Updating the anti-SIP attack script

The anti-SIP attack script has been doing a great job, but I did note a few shortcomings I wanted to fix.  For one thing, I was noticing a few “clusters” of networks that justified (to me) blocking larger networks.  No one outside the US has any reason to connect to my server, for example.  I can block entire /8 networks…  but doing so manually was cluttering up the iptables rule sets.

I modified the script to store a little more information in the text file, so I can go through it manually from time to time and make changes.  It’s easy to run the file through sort -n and see if it’s time to block a /16 or /8 network.

#!/bin/bash
# Pull the source addresses Asterisk logged for unknown SIP peers and reduce
# each one to its first three octets, i.e. the /24 it lives in.
/bin/grep "No matching peer found" /var/log/asterisk/messages | cut -d "'" -f 4 | \
   cut -d "." -f 1-3 | sort -n | /usr/bin/uniq > /root/anti-sip-attack.tmp
while read -r d; do
  # Match the whole source column of the rule listing (-F takes the dots
  # literally), so 1.2.3 does not shadow 11.2.3 and "." is not a wildcard.
  if ! /sbin/iptables -L INPUT -n | grep -qF -- " $d.0/24 "; then
    /sbin/iptables -I INPUT -s "$d.0/24" -j DROP
    echo "$d.0/24" >> /root/anti-sip-attack.txt
  fi
done < /root/anti-sip-attack.tmp
rm /root/anti-sip-attack.tmp

Exploring Mars

Last night I took Lauren (my grand-daughter) to the National Geographic Exploring Mars presentation at the Holand Center.  Kobie Boykins was the speaker; Kobie is originally from Omaha and manages the engineering team that designed and built all of the moving parts of the Mars roving science lab Curiosity.  Pretty awesome evening!  Lauren and I both enjoyed it.  Many thanks to Lisa Van Stratten for providing the tickets.  After the presentation Lauren got to meet Kobie and had her picture taken holding one of the wheels used for testing a couple of the earlier Mars rovers.


Squelching SIP attacks

Since I run an Asterisk server, it seems every third-world slime crawler wants to see if they can get free phone calls.  So far none have succeeded, but if you let a million monkeys keep pounding on keyboards, eventually they’ll guess something right.

Unfortunately Asterisk doesn’t have any facility for doing anything with SIP attacks other than logging them.  I finally got tired of seeing thousands of connection attempts from various places and blocking them individually, so I came up with a script to add the offending IP addresses to my iptables filter.  When an invalid connection attempt comes in, I block their entire /24 net just for good measure.

#!/bin/bash
# Extract the offending source addresses from the Asterisk log, keep the
# first three octets of each, and drop duplicates.
/bin/grep "No matching peer found" /var/log/asterisk/messages | cut -d "'" -f 4 | \
  cut -d "." -f 1-3 | sort -n | /usr/bin/uniq > /root/anti-sip-attack.tmp
# Make sure the list exists: grep -c on a missing file leaves $c empty and nothing gets blocked.
touch /root/anti-sip-attack.lst
while read -r d; do
  # -x matches the whole line and -F takes the dots literally, so 1.2.3 never matches 11.2.3
  c=`grep -cxF -- "$d" /root/anti-sip-attack.lst`
  if [ "$c" = "0" ]; then
    /sbin/iptables -I INPUT -s "$d.0/24" -j DROP
    echo "$d" >> /root/anti-sip-attack.lst
  fi
done < /root/anti-sip-attack.tmp
rm /root/anti-sip-attack.tmp

This script gets run from cron every few minutes…  so far it’s worked quite well.  The next step is to tee the Asterisk log file and do it in real time, so they only get one shot and they’re blocked.  As it is now they have up to five minutes to try to brute-force their way in.
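The same log-to-blocklist pipeline as the two shell scripts above, written here as an added Python example (not the author's code) that also does the "is it time to block a /16 or /8" review from the update post by counting blocked /24s per larger network. The Asterisk log line format, the sample lines and the existing block list are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Asterisk's "No matching peer found" notice; the quoted address:port field is
# what the shell scripts pull out with cut -d "'" -f 4 (line format assumed).
FAIL_RE = re.compile(r"failed for '(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - No matching peer found")

def nets_from_log(lines):
    """Set of /24 networks (as 'a.b.c.0/24') whose hosts hit an unknown SIP peer."""
    nets = set()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            nets.add(str(ip_network(m.group(1) + "/24", strict=False)))
    return nets

def new_blocks(candidates, blocked):
    """Networks not yet in the block list; exact match, so 1.2.3.0/24 never shadows 11.2.3.0/24."""
    return sorted(set(candidates) - set(blocked))

def iptables_cmds(nets):
    return [f"iptables -I INPUT -s {n} -j DROP" for n in nets]

def clusters(blocked, prefix=16, threshold=3):
    """Count blocked /24s per /16 (prefix=16) or /8 (prefix=8): the review the
    update post does by hand with sort -n, flagging networks at or above threshold."""
    c = Counter(str(ip_network(n).supernet(new_prefix=prefix)) for n in blocked)
    return {net: k for net, k in c.items() if k >= threshold}

# Constructed sample log lines and an existing block list (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "[Apr 22 21:54:41] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found",
    "[Apr 22 21:54:42] NOTICE[1234] chan_sip.c: Registration from '\"101\" <sip:101@192.0.2.10>' failed for '203.0.113.77:5060' - No matching peer found",
    "[Apr 22 21:55:01] NOTICE[1234] chan_sip.c: Registration from '\"102\" <sip:102@192.0.2.10>' failed for '198.51.100.9:5060' - Wrong password",
    "[Apr 22 21:55:30] NOTICE[1234] chan_sip.c: Registration from '\"103\" <sip:103@192.0.2.10>' failed for '198.51.100.200:5060' - No matching peer found",
]
BLOCKED = ["198.51.100.0/24", "203.0.1.0/24", "203.0.2.0/24"]

if __name__ == "__main__":
    todo = new_blocks(nets_from_log(SAMPLE_LOG), BLOCKED)
    print("\n".join(iptables_cmds(todo)))   # the rules the cron job would add
    print(clusters(BLOCKED + todo))         # {'203.0.0.0/16': 3}: candidate for a /16 block
```

Only lines carrying "No matching peer found" count, as in the shell scripts; the "Wrong password" line is deliberately ignored.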

Neato vacuum update

My only complaint is that we only have one.

Rosie, our Neato robotic vacuum, has been doing a great job of keeping the floors vacuumed in the rooms where she runs.  I still haven’t done anything to the living room to keep her from getting hung up on the coffee table, but I’ve turned her loose in there once or twice anyway.  Once I used the magnetic strip to keep her out from under it, the other time I flipped it (the table) on its side.

The family room and upstairs, though, are now getting vacuumed a couple times a week.  I am always amazed at the amount of crud that comes out of the carpet even when it seems clean.  I’ve only had to intervene a couple of times when something got left on the floor (like a blanket) and sucked up, or once when the bot got hung up on a lamp base.  Overall — well worth the money.  I empty the dust bin after each run and occasionally vacuum off the paper filter; I just replaced it for the first time.  It came with 4 spares, and it looks like they only cost 3-4 bucks each.  Not bad if it means having your carpet vacuumed regularly.

Experiments in media servers

For the past week or two I’ve been doing some work toward some distributed media (audio, video, etc) for various parts of the house. What I’d like to do, ideally, is be able to watch HD TV on any TV in the house without the added monthly expense and hassle of a digital cable receiver from Cox. I’d also like to be able to record the shows we regularly watch, play them back from anywhere in the house, stream music wherever we want it, that sort of thing.

So far Windows Media Center seems to be a really good fit for the DVR portion of the job… unfortunately, it would also require a fairly expensive box be attached to each TV.  It would also mean two remotes per TV, or a universal – and good luck getting one to actually work.  I suppose I could build some Windows boxes fairly cheaply, but we’re still talking about $150-plus per instance, and that’s assuming I re-use any old hardware I have around such as hard drives.

After some reading, including some stuff I quite frankly didn’t really believe, I bought a Raspberry Pi with a wifi adapter to play around with.  Now, admittedly I’m a little late to the Pi community, but it’s really a pretty slick little board.  The Raspberry Pi is a tiny Linux system running on an ARM processor with half a gig of memory, and using an SD card for storage.  There are a couple of Pi-specific XBMC distributions, and they worked great for music and movies.  It was pretty impressive to see a sub-$50 computer the size of a pack of Camel Lights streaming HD video over a wifi link, without a hiccup.  Unfortunately, XBMC doesn’t have native ability to handle a cable tuner like the HD Homerun.

I ordered an HD Homerun Prime-CC and picked up a CableCARD from Cox.  The monthly rental on the CableCARD is not unreasonable at $1.99, although I do think it simply sucks that they are encrypting pretty much everything other than the local broadcast channels.  They certainly earned their two bucks over the past few days; since Friday of last week I’ve dealt with five or six Cox support people on the phone, and two on-site service calls trying to get the CableCARD setup working.  It seems that all of the problems we encountered were in the initial setup and (mis)configuration of the hardware from the Cox network end.  Once I got a tech who knew how to get a CC set up, it went pretty well… until they shut off our cable receiver, then managed to un-pair the CC again when I called about the receiver. Once we got that straightened out, though, things started really coming together.

Once the HD Homerun and CableCARD are working, you need a PVR (Personal Video Recorder) back-end to feed video to the Pi or anything else running XBMC.  I’m running Windows Media Center on a Win7 machine, with ServerWMC installed.  ServerWMC is a free program that allows remote XBMC systems to connect to WMC and pull video and program guide information.  So the setup here is [Cox cable] –> [HD Homerun Prime with CableCARD] –> [E4200 Wifi router (via gig-Ethernet)] –/(wifi)/–> [Raspberry Pi / OpenELEC XBMC] –> [Insignia 28″ LED TV].  If I were ambitious I’d make a Visio diagram, but I’m lazy…  and no one reads this crap anyway.

As of today I have streaming music, HD video and live TV through this system.  I haven’t tried playing back recorded TV, but that may require transcoding…  I’m not sure if ServerWMC will stream recorded TV files or not, but if not they’re in a format the Pi can’t play, so they’ll need to be converted to something it can play.

Possibly the coolest part?  I was not expecting this, but the Pi has a CEC adapter built in.  CEC lets you control XBMC from the TV remote.  The TV sends remote button signals through the HDMI interface to the Pi, so only one remote is needed — no IR receiver on the Pi, no need for a universal remote.  Too cool.  That doesn’t even work on the little Windows EEEBox in the other room – I’d need to add an external CEC adapter for that.

I can see using Raspberry Pis for other things as well.  Having an inexpensive Linux machine, powered by a common cell phone charger and equipped with wifi, wherever you happen to need it — pretty nice.  I’m thinking one of them with the add-on dedicated camera (5Mpixel, 720p video) that I could set in a window to catch whoever has been letting their dog crap in the side yard would be nice.  A video doorbell seems like a fun project.  And one of them will make a nice backup for the Asterisk server.

Roku: meh.

I spent some time playing around with a new Roku 3 over the past week or two.  From a hardware standpoint, it’s a pretty cool little box.  Wifi, HDMI, remote with accelerometers, all kinds of coolness.  Unfortunately, its use as a streaming media player is limited at best, at least for what I wanted.

If all you need is a player for Netflix/Hulu Plus/Amazon and similar paid services, it’s fine.  If you’re the type who loves video game blogs, old movies no one has ever heard of and similar stuff, I guess it would be grand. In general, though, the free content that’s available is worth exactly what it costs (if you don’t count the cost of the Roku), and I’m not looking for more places to send money every month.

My intent was to use it to play movies, recorded TV and live TV streamed from a MythTV backend.  The success rate ranged from great to zero, depending on what I was trying to do.  The Roku would have me transcoding every single video recording I have (no thanks, really).  The Plex and MythTV frontends I found were pretty buggy.  The “Brightscript” language used to build content channels is not something trivial to pick up, and I’m really not looking for a second career as a programmer.  I finally decided that if I do build a whole-house TV/movie/music/DVR system, I’ll probably have to use little dedicated boxes running either XBMC or Mythtv, and talking to a dedicated MythTV backend.

Fortunately, Roku has a pretty good return policy.  This one’s going back.  It doesn’t seem to be a bad little box for what it does, it just doesn’t do what I need.

Thanks, Microsoft! (really!)

So today I looked at some new laptops.  For various reasons I won’t go into, I really need to set up a new (well, another) Windows machine.  Wine (the Linux program that lets you run Windows software) has made a lot of headway over the past few years, but some apps that I depend on just don’t act right.  So, we stopped in at Best Buy to see what was up.

What’s up is Windows 8.  For some reason, the stupidity in Redmond has reached a level where they can no longer distinguish the difference between a cell phone and a laptop or desktop computer.  Hint, guys — what works great on a Droid phone doesn’t make sense on a laptop.  It’s cute, and I’m sure they’re selling a shitload of new laptops with Windows 8, but I’m baffled at how anyone could actually use one for anything productive.

So, really, guys — thanks.  You saved me from wasting $750 or so on a new machine.  Instead I’ll re-purpose a desktop I have here and load it with Win7, for which I think I may still have a spare OEM license.  Or something.  All I know is, Apple should be sending you guys flowers and candy.  Windows 8 is enough to make even OSX look good.


Weirdness, and good timing

Yesterday morning, for reasons we haven’t been able to figure out, both my wifi router and what has to have been the most disappointing phone base unit ever created suddenly and simultaneously went to that big recycle bin in the sky.  Our Internet connectivity went away as I was trying to send out a meeting invitation for work, and when I went down to reboot the router I saw the phone base was dark too.  After ruling out any common power issues and verifying that the two wall warts were indeed working, I had to conclude that both boxes were dead.  How very odd.  The only common thing between them is that there was a direct Ethernet connection, but nothing else on the network took a hit.  The Gigaset box had a phone line plugged into it, but that phone line passes through the A400 VOIP card in the server — neither of which was damaged.

Anyway.  I happened to have a spare non-IP base for the phones, so I connected that and had phone service back an hour or so after the loss.  The wifi router, though, was another matter.  In a very strange twist of timing, my new E4200 Linksys was on the UPS delivery truck – all I had to do was wait for it.

I’m not completely thrilled with the E4200V2.  Its performance seems to be excellent, and the signal strength reported by my cell phone and the Roku are substantially higher.  I wish to hell it ran DD-WRT; I really missed some of that firmware’s troubleshooting and logging capability.  I doubt I’ll return it, though.  Swapping out the router is disruptive enough, and while DD-WRT is great, I was mostly using it to overcome some real deficiencies in the old hardware.  It’s not a perfect solution, but the price was attractive and it will do.

What I learned from this is that I need better disaster plans, and need to test them more thoroughly.  I had a backup of the router configuration — but it’s a binary file.  Of course it’s completely useless on a different router, and I didn’t have all of the port forwarding and other rules written down anywhere.  My Asterisk backup plan failed miserably, I have to fix that.  I really need a seamless, fault tolerant VOIP setup with failover that actually works.  I’ve got some work to do on that stuff to avoid the headaches the next time something unexpectedly goes TU.


It pays to shop around…

I need to upgrade the wifi router in the house.  The old Linksys WRT54G has been working for years, but it just can’t handle HD video streams.  So, I went shopping for a new Linksys E4200 V2, which is supposed to be the baddest, fastest one out there.  Dual band, 900 MBPS and all that.

Best Buy has the E4500, but I don’t want that one — it requires a constant connection to Cisco.  WTF?  Newegg was the same, only the E4500.  No thanks.  So I looked on eBay and Amazon.  It seems that they go for $125 and up new, and around $80 or so on up used.  I’m not in the mood to screw with someone else’s used router, so I was looking only at new and factory-refurbed.

Then I find the Linksys online store…  factory refurb, 30-day warranty, $79.99 with free shipping.   Sold.  Anyone want a nice, current generation WRT54G already loaded with DD-WRT?  I have one for sale cheap.  🙂


Greylisting for the win!

I’ve seen a dramatic drop-off in email spam since implementing a greylist program a couple of months back.   As odd as it may sound, greylisting works by initially rejecting all new incoming email with a response indicating a temporary rejection.   A “real”, legitimate mail server will retry sending the email after a few minutes.   A spam-generating virus program running on a hijacked computer generally will not.   As a result, nearly all spam email just simply goes away…   and none of the “good” mail gets lost.

The system keeps track of senders that have successfully delivered mail, and adds them to a whitelist of “known good” senders so that future mail from those senders doesn’t get delayed.
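The greylisting mechanism described above, as an added Python example (not the greylist program the post refers to): an unknown sender triplet gets a temporary SMTP reject, a retry after the delay is accepted, and the sender's IP is then whitelisted so later mail is not delayed. The delay and expiry values and the sample senders are constructed for the example.

```python
import time

class Greylist:
    """Greylist keyed on the (sender IP, envelope from, envelope to) triplet.
    check() returns the SMTP reply code the mail server would send:
    451 (temporary failure, come back later) or 250 (accepted)."""

    def __init__(self, delay=300, expire=4 * 3600):
        self.delay = delay        # seconds a new triplet must wait before it is accepted
        self.expire = expire      # forget triplets that never came back within this window
        self.pending = {}         # triplet -> time of first delivery attempt
        self.whitelist = set()    # sender IPs that retried like a real MTA does

    def check(self, ip, mail_from, rcpt_to, now=None):
        now = time.time() if now is None else now
        if ip in self.whitelist:
            return 250            # known good sender: no delay on future mail
        key = (ip, mail_from.lower(), rcpt_to.lower())
        first = self.pending.get(key)
        if first is None or now - first > self.expire:
            self.pending[key] = now
            return 451            # first contact: a legitimate server will retry
        if now - first < self.delay:
            return 451            # retried too soon, keep waiting
        del self.pending[key]     # proper retry: accept and remember the sender
        self.whitelist.add(ip)
        return 250

def simulate(events, delay=300):
    """Run constructed (time, ip, from, to) events through one Greylist; returns the reply codes."""
    g = Greylist(delay=delay)
    return [g.check(ip, frm, to, now=t) for t, ip, frm, to in events]

# Constructed events: a real MTA that retries after ~6 minutes, then a bot that never retries.
EVENTS = [
    (1000, "192.0.2.10", "alice@example.org", "me@example.net"),    # first contact -> 451
    (1100, "192.0.2.10", "alice@example.org", "me@example.net"),    # too soon     -> 451
    (1400, "192.0.2.10", "alice@example.org", "me@example.net"),    # proper retry -> 250
    (1401, "192.0.2.10", "bob@example.org", "me@example.net"),      # IP whitelisted -> 250
    (2000, "198.51.100.7", "deal@example.com", "me@example.net"),   # bot, one shot -> 451
]

if __name__ == "__main__":
    print(simulate(EVENTS))   # [451, 451, 250, 250, 451]
```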

This system has allowed me to retire a very long list of filter rules to try to catch spam.   The amount of time I have to spend dealing with it has dropped from a couple of hours per week to a few minutes per week.   It’s not perfect — but then, nothing is.   My employer spends tens or hundreds of thousands of dollars on anti-spam technology, and I still see one get through every once in a while.   For zero cost and near zero hassle, this works pretty well.