This get’s past both iptables and denyhost type approaches since they can trickle in the attacks from various bots. And your right that’s when port knocking and fwknop come in handy.

1. I need to update one of my ssh posts. I typically set MaxAuthTries to 1 or 3 depending on the system to help with this. When possible, I get rid of password auth completely.

2. I suspect the distributed monitoring is not as effective as people think. Yes, it sounds great but how many attacks do you actually block due to the pooled list? I used to use Dsheilds in the capacity and stopped as I found it helped with less than 1% of the hits on a pool of 50 servers. I would love to see numbers on this but based on my own observations these distributed tools on the scale of DenyHosts are of limited value.

Now, I am a big fan of collating data within your own environment. I’ve had great success with that approach due to the sequential scanning nature of many bots.

3. In case, I missed citing it, here’s a good reference on attacking log tools:
http://www.ossec.net/main/attacking-log-analysis-tools
The point is that ssh does not sanitize log output, so using log analysis tools can introduce new vulnerabilities.

4. For those environments, I just use VPN and lock out public ssh access completely.

Don’t get me wrong, I like the concept of denyhosts, fail2ban and similar items, especially for shared hosting environments where end-user control is not well monitored. However, when these tools turn a potential security issue, e.g. weak password, into a known exploitable issue, I tend to leave them off of my systems. For example, what if I spoof your DNS resolvers, google’s IPs, hotmail, etc. Targeting these IPs with injections could have serious impact to your operations.

1. By only looking at new connections, the scripts or attackers can attempt to enter a password up to the configured “MaxAuthTries” value configured on the ssh server. e.g. If the server is configured for 5 password attempts (5 is the default), multiplied by the number of new connections, you get 15 password attempts in a minute time frame. While a far cry from 100’s or 1000’s of password guesses, it still too many to be considered best practice IMO.

2. Rate limiting based on new connections doesn’t have the added benefit of distributed behavioral pattern analysis. DenyHosts for example obtains many thousands of reports on offending IP addresses from it’s many thousands of clients around the globe. This list is not simply “ever growing”, as there are configurable rules regarding entry tolerance and lifetime.

3. I agree that log analysis tools provide the platform for “potentially” one attack vector, as long as the application (in this case openssh) sanitizes log output, this risk is fairly low. Plus, new connections from repeat offenders are blocked by the systems tcp wrappers, reducing the risk even lower since most connections are simply refused.

4. Both Log Analysis tools like DenyHosts simple IPTables rate-limiting do not prevent zero-day attacks against vulnerable openssh servers. A much more secure method of protecting against application layer attacks is not even allowing ANY connection up the stack until the client has been authenticated by crypto system. For that I recommend Fwknop for “Single Packet Authorization”.

http://cipherdyne.org/fwknop/

No crypto authentication, the port doesn’t even respond as being open. Thanks for your comments. I also enjoyed your site.

I’ve since turned to using IPtables to rate limit connections.
http://www.rackaid.com/resources/how-to-block-ssh-brute-force-attacks/

Why I started fiddling with script is to actually automate the process as much as possible and as many movies as possible, so this way that requires much user interaction is no good (for me). I’m sure I’ll try/use it for single file conversions :)

I call it mkmkv.sh, but feel free to call it whatever you like. It relies only on a single argument (the video file name), and just make sure to invoke the script from the same directory as the video file.

cd /path/to/mkv-dir/
mkmkv.sh filename.mkv

#!/bin/bash
MP3="${1}.mp3"
WAV="${1}.wav"
 
echo ""
echo "Identifying Video File: \"$1\""
echo ""
 
ffmpeg -i "$1" 2>&1 | grep "Audio"
 
echo ""
echo "Which audio track do you wish to convert to Stereo MP3?"
read -p "Enter desired FFmpeg audio stream ID in X:Y format: " STREAM
echo ""
echo "Identifying MKV Track ID's..."
echo ""
 
mkvmerge -i "$1"
 
echo ""
read -p "Enter Video ID to be Included: " VID
read -p "Enter Video ID $VID Description: " VDESC
echo ""
read -p "Enter Audio ID to be Included: " AID
read -p "Enter Audio ID $AID Description: " ADESC
echo ""
read -p "Enter name for your NEW MKV file (e.g. movie.mkv): " OUTPUT
echo ""
echo ""
echo "Verify proposed mkvmerge command..."
echo ""
echo "\"mkvmerge\" -o \"$OUTPUT\" --language $VID:eng --track-name \"$VID:$VDESC\" --default-track $VID:yes --language $AID:eng --track-name \"$AID:$ADESC\" --default-track $AID:yes -a $AID -d $VID -S \"$1\" --language 0:eng --track-name \"0:English Stereo MP3\" --default-track 0:no -a 0 -D -S \"$MP3\" --track-order 0:$VID,0:$AID,1:0"
 
echo ""
read -p "Ctrl+C to cancel, or ENTER to continue."
 
echo ""
echo "Running command: ffmpeg -i \"$1\" -map $STREAM -acodec pcm_s16le -ac 2 \"$WAV\""
ffmpeg -i "$1" -map $STREAM -acodec pcm_s16le -ac 2 "$WAV"
 
echo ""
echo "Running command: lame -V0 -q0 --vbr-new \"$WAV\" \"$MP3\""
lame -V0 -q0 --vbr-new "$WAV" "$MP3"
 
echo ""
echo "Running mkvmerge..."
echo ""
"mkvmerge" -o "$OUTPUT" \
--language $VID:eng \
--track-name "$VID:$VDESC" \
--default-track $VID:yes \
--language $AID:eng \
--track-name "$AID:$ADESC" \
--default-track $AID:yes \
-a $AID -d $VID -S "$1" \
--language 0:eng \
--track-name "0:English Stereo MP3" \
--default-track 0:no \
-a 0 -D -S "$MP3" \
--track-order 0:$VID,0:$AID,1:0

I was, too, aware that such simple script can’t cover all aspects, but for me it does cover 90% of mkvs :)

As you surely know, this line does ripping of audio:

ffmpeg -i $1 -acodec pcm_s16le -ac 2 audio.wav

and (as you also surely know) with this command you can inspect the streams:

ffmpeg -i

Example result:

Stream #0.0(eng): Video: h264, yuv420p, 1280×720, PAR 1:1 DAR 16:9, 24 tbr, 1k tbn, 47.95 tbc
Stream #0.1(eng): Audio: ac3, 48000 Hz, 5.1, s16
Stream #0.2(eng): Audio: dca, 48000 Hz, 5.1, s16

So, you just need to add this to choose a different (in this case, the 3rd, dts) stream:

-map 0.2

Solution: add another input parameter for script specifying the audio stream mapping (tho you have to check the file beforehand with ffmpeg -i ).

It just depends on the number of files you are working on so it can turn out that u spent more time on script than you would on converting each file manually (via e.g. gui) :)
But at least we polish our scripting skillz ;)

For example, many of my MKV’s have multiple audio tracks, and the default isn’t always English. So simply running ffmpeg without specifying which to use, might cause ffmpeg to pull the wrong source audio track. Also, many foreign movies end up needing subtitle tracks, and excluding them all by default can suck. :-) Again, choosing the right one when there are multiple subtitle tracks is also important.

It will take some work, but you’ve inspired me to get a public version going. Thanks again!

Use the Find Remote keys and paste in the ID. After it finds it click Import.

First time you do this you likely need to select Preferences to add the keyserver.ubuntu.com:11371 as the default keyserver to use. I know for me it was not in there by default.

#!/bin/bash
echo
echo $1
echo
mkvmerge -i $1

echo
echo “####### STARTING AUDIO EXTRACTION #######”
echo
ffmpeg -i $1 -acodec pcm_s16le -ac 2 audio.wav

echo
echo “####### COMPRESSING AUDIO #######”
echo
lame -V0 -q0 –vbr-new audio.wav audio.mp3

echo
echo “####### APPENDING AUDIO TO CONTAINER #######”
echo
mkvmerge -o new.$1 \
$1 \
–language 0:eng \
–track-name “0:2-Channel Stereo (MP3)” \
–default-track 0:yes \
-a 0 -D -S audio.mp3 \

echo
echo new.$1
echo
mkvmerge -i new.$1

Just call it from (unix) command line with mkv filename as argument.

I think this little piece of script solve’s *.cdda.wav to *.mp3 problem at one’s;

for f in *.wav ; do AUFILE=`echo “$f” | sed ’s/.cdda.wav/.mp3/g’` ; lame $f $AUFILE ; done

In the end I used the following two lines:
$ mkdir new
$ for f in *.mp3 ; do lame –preset standard “$f” “new/$f” ; done