
Archive for the ‘Linux’ Category

32-bit compat evdev driver

I’m running a ppc64 kernel with ppc32. This combination has a few shortcomings. One was that the kernel’s evdev driver had no 32-bit compatibility. I couldn’t use XFree86’s evdev support because of this, and hal had some problems too. I finally was annoyed enough to hack the evdev driver. Here’s the ugly patch:
evdev-compat-2.6.11-rc3-mm2.patch

March 16th, 2005: The patch has been integrated into 2.6.11-mm3

Exim 4 and Dynamic IP-Addresses

I’ve recently changed my network connection at home to a provider which assigns dynamic addresses. Since then Exim has always presented a broken HELO/EHLO name to my smarthost, because my externally visible hostname changes each time I connect. I’m now using Exim’s Perl interface to look up the currently assigned hostname when connecting to my smarthost:

  • /etc/exim4/exim.pl:
    Don’t forget to change ppp0 to the interface you want to handle!
    #! /usr/bin/perl
    
    # Requires libio-interface-perl
    
    use strict;
    use IO::Socket;
    use IO::Interface;
    
    # Returns the reverse-resolved name of the address currently assigned to
    # the dialup interface, or '' so the Exim expansion below can fall back
    # to $primary_hostname.
    sub get_remote_helo_data()
    {
        my $s = IO::Socket::INET->new(Proto => 'udp');
        my $ip = $s->if_addr('ppp0');
    
        # Interface down or not yet configured: nothing to resolve
        return '' if (!defined $ip);
    
        my $hostname = gethostbyaddr(inet_aton($ip), AF_INET);
    
        $hostname = '' if (!$hostname);
    
        return $hostname;
    }
    
  • /etc/exim4/conf.d/main/50_exim4-localconfig_perl:
    #main/50_exim4-localconfig_perl
    perl_at_start = true
    perl_startup = do '/etc/exim4/exim.pl'
    
  • Add the following code to the appropriate transport, e.g. remote_smtp_smarthost:
    helo_data = \
      ${if >{${strlen:${perl{get_remote_helo_data}}}}{0} \
                     {${perl{get_remote_helo_data}}} \
                     {$primary_hostname}}
    

Mitigating SSH Brute Force Attacks with ipt_recent

As my SSH server only accepts public key based authentication, I’m not really worried about brute force password attacks. But these scans tend to clobber my auth.log. So after some discussion with Andrew Pollock, I’ve written a few custom actions for my shorewall setup. They use the ipt_recent module, which keeps a table of recently seen IP addresses and lets rules match against it by criteria such as how often and how recently an address was seen.

The Limit action can be used to limit accepted connections per IP and timeframe. The hardcoded limit currently is 6 connections per 60 seconds. If an IP tries to connect more often, the further attempts will be dropped.

The Whitelist action provides a simple port-knocking whitelist. If you know the WHITELIST_PORT, you can lift the limits imposed by the Limit action for your IP for 60 seconds by connecting to that port.

Here’s how you can integrate those two actions:

  • Create two empty files:
    • shorewall/action.Limit
    • shorewall/action.Whitelist
  • Copy Limit and Whitelist to the shorewall directory
  • Add Limit and Whitelist to shorewall/actions
  • Set WHITELIST_PORT in shorewall/params
  • Use Limit in shorewall/rules, for instance:
    Limit:ULOG:SSH    net  fw  tcp  ssh
    Limit:ULOG:IMAP   net  fw  tcp  imap,imaps
    

    Note: You must use the <action>:<log>:<tag> format for the rules. Limit uses the <tag> for the ipt_recent table name.

  • Optionally add a Whitelist rule:
    Whitelist:ULOG    net  fw
    
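The two actions above are shorewall files that are not reproduced on this page. As an added example (not the author's action files), the following script expresses the same policy as plain iptables commands using the recent match: 6 new connections per source address per 60 seconds, lifted for 60 seconds after a knock on WHITELIST_PORT, with the tag doubling as the ipt_recent table name. The chain names, the LOG target in place of ULOG, dropping the knock packet itself and the placeholder port number are this example's own choices; it only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: iptables equivalent of the Limit and Whitelist actions.
# Chain names, LOG instead of ULOG, and the knock port are assumptions.
set -eu

LIMIT_SECONDS=60
LIMIT_HITS=6                               # connections allowed per IP in LIMIT_SECONDS
WHITELIST_PORT=${WHITELIST_PORT:-12345}    # constructed placeholder knock port

# Print the rules for a chain "Limit_<tag>" that protects TCP <port>.
# <tag> is also the ipt_recent table name, as the Note above requires.
limit_chain() {
    tag=$1
    port=$2
    chain="Limit_$tag"
    drop_at=$((LIMIT_HITS + 1))            # the 7th attempt within the window is dropped
    cat <<EOF
iptables -N $chain
# an address that knocked within the last $LIMIT_SECONDS seconds bypasses the limit
iptables -A $chain -m recent --name WHITELIST --rcheck --seconds $LIMIT_SECONDS -j ACCEPT
# record every new connection attempt from this address (--set always matches)
iptables -A $chain -m recent --name $tag --set
# $drop_at or more attempts in $LIMIT_SECONDS seconds: log once, then drop
iptables -A $chain -m recent --name $tag --rcheck --seconds $LIMIT_SECONDS --hitcount $drop_at -j LOG --log-prefix "Limit:$tag "
iptables -A $chain -m recent --name $tag --rcheck --seconds $LIMIT_SECONDS --hitcount $drop_at -j DROP
iptables -A $chain -j ACCEPT
# only new connections are counted; established traffic never enters the chain
iptables -A INPUT -p tcp --dport $port -m state --state NEW -j $chain
EOF
}

# Print the Whitelist rule: a knock on WHITELIST_PORT records the source
# address in the WHITELIST table; the knock packet itself is dropped because
# nothing listens there.
whitelist_rule() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $WHITELIST_PORT -m state --state NEW -m recent --name WHITELIST --set -j DROP
EOF
}

# The complete ruleset matching the shorewall rules shown above:
# Limit for ssh and imap/imaps, plus the optional Whitelist.
ruleset() {
    whitelist_rule          # must precede the Limit chains so a knock is seen first
    limit_chain SSH 22
    limit_chain IMAP 143
    limit_chain IMAPS 993
}

if [ "${APPLY:-0}" = 1 ]; then
    ruleset | sh -e         # apply for real (requires root and the recent match)
else
    ruleset                 # dry run: show what would be applied
fi
```

Two caveats when tuning this: the --hitcount value cannot exceed the module's ip_pkt_list_tot parameter (default 20), and the table holds at most ip_list_tot entries (default 100), after which the oldest addresses are evicted. Using --rcheck rather than --update for the DROP rule keeps the count honest, since --update would append another timestamp on top of the one --set just recorded.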

If you’re running OpenSSH 3.9 or later, you additionally might want to set MaxAuthTries to 1 (see sshd_config(5)).

May 9th, 2005: I have found a bug in the ipt_recent module, see this article for more information and a fix.