security

Modified: 16th August 2008

Server paranoia

I take care of servers (i.e. computer clusters, web page servers, web service servers, etc.). Apparently, for all my past jobs, I have needed some sort of server. I've taken care of a 16-node (Dell running Rocks) cluster for stress-testing networked storage, a web server, and now again a web server. Being an administrator for a web server (not sure how an IT guy takes it), you get a bit paranoid when you check the logs of your servers. Having the server outside the firewall, you get all sorts of logs, from the common SSH brute-force attack to Apache, MySQL and PHP add-on attacks. It looks like it is a matter of time before holes are found.

Currently, my web service is essentially my work machine. It is a Mac. Whilst the university has a campus firewall, my Mac needs to be sitting outside the firewall due to the various web services that I need to run my genome computations on. Further, as I have my programs running overnight and over the weekend, I need to be able to log in remotely to my Mac to check on their status and restart the program if something has happened. In conclusion, I can't just firewall the whole Mac.

One of the little things that I do on the servers that I administer is to change the SSH port. For my low-user (fewer than 3 users) server, taking care of the SSH service is pretty easy, as I do not have to worry about easy-to-guess usernames and weak passwords. However, brute-force attacks on port 22 do make the log lengthy and may distract/annoy you until you miss the important stuff. Hence, to avoid hobbyist SSH brute-forcing, I change my port to another port. This solves some of the issue.

Amongst the services that make me paranoid are those services (open ports) that I'm not aware of, and my own add-on scripts on Apache. For the Apache script issue, I'm rather confident, as all the scripts that I have installed and web pages that I'm hosting are put under my username directory, which is difficult to guess. And the locations of the scripts are not in the common places. As such, even if there is an exploitable bug in any of the scripts that I use, chances are they won't be able to find it with a brute-force scan. Still, I don't like the fact that my Apache log is filled with brute-force attacks. I tried the standard intrusion detection system (IDS) software, Snort, which I know nothing about, and hoped that its web server plugin would somehow magically solve my Apache brute-force attacks. Other than the fact that Snort is a pain to install and use, and also the fact that it doesn't do what I hoped it would do, all Snort does is make me more paranoid with new alerts on top of all the brute-force attacks I'm already getting from my Apache. Paranoid attack!

I have also done an nmap scan on my own Mac and, surprisingly, there are a lot of open ports. These range from my MySQL, iTunes and CUPS (for printers) to some unknown port 50001. Surprisingly, these ports are accessible from the internet too! That makes me paranoid. Whilst the Mac has a good reputation for being solid, I'm not taking any chances. My first thought was to patch the ports with the built-in firewall. Being an ultra user-friendly firewall, the Mac Leopard firewall is no help to a paranoid person like me in patching up ports. Then I looked at the under-utilised ipfw that comes with a Mac. I did some research on it and found that it is quite user (or rather admin) friendly, and decided to start a weekend project on writing a Java (yes, I'm a Java person) program that will be triggered by Snort alerts and Apache logs. This program will then identify the culprit IP and block it using ipfw. To avoid overflowing the ipfw table, I (i.e. the Java program) will keep a log (again!) of the blocked IPs, in order to schedule the removal of blocked IPs after a fixed time interval. This should keep some hobbyist brute-forcers at bay. I've tested the concept (it works!) and was prepared to start the weekend project, when my friend (a techie person with a pet bull, which we refer to as cow) suggested to me running a virtual machine (VM) to take the hit (if security is breached). Initially, I was a bit skeptical about the idea (i.e. slow performance, and expensive software?) but later it turned out to be perfect!
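The log-triggered ipfw blocker sketched above, as an added example in Python (my code, not the author's Java program, and not wired to Snort): it counts sshd password failures and Apache 4xx probes per source address, adds a numbered ipfw deny rule for any address over a threshold, keeps the ledger of blocked addresses the post calls for, caps the number of rules so the ipfw table cannot overflow, and lifts each block after a fixed interval. The log lines, addresses, usernames and rule-number range are constructed for the example; the `ipfw add N deny ip from A to any` and `ipfw delete N` forms are standard ipfw syntax.

```python
import re
import subprocess
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample log lines (not from the page). The first block imitates sshd
# entries in the system auth log, the second Apache combined-format access log
# entries; the addresses are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Aug 16 02:11:03 mini sshd[512]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Aug 16 02:11:05 mini sshd[512]: Failed password for invalid user oracle from 203.0.113.7 port 40212 ssh2
Aug 16 02:11:09 mini sshd[513]: Failed password for root from 203.0.113.7 port 40213 ssh2
Aug 16 02:11:12 mini sshd[514]: Failed password for invalid user test from 203.0.113.7 port 40214 ssh2
Aug 16 02:11:30 mini sshd[516]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [16/Aug/2008:02:12:01 +1000] "GET /admin/ HTTP/1.0" 404 209
198.51.100.23 - - [16/Aug/2008:02:12:02 +1000] "GET /setup.php HTTP/1.0" 404 209
198.51.100.23 - - [16/Aug/2008:02:12:03 +1000] "GET /backup/ HTTP/1.0" 404 209
192.0.2.10 - - [16/Aug/2008:02:13:00 +1000] "GET /~alice/index.html HTTP/1.1" 200 1532
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?\S+ from " + IPV4)
APACHE_LINE = re.compile(r"^" + IPV4 + r' \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')


def offenders(auth_log, access_log, threshold=3):
    """Return {ip: count} for sources with at least `threshold` suspicious events."""
    counts = defaultdict(int)
    for line in auth_log.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    for line in access_log.splitlines():
        m = APACHE_LINE.match(line)
        if m and m.group(2).startswith("4"):   # 4xx: requests for things this host does not serve
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


@dataclass
class Block:
    rule: int        # ipfw rule number holding the deny rule
    expires: float   # epoch time at which the block is lifted


class IpfwBlocker:
    """Adds and removes numbered ipfw deny rules and expires them after a fixed TTL.

    execute=False (the default) only records the ipfw commands, so the logic can be
    exercised without root; execute=True runs them through sudo.
    """

    def __init__(self, allowlist=(), ttl=3600, max_rules=200, base_rule=10000, execute=False):
        self.allow = set(allowlist) | {"127.0.0.1"}   # never lock out localhost or yourself
        self.ttl, self.base_rule, self.execute = ttl, base_rule, execute
        self.free = deque(range(max_rules))            # unused rule slots: bounds the ipfw table
        self.blocked = {}                              # ip -> Block (the "log of blocked IPs")
        self.commands = []                             # every ipfw command issued (or dry-run)

    def _ipfw(self, *args):
        cmd = "ipfw " + " ".join(args)
        self.commands.append(cmd)
        if self.execute:
            subprocess.run(["sudo"] + cmd.split(), check=True)

    def block(self, ip, now=None):
        now = time.time() if now is None else now
        if ip in self.allow or ip in self.blocked:
            return False
        if not self.free:   # table full: evict the block closest to expiry
            self.unblock(min(self.blocked, key=lambda k: self.blocked[k].expires))
        rule = self.base_rule + self.free.popleft()
        self._ipfw("add", str(rule), "deny", "ip", "from", ip, "to", "any")
        self.blocked[ip] = Block(rule, now + self.ttl)
        return True

    def unblock(self, ip):
        b = self.blocked.pop(ip)
        self._ipfw("delete", str(b.rule))
        self.free.append(b.rule - self.base_rule)

    def expire(self, now=None):
        """Lift every block whose TTL has passed; call this from a periodic timer."""
        now = time.time() if now is None else now
        for ip in [ip for ip, b in self.blocked.items() if b.expires <= now]:
            self.unblock(ip)
        return len(self.blocked)


if __name__ == "__main__":
    blocker = IpfwBlocker(allowlist={"192.0.2.10"}, ttl=1800)
    for ip in sorted(offenders(SAMPLE_AUTH_LOG, SAMPLE_ACCESS_LOG)):
        blocker.block(ip)
    print("\n".join(blocker.commands))
```

The allowlist matters for exactly the situation the post describes: a machine you must reach remotely over the weekend should never ban the address you log in from, and a threshold of a few failures keeps one mistyped password from doing so. The ledger plus `expire()` is what keeps the rule table bounded; with the default dry-run nothing is executed, so the counting and expiry logic can be tested on saved logs before any rule is added.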

Tutorial on how to secure your Mac Leopard with VM and ipfw.

Modified: 27th October 2007

Blender - simple encryptor

UPDATE: My PocketPC version of Blender is now released! [Details and download here]. It is the XXTea edition (I love my 'Blender' artwork there), including a nifty user manual.

During my PhD candidature, I was investigating possible applications for my distribution strategies in large data processing. One of the many feasible applications is cryptography. I did some reading on it and was tempted to go into it, as all the analytical stuff there is very interesting. And, 'interestingly', it is one of the 'things' that doesn't go boom but is still classified as a 'weapon' (with good reason) by the US government (i.e. there are export restrictions on it). Currently, I'm still doing some tinkering in my spare time, investigating any possible work to be done here. And among the things that I thought of came Blender!

There is so much information to remember these days. However, it is quite worrying to have any sensitive information (e.g. your user ID for internet banking) written down anywhere insecure. In some cases, though, you just need to have it written down somewhere accessible. I usually have this information stored on my PDA phone. However, for me, it is either having this information in plain text (which gets me worried), or in some encryption program (which can be rather big to carry around). Hence, I've written a piece of software myself that encrypts and decrypts information in a very simple but effective way. The cipher engine is based on the well-known (proven to be unbreakable) One-Time-Pad encryption method - NOTE: as with all other security products, it will be unbreakable only if you use it correctly.

I've written the software as a Java Web Start application so that everyone can use it anywhere and anytime (including myself). In short, the (symmetric) encryption method involves shuffling (S-box-ish) and encrypting (polyalphabetic XOR) a given text based on the given password. I have also added the XXTEA algorithm to the software in case others really need some reassurance on the security of the program.

The software is code-named 'Blender'. Try the software here via Java Web Start. I'll post the details of the encryption process (together with a user manual) later, for security experts to evaluate its strength. Some of the advantages of my software are: [1] small, simple, and accessible on the web; [2] the encrypted text is optimised to be the smallest possible (i.e. short messages yield short encrypted texts); [3] the encrypted text is base64 encoded (i.e. it should be compatible with all digital text storage formats) and can be easily copied and pasted.
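The XXTEA option mentioned above, as an added example in Python (my code; Blender itself is a Java Web Start program and this is not its source): Wheeler and Needham's published Corrected Block TEA applied to the text as little-endian 32-bit words, with the plaintext length carried in a trailing word and the result base64-encoded, so that short messages give short tokens as the post describes. Two assumptions not on the page: the 128-bit key is the first 16 bytes of SHA-256 of the password, and padding is zero bytes. The post's own caveat about using a one-time pad correctly applies here in the usual way: a password-derived XOR stream reused for a second message is no longer one-time, whereas XXTEA is a block cipher whose key may be reused across messages.

```python
import base64
import hashlib
import struct

DELTA = 0x9E3779B9   # XXTEA round constant (golden-ratio derived)
MASK = 0xFFFFFFFF    # all arithmetic is modulo 2**32


def _mx(sum_, y, z, p, e, k):
    """The XXTEA mixing function from the published algorithm."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((sum_ ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _encrypt_words(v, k):
    n = len(v)
    rounds = 6 + 52 // n
    sum_, z = 0, v[n - 1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n):
            y = v[(p + 1) % n]          # for the last word, y wraps to the updated v[0]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, k)) & MASK
            z = v[p]
    return v


def _decrypt_words(v, k):
    n = len(v)
    rounds = 6 + 52 // n
    sum_, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, -1, -1):
            z = v[(p - 1) % n]          # for the first word, z wraps to the restored v[n-1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, k)) & MASK
            y = v[p]
        sum_ = (sum_ - DELTA) & MASK
    return v


def _key_words(password):
    # ASSUMPTION: the page does not say how Blender turns the password into a key;
    # here the 128-bit XXTEA key is the first 16 bytes of SHA-256(password).
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return list(struct.unpack("<4I", digest[:16]))


def encrypt(text, password):
    """UTF-8 text -> base64 token; the last word stores the unpadded length."""
    data = text.encode("utf-8")
    padded = data + b"\0" * (-len(data) % 4)          # ASSUMPTION: zero-byte padding
    words = list(struct.unpack("<%dI" % (len(padded) // 4), padded)) + [len(data)]
    if len(words) < 2:                                 # XXTEA needs at least two words
        words.insert(0, 0)
    cipher = _encrypt_words(words, _key_words(password))
    return base64.b64encode(struct.pack("<%dI" % len(cipher), *cipher)).decode("ascii")


def decrypt(token, password):
    """Inverse of encrypt(); raises ValueError when the password is wrong."""
    raw = base64.b64decode(token)
    if len(raw) % 4 or len(raw) < 8:
        raise ValueError("not a token produced by encrypt()")
    words = list(struct.unpack("<%dI" % (len(raw) // 4), raw))
    plain = _decrypt_words(words, _key_words(password))
    length = plain[-1]
    body = struct.pack("<%dI" % (len(plain) - 1), *plain[:-1])
    # A wrong key turns the length word and the zero padding into noise, so these
    # checks reject almost every wrong password; they are not a real authentication tag.
    if length > len(body) or any(body[length:]):
        raise ValueError("wrong password or corrupted data")
    try:
        return body[:length].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("wrong password or corrupted data") from exc


if __name__ == "__main__":
    token = encrypt("bank user id 12345678", "a long passphrase")
    print(token, "->", decrypt(token, "a long passphrase"))
```

Two properties worth knowing before storing anything with a scheme like this: the same text and password always produce the same token (there is no salt or IV, which is what keeps the tokens short), and the only integrity check is the length and padding test above, so a tampered token may decrypt to garbage rather than fail. A salted, slow key derivation such as PBKDF2 would cost a few extra bytes per token in exchange for making password guessing much slower.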

UPDATED: I've made 'Blender' web friendly. Try the beta version here via Web Start.