2008/03/21 Climbing Qixingshan

Qixingshan, which we never reached on the earlier spring walk.... not making the summit had always felt like unfinished business,
especially since Sharon has climbed it who knows how many times, while our Jiujiu cycling all-talk club
had never once made the top, which was frankly embarrassing,
so Frankie planned a "mini triathlon" to get the job done:
cycling, climbing Qixingshan, then hot springs and swimming. Somehow it sounded more like a picnic,
and since that was probably how I was thinking of it, I dressed like I was going on a picnic,
jeans and all, and got a ton of grief from everyone for it,
I didn't bring what I should have and brought what I shouldn't have... that thick coat of mine,
no way around it... I was born afraid of the cold,
as usual we had to take a photo before setting off,

So we rode slowly all the way to the Miaopu trailhead
and I found my legs felt like they had snapped,
it really had been far too long since I had been on a bike,
and the whole way was uphill,
after a meeting of roughly thirty-eight seconds we decided to shorten the cycling leg
and lengthen the Qixingshan hike,
so we ate lunch right there at the Miaopu trailhead
and started the task of climbing Qixingshan's main peak,
it looked easy, but the cycling leg had left my legs incredibly sore,

so it took rather longer than planned to reach the main peak of Qixingshan,

What a feeling....
no wonder some people love climbing mountains....
there is an indescribable ease to it
and heading down the mountain for a hot spring soak was even better,
this time we picked Huangchi, next door to Chuantang,
a coworker said Huangchi's public pool was good,
so we came to check it out,
and had dinner there while we were at it...
the food was good.... except for that pot of pineapple and bitter melon chicken soup...
it just tasted off....
finally time for the last task.... hot spring and swimming
the hot spring was nice... but the water was too hot... I still never got my swim

Photos taken by Frankie
are in Frankie's album



This cleared up something that had puzzled me for days

After switching vsftpd to start through the super daemon, I found the following message in the log
Exiting: another instance running? '/tmp/blockhosts.lock' already locked
After consulting the great god Google, it seemed to be related to the patterns,
but I don't know Python,
so with guidance from my coworker Terry I fixed it by adding a pattern, as follows
"vsftpd-pam_unix":
r'{LOG_PREFIX{vsftpd}} pam_unix.*? authentication failure.*? rhost={HOST_IP}',
and finally BlockHosts 2.3.1-1 for vsftpd 2.0.4 on Fedora 5 blocks IPs properly
I am thoroughly pleased
and really grateful to Terry for the help

Preventing Brute Force Attacks With BlockHosts

Official site: http://www.aczoom.com/cms/blockhosts
The installation steps are as follows
1. Install the blockhosts package; either the rpm or the tarball is fine
2. Edit blockhosts.cfg
3. Edit /etc/hosts.allow
4. Check whether the target machine already has iptables rules in use; if it does, edit line 861 of blockhosts.py (see the last section of this post); if not, skip this step
5. Set a crontab entry to run every five minutes (needed for removing rules)

Test environment: Fedora 5
vsftpd-2.0.4-1.2
proftpd-1.3.0a-3.fc5
openssh-4.3p2-4.12.fc5
BlockHosts version installed: 2.3.1-1

If you use rpm, download the rpm file from the following URL
http://www.aczoom.com/cms/blockhosts/download

rpm -ivh BlockHosts-2.3.1-1.noarch.rpm
vi /etc/blockhosts.cfg
Edit it as follows
[...]
HOSTS_BLOCKFILE = "/etc/hosts.allow"
[...]
HOST_BLOCKLINE = ["ALL: ", " : deny"]
[...]
LOGFILES = [ "/var/log/secure.log", "/var/log/proftpd/proftpd.log", ]
[...]
COUNT_THRESHOLD = 7
[...]
AGE_THRESHOLD = 12
[...]
MAIL = True
[...]
NOTIFY_ADDRESS = 'root@localhost.localdomain'
[...]
SMTP_SERVER = "localhost"
SENDER_ADDRESS = 'BlockHosts '
[...]
IPBLOCK = "iptables"
In HOSTS_BLOCKFILE we can specify either /etc/hosts.allow or /etc/hosts.deny. It doesn't matter which one we choose. I'm using /etc/hosts.allow here. In the LOGFILES line we specify the log files that BlockHosts should look at. OpenSSH is logging failed login attempts to /var/log/auth.log, ProFTPd to /var/log/proftpd/proftpd.log. COUNT_THRESHOLD specifies the number of failed login attempts from the same host after which BlockHosts should block that host. AGE_THRESHOLD is the number of hours after which blocked hosts get unblocked. IPBLOCK specifies if you'd like to block hosts with iptables or iproute in addition to adding these hosts to /etc/hosts.allow (or /etc/hosts.deny).
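To make the pattern fix from the vsftpd post and the two thresholds above concrete, here is an added example (not part of this post and not BlockHosts' own code) that scans a few constructed log lines the way BlockHosts does: expand a pattern, count matches per source host, drop entries older than AGE_THRESHOLD, and block any host at or above COUNT_THRESHOLD. The expansion of the {LOG_PREFIX{service}} and {HOST_IP} tokens is an assumption made for this example, the sshd pattern is likewise assumed, and the sample log lines are constructed (the vsftpd lines use the "pam_unix(vsftpd:auth):" wording so that the page's pattern matches them). Running it on your own log file instead of SAMPLE_LOG is a quick way to see which pattern, if any, picks up a given line before trusting the real configuration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Threshold values taken from the blockhosts.cfg excerpt above.
COUNT_THRESHOLD = 7   # failed attempts from one host before it gets blocked
AGE_THRESHOLD = 12    # hours after which a host's entry is discarded

# ASSUMPTION: this placeholder expansion is written for the example. It only
# mimics the {LOG_PREFIX{service}} and {HOST_IP} tokens used in the page's
# pattern; it is not BlockHosts' own implementation.
def expand(pattern):
    def prefix(m):
        # syslog timestamp, hostname, then "service[pid]:"
        return (r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ '
                + re.escape(m.group(1)) + r'\[\d+\]:')
    pattern = re.sub(r'\{LOG_PREFIX\{(\w+)\}\}', prefix, pattern)
    pattern = pattern.replace('{HOST_IP}', r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})')
    return re.compile(pattern)

PATTERNS = {
    # the vsftpd/pam_unix pattern added on this page
    "vsftpd-pam_unix": r'{LOG_PREFIX{vsftpd}} pam_unix.*? authentication failure.*? rhost={HOST_IP}',
    # sshd pattern assumed for this example (not from the page)
    "sshd-password": r'{LOG_PREFIX{sshd}} Failed password for .*? from {HOST_IP}',
}
COMPILED = {name: expand(p) for name, p in PATTERNS.items()}

def scan(lines, now, year=2008):
    """Count matching failures per host, discard entries older than
    AGE_THRESHOLD hours, and return (blocked, watched) dicts of host -> count,
    mirroring the 'final counts' line of the --dry-run output."""
    counts = defaultdict(int)
    last_seen = {}
    for line in lines:
        for rx in COMPILED.values():
            m = rx.search(line)
            if m:
                host = m.group("host")
                counts[host] += 1
                # syslog lines carry no year, so one has to be supplied
                last_seen[host] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
                break
    cutoff = now - timedelta(hours=AGE_THRESHOLD)
    fresh = {h: c for h, c in counts.items() if last_seen[h] >= cutoff}
    blocked = {h: c for h, c in fresh.items() if c >= COUNT_THRESHOLD}
    watched = {h: c for h, c in fresh.items() if c < COUNT_THRESHOLD}
    return blocked, watched

# Constructed sample log lines (not from the page).
SAMPLE_LOG = [
    f"Mar 21 10:0{i}:02 videotest vsftpd[1234]: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser= rhost=10.1.8.232  user=bob"
    for i in range(7)
] + [
    "Mar 21 11:15:43 videotest sshd[850]: Accepted password for root from 10.1.1.135 port 1436 ssh2",
    "Mar 21 11:16:01 videotest sshd[851]: Failed password for root from 10.1.1.135 port 1437 ssh2",
    "Mar 21 11:16:05 videotest sshd[851]: Failed password for root from 10.1.1.135 port 1437 ssh2",
] + [
    # eight failures, but 18 hours old at NOW: older than AGE_THRESHOLD, so discarded
    f"Mar 20 22:0{i}:09 videotest sshd[700]: Failed password for invalid user admin from 10.9.9.9 port 4000 ssh2"
    for i in range(8)
]
NOW = datetime(2008, 3, 21, 16, 0, 0)   # constructed "current time" for the sample

def demo():
    return scan(SAMPLE_LOG, NOW)

if __name__ == "__main__":
    blocked, watched = demo()
    print(f"... final counts: blocked {len(blocked)}, watched {len(watched)}")
    for host, n in blocked.items():
        print(f"ALL: {host} : deny   # {n} failures")
```

With the sample input, 10.1.8.232 reaches the threshold of 7 and is blocked, 10.1.1.135 stays on the watch list with 2 failures, the "Accepted password" line matches nothing, and the old burst from 10.9.9.9 is aged out even though it exceeded the count.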

Next we must modify /etc/hosts.allow. First back up your current /etc/hosts.allow:
cp /etc/hosts.allow /etc/hosts.allow.bak
vi /etc/hosts.allow

# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# ----
# see "man 5 hosts_access" for details of the format of IP addresses,
#services, allow/deny options. Also see "man hosts_options"
#
# permanent whitelist addresses - this should always be allowed access
ALL: 127.0.0.1 : allow
# ALL: 192.168.0. : allow
# permanent blacklist addresses - this should always be denied access
# ALL: 10. : deny
# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)
#---- BlockHosts Additions
#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services:
sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \
--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow

#---
# add --iproute to enable null-routing, or add --iptables to enable packet
# filtering, which blocks all network communication from blocked hosts
#---
# remove >> /var/log/blockhosts.log 2>&1 if no logging to blockhosts.log
# is needed - without this, it will still log to syslog (minimally)
#sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow
#---
# above commands will use default config file - /etc/blockhosts.cfg, edit
# it as needed to specify local configuration options
# See "man hosts.allow" for info on %c and %s identifiers
# for non-verbose, with identification, to syslog only (/var/log/messages),
# triggered on any service (using ALL as first word):
#ALL: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow
#----
# To test hosts.allow, and to find out exact names of SSH/FTP services,
# add this line to the beginning of hosts.allow, use ssh/ftp to connect
# to your server, and then look at the log (/var/log/messages or
# blockhosts.log) to see the name of the invoked service.
# IMPORTANT: after your test is done, remove this line from hosts.allow!
# Otherwise everyone will always have access.
#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow
# -------------------------------------------------------------------------
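The two "#---- BlockHosts Additions" marker lines are the only part of the file BlockHosts rewrites, using the HOST_BLOCKLINE prefix and suffix from the configuration above. As an added example (not the page's or BlockHosts' own code), the following rewrites just that region of a constructed, minimal hosts.allow and refuses to touch a file that does not contain exactly two markers, which is the check worth running before pointing a live installation at a hand-edited file. SAMPLE_HOSTS_ALLOW is constructed for the example.

```python
# Settings as given in the blockhosts.cfg excerpt on this page.
HOST_BLOCKLINE = ["ALL: ", " : deny"]
MARKER = "#---- BlockHosts Additions"

# Constructed, minimal hosts.allow in the layout shown above (not the full file).
SAMPLE_HOSTS_ALLOW = """\
# permanent whitelist addresses - this should always be allowed access
ALL: 127.0.0.1 : allow
#---- BlockHosts Additions
#---- BlockHosts Additions
sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow
"""

def find_markers(text):
    """Return (lines, first_marker_index, second_marker_index). A file with
    any other number of marker lines has no safe region to write into."""
    lines = text.splitlines()
    idx = [i for i, line in enumerate(lines) if line.strip() == MARKER]
    if len(idx) != 2:
        raise ValueError(f"expected exactly 2 marker lines, found {len(idx)}")
    return lines, idx[0], idx[1]

def blocked_hosts(text):
    """Hosts currently denied between the markers."""
    lines, a, b = find_markers(text)
    head, tail = HOST_BLOCKLINE
    return [line[len(head):-len(tail)]
            for line in lines[a + 1:b]
            if line.startswith(head) and line.endswith(tail)]

def set_blocked(text, hosts):
    """Rewrite only the region between the markers; everything else in the
    file (the permanent whitelist, the spawn rule) is left untouched."""
    lines, a, b = find_markers(text)
    head, tail = HOST_BLOCKLINE
    block = [head + h + tail for h in sorted(hosts)]
    return "\n".join(lines[:a + 1] + block + lines[b:]) + "\n"

if __name__ == "__main__":
    updated = set_blocked(SAMPLE_HOSTS_ALLOW, ["10.1.8.232"])
    print(updated)
    print("blocked now:", blocked_hosts(updated))
```

Because hosts_access evaluates the file top to bottom and stops at the first match, the permanent whitelist placed before the markers keeps working no matter what gets written between them; that ordering, not the deny lines themselves, is what protects 127.0.0.1.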

Now we need to initialize BlockHosts. First, we do this with the --dry-run option to check that there are no errors:
blockhosts.py --dry-run --verbose
The output could look like this:
[root@videotest log]# blockhosts.py --dry-run --verbose
blockhosts 2.3.1 started: 2008-03-16 16:06:55 CST
... loaded /etc/hosts.allow, starting counts: blocked 0, watched 0
... loading log file /var/log/secure, offset: 664
... loading log file /var/log/messages, offset: 406
... discarding all host entries older than 2008-03-16 15:06:55 CST
... final counts: blocked 0, watched 1
#---- BlockHosts Additions
#bh: ip: 10.1.8.232 : 1 : 2008-03-16 16:06:55 CST

#bh: logfile: /var/log/secure
#bh: offset: 2630
#bh: first line:Mar 16 14:39:43 videotest sshd[850]: Accepted password for root from 10.1.1.135 port 1436 ssh2

#bh: logfile: /var/log/messages
#bh: offset: 986
#bh: first line:Mar 16 05:07:23 videotest syslogd 1.4.1: restart.

#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services:

proftpd, sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \
--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow
Commands (tentative) to run for IPTables filtering:
... created user-defined chain blockhosts
... creating jump from INPUT to blockhosts chain
... no email to send.

[root@videotest log]#
Looks ok (apart from the IPv6 error which you can ignore), so we can run it without the --dry-run option:
blockhosts.py --verbose
This should look like this:
blockhosts 2.3.1 started: 2008-03-16 16:10:12 CST
... loaded /etc/hosts.allow, starting counts: blocked 0, watched 1
... loading log file /var/log/secure, offset: 2630
... loading log file /var/log/messages, offset: 986
... discarding all host entries older than 2008-03-16 15:10:12 CST
... final counts: blocked 0, watched 1
... no email to send.
Creating A BlockHosts Cron Job For Non-TCP_WRAPPERS Services
To block hosts from non-TCP_WRAPPERS services such as Debian's ProFTPd, you can run
blockhosts.py --iptables --verbose
on the command line. Of course, you don't want to do this every few minutes, therefore we create a cron job for this.
First we create a little wrapper script for /usr/bin/blockhosts.py:
vi /usr/local/sbin/blockhosts

#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/usr/bin/blockhosts.py --iptables --verbose >> /var/log/blockhosts.log 2>&1

The purpose of this wrapper script is to pass the correct PATH to the /usr/bin/blockhosts.py script; if we use /usr/bin/blockhosts.py directly in the cron job, we will get errors saying that iptables could not be found.
Of course, we must make /usr/local/sbin/blockhosts executable:
chmod 700 /usr/local/sbin/blockhosts
Then, we create a cron job like this:
crontab -e
*/5 * * * * /usr/local/sbin/blockhosts &> /dev/null

Reference: http://howtoforge.com/blockhosts_debian_etch

During testing I found that a machine which already has iptables rules set up runs into the following problem
Iptables firewall and blockhosts
Hi,
I use an iptables based firewall and now I set up blockhosts. The problem is that when blockhosts creates the rule in the INPUT chain it uses --append. In my case the default policy for INPUT is DROP and there are a number of rules which allow access to the services hosted on the server. Because the blockhosts rule was appended to the INPUT chain as the last rule it did not fulfill its function.
What I did is that I modified the blockhosts.py file so that it inserts the rule before the first one in INPUT chain.
On version 2.3.1 it is in line 861. It should look like this:
cmd = path + " --insert INPUT -j %s" % chain
Hope this helps to someone!
Daniel
Reference: http://www.aczoom.com/cms/forums/blockhosts/iptables-firewall-and-blockhosts
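The ordering problem in Daniel's post comes down to netfilter's first-match rule. As an added example (not from the forum post, this page, or iptables itself), the following is a small first-match model of an INPUT chain with policy DROP and explicit ACCEPT rules for the hosted services; it places the jump to the blockhosts chain either with --append or with --insert and reports what happens to a packet from a blocked host. The chain layout and the blocked address are assumptions made for the example.

```python
# ASSUMPTION: a minimal first-match model of netfilter chain traversal, written
# for this example to show why rule position matters; it is not iptables code.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def evaluate(chains, name, pkt, policy="DROP"):
    """Walk chain `name` top to bottom; the first matching rule decides.
    A rule is (match_fn, target): target is a verdict, or the name of a
    user-defined chain to jump into (which falls through if nothing matches)."""
    for match, target in chains[name]:
        if not match(pkt):
            continue
        if target in TERMINAL:
            return target
        sub = evaluate(chains, target, pkt, policy=None)   # jump; None acts as RETURN
        if sub is not None:
            return sub
    return policy

def firewall(blocked_ip, placement):
    # The situation from the forum post: INPUT policy DROP plus explicit
    # ACCEPT rules for the hosted services (here sshd and ftp).
    input_chain = [
        (lambda p: p["dport"] == 22, "ACCEPT"),
        (lambda p: p["dport"] == 21, "ACCEPT"),
    ]
    jump = (lambda p: True, "blockhosts")        # "-j blockhosts" on every packet
    if placement == "append":                    # iptables --append INPUT -j blockhosts
        input_chain.append(jump)
    elif placement == "insert":                  # iptables --insert INPUT -j blockhosts
        input_chain.insert(0, jump)
    else:
        raise ValueError(placement)
    return {
        "INPUT": input_chain,
        # what the blockhosts chain holds: one DROP per blocked host
        "blockhosts": [(lambda p: p["src"] == blocked_ip, "DROP")],
    }

def verdict(placement, src, dport, blocked_ip="10.1.8.232"):
    """Fate of a packet from `src` to local port `dport` under either placement."""
    return evaluate(firewall(blocked_ip, placement), "INPUT", {"src": src, "dport": dport})

if __name__ == "__main__":
    for placement in ("append", "insert"):
        print(placement, "blocked host -> ssh:", verdict(placement, "10.1.8.232", 22))
        print(placement, "other host   -> ssh:", verdict(placement, "10.1.1.135", 22))
```

With --append the service ACCEPT rules are reached before the jump, so the blocked host still gets through to sshd; with --insert the jump comes first and the packet is dropped, while other hosts are unaffected. One caveat of the --insert fix: the packet-level block ignores the whitelist in hosts.allow, which only tcp_wrappers consults, so any addresses that must never be cut off need their own ACCEPT rule ahead of the jump.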

So far sshd and proftpd test fine, but when testing vsftpd the login hangs; I found that vsftpd has to be started through the super daemon to avoid the login problem. Also, the vsftpd patterns in blockhosts.cfg seem to differ from what actually shows up in the log and need a fix, otherwise blockhosts does not appear to pick up the vsftpd messages. If anyone knows how to modify them, please advise.

鼎玉鉉鵝肉店 (Dingyuxuan Goose Restaurant)

Yesterday my girlfriend and I planned to see a movie
but for one reason or another didn't,
so we drove around aimlessly,
which is my girlfriend's favourite thing to do,
she finds you often stumble on unexpected surprises that way,
and this time we really did find something good...
while driving around looking for food, my girlfriend spotted a pork knuckle place she wanted to try,
without a second thought we found parking nearby,
parked, walked over, and found the place looked nearly empty,
while the shop next door.... 鼎玉鉉鵝肉店, the goose restaurant, was packed...

so we switched to the goose restaurant.....

Goose rice was fifty dollars, which looked good,
so we ordered two bowls,
I gave my girlfriend a hundred to go and pay
while I went to grab a table
my girlfriend came over carrying the goose rice
and said it was free (goose rice is free if you eat in)
I said no way... is there really such a thing...
won't the shop get eaten out of business
we asked the old gentleman sharing our table
and learned that on the first of every month
goose rice eaten in the shop is free (limited to one bowl)
so glad a shop like this exists.... and that we happened upon it...
my girlfriend immediately pulled out her planner and checked....
ah.... the first of the month for the next few months..... none of them are days off... what a pity..
still, I highly recommend this place...
the goose rice is good, and so is the soup that comes with it
since we felt a bit sheepish...
we later ordered a goose leg as well, also good
if you pass by this shop, go and give it a try


2008/11/1 update
every dish... has gone up by ten dollars

Spring Walk to Xiaoyoukeng

After the spring banquet there has to be a spring walk,
and the place chosen was Qixingshan, suggested by Sharon,
which we heard would be more tiring than last year's Xiangshan,
the meeting point was the science education museum on Shishang Road,
last time we agreed that latecomers would be fined five hundred,
and it worked.... nobody was late
the interesting thing about life
is that so much of it is unpredictable,
or, as they say, plans never keep up with changes,
we hadn't expected the Yangmingshan flower season to still be on, so there was no parking at the trailhead where we had meant to park,
one turn later we were at the Zhuzihu police station car park,
the entry point changed, and the rest of the day's itinerary changed subtly with it

We had meant to walk to Qixingshan, but partway there found the distance still looked a bit far,
after weighing it up, the captain announced that today we would stop at Xiaoyoukeng
(this really is the Jiujiu team, everything is flexible)
with one sentence the day turned into an easy stroll, not a drop of sweat,

After a long round of photos at Xiaoyoukeng

we slowly headed to the bus shelter to wait for a bus, planning to go to Chuantang for a meal
but the buses that came (the 108) weren't going to Zhuzihu
and the Xiao 9 that should have come never did
we waited until I was cold all over
so the three of us drivers decided to run back to the police station for the cars,
and just as we ran to the junction at the bottom of the hill.... we saw the Xiao 9 slowly pulling up
we yelled at the Xiao 9 for all we were worth, never been so happy to see a bus,
thinking thank goodness it came, otherwise our legs would have been wrecked from running all the way back
After eating and soaking at Chuantang

a perfect end to the day