[Tfug] IPTables + good hosting deal + BBSes + Ernie vs. Bert (cage match)
Quag7
deepspace at dataswamp.net
Fri Oct 5 01:50:49 MST 2007
On Thursday 04 October 2007 10:51:24 pm Felix Tilley wrote:
> At the happy hour tonight, there was a brief conversation about
> IPTables. I find the man page confusing. Sample scripts would be
> useful, but no one is willing to post sample scripts in a public forum,
> such as comp.os.linux.security.
> If the conversants send me their email addresses, I will send them my
> script. The logs are very wide, and I will also send bash scripts for
> reading the pertinent fields. AWK is faster than bash for this, but I
> don't speak AWK.
>
> Felix
Really don't mind if you sit this one out (like the song goes). It is an
e-mail/post that starts out quite topical, and then goes a bit pear shaped.
You can really stop reading now if you're short on time. I won't mind. You
see, I'm procrastinating. But there are a few good bits in here about a
cheap dedicated serving company I found, and BBSing in the 21st century, if
that kind of thing interests you.
First...Felix:
I'm curious if what I'm doing is similar to what you're up to.
One of the first Perl scripts I ever wrote - a sort of naive, innocent Hello
World experiment gone to cocaine and whores - tailed the log that iptables
writes to, tokenized each line, and generated some readable output to stdout:
(53) ns02.nllb.nl.mozilla.com - (Unknown) - Unknown, Unknown, Unknown
(81) slashdot.org - (US) - Cary, NC, United States
(80) slashdot.org - (US) - Cary, NC, United States
(53) bs1.dfw.xpc-mii.net - (US) - Englewood, CO, United States
(53) 209.107.94.15 - (US) - Englewood, CO, United States
(22) 218.108.28.228 - (CN) - Hangzhou, 02, China
(80) indesit.netcraft.com - (GB) - Bath, A4, United Kingdom
(80) indesit.netcraft.com - (GB) - Bath, A4, United Kingdom
The city and country data is just from the GeoIP class/database, also (if I
recall) in CPAN. This is the free one - so it's not completely accurate but
close enough for my purposes; I can manually traceroute or whois anything I'm
more interested in.
During much of the day, I have an IRC window open. I run an eggdrop bot that
polls for the log file the above script redirects to at ten-second intervals.
If the file exists, it writes its contents to me in a private message, then
deletes/resets the file.
In time, I set up all sorts of other scripts to write output to this same file
when interesting events occur. This way, I can quickly see (in realtime)
anything interesting happening on my home network, from anywhere I can get an
internet connection. For me, this is easier than manually looking at logs or
having separate realtime monitoring consoles. Everything goes into one
place. I've always felt that some mechanism like this in GUIs would be
infinitely superior to pop-up error, status, and alert windows, which I
*HATE*, especially when they steal your focus.
I am imagining a window, perhaps, with a color-coded tail of events - errors,
crashes, alerts, and so on, which runs in the system tray. Maybe the system
tray application could blink or something to let you know that something had
crashed or finished running. I would like to see the abolition of pop-up,
focus stealing boxes and windows in my lifetime. I am sick and tired of this
treachery. Focus stealing is, to me, as emotionally and metaphysically
involving as, oh, statism, or a booger you can't shake off. And yeah,
Linux is way better at this than Windows, but I still don't like crap popping
up on my screen, ever.
But I digress...Anyway, this script provides messages via the IRC bot like:
[dataswamp.net Hits - last 24 hrs]: 5 - (159 since 2007-07-31)
[Soulseek DL]: /incoming/soulseek/sonic\ youth\ -\ secret\ girl\.mp3
(One thing about being a Sonic Youth fan - it either cements your credibility
or destroys it with anyone familiar with them. And it does so by the same
mechanism. People either think you're pretty hep if you listen to Sonic
Youth, or they think you're lame because you're trying to be hep by listening
to Sonic Youth. I'm always afraid to bring up Sonic Youth, the same way I'm
afraid to bring up agnosticism, or the proper way to make pizza (New York
style) or guns. It never ends well. I tried bringing up all of these one
time at the Marxist-Leninist Students League meeting I was cruising for
chicks at. It did not end well, even though all of the bespectacled posers
in the room were enthusiastic about all, and we were, on these matters, in
agreement (principally).
Marxist-Leninists have no sense of humor whatsoever. Or sometimes, they'll
make a joke but then have to have a big disclaimer about how dictatorship of
the proletariat or dialectics or the valorization of labor capital is no
laughing matter, as if *anyone in history* has ever claimed that, like,
Soviet communism is a *laughing* matter. I recall Rik's immortal quote from
The Young Ones regarding the Friends of Stalin Show Your Bottom Competition.
I forget the actual joke, but that phrase is enough to keep me warm and
satisfied when people get too serious about their politics.
Oh, speaking of commies, I had this moment of utter self-hatred about three
weeks ago when I found myself midway through The Way We Were. I liked the
story and all but it's kind of hard to keep yourself together when you
realize an hour of your life has been spent on a BARBRA STREISAND film. I
was pretty mortified. It's one thing to not want to admit this to your
drinking buddies or fellow football fans, but I was ashamed to admit this to
my *cat.* And my CAT is a CHICK. I do not recommend this.
And no, the detail that I was both watching a Streisand film AND own a chick
cat is NOT lost on me, so don't bother. I'm manly as hell. Sometimes I
don't, for example, empty the lint trap in the dryer because danger is, kind
of, my life. Yeah it's a fire hazard. What are you, some kind of pussy?
Sometimes I stack broken-down cardboard boxes by my hot water heater, too. Do
not be threatened by my virility. This is just an e-mail.
Always have something on hand as a sort of chaser in those situations -
something manly and addled with testosterone and/or stupidity and/or titties
like, say, Faster, Pussycat Kill! Kill! - a Russ Meyer movie which you keep
thinking will have some nudity but never does. A letdown in that regard
(sort of). But no one will ever call you a pansy for having watched it,
though you might feel a bit like one (the lack of nudity really does give a
dude the impression he's been cheated.)
Alternately, there's Road House. Which is a horrible disaster of a movie, an
affront to those even with the most crude semblance of aesthetics,
sophistication, or intelligence. I've seen it like 15 times. The name....is
Dalton.)
Where was I.
Oh, I strongly recommend - and maybe this is obvious to everyone by now - to
check out the File::Tail class from CPAN. I'm sure there are equivalents for
other languages. But one of the biggest challenges I had when I started
running Linux was pulling meaningful data out of logs. There can be a lot
in there, depending on what level you log at. I'm sure everyone's been
through this.
I solved this problem with a simple, obvious, and traditional strategy: tail,
tokenize, generate human readable output, then stick a nice human readable
one-liner somewhere. I run the thing in screen, for weeks at a time.
I have snort running as well, but I rarely look at it, since my own poor-man's
log cooker gives the data to me in precisely the kind of minimalist form I'm
interested in. If something is awry, I can always go to snort or some other
tool to look closer.
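Here is the tail / tokenize / one-liner strategy from above done in sh plus awk (Felix's "AWK is faster than bash for this" route). This is an added example, not Quag7's Perl script: it skips the GeoIP lookup, and the "FW-IN: " log prefix, the /var/log/kern.log path and the sample log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the original poster's script: a poor-man's "log cooker"
# for iptables LOG lines in sh + awk instead of Perl/File::Tail.
# Assumptions (constructed): the LOG rules use the prefix "FW-IN: " and the
# kernel log lands in /var/log/kern.log. No GeoIP lookup is done.

# cook_line LINE: turn one iptables log line into "(DPT) SRC - PROTO".
# Lines with no DPT (e.g. ICMP echo requests) show "(-)" for the port.
cook_line() {
    printf '%s\n' "$1" | awk '
        {
            src = "?"; dpt = "-"; proto = "?"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue        # bare flags like DF or SYN
                key = substr($i, 1, n - 1)
                val = substr($i, n + 1)
                if (key == "SRC") src = val
                else if (key == "DPT") dpt = val
                else if (key == "PROTO") proto = val
            }
            printf "(%s) %s - %s\n", dpt, src, proto
        }'
}

# cook_log: read raw log lines on stdin, keep only the firewall ones
# (by prefix, so USB chatter etc. in the same log is ignored), cook each.
cook_log() {
    grep -F 'FW-IN:' | while IFS= read -r line; do
        cook_line "$line"
    done
}

# top_ports: hit count per destination port, busiest first.
top_ports() {
    cook_log | awk '{ c[$1]++ } END { for (p in c) print c[p], p }' | sort -rn
}

# Constructed sample of what the kernel writes for iptables LOG rules
# (RFC 5737 test addresses plus one address quoted in the post above).
SAMPLE_LOG='Oct  5 01:50:49 router kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=218.108.28.228 DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  5 01:51:02 router kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.4 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=0 DF PROTO=TCP SPT=3201 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  5 01:51:09 router kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.4 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1
Oct  5 01:51:10 router kernel: usb 1-1: new high speed USB device using ehci_hcd
Oct  5 01:51:15 router kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.33 DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=50210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Demo on the constructed sample; for live use run
#   tail -F /var/log/kern.log | cook_log    (inside screen, as in the post)
printf '%s\n' "$SAMPLE_LOG" | cook_log
printf '%s\n' "$SAMPLE_LOG" | top_ports
```

The output of cook_log is the kind of one-liner that can be appended to the file an IRC bot polls, and top_ports gives the "hits per port" tally over whatever you pipe in.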
Now, as to iptables, first, you're not the only one to find the iptables
documentation less than ideal. I remember struggling a bit with it at first.
For some reason, a lot of Linux documentation just doesn't like to give you
examples. When I learn, I want to see an example first, and then I want to
see an explanation of it, bullet point by bullet point. Show me the thing,
first, and then show me how it's put together.
This is not Trading Spaces or one of those odious shows, where I want a long
man page (or README or documentation set) to work up into some great
dramatic "reveal." Show me the practical code first, then show me what it
does or how I can modify it. And show me something really basic first, and
then show me the whizzo switches and additions I can make to get finer
grained functionality. I do not have time to become some kind of expert on
every single thing I run. I have nachos to make. I have cats who need
launching. I have Miracle Whip to spread on inappropriate surfaces.
I have a life to lead. I have some serious, full-bore procrastination to get
to, and I hate it when they're like, RTFM so you can figure out some stupid
thing like how to add all sorts of irrelevant cusswords as options to ps's
bash-completion.
In time, I will read the documentation for everything, but for the love of all
that is good and worthwhile on this earth, provide concrete examples first,
for the impatient, the weird, and the sexy.
Some documentation is written this way, and some is not. I can learn with
almost any kind of documentation but it takes me longer if I don't have a
concrete example somewhere.
In my case, I simply drop everything that isn't ESTABLISHED or RELATED. I
surrender to Comcast. It is simply too much effort to try to run any kind of
a server. Breaking the rules/AUP/TOS is just too much work. So I've moved
any server needs out to the net. This has been liberating in a way, because
it means I just keep everything closed until I need to open a port for some
kind of recreational activity like filesharing.
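For anyone who wanted a sample script: the "drop everything that isn't ESTABLISHED or RELATED" policy as a small iptables ruleset. This is an added example, not Quag7's own script. The external interface name eth0 and the "FW-IN: " log prefix are assumptions; set IPT=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the original poster's ruleset: default-deny inbound,
# let ESTABLISHED/RELATED through, log and drop the rest.
# Assumptions (constructed): WAN interface eth0, log prefix "FW-IN: ".
# IPT=echo turns this into a dry run that just prints the rules.

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"

# apply_ruleset: rebuild the INPUT chain from scratch. Order matters: the
# ESTABLISHED rule is what keeps your current SSH session alive when you run
# this on a remote box, so it goes in before anything that drops.
apply_ruleset() {
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    # Rule 1: loopback is always fine.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Rule 2: the whole policy. Replies to connections this box started,
    # plus RELATED traffic (FTP data, ICMP errors), come in; nothing else.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everything still here is unsolicited: log it (rate limited so a scan
    # cannot fill the disk) and let the chain policy drop it.
    "$IPT" -A INPUT -i "$WAN" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "FW-IN: "
}

# open_port PROTO PORT: punch a hole for a service you want reachable.
# Inserted at position 3, i.e. after lo/ESTABLISHED and before the LOG rule,
# so legitimate hits do not clutter the log.
open_port() {
    "$IPT" -I INPUT 3 -i "$WAN" -p "$1" --dport "$2" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Only touch the running firewall when explicitly asked:
#   sh firewall.sh apply            (as root)
#   IPT=echo sh firewall.sh apply   (print what would be run)
case "${1:-}" in
    apply) apply_ruleset ;;
esac
```

To open something temporarily, source the file and call open_port tcp PORT; flushing with apply_ruleset closes it again.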
Not that I share files; that would be illegal. Only GPL ones. HURD sources.
That kind of thing. Useful, in-demand stuff.
And for those who would like a Linux (or FreeBSD) machine out on the internet
but cannot rationalize the price of dedicated hosting (shared hosting is an
unsatisfying fraud. Like Celerons, coprocessor-less chips, and ice in
scotch, it's just lame unless your needs are minimal), I recommend checking
out this incredible deal I found online (no, this is not elaborate spam, I
assure you - I am not employed by nor invest in this company):
$29.99/month dedicated hosting, and your choice of most of the major distros.
You will not get a l33t b0x capable of DOSing Deep Thought, but for the kind
of basic mail, web serving, and shell happiness most hobbyists and after-
hours types seek, this does the trick:
http://www.serverpronto.com/
This is a side-project of Server Beach. The basic idea here is, we'll give
you this here humble box, but do not bother us. There's no phone support,
and I think they give you one reboot free, then they charge for each incident
after that. They will then charge for each ticket you submit, and have a
flat fee for a re-imaging if you completely screw up your box or get hacked.
They provide nothing - no firewalls, just a bare, exposed Linux/BSD box on a
fat pipe, and 300 gigs of bandwidth a month.
I mention this because, for $29.99 a month, you get a reasonably functional
(if unimpressive) rackmount in their disaster-proof datacenter with your
choice of Fedora, Debian, Gentoo (!), FreeBSD, Ubuntu, OpenBSD (!), CentOS,
or SuSE. I was going to use it to put up a BBS, like a Synchronet or
something, but so far I've just used it as a remote shell with some light web
hosting.
The Gentoo box I got had the wrong image on it (2006.0). I was able to
successfully update their pathetic genericized CFLAGS (586, I think they were
set to?), upgrade GCC to 4.whatever, upgrade the profile to 2007.0, and build
a nice lean kernel with the latest unstable (~arch) sources, reboot the
thing, and have it work, all from a few (thousand?) miles away. This is
the part where, if you're not a Gentoo user, you roll your eyes at me for
being a RICER. Well, the CFLAGS bit anyway.
And I am a complete moron, or at best, a bull in a china shop (yes I saw that
Mythbusters episode too), when it comes to Linux systems. I can keep a Linux
system clean, conservative, and in perfect working order the same way Dick
Cheney doesn't shoot dudes in the face.
If you can handle the stress of remote reboots (I absolutely hate those,
especially when you're dealing with a new kernel and hardware you're not 100%
certain of, spec-wise), it's completely doable. If I feel the need to seed a
torrent (which Comcast is screwing with), I can now do it from this machine
if I need to. Or anything else. The AUP is pretty broad. They just want to
forget you exist, collect your money every month, and otherwise don't mess
with you. They don't even ask for your root password unless you put in a
ticket that requires it. If you want to wipe the machine and switch to some
weird obscure distro, #387 on Distrowatch's popularity list or something,
they're cool with that, too.
I wonder if anyone is still reading. This is long. It is long because I am
procrastinating. I am the Cobra Kai sensei of procrastination. Miyagi can
take me down but I am nowhere near Miyagi right now.
Oh - one more thing about network visualization -
Etherape is great fun to watch (and actually brings the aging CPU in my router
to a near halt) during massive torrent swarms, such as when a new ISO for
pretty much any major distro is released.
A screenshot here for anyone who is unfamiliar with it. It's a nice way to
visualize your bandwidth distribution if you're like me and are sending and
receiving data from like a million people at once. Note that this is an
extreme scenario involving p2p AND a torrent at once, specifically for the
effect of making my screen look all wicked cool. This is not a typical
situation, though it may be if you're a total porn hound. Not that I would
accuse anyone of being a total porn hound.
http://tinyurl.com/yr7par
I'm curious what kind of visualization/logging others do on their home
routers, if any. In my case it is more of a weird fascination I have
with "internet background radiation" than any practical concern. The
breadth of the internet and the number of things people are up to still
fascinates me greatly. That's the only reason I run these
applications/scripts. Anyone actually penetrating my network is in for some
serious boredom and disappointing upstream bandwidth/mangled packets (&^@$!*%
Comcast) anyway. The unsorted "I'll get to it someday" incoming directory on
the .4 box, well, that's got shareware from like, 1998. Probably older.
Maybe like, the Commodore 64 version of Jumpman in a "0 day warez" directory.
Anyway, it's got some old stuff in it.
I never got to unzipping a lot of that from back in my Windows days. All of
the Brian Wilson SMILE stuff was uploaded by this psychotic guy on IRC who
insisted he'd change my mind about the Beach Boys once I heard SMILE.
It did not.
On a related note, I came across this Cult of the Dead Cow project which I
hadn't heard of before:
http://www.philtered.net/~adam/app/prayterm_what.html
One wonders what other similar projects are going on and might explain some of
that "background radiation." I'm sure 99% of it is port scanners, worms, and
the like, but you know there have to be people up to other things.
Well, it's like I always say, so long as they're doing it without pants, it's
fine by me. There's a lot of downtime, no matter how busy you are. You can
play some wretched version of computer solitaire, or you can portscan Comcast
customers from Korean cybercafes. I'm more down with the latter. You look
cooler portscanning in sunglasses than you do playing solitaire in sunglasses.
Playing solitaire is a bit like unicycling - it may serve a purpose but it's
hard to look cool doing it. You won't find Chow Yun Fat / Yun Fat Chow about
to go all two-gun action in slow motion, playing solitaire. You probably
won't find him portscanning either (especially in the Hong Kong era John Woo
films like The Killer), but of the two, you're more likely to find him
portscanning, I think.
Whittling, I think, would be better than either choice, but how often do you
find yourself with a piece of wood and a whittling knife, midday? The
Appalachian/Ozark banjo music tends to upset the cube farm ecosystem anyway,
or some annoying berk (yes, I said berk) comes over and can't shut up about
Alison Krauss or Nickel Creek. And no one wants that.
I am talking Roscoe Holcomb.
Suicidal, grizzled white guys with no teeth, or merely enough to hold a piece
of hay.
Not Grand Ole Opry stuff.
My father tried to tell me once that the Bobby Bare version of "500 miles" was
better than Hedy West's. He was *wrong*. My father will listen to anything
played in glittery suits in places like Nashville and Branson. I don't get
it. He claimed to be a Marianne Faithfull fan but I didn't believe him. So
one day I played him her cover of Roger Waters's "Incarceration of a Flower
Child" and not only did he hate it, he could not tell me who was singing.
That poser. I love him though. When I was 13 he took me to a gun range in
Pennsylvania where I got to fire a .44 magnum, the first gun I ever shot.
You gotta appreciate it when someone hooks you up with that kind of
experience when you're 13.
Sometimes, high tech people, they frown on this kind of music anyway. Not
that they've earned the right. Most of them listen to the same 4/4 "WE ARE
FLYING THROUGH SPACE" psychedelic trance music all day. Or use the
word "chill" as an adjective, which drives me absolutely batshit insane.
Monty Python quotes, which (as Motorhead's Lemmy points out), tend to cause
virginity.
Speaking of the world's great Lemmys, there is usually some cool chick over in
graphic design sitting in front of a Mac, with an Alphaville shirt on, maybe
something cool like a Che Guevara-like stencil of Lemmy Caution on the back,
with a quote from, say, Heidegger underneath. She doesn't listen to trance
but assumes you're a dweeb because you're spending your whole day with Monty
Python quoting, Trance-listening nerds. You never get to even have a
conversation with her, even though you really want to because you desperately
need someone to explain Alphaville to you. And also cos she's kind of hot.
In that alterna-chick riot grrrrl kind of way. You can see how bitterly
caustic psychedelic trance flying through space music and Monty Python can be
to the soul.
Don't even get me started about Dr. Who. I have never seen the color drain
out of a girl's face faster than when this guy I used to know who was really
into wardialing (back in the 80s) went on a fifteen minute soliloquy on
everything that was wrong with Sylvester McCoy, and everything that was right
with Tom Baker. If anyone is reading this at this point, and feels the need
to comment, don't bother if you expect me to discuss a preference of actors
to play the doctor - I don't watch the show. I simply vividly remember
watching this guy not get laid and the conversation sticks in my head for
some reason.
And because the assumption that some girl would want to hear all about
Sylvester McCoy vs. Tom Baker strikes me as one of the most ill conceived
plans in all of human history. It turned out okay though. Some years later
he called me up to announce that he was in the middle of a sexual act (as a
form of braggadocio) I will not describe here, and I haven't talked to him
since. He did write a nifty 950 code hacker that I used until I went to
college and became all, you know, moral.
Oh lastly - there is a new version of Syncterm out for Linux, which is
excellent, in case anyone here still calls (telnets to) BBSes (yes, there are
still thousands out there). It supports Zmodem transfers, high ASCII/ANSI
graphics, PETSCII (!) and ATASCII (!). It is, in essence, the only term you
ever need if you want to telnet around to boards. There are a whole bunch of
Commodore 64 and Atari boards that just went up, often on original hardware
(via serial + tcpser or equivalent, to a PC), or else on emulators, running
the original BBS software from way back when (All American, C-Net, Image,
Color64, etc.). On modern monitors, 40 column PETSCII looks absolutely
HILARIOUS, but it's retro-cool nonetheless. CTRL-Enter will take you to
fullscreen, and for the PETSCII stuff, this is absolutely essential. Nothing
like 40 columns stretching across, say, a 21" monitor. Fantastic!
http://www.syncterm.net has both a binary (which works well here on my Gentoo
system) and source via CVS (Windows and MacOS versions are also available).
If you don't use boards normally, start here for a good BBS list - Fidonet,
DOVE-Net, and RIME (I think), plus others, are still around:
http://www.dmine.com/telnet/
Good day.
-Quag7