I’ve been having some big “WTF” moments recently where suddenly I’m thrown backwards from my life, and looking at it all invokes a sense of awe and mystery.  It doesn’t help to realize my birthday’s approaching again and soon I go wandering through my head, contemplating life, humanity, and experience.

I reflect on my life a lot.  Daily almost.  The series of events that led to who I am at this point in my life couldn’t have even been designed by Rube Goldberg.  It’s when I start really digging deep and remembering events and people from the most chaotic period of my life (mostly the college years) that I start feeling like Bill the Cat of Bloom County fame.

Maybe not quite like this Bill. But close.

Everyone I’ve met has changed me in some way.  Some good ways, but there are some bad ways.  I’m nowhere near the nice person I think I used to be, but maybe that’s not totally because of the people.  I digress.

I’ve got a better sense of humor about things, developed some tolerance for certain things and a complete intolerance for other things.  One thing that surprises me is when I think about the women I’ve dated in the past (especially in college) and some interesting trends start to appear.  It starts making me go slack-jawed and then “thbbft”.

The evolution of relationships that led to me marrying my wife reads almost like a series of unfortunate events.  I took away a little bit of important knowledge from each one and a realization of what works for me and what doesn’t.  That’s how it works, right?

I dated one girl who was really into me but was then led astray by a guy who, as she found out, only wanted to get her in bed.  When she realized her mistake she felt like she should tell me she ditched him. I guess she had hoped for reconciliation, but I was done with that.  There was the girl who confided in her best friend she “hoped she could find a guy just like” me when she was ready to settle down.  Imagine my surprise when I learned I had all the qualifications for the position, but apparently didn’t submit an application or something.  Or maybe she was just broken from a previous bad experience.

Not quite the "round, shiny" object someone was led to expect for Christmas apparently. I was not the douchebag in question.

There was the freshman virgin who’s legs apparently spread like peanut butter and the whole campus was loaf bread, and who can forget the the extended stay in CrazyTown that was ‘dating She-Who-Shall-Not-Be-Named’ (but now has at least one suicide credited to her and at least a half dozen broken men in her wake.  You go girl.)   Maybe I’ll start referring to her as Volde-whore.

"Let's watch Will and Grace and listen to Tori Amos. Not like you have any balls anyway."

There was the rape victim, the abuse victim, the nympho, the party girl, the girl with too many guy friends, and at least one or two other scary people I’ve apparently blocked out.  The pattern though?  Once I hit that pocket of mentally ill or otherwise broken set, the severity eventually started decreasing.  Now I’m married to an amazing woman who, despite her flaws, is the best thing that’ll ever happen to me.  Thbbft!

The past year has been extremely trying to say the very least about it.  I’ve endured the stress of a marriage, my father’s failing health and then death, job stress, broken friendships, financial hardships, and finally loss of control of my own ability to handle my emotions and the guilt of seeing everyone I care about suffering and hurt as a result.  I’ve tried all sorts of ways to relieve the burden and found no solace, but it’s something I have been used to for quite a many years of my life.  I’ve been inconsolable, unable to find comfort in the words or actions of anyone.  It’s not surprising, because I’ve felt that way since my teenage years.

The social pressure in high school, along with the bullying and rejection, left me feeling powerless.  Hopeless.  Fearful.  Anxious.  This followed me into my adult years, and I finally found myself getting explosive anger at what most people would find irrational.  In fact, I found it irrational.  The senselessness of it all added to the aforementioned emotions but I found myself unable to break away from the patterns of thought and defensive behaviors that had protected me from perceived harm.  I was afraid, all of the time, of making a mistake…  Of looking awkward or inept.

I hope I’ve found some relief now.  I’ve never been a fan or advocate of modern medicine’s solution to these types of problems, I must admit:  I’ve tried anti-depressants, and the side effects were at times worse than the illness itself.  Luckily I have an MD now that I feel I can trust, and so far I feel better now that I’m on a different medicine that’s not in that class of drugs.

It’s strange, feeling a sense of peace and inner calm I haven’t felt in a long time.  Even if it lasts for only a short time, I feel like I’ve had a small awakening.  I can enjoy things again; I see and can appreciate what life has to offer even though it saddens me to see so many people fighting for control that, like I discovered, is incorporeal.  Control always has been an illusion. The Phrygian king stuck in the mire, always reaching for the unattainable if only at the prospect of tasting its sweetness for but a brief time.  Yet people use religion, politics, fear… all attempting to control the human soul, which was made free by our Creator even at the risk of our own annihilation.

Sitting at work, I’m watching the bits fly by and get a query from someone about their inability to get some stock quotes from CNN Money.  I look, and the widget on the page that he’s wanting to get quotes from has a click-thru link that, regardless of whether you wanna do it or not, you get redirected to an ad server and are forced to suck up yet another dose of blatant commercialism.

Seriously?  People so freakin’ averse to actually clicking on advertisements on the internet that companies have to now  resort to what basically equates to click fraud in my mind.  They’re getting advertising revenue whether you actually click on their stupid ads or not, and you have no recourse.  Want to block ads?  Too bad, that means the content you want is blocked too.

It’s a silly situation, but there’s little we can do about it.  Hey, it sucks for them that legitimate clicks on their products’ ads just sit there without any action, but to force people to “click” the ads to get anywhere?  Seriously?  It’s like a bad form of capitalistic terrorism.  We see pop-up ads everywhere (adopted early on by some of the most dubious businesses on the internet), on many pages there are more advertisements than actual content, the usability of these ad-laden sites is mediocre at best (and confusing), and what’s worse is that people *SHOULD* be afraid to click on advertisements!  There’s so much malware and software exploits out there that clicking on the wrong albeit-harmless-enough-looking advertisement can result in the loss of personal information including but not limited to the theft of passwords, account information, real time, and real money as you try to repair the damage that whatever junk has caused.

We can assume security companies are all trying to keep us safe like with Microsoft Security Essentials but as the almighty dollar continues to be easily obtained and the internet continues to provide unscrupulous companies with the possibility of earn tens of thousands of “pennies” per day on click through revenue we’ll continue to be subject to the rules of the people with the money.

Spammers, brute force attacks, malicious packets… none of these things you want on your network if you can avoid it. Unfortunately a good portion of this comes from countries without the computer crime laws that the United States has implemented. Granted, the US’s laws aren’t the greatest in the world but it’s better than nothing.

I’m going to show you how to implement a little hack I found that will let you drop traffic from specific countries using their two-letter country code in iptables. It should in theory work on most Linux distros but more specifically I’ll be guiding you through doing this on CentOS.

The first two things you’re going to need to make this work: your current kernel’s source code, and the source for the version of iptables you’re using. No worries, we just need them to compile modules and we’re not actually going to update the kernel nor iptables.

Unfortunately I found that getting the source RPMs through the CentOS Yum repositories *sucks* so we’ll just get the tarballs for each of them. We’ll also have to get the GeoIP stuff.

1. Find out what kernel version you have

uname -r

2. Check and see if you’ve got your kernel source. In CentOS you can look under /usr/src/kernels/ and see if there’s a directory in there that matches what you saw in step 1. If not, check out the code block. For the sake of organization, all the downloads are gonna go under /root.

yum install kernel-devel

3. Go out and get the GeoIP tarball from the netfilter website.

wget http://people.netfilter.org/peejix/patchlets/geoip.tar.gz

4. Get your iptables source code downloaded. This example uses IPTables 1.3.5, so modify it according to whatever your version of iptables is using. If you’re not sure, just stick a -h at the end of your iptables command. Don’t worry about a minor version difference. As long as you’re on the same major release you should be alright.

wget http://www.netfilter.org/projects/iptables/files/iptables-1.3.5.tar.bz2

5. Go get patch-o-matic-ng from the Netfilter website too while we’re at it.

wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070414.tar.bz2

6. Let’s get all of this stuff extracted, organized, and ready to hopefully not break anything.

cd /root
mkdir geoip

And…. extract

cd /root
tar xjf iptables-1.3.5.tar.bz2
tar xjf patch-o-matic-ng-20070414.tar.bz2
tar xzf geoip.tar.gz -C patch-o-matic-ng-20070414/patchlets/

Now here’s where it can get a little hairy. I’m assuming you already have all the stuff you need to compile code. If you don’t, then Google it for your distro.

We’re going to use patch-o-matic-ng to patch the source code for the kernel and iptables. Don’t worry, it’s not going to modify your kernel and when you update it using Yum.

cd patch-o-matic-ng-20070414
./runme geoip

It’s going to ask you for the paths to your kernel source, and then your iptables source. Just give it the information of where we extracted the iptables source, and where our kernel source is located. The following has examples of how I accomplished it on my CentOS box:

Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] /usr/src/kernels/2.6.18-194.8.1.el5-i686
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables] /root/iptables-1.3.5

It’ll go through a bunch of stuff, I’ll let you read it if you so desire but it’s just debugging information and an explanation of the geoip patch. It’ll come to a line that looks like this… hit y to apply the patch:

------------------------------------------
do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

You can ignore the messages about recompiling the kernel and iptables. This is a lazy admin blog isn’t it? However, we’ve got to build the module to install via modprobe, and then build the shared object for iptables. We’re gonna do a little trickery so it doesn’t recompile all the modules though.

cd /usr/src/kernels/2.6.18-194.8.1.el5-i686
make oldconfig

It’ll scroll a bunch of stuff you probably won’t find important, then it’ll come to this line, to which you’ll want to answer “m”:

geoip match support (IP_NF_MATCH_GEOIP) [N/m/?] (NEW)

Now we’re going to modify the makefile for the netfilter modules. Make a backup of the Makefile in /usr/src/kernels/2.6.18-194.8.1.el5-i686/net/ipv4/netfilter because we might want it someday. Then use vi to create a new makefile and paste the following into it…

obj-m = ipt_geoip.o
KVERSION = $(shell uname -r)
all:
make -C /lib/modules/$(KVERSION)/build M=$(PWD) modules
clean:
make -C /lib/modules/$(KVERSION)/build M=$(PWD) clean

Now it’s building time…

cd /usr/src/kernels/2.6.18-194.8.1.el5-i686
make -C $(pwd) M=net/ipv4/netfilter modules

Unless something was broken or otherwise went horribly wrong, you should now have the file ipt_geoip.ko sitting in /usr/src/kernels/2.6.18-194.8.1.el5-i686/net/ipv4/netfilter/ and we want to copy it to where all your other libraries are:

cp /usr/src/kernels/2.6.18-194.8.1.el5-i686/net/ipv4/netfilter/ipt_geoip.ko /lib/modules/2.6.18-194.8.1.el5-i686/kernel/net/ipv4/netfilter/

Now… to build the shared library for it…

cd /root/iptables-1.3.5
make KERNEL_DIR=/usr/src/kernels/2.6.18-194.8.1.el5-i686/ extensions/libipt_geoip.so

Again, if everything was happy and it didn’t blow up… you should have a file called libipt_geoip.so sitting in /root/iptables-1.3.5/extensions/
so copy it to where iptables is going to be looking for it.

cp extensions/libipt_geoip.so /lib/iptables/

Now all we have to do is modprobe the module into kernelspace and then we’re ready to use it.

depmod
modprobe ipt_geoip

Lastly, we have to have a working database file for the iptables country lookups, so off we go to do two more downloads…

cd /root
wget http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
unzip GeoIPCountryCSV.zip

Now we need a utility to convert this wonderfully huge text file into a binary file:

wget http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
tar xzf csv2bin-20041103.tar.gz
cd csv2bin/
make
./csv2bin ../GeoIPCountryWhois.csv

Now to put things where they need to be…

mkdir /var/geoip
mv geoipdb.* /var/geoip/

If everything worked up til now, you just need to write iptables rules using the GeoIP module… here’s an example:

/sbin/iptables -A INPUT -m geoip --src-cc CN -j DROP

Have fun!

I had a moment of reflection and thought for a moment about the years following my birth into the electronic generation of the 80′s-90′s. Is it really a sign of something bigger when people have more memories of chat text on a screen or interface behind a keyboard, or of more conversations and ideas passed through reading it in an IRC chat room than by live social interaction?

I thought of my years between 16 and 18, and then between 19 and 22. I have no tangible memories I can associate with those periods of my life that don’t involve interacting with someone only through a computer.

Weird.

In a dream, I was a web application developer.  Okay, so it’s not really a dream but sort of a renewed hobby of mine.  Many years ago I was interested in developing web content before the days of dynamic content, but some free time at work and some interest in creating some useful apps in PHP to help me out at work have spurred a new drive to learn.

PHP isn’t something I’m a master at by any shot, but I know enough to be dangerous.  In addition, I’ve taken to learning jQuery so I can add some neat features to my app.

However, I’ve found an interesting effect of using XHTML tags with jQuery… apparently it doesn’t like it.  In a few places I’ve got some append() functions to stick text into several <DIV> sections with various IDs and strangely they hadn’t been working.  I thought there was something I was missing (apparently so!) and tried various other code examples and variants in trying to make it work.  Then I had an idea.

Instead of closing my DIV tags with <DIV /> I changed it to </DIV>.  The result?  My appends were working correctly.  I’ll have to do some Googling to find out what the reason for this is, but it certainly had my hands tied for a while.  I can only hope some other novice doesn’t get snagged on this like I did…

Lots of stuff’s been going on since the last time I made a post, but here’s a little tip for anyone else who’s using an ISP who has decided to implement an advertising saturated “URL helper” which redirects you to an annoying “did you mean this?” page.  Apparently it’s all the rage now to generate ad-based revenue for ISPs, but it can break things for geeks and just generally be annoying.

The answer is simple really:  manually set your DNS entries, flush your DNS cache, and clear your browser cache.  I use the DNS servers at 4.2.2.2 and 4.2.2.1 and never seem to have a problem with them.  That’ll teach these overbearing ISP bastards for forcing their idiotic improvements on everyone!

BTW if you don’t know how, just Google your OS and “DNS settings” and I’m sure something will pop up.  Good luck!

Lenny Zeltser posted this little list over at SANS.org, and I thought it was good.  It was funny though, because I was asked to do the 8th bullet on the list last month.

http://isc.sans.org/diary.html?storyid=5644

Luckily the policy was for a separate office that has no internet accessible server, and with their firewall completely closed off from the outside they’re safe from incoming threats.  Then again, most threats usually come from within an organization….

I’ve found probably my newest favorite place to eat in my little town.  There’s a new place called Lazy Lunches that’s opened, and it’s a refreshing change of pace from all the fast food joints in town, or the expensive sit-down restaurants.  For me it’s great, because the place lives up to its name.

The guy makes all of his sandwiches ahead of time, and keeps them in warmers where they stay nice and moist, and he makes new sandwiches throughout the day.  He takes homemade bread dough, rolls it out, puts ingredients in the middle, rolls the dough up around the stuff, and bakes it whole.  The outcome is positively mouth-watering.  The combination of fresh baked bread with such delicious sandwiches as the standard club, italian beef, ham and cheese, and he also makes other specialities like cheeseburger roll-ups, which is just like you’re probably imagining.  The beef is lightly seasoned with pepper and other spices, and baked up as deliciously as everything else.  He also makes and sells his own desserts there.

I’m hoping that maybe by blogging about the place more people from my town will give the place a try.  It’s in a sort of hard to find place, but seems to be gaining popularity with college students.  There aren’t enough places like this around here and I’m hoping he’ll stick around.

This article just tickled me pink!

http://www.eweek.com/c/a/Security/Notorious-Web-Hosting-Service-Linked-to-Spam-Campaigns-Goes-Offline/?kc=rss

Let me give you an example of how this affected my company.  The following are some of our recent spam statistics, starting on November 11 (which is the date the spam host was cut off) and a couple of days following it.

Date        Total Mail   Spam    % that is spam

11/11     4,429          3165    71.5
12/11     1,288          228      17.7
13/11     1,344          211      15.7

Those percentages are drastic changes.  The article estimates that the company was responsible for around 75% of the total spam worldwide, because they held control servers for several of the major spam botnets out there.   Botnets, if you don’t know, are basically a cloud of computers worldwide that are infected with a trojan, usually without the computer owner’s knowledge or consent, that basically makes the computer a zombie that accepts commands from a central location to both try infecting other computers and to send out the Viagra ads, the breast enlargements, and the other various X-rated spam emails that pretty much everyone gets from time to time.

Good riddance to them.  Oh by the way, I looked up the owner records for the domain that went offline… looks like it has a Newark, NJ address registered to it.  That ought to help some of the internet vigilantes out there!