Archive for February 2007

qemu 0.9 and kqemu for ubuntu dapper and edgy

Version 0.9 of the open source processor emulator qemu is out, and the new version of the kqemu acceleration module has been released under the GPL. That is the first reason to install or upgrade them. The second reason is the current absence of qemu 0.9 and kqemu packages for ubuntu edgy and dapper. And the final reason for some may be the kernel panic issue in the guest OS running in qemu installed from the official ubuntu repository (it happened for me only with kqemu).

You can install packages of qemu 0.9 and kqemu for ubuntu dapper and edgy from my repository. The qemu in my repository is a packaged official binary build of qemu. The kqemu packages are from the debian experimental repository. In addition, the qemu package will automatically set the system parameters recommended for qemu and insert the kqemu module, if one is installed, after system bootup (check the /etc/init.d/qemu file), even if the module was not installed from a package.

installation

First, add my repository to /etc/apt/sources.list. For edgy:

deb http://ubuntu.tolero.org/ edgy main
deb-src http://ubuntu.tolero.org/ edgy main

Or these lines if you’re running dapper (SimplyMEPIS 6.0):

deb http://ubuntu.tolero.org/ dapper main
deb-src http://ubuntu.tolero.org/ dapper main

The installation is better done from the console package manager rather than from the graphical one. Ensure that you also have the ubuntu universe repository included in sources.list. If so, cross your fingers and pass the following commands to the console one by one:

  1. sudo aptitude update
  2. sudo aptitude install kqemu-common kqemu-source
  3. sudo aptitude install module-assistant
  4. sudo m-a prepare
  5. sudo m-a build kqemu
  6. sudo m-a install kqemu
  7. sudo aptitude install qemu

Commands 4 to 6 will install the kernel headers, compiler and other assistant packages, build a kqemu-modules package for your kernel version and install it. If all is OK, everything is done.

ssh password brute force protection

You can protect your linux hosted ssh server from password brute force attacks with pam-abl. This plugin to the ssh PAM authentication stack counts the login attempts from a specific IP address or for an exact login name. If the number of attempts exceeds the allowed limit, pam-abl will block the IP address or the login name.

Manual installation of pam-abl is not very complicated, but it requires some time spent on a few manipulations in the console. I have built a deb package of libpam-abl for ubuntu edgy and ubuntu dapper (mepis 6.0). It fully automates the installation and proper configuration. All you have to do to protect your ssh from brute force attacks is install the package. It should be said that libpam-abl has shipped with fedora linux by default since the fedora core 4 release, but debian based distributions lack that useful security package.

Important note for ubuntu (mepis) linux users: the openssh-server package bundled with the distros contains bug #405041, which makes libpam-abl work improperly. My repository contains a patched version of the openssh-server package, which you have to update to.

For curious linux users, source packages are available for both openssh-server and libpam-abl.

how to install

First of all, add my repository to your /etc/apt/sources.list configuration file.

For ubuntu 6.06 dapper (SimplyMEPIS 6.0):

deb http://ubuntu.tolero.org/ dapper main

For ubuntu 6.10 edgy:

deb http://ubuntu.tolero.org/ edgy main

Then execute the following four commands:

sudo aptitude update
sudo aptitude upgrade
sudo aptitude install libpam-abl
sudo /etc/init.d/ssh restart

The first command fetches the repository listing. The second upgrades the openssh-server package to the patched version (openssh-client will also be updated). The third sets up the protection plugin. And the fourth restarts the server with the new security plugin.

That is all! Now your machine’s ssh should be protected with pam-abl.

How to check that all is working

To check that pam-abl is installed properly, just try to log in to your ssh server. Simply execute the

ssh localhost

command, and input wrong passwords for all tries. Those failed attempts will be listed in the pam-abl statistics. You can see them with the command

sudo pam_abl

and you should see your failed attempt there. If you see only <none> indicators, this means you are running an unpatched version of the openssh-server package; you have to install it from my repository and restart the ssh daemon.

The pam_abl utility is the control instrument over the libpam-abl plugin statistics. You can unblock any host or account only through it. Refer to its --help for details.

What does my libpam-abl.deb package do

Many readers do not need to read this chapter. It is mostly for the curious.

Apart from simply extracting the pam-abl files into their places, my package performs a configuration job.

First, it creates a default configuration file for the pam-abl plugin. You can find it at /etc/security/pam_abl.conf. The default configuration blocks any IP address or login name (except the root account) after three failed attempts in an hour, or thirty attempts in a day. If you wish, you can easily change the limits right after installation.

The second point is altering the /etc/pam.d/ssh file to include the pam_abl.so library in the authentication process. Adding the required line in the right place of the configuration file on installation, and removing it on removal of the package, is fully automated.

Collected information about failed login attempts is stored under the /var/lib/abl/ path. This directory is created during installation and removed only when the package is removed with the --purge flag. The same goes for the pam_abl.conf file. That is the common behavior of all debian packages.
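As an added illustration (not the file shipped in the author's package), this is what a pam_abl.conf expressing the limits described above looks like; it assumes the rule syntax from pam_abl's own documentation, and the database paths follow the /var/lib/abl/ location the package uses:

```ini
# /etc/security/pam_abl.conf (added example, not the package's shipped file)
host_db=/var/lib/abl/hosts.db
host_purge=2d
# any host: block after 3 failures within 1 hour, or 30 within 1 day
host_rule=*:3/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
# the same limits for every account except root
user_rule=!root:3/1h,30/1d
```

The purge windows must be at least as long as the longest rule window (here one day), or older failures are forgotten before the daily rule can count them; the module is brought into the ssh stack by a line of the form `auth required pam_abl.so config=/etc/security/pam_abl.conf` in /etc/pam.d/ssh (an assumed form, taken from pam_abl's documentation), placed ahead of the password check so a blocked host or user is rejected before its password is even examined.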

Blogs and forums spam bots protection

Preamble

Forum and blog spam has been an absolute pest for the last few years. I see a lot of complaints from their owners, and I also see a lot of polluted content. Spammers do their dirty job in two ways: automatically with bots, and manually by writing to forums. The main threat comes from automated spam, and I’ll explain protection from it here.

There are a lot of standard techniques to protect from spam. We all know them: captcha, email confirmation, user interaction and so on. All of them require more or less unwanted user attention. And because they are visible to spammers, they are not invulnerable. Captcha is breakable with cheap porn traffic, email confirmation is easily automated with scripts and free mail services, and user interaction sometimes confuses users.

But there is another good method, which does not disturb users and is not so obvious to bypass: behavior tracking. This is a good way to protect your blog or forum from spam, because the protection is hidden, and the spammer does not know where exactly you are checking him.

Bot’s behavior

The main goal of spammers is to spam as much as possible. As a result, the real user behavior is missing. Spammers are very frugal with traffic and skip many of the usual steps. For example, after loading a page, a user’s browser always loads at least a CSS file from the site, because it is required to display the page properly. But the spammer does not need to receive the CSS. The same goes for the images on the page: they are also not downloaded by the bot (though sometimes they are not downloaded by real visitors either, for example if a user is on GPRS and tries to reduce traffic).

Most spammers recognize the site only once, and perform the spam after some time (usually the next day). The “one recognition” is also a speedup on their side. This means that they do not download the page containing the form every time before posting a message. I also think that they are using two types of software: one for crawling across the web in search of forums or blogs, and another for posting messages. This can explain why they mostly post spam on the day after their spider reaches a victim site.

Antispam protection

Here are several simple recommendations from me on how to track a spammer:

  1. Check whether the poster’s IP address previously downloaded a CSS file or an image. The best is to check for an image being fetched: a site page always contains several images, and it is not easy for a spammer to understand which of them is checked by you (or maybe all of them are). You can serve the pictures through scripts. With something like mod_rewrite this will not be obvious to a spammer. Or you may check the access.log file of your site. If you’re hosted on a unix compatible machine, this can be done easily and effectively with the bundled tail and grep utilities together.
  2. Add an additional hidden parameter to your html form. This parameter should be unique for each minute, and it should be easy for you (but not for a spammer) to understand which minute it belongs to. Then you can drop all posts which are submitted with an ancient parameter value.
  3. Spammers do not implement a JavaScript engine in their tools. It is possible to hide the message html form by composing it with JavaScript. But be careful: generate your form in several steps. Do not simply write it out with one function call. If the spammer is using regular expressions instead of an html parser, it is possible that he will catch a footprint of the html form, and your trick will not help.
  4. Always check the Referer field in the HTTP headers. Some spammers do not pass a valid Referer. A typical user browser always submits the message with a valid Referer in the HTTP headers pointing to the page containing the html form.
  5. Check the HTTP User-Agent. There is a small number of dumb (but very annoying) spammers which do not supply a relevant User-Agent. And there is another group of too “intelligent” spammers which use browser User-Agents but change them on each access. I suppose they always pick them randomly from an array in a script. So, if the html form was transmitted from your site to one User-Agent, but submitted with another, discard the message as well.
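Recommendations 1, 2, 4 and 5 above combined into one server-side check, as an added example that is not the author's code: the access.log lines, the form URL, the secret and the submitted post are all constructed here, and the minute token is made unforgeable with a keyed HMAC (an addition to the text's "unique per minute" parameter) so a bot cannot mint a fresh-looking value.

```python
import hmac, hashlib, re

# Constructed sample access.log lines (Apache "combined" format), not real traffic.
ACCESS_LOG = [
    '203.0.113.5 - - [01/Feb/2007:10:00:01 +0000] "GET /post.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"',
    '203.0.113.5 - - [01/Feb/2007:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 512 "http://example.org/post.php" "Mozilla/5.0 (X11; Linux) Firefox/2.0"',
    '203.0.113.5 - - [01/Feb/2007:10:00:02 +0000] "GET /img/logo.png HTTP/1.1" 200 4096 "http://example.org/post.php" "Mozilla/5.0 (X11; Linux) Firefox/2.0"',
    '198.51.100.7 - - [31/Jan/2007:09:12:40 +0000] "GET /post.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]
FORM_URL, FORM_PATH = "http://example.org/post.php", "/post.php"   # assumed site layout
SECRET = b"constructed-demo-secret"                                  # server-side key, never sent to clients
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)" "([^"]*)"$')

def parse_log(lines):
    """Yield (ip, method, path, referer, user_agent) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groups()

def make_token(secret, minute):
    """Hidden form field: the issue minute plus a keyed MAC over it."""
    mac = hmac.new(secret, str(minute).encode(), hashlib.sha256).hexdigest()[:16]
    return "%d:%s" % (minute, mac)

def token_is_fresh(secret, token, now_minute, max_age=30):
    """Accept only a genuine token issued at most max_age minutes ago."""
    minute_str, _, _mac = token.partition(":")
    if not minute_str.isdigit():
        return False
    genuine = hmac.compare_digest(make_token(secret, int(minute_str)), token)
    return genuine and 0 <= now_minute - int(minute_str) <= max_age

def check_post(post, log_lines, secret, now_minute):
    """Return the names of the behaviour checks a submission fails ([] = looks human)."""
    failed = []
    hits = [h for h in parse_log(log_lines) if h[0] == post["ip"]]
    if not any(h[2].lower().endswith((".png", ".gif", ".jpg")) for h in hits):
        failed.append("no-image-fetch")     # recommendation 1: page assets never requested
    if not token_is_fresh(secret, post["token"], now_minute):
        failed.append("stale-token")        # recommendation 2: form fetched long ago or never
    if post["referer"] != FORM_URL:
        failed.append("bad-referer")        # recommendation 4
    form_uas = {h[4] for h in hits if h[1] == "GET" and h[2] == FORM_PATH}
    if form_uas and post["user_agent"] not in form_uas:
        failed.append("ua-mismatch")        # recommendation 5: User-Agent changed between GET and POST
    return failed
```

The image check reads the whole log here; on a live site you would scan only the recent tail, as the text suggests, and keep a secret of reasonable length in the server configuration rather than in code.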

Conclusion

All these tricks were used by me on several projects and showed good results. For sure, if a spammer is interested in spamming exactly your resource, creates specialized software and has good experience, he can finally pass through all your barricades. But he will need several hours of bashing his head over the keyboard, tearing hairs from all over his body, and shouting “how? why? where?”, and maybe he will leave you alone.

If you found this article useful, or if you are using your own tips and tricks to protect your resources, feel free to submit a comment. And do not hesitate to share a link to this article with your friends: let’s resist together!

xfce 4.4.0 packages for ubuntu edgy

Because there are no xfce 4.4.0 packages for Ubuntu edgy, I rebuilt the packages from the Ubuntu feisty repository. I also rebuilt the xubuntu-desktop package and everything accompanying it from feisty, since it carries additional dependencies not currently present in the xubuntu packages in edgy. Although the packages work fine for me, I give no guarantees and take no responsibility for any harm caused by their use. If you still wish to upgrade xfce, you can use my repository. To do so, simply add the following to /etc/apt/sources.list:

deb http://ubuntu.tolero.org/ edgy xfce-4-4-0
deb-src http://ubuntu.tolero.org/ edgy xfce-4-4-0

Then do an update and upgrade in your package manager. I expect that everything will go as smoothly as it did for me, but if something goes wrong, I am ready to help.