Fail2ban

I’ve recently set up fail2ban [1] on a bunch of my servers. Its purpose is to ban IP addresses associated with password guessing – or whatever other criteria for badness you configure. It supports Linux, OpenBSD [2] and probably most Unix type OSs too. I run Debian so I’ve been using the Debian packages of fail2ban.

The first thing to note is that it is very easy to install and configure (for the common cases at least). For a long time installing it had been on my todo list but I didn’t make the time to do it. After installing it I realised that I should have done it years ago, it was so easy.

Generally to configure it you just create a file under /etc/fail2ban/jail.d with the settings you want; any settings that differ from the defaults override them. For example if you have a system running dovecot on the default ports and sshd on port 999 then you could put the following in /etc/fail2ban/jail.d/local.conf:

[dovecot]
enabled = true

[sshd]
port = 999

By default the Debian package of fail2ban only protects sshd.

When fail2ban is running on Linux the command “iptables -L -n -v|grep f2b” will show the rules that match inbound traffic and the names of the chains they direct traffic to. To see if fail2ban has acted to protect a service you can run a command like “iptables -L f2b-sshd -n” to see the iptables rules.

The fail2ban entries in the INPUT chain go before other rules, so it should work with any custom iptables rules you have configured as long as either fail2ban is the last thing to be started or your custom rules don’t flush old entries.
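To make the jail.d override and the per-IP banning concrete, here is an added simulation of what the sshd jail does (illustration only, not fail2ban’s own code): it merges a constructed stand-in for jail.conf with the local.conf from above, then scans constructed auth.log lines and bans any source that reaches maxretry failures within findtime seconds. The log lines, IP addresses and default values are all made up for the example.

```python
"""Simulation of a fail2ban sshd jail: merge jail.conf defaults with a jail.d
override, then ban any IP with maxretry failures inside findtime seconds.
Illustration only; JAIL_CONF, AUTH_LOG and the IPs are constructed, and the
real filters and defaults under /etc/fail2ban are richer than this."""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed stand-in for the [DEFAULT] and [sshd] sections of jail.conf.
JAIL_CONF = """
[DEFAULT]
enabled = false
maxretry = 3
findtime = 600
bantime = 3600

[sshd]
enabled = true
port = ssh
"""

# The override file from the post, /etc/fail2ban/jail.d/local.conf.
LOCAL_CONF = """
[dovecot]
enabled = true

[sshd]
port = 999
"""

# Constructed auth.log lines; "Failed password" is the kind of line the sshd filter matches.
AUTH_LOG = """\
Aug 14 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Aug 14 10:00:04 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Aug 14 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Aug 14 10:00:20 host sshd[1004]: Accepted publickey for russell from 198.51.100.7 port 40000 ssh2
Aug 14 10:05:00 host sshd[1005]: Failed password for root from 198.51.100.9 port 40010 ssh2
Aug 14 10:30:00 host sshd[1006]: Failed password for root from 198.51.100.9 port 40011 ssh2
Aug 14 10:31:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 40012 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def effective_jail(name, *conf_texts):
    """Settings for one jail after reading the files in order: a key set in a later
    file overrides the same key from an earlier one, and anything the jail does not
    set falls back to [DEFAULT]."""
    cp = configparser.ConfigParser()
    for text in conf_texts:
        cp.read_string(text)
    return dict(cp[name])

def scan(log_text, maxretry, findtime, year=2024):
    """Return {ip: ban_timestamp} for every IP with maxretry or more failures inside
    a sliding window of findtime seconds; a banned IP is not counted further."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m.group("ip") in bans:
            continue  # successful logins and already-banned sources are ignored
        ip = m.group("ip")
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S").timestamp()
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

if __name__ == "__main__":
    sshd = effective_jail("sshd", JAIL_CONF, LOCAL_CONF)
    print(sshd["port"], scan(AUTH_LOG, int(sshd["maxretry"]), int(sshd["findtime"])))
```

Note that 198.51.100.9 is not banned with the default findtime of 600 seconds because its three failures are spread over 26 minutes, which is why a slow guesser needs a longer findtime to be caught.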

There are hooks for sending email notifications etc. That seems excessive to me, but it’s always good to have options to extend a program.

In the past I’ve tried using kernel rate limiting to minimise hostile activity. That didn’t work well as there are legitimate end users who do strange things (like a user who set up their web-cam to email them every time it took a photo).

Conclusion

Fail2ban has some good features. I don’t think it will do much good at stopping account compromise, as anything that is easily guessed could be guessed using many IP addresses, and anything that has a good password can’t be guessed without taking many years of brute-force attacks while also causing enough noise in the logs to be noticed. What it does do is get rid of some of the noise in log files, which makes it easier to find and fix problems. To me the main benefit is to improve the signal-to-noise ratio of my log files.

Serious Begging

This evening I was driving through one of the inner suburbs of Melbourne when a man flagged me down. He said that his mother was dying and he needed a taxi ride to some hospital far away and needed to borrow $200. He was saying something about his phone; I wasn’t sure if he was planning to give me his phone number so I could call him to ask for repayment or offering his phone as collateral on the loan (incidentally a well known scam is to offer a stolen phone as collateral for a loan, it’s a way of selling a locked phone that doesn’t have cables).

I’ve encountered many beggars over the years, but he was by far the most serious about it – he demonstrated the level of desperation that I’ve only previously seen documented in history books and reports from travelers who visited developing countries. I will never know if his mother was dying, there are lots of other reasons why someone might urgently need cash (most of which won’t get much sympathy).

I gave him $20 as a gift. If his story was legitimate then I gave him 10% of what he needed so he only had to find another 9 people willing to do the same. If he was lying then I can afford to lose $20. In any case I definitely wasn’t going to do what he asked and withdraw hundreds of dollars from an ATM for him. Also regardless of whether he was telling the truth I didn’t want to have him repay me, if he’s telling the truth then I’m happy to give money to him and if he’s not then I’m better off avoiding him in future. If I had $50 I would probably have given it to him, but $200 is too much.

As I drove off I looked in my rear-vision mirror and saw him running between cars on the road trying to flag someone else down. Running through moving traffic on a Saturday night is another indication of how serious he was; generally someone who’s in a good state of mind and wants a long and healthy life won’t do that.

It’s Election Time Again

Linux People and Voting

Chris Samuel (a member of LUV who’s known for his work on high performance computers and the “vacation” program) has described why he’s voting for the Greens [1]. His main reasons are the Greens strong support of human rights and for science-based policy.

Paul Dwerryhouse (a member of the Australian Linux community who’s currently travelling around the world and who has made contributions to a range of Linux projects including SE Linux) has described his thoughts about the “Filter Conroy” campaign [2]. He gives a list of some of the high profile awful candidates who could possibly win a seat and therefore deserve a lower position in the preferences than Conroy.

SAGE-AU and Voting for the Internet

There has been some discussion by members of the System Administrators Guild of Australia (SAGE-AU) [3] about issues related to the election. As you would expect there was no consensus on which party was best. But there was a general agreement that the Greens are the only significant party to strongly support the NBN (National Broadband Network – fiber to the home in cities and fast wireless in rural areas) and to also strongly oppose censoring the Internet. SAGE-AU has an official position opposing Internet filtering, and while the organisation hasn’t taken a position on the NBN it seems that the majority of members are in favor of it (I am in a small minority that doesn’t like the NBN). So it seems that political desires of the SAGE-AU members (and probably most people who care about the Internet in Australia) are best represented by the Greens.

Note that SAGE-AU has no official policy on this; the above paragraph is based on discussions I’ve had on mailing lists and in private mail with a number of SAGE-AU members. Also note that not all the SAGE-AU members who agree that the Greens advocate their positions on Internet issues plan to vote for them.

The Green support for the NBN is based on the importance of the Internet to all aspects of modern life; the social justice benefit of providing decent net access for everyone (particularly people in rural areas) is very important to the Greens. I still oppose the NBN and believe that it would be better to just provide better ADSL in all suburbs, better net access (through whichever technology works best) in rural areas, and fiber to the central business areas. But the NBN isn’t really that important to me; human rights and a science based policy are much more important and are the reasons why I’ve been supporting and voting for the Greens.

No Wasted Votes

One thing to note is that the Australian electoral system is designed to avoid wasted votes. There are two ways of considering a vote to be wasted in Australia, one is if you live in an electorate where both the upper and lower house elections have an almost certain result such that no expected swing can change the outcome – I doubt that this is possible for any region in Australia given the way the upper house elections work, although a large portion of the lower house seats have a result that is almost certain.

The other way of having a wasted vote is to vote for someone who doesn’t actually represent you. Lots of people mindlessly vote for a party that seems to represent them, either they identify with unions and vote Labor every time, they regard themselves as “conservative” and vote Liberal every time, or they live in a rural area and vote National every time. The Labor and Liberal parties don’t differ much in policies and members in safe seats typically don’t do anything for the people who elected them. If you generally support the policies of one of the major parties then it can be a good tactic to give your first preference to a minor party. For example if you tend towards Labor then vote Greens first and preference Labor over Liberal. The result will be that your vote will count towards Labor in the lower house and it sends a message to Labor and prevents them from being complacent.

Before Australian elections there is always some propaganda going around about wasted votes; this is usually part of a deliberate campaign to try and prevent people from voting for smaller parties. Because the news has many mentions of wasted votes in US elections (which are watched closely in Australia) it seems that some Australians don’t realise that there are significant and fundamental differences between the political systems in Australia and the US.

Volunteering

Last time I checked the Greens were still accepting volunteers to hand out “how to vote” cards, so if you want to do more for the Greens than just vote for them then this is one way to do it. If you want an uncensored Internet with freedom of speech and a lot of investment in infrastructure (as well as good support for all human rights) then you really want to help the Greens win more seats at the election on Saturday.

Tidal River

Tim (a member of my local LUG) writes about some observations he has made of a nearby river and speculates on a tidal bore-like phenomenon [1].

One thing that surprised me was how short the list was on the Tidal Bore Wikipedia page [2], and the fact that it is missing an entry for Tidal River at Wilson’s Promontory [3] (where my family often spent the Christmas holidays when I was young).

Some of the tidal bores are described as having a wave as high as two meters. Tidal River is not so impressive; my observation was that during the 80’s it was about 40cm near the mouth of the river. The area near the river mouth had many bends when I last saw it which absorbed some of the energy of the wave (but I expect that the river changes course constantly so it might be straight from time to time).

On one occasion I River Surfed [4] about 500 meters upstream at Tidal River on a surf-mat (an inflatable surf-board).

I have searched for research into this issue; the Tidal Bore Research Society [5] seems to just maintain a list of tidal bores and not do any real research. Pierre Lubin, Stephane Glockner, and Hubert Chanson published a paper titled “Numerical simulation of turbulence generated by a tidal bore” [6]. Hubert Chanson at the University of Queensland has written an interesting paper titled “Physical Modelling of the Flow Field in an Undular Tidal Bore” [7]. Hubert seems to have published more papers related to tidal bores than anyone else (or at least more papers that are publicly accessible).

TED – Defining Words

I recently joined the community based around the TED conference [1]. The TED conference is expensive ($6000US) and has a long waiting list (the 2009 conference is sold out) so it seems quite unlikely that I will ever attend one. But signing up to the web site is easy and might offer some benefit.

[Image: optional words to define yourself as a TED member]

One thing that interested me was that part of the sign-up process requests that you select up to 10 words from the list above to describe yourself. Some of the words seem almost mandatory for anyone who is interested in what TED has to offer (I find it difficult to imagine someone declaring that they are not an “activist” or a “change agent” while wanting to be involved with TED in any way). The range of words also seems quite strange, there are some professions mixed with educational status, marital status, and religion. The way it is laid out would tend to encourage people to make a decision as to which aspects of their life are more important, is career, marital status, or religion more important?

Given the nature of TED I’m wondering whether they intentionally did a bad job of that part of the site design to encourage people to think about these issues.

It seems to me that a better way of doing this would be to provide a few suggestions and allow people to fill in text fields with their own values. Even defining marital status can require many choices and there is no limit to the number of religions and careers. If you try to make a comprehensive list then you will end up doing what British Airways did with their frequent flyer membership application page [2]. Even disregarding the choices of spelling (e.g. Admiral vs Admiraal and Brig Gen vs Brig General vs Brigadier General) the British Airways list is unreasonably long, and I doubt that anyone who deserves the title “Her Majesty” or “His Holiness” is going to be interested in frequent flyer points.

Also I wonder which of the entries in the TED list would be most commonly accepted by the free software community. It seems that activist and technologist would be quite popular.

Here is the list in text form for those who can’t get the picture above:

What is Appropriate Advertising?

Colin Charles writes about a woman who is selling advertising space on herself [1]. Like Colin I haven’t bought a t-shirt in about 9 years (apart from some Cafepress ones I designed myself). So it seems that the price for getting some significant advertising at a computer conference is to buy a few hundred t-shirts (they cost $7 each when buying one at a time from Cafepress, I assume that the price gets lower than $3 each when buying truck-loads). I have been given boxer-shorts and socks with company logos on them (which I never wore), I think that very few people will show their underwear to enough people to make boxer-shorts a useful advertising mechanism, socks would probably work well in Japan though.

It seems to me that many people regard accepting free t-shirts as being an exception to all the usual conventions regarding advertising. Accepting gifts from companies that you do business with is generally regarded as a bad idea, except of course when t-shirts and other apparel are given out then it’s OK. Being paid to wear a placard advertising a product is regarded as degrading by many people, but accepting a free t-shirt (effectively being paid $7 for wearing advertising) is regarded as OK by almost everyone.

I don’t mind being a walking advert for a company such as Google. I use many Google products a lot and I can be described as a satisfied customer. There are some companies that have given me shirts which I only wear in winter under a jumper. The Oracle Unbreakable Linux [2] shirt is one that I wear in winter.

Now I would not consider accepting an offer to have advertising on my butt (although I’m pretty sure that it doesn’t get enough attention that anyone would make such an offer). I would however be happy to talk with someone who wants to pay me to wear a t-shirt with advertising when giving a lecture at a conference. I am not aware of any conference which has any real dress requirement for speakers (apart from the basic idea of not offending the audience). The standard practice is that if your employer pays you to give a lecture as part of their marketing operation then they give you a shirt to wear (polo more often than t-shirt). I am currently working on some things which could end up as papers for presentation at Linux conferences. If someone wanted to sponsor my work on one of those free software related projects and then get the recognition of having me wear their shirt while giving a lecture and have me listed as being sponsored by that company in the conference proceedings then that seems like a reasonable deal for everyone.

One thing that you need to keep in mind when accepting or soliciting for advertising is the effect it has on your reputation. Being known as someone who wants advertising on their butt probably wouldn’t be fun for very long.

On the Internet advertising seems to be almost everywhere. It seems that more than half the content on the net (by the number of pages or by the number of hits) either has an option to donate (as Wikipedia does and some blogs are starting to do), has Google advertising (or a similar type of adverts from another company), is a sales site (i.e. you can buy online), or is a marketing site (i.e. provides background information and PR to make you want to buy at some other time). Note that my definition of advertising is quite broad, for example the NSA web site [3] has a lot of content that I regard as advertising/marketing – with the apparent aim of encouraging skilled people to apply for jobs. Not that I’m complaining, I’ve visited the National Cryptologic Museum [4] several times and learned many interesting things!

I think that Internet advertising that doesn’t intrude on the content (i.e. no pop-ups, page diversions, or overly large adverts) is fine. If the advertising money either entirely pays people to produce useful content or simply encourages them to do so (as in the case of all the blogs which earn $10 a month) then I’m happy with that. I have previously written about some of my experience advertising on my blog [5] and how I encourage others to do the same.

I don’t think that space on a t-shirt is any more or less appropriate for advertising than space on a web site hosting someone’s blog.

Finally there is one thing I disagree with in Colin’s post, that is the use of the word “whore”. It’s not uncommon to hear the term “whoring” used as a slang term for doing unreasonable or unworthy things to make money (where “unreasonable” and “unworthy” often merely means doing something that the speaker wouldn’t be prepared to do). But using the term when talking about a woman is quite likely to cause offense and is quite unlikely to do any good. The Wikipedia page about prostitution [6] has some interesting background information.

Wyndham Resorts is a Persistent Spammer

Over the last week I have received five phone calls from Wyndham Resorts asking if I would like to be surveyed. Every time I tell them that I am not going to do their survey; on all but one call I had to repeatedly state that I would not do the survey for more than two minutes before they would go away.

The advantage of phone spam over email spam is that the caller pays; I guess that they have a time limit of three minutes when calling a mobile phone to save on calling costs.

There have been a number of proposals for making people pay for email to discourage spam. Even a cost of a few cents a message would make spam cease being economically viable for a mass audience (a smaller number of targeted spams would be easier to block or delete). But such plans to entirely change the way email works have of course failed totally.

But for phones it could work. I’d like to have a model where anyone who calls me has to pay an extra dollar per minute which gets added on to their phone bill. When people who I want to talk to call me I could reimburse them (or maybe be able to give my phone company a list of numbers not to bill).

This could also seamlessly transition to commercial use. I would be happy to accept calls from people asking for advice about Linux and networking issues for $1 per minute. With all the people who call me about such things for free already it would be good to answer some questions for money.

Offensive Blog Posts

There has been ongoing debate in the Debian community for a number of years about what standards of behavior should be expected. Matthew Garrett sets a new low by making a joke about Jesus being molested as a child [1]. While I believe that debate and discussion about religion is a good thing, such comments about someone who is widely regarded as a God (part of the Holy Trinity) seem to provide no value and just needlessly offend people. I used to be a Christian, and while I have great disagreements with most Christians about issues of religion I still believe that Jesus (as described in the bible) was a good person and deserves some respect. I don’t believe that blasphemy should be illegal, but some minimum standards should be observed when discussing religion.

Next there is the issue of child molesting, most people agree that there’s nothing amusing in that – so I hope that nothing more needs to be said about violating babies.

Finally there is the issue of rape in general often being treated as a joke in the computer industry (I am not sure how prevalent this is in the wider community). One example that is from a Wired article: “We were raped by Microsoft. Bill Gates did it personally. Introducing Gates to the president of a small company is like introducing Mike Tyson to a virgin” [2]. I admit that finding examples of this on the web is not easy, part of it is due to such slang use being more common in spoken communication than in written communication, another is the vast number of slang terms that are used.

A Google search for “male rape” [3] turns up some informative articles. One FAQ suggests that 3% of men will be raped as an adult [4] – I expect that some guys will decide that it’s not so funny when they realise that it could happen to them.

For people whose knowledge of the English language is not as good as that of Matthew and me, here is the dictionary definition of the word “violated” [5].

Solar Powered PC

I’ve just read an interesting post on TomsHardware.com about a solar powered PC [1]. It describes all the steps involved in creating a modern high-performance low-power computer.

They have a lot of interesting information. One surprising fact (from page 3) is that the PSUs tested (both for AC and DC input) were more efficient when idle (I expected the greatest efficiency to be when under load).

An AMD processor was chosen due in large part to the fact that chipsets in suitable motherboards used less power. For the CPU itself Intel had a competitive offering but no matching motherboard was power efficient enough (from page 7).

Page 8 documents how using a cooling fan (instead of passive cooling) reduced the power requirements of the CPU to such a degree that it always saved power use overall. Why do CPUs take less power when they are cooler?

Page 9 mentions that a small passively cooled video card can draw 88.5W when idle! That sucks pretty badly, it seems that having a video controller integrated with the motherboard is the way to go if you want to save power.

It’s interesting to note how much energy can be used by RAM. Page 13 shows that the difference between 2*1G and 2*512M can be as much as 3.4W and that the difference between different brands of RAM for the 2*1G can make as much as 1.2W difference. Their final system drew 61W when idle, my latest 64bit system takes 52W when idle [2] (which compares to the 38W of their system without a monitor), so we are talking about 9% of system power being saved by using less RAM or 3% being saved by using a different brand of RAM.

The summary of hard drive power use on page 14 is interesting. The fact that 2.5 inch laptop disks use less power than 3.5 inch desktop disks is hardly surprising, but the difference when idle is very surprising (apparently one of the 3.5 inch disks spends 8W on turbulence and friction in the bearings). It’s unfortunate that they didn’t compare any of the server-class 2.5 inch disks; it was about 6 months before the article was written that HP announced that in future they would cease shipping 3.5 inch disks and only use 2.5 inch disks (I wonder if this is related to all HP’s recent work on server cooling). Rumor has it that many server class 3.5 inch disks have platters that would fit into a 2.5 inch case because at high rotational speeds a larger diameter platter would not be strong enough.

The information on DVD power use on page 15 is quite shocking. From now on when I install machines as servers which don’t have a need for a CD-ROM drive I’ll remove the drive prior to deployment. Even if it saves only 0.47W then it’s still worth doing on a machine which uses less than 40W! An additional benefit of this is that it might speed up the boot process as the system won’t need to check for a bootable CD.

It’s unfortunate that most computer parts don’t have published documentation on how much power they draw. Even if you don’t want to run on solar power there are still significant benefits to saving electricity (including reducing the noise from cooling fans and heat problems in summer). If technical data were published then people could make informed decisions about which parts to buy.

Update: Changed the percentage savings for different types of RAM to be based on the system power use without the monitor. I’m most interested in saving power for servers and for idle desktops (running a desktop machine 24*7 is pretty common) so most of the time the monitor will be turned off.

It’s interesting to note that the power their system uses is about the same as a P3 system and could be less if they used a different hard drive.

Buying Old PCs

I install quite a number of internet gateway machines for one of my clients. While eventually he will probably move to using an ASUS EeePC [1] or something similar, the current plan is to keep using desktop PCs (unfortunately server-class machines make too much noise).

P4 machines use an unreasonable amount of power and don’t seem worth getting second-hand. P3 machines are the most power efficient machines that have been commodity PCs (with keyboard and monitor), see my computer power use document for an example [2].

So what I would like is to get a dozen name-brand P3 systems at a reasonable price. Currently the only companies I can find selling such machines are charging ridiculous prices (such as $300) with the aim of reaming corporations who want to complete a set of old machines rather than upgrading them all. Most online auctions etc are selling P4 and Celeron 2GHz as the minimum hardware. The Celeron machines are better than P4 (at around 50W) but not as good as P3 (at less than 40W).

If you read this post and are in Melbourne, Australia and have a name-brand P3 desktop system that you want to sell then let me know. If you have any suggestions of how to buy such machines then I’m interested in advice.