Archive for category Work

Under Attack. Again.

A week ago we were experiencing SSH attacks that were preventing login and slowing our server dramatically. Most likely the attack came from compromised machines running bots looking for weak passwords.
This is not normally an issue for us as none of the FTP users have shell access (they cannot log in via SSH or a terminal) and the root account cannot SSH in either. In fact there is only one account with SSH login permission. Yet the machine was running dog slow, no users could log in via FTP and we couldn’t log in via SSH at all. Most worrying for a while.
I logged in via remote desktop and a quick check of the logs showed constant reports of failed login attempts. Aha.

The problem was that when the ssh daemon was confronted with an incorrect password, it was checking against the password database multiple times, which was overwhelming the password services. A better explanation from [1] is “every time the attacking machine tried another key/password, it would spawn a new sshd process, which had to communicate with the password services (com.apple.SecurityServer) in order to validate the password. Eventually what ended up happening is that there were so many requests to the password services that they basically ended up just hanging, and anything that required a password: ssh, ftp, etc, just stopped working.”

Firstly I changed the default /etc/sshd_config file, un-commenting this line and changing yes to no:
ChallengeResponseAuthentication no
This edit does not stop attackers from trying but it does protect the password services from the attack.

Next I installed the most excellent sshdfilter [2], a Perl daemon that actively monitors SSH logins, detects signs of intrusion attempts and then blocks the attacking IP addresses. Blocked addresses are saved between reboots and the startup script is here:
/Library/LaunchDaemons/net.jonbell.sshdfilter.plist
(this runs /etc/sshdfilterLoad.sh which runs /etc/firewallrules)

To receive email notifications for each block, edit the /etc/sshdfilterrc file (the mail= and mail policy sections – there are comments in the policy).
“The default setting is to block most failed logins after 5 attempts, some common invalid logins after 0 attempts, incorrect root logins after 2 attempts, and logins to non-existent accounts after 3 attempts. Counters are reset upon a valid login. These thresholds can be modified in the sshdfilterrc file if desired. It is not currently set up to expire the blocks (even if you set it here in the configuration file, they will remain in the persisting file).”
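As an added example (my own illustration, not sshdfilter’s Perl code), here is a small Python detector that applies the thresholds quoted above to sshd log lines. The log lines are constructed, their wording follows OpenSSH’s “Failed password for …” / “Accepted password for …” messages, and the ipfw rule text it emits is an assumed illustration rather than what sshdfilter actually writes to /etc/firewallrules.

```python
import re
from collections import defaultdict

# Thresholds quoted from the sshdfilter description: block most failed
# logins after 5 attempts, root after 2, non-existent accounts after 3.
THRESHOLDS = {"failed": 5, "root": 2, "invalid": 3}

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Constructed sample log lines in the OpenSSH "Failed/Accepted password" format.
SAMPLE_LOG = """\
Dec 12 03:14:01 server sshd[501]: Failed password for invalid user admin from 10.0.0.5 port 4100 ssh2
Dec 12 03:14:02 server sshd[502]: Failed password for invalid user oracle from 10.0.0.5 port 4101 ssh2
Dec 12 03:14:03 server sshd[503]: Failed password for invalid user test from 10.0.0.5 port 4102 ssh2
Dec 12 03:14:05 server sshd[504]: Failed password for root from 10.0.0.6 port 4200 ssh2
Dec 12 03:14:06 server sshd[505]: Failed password for root from 10.0.0.6 port 4201 ssh2
Dec 12 03:15:00 server sshd[506]: Failed password for waffle from 192.168.1.20 port 5000 ssh2
Dec 12 03:15:01 server sshd[507]: Failed password for waffle from 192.168.1.20 port 5001 ssh2
Dec 12 03:15:02 server sshd[508]: Accepted password for waffle from 192.168.1.20 port 5002 ssh2
Dec 12 03:16:00 server sshd[509]: Failed password for waffle from 192.168.1.20 port 5003 ssh2
""".splitlines()


def category(match):
    """Map a failed-login match onto one of the three sshdfilter counters."""
    if match.group("invalid"):
        return "invalid"      # login to a non-existent account
    if match.group("user") == "root":
        return "root"
    return "failed"


def find_blocks(lines, thresholds=THRESHOLDS):
    """Return {ip: category} for every source that crossed a threshold.
    Counters are per (ip, category); a valid login resets that address."""
    counts = defaultdict(int)
    blocked = {}
    for line in lines:
        ok = ACCEPTED_RE.search(line)
        if ok:
            ip = ok.group("ip")
            for key in [k for k in counts if k[0] == ip]:
                del counts[key]
            continue
        m = FAILED_RE.search(line)
        if m is None or m.group("ip") in blocked:
            continue
        key = (m.group("ip"), category(m))
        counts[key] += 1
        if counts[key] >= thresholds[key[1]]:
            blocked[key[0]] = key[1]
    return blocked


def ipfw_rules(blocked, first_rule=20000):
    """Render blocks as ipfw deny rules (assumed syntax, for illustration;
    the real /etc/firewallrules written by sshdfilter may differ)."""
    return [f"ipfw add {first_rule + i} deny ip from {ip} to any"
            for i, ip in enumerate(sorted(blocked))]


if __name__ == "__main__":
    hits = find_blocks(SAMPLE_LOG)
    print(hits)
    print("\n".join(ipfw_rules(hits)))
```

On the sample, 10.0.0.5 is blocked after three non-existent-account attempts and 10.0.0.6 after two root attempts, while 192.168.1.20 is never blocked because its valid login resets the counter.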

[1] http://www.slicksurface.com/blog/2008-06/ssh-attack-and-password-problems-on-os-x

[2] Mac OS X sshdfilter installer: http://projects.seas.columbia.edu/sshdfilter/sshdfilter_mac.zip
    sshdfilter project home: http://www.csc.liv.ac.uk/~greg/sshdfilter/

MitM Plaintext Injection Vulnerability in TLS (openssl)

I’m researching this month’s plaintext injection vulnerability in TLS (OpenSSL). It’s real and affects all existing releases of the SSL and TLS protocol family. Good sysadmins will be installing the fixes as a matter of urgency (as of 12th Dec, Netcraft reported that 24 of the top 100 sites had updated).
In the spirit of the internet, 90% of the words below are not mine.

National Vulnerability Database (NVD): CVE-2009-3555
“The TLS protocol, and the SSL protocol 3.0 as used in… mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l… does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions.”

TLS renegotiation attack. More bad news for SSL | Cupfighter.net
While the attack only works for the first request sent over a TLS session (subsequent renegotiation requests are sent in the encryption context and can thus not be inserted) M[an in the middle] could force the session to reset after x seconds of inactivity by sending a reset packet to both Client and Server, thus forcing a new TCP and TLS session to be re-established and thus gaining a new window of opportunity.
In response to this attack OpenSSL (Nov 8th) released OpenSSL 0.9.8l which does fix the vulnerability, but disables renegotiation completely. This change to OpenSSL may break certain applications so it should be carefully tested before it is implemented. [Server-side HTTPS will generally not be broken.]
This attack will first appear in highly targeted scenarios. Since the attack is a man in the middle attack the attacker will have to have control over all the traffic between client and server and vice versa in order to fully exploit the attack. With this attack TLS does not fully protect the integrity of the communication between client and server.

The root of the problem is servers that perform (allow) TLS renegotiations and make flawed assumptions about what a successful TLS renegotiation means for the data previously received.

PhoneFactor’s Status of Patches

Understanding the TLS Renegotiation Attack – Educated Guesswork
‘CVE-2009-3555 – apache/mod_ssl vulnerability and mitigation’ – MARC
Links » Another Protocol Bites The Dust
Extended Subset » Blog Archive » Authentication Gap in TLS Renegotiation
The Secure Goose: TLS renegotiation vulnerability (CVE-2009-3555)
Confidence 2009.02 – Cupfighter renegotiation vulnerability slides
TLS Test here:

Renegotiation Test | netsekure rn

GFC? Quel surprise!

This quote from Newsweek magazine, Nov 9 2009 issue, page 37, by Sharon Begley:

In a poll, he says [Al Gore], 80 percent of CEOs and CFOs said they would not spend money to make their factories more efficient and save money in the long run if it hurt their next-quarter bottom line. “That,” says Gore, “is functionally insane.”

I couldn’t agree more. Such short-term thinking from such highly paid people.
That sound you can hear is my mind boggling.

we didn’t budget for this…

The Vendor Client relationship – in real world situations

Rent Adobe Creative Suite Design Premium

In an interesting move (well, interesting if you sell software) Adobe have announced that you can now rent CS 3 Design Premium:
Creative Suite 3 Design Premium Subscription Edition
Adobe Creative Suite 3 Design Premium Subscription Edition is available to customers in Australia. The box price of AU$129 includes your first month of subscription service. Subscription pricing is AU$129 per month for a 12-month contract, and AU$199 a month on an ad hoc basis.

You get full CS3 versions of InDesign, Photoshop Extended, Illustrator, Flash Professional, Dreamweaver and Acrobat 8 Professional. All future updates are included as long as you are still subscribed. Coretech is taking preorders if you’re interested.

Be warned that the 12 month subscription cannot be cancelled and automatically renews unless you turn off the “auto-renew-subscription” option.
At this stage this is the only product that you can get via subscription. I’m sure there’ll be more.

3G iPhones for Australia

Good news from the rumour mill.
It’s old news that Vodafone will be selling iPhones in Australia (and lots of other countries) and now it appears that Optus will be as well.
With the US and UK running down stock and end-of-lining the first generation iPhones, it looks like we’ll be getting the second generation 3G iPhones! Yay.
Seems that none of these deals are “exclusive” so expect every telco and its dog to be selling these in the next few months. There is a vicious rumour that even Apple Resellers like Coretech will be able to sell them. We’ll have to hold our breath until June 9th for the low-down.

Keep the Battery In…

Some clients like to remove their MacBook or MacBook Pro battery when they are using their power adapter for a long time. The theory is that this will conserve their battery life.
Apple don’t like this idea:

If the battery is removed from a MacBook or MacBook Pro, the computer will automatically reduce the processor speed. This prevents the computer from shutting down if it demands more power than the A/C adaptor alone can provide.

Of course, if you bump the power adapter and unplug your laptop, you will lose all unsaved work. Not to mention that if dirt and dust collects on the battery connectors you may have problems later.

There’s an Apple article here explaining how to calibrate your battery – this should be done every couple of months.

Sounds kinda annoying to me, so I’m going to buy a second battery and one of Newertech’s battery charger and reconditioner units – gotta keep the MacBook Pro on 24/7….

I’ll let you know how I go.

Verify Your OS X Preference Files

If an application is playing up, it may be due to a corrupted preference file.
You can use the built-in command ‘plutil’ to verify any preference file – for example:

$ plutil -lint ~/Library/Preferences/com.apple.iChat.plist
/Users/waffleblog/Library/Preferences/com.apple.iChat.plist: OK

Please note that this utility will only check the syntax of the file, not the deeper meaning as understood by the owning application.

To check all preferences in your Library folder:

$ find ~/Library/Preferences -name "*.plist" -print0 | xargs -n1 -0 plutil -lint

(This uses -print0 and -0 to cope with spaces in filenames.)

Speed Up Apple Mail

I recently moved my 10+ years of Eudora email to Apple Mail.
The import worked well but I noticed that Apple Mail was really slow.
Thanks to Tim Gaden of Hawk Wings, it is now running much faster.
Essentially the following simple steps optimise the SQLite database (the “envelope index”) that Apple Mail uses to store indexes and subject lines of emails.

Here are the steps:
1. Quit Mail. Please BACKUP if you haven’t already.
2. Open Terminal (in Applications/Utilities).
3. Check your current ‘envelope archive’ size by entering this in the terminal:
ls -lah ~/Library/Mail/Envelope\ Index
4. Then enter the following:
sqlite3 ~/Library/Mail/Envelope\ Index vacuum;

On my 2.75GB worth of email (not including attachments) this command took about 4 minutes on my MacBook Pro – don’t worry if it takes longer.

Then check your envelope size by running the first command again. My Envelope Index went from 155MB to 134MB and the performance improvement was surprisingly good.

Mac Mini as home media center.

So we know that the humble Mac Mini can drive an SD TV just fine, but what about driving an HD TV? This guy played 1080p video with no dropped frames on a Core Duo Mac mini with only 512MB RAM. (Safari, QuickTime Pro and Activity Monitor were running.) Not bad for a machine with shared graphics memory.

There are also his interesting comments on DivX versus H.264 codecs:
> you’re bound to hear a lot about DivX being better than h.264, some reasons are valid,
> but for content providers (I do pro video work), h.264 is preferred for a number of reasons – not the least of which is that it’s an open standard and the licensing fees are reasonable, and there is pro mac software for it. There is a ton of hardware that does broadcast quality h.264 encoding realtime – it’s what the pros are moving to for content distro. It streams better than anything else in its range (WM9, Real).
> This is why DirecTV, Apple, Verizon, T-Mobile, Orange, Thales, and a ton of actual content makers are using h.264 rather than DivX….

This dude also uses his mini as a media centre running Vista so that he can use Microsoft’s latest Media Centre software and a remote control with more features than the Apple remote. This results in a richer TV interface than running a Mac OS X / Elgato solution, but you do have to run Windows.

Infinite Loop have a mini set up more as a media jukebox and less as a personal video recorder (PVR) (i.e. there’s no Elgato digital TV receiver). There’s lots of good stuff in the comments here.

As a further note, Elgato’s software EyeTV now works with iTunes, so you can record TV shows and have them automatically loaded into iTunes for playback on whatever device your mini is driving (HDTV with DVI to HDMI cable).

Show me the speed

Hi All,

Just finished installing four Seagate 750GB drives into a Quad G5 on a HighPoint RocketRAID 2320 card. Created one RAID 0 volume, which gives a 2.73 terabyte volume, and man, does she fly. Check the picture below for speed test results…

Next week we’re installing three 750GB drives into a Quad 3GHz Mac Pro and will create a RAID 0 volume using the logic board. Test results as soon as we get the Mac Pro…

The test results are in bold. The rest is the required drive throughput (speed) needed for various video standards.

RAID Speed Test

Mac Pro – no need to wait for Adobe anymore…

With the four drive bays, extra FireWire and USB ports, a bay for a second optical drive (or even more hard drives?) and the ability to natively run Windows on top of two very fast dual core processors, these machines get a big solid tick of approval, with a hearty handshake and a slap on the bum thrown in for good measure.

If you’re running universal binary apps (Final Cut Pro 5, iMovie etc) then the Mac Pros hoon!
If you’re running PowerPC apps (Adobe CS suite) then expect roughly the same performance as a Quad G5 from the Quad Intel 2.66GHz and about a 35% increase from the Quad Intel 3GHz beast.

According to GeekPatrol the Quad 3GHz Intel Mac Pro is 35% faster than the Quad 2.5GHz PPC G5. Their tests showed the Quad 2.66GHz Mac Pro to be 7% faster than the Quad 2.5GHz G5. However this test used only two RAM modules in the Mac Pro and so is probably wrong. See below for explanation.

It is important to note that you will get dramatic speed improvements by striping (RAID 0) discs and these new Mac Pros make that very easy – no need to install expensive hardware RAID cards – just use the available bays.


Portable Home Directories – OS X Server 10.4

A really good way to back up all your users’ home folders is to use Network Home Directories, where their entire home folder resides on your server. However, if you have a slow server, a slow network or too many users, an excellent option is to use Portable Home Directories (PHD).

Using PHD the user’s home directory is synchronised to the server only at login and/or logout. This greatly reduces the network traffic, allows the user to leverage the full power of their workstation while also ensuring their data is backed up. Great for users who primarily use one machine and mobile users with laptops.

The following instructions are taken without permission from the Apple Discussions list. Many, many thanks to Derek (DY-E)!


iCal Server on OS X Server 10.4

Here’s a good article on how to finally get shared, editable calendars in iCal – YAY!

Lightning Protection

…cause a client asked…

There is no Utopia in lightning protection. Lightning may ignore every defense man can conceive. A systematic hazard mitigation approach to lightning safety is a prudent course of action.

http://www.lightningsafety.com/nlsi_lhm/lpts.html

The best you can do to protect yourself from lightning is to have all equipment and power single grounded and install a decent surge filter (or diverter) at your mains power panel. Note that if the house is situated in a dry or rocky area, getting a good ground may be problematic. If you are in a heavy lightning area then a copper lightning rod (commonly called an air terminal) may be prudent. On top of your low impedance, well-bonded equipotential ground system and mains power surge arrestor, you may want to get (from Coretech of course) surge protectors for your computer and data equipment.

If you provide a list of the equipment that you will be using we can get a quote to you for surge protection equipment in your home office. If you want backup battery power included – please let me know how long you’d like to run what in a power outage.
“The importance of a single-point protection ground cannot be stressed enough. All equipment should be bonded to one single earth ground. If you have some equipment on one ground, and other equipment on another ground, it is quite likely that in a nearby strike that there will be a large voltage difference between the two grounds. This means that the equipment will be at different voltages, sometimes high enough to get arcing from one to another.

A Single Ground Rod is Seldom Enough: Tests done over the past few years show that in most cases, a single 6 or 8 foot ground rod is NOT enough, even when the ground is salted to improve conductivity. The problem is, in arid climates with dry soil, it could take as many as a dozen rods to get it down to the 10 ohms ground resistance that is usually accepted as the optimum (25 ohms is the NEC minimum). To get down to the 25 ohm NEC minimum, you may have to use 2-3 10 foot rods, all bonded together with #6 wire and copper wire clamps. However, if you cannot do this, something is better than nothing. In some cases you may have to go so far as to bury lengths of bare copper wire or copper pipe in trenches.”

http://www.windsun.com/Lightning_Protection.htm

Importantly, you should also get the telephone circuit protected. Lightning striking 300 meters away will generate a large electromagnetic field that will fry modems (and maybe computers) connected to phone and power lines; modems are especially sensitive to this. An external modem is usually a good idea (the Apple USB External Modem at $79 is excellent value).

Most of the work to protect you from lightning strike should be done by a good electrician who knows the standards. Lightning strikes generate between 10,000 and 30,000 amps in a few microseconds so having a well grounded system is the first and most important step.

Record to your ipod from your DV Camera.

Not due for release until later this year, the [Bella Catapult](http://www.bella-usa.com/Catapult.htm) is a battery driven box that plugs into your digital camcorder via FireWire and records the video onto your iPod or USB hard drive. It does pre- and post-recording, time lapse and remote trigger recording (using a motion detector, this is useful for surveillance or wildlife video).

Cool. Pack a couple of 120GB pocket drives and your camcorder and capture video data straight to drive. Get back to the office, no need for any real-time importing, it’s already done – just plug your drive in, open the clips in Final Cut Pro and start editing.

[Focus Enhancements](http://www.focusinfo.com/solutions/catalog.asp?id=3) have been selling this kind of box for a while – their products are aimed at video professionals whereas the catapult at US$300 seems to be aimed at the consumer level.

Mac OS X Safe Boot

A very useful OS X troubleshooting step is to start the problem machine in Safe Mode. Restart your machine and, immediately after you hear the startup tone, press and hold the Shift key.
The Shift key should be held as soon as possible after the startup tone but not before. You can release the Shift key when you see the gray Apple and the spinning gear on the display.

Remember that this is a troubleshooting step: third party software such as Suitcase won’t work, nor will any AirPort cards, DVD Player or your modem. If the problems disappear when you Safe Boot you can be reasonably certain that a StartupItem (such as Norton AntiVirus) is causing the problem.

[Here's](http://docs.info.apple.com/article.html?artnum=107392) what Safe Booting actually does:

- It forces a directory check of the startup volume.
- It loads only required kernel extensions (some of the items in /System/Library/Extensions).
- Mac OS X 10.4 Tiger only: It disables all startup items and any Login Items.
- In Mac OS X 10.3.9 or earlier, it runs only Apple-installed startup items (some of the items in /Library/StartupItems and /System/Library/StartupItems – and different than login items).
- Mac OS X 10.4 Tiger only: It disables all fonts other than those in /System/Library/Fonts.
- Mac OS X 10.4 Tiger only: It moves to the Trash all font caches normally stored in /Library/Caches/com.apple.ATS/(uid)/, where (uid) is a user ID number such as 501.

Taken together, these changes can work around issues caused by software or directory damage on the startup volume.

Where is the Apple Diagnostics CD?

Got Tiger? Noticed that there is no Apple Hardware Test CD? No cause for alarm – boot from the install DVD and hold down the D key. Abracadabra! Mac boots into diagnostics – good for checking for faulty RAM.

Another helpful hint from the [coretech](www.coretech.net.au) team.

A new file system?

There are [reports](http://arstechnica.com/staff/fatbits.ars/2006/4/27/3777) that Chris Emura, the Filesystem Development Manager within Apple’s CoreOS organization, is interested in porting Sun’s ZFS file system to OS X. This is potentially good news as there are a few things that ZFS does that HFS+ cannot:

1. Keep snapshots of the file system. Deleted a file ten days ago that you really need? Check the snapshots and restore.

2. Silent, live detection and repair of data corruption and bad blocks. This is really cool!! The auto-repair works on RAIDed volumes with error checking and reporting on single volumes. Essentially everything is checksummed and checked for corruption in the background. This may mean we will lose a lot of our work doing data rescue and drive recovery at Coretech!

3. Grow and shrink volumes automatically. Want more space? Add a drive and hey presto, more space. ZFS does not use partition tables, all storage is shared and all bandwidth available.

4. Everything is copy-on-write – no need to fsck or Disk Warrior your drive ever again.

5. Immense capacity as it’s a 128 bit file system. A terabyte is 1000GB, a billion terabytes is a zettabyte and ZFS can support up to 256 quadrillion zettabytes!! (A quadrillion is a 1 followed by fifteen zeroes – I just love large numbers.)
There’s a good PDF describing ZFS [here.](http://www.opensolaris.org/os/community/zfs/docs/zfs_last.pdf)

If this pans out, it will be great news for Apple customers. ZFS incorporates some excellent ideas, and may fundamentally change the way people look at storage. In a way, it provides an abstraction similar to virtual memory, only for disk based storage. As such, adding storage is hardly any more difficult than adding memory. Oh yeah it’s open source too. Can it get any better than a self repairing RAID that checks for data and hardware errors constantly and can be expanded automatically??

Nerd Bliss State Reached. I only hope Apple go with this….

Gold! Using the built-in iPod Diagnostics

[Excellent page](http://www.methodshop.com/mp3/ipodsupport/diagnosticmode/index.shtml) showing one how to use the inbuilt diagnostic functions of your iPod – all versions!

Very Cool!