ciplogic.com
Live with grace. Write superb software.

security

  • Change Your SSH Server Port

    A while back, in November 2014, I posted an article showing that over the course of a year and a half or so (my blog was rehosted from February 2014), fail2ban blocked 1633 IPs.

    Today I checked again, and to my surprise I got:

    [root@ciplogic ~]# iptables -L -n | grep REJECT | wc -l
    5853

    For the first time segment (273 days period) I averaged 5.98 IP bans a day. From that day to today I got: 5853-1633 = 4220 new bans. The time period from November 2014 to today is 573 days.

    That means in the last year the banning grew to 7.36 bans a day (~20% increase). And we need to remember that this is with the previous blacklist still in place.

    So today, besides applauding fail2ban's relentless work, I changed the port of the SSH server.

    To my surprise, from this morning until now there has been radio silence: no new fail2ban bans. I guess most scanners don't do a port scan first; they just try to find default or weirdly configured SSH servers.

    So here's my second tip. Change your SSH server port.
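The port change the post describes is a one-line edit to sshd_config, but the line can be commented out, missing, or present more than once. The script below is an added example (not the author's own tooling): it rewrites the `Port` directive safely in a config file whose path you pass in. The sample config content and the file paths are constructed for illustration; the follow-up steps in the comments (firewall, SELinux label, fail2ban jail port) are what a CentOS host needs after the edit and are not executed here.

```shell
#!/bin/sh
# Added example (not from the original post): set the Port directive in an
# sshd_config file in place, the edit the post describes. File paths and the
# sample config content below are constructed for illustration.

# Write a small constructed sshd_config excerpt to the given path.
sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config excerpt
#Port 22
#AddressFamily any
PermitRootLogin no
PasswordAuthentication no
EOF
}

# Print every active Port value in FILE (sshd defaults to 22 when none is set).
current_sshd_port() {
    awk '$1 == "Port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# set_sshd_port FILE PORT: replace the first Port line (commented or not) with
# "Port PORT", comment out any further active Port lines, or append the
# directive when the file has none. Refuses ports outside 1-65535.
set_sshd_port() {
    cfg="$1"
    port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "set_sshd_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: port $port out of range" >&2
        return 1
    fi
    tmp="$cfg.tmp.$$"
    awk -v p="$port" '
        /^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+/ {
            if (!done) { print "Port " p; done = 1 }
            else if ($1 == "Port") { print "#" $0 }   # avoid a second listener
            else { print }
            next
        }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Stand-alone run: move a constructed config to a high, unprivileged port.
# After editing the real /etc/ssh/sshd_config you would still need to:
#   - allow the port in the firewall (e.g. firewall-cmd --permanent --add-port=2222/tcp)
#   - on CentOS with SELinux: semanage port -a -t ssh_port_t -p tcp 2222
#   - set the same port in fail2ban's sshd jail so bans keep working
#   - restart sshd and open a second session before closing the current one
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    sample_sshd_config "$f"
    set_sshd_port "$f" 2222
    echo "Port now: $(current_sshd_port "$f")"
    rm -f "$f"
fi
```

Run it with `--demo` to see the edit on a throwaway file. Moving the port cuts the log noise, as the post observes, but it is obscurity rather than a control: key-only authentication and fail2ban are still what keep the brute-forcers out once a scanner does find the new port.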

  • Fail2Ban Doing Real Work

    I see that some people try to access my host, even if they are not me.

    Crazy, right?

    Here is a small statistic from less than a year: how many attackers fail2ban managed to ban while they were trying to brute-force this website via SSH:

    [root@ciplogic ~]# iptables -L -n | grep REJECT | wc -l
    1633

    Awesome!

    So if you don't have it yet, and you run some Linux, definitely install it.

    If you use CentOS just do:

    [root@ciplogic ~]# yum install fail2ban

    Happy admining.
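What fail2ban does behind the number in the post is simple: it reads sshd's log, counts failures per source address, and bans any address that crosses `maxretry`. The script below is an added example, not fail2ban's own code, that reproduces that decision with awk over a handful of constructed log lines (the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are documentation ranges, not real attackers). Each address it prints is one that fail2ban would turn into a REJECT rule, which is what the `iptables -L -n | grep REJECT | wc -l` count in the post is tallying.

```shell
#!/bin/sh
# Added example (not from the original post): count sshd authentication
# failures per source IP, the way fail2ban's sshd filter plus maxretry decides
# whom to ban. The log lines are constructed; 203.0.113.x, 198.51.100.x and
# 192.0.2.x are documentation address ranges, not real attackers.

sample_auth_log() {
    cat <<'EOF'
Nov 14 22:01:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Nov 14 22:01:05 host sshd[1234]: Failed password for root from 203.0.113.7 port 51013 ssh2
Nov 14 22:01:08 host sshd[1235]: Failed password for root from 203.0.113.7 port 51015 ssh2
Nov 14 22:02:10 host sshd[1240]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Nov 14 22:03:44 host sshd[1244]: Failed password for root from 192.0.2.9 port 33001 ssh2
Nov 14 22:04:00 host sshd[1250]: Invalid user test from 203.0.113.7 port 51020
Nov 14 22:04:30 host sshd[1251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.9 user=root
EOF
}

# ssh_ban_candidates MAXRETRY: read sshd log lines on stdin and print
# "<failures> <ip>" for every source with at least MAXRETRY failures,
# most aggressive first. Successful logins and the duplicate pam_unix
# report of a failure are deliberately not counted.
ssh_ban_candidates() {
    awk -v max="$1" '
        # Password and invalid-user failures carry the source after "from".
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
            next
        }
        # The pam_unix line repeats a failure already logged by sshd; counting
        # it too would double every attempt, so it is skipped.
        END {
            for (ip in fails) if (fails[ip] >= max) print fails[ip], ip
        }
    ' | sort -rn
}

# Stand-alone run: who would be banned with a maxretry of 3?
if [ "${1:-}" = "--demo" ]; then
    sample_auth_log | ssh_ban_candidates 3
fi
```

On a real host you would feed it `/var/log/secure` (CentOS) or `/var/log/auth.log` instead of the sample function. The one thing this toy leaves out is fail2ban's `findtime` window: it counts failures over the whole input, whereas fail2ban only counts those within the last `findtime` seconds, so slow attackers need a longer window or a lower `maxretry` to be caught.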

  • sun.misc.Unsafe Is Being Removed. And That's a Good Thing.

    An interesting article is making waves on dzone and twitter:

    http://blog.dripstat.com/removal-of-sun-misc-unsafe-a-disaster-in-the-making/

    TL;DR: the sun.misc.* package is going to be removed, a bunch of libraries are using it, apocalypse will ensue, just because Oracle removes packages for "no reason". (I kid you not, the dripstat author actually states that.)

    No, it's not a new thing. No, it's not the apocalypse now either. Let's break down why:

    1. It's not at all a "no reason" change

    It's because Java has become so full of security holes that it's not even funny at this point. It's scary to see how in January a patch fixed 19 security holes, with 13 of them being show stoppers. Oracle themselves explain it at length.

    It's not because:

    "This engineer hates the Unsafe class for no real reason at all.."

    That's a silly statement, to say the least. (To be honest, my blood boils a bit just reading that sentence, because it's insulting to the engineer.)

    It is because people are losing trust in the platform. Why would you go with a platform riddled with bugs like that? What's the point in using whatever framework that is allegedly super secure, if the JVM itself is the weakest link? That is what makes Java now lose billions.

    That's the reason why Apple dropped Java altogether, because its security was in the gutter.

    2. It's a private package of the JVM

    If you're bold enough to use it, you should be bold enough to write your own thing. Why should Oracle be bound by some form of moral requirement to document whatever cryptic legacy code people reverse engineered in the first place? What. The. Hell.

    Probably this tweet captures the essence of the whole thing: 

    It's not even such a big deal. I swear!

    Do you know what else introduced breaking API changes for public APIs? The endorsed folder. It's what stuff like WebLogic uses to overwrite already published public APIs. I'm going to reiterate this: there is already the endorsed folder, which allows overwriting public APIs from the JVM, and people are using it. This is a great thing actually, especially if the API was not finalized. Why get stuck with an API for the next two years?

    Public APIs! And did the universe implode? Were billions of dollars lost? Calm down, people, jeeeez.

    3. There will still be YEARS of Java 8 support

    Oracle doesn't just throw away JVMs and then pull the plug on support. If the program you're using, and its creepy library that needs sun.misc.Unsafe, are that important, go buy support. I mean, for crying out loud, you can still get Java 6 support, which people were using to connect to dinosaurs. And Java's support life cycle is 11 (eleven!!) years.

    So finally, please all, can you just chill out?

    It's all for the better I promise.

    PS: I am not affiliated with Oracle in any shape or form, other than that I develop with and use Java, and I'm a certified JEE5 Enterprise Architect.
