Sunday, April 21, 2013

Back to Google Analytics


I'm not a visitor statistics addict, but I must admit that knowing there are some visitors is a pleasure. So I decided to check my number of monthly unique visitors since the beginning of the project and to share it.

Month            The teapot (htcpcp.net)   English blog (error418.org)   French blog (error418.fr)
October 2012     0                         7                             14
November 2012    710                       271                           224
December 2012    522                       248                           249
January 2013     867                       366                           394
February 2013    945                       448                           347
March 2013       1556                      635                           369

Now I will add my number of visitors to my report on the consumption of the month.

Saturday, April 13, 2013

Server monitoring - Uptime Robot


I had mentioned in one of my posts that I wanted to be able to monitor the uptime of my teapot.
Thanks to a comment from Peter (one of the few readers of this blog :-) I found the service UptimeRobot.


Other services also offer server uptime monitoring... but most of them expect a web server to return a "200" code. As I worked hard to return a "418" code, most software sees my server as an anomaly. I cannot use TCP or ping checks either, because my router answers instead of the server if it is disconnected.

The UptimeRobot service has the particularity of being able to monitor the presence of a keyword. So I can verify the presence of the text "error 418" to check that my server is working and receive an alert when it is down.
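The keyword check described above, as an added example (not code from this blog or from UptimeRobot): a probe that decides "up" from the page text instead of the status code, run against a local stand-in server. The handler, the page body and the function names are assumptions made for the demo.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

KEYWORD = b"error 418"  # text the post says the monitor looks for
# Ignore any proxy settings so the local demo request stays local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class TeapotHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the teapot: answers every GET with 418."""
    def do_GET(self):
        body = b"<html><body>error 418 - I'm a teapot</body></html>"
        self.send_response(418, "I'm a teapot")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def keyword_check(url, keyword=KEYWORD, timeout=5):
    """Return (up, status): 'up' depends on the keyword, not on the status code."""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()  # 4xx/5xx raise, but the body is readable
    except OSError:
        return False, None  # refused, timed out or unresolved: no HTTP answer
    return keyword in body, status

def demo():
    """Check a local 418 server, then check again once it has been stopped."""
    server = HTTPServer(("127.0.0.1", 0), TeapotHandler)
    url = "http://127.0.0.1:%d/" % server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        while_up = keyword_check(url)
    finally:
        server.shutdown()
        server.server_close()
    return while_up, keyword_check(url, timeout=2)

if __name__ == "__main__":
    print(demo())
```

A status-code monitor would report the first probe as a failure; the keyword probe reports it as up and only fails once nothing answers with the expected text.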

Sunday, April 7, 2013

Fun with logs - Hackers!


Reading the "User Agents" in the log was repetitive but instructive. It also allowed me to observe more interesting traces.





For example, this connection:
X.X.X.X 88.166.82.62 - [30/Dec/2012:06:52:36 +0000] "GET /user/soapCaller.bs HTTP/1.1" 404 345 "-" "Morfeus Fucking Scanner"


This connection is unusual for several reasons:
  • It tries to connect to a page that does not exist on my server. The page /user/soapCaller.bs is an admin page of the Drupal CMS.
  • It connects directly to the IP address of my server instead of the DNS name. This is probably a robot that scans entire address ranges rather than a targeted attack.
  • The user agent "Morfeus Fucking Scanner" is a vulnerability scanner.

Other connections try to access administration pages of phpMyAdmin and other tools:
X.X.X.X 88.166.82.62 - [05/Feb/2013:02:56:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 345 "-" "ZmEu"
X.X.X.X 88.166.82.62 - [05/Feb/2013:02:56:13 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 345 "-" "ZmEu"
X.X.X.X 88.166.82.62 - [05/Feb/2013:02:56:14 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 345 "-" "ZmEu"
Here the user agent used is "Zmeu", which is also the name of a monster in Romanian mythology. The first connection seems to leave a signature, "w00tw00t.at.blackhats.romanian.anti-sec".


I also found traces of a port scanner called "DFind":
X.X.X.X - - [05/Feb/2013:09:24:57 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"


Another scanner with the signature "muieblackcat" shows up several times. It searches for a large number of PHP pages.
X.X.X.X 88.166.82.62 - [11/Feb/2013:02:16:43 +0000] "GET /muieblackcat HTTP/1.1" 404 345 "-" "-"
X.X.X.X 88.166.82.62 - [11/Feb/2013:02:16:43 +0000] "GET //index.php HTTP/1.1" 418 1370 "-" "-"
X.X.X.X 88.166.82.62 - [11/Feb/2013:02:16:54 +0000] "GET //admin/index.php HTTP/1.1" 404 345 "-" "-"
X.X.X.X 88.166.82.62 - [11/Feb/2013:02:16:54 +0000] "GET //admin/pma/index.php HTTP/1.1" 404 345 "-" "-"


Other suspicious connections, with neither a User-Agent nor a signature:
X.X.X.X 88.166.82.62 - [29/Jan/2013:01:20:59 +0000] "GET / HTTP/1.1" 200 1371 "-" "-"
X.X.X.X 88.166.82.62 - [29/Jan/2013:01:21:00 +0000] "GET /phpldapadmin/ HTTP/1.1" 404 345 "-" "-"
X.X.X.X 88.166.82.62 - [29/Jan/2013:01:21:00 +0000] "GET /phpldapadmin/htdocs/ HTTP/1.1" 404 345 "-" "-"
X.X.X.X 88.166.82.62 - [29/Jan/2013:01:21:01 +0000] "GET /phpldap/ HTTP/1.1" 404 345 "-" "-"
X.X.X.X 88.166.82.62 - [29/Jan/2013:01:21:02 +0000] "GET /phpldap/htdocs/ HTTP/1.1" 404 345 "-" "-"
X.X.X.X 88.166.82.62 - [29/Jan/2013:01:21:02 +0000] "GET /admin/ HTTP/1.1" 404 345 "-" "-"


And also some connections using the DNS name:
X.X.X.X www.htcpcp.net - [21/Jan/2013:17:55:53 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 345 "http://HTCPCP.NET/phpmyadmin/scripts/setup.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
X.X.X.X www.htcpcp.net - [21/Jan/2013:17:55:53 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 345 "http://HTCPCP.NET/phpmyadmin/scripts/setup.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"


In conclusion, I find many connections from curious or malicious people. We can't really talk about hackers, but rather script kiddies. In any case, I'll need to look at the security of my teapot. Maybe strengthen my iptables rules, implement Fail2ban or install a complete IDS such as Snort. Also, in this log I see only connections on port 80. I'm sure that the traffic on port 22 (SSH) would also be interesting to study.
Image credit: Oren neu dag (Own work) [CC-BY-SA-3.0], via Wikimedia Commons
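The traces above can be picked out of the log automatically. The following is an added example, not code from this blog: it parses the log format shown in the post and tags each client with the markers discussed (scanner names, admin-page probes, requests by raw IP, empty User-Agent). The tag names and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Fields as logged in the post: client, host, user, [time], "request", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'(?P<client>\S+) (?P<host>\S+) \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')
# Markers named in the post, matched against the request path or the User-Agent.
SIGNATURES = {
    "morfeus": re.compile(r"morfeus", re.I),
    "zmeu": re.compile(r"zmeu", re.I),
    "w00tw00t": re.compile(r"/w00tw00t\.at\.", re.I),
    "muieblackcat": re.compile(r"/muieblackcat", re.I),
    "admin-probe": re.compile(r"/(phpmyadmin|phpldap(admin)?|admin|pma)(/|$)", re.I),
}

def classify(line):
    """Return (client, tags) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m["request"].split()
    path = parts[1] if len(parts) > 1 else ""
    tags = {name for name, rx in SIGNATURES.items()
            if rx.search(path) or rx.search(m["agent"])}
    if m["host"] == "-" or re.fullmatch(r"[\d.]+", m["host"]):
        tags.add("no-dns-name")  # raw IP or no Host header: address-range sweep
    if m["agent"] in ("", "-"):
        tags.add("empty-agent")
    return m["client"], tags

def summarize(lines):
    """Merge tags per client; lines that carry no tag are ignored."""
    seen = defaultdict(set)
    for client, tags in filter(None, map(classify, lines)):
        if tags:
            seen[client] |= tags
    return dict(seen)

# Constructed sample: requests from the post, addresses from documentation ranges.
SAMPLE = [
    '192.0.2.10 203.0.113.10 - [30/Dec/2012:06:52:36 +0000] "GET /user/soapCaller.bs HTTP/1.1" 404 345 "-" "Morfeus Fucking Scanner"',
    '192.0.2.20 203.0.113.10 - [05/Feb/2013:02:56:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 345 "-" "ZmEu"',
    '192.0.2.30 - - [05/Feb/2013:09:24:57 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 349 "-" "-"',
    '192.0.2.40 203.0.113.10 - [11/Feb/2013:02:16:43 +0000] "GET /muieblackcat HTTP/1.1" 404 345 "-" "-"',
    '192.0.2.50 www.htcpcp.net - [21/Jan/2013:17:55:53 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 345 "http://HTCPCP.NET/phpmyadmin/scripts/setup.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"',
    '192.0.2.60 www.htcpcp.net - [21/Jan/2013:18:00:00 +0000] "GET / HTTP/1.1" 418 1370 "-" "Mozilla/5.0"',
]
print(summarize(SAMPLE))
```

The per-client tag sets are the kind of input a Fail2ban filter or a firewall block list would be built from; the last sample line is an ordinary visit and produces no entry.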

Wednesday, April 3, 2013

Pac-Man Easter cookies

Disclaimer: Sorry, this joke works better in French because the French word for Easter is "Pâques".




What is better than baking some traditional Pacman cakes to celebrate Easter with a feast?


Here is my recipe for Pacman cookies.

Ingredients:
  • 200g sugar
  • 125g butter
  • 3 eggs
  • a pinch of salt
  • 1 tablespoon oil
  • 2 tablespoons of orange blossom water ("eau de fleur d'oranger" is more beautiful)
  • 1 teaspoon of yeast
  • Flour (the precise amount is measured by feeling, yes French kitchen is art!)
  • Dried raisins


Preparation:
  • Melt butter
  • Mix the sugar with the melted butter
  • Break the eggs while trying to keep one yolk aside. You have three tries; the remaining yolk will be used to fry the cakes.
  • Mix the eggs
  • Add oil and orange blossom water
  • Mix the yeast with a little flour
  • Add flour and knead. Continue to add flour while kneading until you get a compact ball of dough (here is the secret).
  • Roll the dough and cut the shapes (with a glass to round and a knife to cut the mouth)
  • Add a quarter of a raisin to the eye
  • Brush with the egg yolk mixed with a little milk
  • Bake at 150 °C for at least 20 minutes, watching so it does not burn

Enjoy!

Monday, April 1, 2013

Raspberry Pi power consumption - Three months after


The first quarter of the power consumption survey of my Raspberry Pi is completed:

On April 1, the total consumption measured since the beginning of the year is 5.3 kWh. This confirms an average consumption of 1.8 kWh per month of non-stop operation.


Photo credit: By Fir0002 (Own work) [GFDL 1.2 (http://www.gnu.org/licenses/old-licenses/fdl-1.2.html)], via Wikimedia Commons