
Monday May 28th, 2012 | 0 comment(s).

As I mentioned in an earlier post, about 2 years ago: Café Vingerhoeds in Oirschot, the Netherlands has amazing tomato soup. I also said I'd go back there sometime in the future. As it happens, I was in the area today, so uh..


Yum!

Friday May 18th, 2012 | 0 comment(s).

My parents invited me to come along for a visit to the Floriade, a horticultural expo that is held once in a decade. Every time it's held, the expo is situated in a different part of the country, and this time it was in Venlo.

The park was split into five themes: World Show Stage, Environment, Education & Innovation, Relax & Heal and Green Engine. We didn't feel like rushing through the park, so we decided to just take it easy and see where we would go. Eventually we managed to visit Environment, Education & Innovation and World Show Stage before my mom's batteries ran out and we decided to head home; so we still visited quite a big chunk of the park.


One thing worth mentioning was the catering, and in particular the "soup". As is traditional with theme parks, the catering was ridiculously expensive. When we entered the restaurant, our hunger disappeared quite fast as soon as we saw the price tags on the menus. They had the balls to charge € 7,- for a hamburger which roughly consisted of a bread bun, a thin slab of meat, a slice of tomato and a leaf of lettuce; condiments were to be purchased separately for € 0,50 per packet.

Eventually we decided to go for the organic tomato soup (€ 5,70 per bowl), a choice we ended up regretting quite a bit. Somehow I suspect that they opened a 1 liter can of soup, then added half a liter of coffee creamer, 5 liters of water and 500 grams of vegetables to it; and that was to be the soup of the day. It was just a very lean broth with a tomato-ish flavor to it.

All in all a great day, but next time I'm bringing my own food.

Sunday April 15th, 2012 | 0 comment(s).

Last night I attended a concert of the Finnish metal band Nightwish at the ISS Dome in Düsseldorf, Germany.

The performance and pyro show were awesome, the fireworks, sound and venue itself were huge, but unfortunately so was the price of the drinks: € 5,- for a glass of cola.

It was totally worth it, though. Awesome concert!

Filed under: music, sony dsc-w350.
Monday April 9th, 2012 | 0 comment(s).

It took me a while to find a decent one, but I finally have a boonie hat in Second Life.

Filed under: gaming, second life.
Thursday March 29th, 2012 | 0 comment(s).

While browsing a bit on YouTube, I came across an electro-pop group called Donkey Boy. They're a little fruity, but very refreshing.


It's definitely one of those songs that will get stuck in your head for a long time.

Filed under: video, 3rd party content, music.
Friday March 23rd, 2012 | 0 comment(s).

"... I don't know who you are, or if you even really exist; but I want you to know that I miss you and will always love you."

I had a dream last night that has left me a bit shaken up. I've had many weird dreams in the past, but I had never had a dream where I lost a friend or a lover.

  • I was doing some urban exploration of an old, abandoned factory somewhere in The Netherlands. When I opened a random door, I suddenly found myself in some kind of large store that sold furniture, kitchens, bathrooms, etc... Since the store was closed, and it was night-time; there was nobody around. I decided to sneak around a bit, in the hope that they might have a restaurant in the store where I could steal some snacks.

    As I was ransacking the fridge in the restaurant, I heard some sounds coming from the store. I snuck back into the store, to see who or what was making that sound; and escape back to the abandoned factory if needed. When I was sneaking through the bathroom section of the store, I heard a sound again; but the sound seemed to come towards me somehow. I decided to hide in an empty bathtub and cover my black clothes with some white towels. When the sound passed me by I peeked over the edge of the bathtub and, to my surprise saw the back of a blonde girl in a tight black outfit that was hiding behind a small closet.

    On the other side of the store, I could see a couple of flashlights coming our way; obviously some security guards that were patrolling. It was obvious to me that the girl would be spotted any moment, and that she was unaware of that situation. Swiftly and silently I snuck up on the girl, put my hand over her mouth, pulled her back into the bathtub and covered us both up with towels again. The girl was trying to free herself, but when I pointed in the direction of the guards and let her peek over the edge, she cooled down quite fast and lay still.

    When the guards were gone again, I let her go and she thanked me. She said her name was Sandra, and she had a very distinct Polish accent. When I asked her what she was doing here, she said "Well the same as you, apparently". When I told her I wasn't a burglar, she laughed and asked me why I had a bag full of cola cans and candy bars. Shamefully I had to admit that I had stolen them from the restaurant, and she laughed even harder. After a bit of talking and flirting, we moved towards another section of the store, to keep clear of the guards that seemed to patrol the same route every hour or so.

    Our new "hideout" was a large sauna cabin that had only a small window with frosted glass. We had a long conversation about random stuff and eventually decided that since we were in the sauna cabin anyway, we might just as well strip naked and turn the steam on. It didn't take long before we were lying on the floor of the sauna cabin making love. When we were done with the lovemaking, we heard even more sounds outside of the cabin. A quick and careful peek outside told us that the lights were turned on and staff members were walking around making sure that everything was ready for opening the store. We decided to wait till there were customers in the store, and mingle with the customers to sneak out.

    Over the next few weeks our relationship evolved, and we made love quite often. One day, Sandra seemed very down and I asked her what was up. She told me that she wasn't feeling too well, and had visited the doctor. The doctor did some blood tests and told her she was diagnosed with leukemia and would have 2 to 3 months to live at most without immediate treatment. The next day I brought her to the hospital. At the hospital some nurses took blood and urine samples from Sandra for examination, apparently to determine how to treat the disease. I told Sandra that I had to visit a friend and blow off some steam, but that I would be back the next day.

    When I visited my friend Daniel, he was playing some kind of game that involved being chased by alligators and it looked like quite a bit of fun. After playing the game a bit, I received a phone call from the hospital. The nurse said that the first blood tests that the doctor did were wrong, and that Sandra didn't have 2 to 3 months to live, but 4 to 5 days at most. I immediately rushed back to the hospital, only to find Sandra's room full of strangers. They all gave me a weird look and it became clear to me that they were Sandra's family, whom I hadn't met yet.

    When I finally made my way to Sandra's bedside, she looked at me and whispered that she had been waiting for me to get back. We held hands and looked each other in the eyes for a short while, and Sandra nodded at me. With tears in my eyes I nodded back at her and understood that the time had arrived. With great effort Sandra managed to whisper "I love you", but even before I managed to whisper "I love you too" back at her, her grip on my hand loosened and she was gone.

I clearly understand what memories my mind used for the composition of this dream. The girl is obviously my own interpretation of the porn star Sandra Parker; because the way I remember it, the girl in my dream looked a bit like her. And her death... well... as some of you may or may not know, I play a lot of Second Life. Almost two years ago, I was flirting a bit with a German girl who was eager to become part of my uh.. "family" in Second Life. A few days after I met her, she told me that she had to go to the hospital for some blood tests.

I didn't see her online for a few days, till she came online and told me that she was hospitalized because the blood test told her that she had leukemia. Over the next few months she came online sparingly and told me about her time in the hospital. Then one day I received a private message from her character, but not from herself. The private message was sent by a friend of the girl who informed me that the girl had passed away, and had requested this friend to let me know.

It was just very awkward and heartbreaking at the same time. Kind of like this dream, come to think of it...

Filed under: dream journal.
Thursday March 22nd, 2012 | 0 comment(s).

Sometimes you come across a video that just makes you happy; The following clip is, in my opinion, definitely one of those videos.

It has everything you could ever wish for in life: super hot chicks in tight rubber outfits that kick serious ass while carrying guns, knives and Zippo lighters... mixed with some awesome music.

Filed under: video, 3rd party content, music.
Sunday March 4th, 2012 | 0 comment(s).

"Anything that can go wrong, will - at the worst possible moment." I've mentioned Finagle's Law of Dynamic Negatives a few times earlier, and as I also mentioned; it's always there. So, when I decided, or rather attempted, to spice up my server a bit by tweaking some kernel parameters that handle TCP/IP traffic, it just had to go wrong!

So here's what happened: I had been reading up a little on improving latency, and in my local network it all seemed to work perfectly. Among other things I fiddled with the timeouts for Maximum Segment Lifetime, Explicit Congestion Notifications and time-out values for ACK, SYN and FIN packets in the firewall. But just because it works great in a finely tuned LAN, doesn't mean that it will work great on the internet.


So when a couple of search engines visited my site and started sniffing around, shit started to hit the fan. For some reason, presumably the tweaks I did to the firewall and TCP/IP stack, communication between my server and the search engines got disrupted, and a lot of TCP packets were sent back and forth trying to (re)-establish communication. The result was that my server was pulling an average of 21 Megabits per second for about 4 hours, burning up a substantial sum of my monthly data bundle in the process. And the biggest hoot is that during that time the server registered only 147 page views.

Needless to say I wasn't very happy with it burning up 96GB of useless traffic, due to my "improvements". The phrase "If it's not broken, don't try to fix it." comes to mind. I've undone all the tweaks and will consider it a lesson learned.

*sigh* Yeah...

Filed under: tech, server, freebsd.
Tuesday February 28th, 2012 | 0 comment(s).

It's a common sight and source of annoyance for many system administrators: people attempting to do brute force hacking on your server. Often the /var/log/auth.log file will contain a truckload of error messages and authentication failures.

A common error message would be the "reverse mapping" message:

Feb 15 17:41:58 ams01 sshd[1516]: reverse mapping checking getaddrinfo for user.145.126.222.zhong-ren.net [222.126.145.202] failed - POSSIBLE BREAK-IN ATTEMPT!
Another variant is that the reverse DNS lookup doesn't match the forward DNS:
Feb 19 00:55:28 ams01 sshd[32031]: Address 212.156.126.210 maps to 212.156.126.210.static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Or the log file contains a long chain of error messages where someone is trying to log on with a single user, using a vast array of passwords:
Feb 22 12:01:24 ams01 sshd[77812]: error: PAM: authentication error for root from 60.54.248.46
Feb 22 12:01:27 ams01 sshd[77815]: error: PAM: authentication error for root from 60.54.248.46
Feb 22 12:01:31 ams01 sshd[77818]: error: PAM: authentication error for root from 60.54.248.46
And in another scenario, the log file could contain a single IP that is trying to log on with a variety of usernames and passwords:
Feb 23 13:53:01 ams01 sshd[473]: Invalid user db2inst1 from 222.174.35.3
Feb 23 13:53:10 ams01 sshd[477]: Invalid user prueba from 222.174.35.3
Feb 23 13:53:19 ams01 sshd[481]: Invalid user postgres from 222.174.35.3

There are many variants of brute force hacking, and they can be annoying as hell; especially if your server sends you a daily security report containing all the log file entries. I don't know about you, but seeing all those hacking attempts makes me nervous... what if one of them succeeds? Given enough time, one of them has to come up with my username/password combination... I don't like that idea at all! Fortunately, there are things like bruteblock. Bruteblock is a little program that does just that: it blocks brute force hacking attempts (Yay!).

The way it works is pretty simple: it reads each log entry, checks it against a set of regular expressions, and if it sees X matches from the same address within Y seconds, it adds that IP address to a firewall table that blocks it. Of course this could lead to some problems, because some ISPs allocate IP addresses dynamically, so you could be blocking half a country after a while. Bruteblock solves this by storing a timestamp next to each entry in the firewall table. A small daemon (bruteblockd) runs in the background, monitors the table, and removes each entry again after X amount of time.

The first step is to tell your logging facility that it needs to pipe the authentication messages to bruteblock. This is easily done by adding a single line to /etc/syslog.conf:

auth.info;authpriv.info                         |exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
We don't want to restart the syslog daemon just yet, because we still have to determine what bruteblock should check and how it should handle matches against the regular expressions. /usr/local/etc/bruteblock/ssh.conf contains some pre-fabricated regular expressions for common sshd authentication failures. To get rid of even more log file spam and brute force attempts we will add two more regular expressions, one for each of the reverse mapping messages shown above:
regexp4 = sshd.*reverse mapping checking getaddrinfo for \S+ \[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\] failed - POSSIBLE BREAK-IN ATTEMPT!
regexp5 = sshd.*Address (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) maps to \S+, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
The configuration file also sets how many matches within how many seconds trigger a block, how long the block lasts, and which ipfw table the addresses go into. The default duration is 600 seconds (10 minutes), which we will raise to 86400 seconds (24 hours). The other settings can be left as they are: 4 matches within 60 seconds trigger a block, and the addresses are added to table 1.
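To make the counting rule concrete, here is a small Python model of bruteblock's matching, sliding-window and expiry logic, run over a few constructed sshd log lines. It is an added example, not bruteblock's own C code: the first two patterns are my guess at the kind of rules the shipped ssh.conf carries (this page does not reproduce that file), the last two are the regexp4 and regexp5 added above, and the table stores the time an address was added, which is this model's choice rather than whatever value bruteblock itself writes into the ipfw table.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Patterns for the sshd failures shown in this post. The first two stand in for
# the kind of rules bruteblock's shipped ssh.conf carries (assumption: the page
# does not reproduce that file); the last two are the regexp4/regexp5 added above.
IPV4 = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
PATTERNS = [
    re.compile(r"sshd.*Invalid user \S+ from " + IPV4),
    re.compile(r"sshd.*error: PAM: authentication error for \S+ from " + IPV4),
    re.compile(r"sshd.*reverse mapping checking getaddrinfo for \S+ \[" + IPV4
               + r"\] failed - POSSIBLE BREAK-IN ATTEMPT!"),
    re.compile(r"sshd.*Address " + IPV4 + r" maps to \S+, but this does not map "
               r"back to the address - POSSIBLE BREAK-IN ATTEMPT!"),
]

MAX_COUNT = 4      # this many matches from one address ...
WITHIN_TIME = 60   # ... inside this many seconds trigger a block
RESET_IP = 86400   # seconds an address stays blocked (24 hours, as configured above)


def parse_timestamp(line, year=2012):
    """Syslog lines carry no year, so one is assumed (the sample data is from 2012)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S").timestamp()


class BruteBlockModel:
    """Sliding-window match counter plus a stand-in for ipfw table 1."""

    def __init__(self, max_count=MAX_COUNT, within_time=WITHIN_TIME, reset_ip=RESET_IP):
        self.max_count, self.within_time, self.reset_ip = max_count, within_time, reset_ip
        self.hits = defaultdict(deque)  # ip -> timestamps of matches still inside the window
        self.table = {}                 # ip -> time it was added (the model's choice of value)

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a block, else None."""
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                break
        else:
            return None  # not an authentication failure we care about
        ip, now = match.group(1), parse_timestamp(line)
        if ip in self.table:
            return None  # already blocked; ipfw is dropping its packets
        window = self.hits[ip]
        window.append(now)
        while window and now - window[0] > self.within_time:
            window.popleft()  # forget matches older than the window
        if len(window) >= self.max_count:
            self.table[ip] = int(now)
            del self.hits[ip]
            return ip
        return None

    def expire(self, now):
        """bruteblockd's job: drop entries older than reset_ip; return the IPs removed."""
        expired = [ip for ip, added in self.table.items() if now - added >= self.reset_ip]
        for ip in expired:
            del self.table[ip]
        return expired


def run(log_text):
    """Feed every line through the model; return (model, [(timestamp, ip) blocked])."""
    model = BruteBlockModel()
    blocked = []
    for line in log_text.splitlines():
        ip = model.feed(line)
        if ip:
            blocked.append((line[:15], ip))
    return model, blocked


# Constructed sample log: the 220.172.191.31 lines are the ones shown in the post;
# the 60.54.248.46 and 222.126.145.202 lines are made up for this example.
SAMPLE_LOG = """\
Feb 28 07:39:21 ams01 sshd[96155]: Did not receive identification string from 220.172.191.31
Feb 28 07:43:24 ams01 sshd[96253]: Invalid user arun from 220.172.191.31
Feb 28 07:43:27 ams01 sshd[96257]: Invalid user arun from 220.172.191.31
Feb 28 07:43:31 ams01 sshd[96261]: Invalid user arun from 220.172.191.31
Feb 28 07:43:34 ams01 sshd[96265]: Invalid user arun from 220.172.191.31
Feb 28 08:00:00 ams01 sshd[96301]: error: PAM: authentication error for root from 60.54.248.46
Feb 28 08:02:00 ams01 sshd[96305]: error: PAM: authentication error for root from 60.54.248.46
Feb 28 08:04:00 ams01 sshd[96309]: error: PAM: authentication error for root from 60.54.248.46
Feb 28 08:06:00 ams01 sshd[96313]: error: PAM: authentication error for root from 60.54.248.46
Feb 28 08:10:01 ams01 sshd[96320]: reverse mapping checking getaddrinfo for user.145.126.222.zhong-ren.net [222.126.145.202] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 28 08:10:05 ams01 sshd[96324]: Address 222.126.145.202 maps to user.145.126.222.zhong-ren.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 28 08:10:09 ams01 sshd[96328]: reverse mapping checking getaddrinfo for user.145.126.222.zhong-ren.net [222.126.145.202] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 28 08:10:14 ams01 sshd[96332]: reverse mapping checking getaddrinfo for user.145.126.222.zhong-ren.net [222.126.145.202] failed - POSSIBLE BREAK-IN ATTEMPT!
"""

if __name__ == "__main__":
    model, blocked = run(SAMPLE_LOG)
    for when, ip in blocked:
        print(f"{when} bruteblock: Adding {ip} to the ipfw table 1")
    print("still unblocked:", list(model.hits))
```

Run it and 220.172.191.31 is blocked on its fourth "Invalid user" line, and 222.126.145.202 on its fourth reverse-mapping failure, while 60.54.248.46, which guesses once every two minutes, never has more than one match inside the 60-second window and is never blocked. That last case is the gap a slow, patient attacker slips through with any X-in-Y-seconds rule.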

Next, we'll want to decide what to do with the IP addresses that are trying to do brute-force hacking on us. We'll add a few rules to /etc/rc.firewall:

## Block SSH brute force scanners.
##
${fwcmd} add deny all from me to "table(1)"
${fwcmd} add deny all from "table(1)" to me
We'll want to place these rules as early as possible in the rule set, so that packets from a blocked address are dropped before ipfw evaluates the rest of the rules; I'll write a separate article on ordering rule sets sometime in the (near) future. Next we can either restart the entire firewall, or just add the two rules by hand with an explicit rule number (the 01200 and 01300 in the listing further down); just be sure to add the rules to the firewall script as well, so they don't get lost at the next reboot.

All right, after we've added the rules to the firewall, we can restart syslogd and start bruteblockd (the daemon that handles the cleanup for the firewall table). The rc script only starts the daemon if bruteblockd_enable="YES" is set in /etc/rc.conf, which also makes sure it comes back after a reboot:

/etc/rc.d/syslogd restart
/usr/local/etc/rc.d/bruteblockd start

And that's pretty much all there is to it. After a few days we can take a peek at /var/log/auth.log and see something like:

Feb 28 07:39:21 ams01 sshd[96155]: Did not receive identification string from 220.172.191.31
Feb 28 07:43:24 ams01 sshd[96253]: Invalid user arun from 220.172.191.31
Feb 28 07:43:27 ams01 sshd[96257]: Invalid user arun from 220.172.191.31
Feb 28 07:43:31 ams01 sshd[96261]: Invalid user arun from 220.172.191.31
Feb 28 07:43:34 ams01 sshd[96265]: Invalid user arun from 220.172.191.31
Feb 28 07:43:34 ams01 bruteblock[95217]: Adding 220.172.191.31 to the ipfw table 1
Great, it looks like it works! The four "Invalid user" lines between 07:43:24 and 07:43:34 fall within the 60-second window (the "Did not receive identification string" line four minutes earlier does not), and on the fourth match bruteblock adds the address to the table. A quick peek at the firewall table shows that the IP address has been added, together with a Unix timestamp that bruteblockd compares against the clock to decide when the entry may go:

ams01# ipfw table 1 list
124.95.128.162/32 1330485366
193.34.145.55/32 1330527853
200.113.185.227/32 1330491753
213.165.165.130/32 1330487447
220.172.191.31/32 1330496014
And the firewall rules also confirm that traffic has been blocked:
ams01# ipfw -a list | grep table
01200    210   103040 deny ip from me to table(1)
01300    152    14488 deny ip from table(1) to me

So with a few simple steps, brute force hackers will have to be extremely patient and switch IP addresses every 4 attempts. It won't stop hackers completely, but it will definitely make it a bit harder for them. Two caveats: an attacker who spaces attempts more than a minute apart never reaches the 4-in-60-seconds threshold, and a botnet still gets four guesses per source address. Bruteblock cuts the noise; what actually takes password guessing off the table is disabling password authentication in sshd_config and logging in with keys.

Filed under: tech, server, freebsd, how-to.
Saturday February 18th, 2012 | 0 comment(s).

It was Friday night, I was browsing through my favorite online newspaper before going to bed when I saw a video where they talked about a release-date for Far Cry 3. Since I really enjoyed playing Far Cry 2, I decided to check it out. The news about Far Cry 3 was nice and I'm looking forward to playing it, but the video also mentioned a little bit of news about other games.

It mentioned that a game called "Dear Esther" was going to be released for Apple computers and they showed a tiny bit of video from the game. The video looked interesting, and I decided to check the game out. The game is available on steam for the modest price of € 7,99. This may seem like a lot of money for what is, basically, a user-created mod; but it's a very low price for what turned out to be the most awesome piece of art that I've ever enjoyed. Dear Esther is not like any game you've ever seen. In fact, I wouldn't even call it a game to begin with. There are no enemies, no weapons, no obstacles, no challenges or goals what so ever. In a way it's more of a digital storytelling or VR-experience.


The gist of the story is this: Somehow you (the first person) arrived on an island somewhere in the Outer Hebrides, which is a group of islands off the north-west coast of Scotland. A voice recites what appears to be a passage from a letter that a dying elderly man wrote to a woman called Esther at some point in time. From here on you are set free to explore the island, which has a couple of ruined, decaying cottages, a huge cave system and a very prominent beacon tower on it. As you traverse the island, various locations will trigger music and more passages of the elderly man telling about his life. Even though the route you take across the island is always the same, it never gets dull or boring. Every play-through has a unique sequence of snippets from the letters that the man sent to Esther.

The end result is just a mind-blowing experience. The story is touching as it is, and the sad music and often eerie sound effects put an amazing emphasis on the gloomy atmosphere. And the visuals are just... Wow! It will suffice to say that jaws will drop and drool will flow abundantly. Even though they use the seven-year-old graphics engine from Half-Life 2, this game has the most photo-realistic graphics that I've ever seen in a game. It all just adds up: the water reflecting on the walls in the caves, the pebbles that all look different, the grass that waves in the wind... the details are just mind-boggling.


All in all, I highly, highly recommend this "game" to anyone that loves a good, touching story, loves to explore caves and decayed houses, or just wants to try something other than getting "pwned" by 12 year olds with a big mouth on shooter games. Seriously, guys.. give Dear Esther a try and world peace will be around the corner.

Filed under: gaming, video, 3rd party content.
