Archive for September, 2011

Amazon Linux AMI 2011.09

September 26, 2011

Today is the release of the 2011.09 Amazon Linux AMI.

The AMI IDs are listed near the bottom of the detail page, along with the release notes.

If you are running the command line tools for accessing EC2, you can find the AMI IDs in your region by running:

$ euca-describe-images -o amazon | grep '2011\.09\.1' | grep 'amzn.*ami'

Change euca- to ec2- if you are using the Amazon EC2 API Tools.


A few Cygwin tips.

September 25, 2011

My primary work laptop these days is a Windows 7 machine.

In an effort to make this a more Linux-friendly environment, the first thing that I installed on it was Cygwin, a collection of tools which provide a Linux look & feel and compatibility layer on Windows.

As an aside, the second thing that I installed was Tomboy, because Gnote is not available for Windows. Over the years, the Tomboy/Gnote application has become essential to my daily workflow.

What am I using Cygwin for? First and foremost, as an SSH client into my Linux desktop and a bunch of other Linux boxen, where all the real work gets done. For me, PuTTY isn’t a good enough SSH client for Windows. Secondly, for text editing with vim and nano. Finally, Cygwin provides the comfortable environment of bash, grep, less, find, and all the other main Linux utilities.

If you are also using Cygwin, here are some of my suggestions for maximizing your user experience:

(1) Install mintty, which is part of the Cygwin package set though not selected by default. It is far superior to the default Cygwin terminal emulator.

(2) Install the ncurses package so that the clear command will exist in your environment.

(3) Remove the bash-completion package, which dramatically shortens the time between launching a mintty instance and getting a prompt.

(4) Configure vim to remember the last location of your cursor by adding the following to .vimrc:

" Only do this part when compiled with support for autocommands
if has("autocmd")
  augroup redhat
    " When editing a file, always jump to the last cursor position
    autocmd BufReadPost *
    \ if line("'\"") > 0 && line("'\"") <= line("$") |
    \ exe "normal! g'\"" |
    \ endif
  augroup END
endif

(5) Improve bash completion by adding the following to .inputrc:

set show-all-if-ambiguous on
set mark-directories on
set mark-symlinked-directories on

Firewalling SSH brute force attacks.

September 21, 2011

Anyone who runs their own Linux server knows the annoyance of looking through the log files to see automated SSH brute force attacks trying to find a login to the machine. In the past, I’ve avoided this problem simply by running sshd on a non-traditional port, which makes all the automated scripts that attack port 22 fail.

I recently had to move sshd back to port 22, and I quickly tired of seeing 5k failed login attempts every day.

UPDATE: After some Googling, and after taking into account a lot of good advice from the comments, as well as from John and Smooge, here’s how I’ve rewritten my firewall to protect against brute force ssh attacks.

# set default policies
iptables -P INPUT DROP

# all pre-established clients
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# new inbound ssh, protecting against brute-force attacks
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

The changes improve efficiency by moving the RELATED and ESTABLISHED check to the beginning, so packets on existing connections are accepted before any of the ssh-specific rules run. The order of the checks on NEW ssh connections has also been fixed based on the suggestions in the comments: the --set rule has no -j target, so it records every new connection from the source address and falls through; the --update rule then drops the packet when that address has 4 or more new connections within the last 60 seconds (three per minute get through), and because --update refreshes the entry on a match, the block persists for as long as the attacker keeps trying and lifts only after about a minute of quiet. Two caveats: a legitimate user who opens four sessions inside a minute (an ssh login plus a few scp transfers, say) will lock themselves out until they wait, and with the INPUT policy set to DROP you also need an explicit rule accepting loopback traffic (-i lo), which the fragment above does not show.

The addresses tracked by the recent match are listed in /proc/net/ipt_recent/SSH (/proc/net/xt_recent/SSH on newer kernels). Note that the file contains every source address the --set rule has seen, with its last-seen time and hit count, not only the ones currently being dropped. Writing -<address> to that file removes an entry by hand, and writing / clears the whole list.
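To see exactly which connection attempts those three rules drop, here is a small model of the recent match's --set/--update semantics run over constructed traffic. This is an added illustration, not code from the original post or from iptables itself; it ignores --rttl (no TTL bookkeeping), caps each address at 20 timestamps like the kernel's default ip_pkt_list_tot, and the sample addresses and timings are made up.

```python
"""Model of the 'recent' match as used by the SSH rules in the post above.

This is an added illustration, not code from the original post.  It emulates
the semantics of

    -m recent --set --name SSH                                   (no -j: falls through)
    -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    -j ACCEPT

for a sequence of NEW ssh connection attempts, one event per SYN.
Assumptions: --rttl is ignored (no TTL bookkeeping), and each address keeps
at most 20 timestamps, the kernel default for the ip_pkt_list_tot parameter.
"""
from collections import defaultdict, deque

WINDOW = 60      # --seconds
HITCOUNT = 4     # --hitcount
LIST_TOT = 20    # ip_pkt_list_tot default


class RecentList:
    """One named recent list: source address -> ring buffer of hit timestamps."""

    def __init__(self, window=WINDOW, hitcount=HITCOUNT, list_tot=LIST_TOT):
        self.window = window
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def set(self, src, now):
        """--set: add a timestamp for src.  The rule has no target, so the
        packet always continues to the next rule."""
        self.stamps[src].append(now)

    def update(self, src, now):
        """--update --seconds W --hitcount H: match when src has at least H
        timestamps within the last W seconds.  On a match the entry is
        refreshed with another timestamp, which is what keeps a persistent
        attacker blocked for as long as it keeps trying."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= self.window)
        if hits >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False


def filter_new_ssh(events):
    """Run (time, src) NEW-connection events, in time order, through the
    three rules and return a list of (time, src, verdict)."""
    recent = RecentList()
    verdicts = []
    for now, src in sorted(events):
        recent.set(src, now)                       # rule 1: --set, falls through
        if recent.update(src, now):                # rule 2: --update ... -j DROP
            verdicts.append((now, src, "DROP"))
        else:
            verdicts.append((now, src, "ACCEPT"))  # rule 3: -j ACCEPT
    return verdicts


# Constructed sample traffic (seconds, source address), not real log data:
ATTACKER, USER, BURSTY = "198.51.100.7", "192.0.2.10", "203.0.113.4"
SAMPLE_EVENTS = (
    [(t, ATTACKER) for t in (0, 3, 6, 9, 12, 15)]   # scripted attack, one SYN / 3 s
    + [(100, ATTACKER)]                              # attacker returns after a pause
    + [(5, USER), (20, USER)]                        # ordinary interactive logins
    + [(30, BURSTY), (31, BURSTY), (32, BURSTY), (33, BURSTY)]  # ssh + three scp's
)

if __name__ == "__main__":
    for now, src, verdict in filter_new_ssh(SAMPLE_EVENTS):
        print(f"t={now:3d}s  {src:<14} {verdict}")
```

Running it shows the attacker's first three attempts accepted and the fourth onward (t=9, 12, 15) dropped, while its attempt at t=100 is accepted again because only one timestamp is left inside the 60-second window. The ordinary user is never touched, but the bursty user's fourth connection at t=33 is dropped, which is the self-lockout caveat in practice: the counter sees connections, not failed logins.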

Meeting Neal Stephenson.

September 21, 2011

If I were only allowed to read one set of books for the rest of my life, I would choose The Baroque Cycle by Neal Stephenson without a second thought.

I had an opportunity to meet him tonight at a reading and signing in support of his latest novel, which was released today.

Seattle is Neal’s hometown, and there were about 800 people in attendance. He read some excerpts from the book and then did some Q&A.

I asked Neal to talk about the tools and tactics that he uses to keep all of the details of multi-thousand-page epics organized, allowing him to pull it all together in the end and to insert references, callbacks, and foreshadowing that cross over multiple books and multiple years of writing time.

His answer was essentially “there’s really nothing special about it”. He compared himself to pretty much anyone in a job that requires constant attention to many details, and claimed that most people keep a tremendous amount of details straight in their heads alone, and that he is no different.

After the Q&A, he stayed long enough to sign everyone’s books, Kindles, iPads, etc. I got my hardcovers of REAMDE and Quicksilver signed and had a chance to shake Neal’s hand. He was incredibly polite, humble, and nice. Given the insane number of hours that I’ve spent reading and re-reading his works, meeting my favorite author was a great experience.