Integrating PF with Fail2ban 0.9

2011-03-20 20:27:04 by chort

Many security practitioners are familiar with Fail2ban, an application that scans log files for various types of suspicious failures and bans the source IP after too many attempts. Most users implement it to protect their Linux systems (via Netfilter/iptables and TCP wrappers), but it also includes methods for Sendmail and IPFW (FreeBSD and OSX).

What is notably missing from the above list is the wildly popular PF (Packet Filter). It was originally designed by Daniel Hartmeier to replace IPF in OpenBSD, but has since been adopted by FreeBSD, NetBSD, and DragonflyBSD. PF is widely embraced due to the simplicity and clarity of the syntax, and the comprehensive array of professional-grade features available.

Ironically, PF is probably better known now due to FreeBSD than the originating project, OpenBSD. It's somewhat startling that no one has yet included PF support in Fail2ban. It's also disappointing that Apple hasn't switch from IPFW to PF as their packet filtering firewall (hint hint).

In the spirit of the Open Source "submit a patch or GTFO" mentality, here's how you can use Fail2ban to insert rules into your PF firewall.

Read the rest of this story...

US Populace Doesn't Understand Satire

2011-03-07 14:00:44 by chort

I've been noticing a trend lately. The people participating in online "communities" these days are so blinded by the perceived inherent rightness of their beliefs that they are unable to see how their opinions are viewed by others.

This first struck me in an obvious way as I was wasted a perfectly good night on Youtube a few weeks ago. I got sucked-into The Key of Awesome. It's a Youtube channel that parodies pop music (fairly well, in my opinion). The creator often reads feedback on camera, most of which is facepalm-inducing. Most of the criticism goes along the lines of "dear so-and-so, I really love most of your videos, but the one about [my favorite artist] was totally ignorant! [my favorite artist] is awesome, and the fact that you made fun of them shows you don't understand their genius!"

What the hell is wrong with these people that they think any artist could be so perfect as to transcend criticism, or even caricature? They apparently have no concept of the difference between an opinion and a fact. Aside from that, if you can't even chuckle when someone adeptly roasts your idol, you have some real insecurity issues.

Another example of this can be seen in the Retarded Emails section of The Oatmeal comic. Apparently you can pick any arbitrary topic as the basis for your comedy and people will hate you for it, regardless of the obvious lack of seriousness.

This all makes me think: The massive push in the last 20 years to value self-esteem over any objective measure of merit has convinced each kid that their opinions are the only thing in the world that matters, utterly oblivious that every other human being in the world also has an opinion. We need to be teaching kids how to objectively evaluate themselves in the context of the world around them, or we are in for a future that makes Charlie Sheen look like a thoughtful critical-thinker.

Unauthenticated SSL Sends a Dangerous Message

2011-03-05 16:45:30 by chort

Recently I decided to write an application for Twitter to report changes in my friends and followers. As part of the process I went looking for a pre-built library of methods that I could use to interact with the Twitter API. I settled on python-twitter as an actively-developed solution that should keep up with changes to the API.

Due to Twitter's rocky past with SSL/TLS (henceforth simply SSL) support on their web interface, I decided it would be prudent to investigate whether their API used SSL. It turns out that it does, and it has a properly signed certificate. Then I looked at twitter-python to see if it had and option to connect over SSL, and was pleased to notice that it does by default. On a hunch I checked out the underlying library that python-twitter is using to make HTTP requests, and I was shocked at what I found.

Read the rest of this story...