Another Linux Desktop progress update

It's been over a month and I'm sticking with Linux on the desktop. Too many things "just work" for me to go back, my data actually feels more secure than it did before and the computer does what I ask of it, poorly written software aside.

What poorly written software? Nothing too vital. I just wanted to play some movie trailers online with Opera but that's proving almost impossible, even with MPlayer-plugin, plugger et al. Nothing seems to make it work whereas FireFox runs it just as it should with the same plugins.
I've followed every page I could find on getting these plugins to work with Opera but they just display a blank box or throw up lots of stdout errors, or both. That's no big deal, I could just use Firefox, but I like the way Opera works faster for day-to-day browsing and is integrated with RSS, news, mail, etc.

The other program that was giving me hell was KPlayer. Some files it just would not display properly, displaying what appeared to be vsync problems (a single tear at a certain point on the screen while displaying video). I first noticed this while playing a DVD. Putting KPlayer into X11 rather than XV mode solved it but it took too much CPU. MPlayer GUI showed no such problems (despite KPlayer using MPlayer to display) but I didn't like it or any of it's skins.

I could NOT find any difference between how KPlayer and MPlayer were rendering the clips but KPlayer always looked different. Eventually, Xine came as a good middle ground, showing all the clips I want it to while not displaying any artifacts, using the computer's hardware acceleration to it's full and having a usable GUI.

Using ALSA-only for sound is a great leap forward and the only problems I get are the soundcard-sharing issues that are well documented and easy to fix with dmix plugins. I've tried those and they work perfectly.

I investigated KDE 3.4 for a while, even downloading the KLAX live CD (a new version of KDE on a SLAX LiveCD, based on Slackware). 3.4 seemed faster, more responsive, cleaner and more bug-free but I'm wary of upgrading it until I've made a tar.gz of my system as it is at the moment. That's another thing that I love about Linux... the low-level config is all runtime-determined and the remaining config is hardware-independent.

I can transfer this disk image to any other machine in the world and it would boot up (after running lilo) and work just as before, with only a few minor tweaks to support non-detected hardware. The point is that, unlike Windows, I could move this hard disk to any machine should this one go wrong and be up and running again in minutes rather than hours and use the exact same settings as I have now. You just CANNOT do that with Windows. Even changing your motherboard pretty much requires a reinstall but in Linux, it hardly cares about what motherboard you are running.

I've gone onto Linux 2.6 now, given the fact that it supports more hardware, has ALSA built-in at the kernel level, has lots of bugfixes and new features. It meant that I had to tweak the startup scripts somewhat to enable me to dual boot and compile software for whatever kernel I happened to be running (mainly just symlink magic) but that didn't take long and was hardly necessary anyway... I think I've only booted back into 2.4 once.

KNemo has replaced my Zonealarm because now I have the power of an iptables firewall, I just miss the little flashing lights that indicated network activity. :-)

SSH logins are now working flawlessly and, following advice from a number of sites, I've got non-root passwordless SSH up and running, with an su providing all the power I need. I do see this as a little unnecessary root had his own private key that was the only way to log in but it's working now. I can use PuTTY from work and log in to my home machine and laugh at all the login attempts I see bouncing off port 22:

203.73.40.40 only tried 2 times.
210.96.200.24 only tried 2 times.
212.19.84.19 only tried 2 times.
210.204.129.27 only tried 3 times.
211.160.17.13 only tried 3 times.
212.160.93.188 already blocked for 5 attempts.
61.16.165.148 already blocked for 5 attempts.
70.183.189.207 already blocked for 5 attempts.
210.178.215.221 already blocked for 6 attempts.
211.169.117.119 already blocked for 6 attempts.
211.248.77.194 already blocked for 6 attempts.
213.179.250.115 already blocked for 6 attempts.
218.108.89.205 already blocked for 6 attempts.
61.219.67.127 already blocked for 6 attempts.
66.14.195.102 already blocked for 6 attempts.
202.180.175.138 already blocked for 7 attempts.
61.218.8.110 already blocked for 7 attempts.
202.127.24.198 already blocked for 8 attempts.
211.112.77.28 already blocked for 9 attempts.
211.114.170.161 already blocked for 9 attempts.
203.199.69.160 already blocked for 10 attempts.
201.144.107.203 already blocked for 11 attempts.
213.21.187.186 already blocked for 11 attempts.
202.141.12.146 already blocked for 12 attempts.
84.45.142.57 already blocked for 12 attempts.
220.65.55.130 already blocked for 13 attempts.
202.201.0.246 already blocked for 15 attempts.
210.51.12.238 already blocked for 15 attempts.
211.114.177.138 already blocked for 15 attempts.
211.114.195.7 already blocked for 15 attempts.
62.76.207.201 already blocked for 15 attempts.
163.27.7.2 already blocked for 18 attempts.
81.190.223.110 already blocked for 21 attempts.
64.49.222.180 already blocked for 24 attempts.
222.53.117.195 already blocked for 28 attempts.
210.51.25.217 already blocked for 32 attempts.
202.183.229.200 already blocked for 34 attempts.
66.82.4.25 already blocked for 39 attempts.
211.147.7.88 already blocked for 43 attempts.
212.89.111.97 already blocked for 44 attempts.
62.65.85.126 already blocked for 44 attempts.
81.214.131.217 already blocked for 44 attempts.
61.220.76.58 already blocked for 57 attempts.
220.130.3.60 already blocked for 61 attempts.
212.251.61.243 already blocked for 77 attempts.
211.250.189.5 already blocked for 89 attempts.
217.160.130.112 already blocked for 89 attempts.
24.10.130.62 already blocked for 89 attempts.
80.190.249.210 already blocked for 89 attempts.
82.235.174.242 already blocked for 89 attempts.
12.26.192.66 already blocked for 108 attempts.
165.229.65.86 already blocked for 108 attempts.
64.208.57.92 already blocked for 108 attempts.
81.208.31.177 already blocked for 109 attempts.
203.177.36.178 already blocked for 114 attempts.
80.183.225.131 already blocked for 122 attempts.
219.101.165.151 already blocked for 154 attempts.
195.70.198.199 already blocked for 216 attempts.
66.236.248.139 already blocked for 216 attempts.
211.26.36.3 already blocked for 221 attempts.
128.252.171.31 already blocked for 348 attempts.
211.172.225.111 already blocked for 382 attempts.
211.144.101.203 already blocked for 413 attempts.
61.193.182.107 already blocked for 425 attempts.
218.149.85.18 already blocked for 467 attempts.
202.30.198.245 already blocked for 519 attempts.
137.195.182.25 already blocked for 701 attempts.
213.251.132.146 already blocked for 702 attempts.
218.179.255.249 already blocked for 1409 attempts.

That's the output from my custom script which I add new features to whenever I feel like it:

#!/bin/sh
#
# Script to search logs for SSH brute-force attempts and block IP's

# Log a message saying we have started.
logger -t SearchLogs -p cron.notice -- Starting Log Search...

# Search through /var/log/messsages for "Failed" lines from SSH.
# Strip out IP from each line.
cat /var/log/messages* |grep sshd |grep Failed\ password\ for | sed s/.*from\ // | sed s/\:\:ffff\:// |sed s/\ port\ .*// > /tmp/ssh_attempt_ips.txt

# Similarly for "Invalid" lines
cat /var/log/messages* |grep sshd |grep Invalid\ user | sed s/.*from\ // |sed s/\:\:ffff\:// >> /tmp/ssh_attempt_ips.txt

# Similarly for "Did not recieved identification string" lines
cat /var/log/messages* |grep sshd |grep Did\ not\ receive\ identification\ string\ from | sed s/.*from\ // |sed s/\:\:ffff\:// >> /tmp/ssh_attempt_ips.txt

# Sort IP's and weed out any duplicate lines to rid us of multiple IP's.
# Also, add a count of each IP so that we can judge how many attempts
# they had and strip out some whitespace.
#
# Also, ignore any line containing 212.85.1.15 as that's our main IP for
# logging in from, similarly for 127.0.0.1.
cat /tmp/ssh_attempt_ips.txt |sort |uniq -c -d |sort |sed s/\ */\ / | sed '/.*212.85.1.15/d' | sed '/.*127.0.0.1/d' > /tmp/ssh_attempt_counts.txt

# Remove whitespace from beginning of line, place | in between counts and IP's.
cat /tmp/ssh_attempt_counts.txt |sed s/\^\ // | sed s/\ /\|/ > /tmp/ssh_prioritised_list.txt

if [ -f /tmp/ssh_prioritised_list.txt ]
then
# For each line...
for BAD_IP in `cat /tmp/ssh_prioritised_list.txt`
do
# Strip the count from the IP...
COUNT=`cat /tmp/ssh_prioritised_list.txt |grep $BAD_IP | sed s/\|.*//`
IP_TO_BLOCK=`cat /tmp/ssh_prioritised_list.txt |grep $BAD_IP | sed s/.*\|//`

# If a particular IP had more than 5 goes...
if [ "$COUNT" -gt "4" ]
then
EXISTING_LINE=`iptables -n -L INPUT |grep $IP_TO_BLOCK`

# Add to permanent blacklist.
echo $IP_TO_BLOCK >> /etc/ssh_blacklist.txt

# If it's not already on the firewall blocklist
if [ -z "$EXISTING_LINE" ]
then
# Print out a message and add to firewall.
echo Blocking $IP_TO_BLOCK for $COUNT attempts
logger -t SearchLogs -p cron.notice -- Blocking $IP_TO_BLOCK for $COUNT attempts
logger -t SearchLogs -- Blocking $IP_TO_BLOCK for $COUNT attempts
echo iptables -A INPUT -s $IP_TO_BLOCK -j DROP
iptables -A INPUT -s $IP_TO_BLOCK -j LOG
iptables -A INPUT -s $IP_TO_BLOCK -j DROP
else
echo $IP_TO_BLOCK already blocked for $COUNT attempts.
logger -t SearchLogs -p cron.notice -- $IP_TO_BLOCK already blocked for $COUNT attempts
fi
else
# Just warn.
logger -t SearchLogs -p cron.notice -- $IP_TO_BLOCK only tried $COUNT times.
echo $IP_TO_BLOCK only tried $COUNT times.
fi
done
else
echo "Can't read /tmp/ssh_prioritised_list.txt"
fi

cat /etc/ssh_blacklist.txt |sort |uniq > /tmp/ssh_blacklist.txt
cp /tmp/ssh_blacklist.txt /etc/

# Log a message to say we've finished
logger -t SearchLogs -p cron.notice -- Log Search Ended.

#---------------------------------------

I have that running as a cron job and it produces the output you see above. It's amazing how many attempts you get. Looking up the IP's on DShield shows that I'm not alone on being attacked from some of these IP's. It's tempting to move the SSH port just to avoid the log spam.

Overall, thoroughly impressed. I wouldn't class it as a perfect system but it's a damn sight closer than Windows ever was and when you consider that people who are giving their time and effort away are doing a better job than the largest company in the world pumping billions into research, you have to ask yourself whether you've ever been right to give them money.