Name: Steve Kemp
Member since: N/A
Last Login: 2008-09-01 11:31:30
Homepage: http://www.steve.org.uk/
Notes:
[For the curious I live in Edinburgh, Scotland ..]
I'm a big believer in the benefits of open source software, so much so that I joined the Debian Project where I can help those who've given us so much.
On other fronts I've written, or contributed, to a large number of Open Source projects including GNU Emacs, GNUTella, GoGo, GNUMP3d, MP3Blaster.
My largest single contribution to the OS world is the GNU MP3 / OGG streaming. Initially this was written in C, later C++; now it is 100% pure Perl. If you're interested in why that occurred I posted an article about it on Advogato.org - one of only two articles I've posted here.
If you want me to .. I will program for cool stuff ;)
Nowadays I guess the most visible thing I do in my spare time is run a site I created for Debian/GNU Linux System Administration.
My commercial interests mostly revolve around SPAM protection.
Other than that I continue working on the Debian Project, and was recently added to the Security Team largely as a result of the work I'd done auditing source code in the past.
4 Sep 2008 (updated 4 Sep 2008 at 23:10 UTC)
I don't have no other pants!
OK so I've knocked up a simple blacklist:
The source code behind it all is open.
Currently it is setup to import IPs which denyhosts has downloaded every hour, and it will also receive updates from several systems under my direct control.
If you wish to begin submitting your own reports you may get in touch, or read the documentation in the source repository. I'll document that on the site itself publicly in a couple of days.
So far I see several people have rsync'd my zonefile a few times. I guess the domain name was a bit predictable.
ObFilm: The Great Muppet Caper
Syndicated 2008-09-05 22:14:56 (Updated 2008-09-04 23:10:07) from Steve Kemp's Blog
Wash your face and try again, if you survive.
There are many online blacklists which are populated by volunteers. I'm looking for such a blacklist which contains records of hosts conducting portscans, ssh brute-forcing, or other similar "badness".
dshield looks good - but doesn't make the scanning IP available - just shows the port data.
denyhosts allows you to upload/download a list of IPs trying to run ssh bruteforce attacks - but when I wrote my own RPC code to poll that list of IPs I found I couldn't get the full list.
I'm aware that I could run denyhosts on a spare IP, then just copy the IPs it downloads but that feels icky...
I'm unaware of any existing service that I could use for my purposes.
So would there be any interest in a service listing only portscanning/ssh brute-force IPs? (Allowing DNS queries, XML-RPC, or rsync downloads of the submitted data.)
Obviously I have my own reason for wanting such a list of bad IPs... Those are probably obvious, but it does seem like it would be generally useful.
I'd be willing to host a server to process the submitted reports, and make the results available, but I guess that's the easy part. The hard part is persuading people to run my "submit IP" client. Which has to understand ssh logs, iptables logs, or something similar.. Ugh.
I guess between the machines I work with and the machines I host myself I've got a fair number of IPs which I could collect scans from - I could populate the database myself. But this is a perfect job for distributed submission.
ObQuote: Batoru rowaiaru
If you don't learn to behave yourself - there won't be a tonight
Yesterday I made a new release of the chronicle blog compiler. This fixes a bug in the handling of comments.
Previously comments were sorted badly, when they crossed a month boundary. Now they are always sorted first to last - which makes reading entries with multiple comments more natural.
Other than that I've been readying for the launch of a new MX machine for my mail filtering service. The process went pretty smoothly, and so I'm happy. Still have that paranoid feeling that something will break, but at the very least I'll hear about it quickly thanks to the SMS-alerts!
ObMovie: Brief Encounter
There can be only one
When volume becomes high enough you start to observe patterns in SPAM pretty easily. I think that this is primarily because people like to see patterns, whether they are present or not.
The trick is determining whether they are real patterns or not, and then to a lesser extent whether they are useful patterns.
For example I host mail for a business domain. That means that incoming messages come primarily from existing customers, and very rarely from potential new ones.
In practice that means that email is expected to arrive from 9am til 6pm (+/- 2 hours). Email received at 2AM? Either it is somebody working remotely, a foreign contact, or much more likely it is SPAM.
Now clearly you cannot dump all messages received at unusual times of the day, but it is a surprisingly robust SPAM indicator for that particular domain.
All heuristics are fallible, but some are useful regardless..
I'd love to know what people can learn from their SPAM. This week I'm handling approximately 80,000 messages a day, per MX, which isn't huge (i.e. 2-3 million a month).
ObQuote: Highlander
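The time-of-day heuristic from the post above, worked through as an added example (this is not code from the original blog or its mail filter). It assumes the MX's local zone is BST (UTC+1), business hours of 09:00-18:00 with the +/-2 hour slack the post describes, an assumed point weight for the signal, and constructed log lines; receipt time is taken from the MX's own log rather than the sender-controlled Date: header, and the result is a score contribution, not a reject, matching the caveat that unusual-hour mail cannot simply be dumped.

```python
from datetime import datetime, timedelta, timezone

# Assumed local zone for the MX: BST (UTC+1). Production code would use
# zoneinfo.ZoneInfo("Europe/London") so that DST changes are handled.
BUSINESS_TZ = timezone(timedelta(hours=1), "BST")
WORK_START, WORK_END, SLACK = 9, 18, 2   # 09:00-18:00 local, +/- 2h (per the post)
OFF_HOURS_POINTS = 1.5                    # assumed weight of this one weak signal

# Constructed MX log lines: UTC receipt time, client IP, envelope sender.
MX_LOG = [
    "2008-09-04T08:15:02Z 203.0.113.5 from=<customer@example.com>",
    "2008-09-04T01:30:44Z 198.51.100.7 from=<buy@example.net>",
    "2008-09-04T19:30:10Z 192.0.2.9 from=<offer@example.org>",
]

def parse_log_line(line: str):
    """Split a constructed log line into (aware UTC datetime, client IP)."""
    ts, ip, _rest = line.split(" ", 2)
    received = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return received, ip

def in_expected_window(received_utc: datetime) -> bool:
    """True when the local receipt time lies in [start-slack, end+slack)."""
    local = received_utc.astimezone(BUSINESS_TZ)
    hour = local.hour + local.minute / 60.0
    return (WORK_START - SLACK) <= hour < (WORK_END + SLACK)

def off_hours_points(received_utc: datetime) -> float:
    """Score contribution: 0 inside the window, OFF_HOURS_POINTS outside.
    It is added to other indicators; on its own it never rejects mail."""
    return 0.0 if in_expected_window(received_utc) else OFF_HOURS_POINTS

def classify(lines):
    """Return [(ip, local time 'HH:MM', points)] for each log line."""
    out = []
    for line in lines:
        received, ip = parse_log_line(line)
        local = received.astimezone(BUSINESS_TZ).strftime("%H:%M")
        out.append((ip, local, off_hours_points(received)))
    return out

def hourly_histogram(lines):
    """Messages per local hour: the raw data for checking whether a
    'pattern' is really there before it is turned into a rule."""
    counts = {}
    for line in lines:
        received, _ip = parse_log_line(line)
        h = received.astimezone(BUSINESS_TZ).hour
        counts[h] = counts.get(h, 0) + 1
    return counts

if __name__ == "__main__":
    for ip, local, pts in classify(MX_LOG):
        print(f"{ip:<14} local {local} off-hours points {pts}")
```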
He could eat the whole colony
I've updated my simple SDL-based Perl game, so that:
I still need to work on the rebound-angle but otherwise it is as complete as it will probably ever become. It would also be nice if the balls could collide with each other, and be different colours..
Regardless it was a fun diversion for a few hours, and probably tells me that I shouldn't attempt to waste more time doing gamy things, and that maths is too hard for me these days.
ObQuote: Interview with the vampire