SSH storm – updated

May 13th, 2008

Over the last couple of days, it seems there’s some kind of SSH botnet trying to spread. Since I installed DenyHosts some weeks ago, I usually got 5-10 notifications of blocked IP addresses. Last weekend, however, I got more than 200 notifications.

Although I feel rather safe having installed DenyHosts (which I urge you to install on every SSH-accessible server), a lot of hosts out there aren’t protected, so I fear a new botnet is in the making.

Clearly, someone thinks I need to get more junk in my mailbox. Let me tell you though, 1400 spam mails a day is enough already…

That’s why I wrote a very rudimentary script that hooks into DenyHosts, queries a whois server for an abuse email address and, when one is found, sends it an email.

Update:
I didn’t notice the difference between the PLUGIN_DENY setting and the mail behaviour of DenyHosts.
By default, DenyHosts will send you an email every time it adds a new host to /etc/hosts.deny, whereas the PLUGIN_DENY script will be invoked every time it adds or re-adds a host to /etc/hosts.deny. That’s why I now first grep a file listing the hosts whose hostmaster I have already notified of the abuse.

The script is ridiculously easy:

#!/bin/bash

# DenyHosts PLUGIN_DENY hook: called with the blocked IP address as its only argument.
IP=$1
NOTIFIED=/var/lib/denyhosts/notified_abuse

# Check whether we've already seen this host. Match the whole address as a word,
# so that 1.2.3.4 does not match an earlier entry for 1.2.3.45.
touch "$NOTIFIED"
if grep -qwF -- "$IP" "$NOTIFIED"
then
        echo "host already seen"
        exit 0
else
        echo "new host, added to logfile"
        echo "$(date) $IP" >> "$NOTIFIED"
fi

# Try to look up the abuse mailbox (RIPE-style "abuse-mailbox:" lines; the last one wins).
abuse=$(whois "$IP" | grep '^abuse-mailbox:' | tail -n 1 | sed -e 's/^abuse-mailbox: *//')

# If an abuse mailbox was found, send a mail.
if [ -n "$abuse" ]
then
cat << EOF | mail -a "From: Pieter Barrezeele <xxxxxx@xxxxxxxxxx.be>" -s "SSH brute force attack from $IP" "$abuse"

Dear Sir/Madam,

Today we experienced an SSH brute force attack originating
from $IP, a host under your responsibility. This probably means
the host in question is compromised.
Please take action to stop this host from attacking us again.

Thanks in advance,
Pieter Barrezeele

PS: this is an automated mail, any errors in this mail are caused by parsing errors.
EOF
fi

I’d advise you to send the mails to yourself for a few days, until you see that only new hosts are being added. Alternatively, you could copy the contents of /etc/hosts.deny into /var/lib/denyhosts/notified_abuse as well.
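Two weak spots in the script above are worth hardening before you let it mail strangers: the substring match on the notified-hosts file (a plain grep for 10.0.0.4 also matches an earlier 10.0.0.45) and the whois parsing, which only understands RIPE-style "abuse-mailbox:" lines. The helpers below are an added example, not part of the original post: they compare the IP field whole, and go one step further than the script by also accepting ARIN-style "OrgAbuseEmail:" lines. The whois snippets and log line are constructed sample data, not real registry output.

```sh
#!/bin/sh
# Added example (not part of the original DenyHosts hook above).
#
# already_notified FILE IP   exits 0 when IP appears as the last field of a
#                            "<date> <ip>" line in FILE, 1 otherwise.
# abuse_contact_from_whois   reads whois output on stdin and prints the last
#                            abuse address found (RIPE "abuse-mailbox:" or
#                            ARIN "OrgAbuseEmail:"), nothing when none found.

already_notified() {
    file=$1
    ip=$2
    [ -f "$file" ] || return 1
    # The address is the last field of every line; compare it whole, never as
    # a substring, so 192.0.2.4 is not confused with 192.0.2.45.
    awk -v ip="$ip" '$NF == ip { found = 1 } END { exit !found }' "$file"
}

abuse_contact_from_whois() {
    # Last match wins, as in the original script's "tail -n 1".
    awk '
        tolower($1) == "abuse-mailbox:" || $1 == "OrgAbuseEmail:" { addr = $2 }
        END { if (addr != "") print addr }
    '
}

# Constructed sample data for a stand-alone run (not real whois output or logs).
SAMPLE_RIPE='inetnum:        192.0.2.0 - 192.0.2.255
abuse-mailbox:  abuse@example.net
source:         RIPE'

SAMPLE_ARIN='OrgAbuseHandle: ABUSE-EXAMPLE
OrgAbuseEmail:  abuse@example.org'

SAMPLE_LOG=$(mktemp)
printf '%s\n' "Mon May 12 10:00:00 CEST 2008 192.0.2.45" > "$SAMPLE_LOG"

# Stand-alone demo.
for host in 192.0.2.45 192.0.2.4; do
    if already_notified "$SAMPLE_LOG" "$host"; then
        echo "$host: already notified"
    else
        echo "$host: new host"
    fi
done
printf '%s\n' "$SAMPLE_RIPE" | abuse_contact_from_whois
printf '%s\n' "$SAMPLE_ARIN" | abuse_contact_from_whois
rm -f "$SAMPLE_LOG"
```

In the hook, replace the grep with `already_notified /var/lib/denyhosts/notified_abuse "$IP"` and the whois pipeline with `abuse=$(whois "$IP" | abuse_contact_from_whois)`; the empty-result check then works unchanged.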

Ozark Henry @ Irisfeesten

May 13th, 2008

Last weekend the Iris festivities took place in Brussels. Among the headliner acts were performances by Daan and Ozark Henry. Of course I couldn’t miss out on that last one. We arrived just in time to enjoy Housewife, one of Daan’s latest and greatest songs, after which it was Piet Goddaer’s turn to entertain the masses that had gathered at the Paleizenplein, just in front of the royal palace.

As usual, this concert was a nice mix of his recent work as well as some of his older hits, including “Sweet Instigator”, “Word up”, “Rescue” and even “Inhaling”.

To conclude, I’d like to say: “Merci, Piet!” ;-)


Ozark Henry @ Irisfeesten

Ozark Henry @ Irisfeesten encore

Monitoring MS SQLServer 2005 with Nagios

May 5th, 2008

Need to monitor a SQLServer with Nagios? There’s check_mssql.sh in the contrib folder of the latest Nagios plugins. This check command only works with SQLServer 7 and 2000, though.

To make it work with SQLServer 2005, you only need to change 1 line in the script. Find this line:

echo -e "select loginame from sysprocesses where spid > $spid ...

and change it to

echo -e "select loginame from sys.sysprocesses where spid > $spid ...

Now, if your freetds installation (the actual SQLServer client that does all the magic) supports SQLServer 2005, you can run the script as though you’re checking a SQLServer 2000 installation.
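If you deploy the plugin to several hosts it is handy to script the change rather than edit by hand. The function below is an added example, not code from the original post or from the nagios-plugins project: it rewrites only the table reference in the "from" clause, so running it twice over the same file leaves "sys.sysprocesses" alone instead of producing "sys.sys.sysprocesses". The sample line is a constructed stand-in for the relevant line of check_mssql.sh, not the real file contents.

```sh
#!/bin/sh
# Added example (not from the original post or the nagios-plugins project).
# Apply the one-line SQLServer 2005 change to check_mssql.sh on stdin.

patch_for_sqlserver2005() {
    # usage: patch_for_sqlserver2005 < check_mssql.sh > check_mssql_2005.sh
    # Only touch "from sysprocesses where", so an already patched file is
    # left unchanged (idempotent).
    sed -e 's/from sysprocesses where/from sys.sysprocesses where/'
}

# Constructed stand-in for the relevant line of the plugin (not the real file).
SAMPLE_LINE='echo -e "select loginame from sysprocesses where spid > $spid"'

# Stand-alone demo: patch once, then patch the result again.
once=$(printf '%s\n' "$SAMPLE_LINE" | patch_for_sqlserver2005)
twice=$(printf '%s\n' "$once" | patch_for_sqlserver2005)
echo "$once"
[ "$once" = "$twice" ] && echo "second run changed nothing, as intended"
```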

Just got back from the mobileschool.org streetsleep event

April 19th, 2008

And it was good. Well, it’s actually not over yet. A lot of enthusiasts chose to sleep over at the Martelarenplein in front of Leuven’s railway station, to show solidarity with street children in third world countries. Hopefully, this event will reach its goal by gathering enough attention for its cause.
There were a lot of workshops ranging from street cooking to street dancing, short sets by street artists for this occasion (Milow, Klaas from Yevgueni and Anton Walgrave), and an election of the “nicest” street shelter made from rubbish.
I’m really impressed by the courage these people show by sleeping outside on this cold, rainy night. Hats off!

A small impression:

Milow@StreetSleep event


I’m looking for a Power Mac G4 case

April 18th, 2008

Well, actually it’s my girlfriend that’s looking for such a case. She wants to do something ‘artistic’ with it, but I can’t tell you what… yet.

So if anybody knows where to find such a case… (none of the innards have to be in working condition, but the case should look good from the outside), let me know!


Adding custom facts to your Puppet environment

March 26th, 2008

Puppet, my favourite system administration tool, gathers facts about its managed hosts, which can be used in administering these hosts.
These default facts are collected by Facter, one of Puppet’s dependencies. One can use these facts by running ‘facter’ on a managed host and in Puppet recipes, i.e. descriptions of how you want your hosts to be configured. A rather big set of facts is supported out of the box. Adding facts of your own, however, can help you make your recipes more clever.

That’s what I’ve been doing over the last couple of days. This page, “Plugins in Modules”, explains rather well how to add your custom facts. What it fails to tell you is that facts added through this mechanism are only available to Puppet and not to Facter.

So reading this blog post can save you hours trying to figure out why your custom facts don’t show up in the output of facter, because they never will. Executing a mail statement in which you mail the output of a fact will show you the contents of your facts, however… ;-)

Xen bridging troubles

March 22nd, 2008

Well, not really Xen related, but I noticed that our blades became unreachable once the bridging scripts had run.

After reading a lot of bug reports about bugs in the default Xen networking scripts, a posting on the Xen mailing list pointed me in the direction of the network driver.

Apparently, some versions of the Broadcom NetXtreme II network driver are somewhat buggy, which shows up as broken bridges. In particular, the version included with the binary distribution tarball of Xen 3.1 is affected.

Luckily for us, the bnx2 driver included in the 2.6.18-6-xen-686 kernel available in Debian etch is OK and after a reboot, I had my fully working bridge.

I hope this post reaches other people with the same problems, because it cost me a lot of time to fix.

Update: This problem also occurred randomly on some of our other servers, all running the same Xen 3.1 bnx2 driver. After an update of the kernel, these problems disappeared.

Free publicity!

March 4th, 2008

Yep, why not abuse my own, much-read blog… ;-)

I started my own little company! Go see my projects page!

In order to help out a friend whom I helped troubleshoot some problems, I started an on-the-side activity with which I try to broaden my experience. I even have my own business cards, designed especially for me! :-)

Go check it out, maybe I can be at your service someday.

Smack my book up!

May 26th, 2006

Kris pointed me to a nice video showing another nice use of the AMS sensor that is in all recent Apple notebooks.

Sometimes, it amazes me how a simple idea can turn out to be so cool: just detect a tap on your screen to switch screens. The idea is Erling Ellingsen’s.

I just installed it this afternoon and it’s really cool, though it will need some fine-tuning so it always switches in the right direction…

I have some doubts whether I will continue using it, because I like Exposé more than DesktopManager…

Anyway, one feature request would be to filter out annoying colleagues’ banging on the table…

MythTV workshop

May 19th, 2006

Yesterday I gave a small workshop on how to use a Linux machine as a digital multimedia center. As the intended audience was not the Linux-savvy geeks, I chose to use KnoppMyth and built myself a machine with MythTV 0.19-fixes on some very nice hardware, thanks to Kris: a total of 300 GB of hard disk space and a Hauppauge PVR-500.
Anyway, if you want to read more about it, I’ve put my presentation online. You can download it here.