Friday, April 25, 2008

Playing Ping Pong


64 bytes from funkyhost.mydomain.com (12.37.112.12): icmp_seq=17 ttl=254 time=1.35 ms
wrong data byte #12 should be 0xc but was 0x4
#8 8 9 a b 4 d e f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27
#40 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37

Well, WTF! An in-depth study can be found here. According to Randy Kramer: "Turns out that there is a bug in ping which causes me to see the "wrong data byte #0 should be" 0x59 (0xhh?) "but was" error message, if the ping response takes longer than 1 second. Thanks to Pierre Fortin for pointing this out (...)"

Monday, April 07, 2008

$SSH_ORIGINAL_COMMAND

It is possible to limit the commands that one machine can execute on the other by entering a command
in .ssh/authorized_keys, along with the authorized key. From then on, whatever command the client asks for gets diverted to that one forced command. The cool trick is that the original command is still available in the variable named in the title!
The allowed command can then be a more or less simple script that evaluates the variable.
A simplified example:

vi /root/bin/validate_command:

#!/bin/bash
# sshd runs this instead of whatever the client asked for and puts the
# client's command line into SSH_ORIGINAL_COMMAND. Only rsync is let through.
case "$SSH_ORIGINAL_COMMAND" in
rsync*) $SSH_ORIGINAL_COMMAND ;;
*) echo "You must be joking..." ;;
esac
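As an added example that is not the post's own script, here is a stricter validate_command: it accepts only rsync's server-side invocation, vets every word of the requested command line, and keeps rsync inside an assumed backup directory (/srv/backup); the authorized_keys line in the comment is the forced-command syntax it is meant for.

```shell
#!/bin/sh
# Added example, not the blog's own script: a stricter validate_command.
# Only rsync's server-side invocation is allowed, every word of the command
# line is restricted to harmless characters, and the path rsync works on
# must stay below BACKUP_ROOT (an assumed location).
set -f   # no globbing: a "*" in the command stays a literal "*"

BACKUP_ROOT="/srv/backup"

# check_command CMD: prints the verdict, returns 0 (allowed) or 1 (refused).
check_command() {
    cmd="$1"
    [ -n "$cmd" ] || { echo "refused: no command (shell requested)"; return 1; }
    case "$cmd" in
        "rsync --server "*) ;;
        *) echo "refused: not an rsync server invocation"; return 1 ;;
    esac
    # Walk the words exactly as "exec $cmd" would split them.
    last=""
    for w in $cmd; do
        case "$w" in
            *[!A-Za-z0-9./_=-]*)
                echo "refused: forbidden character in '$w'"; return 1 ;;
            *..*)
                echo "refused: parent directory reference"; return 1 ;;
        esac
        last="$w"
    done
    # rsync names the directory it works on as its last argument.
    case "$last" in
        "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) echo "allowed"; return 0 ;;
        *) echo "refused: path outside $BACKUP_ROOT"; return 1 ;;
    esac
}

# Entry point when sshd runs this as the forced command, i.e. from a line like
#   command="/root/bin/validate_command",no-pty,no-port-forwarding ssh-rsa AAAA...
# in authorized_keys. The name check keeps this part inert when sourced.
if [ "${0##*/}" = "validate_command" ]; then
    if check_command "${SSH_ORIGINAL_COMMAND-}" >/dev/null; then
        exec $SSH_ORIGINAL_COMMAND   # unquoted on purpose: words were vetted above
    fi
    logger -t validate_command "refused: ${SSH_ORIGINAL_COMMAND-<none>}"
    echo "You must be joking..." >&2
    exit 1
fi
```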

Friday, March 14, 2008

The official Bash History

History in bash is a drag. You log in, you find a history. You need a second shell, you log in, but the history of the first shell is gone. You reboot from the shell and all histories are gone. Nuisance... All history for a given shell stays only in memory as long as the shell is open. Only if it exits cleanly is the history written. So I defined


alias h="history -a"


in .bashrc. Why? I can quickly type "h", and then the current shell's history gets written to disk.
So then all histories are the same. HISTSIZE=10000 might help your memory as well...

Saturday, March 08, 2008

No name, no number... no service

On a mailserver level there is one setting that keeps out 90% of the spam for me. In postfix this setting is called "reject_unknown_client_hostname" or, earlier, "reject_unknown_client". Every connecting client must have an IP --> name mapping and a matching name ---> IP mapping. Hijacked Windoze dial-in boxes and similar don't have that. Whatever the reason, on my server 90% of the ill traffic gets halted before it even gets near the spam filter. Of course the less disciplined of your mailing friends might get caught on that one too, because the forward and reverse DNS mappings of domains sometimes get out of sync, since they often reside on different nameservers. In these cases the somewhat more lenient
"reject_unknown_reverse_client_hostname" might be a wiser choice.
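To make the difference between the two restrictions concrete, here is an added example (not from the post) that replays the lookup logic over constructed DNS answers, so it runs offline; the addresses and host names are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the blog: the lookup logic behind Postfix's two
# restrictions, replayed over constructed DNS answers so it runs offline.
#   reject_unknown_reverse_client_hostname  needs only a PTR record.
#   reject_unknown_client_hostname          needs the PTR name to resolve back
#                                           to the connecting IP (FCrDNS).
# The strict setting would be written in main.cf as
#   smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
# (Postfix answers 450 and lets the client retry when a lookup fails only
# temporarily, so a flaky nameserver does not lose mail outright.)

# client_verdict IP PTR_NAME FORWARD_IPS
#   IP           the connecting client address
#   PTR_NAME     what the reverse lookup returned ("" if there is none)
#   FORWARD_IPS  space-separated addresses PTR_NAME resolves to ("" if none)
# Prints "accept", "reject_by_both" or "reject_by_strict_only";
# returns 0 only for "accept".
client_verdict() {
    ip="$1"; ptr="$2"; fwd="$3"
    # No PTR record at all: even the lenient restriction rejects.
    [ -n "$ptr" ] || { echo "reject_by_both"; return 1; }
    # PTR exists; the strict restriction also wants a matching forward record.
    for a in $fwd; do
        if [ "$a" = "$ip" ]; then echo "accept"; return 0; fi
    done
    echo "reject_by_strict_only"; return 1
}

# Constructed cases: a well-kept host, the out-of-sync friend from the post,
# and a dial-in box that has no reverse mapping at all.
for c in "192.0.2.10|mail.example.net|192.0.2.10" \
         "192.0.2.20|mx.friend.example|198.51.100.7" \
         "192.0.2.30||"; do
    ip=${c%%|*}; rest=${c#*|}; ptr=${rest%%|*}; fwd=${rest#*|}
    printf '%-12s %-18s %s\n' "$ip" "${ptr:-<no PTR>}" "$(client_verdict "$ip" "$ptr" "$fwd")"
done
```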

Friday, March 07, 2008

Searching an ftp Server

echo ls | ftp ftp://server/dir/subdir/ | grep -i package


This is so cool. Mind you, it does not search recursively. Also, the "/" at the end of the path is important. But you can load your repositories into a variable and then search for software anytime, fast. (Unless the trick gets too popular and the ftp servers break.)

Note: On Gutsy it seems "ftp" does not do this, use lftp instead.

Thursday, March 06, 2008

Anti Brute Force !


#!/bin/bash

# These rules can be loaded onto your mail or other server. Adjust
# values as needed. An IP that connects too often gets shut out
# for 5 minutes. Special rules for special ports might be needed.
# This works well for me.

# Make two new chains:
iptables -N OFFENDER
iptables -N BADBOYS

# This chain is for new connections that arrive too fast. Note that
# the "limit" match counts all new connections together, not per
# source IP, so adjust "limit" and "limit-burst" to your traffic
# in order to not stop legit traffic.

iptables -A OFFENDER -m limit --limit 1/sec --limit-burst 20 -j RETURN
iptables -A OFFENDER -m recent --set --name DEFAULT --rsource
iptables -A OFFENDER -m limit --limit 6/min -j LOG \
--log-prefix "OFFENDER " --log-level 6 --log-tcp-sequence \
--log-tcp-options --log-ip-options
iptables -A OFFENDER -j REJECT --reject-with icmp-host-unreachable

# This chain is for repeated offenders:
iptables -A BADBOYS -m limit --limit 6/min -j LOG \
--log-prefix "BADBOY: " --log-level 6 --log-tcp-sequence \
--log-tcp-options --log-ip-options
iptables -A BADBOYS -j REJECT --reject-with icmp-host-unreachable

# These get inserted into the INPUT chain as early as possible,
# after localhost and maybe localnets. The first rule shuts
# repeated offenders out for 5 minutes -- hehe.
iptables -I INPUT 5 -m recent --rcheck --seconds 300 \
--name DEFAULT --rsource -j BADBOYS
iptables -I INPUT 6 -m state --state NEW -j OFFENDER
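As an added example (not part of the post), a small report over the kernel log lines these OFFENDER/BADBOY rules write, to see who is being throttled on which port before tuning --limit and --limit-burst; the log lines are constructed in the format iptables LOG produces.

```shell
#!/bin/sh
# Added example, not from the blog: summarise the kernel log lines that the
# OFFENDER and BADBOY rules above emit (prefixes "OFFENDER " and "BADBOY: ").
# The sample lines are constructed in iptables LOG format; addresses are made up.

SAMPLE_LOG='Mar  6 10:15:01 mail kernel: OFFENDER IN=eth0 OUT= MAC=00:16:3e:5e:6c:00:00:1c:7e:ab:12:34:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  6 10:15:03 mail kernel: OFFENDER IN=eth0 OUT= MAC=00:16:3e:5e:6c:00:00:1c:7e:ab:12:34:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51240 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  6 10:15:09 mail kernel: BADBOY: IN=eth0 OUT= MAC=00:16:3e:5e:6c:00:00:1c:7e:ab:12:34:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51260 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  6 10:16:40 mail kernel: OFFENDER IN=eth0 OUT= MAC=00:16:3e:5e:6c:00:00:1c:7e:ab:12:34:08:00 SRC=198.51.100.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0'

# offender_report < kernel-log : one line per (source, port, stage),
# most hits first, as "<hits> <SRC> <DPT> <stage>".
offender_report() {
    awk '
        /kernel: (OFFENDER|BADBOY:)/ {
            stage = ($0 ~ /BADBOY:/) ? "BADBOY" : "OFFENDER"
            src = dpt = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            hits[src " " dpt " " stage]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Show the report for the constructed sample; on a real box feed it
# with the kernel log instead, e.g. grep OFFENDER /var/log/kern.log.
printf '%s\n' "$SAMPLE_LOG" | offender_report
```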

Wednesday, March 05, 2008

New Tools !

So here's to my new Compaq 6710b: Dual Core with Virtualisation Extensions, 2GB, a total of 320 GB harddisk, Firewire, USB, UMTS, Bluetooth, you name it and we've got at least two of it...
But then... how to migrate my good old, far-travelled Fujitsu Slab with a well grooved-in Gutsy, that served me so well?
I decided to not discard the Vista Business Edition that we paid for. Only the latest version of the GParted Live CD was able to resize Vista flawlessly.
Then I partitioned the rest with LVM using OpenSUSE 10.2 (menu driven!), installed minimal, booted to a rescue system, did an "rm -r /mnt" (Oh boy, this I always wanted to do!) and rsynced Gutsy from my old notebook, edited fstab and menu.lst, installed the bootsector, rebooted: Done! Everything still works, down to browser cache and special routes, great... EXCEPT: WPA encrypted wireless traffic. After spending a day on that, I got 2.4.24.3, compiled with "make oldconfig" and voila: Wireless ok, now the sound is dead... the new kernel had compiled every sound module except the one I needed. Rev up the compilers again, compile the module: Now it's completely done.
There's been quite some renaming in Intel notebook kernel modules; it seems that's the background of all that.
Anyways, my new notebook is great. :-)



Remember: A fool with a tool is still a fool!

Sunday, February 10, 2008

Rugged way to list space used

df -m | awk 'BEGIN {i=0};/.*dev.*/ {i=$3+i};END {print i}'


= Total Space used in MB

Friday, January 18, 2008

Busy in the tank

Currently involved in a project linking three ESX Servers to a 3TB SAN storage and moving 25 virtual machines into the servers.
Storage is a hard subject, as everything you do can possibly be disastrous.
ESX is a funny animal, expensive, but still sometimes handling like good old Linux.