Archive for the ‘Tips’ Category

SSH: Restricting Access: A Moat Around the Castle

Saturday, July 17th, 2010

Trim Castle Moat by Sean Munson
Here are two new-to-me techniques for keeping your server free from SSH brute force attacks by tuning up your /etc/ssh/sshd_config file. I know that using IP address based security is probably more secure, but I wanted to find a solution that could yield higher security without limiting IP addresses. I like to be able to access the machines I need to access without having to be at a specific location, or have a VPN, or SSH through a couple of machines before I can access the machine I need. I recognize those solutions are likely more secure, but I’m trying to avoid IP-based security restrictions if possible.

Stop people from attempting to login as root

Add (or find and modify) this line:
PermitRootLogin no
This simply doesn’t allow people to log in directly to your box as the root user. Simple enough. Not letting people log in directly as root takes away one of the well-known usernames that people will attempt to log in as. This means that everyone who wants to gain root will first have to log in as another (more obscure) user on the system, which leads me to the next technique.

Only Allow Logins from specified users

Add (or find and modify) this line:
AllowUsers username1 username2
This means that only these users are allowed to log in; every other user cannot. This is handy because it shuts out all the other user accounts created on the system, which probably don’t, but might, currently have SSH access.

Neither of these techniques strikes me as a silver bullet solution, but as I’m realizing, there are no silver bullet solutions in keeping a machine secure. So consider these two more possibilities for further guarding your machines, like a moat around the castle walls.
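To confirm that both settings are really in effect, the added example below (not part of the original post) reads an sshd_config-style file the way sshd does: the first PermitRootLogin line wins, while AllowUsers lines accumulate. The function names and sample files are constructed for illustration, and only plain "Keyword value" lines in the global section are handled (Include and Match are not evaluated).

```shell
#!/bin/sh
# Added example, not from the original post. Handles plain "Keyword value"
# lines in the global section only; Include and Match are not evaluated.

# effective_value FILE KEYWORD -> prints the value sshd would use.
# sshd keeps the FIRST value it reads for a keyword such as PermitRootLogin,
# so a line appended at the bottom loses to an earlier one. AllowUsers is
# the exception: every AllowUsers line adds to one combined list.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        { key = tolower($1) }               # keywords are case-insensitive
        key == "match" { exit }             # global section ends here
        key != want { next }
        {
            $1 = ""; sub(/^[ \t]+/, "")     # keep only the arguments
            if (want != "allowusers") { print; exit }
            list = (list == "" ? "" : list " ") $0
        }
        END { if (list != "") print list }
    ' "$1"
}

# audit_sshd FILE -> one line per check; returns 0 only if both hold.
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    users=$(effective_value "$1" AllowUsers)
    if [ "$root" = "no" ]; then
        echo "ok    PermitRootLogin no"
    else
        echo "FAIL  PermitRootLogin is '${root:-unset}' (first line wins)"
        rc=1
    fi
    if [ -n "$users" ]; then
        echo "ok    AllowUsers $users"
    else
        echo "FAIL  AllowUsers is unset: no user allow-list in effect"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the two lines were appended below an existing default.
write_appended_sample() {
    printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin yes' \
        'AllowUsers username1' 'permitrootlogin no' \
        'AllowUsers username2' > "$1"
}

# Constructed sample: the existing line was found and modified instead.
write_modified_sample() {
    printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin no' \
        'AllowUsers username1 username2' 'Match User username2' \
        '    X11Forwarding no' > "$1"
}

tmp=$(mktemp -d)
write_appended_sample "$tmp/appended"; audit_sshd "$tmp/appended" || true
write_modified_sample "$tmp/modified"; audit_sshd "$tmp/modified" || true
rm -rf "$tmp"
```

On a live server, point audit_sshd at /etc/ssh/sshd_config, then run `sshd -t` to syntax-check the file and keep your current session open while you reload sshd, so a typo in AllowUsers cannot lock you out.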

Recap: Presenting at the CMC BC Conference

Monday, June 14th, 2010

Canadian Association of Management Consultants
For the uninitiated CMC BC = Canadian Management Consultants of BC! CMC BC held their first conference in Richmond at the River Rock Casino two weeks ago. Through Terry Rawchalski I had the opportunity to present on what I feel were the salient points in creating a valuable and rock solid web presence.

You can see my slides below

I tried to focus not on the technical parts but on the aspects that are readily accessible to anyone aiming to develop an effective educational tool/lead generator/etc. that is invincible to search engine algorithm changes (isn’t that the definition of the stormy sea for a website). For your enlightenment, the 30 second version of what I took 40 minutes to say at the conference is this:

The search engines are getting smarter, closer and closer to being as smart at knowing what we want as we are ourselves (a bit creepy), so let’s focus on creating the really awesome, compelling, interesting and helpful stuff that we would like to find on the Internet. Put this kind of content onto your site and the search engines are going to reward you with strong search rankings. Because… we, the collective people who use the Internet, love great information and tools. I did also touch on how to give the search engines signals that you’ve got some great stuff, via keyword planning/alignment, linking, more linking and patience. But those details, while very helpful and important, are never going to make up for a lack of great content. Show me a site that ranks without content and I’ll show you a short lived win. Show me a site that has great content, and I’ll show you a great opportunity.

I really appreciated the audience participation, it’s a pleasure to present where people are involved in taking in what is being said and dishing out meaningful questions.

As is becoming usual, there turned out to be far too many slides and the last portion of my talk had similarities to an inkblot test. I flash a slide on the screen and say one sentence that describes what feels like the most important aspect of that slide. An exercise in brevity.

Thanks to Terry and Chris Burdge for their parts in what turned out to be a great and well-rounded introduction to creating an effective web presence.

Recap: WordCamp Victoria 2010

Tuesday, June 1st, 2010

This Spring I had the good fortune to have the opportunity to go to Word Camp Victoria and both listen to a few of the presentations/workshops as well as lead one of the workshops about plugins for WordPress.

I had the good fortune to sit in on a workshop with Tim Ayres as he gave the masses a little of his hard fought wisdom being a blogger/real estate agent in Sooke and looking for ways to be effective as a blogger for business. It was an interesting discussion, as he told basically how much time and effort he put into creating an interesting blog. It was a great reminder of how you can build a name for yourself, a following and some online presence by simply putting your head down and writing. I’m not in a position right now where daily blogging is possible but I can say that it is something I would like to work toward.

Next I sat in with Paul Holmes as he expounded on the world of blog aggregators, their strengths and weaknesses. He pointed out the BC bloggers network. That was a new one for me. Which reminded me that it would be fun to set up a planet for Victoria. I feel like Victoria wide would be local enough to keep the contents interesting. I do enjoy reading planet.debian.org; would I enjoy reading a planet.victoria.org? Hard to say :)

Next was me! I talked about plugins for WordPress. It’s a huge topic, and in spite of the fact that I prepped a presentation, I pretty much abandoned it immediately in favor of simply taking questions and doing my best to put together some answers from the expertise in the crowd. That was my plan: help everybody help one another. If you were expecting me to be the fountain of knowledge… well… you would have been disappointed. But I thought we did pretty well to address a few issues that people were having with forms, caching, signups, etc.

Finally, I sat in on Raul’s talk about having a blog for personal/life and a second blog for professional purposes. It was great to hear his take on it. I’ve thought about this tons. Especially with relationship to different topics. He did a good job of drawing things back to your goals for your audience and first defining those and then letting everything flow naturally from that starting point. Maintaining two blogs is obviously more work, but if you really are trying to reach separate audiences, it just makes sense.

That was it! It was a great afternoon at Wordcamp! I enjoyed having the chance to lead a workshop and hope that the folks in the workshop were able to learn a thing or two!

Widgets: Making Your Site Great and Letting Others Help

Monday, November 16th, 2009

My presentation from WordCamp Victoria this weekend!

Storing Passwords with GPG and Vim

Wednesday, June 10th, 2009

Too many passwords these days. Way too many. I’ve been keeping passwords on kitchen recipe cards ever since the passwords that get handed out at work started to become completely cryptic and beyond my ability to remember them. Which may seem like a pretty insecure way to keep passwords. But, if the bad guys are actually sitting at my desk, I figure I may have bigger problems.

Finally, I’ve decided to take the risk of actually storing my passwords on my computer. I’m not real jazzed about the idea, seeing as how if the hackers get into my machine and then into my password file then I’ll really have given them the keys to the castle. But, with way too many passwords, what is the average hacker to do?

I work on mostly Debian GNU/Linux systems these days (hurray free software!!). So if you’re working on some other operating system this may be completely irrelevant to you. So, for myself and others, here’s how I’ve attempted to secure my passwords.

Enter GPG

GPG provides state-of-the-art encryption techniques that are often used for sending encrypted emails. But I found a few people who have used them for encrypting password files. So, this is the technique that I’ve chosen to follow. To get started you need a private key. At the terminal command line run

gpg --gen-key

I used the defaults for the questions it asked and then entered my details and a non-forgettable, non-write-downable passphrase. More specific detail on getting started with GPG. Seems too simple, yeah, to me too. That provides a private key with which we can encrypt files. You can encrypt whatever you would like, but it requires remembering a bunch of command line stuff that I would rather not try and recall (more about encrypting files for personal use from the command line here). Note: Once the password file is encrypted it’s not necessary to encrypt it by hand again.

So I created a new file called memories.txt and then encrypted it by typing on the command line

gpg --encrypt --recipient 'Jeff Richards' memories.txt

This produces a file called memories.txt.gpg. Now the original memories.txt can be deleted. Great! Now, how to add passwords, view them easily and re-encrypt the file as needed?

Vim and GPG plugin – Making Encryption Easier

At this point, ideally I’d have an encrypted file that I can open with my passphrase, and then read, write and close in an encrypted fashion. Enter vim plus the gpg plugin. Turns out someone has handily figured all this out. NOTE: the standard Debian install comes with vim-tiny, which doesn’t support plugins, so the first step is to install vim proper (package name: vim).

Once that’s installed, next step is to install the gpg plugin file.

  • Grab the gpg plugin code and save it into a file called gpg.vim.
  • Copy gpg.vim into the /home/your-username/.vim/plugin/ directory
  • If the directory .vim/plugin/ doesn’t exist, create it!

And… that’s it! Try to open the encrypted file with vim, in my case

vim memories.txt.gpg

Enter the passphrase and you’re in. Add and subtract, and the file is encrypted when you exit the program.

My reading of the vim plugin seems to indicate that there won’t be any temp files created or saved anywhere. If anyone has any tips as to why if/how this is a terrible/insecure way to keep passwords, please let me know!

Killing Junk Mail – The Red Dot Campaign

Tuesday, February 17th, 2009

Red Dot Campaign Mailbox Sticker.

There has been quite a bit of fuss around stopping advertising from coming into your home. There are two usual routes for people to try and get their message to you, the phone and the mail. Stopping people from soliciting is getting a little easier. On the phone side there’s the national do-not-call list. And on the mail side, there is the Red Dot Campaign.

Stopping Mail One Box at a Time

The Red Dot Campaign is dead simple. In a nutshell, you put a red dot on your mailbox that says “No Junk Mail Please” and that’s it. The mail person stops putting the junk mail in your box. The campaign organizers have a PDF that you can print out and tape onto your mailslot and one that you can print out and put on your mailbox (it’s bigger). Or if you’re really feeling spendy you can buy some red dot campaign stickers.

This isn’t a Crazy Environmentalist Thing, Canada Post is Onboard

The best thing is that Canada Post is totally onboard for this. They’ve said in their FAQ’s that:

Customers who do not wish to receive advertisement mail should put a note to this effect on their mailbox if they receive door-to-door delivery. For a community mailbox, group mailbox or postal box, the note should not be placed on the inside or the outside of the door. The note should be placed on the inside lip of the box. When the letter carrier puts the mail into the community mailbox, group mailbox or postal box, the door panel is open and not in view

They’ve even got a splashy little page encouraging you to do the right thing for the environment and stop the junk mail. The folks at the Red Dot Campaign claim:

The Consumer Choice database is decremented for each person opting out, and advertisers reduce their print quantities accordingly

But, I couldn’t find that on Canada Post’s site, although I reckon if enough people opt out of receiving flyers the message will travel up stream soon enough.

Results – Look Ma, No Junk Mails

Honestly, I am in awe of the fact that a small sticker stopped the seemingly endless stream of junk mail, but it did. We now get no junk mail. Big thank you to Canada Post and my mail delivery technician for making this easy.

Facebook Status Updates via Instant Messenger

Thursday, January 29th, 2009

Problem: I live in Canada (and Canadians love Facebook). No matter how awesome Identi.ca, Twitter or any of the other microblogging services are, most of my friends still use Facebook, nearly exclusively. I like my friends, I want to know what’s up with them, however I don’t want to log in to Facebook 5, 10, 20 times a day to see what’s up.

Wouldn’t it be great if Facebook status updates could be funnelled into my Gtalk/XMPP/Jabber or any other instant messenger? But how… Googling around didn’t turn anything useful up. I was stuck; I got an RSS feed from Facebook and resigned myself to reading it occasionally. Then, after reading a ReadWriteWeb article on notifixio.us, I started thinking it may be possible to feed notifixio.us the Facebook RSS feed and get IM Facebook status updates that way. Unfortunately, notifixious is dealing with a problem regarding Facebook RSS feeds; however, in my travels I discovered that FriendFeed could rebroadcast the RSS feed and make Facebook status updates via IM possible!

Notifixio.us + FriendFeed – Helping Facebook Instant Message

Notifixio.us is a service that polls RSS feeds and sends the updates to you via GTalk/XMPP. So generally you could just plug in the rss feed that you get from Facebook and bingo, bango, bongo you’d have Facebook updates coming to you via IM, but there’s a problem that stops that from working at the moment. So it’s time to introduce FriendFeed. While FriendFeed is generally used to consolidate one’s online posting activity so that friends can stalk (I mean, keep up with) all your online activity in one RSS feed, however, with a little encouragement we can use FriendFeed to re-broadcast the Facebook RSS feed in a form that Notifixio.us likes :) . [Update 2009-02-16: There's something funny with either friendfeed's news feed or else notifixio.us it seems that I only tend to get a portion of the status updates. Not all status updates come through]

Here’s how:

  1. Log in to Facebook
  2. Click on the Friends Section in the Top Navigation
  3. Find the “Friends’ Status Feed” on the Left of the Page
  4. Copy the link location to the clipboard
  5. Go to FriendFeed and get a new account. We need a new account because we don’t want this account to be crowded up with all the personal stuff that generally gets collected in FriendFeed.
  6. After you’ve worked through the registration process, Click Add/Edit Services (it’s on the right)
  7. Click See All 59 services at the bottom of the screen
  8. Click on “Custom RSS/Atom” (it’s under Miscellaneous)
  9. Enter the URL for your facebook status updates RSS and click “Import Custom RSS/Atom”
  10. Go to your FriendFeed homepage and get the RSS feed link address for that page (It’s way at the bottom)
  11. Go to Notifixio.us and register
  12. Go to “Settings” and work your way through the Gtalk/XMPP setup process
  13. Click “Add Source” and paste in the Friends’ Status Feed Url that we copied out of FriendFeed And Click “Go”
  14. Choose how you’d like to be notified, for me it’s my Gtalk/XMPP username
  15. A confirmation IM arrives immediately, saying that updates will be coming soon

That’s it! Facebook updates by IM. Wait patiently for one of your friends to post some banal detail of their daily life :) and enjoy reading about it in close to real-time via your favorite IM protocol!

What about Other Status/Microblog Services

Identi.ca Works with Gtalk/XMPP/Jabber out of the Box

One thing that I really like about identi.ca is that you CAN send and receive updates from your people through Gtalk/XMPP/Jabber. This is great, because you can have updates from your friends, or followers coming into your life in real time. It is so handy when you’re at an event and people are sending updates about not just life changing thoughts, but activities that are happening at the time. This is great, my same old Gtalk chat application all the identi.ca updates streaming in, realtime. Awesome!

Twitter can work with Gtalk/XMPP/Jabber with some Fiddling

I searched around for a way to do this with twitter. And sure enough tweet.im is offering a similar service. You can sign up with them, hand over your twitter username and password (ugh, ouch! who are these guys anyways? But so far so good, haven’t seen any rogue posts yet), and then, just like identi.ca does out of the box, updates from your twitter friends start flowing into your Gtalk/XMPP/Jabber instant messenger. It’s great and requires no special apps; the only downside is handing over those login credentials. At this point I consider this a necessary evil. Message to twitter: seize the future, start making instant messenger support native to your platform. Please!

Technical Reflections on Polling (skip if not interested)

RSS has one really big flaw: you have to poll the server to see if anything new is there. This means that every RSS feed you subscribe to means that a computer now has to poll that site to see if there is anything new there. Which is no big deal if you’ve just got a few subscribers, but if you’ve got tons like twitter, your servers are getting polled ALL THE TIME, so we’re eating up bandwidth to find out if anything is new on the site. This is at least one reason why twitter’s fail whale is so well known. That’s a lot of requests all the time; twitter limits polling to once a minute, just to keep their servers’ noses above water. XMPP is the future, this is a good first step.

Rsync is your friend

Tuesday, September 16th, 2008

Well, this is going to be one of those very geeky posts that is really just a reminder to me as opposed to for anyone else.

Rsync is just a tool that synchronizes directories. So why have I been finding this tool so handy lately? Well, it all relates to music. I have a subscription with emusic which tends to have some pretty great, if somewhat obscure albums. They serve up high quality mp3’s which you can play and listen to anywhere! Sweet! Now the problem is that I tend to download these things everywhere. I find some music that I want and I download it onto my laptop, then I download it onto my work computer, then the desktop. This music is all over the place. And now when I want it, where can I find it?

So I have a central location on my server where I put all this music. I’ve been using ftp to move the files around, but to be honest, it is just a little too time consuming, and consequently, I don’t do it.

Enter Rsync

rsync lets you take the contents of one directory and copy it to another. That’s it. The impressive thing is that it can do this through an ssh connection. So now, wherever I may be, if I have access to a command line I can quickly send the music on that computer to my computer!

The commands:

send from this computer to the server

rsync -avz -e ssh /home/jeff/Music/ username@jrichards.ca:/home/username/Music

or get music off the server

rsync -avz -e ssh username@jrichards.ca:/home/username/Music/ /home/jeff/Music

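That’s it. Be careful with the slashes at the end; they’re important. A trailing slash on the source means “copy the contents of this directory”; without it, rsync creates the directory itself inside the destination.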

A great dancing clip

Sunday, September 7th, 2008


Where the Hell is Matt? (2008) from Matthew Harding on Vimeo.

I’m not sure if this is JUST a promotion for stridegum as the ending would make you think. But it is still a really good watch. There is something that kind of resonates seeing so many places and so many people all dancing together.

Focus your Attention

Thursday, August 7th, 2008

I just wanted to share/remember this great blog series from Merlin Mann at 43folders.com that outlines how important it is to have limits about who, when and how much access other people have to contact us. Here’s a bite of it.

“For myself, I think it’s critical to set reasonable expectations about how, when, and where people can expect to have authentic, honest-to-God contact with us, and here’s why: if you leave every channel open to everybody and anybody, all the time and without limit, you necessarily prevent yourself from ever stepping away from the fray for long enough to focus. You’ll never make the time that it takes to produce the sort of good work that theoretically made you so appealing in the first place.”

http://www.43folders.com/2008/08/07/clear-line