Rantings of a Lunatic


FreeNAS rocks, USB1.1 sucks, and more

So, I have recently made some changes to my computing environment at home. I will update the farm page soon, but I haven’t finalized all the changes yet. I can say that I upgraded a motherboard, which allowed me to put all of the original parts back in my Dell Dimension E520n and set it up as a FreeNAS NAS device. Setting it up had its own set of issues, but it’s currently running a Core2Duo @1.86Ghz, with 4Gb of RAM and 4.5TB of HD space. I ended up setting it up as a RAID-Z ZFS filesystem, using 1 disk for parity, which gives me around 2.6TB of usable space, I believe.
I have started copying most of my online data to the array. However, I had a problem with the EXT4 file system that my old Linux workstation used to run off of, where the superblocks had become corrupted. I tried everything over the last 5 days to get it working, and had nothing but problems. One of the biggest problems was using a SATA -> USB bridge on my netbook to try to run fsck against it. At 12Mb/s, USB1.1 really sucks for any kind of serious data transfer, and when you consider that fsck is going to read the whole 500Gb and then write the whole 500Gb, I may have gotten impatient once or twice and killed it so that I could try to get it to go over the SATAII bus. I finally got it to repair the superblocks last night by booting from a GParted Live CD with the drive connected to the SATAII ports. And now I am sitting here booted off of an Ubuntu 9.10 Live CD so that I can mount my NAS over NFS and salvage what data I can from the drive before I wipe it. I know of about 6 files that grew from 1.5Gb to about 17Gb in the corruption, and there are another 4 that I saw had shrunk to 16Kb. I am not worried about any of those files, as I can always reconstitute them from backups one way or another. Unfortunately, when I signed up for Uverse, I just let them use their router, and as I haven’t had to do too much inter-machine transport, I had never noticed that it has a 100Mb switch built in. I am now really wishing I had a 1Gb switch, as I can literally see that it is the weak point in my current setup.

Anyway, it’s transferring over, and I will salvage what I can. Then I will do a low-level clone of the drive in my Hackintosh, which is what I built with all of the upgrades that I had stuffed into the Dell over time, and expand its root drive from 250Gb to 500Gb. I already have Time Machine backing up to a dataset on the NAS, and it’s sharing through AFP just fine. I don’t think I have Zeroconf/Bonjour working correctly yet, but it does work if I use the Go -> Connect to Server path, and I know how to do that, so I am not too worried about it.

China has tried to hack me

So, I got home from work and booted up my computer. While it booted, I turned to the mail to see what was in the coupon section, because I was planning on going grocery shopping tonight. When I finished with the mail and was about to go take care of some other tasks, I noticed the icon on the menu bar for Little Snitch was blinking like mad. As I had only just started up the computer, and it was just sitting at the Finder, this caught me a little off guard, so I clicked the icon to investigate. The response from Little Snitch was that there were two sshd processes with the IP address 218.107.139.2 running and constantly transferring data. I am an IT guy, so I have an array of IP addresses memorized; however, that was one I didn’t recognize, so I fired off a quick whois to find out who was trying to SSH into my computer.

Here is the whois on the offender:

$ whois 218.107.139.2

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 218.0.0.0 - 218.255.255.255
CIDR: 218.0.0.0/8
NetName: APNIC4
NetHandle: NET-218-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
RegDate: 2000-12-07
Updated: 2009-10-08

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2010-03-01 20:00
# Enter ? for additional hints on searching ARIN’s WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
% [whois.apnic.net node-3]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 218.107.128.0 - 218.107.191.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: SY21-AP
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-CNCGROUP
mnt-lower: MAINT-CNCGROUP-BJ
changed: hm-changed@apnic.net 20050407
source: APNIC

route: 218.104.0.0/14
descr: China Unicom CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060329
source: APNIC

person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: abuse@chinaunicom.cn
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
changed: abuse@chinaunicom.cn 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC

person: sun ying
address: fu xing men nei da jie 97, Xicheng District
address: Beijing 100800
country: CN
phone: +86-10-66030657
fax-no: +86-10-66078815
e-mail: hostmast@publicf.bta.net.cn
nic-hdl: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: suny@publicf.bta.net.cn 19980824
changed: hm-changed@apnic.net 20060717
changed: hostmast@publicf.bta.net.cn 20090630
source: APNIC

The second thing I did, as I didn’t recognize a computer in China that I would have been connecting to, was to kill the SSH service (Remote Login in System Preferences -> Sharing). That instantly stopped the transfer of data, but it didn’t really tell me what had been going on, so I started looking at the logs.

A quick scan through Console.app showed me that the culprit hadn’t gained access, but was just running a dictionary attack to find a username that was enabled. As I only installed Snow Leopard last night, I am not yet sure whether I can configure sshd in any other way, hopefully to run only off of keys, as that is generally presented as a more secure way of running it.

For the record, here is the output from /var/log/secure.log:

Mar 2 19:01:57 mr-texs-mac-pro sshd[327]: Invalid user admin from 218.107.139.2
Mar 2 19:01:59 mr-texs-mac-pro sshd[329]: Invalid user admin from 218.107.139.2
Mar 2 19:02:01 mr-texs-mac-pro sshd[331]: Invalid user admin from 218.107.139.2
Mar 2 19:02:03 mr-texs-mac-pro sshd[333]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:05 mr-texs-mac-pro sshd[335]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:07 mr-texs-mac-pro sshd[337]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:09 mr-texs-mac-pro sshd[339]: Invalid user tads from 218.107.139.2
Mar 2 19:02:11 mr-texs-mac-pro sshd[341]: Invalid user tads from 218.107.139.2
Mar 2 19:02:13 mr-texs-mac-pro sshd[343]: Invalid user tads from 218.107.139.2
Mar 2 19:02:15 mr-texs-mac-pro sshd[345]: Invalid user tip from 218.107.139.2
Mar 2 19:02:17 mr-texs-mac-pro sshd[347]: Invalid user tip from 218.107.139.2
Mar 2 19:02:19 mr-texs-mac-pro sshd[349]: Invalid user tip from 218.107.139.2
Mar 2 19:02:21 mr-texs-mac-pro sshd[351]: Invalid user myra from 218.107.139.2
Mar 2 19:02:22 mr-texs-mac-pro sshd[353]: Invalid user myra from 218.107.139.2
Mar 2 19:02:24 mr-texs-mac-pro sshd[355]: Invalid user myra from 218.107.139.2
Mar 2 19:02:26 mr-texs-mac-pro sshd[357]: Invalid user jack from 218.107.139.2
Mar 2 19:02:28 mr-texs-mac-pro sshd[359]: Invalid user jack from 218.107.139.2
Mar 2 19:02:30 mr-texs-mac-pro sshd[361]: Invalid user jack from 218.107.139.2
Mar 2 19:02:32 mr-texs-mac-pro sshd[363]: Invalid user sya from 218.107.139.2
Mar 2 19:02:33 mr-texs-mac-pro sshd[365]: Invalid user sya from 218.107.139.2
Mar 2 19:02:36 mr-texs-mac-pro sshd[367]: Invalid user sya from 218.107.139.2
Mar 2 19:02:38 mr-texs-mac-pro sshd[369]: Invalid user wang from 218.107.139.2
Mar 2 19:02:40 mr-texs-mac-pro sshd[371]: Invalid user wang from 218.107.139.2
Mar 2 19:02:42 mr-texs-mac-pro sshd[373]: Invalid user wang from 218.107.139.2
Mar 2 19:02:43 mr-texs-mac-pro sshd[375]: Invalid user marvin from 218.107.139.2
Mar 2 19:02:45 mr-texs-mac-pro sshd[377]: Invalid user marvin from 218.107.139.2
Mar 2 19:02:47 mr-texs-mac-pro sshd[379]: Invalid user marvin from 218.107.139.2
Mar 2 19:02:49 mr-texs-mac-pro sshd[381]: Invalid user andres from 218.107.139.2
Mar 2 19:02:51 mr-texs-mac-pro sshd[383]: Invalid user andres from 218.107.139.2
Mar 2 19:02:53 mr-texs-mac-pro sshd[385]: Invalid user andres from 218.107.139.2
Mar 2 19:02:55 mr-texs-mac-pro sshd[387]: Invalid user barbara from 218.107.139.2
Mar 2 19:02:57 mr-texs-mac-pro sshd[389]: Invalid user barbara from 218.107.139.2
Mar 2 19:02:58 mr-texs-mac-pro sshd[391]: Invalid user barbara from 218.107.139.2
Mar 2 19:03:00 mr-texs-mac-pro sshd[393]: Invalid user adine from 218.107.139.2
Mar 2 19:03:02 mr-texs-mac-pro sshd[395]: Invalid user adine from 218.107.139.2
Mar 2 19:03:04 mr-texs-mac-pro sshd[397]: Invalid user adine from 218.107.139.2
Mar 2 19:03:06 mr-texs-mac-pro sshd[399]: Invalid user test from 218.107.139.2
Mar 2 19:03:08 mr-texs-mac-pro sshd[401]: Invalid user test from 218.107.139.2
Mar 2 19:03:10 mr-texs-mac-pro sshd[403]: Invalid user test from 218.107.139.2
Mar 2 19:03:12 mr-texs-mac-pro sshd[405]: Invalid user guest from 218.107.139.2
Mar 2 19:03:14 mr-texs-mac-pro sshd[407]: Invalid user guest from 218.107.139.2
Mar 2 19:03:16 mr-texs-mac-pro sshd[409]: Invalid user guest from 218.107.139.2
Mar 2 19:03:18 mr-texs-mac-pro sshd[411]: Invalid user db from 218.107.139.2
Mar 2 19:03:19 mr-texs-mac-pro sshd[413]: Invalid user db from 218.107.139.2
Mar 2 19:03:21 mr-texs-mac-pro sshd[415]: Invalid user db from 218.107.139.2
Mar 2 19:03:23 mr-texs-mac-pro sshd[417]: Invalid user ahmed from 218.107.139.2
Mar 2 19:03:25 mr-texs-mac-pro sshd[419]: Invalid user ahmed from 218.107.139.2
Mar 2 19:03:26 mr-texs-mac-pro sshd[421]: Invalid user ahmed from 218.107.139.2
Mar 2 19:03:28 mr-texs-mac-pro sshd[423]: Invalid user alan from 218.107.139.2
Mar 2 19:03:30 mr-texs-mac-pro sshd[425]: Invalid user albert from 218.107.139.2
Mar 2 19:03:32 mr-texs-mac-pro sshd[427]: Invalid user alberto from 218.107.139.2
Mar 2 19:03:34 mr-texs-mac-pro sshd[429]: Invalid user alex from 218.107.139.2
Mar 2 19:03:36 mr-texs-mac-pro sshd[431]: Invalid user alex from 218.107.139.2
Mar 2 19:03:38 mr-texs-mac-pro sshd[433]: Invalid user alex from 218.107.139.2
Mar 2 19:03:40 mr-texs-mac-pro sshd[435]: Invalid user alfred from 218.107.139.2
Mar 2 19:03:42 mr-texs-mac-pro sshd[437]: Invalid user alfred from 218.107.139.2
Mar 2 19:03:43 mr-texs-mac-pro sshd[439]: Invalid user alfred from 218.107.139.2
Mar 2 19:03:45 mr-texs-mac-pro sshd[441]: Invalid user ali from 218.107.139.2
Mar 2 19:03:47 mr-texs-mac-pro sshd[443]: Invalid user ali from 218.107.139.2
Mar 2 19:03:49 mr-texs-mac-pro sshd[445]: Invalid user ali from 218.107.139.2
Mar 2 19:03:51 mr-texs-mac-pro sshd[447]: Invalid user alice from 218.107.139.2
Mar 2 19:03:53 mr-texs-mac-pro sshd[449]: Invalid user alice from 218.107.139.2
Mar 2 19:03:55 mr-texs-mac-pro sshd[451]: Invalid user alice from 218.107.139.2
Mar 2 19:03:57 mr-texs-mac-pro sshd[453]: Invalid user allan from 218.107.139.2
Mar 2 19:03:59 mr-texs-mac-pro sshd[455]: Invalid user allan from 218.107.139.2
Mar 2 19:04:01 mr-texs-mac-pro sshd[457]: Invalid user allan from 218.107.139.2
Mar 2 19:04:03 mr-texs-mac-pro sshd[459]: Invalid user andi from 218.107.139.2
Mar 2 19:04:05 mr-texs-mac-pro sshd[461]: Invalid user andi from 218.107.139.2
Mar 2 19:04:07 mr-texs-mac-pro sshd[463]: Invalid user andi from 218.107.139.2
Mar 2 19:04:08 mr-texs-mac-pro sshd[465]: Invalid user andrew from 218.107.139.2
Mar 2 19:04:10 mr-texs-mac-pro sshd[467]: Invalid user andrew from 218.107.139.2
Mar 2 19:04:12 mr-texs-mac-pro sshd[469]: Invalid user andrew from 218.107.139.2
Mar 2 19:04:14 mr-texs-mac-pro sshd[471]: Invalid user amanda from 218.107.139.2
Mar 2 19:04:16 mr-texs-mac-pro sshd[473]: Invalid user amanda from 218.107.139.2
Mar 2 19:04:18 mr-texs-mac-pro sshd[475]: Invalid user amanda from 218.107.139.2
Mar 2 19:04:20 mr-texs-mac-pro sshd[477]: Invalid user angie from 218.107.139.2
Mar 2 19:04:21 mr-texs-mac-pro sshd[479]: Invalid user angie from 218.107.139.2
Mar 2 19:04:23 mr-texs-mac-pro sshd[481]: Invalid user angie from 218.107.139.2
Mar 2 19:04:25 mr-texs-mac-pro sshd[483]: Invalid user angela from 218.107.139.2
Mar 2 19:04:27 mr-texs-mac-pro sshd[485]: Invalid user angela from 218.107.139.2
Mar 2 19:04:29 mr-texs-mac-pro sshd[487]: Invalid user angela from 218.107.139.2
Mar 2 19:04:31 mr-texs-mac-pro sshd[489]: Invalid user anita from 218.107.139.2
Mar 2 19:04:32 mr-texs-mac-pro sshd[491]: Invalid user anita from 218.107.139.2
Mar 2 19:04:34 mr-texs-mac-pro sshd[493]: Invalid user anita from 218.107.139.2
Mar 2 19:04:36 mr-texs-mac-pro sshd[495]: Invalid user anna from 218.107.139.2
Mar 2 19:04:38 mr-texs-mac-pro sshd[497]: Invalid user anna from 218.107.139.2
Mar 2 19:04:40 mr-texs-mac-pro sshd[499]: Invalid user anna from 218.107.139.2
Mar 2 19:04:42 mr-texs-mac-pro sshd[501]: Invalid user arthur from 218.107.139.2
Mar 2 19:04:43 mr-texs-mac-pro sshd[503]: Invalid user arthur from 218.107.139.2
Mar 2 19:04:45 mr-texs-mac-pro sshd[505]: Invalid user arthur from 218.107.139.2
Mar 2 19:04:47 mr-texs-mac-pro sshd[507]: Invalid user aron from 218.107.139.2
Mar 2 19:04:49 mr-texs-mac-pro sshd[509]: Invalid user aron from 218.107.139.2
Mar 2 19:04:51 mr-texs-mac-pro sshd[511]: Invalid user aron from 218.107.139.2
Mar 2 19:04:53 mr-texs-mac-pro sshd[513]: Invalid user austin from 218.107.139.2
Mar 2 19:04:54 mr-texs-mac-pro sshd[515]: Invalid user austin from 218.107.139.2
Mar 2 19:04:56 mr-texs-mac-pro sshd[517]: Invalid user austin from 218.107.139.2
Mar 2 19:04:58 mr-texs-mac-pro sshd[522]: Invalid user magic from 218.107.139.2
Mar 2 19:05:00 mr-texs-mac-pro sshd[525]: Invalid user magic from 218.107.139.2
Mar 2 19:05:01 mr-texs-mac-pro sshd[527]: Invalid user magic from 218.107.139.2
Mar 2 19:05:03 mr-texs-mac-pro sshd[529]: Invalid user bart from 218.107.139.2
Mar 2 19:05:05 mr-texs-mac-pro sshd[531]: Invalid user bart from 218.107.139.2
Mar 2 19:05:07 mr-texs-mac-pro sshd[533]: Invalid user bart from 218.107.139.2
Mar 2 19:05:09 mr-texs-mac-pro sshd[535]: Invalid user ben from 218.107.139.2
Mar 2 19:05:11 mr-texs-mac-pro sshd[537]: Invalid user ben from 218.107.139.2
Mar 2 19:05:13 mr-texs-mac-pro sshd[539]: Invalid user ben from 218.107.139.2
Mar 2 19:05:15 mr-texs-mac-pro sshd[542]: Invalid user beny from 218.107.139.2
Mar 2 19:05:17 mr-texs-mac-pro sshd[544]: Invalid user beny from 218.107.139.2
Mar 2 19:05:18 mr-texs-mac-pro sshd[547]: Invalid user beny from 218.107.139.2
Mar 2 19:05:20 mr-texs-mac-pro sshd[549]: Invalid user bert from 218.107.139.2
Mar 2 19:05:22 mr-texs-mac-pro sshd[551]: Invalid user bert from 218.107.139.2
Mar 2 19:05:24 mr-texs-mac-pro sshd[553]: Invalid user bert from 218.107.139.2
Mar 2 19:05:26 mr-texs-mac-pro sshd[555]: Invalid user bill from 218.107.139.2
Mar 2 19:05:28 mr-texs-mac-pro sshd[557]: Invalid user bill from 218.107.139.2
Mar 2 19:05:29 mr-texs-mac-pro sshd[559]: Invalid user bill from 218.107.139.2
Mar 2 19:05:31 mr-texs-mac-pro sshd[561]: Invalid user bind from 218.107.139.2
Mar 2 19:05:33 mr-texs-mac-pro sshd[563]: Invalid user bind from 218.107.139.2
Mar 2 19:05:35 mr-texs-mac-pro sshd[565]: Invalid user bind from 218.107.139.2
Mar 2 19:05:37 mr-texs-mac-pro sshd[567]: Invalid user bob from 218.107.139.2
Mar 2 19:05:39 mr-texs-mac-pro sshd[569]: Invalid user bob from 218.107.139.2
Mar 2 19:05:40 mr-texs-mac-pro sshd[571]: Invalid user bob from 218.107.139.2
Mar 2 19:05:42 mr-texs-mac-pro sshd[573]: Invalid user bobby from 218.107.139.2
Mar 2 19:05:44 mr-texs-mac-pro sshd[581]: Invalid user bobby from 218.107.139.2
Mar 2 19:05:46 mr-texs-mac-pro sshd[583]: Invalid user bobby from 218.107.139.2
Mar 2 19:05:48 mr-texs-mac-pro sshd[585]: Invalid user bret from 218.107.139.2
Mar 2 19:05:50 mr-texs-mac-pro sshd[587]: Invalid user bret from 218.107.139.2
Mar 2 19:05:52 mr-texs-mac-pro sshd[589]: Invalid user bret from 218.107.139.2
Mar 2 19:05:53 mr-texs-mac-pro sshd[591]: Invalid user brian from 218.107.139.2
Mar 2 19:05:55 mr-texs-mac-pro sshd[594]: Invalid user brian from 218.107.139.2
Mar 2 19:05:57 mr-texs-mac-pro sshd[596]: Invalid user brian from 218.107.139.2
Mar 2 19:05:59 mr-texs-mac-pro sshd[598]: Invalid user bruce from 218.107.139.2
Mar 2 19:06:01 mr-texs-mac-pro sshd[600]: Invalid user bruce from 218.107.139.2
Mar 2 19:06:03 mr-texs-mac-pro sshd[602]: Invalid user bruce from 218.107.139.2
Mar 2 19:06:04 mr-texs-mac-pro sshd[604]: Invalid user carl from 218.107.139.2
Mar 2 19:06:06 mr-texs-mac-pro sshd[606]: Invalid user carl from 218.107.139.2
Mar 2 19:06:08 mr-texs-mac-pro sshd[608]: Invalid user carl from 218.107.139.2
Mar 2 19:06:10 mr-texs-mac-pro sshd[610]: Invalid user cesar from 218.107.139.2
Mar 2 19:06:12 mr-texs-mac-pro sshd[613]: Invalid user cesar from 218.107.139.2
Mar 2 19:06:13 mr-texs-mac-pro sshd[615]: Invalid user cesar from 218.107.139.2
Mar 2 19:06:15 mr-texs-mac-pro sshd[617]: Invalid user clark from 218.107.139.2
Mar 2 19:06:17 mr-texs-mac-pro sshd[620]: Invalid user clark from 218.107.139.2
Mar 2 19:06:19 mr-texs-mac-pro sshd[622]: Invalid user clark from 218.107.139.2
Mar 2 19:06:21 mr-texs-mac-pro sshd[624]: Invalid user clinton from 218.107.139.2
Mar 2 19:06:22 mr-texs-mac-pro sshd[626]: Invalid user clinton from 218.107.139.2
Mar 2 19:06:24 mr-texs-mac-pro sshd[628]: Invalid user clinton from 218.107.139.2
Mar 2 19:06:26 mr-texs-mac-pro sshd[630]: Invalid user corinna from 218.107.139.2
Mar 2 19:06:29 mr-texs-mac-pro sshd[632]: Invalid user corinna from 218.107.139.2
Mar 2 19:06:31 mr-texs-mac-pro sshd[634]: Invalid user corinna from 218.107.139.2
Mar 2 19:06:32 mr-texs-mac-pro sshd[636]: Invalid user craig from 218.107.139.2
Mar 2 19:06:34 mr-texs-mac-pro sshd[642]: Invalid user craig from 218.107.139.2
Mar 2 19:06:36 mr-texs-mac-pro sshd[644]: Invalid user craig from 218.107.139.2
Mar 2 19:06:38 mr-texs-mac-pro sshd[647]: Invalid user daniel from 218.107.139.2
Mar 2 19:06:40 mr-texs-mac-pro sshd[661]: Invalid user daniel from 218.107.139.2
Mar 2 19:06:42 mr-texs-mac-pro sshd[664]: Invalid user daniel from 218.107.139.2

I haven’t looked into who these people are, or whether it is just a bot, but it is interesting to see this happen. If you run a Mac, I recommend Little Snitch; it’s $30 and well worth it. If you are less geeky than me, you may find it a little irritating initially, but once you have it set up it will be unobtrusive, and it will really help you to know what’s going on with your computer. Thinking about it, I wonder how often this happened on my Linux box, which preceded the Mac, and I just didn’t realize it. I am curious whether the Linux box had been blocking SSH attempts after a set number when this sort of thing happened, or whether it never happened. Which makes me also wonder why the Mac didn’t at least ignore SSH attempts from that IP after 5 separate failed attempts. With the only real configuration being on/off and a user access list for SSH, I would like to think that Apple would do some more intelligent intrusion prevention under the hood, but maybe that’s just wishful thinking. Maybe the "simpler is easier" school of thought transcends the interface and persists in the underlying code as well.
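
The "ignore the IP after 5 failed attempts" logic the post wishes sshd had can be prototyped over the secure.log lines above. The following is an added example (not code from the original post or from Little Snitch/Apple): it parses the syslog-style sshd failure lines shown above, keeps a per-source sliding window, and flags any source IP that produces 5 or more failures within 60 seconds, along with the usernames it tried. The year (2010), the threshold and window, and the lines from 192.0.2.x are assumptions or constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style sshd line as written to /var/log/secure.log on Mac OS X 10.6.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Two OpenSSH authentication-failure messages: an account that does not exist,
# and a wrong password for a known (or previously rejected) account.
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
FAILED_PW_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

ASSUMED_YEAR = 2010  # syslog lines carry no year; assumed here for parsing

# Constructed sample: the first seven lines are copied from the log in the post;
# the last two (192.0.2.x, a documentation address range) are made up to show
# that a single failure and a successful key login are not flagged.
SAMPLE_LOG = [
    "Mar 2 19:01:57 mr-texs-mac-pro sshd[327]: Invalid user admin from 218.107.139.2",
    "Mar 2 19:01:59 mr-texs-mac-pro sshd[329]: Invalid user admin from 218.107.139.2",
    "Mar 2 19:02:01 mr-texs-mac-pro sshd[331]: Invalid user admin from 218.107.139.2",
    "Mar 2 19:02:03 mr-texs-mac-pro sshd[333]: Invalid user administrator from 218.107.139.2",
    "Mar 2 19:02:05 mr-texs-mac-pro sshd[335]: Invalid user administrator from 218.107.139.2",
    "Mar 2 19:02:07 mr-texs-mac-pro sshd[337]: Invalid user administrator from 218.107.139.2",
    "Mar 2 19:02:09 mr-texs-mac-pro sshd[339]: Invalid user tads from 218.107.139.2",
    "Mar 2 19:10:00 mr-texs-mac-pro sshd[700]: Failed password for invalid user fred from 192.0.2.10 port 51234 ssh2",
    "Mar 2 19:11:00 mr-texs-mac-pro sshd[702]: Accepted publickey for localuser from 192.0.2.20 port 51240 ssh2",
]


def parse_failure(line, year=ASSUMED_YEAR):
    """Return (timestamp, user, source_ip) for an sshd auth-failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = INVALID_USER_RE.match(m.group("msg")) or FAILED_PW_RE.match(m.group("msg"))
    if not f:
        return None  # not a failure (e.g. "Accepted publickey ...") or unrelated message
    stamp = "%d %s %s %s" % (year, m.group("mon"), m.group("day"), m.group("time"))
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), f.group("user"), f.group("ip")


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failures inside any `window_seconds` span.

    Returns {ip: {"first_seen", "tripped_at", "failures", "users"}} for flagged sources.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    total = defaultdict(int)      # ip -> all failures seen, not just those in the window
    flagged = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        total[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"first_seen": q[0], "tripped_at": ts}
    for ip in flagged:
        flagged[ip]["failures"] = total[ip]
        flagged[ip]["users"] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print("%s: %d failures, tripped at %s, users tried: %s"
              % (ip, info["failures"], info["tripped_at"].strftime("%H:%M:%S"), ", ".join(info["users"])))
```

Against the sample, 218.107.139.2 trips the threshold on its fifth line (19:02:05), while the single failure from 192.0.2.10 and the accepted key login are left alone.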

Either way, SSH is off for now, and will remain that way until I can find a better way of managing it. One of the things that I really liked about my old Linux box was that I had SSH on but VNC disabled; even though I always ran VNC through an SSH tunnel, I would run a script on connecting that enabled the VNC daemon, and then my connection would work, and before killing the tunnel I would run the script again, which would kill the daemon. I wonder if I could set some sort of logic in motion where something like that could be done with SSH. Like I text message my toaster, and have it send an X11 packet through the electrical system to alert my computer to enable the SSH service. Obviously this is just theory; my toaster isn’t on a 3G network right now, because I really have no need for an extra bill for it, but maybe if that is a more secure way of doing things…

Back to my Chinese friend, I found this online (http://www.tatsukichi.gr.jp/):

The Criminal 218.107.139.2 in the Criminal Beijing Province China Unicom network (min Co. Ltd., Beijing, China联合Course Center Hack communication) in the Criminal China Unicom (联通China) (CN) (2010.2.10)
Malicious and huge ssh brute force attack (6 login attempts) focusing on the root password only.
This is the 8th attack by the Criminal 218.107.139.2 since Feb 8 2010, Feb 7 2010 (twice), Feb 3 2010, Dec 25 2009, 11 Dec 2009 and Dec 7 2009.
Add 218.104.0.0/14 and 218.108.0.0/15 to the permanent block list.

My Japanese is sort of rusty, so the translation of that page doesn’t make much sense to me, but it appears to be a SORBS (Spam and Open Relay Blocking System) list. It looks like in the last 3 months there have been multiple attacks originating from that IP address, and apparently the Chinese telecommunications company has no desire to do anything about it, so they recommend permanently blocking all traffic coming from that ISP. I think the scorched-earth policy is pretty rough, but in all honesty, I don’t really see a reason not to.

While it has fallen off the list, it was at http://sysdeny.net/bf.txt on Feb 15, 2010 08:31:38 GMT according to Google’s Cache.

http://www.sidata.com.tr/cmn/pubservices/offensive_details.html?id=574625 is another page that details how they are brute-forcing SSH servers.

That’s enough dealing with it for tonight, but tomorrow is another day.

Working hard on a Saturday

Just some more RRDtool images, because I was curious how my work session today was going.

Memory is important

I have been working a lot recently, and one of the most frequent frustrations with work is waiting on my computer. I think I have found a way to illustrate that my issues are with memory allocation on 32-bit systems, though, and I am looking forward to moving my workstation to Windows 7. The reason is that I will be able to move to the 64-bit version, and hopefully will be able to upgrade my RAM to 8Gb. I have 8Gb at home, and it makes a couple of the projects I am working on fly so much faster. But now on to the graphs. I use Cacti at work to monitor a few machines and our router, so that I can have a record of statistics. As I was setting up the system, I found a way to set it up on my Windows XP system too, so I also track things like CPU utilization and memory usage.
First, here is a pretty normal day, some web development, some IT management, maybe SSH for some database stuff or RDP for Server stuff. Nothing too taxing on my quad core machine.

And now the 14th, mostly the same stuff, probably with some extra image manipulation, PDF editing and creation, maybe some audio or video work as well. I love the CS4 master suite, though, I also hate some of the things it does.

And here is today, when I was editing video, animating, and editing audio all day. I kept having to wait, because I was paging too much data, and couldn’t keep the processor supplied with the appropriate data from RAM.

If I had a Cacti server at home I would post relevant comparisons, but this machine runs Ubuntu, and only boots into Windows when I have to do something in it; more often than not, it’s in Linux. Though I keep trying to get to the point of trying some other distros. I have been quite happy with Fedora 12 on my netbook, and I have a Gentoo install on this box, but it’s the barest of installs, really nothing more than a stage 3 tarball unpacked. But there is a planned computer upgrade coming: probably a new motherboard, move the quad-core to that with its 8Gb of RAM, get some new 1.5Tb drives for it, then put the old dual core and its 4Gb of RAM back in this one, turn this machine into a file server, and put the more powerful machine into a more energy-efficient power scheme. If I do that, I could see spending some more time tinkering with a source-based distribution. But until that happens, I will not make any changes that keep me from having access to my computer for too long.

Wet shaving

For the month of November, I kept a pretty awesome mustache all month. For the month of December, I gave up shaving. For Christmas, I was given a wet shaving kit, which I had been looking at but was just too cheap to buy. So, today, I shaved off my beard. First, that might have been a dumb way to try to learn the art of wet shaving. But it worked out. I just trimmed it down to my normal Van Dyke, which may not be as straight as it should be, but that’s ok. My face feels great, and the shave is close. I did two passes, mostly because I didn’t want to mess up my sideburns or the region I had designated to remain. I think I might get a little braver and try for a third pass later this week, to see if I can get it any smoother. Using the brush was awesome; I can’t believe that I didn’t get one and use it sooner. I think that if I keep this up for a few months, I might make the jump all the way to the straight razor. I keep thinking about it, possibly because it’s manly. I don’t know, and I don’t want to know if it’s not the truth, but I assume that Sam Elliott uses a straight razor. Long, sharp, and with some sort of bone handle. But that’s a digression. And I have a project to finish, so maybe I will post some pics later.
