Thursday, July 16, 2009

AsiaBSDCon 2009:The OpenBSD Release Process: A Success Story

Monday, July 6, 2009

Possible SSH 0-day vulnerability? And a couple of semi-helpful iptables tips.

Update 07/08/2009: This is starting to sound less and less like a 0-day and more like a single administrative error or lapse. Either way it's a warning; don't be lax with your SSH access. SSH is for the most part secure, but there's always the chance that it can be exploited.

Update 07/07/2009: SANS is also as vexed with the lack of info on this issue as everyone else I've contacted.  They're a great place to watch for more data as it becomes available.  If anything new happens I'll also update here, but I'll probably get it from SANS myself.


I'm sorta loath to report this, since I don't have anything to substantiate it other than rumors flying around web hosting bulletin boards and Twitter, but there is word of a 0-day SSH vulnerability floating around.

Translated Rumor

Translated Rumor Source

I have no more information on this than that, other than hearing that several hosts are locking down SSH also.

So I've been running around tonight locking down my visible servers.

This is actually good practice for the most part.  SSH is a powerful service, so any vulnerability in it gets magnified in importance very quickly, and as information about a vulnerability spreads, attacks multiply just as fast.

The fix is simple: block SSH access from untrusted IPs.  At this juncture, even if it upsets your clients, you might want to do so until more information trickles out about the status of this vulnerability.

If you want an easy way to create and test some new iptables rules, you can do what I do (no warranties, etc).

  1. do an 'iptables-save > ~root/tmp_iptables'

  2. edit ~root/tmp_iptables and add the following lines before the line that says COMMIT, substituting your own IPs and hostnames for the ones I have added, of course.
    -A INPUT -s 10.0.0.1 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s my.devlab.ca -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j DROP

  3. do a 'cat ~root/tmp_iptables | iptables-restore' and cross your fingers
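An added helper (my own, not from the original post) that does step 2 for you: it reads an iptables-save dump on stdin and writes it back out with the three SSH rules appended to INPUT inside the *filter table only, since a dump also carries *nat and *mangle tables with their own COMMIT lines. It accepts only IPv4 addresses or prefixes (iptables-restore resolves a hostname just once, at load time), and the function name and the 192.0.2.0/24 sample prefix are assumptions of mine.

```shell
#!/bin/sh
# Added helper (not from the post): builds the tmp_iptables ruleset from step 2.
# Reads an iptables-save dump on stdin and writes it back out with the SSH rules
# appended to INPUT inside the *filter table only, right before that table's COMMIT.
# Usage: iptables-save | add_ssh_lockdown 10.0.0.1 192.0.2.0/24 > ~root/tmp_iptables

# Accept only IPv4 addresses or CIDR prefixes. iptables-restore resolves a hostname
# once at load time, so a later DNS change would silently leave a stale rule behind.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

add_ssh_lockdown() {
    # With no trusted source, the DROP rule alone would lock everyone out.
    [ $# -gt 0 ] || { echo "need at least one trusted source" >&2; return 1; }
    allow=""
    for src in "$@"; do
        if ! is_ipv4_cidr "$src"; then
            echo "refusing non-IP source: $src" >&2
            return 1
        fi
        allow="$allow $src"
    done
    awk -v allow="$allow" '
        /^\*/ { table = substr($0, 2) }   # remember which table (*filter, *nat, ...) we are in
        /^COMMIT$/ && table == "filter" {
            # -A appends, so an earlier INPUT rule that already accepts port 22 still wins
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++)
                print "-A INPUT -s " a[i] " -p tcp -m tcp --dport 22 -j ACCEPT"
            print "-A INPUT -p tcp -m tcp --dport 22 -j DROP"
        }
        { print }
    '
}
```

Because the rules are appended, check the INPUT chain in the dump for an earlier rule that already accepts port 22 before you restore the result.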


If things have gone horribly wrong and I have led you down a terrible path, cutting off your SSH access, you can either console in and redo that same process, leaving out the SSH rules, or have your service provider console in or reboot the box.   The nifty thing about this method is that it's not a permanent change to your server.  It only lasts until your next reboot, unless you have some process that automatically saves any iptables rules you put into place.

The Round-Up: May 26, 2008 #green

Link: The Round-Up: May 26, 2008

From the article:


Oil shock: China and Mexico, not Exxon, stupid
Prices are soaring, in part, because oil is denominated in U.S. dollars and the d...
[MORE]--The Round-Up: May 26, 2008

Sunday, July 5, 2009

Lunar Probe Sends First High-Res Images

Link: Lunar Probe Sends First High-Res Images

From the article:


NASA's Lunar Reconnaissance Orbiter has begun producing high-resolution and wide-angle images of the moon's surface.

...
[MORE]--Lunar Probe Sends First High-Res Images

Saturday, July 4, 2009

Happy 4th of July!, (Fri, Jul 3rd)

Link: Happy 4th of July!, (Fri, Jul 3rd)


From the article:


Celebrate, watch fireworks, but don't click on links in emails or surf to sites with Fourth of July, ...(more)... ...
[MORE]--Happy 4th of July!, (Fri, Jul 3rd)

Thursday, July 2, 2009

Bicycle Licensing in #Toronto: Why revisit this idea, Councillor Michael Walker?

Update 07/16/2009: Via Ross, Copenhagenize has a posting on this subject also and they've included a PDF of his motion.  You can also follow this discussion at the BikingToronto Forums.

Also I noted that I'm wrong below when I say that 5,907 tickets were issued to cyclists during the Toronto Police 'Safe Cycling' campaign; it was actually 1,373 tickets directly to cyclists.  5,907 is the total overall!

Update 07/07/2009: City Caucus also has a posting about this issue.

Welcome #green

Link: Welcome

From the article:



The Oil Depletion Analysis Centre (ODAC) is an independent, UK-registered educational charity working to raise international pu...
[MORE]--Welcome

Wednesday, July 1, 2009

Blog about quick-n-dirty repairs

Link: Blog about quick-n-dirty repairs

From the article:


Human ingenuity (and a touch of foolishness) on parade at thereifixedit.com (Thanks, Coop!)...


...
[MORE]--Blog about quick-n-dirty repairs