REJECT: Comment attempt by 210.113.83.6 rejected. Reason: Invalid secret token: 'pleaseDontSpam'
REJECT: Comment attempt by 210.120.79.179 rejected. Reason: Invalid secret token: 'pleaseDontSpam'
REJECT: Comment attempt by 200.156.25.4 rejected. Reason: Invalid secret token: 'pleaseDontSpam'
REJECT: Comment attempt by 220.125.164.243 rejected. Reason: Invalid secret token: 'pleaseDontSpam'
REJECT: Comment attempt by 69.57.136.39 rejected. Reason: Invalid secret token: 'pleaseDontSpam'
...
The list goes on. Well over 50 invalid tokens were found. The 'pleaseDontSpam'
was the original secret token I used. Just goes to show that, for the moment,
most spam bots don't review the page before submitting.
Admittedly, 2 spams got through; I have not investigated why yet.
Comments: 1 (view comments)
Tags: pyblosxom, python, spam, antispam, blog
Permalink: /python/pyblosxom_antispam_followup
posted at: 23:12
Ever since I added comments to this site, I've started getting comment spam. To
combat this, I hacked together a comment management system using jquery and
python. It lets me search comments and delete them via web interface.
I'm bored of deleting comments by hand. So, I wrote a little antispam plugin.
This plugin creates a token that expires after a given period of time. This
token is used as a hidden item in the comment form. If this token is expired
when the form is submitted, the comment is rejected.
Spam seems to come entirely from solo-connection POST requests. This means that
the bots don't bother viewing the page first. In theory, the bots will be using
a cached idea of the form, which will be expired. We'll see how well this works.
Right now it just uses a timestamp. If that fails, I'll add other tokens such
as source IP, etc. Perhaps cookies too? This should be simple to filter out,
because the spam bots don't act anything like humans with regards to browsing
behavior.
I have enabled the plugin on this site. I'll post the source when I see it
actually working correctly.
Waiting for spam bots to come by is boring :(
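The expiring hidden-field token described in this post, as an added example (not the plugin's source, which the post does not include). It goes one step beyond a bare timestamp by signing it with an HMAC so a bot cannot mint a fresh-looking value; SECRET_KEY, MAX_AGE and the function names are assumptions.

```python
import hashlib
import hmac
import time

# Assumption: a per-site secret that never appears in the page source.
SECRET_KEY = b"replace-with-a-random-per-site-secret"
MAX_AGE = 3600  # seconds a rendered form stays valid (assumed lifetime)


def make_token(now=None):
    """Return 'timestamp:mac' to embed as the hidden form field."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return ts + ":" + mac


def check_token(token, now=None):
    """Return (accepted, reason) for a token submitted with a comment."""
    now = time.time() if now is None else now
    ts, sep, mac = token.partition(":")
    if not sep or not ts.isdigit():
        # Covers static values replayed from an old copy of the form.
        return False, "Invalid secret token: %r" % token
    expected = hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare; the MAC is verified before the timestamp is trusted.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "Invalid secret token: %r" % token
    age = now - int(ts)
    if age < 0 or age > MAX_AGE:
        return False, "Expired token (age %d s)" % age
    return True, "ok"


def handle_comment(ip, token, now=None):
    """Return a log line in the style of the REJECT entries above."""
    ok, reason = check_token(token, now)
    if ok:
        return "ACCEPT: Comment by %s accepted." % ip
    return "REJECT: Comment attempt by %s rejected. Reason: %s" % (ip, reason)
```

A bot that POSTs a cached copy of the form fails either the MAC check or the age check, while a visitor who loaded the page within MAX_AGE passes.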
Comments: 3 (view comments)
Tags: python, pyblosxom, site, plugins
Permalink: /python/pyblosxom_antispam
posted at: 01:11
In /var/log/auth.log today, I see:
Jul 19 04:37:21 dns sshd[5072]: Invalid user test from 211.154.254.73
Jul 19 04:37:22 dns sshd[5074]: Invalid user guest from 211.154.254.73
Jul 19 04:37:26 dns sshd[5080]: Invalid user user from 211.154.254.73
No authentication failures, just invalid user notifications.
FreeBSD has (for a while?) disabled simple "password" authentication in its base sshd config. What does this mean? If a client connects requesting only "password" authentication, it will be rejected. Period. Example:
dns(~) !255! % ssh -o "PreferredAuthentications password" happytest@dhcp
Permission denied (publickey,keyboard-interactive).
If you check /var/log/auth.log, you'll see:
Jul 19 06:10:32 dns sshd[5403]: Invalid user happytest from 192.168.0.252
However, try the same with a valid user. Nothing is logged (by default). Still,
you are denied outright.
The important point is that I guess pam_captcha is not necessary at this time.
Every ssh client I have used has supported both public-key and
keyboard-interactive authentication, so disabling 'password' everywhere should
be a viable option. FreeBSD disables password auth by default, and no one seems
to be complaining.
If you're worried about brute force attacks over ssh, then just disable
'password' authentication. In sshd_config:
PasswordAuthentication no
This probably requires that you use public-key or keyboard-interactive (PAM) to authenticate. Keeps normal users happy, and blocks brute force bots. That is, until the bot scripts are updated to use keyboard-interactive, perhaps? Who knows...
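To see which sources are cycling through usernames, the "Invalid user" lines from auth.log shown in this post can be grouped by address. This is an added example, not code from the original post; the function names and the min_users threshold are assumptions, and the sample lines are the ones quoted above.

```python
import re
from collections import defaultdict

# Sample lines copied from the auth.log excerpts in this post.
SAMPLE_LOG = """\
Jul 19 04:37:21 dns sshd[5072]: Invalid user test from 211.154.254.73
Jul 19 04:37:22 dns sshd[5074]: Invalid user guest from 211.154.254.73
Jul 19 04:37:26 dns sshd[5080]: Invalid user user from 211.154.254.73
Jul 19 06:10:32 dns sshd[5403]: Invalid user happytest from 192.168.0.252
"""

# The username is chosen by the remote side and may contain spaces or the
# word "from", so match it greedily and anchor the address at end of line.
# Newer sshd versions append " port N"; that suffix is accepted if present.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>\S+)(?: port \d+)?$"
)


def summarize(log_text):
    """Map source IP -> list of (timestamp, username) for invalid-user lines."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER.match(line.strip())
        if m:
            by_ip[m.group("ip")].append((m.group("ts"), m.group("user")))
    return dict(by_ip)


def guessing_sources(log_text, min_users=3):
    """Return IPs that tried at least min_users distinct invalid usernames."""
    return sorted(
        ip for ip, hits in summarize(log_text).items()
        if len({user for _, user in hits}) >= min_users
    )


if __name__ == "__main__":
    for ip in guessing_sources(SAMPLE_LOG):
        print(ip, [user for _, user in summarize(SAMPLE_LOG)[ip]])
```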
Comments: 3 (view comments)
Tags: pam_captcha, security
Permalink: /geekery/pam_captcha_research
posted at: 13:40
I've finally got non-free internet access. Prior to that, I was using
Google's free wifi.
Turns out there's a wireless node quite close to my apartment. To get online, I
used my soekris net4501 w/ wireless card to associate to google's wifi. Google
wifi rocks, it's so nice. Internally, I used dhcp and nat to provide
multiple machines with network access through the soekris box, and thus google
wifi. This worked quite well.
Now that I have Comcast, I can use the wireless card in the soekris as an access point, rather than a client. The setup is as follows:
- wired subnet: 192.168.0.0/24 (gateway on soekris)
- wireless subnet: 192.168.10.0/24 (gateway on soekris)
- vpn subnet: 192.168.1.0/24 (gateway is vpn server)
- vpn/dhcp/dns server running in FreeBSD on vmware on Windows
- dhcprelay on soekris relaying dhcp requests from wifi to wired.
- nat everything through the soekris box, which connects to Comcast
- dhcp with ddns so I don't have to remember IP addresses
So far, everything's working well. My new Dell (2.8gHz/1gig) runs vmware well.
With Candice's help, I was able to get a
poptop server going quite easily. Now I can vpn into my apartment from Windows
and FreeBSD, which is good if I want an easy, secure connection while I'm on
wifi. I'll post a howto about poptop+freebsd later.
The next step is to "secure" wireless. I don't care to block people, because
someone will just get around it. I plan on filtering unauthorized wireless
access, limiting it so only ssh/http/https/icmp/dns and little else.
Bandwidth-limited, of course. My traffic is more important than yours!
After that, I'd like to automate network maintenance. That is, have a single
script that will push changes to wherever is necessary: firewall, dhcp, dns,
vpn, whatever. Then, perhaps some network optimizations such as a transparent
squid proxy, etc.
I'm hoping that I can work on my pam_captcha research soon, too, now that I
have a machine with a real IP online.
Doing this network setup has been quite the refresher on DNS, DHCP, et al. I'd
prefer having this kind of crap documented, so I'll hopefully get around to
writing an article about it.
Comments: 0 (view comments)
Tags: networking, wireless
Permalink: /geekery/home-networking
posted at: 03:38
I've been searching for a decent recursive descent parser for Python. Too bad I haven't found one :(
None are truly standalone, though many claim to be generators. Either generate code or give me a nice parser library, not half-assedly in the middle! Urgh!
ANTLR depends on import antlr and Java. PLY does similar. Others
simply suck. Who wants to lug around piles of libraries and modules? I don't.
PLY may be an option, but it may be some time before I can make a decent
grammar with it. Perhaps in a day or two when I have more time.
Granted, I'm probably just frustrated from many hours of trying parsers without
success. It's not that there aren't any parsers that don't work. It's that
there aren't any parsers that are as easy to use as perl's Parse::RecDescent.
All I want is to parse an extremely simple config file of my own design. I may
not even need recursive descent, seeing as how I only go 1 level deep. Though,
I would prefer a token parser that suited my needs (cfgparser is too limited,
shlex is broken), I haven't been able to find one.
I was able to get a config file parser with older grok using Parse::RecDescent
in only a few hours, and even after 10 minutes I was using it successfully.
Have parsers fallen to the way-side with the advent of XML as a cure-all?
This pisses me off. I should be able to say, "here's the grammar for my data"
and be happy. I really wanted to get the config parser done in py grok tonight.
I'm giving serious consideration to adding multiline and statefulness support
to grok, just so I can parse a damned config file. That is, use grok to read
its own config file so that we can grok whatever data the config file says.
If you're reading, and you have suggestions for python text parsing modules that do not suck, please let me know.
Comments: 1 (view comments)
Tags: python
Permalink: /rants/python-parser-modules
posted at: 02:32
Much to my surprise, python dict objects can be merged. I've needed this a few
times but never knew about it mostly due to 'pydoc dict' not mentioning 'merge'
anywhere.
>>> a = { 1: 2, 3: 4 }
>>> b = { 1: 100, 5: 6 }
>>> b.update(a)
>>> print b
{1: 2, 3: 4, 5: 6}
dict.update() takes any number of arguments, all of which must be dict objects.
This lets you merge several dicts into one. Conflict resolution, it seems, is "last one
in wins."
Comments: 2 (view comments)
Tags: python
Permalink: /geekery/python-dict-merging
posted at: 03:42
I spent a few hours tonight working on new features for grok and kept running
into problems keeping track of data structures in my head. Grok currently makes
heavy use of hash-of-hash-of-hash-of-ha...-type datastructures in perl.
Remembering context is annoying and slows development.
I decided that grok could use some serious refactoring. So much refactoring,
that I could probably get away with rewriting it faster than redesigning
portions of it. Since I need to know Python better, and I am more familiar with
OO in Python than I am in Perl, I figure I should rewrite grok in Python.
Python already has one critical feature that I need in grok, named captures.
The hack for this in perl is unwieldy and potentially unmaintainable if future
perl versions change the format or deprecate it. It is listed in 'perldoc
perlre' as experimental.
At any rate, I made a little prototype that tries to be very OO. My experience
with Good(tm) object oriented programming is still limited. The CS curriculum
at RIT sucked for teaching proper OO, too many professors taught wildly
different styles or were unclear about what Good(tm) OOP should look like.
Therefore, rewriting grok is a good opportunity to explore test-driven
development and maintainable object-orientation. Oh, and synergism too. *shifty eyes*
I've got a bit of code up and running already, and writing "for tests" seems to
be a very cool way to think about programming. If I force myself to write
easily-testable code, then writing tests is easy. Furthermore, initial
experience seems to show that adding new features is much easier when all of
the code is compartmentalized.
If nothing else, I wrote a somewhat cool debug method that accesses the call
stack for function, class, module, etc. Check out the 'debuglib.py' file. The output looks something like this:
grok/groklib.py:52] RegexGenerator.saveRegex: happy message here
The file, line number, class and function name are all discovered magically in
debug(). I like this.
If you get bored, you can look at the original stuff here:
scripts/grok-py-test
Comments: 0 (view comments)
Tags: grok, python
Permalink: /geekery/grok-python-rewrite
posted at: 03:43
Using at(8), I can schedule jobs to occur, say, when I need to wake up.
nightfall(~) % atq
Date Owner Queue Job#
Thu Jul 13 07:30:00 PDT 2006 jls c 14
Thu Jul 13 08:00:00 PDT 2006 jls c 15
Thu Jul 13 08:20:00 PDT 2006 jls c 16
All of those jobs run my 'wakeup.sh' script which is somewhat primitive, but it
does the job.
Using this script:
scripts/wakeup.sh
Comments: 1 (view comments)
Tags: hacks, life hacks, unix, tools
Permalink: /productivity/wakeup-script
posted at: 01:44
I found some time tonight to convert one of my slideshows to S5. It's not fully
done, but I have a working slideshow. It took about 5 lines of xslt different
from the presenter.xsl stylesheet to turn my slideshow stuff into S5. I still
need to learn about S5, but it seems to have many of the features I want - have
I mentioned this before? ;)
It's *much* slower than xmlpresenter when switching slides. I can move at many
slides-per-second with xmlpresenter and it takes 1-2 seconds to switch slides
with S5. However, I'm not sure 'slides-per-second' is even a meaningful metric
worth considering. Who does multiple slides in a second anyway? Still, I'm
concerned for the overall speed of the software if switching slides takes a
while.
my vim presentation in s5:
presentations/s5/vim.html
Comments: 9 (view comments)
Tags: s5, microformats, presentations, vim
Permalink: /geekery/s5-presentations
posted at: 02:26