games from Loki yesterday morning, Railroad Tycoon II and SimCity 3000. Then I saw the Chapter 11 notice. Kind of scary. However, I think I've seen a lot of companies float in and out of Ch. 11 without too much trouble.
I also bought three shirts at ThinkGeek, linux kernel, linux, and I don't work here. It got shipped right away, and it'll even arrive on Thursday! A rarity that anything shipped by UPS ground ever reaches here without going over the weekend.
Don't know when my games will ship, though, and no tracking numbers (AFAIK), as they're going by USPS.
Slowly working on helping some guy print from his Unix account. Not sure when that will wrap up today. I'm not sure of what his exact problem is, and I wouldn't be surprised if it took all day to find out.
I should really head upstairs and talk to my boss a bit about various little things.
I expected to get a working firewall today, and I did. Always nice to accomplish things.
I have a PHP login script that connects to one of our Lotus Notes servers via LDAP (I hope to go to LDAP/SSL soon) and authenticates. If authentication succeeded, an IP Tables rule is added that matches an IP/MAC pair.
Any packets that don't come from an authenticated address are marked. Of these marked packets, only the ones that are connecting to DNS servers are allowed through. The nat table also has a rule to forward packets destined for port 80 to the local system.
Unauthenticated systems get directed to the firewall's web server on port 80, which replies with a Redirect to the SSL server running on 443.
It's not too complicated, though we'll have to see how hard it will be to deploy.
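The `Router' mode sketched earlier and the working version just described (mark packets from unauthenticated hosts, let them reach only DNS, redirect their port 80 to the firewall's redirect server, admit authenticated IP/MAC pairs, flush idle ones from cron) as an added Python example; it is not the author's PHP/cron setup. The interface name, the mark value and the sample IP/MAC pair are assumptions, and the rules are emitted as iptables argv lists so they can be inspected without loading them.

```python
import subprocess
import time

WLAN = "eth1"       # assumed: interface the wireless clients are on
UNAUTH_MARK = "1"   # fwmark carried by packets from unauthenticated hosts


def base_rules(wlan=WLAN):
    """Rules loaded once at startup, as iptables argv lists."""
    unauth = ["-i", wlan, "-m", "mark", "--mark", UNAUTH_MARK]
    return [
        # Chain of authenticated IP/MAC pairs. ACCEPT in the mangle table only
        # ends mangle processing, so a matching packet skips the MARK rule below.
        ["iptables", "-t", "mangle", "-N", "authenticated"],
        ["iptables", "-t", "mangle", "-A", "PREROUTING", "-i", wlan, "-j", "authenticated"],
        ["iptables", "-t", "mangle", "-A", "PREROUTING", "-i", wlan,
         "-j", "MARK", "--set-mark", UNAUTH_MARK],
        # Marked packets may reach only the caching resolver and the portal web servers.
        ["iptables", "-A", "INPUT"] + unauth + ["-p", "udp", "--dport", "53", "-j", "ACCEPT"],
        ["iptables", "-A", "INPUT"] + unauth + ["-p", "tcp", "-m", "multiport",
                                               "--dports", "80,443", "-j", "ACCEPT"],
        ["iptables", "-A", "INPUT"] + unauth + ["-j", "DROP"],
        ["iptables", "-A", "FORWARD"] + unauth + ["-j", "DROP"],
        # Unauthenticated DNS and web traffic is pulled onto the firewall itself; its
        # port-80 server answers only with a redirect to the SSL login page on 443.
        ["iptables", "-t", "nat", "-A", "PREROUTING"] + unauth
        + ["-p", "udp", "--dport", "53", "-j", "REDIRECT", "--to-ports", "53"],
        ["iptables", "-t", "nat", "-A", "PREROUTING"] + unauth
        + ["-p", "tcp", "--dport", "80", "-j", "REDIRECT", "--to-ports", "80"],
    ]


def _run_iptables(argv):
    subprocess.run(argv, check=True)  # raises if the kernel rejects a rule


class Portal:
    """Tracks authenticated IP/MAC pairs and keeps the mangle chain in step."""

    def __init__(self, run=_run_iptables):
        self.run = run        # swap in a recorder for dry runs or tests
        self.sessions = {}    # (ip, mac) -> last activity, epoch seconds

    @staticmethod
    def pair_rule(action, ip, mac):
        return ["iptables", "-t", "mangle", action, "authenticated",
                "-s", ip, "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]

    def authenticate(self, ip, mac, now=None):
        """Admit a pair once the login page has verified the user (LDAP bind)."""
        rule = self.pair_rule("-A", ip, mac)
        self.run(rule)
        self.sessions[(ip, mac)] = time.time() if now is None else now
        return rule

    def touch(self, ip, mac, now=None):
        """Record activity for a pair (e.g. from rule byte counters) to keep it alive."""
        if (ip, mac) in self.sessions:
            self.sessions[(ip, mac)] = time.time() if now is None else now

    def flush_idle(self, idle_seconds, now=None):
        """The cron sweep: delete the rule for every pair idle for idle_seconds."""
        now = time.time() if now is None else now
        stale = [p for p, last in self.sessions.items() if now - last >= idle_seconds]
        for ip, mac in stale:
            self.run(self.pair_rule("-D", ip, mac))
            del self.sessions[(ip, mac)]
        return stale


if __name__ == "__main__":
    for rule in base_rules():   # dry run: show the rules instead of loading them
        print(" ".join(rule))
```

The IP/MAC match only stops casual address borrowing on the wireless segment; as the text says, nothing past the login page is encrypted unless the application protocol does it.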
...when pigs fly!
Spent much of the day tracking down why the wireless firewall couldn't authenticate to the LDAP server.
It was connecting to the wrong system.
My roommate is piling up stuff in our room.
We need a loft.
My back started hurting yesterday morning when I ran to catch the bus. The day before, I had helped my roommate move in. I guess I should have stretched before carrying all that stuff.
Oh well, I guess I'll just have to take it easy for a few days, and then start exercising my back in the mornings (sit ups, stretches).
I hope I'll actually do it -- I have a terrible track record for exercise..
Hoping to get our wireless firewall authenticating to the University's X.500 directory rather than our local Lotus Notes server. Need an LDAP version of it, though.. Hopefully things will work the same. (we currently just do ldap_connect, ldap_bind with server, username, and password, and then ldap_close)
Exchanged a bit of mail with one of the campus networking folks that has been thinking of how to do firewalls. Sounds like what I came up with is almost exactly the same as what he had, though I used Linux and he used FreeBSD. He said that BSD couldn't filter based on MAC address and IP address (at least not at the same time), which works out well for me ;-) On the other hand, if it's decided that IPSec is a good thing to have on these boxes, Linux is still behind (AFAIK).
Oh yeah.. I should go start playing with IP Filter on Solaris..
I neglected to realize when I bought Railroad Tycoon II and SimCity 3000 that those games are meant to take quite a while to play. Time that I probably don't have.
Saw that Caldera's OpenUNIX 8 contains a `Linux Kernel Personality' which is probably a lot like Linux's iBCS (or whatever it's called these days) for running software on other Intel-based Unices as well as Solaris on UltraSPARC.
Of course, it's probably much easier for a Unix company to add a Linux `personality' than it is to add a proprietary Unix personality to Linux (which is why we aren't running Linux on our Suns right now).
God I hate Solaris..
Not sure what it is about music, but I always have to keep hearing more of it. I need to listen to new stuff, or my brain turns to mush.. It's something I realized several years ago, though I've always had trouble actually finding music, since nobody on the radio will tell you what they just played. I don't really like it, but I've ended up turning to MTV and (mostly) MTV2 and actually occasionally hearing music I like. At least they label their music..
Tuned in recently to notice Sugar Ray. Some cognitive dissonance there.. I actually like a lot of the music from that guy/group, though I thought I didn't.. Also heard Michelle Branch, who reminds me a lot of a girl I was obsessed over in high school. Strange that the one song of hers I've heard reminded me how I felt back then..
I'll have to pick up some more music to see if I can get my brain to unstick and start thinking again..
Last little note about this: I was watching something about Neanderthals/Cro Magnons last night, and they mentioned something about the brain. They aren't really sure if Neanderthals came up with art and jewelry on their own, or if they learned it from the Cro Magnons. It's interesting because they said something to the effect of, ``The jewelry was a manifestation of something more inside,'' suggesting to me that art is something more than I thought it was. The creative process, I guess, involves art, music, engineering, science. Everything. And if parts are taken away, we stop moving forward. The ``don't touch'' attitude is bad, I think..
I need more art in my life
and a girlfriend..
Exchanged some e-mail with one of the campus networking guys. He's interested in getting together at some point to discuss my firewall ideas in more detail. I should really talk to my boss a bit about it (and the discussion should go all the way up the chain and around the staff, probably). I shouldn't be representing the whole School without some more support (I'm only an underling, so I may have overstepped some bounds..)
I forget how much time can be spent playing games. SimCity moves too slow sometimes. Of course, it moves excruciatingly slow with disasters. Things just don't seem to burn as fast as they did in the previous versions ;-)
I kind of think Loki should see if they can port some older games. Hell, a lot of great old DOS games won't even run on Windows these days
Bah, talking too much. I should get to work.
Kind of a disappointing CD. I think the artist is good, but encumbered by a poor producer that was determined to put those hip-hop wiggy wiggy noises in there somewhere.
Anyway, the summer is coming to an end too quickly for me. I need to also get in to see an advisor about some stuff, make sure that I haven't utterly destroyed my chances of getting through college.
There have been some curious numbers shoved around by the campus newspaper this summer. They've been saying that about half of incoming freshmen don't graduate in six years. They also say that about half don't graduate at all. Not sure if there's overlap there or not.
Folks are starting to show up for Marching Band. I'm not in it this year, but I'm looking forward to hearing them around campus. Also, I hope I'll run into some friends in these next few days.
I think I'm taking an `Internet Programming' class this fall. I'll have to ask a lot of questions about buffer overruns, and how to prevent them.
I've thought for a while now that the `GNU is Not Unix' statement has turned out to be quite true. GNU is better than Unix, IMHO. The utilities that have been developed are certainly more user-friendly than anything I've found native on Solaris (the only Unix that I've really had a large amount of experience with).
Additionally, Unix is certainly a great example to base an operating system off of, but there's no extreme need to follow that guide exactly.
I'm out of thoughts at the moment. Probably because I got up pretty early today.
I think I'm going to install Debian on the Linux half of my NT box..
Got Quake III (the real thing, not the demo) going on my computer at home yesterday. It's kind of annoying to play, though, since I usually run a dual-head setup with a Matrox G400, which can't run OpenGL in Xinerama mode. However, it is possible to start up a second X server with DRI going.
I have two layouts now. One is the normal Xinerama layout, and one is for Mesa3D/DRI. The Xinerama layout is default (I think.. I may have had to specify that for gdm), and I can start another X server with `X -layout DRI :1'.
However, it appears that you must load the kernel agpgart and mga modules *before* running even the Xinerama desktop. I'm getting around that problem by adding those modules to /etc/modules. I'm also running an AMD 760 northbridge chipset, which apparently isn't automatically recognized by Linux 2.4.7. I had to create a file in /etc/modutils that contained `options agpgart agp_try_unsupported=1' in it, and then run update-modules.
Fortunately, I have plenty of RAM (512MB), so it's not a problem for me to run two big X servers.
Unfortunately, the DRI X server is so slow and cumbersome at switching video modes that Quake III crashes whenever I try to change the video configuration at all. I still get a decent framerate at 1024x768 and the texture detail all the way up, plus bunches of other goodies turned on, but I'd like to see how fast I can get it all going.
Need to look up what the different variables in q3config.cfg mean.
Heading home today, for the weekend (well, go home Friday, come back Sunday).
Wonder when Debian testing will get XFree86 4.1.0 and kernel 2.4.9. Should make gameplay better..
Hmm. Now to find some work to do..
Cool. Cyclades has two new standalone units for accessing serial consoles over Ethernet. The TS400 and TS800 have an embedded version of Linux on 4MB of Flash, plus 16 MB of RAM. Dual (low-power?) PowerPC CPU.
It might actually be in our price range, finally. We really don't want to take up space with a big PC, PCI card, and the serial port dongle hanging off the back. Not sure if it's worth paying 2-3x the price, though.
Haven't posted for a few days. Been busy transferring stuff from an old server to a new one. The new one doesn't seem to broadcast its NIS domain (or, perhaps, doesn't respond to broadcast queries), so clients have to be specifically told where the NIS server is. That's not so bad, I guess. It's running Solaris 8, while the old one ran Solaris 2.6.
I want to figure out how to enable IPv6 on the new system as well. There was an option when installing, but we were forced to re-install with the network initially disabled (and then clean up the mess afterwards). Why the hell Sun set up /etc/nsswitch.conf the way they did, I'll never understand..
Anyway, the new system is a dual-processor Sun Enterprise 220R, which makes licensing some software more difficult, as the system can support four processors, and some software vendors like to squeeze as much money out of us as they can. We ended up dropping at least one package (though it's still running on another server that is outside of the NIS domain). My boss ordered the Cyclades TS800. We'll have to see how well it works. I suppose we'll have to find some DB25->RJ45 connectors. Maybe we'll be lucky and they'll come with the box. Though they'd probably come with DB25 connectors for PCs, not Suns.
I'm trying to figure it out, are the serial connections on Suns `backwards' compared to PC serial ports? Do you actually need a null-modem cable to connect a PC to a Sun, or can you just use a straight-through cable?
Ordinary null-modem cables obviously don't work, since a female connector won't fit onto another female..