Jordan Sissel
geek. sysadmin. blogger.

Sat, 22 Dec 2007

Tracking and Analyzing SSH Bots.

I've posted previously about what can be done about ssh bots. In the same context, I've just finished working on a new idea: tracking the usernames and passwords used by the bots.

To track the login attempts, I wrote a new pam module: pam_logfailure. Its goal is to log the passwords used by bots attempting to brute-force logins. However, when I installed the module, I found that it wasn't working properly:

Dec 20 12:24:50 kenya2 pam_logfailure: host:125.243.206.194 user:john pass:^H ^M^?INCORRECT
I saw line after line of these and couldn't figure out why the bots were using this as a password. It turns out they aren't: this password is what OpenSSH forces upon pam for users that do not exist. This is apparently by design:
auth-pam.c: static char badpw[] = "\b\n\r\177INCORRECT";
If you are an invalid user, or are trying to log in as root while root login is disabled, the password you sent is replaced with 'badpw' above. This makes it rather hard to track what passwords bots are using...

Thankfully, I was already one step ahead of myself: back in September I wrote a function injection tool (liboverride). So all I had to do was inject my own 'getpwnam' function that spoofs data when a user does not exist, tricking OpenSSH into passing the real password through.

After injecting my own getpwnam(), pam_logfailure started working just fine:

Dec 22 11:17:47 kenya2 pam_logfailure: host:218.1.65.233 user:admin pass:admins
So where will I go next with these ssh-bot games?
  • Reverse-hack. I picked 3 random ssh bot hosts from my logs, and all of them run sshd. It would be pretty trivial to take the password attempts used against my machine and try them on the host the bot is coming from. Seems likely that turning the bot's actions on itself will grant me access to the infected machine.
  • Redirect to a honeypot. We could detect when a bot is trying to login, and add a firewall rule that would put future ssh attempts from these hosts into a honeypot which accepts all logins to see what happens.
  • Fingerprint ssh bots by behavior.

Using getpwnam.over is like using any other liboverride code: run 'make getpwnam.so', then start the program with LD_PRELOAD=/path/to/getpwnam.so. In this case, I added this line to /usr/local/etc/rc.d/openssh (my sshd start script):

export LD_PRELOAD=/path/to/getpwnam.so

Here is the code:
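The post's getpwnam.over itself is not reproduced on this page. As an added example, not the author's code, here is a hand-written LD_PRELOAD shim that does the same job; the decoy uid, home directory, nologin shell path and the glibc value of RTLD_NEXT are assumptions:

```c
/* Added example, not the post's getpwnam.over: an LD_PRELOAD shim that answers
 * getpwnam() for unknown users with a synthetic, unusable account, so sshd marks
 * the user valid and hands PAM the password actually sent instead of badpw.
 * Build: cc -shared -fPIC -o getpwnam.so getpwnam_spoof.c -ldl */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* for RTLD_NEXT in <dlfcn.h> */
#endif
#include <dlfcn.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *)-1L)     /* glibc's value, only if the header did not define it */
#endif
#define SPOOF_NAME_MAX 64
#define SPOOF_UID   ((uid_t)65000)  /* assumption: an unused uid on this host; must not be 0 */
#define SPOOF_SHELL "/sbin/nologin" /* assumption: exists and is executable (sshd checks) */
static struct passwd spoof;         /* static storage, like libc's own getpwnam() result */
static char spoof_name[SPOOF_NAME_MAX];
/* Build the decoy entry for name; NULL (still "invalid user") for empty or huge names. */
struct passwd *spoof_passwd(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n >= SPOOF_NAME_MAX)
        return NULL;
    memcpy(spoof_name, name, n + 1);
    memset(&spoof, 0, sizeof spoof);
    spoof.pw_name   = spoof_name;
    spoof.pw_passwd = "*";          /* no usable hash: PAM still rejects every password */
    spoof.pw_uid    = SPOOF_UID;
    spoof.pw_gid    = SPOOF_UID;
    spoof.pw_gecos  = "decoy for pam_logfailure";
    spoof.pw_dir    = "/nonexistent";
    spoof.pw_shell  = SPOOF_SHELL;
    return &spoof;
}
/* Interposed getpwnam(): libc answers first, so real accounts are never touched. */
struct passwd *getpwnam(const char *name)
{
    static struct passwd *(*real_getpwnam)(const char *);
    struct passwd *pw = NULL;
    if (real_getpwnam == NULL)
        real_getpwnam = (struct passwd *(*)(const char *))dlsym(RTLD_NEXT, "getpwnam");
    if (real_getpwnam != NULL)
        pw = real_getpwnam(name);
    return pw != NULL ? pw : spoof_passwd(name);
}
```

The decoy has no password hash and a nologin shell, so PAM keeps rejecting every attempt while pam_logfailure now sees the password that was really sent. It cannot help for root: sshd substitutes badpw for root whenever root login is disabled, regardless of what getpwnam returns.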

Permalink: /geekery/tracking-ssh-bots
posted at: 16:37

Sun, 26 Aug 2007

Ruby/Oniguruma hacking

Last night, I mentioned that I wanted (?{ code }) in ruby and python.

I got bored tonight and decided to see how hard this would be to implement in ruby. It turns out it's not as bad as I thought, though I'm not finished yet.

This ruby script shows a demo of what I have so far; the output is in comments in the script. There are a few strange bugs left, but I've nearly got it working properly. Something about my code, or the way oniguruma handles backtracking and failures, keeps it from working correctly on strings with multiple potential matches.

Permalink: /geekery/ruby-regexp-hacking
posted at: 04:32

Fri, 03 Aug 2007

Overriding shared library functions

Long story short...

File: 'connect.over' contains

#include <netinet/in.h>

override(`connect', `
  {
    // code to inject before the connect() call is actually made
  }
')
The output is 'connect.so', which overrides libc's connect function.
% LD_PRELOAD=./connect.so nc google.com 80
stream connect: fd=3 host=64.233.187.99:80
% LD_PRELOAD=./connect.so nc -u 129.21.60.9 53 
dgram connect: fd=3 host=129.21.60.9:53
% LD_PRELOAD=./connect.so ssh scorn           
stream connect: fd=3 host=129.21.60.26:22
stream connect: fd=4 host=109.112.47.115:12148
scorn(~) %
The extra "connect:" lines in the nc output were printed by my injected function above.

The strange ssh connection on fd=4 above seems to be due to ssh calling connect() on a tty? fstat says:

jls      ssh         3221    4 /dev        122 crw--w----   ttypd rw
Inode 122 on /dev is /dev/ttypd.
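As an added example (not code generated by liboverride, nor taken from the post), the same connect() interposer written by hand in C; it assumes the glibc value of RTLD_NEXT and logs to stderr, using SO_TYPE to tell stream from dgram sockets as the post's output does:

```c
/* Added example, not liboverride's generated code: a hand-written LD_PRELOAD shim
 * that logs every connect() the way the post's connect.so output shows, then calls
 * the real one.  Build: cc -shared -fPIC -o connect.so connect_log.c -ldl */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* for RTLD_NEXT in <dlfcn.h> */
#endif
#include <arpa/inet.h>
#include <dlfcn.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *)-1L)  /* glibc's value, only if the header did not define it */
#endif
/* Format one call as "<stream|dgram|other> connect: fd=N host=ADDR:PORT" into buf. */
char *describe_connect(char *buf, size_t len, int fd, int socktype,
                       const struct sockaddr *sa)
{
    const char *kind = socktype == SOCK_STREAM ? "stream"
                     : socktype == SOCK_DGRAM  ? "dgram" : "other";
    char host[INET6_ADDRSTRLEN] = "?";
    unsigned port = 0;
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
        inet_ntop(AF_INET, &in->sin_addr, host, sizeof host);
        port = ntohs(in->sin_port);
    } else if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        inet_ntop(AF_INET6, &in6->sin6_addr, host, sizeof host);
        port = ntohs(in6->sin6_port);
    }
    snprintf(buf, len, "%s connect: fd=%d host=%s:%u", kind, fd, host, port);
    return buf;
}
/* Interposed connect(): SO_TYPE tells stream from dgram; then forward to libc. */
int connect(int fd, const struct sockaddr *sa, socklen_t salen)
{
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);
    int type = -1;               /* stays -1, logged as "other", if fd is not a socket */
    socklen_t tlen = sizeof type;
    char line[128];
    if (real_connect == NULL)
        real_connect = (int (*)(int, const struct sockaddr *, socklen_t))
                       dlsym(RTLD_NEXT, "connect");
    getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &tlen);
    fprintf(stderr, "%s\n", describe_connect(line, sizeof line, fd, type, sa));
    return real_connect ? real_connect(fd, sa, salen) : -1;
}
```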

Permalink: /geekery/overriding-shared-library-functions
posted at: 22:16

Mon, 16 Jul 2007

xscreensaver hack: show your screen while locked

There are some rare cases when you need to have your screen locked, but still have the current display visible without a screensaver or blanker.

Here's a hack to do it with xscreensaver and xdotool:

#!/bin/sh
while true; do
  xdotool search --onlyvisible --name xscreensaver \
  | xargs -r -n1 sh -c 'xdotool windowsize $1 1 1' -
  sleep 3
done
Run this and lock the screen. Every 3 seconds the script tries to shrink the xscreensaver window to 1x1 pixels, revealing your desktop below it. Useful if you need it.

Permalink: /geekery/xscreensaver-visible-screen-hack-with-xdotool
posted at: 21:40

Mon, 18 Jun 2007

xdo - do (keyboard or mouse) things in X

Yesterday I talked about macros. I spent some time coding today and now have a tool that lets you feed raw keyboard and mouse input into X using the XTEST extension.

The primary example I used was focusing firefox's URL bar without the mouse. The sequence was this: Switch to Desktop 2 (I press Alt+2), focus firefox's URL bar (using control+l) and clear it.

The result is a simple tool I'm tentatively calling 'xdo'. You can download the source here. Compile instructions are at the top of the file.

The top of xdo.c details the implemented commands, so let's cut to an example:

% echo 'key alt+2; sleep 1; key ctrl+l; key BackSpace' | ./xdo
It does exactly what you think. The 'sleep' command takes a value in milliseconds and is only needed to slow things down so that events have time to propagate (window focus changes, etc.).

Another reasonable example would be to say "firefox, open a new tab and load the URL in my clipboard":

# My clipboard contains a valid url, say, "http://www.google.com/"
(echo "key alt+2; sleep 1; key ctrl+l; key BackSpace;"
 echo "move 55 55; sleep 1; click 2; key Return") | ./xdo
It seems complex, but look at what's really happening: go to desktop 2, focus the urlbar, hit backspace (clearing it), move the mouse cursor to 55,55 (a point inside the urlbar for me), and hit the middle mouse button to paste.

Change "ctrl+l" to ctrl+k (unix firefox) to focus the "Search" box instead, change the 'move' command to put the cursor over the search box, and suddenly you can bind a simple keystroke to search for whatever is in your X clipboard. Useful.

One of the neater features is that you can 'type' text:

% echo 'type echo hello there; key Return' | ./xdo
echo hello there
% echo hello there
hello there

Permalink: /geekery/xdo
posted at: 02:18

Wed, 18 Apr 2007

How to annoy your coworkers a little less

I'm almost guaranteed to be wearing headphones while at work. I like music. However, when I leave my desk, I rarely pause mplayer, which leaves my headphones leaking barely audible noise that may annoy coworkers.

I always lock my workstation when I'm not at my desk. How do I automate a solution here?

xscreensaver lets you watch the state of the screensaver. Let's use that to pause mplayer when I leave and unpause it when I return.

xscreensaver-command -watch \
  | while read a; do
    echo "$a" | grep '^LOCK' && pkill -STOP mplayer
    echo "$a" | grep '^UNBLANK' && pkill -CONT mplayer
  done
Running the above, mplayer gets suspended when I lock my workstation, and resumed when I unlock it.

Permalink: /geekery/xscreensaver-hack-to-not-annoy-coworkers
posted at: 15:17

Tue, 03 Apr 2007

Grok gets more ridiculous

In my last post, I discussed a way to perform additional assertions on a given captured group while still inside of the regex state machine.

I spent some time today and implemented it in grok and it works like a charm! This kind of functionality gives you extreme power in the kind of matches you can specify.

Here's an example: How can we find the first number on a line that's greater than 20?

% jot 50 | xargs -n15
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
31 32 33 34 35 36 37 38 39 40 41 42 43 44 45
46 47 48 49 50
Using the above as our sample input:
% jot 50 | xargs -n15 | perl grok -m "%NUMBER>20%" -r "%NUMBER%"
21
31
46
The assertion '>20' is applied during the regular expression match. This is sweet!

Another example would be to 'grep' the output of 'ls -l' for any lines containing a number greater than 5000:

% ls -l | perl grok -m "%INT>5000%"
-rw-r--r--  1 jls  jls   21590 Apr  2 20:17 foo
-rw-r--r--  1 jls  jls   22451 Apr  2 23:52 grok
-rw-r--r--  1 jls  jls  129536 Apr  2 23:47 grok-20070402.tar.gz
-rw-r--r--  1 jls  jls   13539 Mar 22 14:22 grok.1

The equivalent awk statement would look like this:

% ls -l | awk '$5 > 5000'
But with the awk statement you have to count columns. With grok's solution, all you need to know is that you want any line with an integer greater than 5000: you specify the specifics of your match without having to know the precise layout of the data you are matching.

What do you get if you can chain predicates? I haven't added that functionality yet, but it would be trivial to add, so expect it soon.

If you're interested, please try the latest version.

Permalink: /geekery/grok-gets-more-ridiculous
posted at: 01:05

Wed, 28 Mar 2007

Shortcuts in your shell

I often run across commands I want to run more than once but that don't necessarily merit an alias in my zshrc file. For these commands, I abuse environment variables and use them as prefixes.

For instance, I have one command that runs mplayer in a loop, in case the connection drops:

while true; do mplayer -cache 48 -prefer-ipv4 http://foo.com/streamthing; done
Normally, I might use !while to re-invoke this command. However, I have lots of one-liners in my shell history that start with while, so let's hack around it:
MPLAYER= while true; do mplayer -cache 48 -prefer-ipv4 http://foo.com/streamthing; done
This sets the environment variable 'MPLAYER' to an empty string and passes it to the while subshell (and thus to mplayer), but since mplayer doesn't read MPLAYER from its environment, nothing breaks.

Now, any time I want to rerun this specific command, I can just type !MPLAYER and we're all set. This is *extremely* useful and lets you define alias-like procedures in real time, assuming you have a persistent shell history. If you don't have a persistent shell history, set it up; it's useful for more than the above hack.

Permalink: /geekery/shell-shortcut-hacks
posted at: 14:14

Thu, 21 Dec 2006

Kyocera KPC650 working in FreeBSD 6.1

I finally got my Verizon EVDO card working in FreeBSD. The following steps are necessary:
  1. Add a new vendor line to sys/dev/usb/usbdevs
  2. Add a new product line to sys/dev/usb/usbdevs
  3. Download http://www.cs.cmu.edu/~dga/dot/fbsd_pc5220/ugencom.c
  4. Update sys/conf/files with a new entry

usbdevs changes

In /usr/src/sys/dev/usb/usbdevs, add the following:
vendor QUALCOMM3        0x0c88  Qualcomm
product QUALCOMM3 CDMA_MSM      0x17da  CDMA Technologies MSM phone

Download ugencom.c

http://www.cs.cmu.edu/~dga/dot/fbsd_pc5220/ugencom.c

Download this to /usr/src/sys/dev/usb/ugencom.c. Now you need to make a slight change to this file. Change the following line:

        { USB_VENDOR_AIRPRIME, USB_PRODUCT_AIRPRIME_PC5220, -1 },
To this:
        { USB_VENDOR_QUALCOMM3, USB_PRODUCT_QUALCOMM3_CDMA_MSM, -1 },

Update sys/conf/files

In /usr/src/sys/conf/files, add the following just after the line containing 'uplcom.c':
dev/usb/ugencom.c               optional ugencom ucom

Build your kernel

Add the following to your kernel:
device ucom
device ugencom
Rebuild your kernel. The device should show up as a usb serial device: /dev/cuaU0

ppp.conf

This is mostly stolen from another fellow, but I modified the authname and added the comment about it.
# Start by running ppp -ddial evdo  
evdo:
 set device /dev/cuaU0
 set speed 230400
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
           \"\" AT OK-AT-OK ATE1Q0s7=60 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set phone "#777"
 # The authname and authkey are meaningless, but you need to have them set.
 # Verizon's servers don't seem to care what you auth as.
 set authname "doesn't matter"
 set authkey "doesn't matter either"
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR                    # Add a (sticky) default route
 enable dns

Permalink: /geekery/Kyocera-KPC650-EVDO-in-FreeBSD
posted at: 18:01

Fri, 22 Sep 2006

New apartment = new projects.

Now that I'm nearly settled in my new apartment, I need to start working on some new, cool projects to make it better.

pimp, version 5
Pimp v4 was my excuse to learn python. It's great, but needs serious work. Now that I know python better, I think it's time to revisit this project with a complete rewrite. Reinventing the wheel isn't always good, but it's a fun exercise and certainly a useful project.
web-based home automation
Home automation kits are extremely expensive. I'm hoping to leverage LIRC, my X10 equipment, and the web to create a one-shot portal for controlling most of the devices in my apartment. The end goal is to be able to click a button and have the TV switch to "input 3" and tell my receiver to switch to "dvd". Perhaps some sexy light dimming or something as well, with my x10 stuff. Mostly with one or two button clicks.
If you've got lirc experience, let me know. I'm looking to build both a receiver and a transmitter: the receiver for recording IR signals from my other remotes, and the transmitter, obviously, for replaying them.

Other hacks will probably include low-tech ones to hide wire mess, etc.

Permalink: /geekery/apartment-projects
posted at: 21:13
