waffle

A week ago we were experiencing ssh attacks that were preventing login and slowing our server dramatically. Most likely the attack was from compromised machines running software bots looking for weak passwords.
This is not normally an issue for us as none of the FTP users have shell access (they can not login via SSH or terminal) and the root user account can not SSH in either. In fact there is only one account that has ssh login permission. Yet the machine was running dog slow and no users could login via FTP and we couldn’t login via ssh at all. Most worrying for a while.
I logged in via remote desktop and a quick check of the logs showed constant reports of failed login attempts – ah ha.

The problem was that when the ssh daemon was confronted with an incorrect password, it was checking against the password database multiple times, which was overwhelming the password services. A better explanation from [1] is “every time the attacking machine tried another key/password, it would spawn a new sshd process, which had to communicate with the password services (com.apple.SecurityServer) in order to validate the password. Eventually what ended up happening is that there were so many requests to the password services that they basically ended up just hanging, and anything that required a password: ssh, ftp, etc, just stopped working.”

Firstly I changed the default /etc/sshd_config file, un-commenting this line and changing yes to no:
ChallengeResponseAuthentication no
This edit does not stop attackers from trying but it does protect the password services from the attack.

Next I installed the most excellent sshdfilter [2] – a perl daemon that actively monitors ssh logins and detects signs of intrusion attempts and then blocks the attacking IP addresses. Blocked addresses are saved in between reboots and the he startup script is here:
/Library/LaunchDaemons/net.jonbell.sshdfilter.plist
(this runs /etc/sshdfilterLoad.sh which runs /etc/firewallrules)

To receive email notifications for each block, edit the /etc/sshdfilterrc file (the mail= and mail policy sections – there are comments in the policy).
“The default setting is to block most failed logins after 5 attempts, some common invalid logins after 0 attempts, incorrect root logins after 2 attempts, and logins to non-existent accounts after 3 attempts. Counters are reset upon a valid login. These thresholds can be modified in the sshdfilterrc file if desired. It is not currently setup to expire the blocks (even if you set it here in the configuration file, they will remain in the persisting file).”

[1] http://www.slicksurface.com/blog/2008-06/ssh-attack-and-password-problems-on-os-x

[2] Mac OS X sshdfilter Installer:

http://projects.seas.columbia.edu/sshdfilter/sshdfilter_mac.zip

sshdfilter Project Home:

http://www.csc.liv.ac.uk/~greg/sshdfilter/

I’m researching this months plaintext injection vulnerability in TLS (openssl). It’s real and affects all existing releases of the SSL and TLS protocol family. Good sysadmins will be installing as a matter of urgency (as of 12th Dec, Netcraft reported that 24 of the top 100 sites had updated).
In the spirit of the internet, 90% of the words below are not mine.

Vulnerability Database National Vulnerability Database (NVD) National(CVE-2009-3555)
“The TLS protocol, and the SSL protocol 3.0 as used in… mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l… does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions..”

TLS renegotiation attack. More bad news for SSL | Cupfighter.net
While the attack only works for the first request sent over a TLS session (subsequent renegotiation requests are sent in the encryption context and can thus not be inserted) M[an in the middle] could force the session to reset after x seconds of inactivity by sending a reset packet to both Client and Server, thus forcing a new TCP and TLS session to be re-established and thus gaining a new window of opportunity.
In response to this attack OpenSSL (Nov 8th) released OpenSSL 0.9.8l which does fix the vulnerability, but disables renegotiation completely. This change to OpenSSL may break certain applications so it should be carefully tested before it is implemented. [Server-side HTTPS will generally not be broken.]
This attack will first appear in highly targeted scenarios. Since the attack is a man in the middle attack the attacker will have to have control over all the traffic between client and server and vice versa in order to fully exploit the attack. With this attack TLS does not fully protect the integrity of the communication between client and server.

The root of the problem is servers that perform (allow) TLS renegotiations and make flawed assumptions about what a successful TLS renegotiation means for the data previously received.

PhoneFactors Status of Patches

Understanding the TLS Renegotiation Attack – Educated Guesswork
‘CVE-2009-3555 – apache/mod_ssl vulnerability and mitigation’ – MARC
Links » Another Protocol Bites The Dust
Extended Subset » Blog Archive » Authentication Gap in TLS Renegotiation
The Secure Goose: TLS renegotiation vulnerability (CVE-2009-3555)
Confidence 2009.02 – Cupfighter renegotiation vulnerability slides
TLS Test here:

Renegotiation Test | netsekure rn

This quote from Newsweek magazine, Nov 9 2009 issue, page 37, by Sharon Begley:

In a poll, he says [Al Gore], 80 percent of CEOs and CFOs said they would not spend money to make their factories more efficient and save money in the long run if it hurt their next-quarter bottom line. “That,” says Gore, “is functionally insane.”

I couldn’t agree more. Such short-term thinking from such highly paid people.
That sound you can hear is my mind boggling.

The Vendor Client relationship – in real world situations

In an interesting move (well, interesting if you sell software) Adobe have announced that you can now rent CS 3 Design Premium:
Creative Suite 3 Design Premium Subscription Edition
Adobe Creative Suite 3 Design Premium Subscription Edition is available to customers in Australia. The box price of AU$129 includes your first month of subscription service. Subscription pricing is AU$129 per month for a 12-month contract, and AU$199 a month on an ad hoc basis.

You get full CS3 versions of InDesign, Photoshop Extended, Illustrator, Flash Professional, Dreamweaver and Acrobat 8 Professional. All future updates are included as long as you are still subscribed. Coretech is taking preorders if you’re interested.

Be warned that the 12 month subscription can not be cancelled and automatically renews unless you turn off the “auto-renew-subscription” option.
At this stage this is the only product that you can get via subscription. I’m sure there’ll be more.

Good news from the rumour mill.
It’s old news that Vodafone will be selling iPhones in Australia (and lots of other countries) and now it appears that Optus will be as well.
With the US and UK running down stock and end-of-lining the first generation iPhones, it looks like we’ll be getting the second generation 3G iPhones! Yay.
Seems that none of these deals are “exclusive” so expect every telco and it’s dog to be selling these in the next few months. There is a vicious rumour that even Apple Resellers like Coretech will be able to sell them. We’ll have to hold our breath until June 9th for the low-down.

Some clients like to remove their MacBook or MacBook Pro battery when they are using their power adapter for a long time. The theory is that this will conserve their battery life.
Apple don’t like this idea:

If the battery is removed from a MacBook or MacBook Pro, the computer will automatically reduce the processor speed. This prevents the computer from shutting down if it demands more power than the A/C adaptor alone can provide.

Of course, if you bump the power adapter and unplug your laptop, you will lose all unsaved work. Not to mention that if dirt and dust collects on the battery connectors you may have problems later.

There’s an Apple article here explaining how to calibrate your battery – this should be done every couple of months.

Sounds kinda annoying to me, so I’m going to buy a second battery and one of Newertech’s battery charger and reconditioner units – gotta keep the MacBook Pro on 24/7….

I’ll let you know how I go.

If an application is playing up, it may be due to a corrupted preference file.
You can use the built-in command ‘plutil’ to verify any preference file – for example:

$ plutil -lint ~/Library/Preferences/com.apple.iChat.plist
/Users/waffleblog/Library/Preferences/com.apple.iChat.plist: OK

Please note that this utility will only check the syntax of the file, not the deeper meaning as understood by the owning application.

To check all preferences in your Library folder:

$ find ~/Library/Preferences -name “*.plist” -print0 | xargs -n1 -0 plutil -lint

(This uses -print0 and -0 to cope with spaces in filenames.)

I recently moved my 10+ years of Eudora email to Apple Mail.
The import worked well but I noticed that Apple Mail was really slow.
Thanks to Tim Gaden of Hawk Wings, it is now running much faster.
Essentially the following simple steps optimise the SQLite database (the “envelope index”) that Apple Mail uses to store indexes and subject lines of emails.

Here are the steps:
1. Quit Mail. Please BACKUP if you haven’t already.
2. Open Terminal (in Applications/Utilities).
3. Check your current ‘envelope archive’ size by entering this in the terminal:
ls -lah ~/Library/Mail/Envelope\ Index
4. Then enter the following:
sqlite3 ~/Library/Mail/Envelope\ Index vacuum;

On my 2.75GB worth of email (not including attachments) this command took about 4 minutes on my MacBook Pro – don’t worry if it takes longer.

Then check your envelope size by running the first command again. My Envelope Index went from 155MB to 134MB and the performance improvement was surprisingly good.

So we know that the humble Mac Mini can drive a SD TV just fine, but what about driving an HD TV? This guy played 1080p video with no dropped frames on a core duo Mac mini with only 512MB RAM. (Safari, Quicktime Pro and Activity Monitor were running.) Not bad for a machine with shared graphics memory.

There’s also his interesting comments on DivX versus H.264 codecs:
> you’re bound to hear a lot about DivX being better than h.264, some reasons are valid,
but for content providers (i do pro video work), h. 264 is preferred for a number of reasons – not the least of which is that its an open standard and the licensing fees are reasonable, and there is pro mac software for it. There is a ton of hardware that does broadcast quality h.264 encoding realtime – its what the pros are moving to for content distro. It streams better than anything else in its range (WM9, Real).
This is why DirecTV, Apple, Verizon, T-Mobile, Orange, Thales, and a ton of actual content makers are using h.264 rather than DivX….

This dude also uses his mini as a media centre running Vista so that he can use Microsoft’s latest Media Centre software and a remote control with more features than the Apple remote. This results in a richer TV interface than running a Mac OS X / Elgato solution but you do have to run windows.

Infinite Loop have a mini setup more as a media jukebox and less as a personal video recorder (PVR) (i.e there’s no Elgato digital TV receiver). There’s lots of good stuff in the comments here.

As a further note Elgato’s software, EyeTV now works with iTunes so you can record TV shows and have them automatically loaded into iTunes for playback on whatever device your mini is driving (HDTV with DVI to HDMI cable).

Hi All,

Just finished installing four Seagate 750GB drives into a Quad G5 on a Highpoint 2320 rocketraid card. Created one RAID 0 volume which gives a 2.73 Terrabyte volume and man, does she fly – check the picture below for speed test results…

Next week we’re installing three 750GB drives into a Quad 3GHz Mac Pro and will create a RAID 0 volume using the logic board – test results as soon as we get the Mac Pro…

The test results are in bold. The rest is the required drive throughput (speed) needed for various video standards.