Displaying Incoming Server Attacks By Giving Server Logs A Scoreboard

In the server world, it’s a foregone conclusion that ports shouldn’t be exposed to the greater Internet if they don’t need to be. There are malicious bots everywhere that will try to access anything they find connected to a network, and unneeded ports are best closed off completely. If you have to have a port open, like 22 for SSH, it needs to be secured properly and monitored so that the administrator can keep track of it. Usually this is done in a system log that gets put to the side, but [Nick] wanted a more up-front reminder of just how many attempts were being made to log into his systems.

This build actively monitors attempts to log into his server on port 22 and notifies him via a numerical display and a series of LEDs. It’s based on a Raspberry Pi Zero W housed in a 3D-printed case, and works by interfacing with a program called fail2ban running on the server. fail2ban’s primary job is to block IP addresses that fail a certain number of login attempts on a server, but being FOSS it can be modified for situations like this. With some Python code running on the Pi, it is able to gather the data fed to it from fail2ban and display it.

[Nick] was able to see immediate results too. Within 24 hours he saw 1633 login attempts on a server with normal login enabled, which was promptly shown on the display. A video of the counter in action is linked below. You don’t always need a secondary display if you need real-time information on your server, though. This Pi server has its own display built right in to its case.
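As an added illustration (not [Nick]’s code), here is the kind of Python the Pi could run over fail2ban’s own log to produce the numbers for the display: it counts failed attempts and bans for the sshd jail over a rolling 24-hour window. The log lines are constructed in the shape fail2ban writes, using documentation-range addresses.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Loosely matches the event lines fail2ban writes to its own log (spacing varies
# between versions), e.g. "... fail2ban.filter [812]: INFO [sshd] Found 203.0.113.5"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.\w+\s*\[\d+\]:\s*"
    r"\w+\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban|Unban)\s+(?P<ip>\S+)"
)

def parse_line(line):
    """Return (timestamp, jail, event, ip) for an event line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("jail"), m.group("event"), m.group("ip")

def scoreboard(lines, jail="sshd", now=None, window=timedelta(hours=24)):
    """Count failed logins ('Found') and bans for one jail inside a rolling window.
    'now' defaults to the newest event so the result is deterministic over a saved log."""
    events = [e for e in map(parse_line, lines) if e]
    if now is None:
        now = max((e[0] for e in events), default=datetime.now())
    attempts, bans = Counter(), 0
    for ts, j, event, ip in events:
        if j != jail or now - ts > window:
            continue                      # other jail, or outside the window
        if event == "Found":
            attempts[ip] += 1
        elif event == "Ban":
            bans += 1
    return {"attempts": sum(attempts.values()), "bans": bans, "sources": len(attempts)}

# Constructed sample log (documentation-range addresses); the first line is 26 hours
# older than the newest event, so the default 24-hour window drops it.
SAMPLE_LOG = """\
2019-11-04 07:00:00,000 fail2ban.filter  [812]: INFO    [sshd] Found 198.51.100.7
2019-11-05 08:00:01,120 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.5
2019-11-05 08:00:04,331 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.5
2019-11-05 08:00:07,900 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.5
2019-11-05 08:00:08,002 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.5
2019-11-05 08:30:12,450 fail2ban.filter  [812]: INFO    [sshd] Found 198.51.100.7
2019-11-05 08:31:00,000 fail2ban.filter  [812]: INFO    [apache-auth] Found 192.0.2.9
2019-11-05 09:00:00,000 fail2ban.actions [812]: NOTICE  [sshd] Unban 203.0.113.5
"""
```

A display loop would call `scoreboard()` on a tail of the live log every few seconds and push the three numbers to the seven-segment display and LEDs.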


Can Solid Save The Internet?

We ran an article on Solid this week, a project that aims to do nothing less than change the privacy and security aspects of the Internet as we use it today. Sir Tim Berners-Lee, the guy who invented the World Wide Web as a side project at work, is behind it, and it’s got a lot to recommend it. I certainly hope they succeed.

The basic idea is that instead of handing your photos, your content, and your thoughts over to social media and other sharing platforms, you’d store your own personal data in a Personal Online Data (POD) container and grant these companies revocable access to it, so they can use your data on your behalf. It’s like it’s your own website’s contents, but with an API for sharing parts of it elsewhere.

This is a clever legal hack, because today you give over rights to your data so that Facebook and Co. can display it in your name. This gives them all the bargaining power, and locks you into their service. If instead you simply gave Facebook a revocable access token, the power dynamic shifts. Today you can migrate your data and delete your Facebook account, but that’s a major hassle that few undertake.

Mike and I were discussing this on this week’s podcast, and we were thinking about the privacy aspects of PODs. In particular, whatever firm you use to socially share your stuff will still be able to snoop you out, map your behavior, and target you with ads and other content, because they see it while it’s in transit. But I failed to put two and two together.

The real power of a common API for sharing your content/data is that it will make it that much easier to switch from one sharing platform to another. This means that you could easily migrate to a system that respects your privacy. If we’re lucky, we’ll see competition in this space. At the same time, storing and hosting the data would be portable as well, hopefully promoting the best practices in the providers. Real competition in where your data lives and how it’s served may well save the Internet. (Or at least we can dream.)

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter.


That’s It, No More European IPV4 Addresses

When did you first hear concern expressed about the prospect of explosive growth of the internet resulting in exhaustion of the stock of available IP addresses? About twenty years ago perhaps? All computers directly connected to the internet must have an individual unique address, and the IPv4 scheme used since the 1980s has a 32-bit address space that provides only 4,294,967,296 possibilities. All that growth means that IPv4 addresses are now in short supply, and this week RIPE, the body which allocates them in Europe, has announced that it no longer has any to allocate. Instead of handing out new address blocks, it will now provide only ones that have been relinquished, for example by companies that have gone out of business, and interested parties can join a waiting list.

Is the Internet dead then? Hardly, because of course IPv6, the replacement for IPv4, has been with us for decades and has a much larger 128-bit address space. The problem is that there is a huge installed base of IPv4 infrastructure which has always been cited as the reason to delay its adoption, so the vast majority of the internet-connected world has remained with IPv4. Even in an IPv4 world there are opportunities to be more efficient in the use of addresses such as the network address translation or NAT that many private networks use to share one address between many hosts, so it’s not quite curtains for your smart TV or IoT light bulb even though the situation will not get any easier.

The mystery is why, after so many years, we still use IPv4 so much. Your home router and millions like it will pick up an IPv4 address from your broadband provider’s pool, and there seems little reason why it cannot instead pick up an IPv6 address and contain a gateway between the two. The same goes for addresses outside the domestic arena, and even in our community we find that IPv6 networks at events are labelled as experimental. Perhaps this news will spur the change, but meanwhile we don’t expect to be using an IPv6 address day-to-day very soon.

We know among Hackaday’s readership there will be people close to the coalface when it comes to IPv6 adoption. As always the comments are open, and we’d like to hear your views.

Header: Robert.Harker [CC BY-SA 3.0].

Hackaday Links: November 3, 2019

Depending on how you look at it, the Internet turned 50 years old last week. On October 29, 1969, the first message was transmitted between two of the four nodes that made up ARPANET, the Internet’s predecessor network. ARPANET was created after a million dollars earmarked for ballistic missile defense was diverted from the Advanced Research Projects Agency budget to research packet-switched networks. It’s said that ARPANET was designed to survive a nuclear war; there’s plenty of debate about whether that was a specific design goal, but if it was, it certainly didn’t look promising out of the gate, since the system crashed after only two characters of the first message were sent. So happy birthday, Internet, and congratulations: you’re now old enough to start getting junk mail from the AARP.

Good news for space nerds: NASA has persuaded Boeing to livestream an upcoming Starliner test. This won’t be a launch per se, but a test of the pad abort system intended to get astronauts out of harm’s way in the event of a launch emergency. The whole test will only last about 90 seconds and never reach more than 1.5 kilometers above the White Sands Missile Range test site, but it’s probably a wise move for Boeing to be as transparent as possible at this point in their history. The test is scheduled for 9:00 AM Eastern time — don’t forget Daylight Savings Time ends this weekend in most of the US — and will air on NASA Television.

Speaking of space, here’s yet another crowd-sourced effort you might want to consider getting in on if you’re of an astronomical bent. The Habitable Exoplanet Hunting Project is looking for a new home for humanity, and they need more eyes on the skies to do it. An introductory video explains all about it; we have to admit being surprised to learn that the sensitive measurements needed to see exoplanets transiting their stars are possible for amateur astronomers, but it seems doable with relatively modest equipment. Such are the advances in optics, CCD cameras, and image processing software, it seems. The project is looking for exoplanets within 100 light-years of Earth, perhaps on the hope that a generation ship will have somewhere to go to someday.

Space may be hard, but it’s nothing compared to running a hackerspace right here on Earth. Or at least it seems that way at times, especially when those times include your building collapsing, a police raid, and being forced to operate out of a van for months while searching for a new home, all tragedies that have befallen the Cairo Hackerspace over the last few years. They’re finally back on their feet, though, to the point where they’re ready to host Egypt’s first robotics meetup this month. If you’re in the area, stop by and perhaps consider showing off a build or even giving a talk. This group knows a thing or two about persistence, and they’ve undoubtedly got the coolest hackerspace logo in the world.

And finally, no matter how bad your job may be, it’s probably not as bad as restoring truck batteries by hand. Alert reader [rasz_pl] tipped us off to this video, which shows an open-air shop in Pakistan doing the dirty but profitable work of gutting batteries and refurbishing them. The entire process is an environmental and safety nightmare, with used electrolyte tossed into the gutter, molten lead being slung around by the bucketful, and not a pair of safety glasses or steel-toed shoes (or any-toed, for that matter) to be seen. But the hacks are pretty cool, like pouring new lead tabs onto the plates, or using a bank of batteries to heat an electrode for welding the plates together. We’ve talked about the recyclability of lead-acid batteries before and how automated plants can achieve nearly 100% reuse; there’s nothing automated here, though, and the process is so labor-intensive that only three batteries can be refurbished a day. It’s still fascinating to watch.


DNS-over-HTTPS Is The Wrong Partial Solution

Openness has been one of the defining characteristics of the Internet for as long as it has existed, with much of the traffic today still passed without any form of encryption. Most requests for HTML pages and associated content are in plain text, and the responses are returned in the same way, even though HTTPS has been around since 1994.

But sometimes there’s a need for security and/or privacy. While encryption of internet traffic has become more widespread for online banking and shopping, the privacy-preserving aspect of many internet protocols hasn’t kept pace. In particular, when you look up a website’s IP address by hostname, the DNS request is almost always transmitted in plain text, allowing all the computers and ISPs along the way to determine what website you were browsing, even if you use HTTPS once the connection is made.

The idea of also encrypting DNS requests isn’t exactly new, with the first attempts starting in the early 2000s, in the form of DNSCrypt, DNS over TLS (DoT), and others. Mozilla, Google, and a few other large internet companies are pushing a new method to encrypt DNS requests: DNS over HTTPS (DoH).

DoH not only encrypts the DNS request, but also sends it to a “normal” web server rather than a DNS server, making the DNS request traffic essentially indistinguishable from normal HTTPS. This is a double-edged sword. While it protects the DNS request itself, just as DNSCrypt or DoT do, it also makes it impossible for the folks in charge of security at large firms to monitor for DNS spoofing, and it moves the responsibility for a critical networking function from the operating system into an application. It also doesn’t do anything to hide the IP address of the website that you just looked up — you still go to visit it, after all.

And in comparison to DoT, DoH centralizes information about your browsing in a few companies: at the moment Cloudflare, who says they will throw your data away within 24 hours, and Google, who seems intent on retaining and monetizing every detail about everything you’ve ever thought about doing.

DNS and privacy are important topics, so we’re going to dig into the details here.
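To make the comparison concrete, here is an added example in Python (not from the article): it encodes a DNS question in the wire format that travels in the clear over UDP port 53, decodes the name back the way any on-path observer can, and wraps the identical bytes the way RFC 8484 carries them over HTTPS. The resolver name `dns.example`, the answer `192.0.2.1` and `fake_response` are constructed for the demo.

```python
import base64
import struct

def build_query(hostname, qtype=1):
    """Encode a DNS question in RFC 1035 wire format (qtype 1 = A record).
    Transaction ID 0 and RD flag set, as RFC 8484 suggests for cache-friendly DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)          # class IN

def read_qname(msg, offset=12):
    """Decode a name from wire format, following compression pointers (0xC0..).
    This is all an on-path observer needs to do with a plaintext UDP/53 packet."""
    labels = []
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                               # pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            name, _ = read_qname(msg, ptr)
            return ".".join(labels + [name]), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def doh_get_url(resolver, query):
    """Wrap the same bytes the RFC 8484 GET way: base64url, no padding, 'dns' param.
    (POST sends them unchanged as the body with Content-Type application/dns-message.)"""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={token}"

def first_a_record(msg):
    """Return the first A record's address from a response, or None."""
    _, off = read_qname(msg)                                      # question name
    off += 4                                                      # QTYPE, QCLASS
    _, off = read_qname(msg, off)                                 # answer name
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 1 and rdlen == 4:
        return ".".join(str(b) for b in msg[off:off + 4])
    return None

def fake_response(query, ipv4):
    """Constructed resolver answer for the demo: echoes the question, adds one A record."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return header + query[12:] + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
```

Over plain DNS, `read_qname` on the sniffed packet yields the hostname; over DoH only the TLS session to the resolver is visible, but the A record that comes back is still the address the browser connects to next, which is the part DoH cannot hide.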

Run Your Own Phone To Bring The Dreamcast Back Online

Playing a video game online is almost second nature now. So much so that almost all multiplayer video games have ditched their split-screen multiplayer modes because they assume you’d rather just be alone at your house than hanging out with your friends. This wasn’t always the case though. In the early days of online multiplayer, systems had to rely on dial-up internet before broadband was readily available (and still had split screen if you didn’t even have that). Almost no one uses dial up anymore though, so if you still like playing your old Dreamcast you’re going to have to do some work to get it online again.

Luckily for all of us there’s a Raspberry Pi image to do almost anything now. This project from [Kazade] uses one to mimic a dial-up connection for a Dreamcast so you can connect with other people still playing Quake 20 years later. It’s essentially a network bridge, but you will need some extra hardware, because phone lines run at a higher voltage than the Pi provides and you’ll have to make (or buy) a solution for that. Once all the hardware is set up and working, you’ll need to make a few software configuration changes, but it’s a very straightforward project.

Granted, there have been ways of playing Dreamcast games online before, but this new method really streamlines the process and makes it as simple as possible. The Dreamcast was a great system, and there’s an argument to be made that the only reason it wasn’t more popular was that it was just slightly too far ahead of its time.

Thanks to [Rusty] for the tip!

Connecting New York City To The Backbone: Meet NYC’s Mesh Network

Access to fast and affordable internet is a big issue in the USA, even in a major metropolis such as New York City. Amidst a cartel of ISPs who simply will not deliver, a group of NYC inhabitants first took it upon themselves to ease this situation by setting up their own mesh-based internet connections way back in 2013. Now they will be installing a new Supernode to take the installation base far beyond the current 300 buildings serviced.

As a community project, NYC Mesh is run as a non-profit organization, with its community members supporting the effort through donations, along with partnerships with businesses. Its router hardware consists of off-the-shelf equipment (with a focus on the Ubiquiti NanoStation NSM5) that gets flashed with custom firmware containing the mesh routing functionality.

As this article by Vice mentions, NYC Mesh is one of 750 community-led broadband projects in the US. Many of those use more traditional fixed wiring with distribution lines, but NYC Mesh focuses fully on wireless (WiFi) links with wireless mesh networking. This has the obvious benefit that given enough bandwidth on the Supernodes that hook into the Internet exchange points (IXP) and an efficient mesh routing protocol, it’s quick and easy to hook up new clients and expand the network.

The obvious downsides of using WiFi, and RF in general, are that they are not immune to outside influences such as weather (rain), RF interference (including from other WiFi stations) and of course fairly limited range if there’s no direct line of sight. In a densely populated city such as NYC this is not much of an issue, with short hops between rooftops.