[2005-09-02]
This page collects various patches, scripts, programs and other things which might be of interest to some small portion of the internet populace.
dnsbl-delister is a perl script whose purpose it is to allow you to automatically get delisted from DNS blacklists. Alternatively, it can be used to warn/inform you if your current (dynamic) IP is listed somewhere.
Delisting is currently only supported for 'dsbl.org', but the code is easy to extend to support other lists too, assuming they supply some sane way to request delisting. Many do not.
Check the README for instructions.
(dnsbl-delister obsoletes dsbl-check.pl)
(New in version 1.1: Control scoring based on account name. Directly block root, mysql, webmaster, etc)
I looked around for something to stop the increasing number of brute force login attempts on my SSH daemon (sshd, Debian GNU/Linux), but couldn't find anything that suited my taste (see also: BlockHosts, Login Sentry). I didn't want a daemon or heavy-weight script, I wanted something simple. I decided that I would use a simple script to collect IPs from the auth.log and deny them through TCP wrappers. I also decided to not try and complicate things by having to manually code for expiration of old IPs (or worse, managing that by hand), or even worry about spoofing (an unlikely attack in my case). This is going to be a "setup and forget" setup.
First, download the perl script, which can be saved pretty much anywhere. We'll call it from hosts.allow later. I place all my scripts in a directory under /etc, so this one is /etc/scripts/sshd_failed_ips.pl
This code is simple, and doesn't have any dependencies, except of course perl. Don't forget to chmod +xr it.
Now all that is needed is configuring /etc/hosts.allow to update and match against a database using the script:
sshd: ALL EXCEPT /etc/ssh/sshd_blacklist_dynamic : spawn (/etc/scripts/sshd_failed_ips.pl >/etc/ssh/sshd_blacklist_dynamic)
ALL: LOCAL
ALL: 192.168.0.1
It's important to understand that rule matching isn't "most restrictive": the first rule that matches grants access, so if for instance you have "ALL: ALL" in the file, the EXCEPT clause for sshd won't do a thing! Now you can also see why we don't worry about spoofing or even our own clumsiness. We simply explicitly grant rights to local hosts as needed.
As I mentioned, since the database is dynamically regenerated on each connection attempt, we don't have to worry about expiration -- as logs get rotated the blacklist will adapt. Here though is an important point: the value of $block_threshold should be scaled to fit the duration for which the scanned log(s) are kept. If you keep a log for a month and a user fails to log in once per day, you'd start blocking them after about a week if you didn't tune this important variable.
You can build on this. One thing I've done is to run the script before rotating my log (see logrotate) and capture the IPs into a second file which is also tested against in hosts.allow. If you append to this file each time, you'll keep IPs denied forever. If you overwrite, the last rotation will carry over.
I also suggest you define and use AllowUsers, MaxAuthTries and MaxStartups in your /etc/ssh/sshd_config.
Let me know of any success or failure, especially if the reg-exp fails to match due to a different log format.
PROS: Very simple, so fast to install and get running. Doesn't require active administration. No weird dependencies. Not a daemon.
CONS: Scanning huge logs each connection attempt can be slow on ultra-low-end hosts. Will abort scanning on first log that can't be opened.
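As an added illustration of the scoring idea (not the author's sshd_failed_ips.pl, which is perl and not reproduced here), the following Python reimplements the core: count failed logins per source IP from auth.log lines, give named accounts their own weight, block root/mysql/webmaster-style accounts outright, and print the result one IP per line as hosts.allow expects. The log line format, the account lists and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Debian sshd failure line, e.g. "sshd[4711]: Failed password for invalid user
# admin from 10.0.0.5 port 3322 ssh2" (older OpenSSH writes "illegal user").
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

BLOCK_THRESHOLD = 5                       # scale to how long the log is kept
BLOCK_DIRECTLY = {"root", "mysql", "webmaster", "admin"}  # one attempt suffices
SCORE = {"guest": 2, "test": 2}           # per-account weight, default 1

def score_line(line):
    """(ip, points) for a failed login, points=None meaning block outright."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    user, ip = m.group("user"), m.group("ip")
    return (ip, None) if user in BLOCK_DIRECTLY else (ip, SCORE.get(user, 1))

def blacklist(lines, threshold=BLOCK_THRESHOLD):
    """Sum points per source IP; return the sorted IPs that should be denied."""
    totals, blocked = defaultdict(int), set()
    for line in lines:
        hit = score_line(line)
        if hit is None:
            continue
        ip, pts = hit
        if pts is None:
            blocked.add(ip)
        else:
            totals[ip] += pts
    blocked.update(ip for ip, pts in totals.items() if pts >= threshold)
    return sorted(blocked)

# Constructed auth.log excerpt (not real traffic).
SAMPLE_LOG = """\
Sep  2 03:14:15 gw sshd[4711]: Failed password for invalid user admin from 10.0.0.5 port 3322 ssh2
Sep  2 03:14:20 gw sshd[4713]: Failed password for illegal user mysql from 10.0.0.9 port 2000 ssh2
Sep  2 03:15:01 gw sshd[4720]: Failed password for eddy from 192.168.0.1 port 1022 ssh2
Sep  2 03:15:09 gw sshd[4720]: Accepted password for eddy from 192.168.0.1 port 1022 ssh2
Sep  2 03:16:00 gw sshd[4725]: Failed password for invalid user test from 10.0.0.7 port 3001 ssh2
Sep  2 03:16:02 gw sshd[4725]: Failed password for invalid user test from 10.0.0.7 port 3001 ssh2
""".splitlines()

if __name__ == "__main__":
    # hosts.allow's spawn redirects this output into the dynamic blacklist file.
    print("\n".join(blacklist(SAMPLE_LOG)))
```

With the threshold left at 5 the two "test" failures from 10.0.0.7 are not enough to list it, which is the tuning point made above: the threshold must match how much history the scanned log holds.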
A small program I wrote in order to migrate my old Gecho (keywords: BBS, tosser, scanner, echomail) installation to a new location. Will scan through the relevant Gecho configuration file (areafile.ge), replacing the "hardcoded" drive letter for each area with one you pass on the command line. Win32 binary, linux binary and c++ source (Public Domain) included. Easy to extend if you need to do more fancy processing, like for instance rewriting more of the path.
When you're connected to the internet via a service that assigns you an IP dynamically, you'll have to have some way to update the external DNS when your IP changes. Some cable modems support this natively, others simply export the IP to a real computer which can then be made to run scripts when it's assigned a new IP. For the rest of us, we must rely on the somewhat inelegant solution of polling some source for our current external IP, reacting if it's changed since the last time we looked.
Typically this is accomplished by requesting a web page from a remote server which would in its output carry the IP of the requester. This works, but it's a bit redundant: we're basically asking some remote server to tell us the IP of a piece of hardware connected to the local network.
Now, I own an Alcatel SpeedTouch 510 (v4) cable modem. Not the best piece of hardware I've seen, but not the worst either. The problem is that it does not support dynamic DNS updating in the firmware, and there's neither a documented nor an obvious way to get it to spit out current configuration information, such as the currently assigned DNS server or the external IP (edit: somewhat fixed in later firmware). I therefore decided to write a small script to simulate a login on the modem console ("telnet"), command it to dump the info I need and then capture and parse the output. This way we can retrieve our IP address.
The result is the following few lines of perl which when configured correctly -- you need to fill in the password and IP to use to log in -- will spit out the currently assigned external (WAN-side) IP:
#!/usr/bin/perl
# get510ip.pl
#
# SpeedTouch 510v4 IP polling script v1.0
# (C)2004 Eddy L O Jansson
#
# This software is provided under the terms of the GNU General Public License.
# See the included file COPYING or http://www.gnu.org/licenses for information.

use strict;
use warnings;
use Net::Telnet ();

my %config = (
    USERNAME          => 'admin',
    PASSWORD          => 'enter-password-here',   # fill in the modem's password
    HOST              => '192.168.0.254',         # fill in the modem's LAN-side IP
    IP_SERVICE_STRING => 'pppoe',                 # name of the WAN-side interface as 'aplist' shows it
);

# The modem console prompts with '=>', optionally followed by the current [menu].
my $t = Net::Telnet->new( Timeout => 5, Prompt => '/\=\>(\[.*\])?$/' );
$t->open( $config{HOST} );
$t->login( $config{USERNAME}, $config{PASSWORD} );

# Enter the 'ip' menu and dump the list of IP interfaces.
$t->cmd("ip");
my @result = $t->cmd("aplist");

# The line naming the WAN-side service is followed by a line carrying its address.
my $line_nr = 0;
foreach my $line (@result) {
    if ( $line =~ /[0-9]+.*$config{IP_SERVICE_STRING}.*Type.*$/ ) {
        my $next = $result[ $line_nr + 1 ];
        if ( defined $next and $next =~ m/.*ip-addr:(\d+\.\d+\.\d+\.\d+).*$/ ) {
            print $1;
        }
        last;
    }
    ++$line_nr;
}
The code depends only on perl, obviously, and on the Net::Telnet package which is readily available off CPAN.
I don't mind web-based message boards as long as they're reasonably slim. One thing that I find irritating is the thing called 'avatars', ungracious pictures which serve no practical purpose but to incur overhead and download delays. In the best of all worlds the viewer would get to decide what s/h/it wants to see/download, so I developed this patch for the popular YabbSE bulletin board software with the hope that it would be adopted in mainline and trickle out to boards that I frequent.
Unfortunately I later found out that YabbSE is no longer GPL'ed, and the development process is closed and weird. This isn't anything I'm going to maintain, but here it is.
What it does? It extends the admin interface with options to allow users to decide for themselves whether or not they want to see other users' avatars and/or signatures. Once the admin allows it, each user will get new options in their preferences to disable these things, individually.
I presented this patch here. Please note that the first version I presented was in fact b0rken, but I fixed it some hours later. This version is, I believe, perfectly fine.
The license? I guess the license is 'whatever'. Whatever fits YabbSE. I really don't care, it's such a trivial thing.
Some people and/or encoders are brain-dead and add ID3 tags to Ogg files. This is a quick hack to remove any prepended and/or appended ID3 tags from an Ogg [Vorbis] file. Win32 executable and c++-ish source included.
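An added Python sketch of what such a stripper has to do (this is not the author's C++ source): recognise an ID3v2 header at the front, size it from its syncsafe length plus the optional v2.4 footer, recognise an ID3v1 "TAG" block at the end, and refuse to cut when a header claims more bytes than the file holds. The sample bytes are constructed, not a real Ogg file.

```python
# Layout facts used: ID3v2 header = "ID3", major, revision, flags, 4-byte
# syncsafe size of the tag body (excluding the 10-byte header and the optional
# 10-byte footer); ID3v1 = trailing 128 bytes starting with "TAG"; every Ogg
# page starts with the capture pattern "OggS".

def syncsafe(b):
    """Decode a 4-byte syncsafe integer (7 bits per byte); None if malformed."""
    if len(b) != 4 or any(x & 0x80 for x in b):
        return None
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def strip_id3(data):
    """Return (clean, prefix_len, suffix_len); suspicious headers are left alone."""
    head = 0
    if data[:3] == b"ID3" and len(data) >= 10 and data[3] != 0xFF:
        size = syncsafe(data[6:10])
        footer = 10 if data[5] & 0x10 else 0        # flags bit 4: v2.4 footer
        if size is not None and 10 + size + footer <= len(data):
            head = 10 + size + footer               # else: truncated/lying tag
    tail = len(data)
    if tail - head >= 128 and data[tail - 128:tail - 125] == b"TAG":
        tail -= 128
    return data[head:tail], head, len(data) - tail

def looks_like_ogg(data):
    """True when the (cleaned) stream starts with an Ogg page capture pattern."""
    return data[:4] == b"OggS"

def id3v2_header(body_len, footer=False):
    """Build a v2.4 header (constructed test data, not a real encoder's output)."""
    sz = bytes(((body_len >> s) & 0x7F) for s in (21, 14, 7, 0))
    return b"ID3" + bytes([4, 0, 0x10 if footer else 0]) + sz

# Constructed sample: a fake 48-byte Ogg stream wrapped in both kinds of tag.
OGG = b"OggS" + b"\x00" * 23 + b"constructed page body"
TAGGED = id3v2_header(20) + b"\x00" * 20 + OGG + b"TAG" + b"\x00" * 125

if __name__ == "__main__":
    clean, pre, post = strip_id3(TAGGED)
    print("stripped %d leading and %d trailing bytes, ogg=%s"
          % (pre, post, looks_like_ogg(clean)))
```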
I like to scp things, even under win32. When you transfer large files and suddenly face a 'broken pipe' you soon tire, so I went in and implemented download resume in pscp. It's a fairly trivial change, but then, I didn't have to consider the 'big picture' or anything. It works for me and I've used it quite extensively.
These archives contain both my binary and the patches. You can choose between the 2004-08 (post putty 0.55 security fix) or 2003-08 version.
I suggest you try the latest one. The default behaviour is like all pscp versions, but if you supply the new command line switch -XR (for eXperimental Resume) pscp will resume existing local files instead of overwriting them, doing no rollback (which I think isn't needed anyway, but feel free to prove me wrong).
©2004 Eddy L O Jansson. All rights reserved. All trademarks acknowledged.