Peter's Blog

Redefining the Impossible

Items filed under webmin


I was studying the statcounter logs for this site and lamenting how the country info only lists the last 100 page views. Because one visitor can look at 50 pages, their country will appear to take 50% of traffic, giving a distorted view of proceedings.

So I decided to update my awstats config with GeoIP to give long-term country information. GeoIP is a library from MaxMind that converts IP addresses to countries. Country lookup is free; you can pay for higher-resolution lookup (city etc.) if you have the $$$.

I installed it as follows:

  • Installed the MaxMind GeoIP C library and Perl library from here
  • I downloaded and installed the country database.
  • I let these configure and install themselves. This may lead to an unholy mix with my Debian apt setup but it is more likely to work than if I start messing with it.
  • I went into Webmin and enabled the GeoIP plugin. A word of recommendation here: Webmin does a great job of managing multiple sites with awstats. In fact Webmin does a great job of most things.

There is an old version of GeoIP that comes as a Debian package, but it installs in a Debian way and was not picked up by the MaxMind Perl module, so I installed the MaxMind stuff by the book.

It seems to be running; it is showing visitors from Germany and stuff, but I need to let it run for longer and see if the number of visitors from unknown countries goes down (it probably doesn't add country info to old records, only new ones).

This may end up simply telling me where the bots that make up a large number of my visitors come from: so far this month this site has used 1.15G of bandwidth. Accursed Inktomi Slurp (which I think is Yahoo) has taken 177Mb of this. Googlebot has taken 77M but given me 7073 visitors against 182. Slurp is a good name. It has probably uploaded all the text on the site 100 times. I don't change it that much.



For my ssh server I have disabled root login and I have chosen a slightly less common username and reasonably tough password but still I get people testing the locks. In the log files it is typically shown as a burst of login failures due to unknown name/incorrect password. This is no more than an annoyance, log files full of rubbish, but I'd like to prevent it and who knows, some day someone may hit the jackpot.

Linux iptables has a neat trick to limit the rate of connection attempts: three failed connection attempts and you can ban whatever is trying to connect for a couple of minutes. This is cool as it will still allow you yourself in as long as you get the password right in the first attempt or two.

I use the firewall module in webmin to manage iptables and I figured out how to implement this feature. It can be edited through webmin but I found it easier to edit the /etc/webmin/firewall/iptables.save file directly and to use webmin to apply it. This is the important bit:

# Allow connections to our SSH server from my IP address
-A INPUT -p tcp -m tcp -s 12.34.56.78 --dport ssh -j ACCEPT
# Allow connections to our SSH server from my other IP address
-A INPUT -p tcp -m tcp -s 65.66.67.68 --dport ssh -j ACCEPT
# Allow connections to our SSH server from localhost
-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport ssh -j ACCEPT
# Everyone else: record each new connection attempt by source address...
-A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --set
# ...and drop a source once it reaches three new connections within 60 seconds
-A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

One objection I have read to this technique is that it can allow someone to lock you out of your own server by continually hitting it with spoofed IP packets of your own originating server. For this reason I added rules to let connections from my normal haunts straight in: if someone bothers to IP spoof these addresses then they are talking directly to sshd and cannot do much more than a DoS attack, no different to if the firewall was not there. This also means I can get the password wrong or open and close connections as often as I like from the computers I normally use.

I could simply deny access from any alien IP except that the IP address of my home PC is not technically static (although it doesn't change very often) and I don't want to lock myself out if it suddenly changes. Besides, who knows, I may be out and about and want to log in (PuTTY and a USB memory key, the world is mine).

This appears to work in both Ubuntu and Debian.
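
As an added illustration (not part of the original post), this Python sketch models the two rate-limit rules above to show which new ssh connections they drop and how retries keep a ban alive. It assumes the documented behaviour of the recent match (--set records a hit, --update matches and refreshes the entry once the hit count is reached); the scanner address and timings are constructed.

```python
from collections import defaultdict

# Source addresses given their own ACCEPT rules in the post
TRUSTED = {"12.34.56.78", "65.66.67.68", "127.0.0.1"}
SECONDS, HITCOUNT = 60, 3          # --seconds 60 --hitcount 3


class RecentTable:
    """Simplified model of the 'recent' list shared by the two rules."""

    def __init__(self):
        self.stamps = defaultdict(list)   # source IP -> times of recorded hits

    def new_ssh_connection(self, src, now):
        """Return the verdict for one NEW connection to the ssh port."""
        if src in TRUSTED:
            return "ACCEPT"               # matched before the rate-limit rules
        seen = self.stamps[src]
        seen.append(now)                  # rule 1: --set records this attempt
        hits = sum(1 for t in seen if t >= now - SECONDS)
        if hits >= HITCOUNT:              # rule 2: --update ... --hitcount 3
            seen.append(now)              # a matching --update records a hit too
            return "DROP"
        return "CONTINUE"                 # falls through to whatever rules follow


def replay(events):
    """events: iterable of (time in seconds, source IP); verdicts in order."""
    table = RecentTable()
    return [table.new_ssh_connection(src, t) for t, src in events]


# Constructed sample traffic: one scanner (documentation address) retrying,
# and a burst of connections from one of the trusted addresses.
SCANNER = "203.0.113.9"
BURST = [(t, SCANNER) for t in (0, 5, 10, 40, 95, 156)]
TRUSTED_BURST = [(t, "12.34.56.78") for t in range(5)]

if __name__ == "__main__":
    for (t, src), verdict in zip(BURST, replay(BURST)):
        print(f"t={t:>3}s  {src:<12} {verdict}")
    print(replay(TRUSTED_BURST))
```

In this model the third new connection inside the window is the first one dropped, and the retry at t=95 is still dropped 55 seconds after the previous attempt because dropped attempts are recorded as hits as well; only the attempt at t=156, after a quiet gap of more than 60 seconds, gets through again.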


Filed under: debian linux ssh ubuntu webmin


One problem I did have during the Django tutorial was at the point where I entered:

>>> p.add_choice(choice='Not much', votes=0)

I got an error to say the add_choice method was not an attribute of p. Django automagically defines attributes and methods according to the fields available in a database table; in this case add_choice was a method to add a new choice object to a poll object. As it knew the database schema, Django is supposed to create methods and attributes according to the fields in tables and the relationships between tables. In this case Django hadn't managed this, but why?

I had a look through the Django code to try to resolve this but it is heavily obfuscated by flashy Python tricks and it was not obvious to me how these magic methods were being created. Running dir and help on the p object gave no clues. Eventually I stopped and restarted the Django server and this code started working.

I was reminded about this by this post complaining about disappearing methods.

I don't really like the Python trick of dynamically creating methods as it does make code harder to follow and debug. I prefer the code generation approach: read the database tables and generate code for simple classes to encapsulate them. Easy to understand, easy to debug, easy to single step through.

However, I haven't written any significant Python applications so what do I know?


Filed under: python webmin


Now I have Debian and Webmin running on my oneandone server I must admit to being happy. It is much more to my taste than the Plesk and Fedora setup preinstalled on the server. I've lost the web reselling tools but I've got a powerful server that I feel I have some control over.


Filed under: debian oneandone webmin


Installed the Webmin firewall module on the oneandone Debian server to make ipchains (or is it iptables? confused) setup a little easier. Enabled only ssh and http as incoming and can still connect to the box on ssh but I cannot telnet into the mail server.

I wasn't keen on making the Webmin server open to all so I set up Webmin to only allow local access on 127.0.0.1 and I wrote a batch file to create an ssh tunnel to get to it:

ssh -L 10000:127.0.0.1:10000  me@myserver.org

Opening localhost:10000 and I'm webminning.


Filed under: debian firewall webmin