Subscribe to this feed

The story of the purple frog.

Thursday, 15th October 2015

A bunch of crypto geeks were on a week long bender and were chilled out from smoking copious amounts of weed. One of them suggested that instead of hashing the password and transmitting it that they should hash the username and the password. Everyone said cool and after thinking about that for a good while they fell asleep in their chairs.

Later that day they laid into some shrooms and someone else said that the purple frog on that giant toadstool just invited me to his realm so how about we hash the username, the password and the realm and transmit that. Everyone thought that was cool, so the purple frog drafted the digest md5 rfc and now we have an ambiguous screwed up standard that makes you wish they hadn't done that.

The end.

Warning of impending peril to your waves

Saturday, 26th September 2015

I passed my general amateur operators certificate exam on Thursday night, so I have a certificate that claims that I'm competent to operate a radio in the amateur bands. Heh.

The equivalent qualification in the USA has about three different exams, so in contrast it is amazingly easy to get in NZ.

I Can't decide if it's good to eliminate all the pointless red tape or dangerous to let folks who barely know which direction the antenna fires the radio waves loose in the bands. I guess it is the Kiwi way.

WTF is up with the ntp defaults on Cisco?

Thursday, 27th February 2014

So, it turns out that configuring an ntp peer on a Cisco router enables an ntp server that is open on every interface that that router has.

The only valid excuse I can come up with for this is that the defaults were chosen so long ago that the internet was a much nicer place.

So how do we fix this up?

There isn't a nice knob that says 'Don't serve client requests to anyone' ( which is screaming out to be the default ). So excluding ACL's applied directly to interfaces, we have to fake it with what there is.

There is the ability to appy ACL's on the ntp service for three classes of ntp packets; peers, querys and servers. This isn't as useful as it sounds, when you apply an ACL to a query class it triggers a default drop in all of the other classes, so if you apply a default deny to the query class, then you have to put in an ACL to permit the NTP servers that you have configured to talk to you.

Depending on what version of IOS you have, you may only be able to configure numbered access lists on your ntp service. The configuration that should work on anything running an old version of IOS as long as you are only doing IPv4 is the following:

ip access-list standard 99

ntp access-group peer 99

If you have IOS 15.3 or newer and IPv6 configured you want something like the following:

ip access-list standard v4-ntp-servers

ipv6 access-list v6-ntp-servers
permit 2001:4428:0:13::10
permit 2001:4428:0:6::66
permit 2001:4428:0:6::67

ntp access-group ipv4 peer v4-ntp-servers
ntp access-group ipv6 peer v6-ntp-servers

Speaking of defaults

Friday, 11th October 2013

I just recently noticed that I set up the page layout ( a heap of years ago ) on this site so it could fit full screen on a browser running 800x600.

I hope no poor sod still browses the web in 800x600 anymore, but if they do I expect they are doing it on a phone or other such limited platform that deals with that okay.

I put in a few quick adjustments to the css so it is at least set up for 1024 pixels wide less a margin of safety and did a new logo backing png. I guess if I really felt like doing some work I would do something that scales nicely with screen size. I really can't be bothered though and I reckon it is always going to look dorky maximised on a 2560x1440 desktop unless there is a heap of horizontal stuff that all scales nicely too.

Getting manufacture dates from cisco serial numbers

Tuesday, 8th October 2013

I've just added a javascript utility that gets the manufacture dates from a Cisco serial number and prints it out.

It turns out that it is in plain view other than the offset in the year value. The format is described in the text above the decoder, so you can write your own or do it in your head if you like to remember trivia like that.

Brute force for the win

Friday, 4th October 2013

If you are going to try an brute force passwords over ssh you should probably try better usernames than ferlac and gyurushop.

I wish I had logs of what sort of password ferlac and gyurushop would have.

Oct 4 14:56:15 wombat sshd[12240]: input_userauth_request: invalid user ferlac [preauth]
Oct 4 14:56:15 wombat sshd[12240]: pam_unix(sshd:auth): check pass; user unknown
Oct 4 14:56:15 wombat sshd[12240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
Oct 4 14:56:17 wombat sshd[12240]: Failed password for invalid user ferlac from port 38348 ssh2
Oct 4 14:56:17 wombat sshd[12240]: Received disconnect from 11: Bye Bye [preauth]
Oct 4 14:59:19 wombat sshd[12271]: Invalid user gyurushop from
Oct 4 14:59:19 wombat sshd[12271]: input_userauth_request: invalid user gyurushop [preauth]
Oct 4 14:59:19 wombat sshd[12271]: pam_unix(sshd:auth): check pass; user unknown
Oct 4 14:59:19 wombat sshd[12271]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
Oct 4 14:59:21 wombat sshd[12271]: Failed password for invalid user gyurushop from port 58955 ssh2

Defaults chosen for another era

Tuesday, 1st October 2013

I had to set up squid last week for a reverse proxy type arrangement and I was pretty amazed to see that the default config file that comes with ubuntu still has the same example memory and disk cache entries that were probably around when I first set it up in the late 90's on Slackware.


cache_mem 100 MB

cache_dir ufs /var/spool/squid3 100 16 256

100mb may have been a lot of memory way back when, but for the box I was using last week 28GB was a bit more like it. As a practical issue I was left wondering if the cache_dir entry was actually in GB and had to look it up.

Makes me wonder if everyone uses varnish or some other such new shiny these days and if there is some kind of beautiful symmetry around dinosaurs such as me using old dinosaur software like squid.

Google Adsense over SSL

Wednesday, 18th September 2013

It looks like Google have started offering adsense ads over an SSL transport in the last few days, so I've made the relatively minor change to take advantage of it.

With the scary warnings and other messages taken care of plus me finding the smaller wide format text ads I think I'm happy enough to leave them on the site.


© 2009 Lincoln Reid <lincoln@osoal.org.nz>