hawking's weblog

ufs2 write support for linux

hawking — 2007-04-06T08:33:32+03:00

I've been booting gentoo/freebsd and gentoo for a while and one problem I've faced is a decent filesystem for the operating systems to share. FreeBSD has read-write support for ext2 and read-only support for reiserfs. ext3 is also supported as it's backwards compatible with ext2.

Well ext3 is a cool filesystem to use but I've been experiencing weird problems with it on FreeBSD. So I went on to check for linux kernel changes today to see if there is any plan to add UFS2 write support anytime in the future. I was shocked :). There are already patches written and it's planned to be added on 2.6.21. I quickly got the git-sources and tried it. It works like charm so far :). I can mount ufs2 partitions r/w on both systems. Many thanks to Evgeniy Dushistov who wrote the patches.

The patches are here:
[RFC] [PATCH 1/3] ufs2 write: mount as rw
[RFC] [PATCH 2/3] ufs2 write: inodes write
[RFC] [PATCH 3/3] ufs2 write: block allocation update

sshguard-2

hawking — 2007-03-12T03:45:55+03:00

I've been experimenting with sshguard today. It turns out it won't parse the log messages when sshd is using pam for authentication. pam_tally might be used to prevent brute forces but I don't think it's as practical as sshguard so I decided to add support for PAM messages to sshguard.
On my system this is how a PAM authentication failure looks like:

Mar 12 03:24:11 mars sshd[10656]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=hawking

I added a regex to parse the messages among with the other changes. The patch and the updated ebuild are here. It works fine now. To check just start entering wrong passwords to sshd:

hawking@mars ~ $ ssh mars.solar
Password: ..wrong password..
Password: and again
Password: and again..
Permission denied (publickey,keyboard-interactive).
hawking@mars ~ $ ssh mars.solar
Password: ..wrong password..

After four tries sshguard blocked me :-)

Mar 12 03:24:11 mars sshguard[10658]: Blocking 127.0.0.1: 4 failures
over 12 seconds

I think sshguard will be cool when it has a list of different regexes to parse with. I'm planning to let upstream know about it.

sshguard

hawking — 2007-03-11T03:01:46+03:00

There are many tools to prevent SSH brute force attacks. My favourite is sshguard. First of all it's not a script, it's written in C and it's pretty easy to configure.
For those who are interested I wrote an ebuild for it, it's in sunrise overlay right now.
As a short tutorial here is how I configured it. First you need to make syslog-ng call sshguard in case of an authentication failure. Adding these lines to syslog-ng.conf would do it:

destination sshguardproc { program("/usr/sbin/sshguard"); };
filter sshd { facility(authpriv) and match(ssh); };
log { source(src); filter(sshd); destination(sshguardproc); };

For efficiency make sure sshd doesn't use DNS when logging IP addresses. This can be done by adding

UseDNS no

to /etc/ssh/sshd_config.
Last but not least we need the iptables configuration to make sshguard work. First create a new chain called sshguard. Then pass all SSH traffic to this chain:

iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard

All done :-)

versioning /etc with subversion

hawking — 2006-12-15T09:51:44+03:00

Although portage takes care of configuration files very well, no system can have enough protection from human errors. Versioning configuration files under /etc is a nice solution to this. If you do a mistake and delete some file or any other silliness that might happen , you just revert to a former revision and solve the problem.

This can be achieved very easily:

First create a svn repository
```
svnadmin create /root/svn
```

Then import /etc to the repository

svn import /etc file:///root/svn -m 'Initial import'

Checkout the project

rm -rf /etc
svn ci file:///root/svn/etc

Now change some configuration files and do 'svn status' When you change your configuration files you can commit them to the repository:

cd /etc
svn ci -m 'Changed MAKEOPTS=j2 in /etc/make.conf'

Linux rulez!