Tuesday, July 26, 2005

A Cure for the Common SSH Login Attack

-by Jon Scully

Introduction
A few months ago, I began seeing our 'secure' log files fill up with entries stating: "Failed password for illegal user [username]". I decided to search the Internet to find out if others were experiencing these attacks and, hopefully, find a solution. I did uncover a lot of information on the subject, but discovered only a few script-based solutions. None of these, however, seemed... well... elegant.

What I wanted was a way to stop the attacks altogether, yet allow ssh access from anywhere, when needed. In addition, I wanted to avoid using an approach that was so complicated it could lead to more pain than I was experiencing from the original problem.

My requirements looked something like this:
  • Keep port 22 closed, until needed
  • Provide a simple way to open and close port 22 from any remote location
  • Ensure the method used is reasonably difficult for attackers to discover
  • Use an "elegant" method (i.e. not a lot of software)

The solution should behave similar to the following shell prompt activity:

$ ssh name@hostname # No response (Ctrl-C to abort)
^C
$ telnet hostname 1600 # Telnet into port 1600 to open port 22
Trying 123.123.123.123...
^C
$ ssh name@hostname # Now logins are allowed
name@hostname's password:
.
.
.
$ telnet hostname 1601 # Telnet into port 1601 to close port 22
Trying 123.123.123.123...
^C

Note that the ports used to open and close port 22 should appear closed, as well. This approach would be a sort of simplified "port knocking" technique.

Proposed Solution
The 'recent' module in iptables is designed to detect malicious access attempts and then help block or at least honeypot the potential intruder with delays. I've sort of turned this module on its head and, instead, used it to let people in.

The following represents the contents of an iptables file, drawn from a Red Hat distribution (the usual path is /etc/sysconfig/iptables). The rules that implement our style of port knocking are the port 22 rule (which now carries -m recent --rcheck) and the three -m recent rules for ports 1599, 1600 and 1601; everything else is the stock Red Hat rule set.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1599 -m recent --name SSH --remove -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1600 -m recent --name SSH --set -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1601 -m recent --name SSH --remove -j DROP
-A RH-Firewall-1-INPUT -j DROP
COMMIT

Note that there is a "close" port on either side of the "open" port. This should cause most linear port scans (ascending or descending) to leave port 22 closed upon completion, because the scan hits a "close" port after it hits the "open" port in either direction.

For an even more robust approach, use two separate "open" ports -- such as a knock at port 1300, followed by a knock at port 1600. Also keep in mind that once you have connected over ssh, you can close the port without losing your established connection, since the ESTABLISHED,RELATED rule accepts packets for that connection regardless of the 'recent' list.

Conclusion
What's really convenient about this method is, when you're at a trusted location (say, in the office) and you unlock a target site (say, a home server), you need only knock once; the port will stay open for that specific source IP address indefinitely (until you deliberately close the port or iptables is restarted). If you attempt to use the port from another location (say, a client's office), it will appear closed -- until you knock.

What I find most elegant about this approach is that you don't have to fill up your iptables with dozens of DROP entries in order to block the world of would-be attackers.

Sample Log
Here is a representative sample from a 'secure' log file:

Jan  7 09:58:47 hostname sshd[24729]: Illegal user test from [IP_ADDRESS_A]
Jan 7 09:58:50 hostname sshd[24729]: Failed password for illegal user test from [IP_ADDRESS_A] port 51250 ssh2
Jan 7 09:58:52 hostname sshd[24731]: Illegal user guest from [IP_ADDRESS_A]
Jan 7 09:58:54 hostname sshd[24731]: Failed password for illegal user guest from [IP_ADDRESS_A] port 51396 ssh2
Jan 7 09:58:56 hostname sshd[24733]: Illegal user admin from [IP_ADDRESS_A]
Jan 7 09:58:58 hostname sshd[24733]: Failed password for illegal user admin from [IP_ADDRESS_A] port 51546 ssh2
Jan 7 09:59:00 hostname sshd[24735]: Illegal user admin from [IP_ADDRESS_A]
Jan 7 09:59:03 hostname sshd[24735]: Failed password for illegal user admin from [IP_ADDRESS_A] port 51688 ssh2
Jan 7 09:59:04 hostname sshd[24737]: Illegal user user from [IP_ADDRESS_A]
Jan 7 09:59:07 hostname sshd[24737]: Failed password for illegal user user from [IP_ADDRESS_A] port 51828 ssh2
Jan 7 09:59:11 hostname sshd[24739]: Failed password for root from [IP_ADDRESS_A] port 51963 ssh2
Jan 7 09:59:15 hostname sshd[24741]: Failed password for root from [IP_ADDRESS_A] port 52114 ssh2
Jan 7 09:59:20 hostname sshd[24743]: Failed password for root from [IP_ADDRESS_A] port 52288 ssh2
Jan 7 09:59:22 hostname sshd[24745]: Illegal user test from [IP_ADDRESS_A]
Jan 7 09:59:24 hostname sshd[24745]: Failed password for illegal user test from [IP_ADDRESS_A] port 52419 ssh2
Jan 7 16:35:22 hostname sshd[25103]: Failed password for nobody from [IP_ADDRESS_C] port 53721 ssh2
Jan 7 16:35:25 hostname sshd[25105]: Illegal user patrick from [IP_ADDRESS_C]
Jan 7 16:35:28 hostname sshd[25105]: Failed password for illegal user patrick from [IP_ADDRESS_C] port 53832 ssh2
Jan 7 16:35:31 hostname sshd[25107]: Illegal user patrick from [IP_ADDRESS_C]
Jan 7 16:35:33 hostname sshd[25107]: Failed password for illegal user patrick from [IP_ADDRESS_C] port 53907 ssh2
Jan 7 16:35:39 hostname sshd[25109]: Failed password for root from [IP_ADDRESS_C] port 54003 ssh2
Jan 7 16:35:45 hostname sshd[25111]: Failed password for root from [IP_ADDRESS_C] port 54093 ssh2
Jan 7 16:35:50 hostname sshd[25113]: Failed password for root from [IP_ADDRESS_C] port 54181 ssh2
Jan 7 16:35:58 hostname sshd[25115]: Failed password for root from [IP_ADDRESS_C] port 54312 ssh2
Jan 7 16:36:04 hostname sshd[25117]: Failed password for root from [IP_ADDRESS_C] port 54395 ssh2
Jan 7 16:36:07 hostname sshd[25119]: Illegal user rolo from [IP_ADDRESS_C]
Jan 7 16:36:10 hostname sshd[25119]: Failed password for illegal user rolo from [IP_ADDRESS_C] port 54488 ssh2
Jan 7 16:36:14 hostname sshd[25121]: Illegal user iceuser from [IP_ADDRESS_C]
Jan 7 16:36:16 hostname sshd[25121]: Failed password for illegal user iceuser from [IP_ADDRESS_C] port 54577 ssh2
Jan 7 16:36:21 hostname sshd[25123]: Illegal user horde from [IP_ADDRESS_C]
Jan 7 16:36:23 hostname sshd[25123]: Failed password for illegal user horde from [IP_ADDRESS_C] port 54681 ssh2
Jan 7 16:36:26 hostname sshd[25125]: Illegal user cyrus from [IP_ADDRESS_C]
Jan 7 16:36:28 hostname sshd[25125]: Failed password for illegal user cyrus from [IP_ADDRESS_C] port 54786 ssh2
Jan 7 16:36:32 hostname sshd[25127]: Illegal user www from [IP_ADDRESS_C]
Jan 7 16:36:34 hostname sshd[25127]: Failed password for illegal user www from [IP_ADDRESS_C] port 54878 ssh2
Jan 7 16:36:37 hostname sshd[25129]: Illegal user wwwrun from [IP_ADDRESS_C]
Jan 7 16:36:40 hostname sshd[25129]: Failed password for illegal user wwwrun from [IP_ADDRESS_C] port 54966 ssh2
Jan 7 16:36:43 hostname sshd[25131]: Illegal user matt from [IP_ADDRESS_C]
Jan 7 16:36:46 hostname sshd[25131]: Failed password for illegal user matt from [IP_ADDRESS_C] port 55050 ssh2
Jan 7 16:36:50 hostname sshd[25133]: Illegal user test from [IP_ADDRESS_C]
Jan 7 16:36:53 hostname sshd[25133]: Failed password for illegal user test from [IP_ADDRESS_C] port 55152 ssh2
Jan 7 16:36:57 hostname sshd[25135]: Illegal user test from [IP_ADDRESS_C]
Jan 7 16:36:59 hostname sshd[25135]: Failed password for illegal user test from [IP_ADDRESS_C] port 55263 ssh2
Jan 7 16:37:02 hostname sshd[25137]: Illegal user test from [IP_ADDRESS_C]
Jan 7 16:37:04 hostname sshd[25137]: Failed password for illegal user test from [IP_ADDRESS_C] port 55366 ssh2
Jan 7 16:37:08 hostname sshd[25139]: Illegal user test from [IP_ADDRESS_C]
Jan 7 16:37:10 hostname sshd[25139]: Failed password for illegal user test from [IP_ADDRESS_C] port 55457 ssh2
Jan 7 16:37:13 hostname sshd[25141]: Illegal user www-data from [IP_ADDRESS_C]
Jan 7 16:37:16 hostname sshd[25141]: Failed password for illegal user www-data from [IP_ADDRESS_C] port 55548 ssh2
Jan 7 16:37:21 hostname sshd[25143]: Failed password for mysql from [IP_ADDRESS_C] port 55637 ssh2
Jan 7 16:37:26 hostname sshd[25145]: Failed password for operator from [IP_ADDRESS_C] port 55724 ssh2
Jan 7 16:37:33 hostname sshd[25147]: Failed password for adm from [IP_ADDRESS_C] port 55799 ssh2
Jan 7 16:37:42 hostname sshd[25149]: Failed password for apache from [IP_ADDRESS_C] port 55912 ssh2
Jan 7 16:37:52 hostname sshd[25151]: Illegal user irc from [IP_ADDRESS_C]
Jan 7 16:37:54 hostname sshd[25151]: Failed password for illegal user irc from [IP_ADDRESS_C] port 56036 ssh2
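The log above is the signal that motivated the rules; before deciding on a response, a defender usually wants it reduced to per-source counts and the list of usernames tried. The following Python is an added example, not code from the original post: it parses the line format shown above (with constructed sample lines and documentation-range addresses standing in for the masked ones), tallies failed password attempts per source address and flags sources that reach a threshold. The threshold value, the function names and the sample lines are choices made for this example.

```python
"""Detection pass over sshd 'secure' log lines.

Added example, not part of the original post: it parses lines in the
format shown in the sample log above, counts failed logins per source
address and flags sources that reach a threshold.  The log lines below
are constructed for the example; the addresses are documentation-range
placeholders, not real hosts.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan  7 09:58:47 hostname sshd[24729]: Illegal user test from 198.51.100.7
Jan  7 09:58:50 hostname sshd[24729]: Failed password for illegal user test from 198.51.100.7 port 51250 ssh2
Jan  7 09:59:11 hostname sshd[24739]: Failed password for root from 198.51.100.7 port 51963 ssh2
Jan  7 16:35:22 hostname sshd[25103]: Failed password for nobody from 203.0.113.5 port 53721 ssh2
Jan  7 16:35:25 hostname sshd[25105]: Illegal user patrick from 203.0.113.5
Jan  7 16:35:28 hostname sshd[25105]: Failed password for illegal user patrick from 203.0.113.5 port 53832 ssh2
Jan  7 16:37:21 hostname sshd[25143]: Failed password for mysql from 203.0.113.5 port 55637 ssh2
Jan  7 16:40:00 hostname sshd[25200]: Accepted publickey for jon from 192.0.2.9 port 40001 ssh2
"""

# "illegal user" is the wording in the 2005 log above; newer OpenSSH
# releases say "invalid user", so both spellings are matched.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?P<kind>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failures(log_text):
    """Return one dict per 'Failed password' line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m is None:
            continue
        events.append({
            "ts": m["ts"],
            "user": m["user"],
            "ip": m["ip"],
            "port": int(m["port"]),
            # True when sshd reported that the account does not exist
            "unknown_user": m["kind"] is not None,
        })
    return events


def summarize(log_text, threshold=3):
    """Aggregate failures per source address and flag noisy sources.

    threshold is the number of failed attempts from one address at which
    it is flagged (a value chosen for this example, not from the post).
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "unknown_users": 0})
    for ev in parse_failures(log_text):
        stats = per_ip[ev["ip"]]
        stats["attempts"] += 1
        stats["users"].add(ev["user"])
        if ev["unknown_user"]:
            stats["unknown_users"] += 1
    report = {
        ip: {"attempts": s["attempts"],
             "users": sorted(s["users"]),
             "unknown_users": s["unknown_users"]}
        for ip, s in per_ip.items()
    }
    flagged = sorted(ip for ip, s in report.items() if s["attempts"] >= threshold)
    return {"sources": report, "flagged": flagged}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, s in result["sources"].items():
        print(f"{ip}: {s['attempts']} failures, users tried {s['users']}")
    print("flagged:", result["flagged"])
```

Run against a real /var/log/secure the same summarize() call gives a per-address table; the "users" list is often the quickest way to tell a dictionary sweep (test, guest, admin, root) from a colleague mistyping a password.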

Disclaimer
The security gained from using the above information cannot be guaranteed. If you use the above information for any purpose, you do so at your own risk.

Monday, July 25, 2005

iptables

Same here, both at home and at work. My solution: properly
configure the firewall. I've configured it in such a way that it
blocks all SSH access except from a couple of trusted machines.

This leaves you hanging, though, if you ever need to access the box
from a machine you didn't know about in advance. Enter port knocking.
Here is the relevant part of my iptables script:

CMD="iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport"
$CMD 22 -m recent --rcheck --name SSH -j ACCEPT
$CMD 11 -m recent --name SSH --remove -j DROP
$CMD 12 -m recent --name SSH --set -j DROP
$CMD 13 -m recent --name SSH --remove -j DROP

If you make a connection to port 12, it'll remember the IP you did
that from, and enable SSH access from that IP, even though the
connection to port 12 fails. This is the knock on the door that
unlocks it. Connect to port 11 or 13 to close the port again. This is
so a sequential portscan won't keep the SSH port opened.

Sybren
--
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself?
Frank Zappa
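Both the rule set in "A Cure for the Common SSH Login Attack" above (ports 1599/1600/1601) and Sybren's variant (ports 11/12/13) rely on the same behaviour of the iptables 'recent' list. The following Python is an added example, not code from either post and not an interface to iptables: it models the verdict the chain reaches for each NEW TCP connection and for packets on flows already accepted, so the claims in the text can be checked without a firewall, namely that an ascending or descending linear scan leaves port 22 closed, that a single knock opens it only for the knocking address, and that closing the port does not end an established session. The class and function names, the addresses and the reduced set of public ports are assumptions of this example.

```python
"""Model of the iptables 'recent'-module port-knocking rules.

Added example, not from either post: it reproduces the decision logic of
the rule chain for NEW TCP connections to the INPUT chain plus the
ESTABLISHED,RELATED rule.  It does not talk to netfilter; ICMP, UDP 123
and the trusted-subnet rule of the original file are left out.
"""
from dataclasses import dataclass, field


@dataclass
class KnockFirewall:
    # Port numbers are parameters so one model covers both posts' rules.
    protected_port: int = 22
    open_port: int = 1600
    close_ports: tuple = (1599, 1601)
    public_ports: frozenset = frozenset({80, 443})
    # Contents of the 'recent' list named SSH: sources that have knocked.
    ssh_list: set = field(default_factory=set)
    # Stand-in for the conntrack table: flows accepted as NEW.
    established: set = field(default_factory=set)

    def new_connection(self, src_ip, sport, dport):
        """Walk the chain for a NEW TCP packet and return its verdict."""
        if dport == self.protected_port:
            # --rcheck: accept only if the source is already in the list
            if src_ip in self.ssh_list:
                self.established.add((src_ip, sport, dport))
                return "ACCEPT"
            return "DROP"
        if dport in self.public_ports:
            self.established.add((src_ip, sport, dport))
            return "ACCEPT"
        if dport in self.close_ports:
            # --remove: forget this source, then DROP so the port looks closed
            self.ssh_list.discard(src_ip)
            return "DROP"
        if dport == self.open_port:
            # --set: remember this source, then DROP (the knock never connects)
            self.ssh_list.add(src_ip)
            return "DROP"
        return "DROP"  # catch-all rule at the end of the chain

    def established_packet(self, src_ip, sport, dport):
        """--state ESTABLISHED,RELATED: accepted flows keep working."""
        return "ACCEPT" if (src_ip, sport, dport) in self.established else "DROP"

    def ssh_open_for(self, src_ip):
        return src_ip in self.ssh_list


def linear_scan(fw, src_ip, first, last):
    """Connect once to every port from first to last (either direction)
    and report whether SSH is left open for the scanning address."""
    step = 1 if last >= first else -1
    for port in range(first, last + step, step):
        fw.new_connection(src_ip, 40000, port)
    return fw.ssh_open_for(src_ip)


def demo(open_port=1600, close_ports=(1599, 1601)):
    """Exercise the scenarios the two posts describe; addresses are
    documentation-range placeholders chosen for the example."""
    fw = KnockFirewall(open_port=open_port, close_ports=close_ports)
    scanner, admin, other = "198.51.100.7", "203.0.113.5", "192.0.2.9"
    results = {
        "scan_up": linear_scan(fw, scanner, 1, 65535),
        "scan_down": linear_scan(fw, scanner, 65535, 1),
    }
    # Before the knock, SSH looks closed to the admin's address too.
    results["before_knock"] = fw.new_connection(admin, 51000, 22)
    fw.new_connection(admin, 51001, open_port)          # the knock
    results["after_knock"] = fw.new_connection(admin, 51002, 22)
    results["other_ip"] = fw.new_connection(other, 51003, 22)  # still closed
    fw.new_connection(admin, 51004, close_ports[1])     # close it again
    results["after_close_new"] = fw.new_connection(admin, 51005, 22)
    results["after_close_established"] = fw.established_packet(admin, 51002, 22)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>24}: {verdict}")
    print("Sybren's ports:", demo(open_port=12, close_ports=(11, 13)))
```

The model makes the caveat in the text concrete as well: only a scan that visits a "close" port after the "open" port leaves the list empty, so a scan that stops exactly at the open port, or one that visits ports in random order, is not covered by the "close port on either side" arrangement. That is the motivation for the two-knock sequence the first post suggests.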

Friday, July 15, 2005

Two Tricks: Dongpo-Style Dishes

Su Dongpo was fond of bream and once wrote a poem praising its flavour: "The morning sun shines on the river; the swimming fish are like jade bottles. Who says they know to draw in their necks (the bream is also called the 'shrunken-neck' fang)? Greedy for bait, they always end up in the pot. Old Du in his day, by the stream, remembered Meng; now I in turn grieve for you, putting down my chopsticks, tears streaming." As soon as he arrived in Huangzhou he took an interest in the bream there, often fishing on the river with Pan Sheng (Pan Dalin) and others, catching bream and cooking it outdoors. How it was prepared then can no longer be known; by the traditional Huangzhou methods of today, this bream can be red-braised in soy sauce, steamed, or oil-braised, and all three are delicious.

Dongpo Bream

Steamed

Ingredients:

One fresh bream (about 1000 g), cooked ham, soaked dried mushrooms, fresh winter bamboo shoots, chicken fat, lard, chicken stock, MSG, Shaoxing wine, salt, ground pepper, knotted scallions, ginger.

Method:

(1) Scale and gill the fish, slit the belly and remove the innards, wash, score both sides, sprinkle with salt and place on a plate. Slice the shiitake mushrooms (stems removed, washed) and the cooked ham thinly and arrange them alternately on top of the fish. Cut the winter bamboo shoots into thin cypress-leaf-shaped slices and set them along both sides of the fish; add the scallions, ginger (lightly crushed) and Shaoxing wine.

(2) Set a wok over high heat and heat the lard; pour in the juices from steaming the fish, add the chicken stock and bring to the boil, add the MSG and chicken fat, remove from the heat and pour over the fish; sprinkle with ground pepper and serve.

Oil-braised

Ingredients:

One fresh bream, fatty pork, soaked dried bamboo shoot slices, lard, sesame oil, MSG, sugar, Shaoxing wine, soy sauce, red chilli, salt, small scallions, minced ginger.

Method:

(1) Scale and gill the fish, slit the belly and remove the innards, wash, and score both sides with diagonal cross-hatch cuts (five or six cuts per side); rub the fish with soy sauce and marinate for five minutes. Cut the fatty pork, red chilli, scallions and bamboo shoot slices into thick shreds about one inch long.

(2) Set a wok over high heat, add the sesame oil and heat until about 80 percent hot, put in the fish, turning it with a ladle, and lift it out when both sides are fried a light yellow.

(3) Pour the excess oil out of the wok and return it to high heat; add the fatty pork, red chilli, scallions and bamboo shoot slices and stir-fry for two minutes until the scallions release their fragrance; return the fish to the wok, add the Shaoxing wine, minced ginger, soy sauce, sugar, MSG, salt and water, and braise for three minutes. When the sauce begins to thicken, move to low heat, cover and braise for eight minutes until the fish is flavoured through and the sauce is thick; then return the wok to high heat, add the lard and braise for two more minutes, transfer to a plate and serve.

The dish is pale in colour with a sheen; the skin is crisp and smooth, the flesh plump and tender, the sauce thick, and the flavour fresh, savoury and sweet with a hint of heat.

Red-braised

Ingredients:

Fresh bream, soaked dried bamboo shoot slices, cooked lard, sesame oil, MSG, sugar, starch slurry, Shaoxing wine, soy sauce, chopped scallions, minced ginger.

Method:

(1) Scale and gill the fish, slit open and remove the innards, wash, and score both sides with diagonal cross-hatch cuts (five or six cuts per side). Slice the bamboo shoots thinly.

(2) Set a wok over high heat, heat the sesame oil, and fry the fish until both sides are golden; add the Shaoxing wine, minced ginger, soy sauce, salt, scallion sections, bamboo shoot slices and water and cook together.

Once the liquid boils, move to medium heat and cook for ten minutes until the fish is flavoured through, then return the wok to high heat and cook for about three more minutes until the sauce is thick; lift the fish out and place it on a plate.

(3) Return the wok with its sauce to high heat, add the MSG and sugar, thicken with the starch slurry, add the cooked lard, remove from the heat and pour over the fish.

The dish is golden in colour, rich in fat, the flesh fine and soft, glossy and smooth, and exceptionally delicious.

Dongpo Steamed Pig's Head

Dongpo's Qiuchi Biji records an "Ode to Boiling a Pig's Head": "Wash the pot clean, use shallow water, press the firewood down and do not let it flare up. Yellow pork is as cheap as dirt; the rich will not eat it, the poor do not know how to cook it. Sometimes I make myself a bowl; I eat my fill and know it myself, so mind your own business." It also tells this story: "Wang Zhongling (that is, Wang Quanbin, a native of Taiyuan under the Later Tang, appointed military commissioner of the Anguo Army under the early Song and posthumously granted the title Zhongshuling), having pacified Shu and being very hungry, entered a village temple. The abbot was drunk and sat sprawled in a most insolent manner (an improper, wildly arrogant posture). Wang wanted to behead him, but the monk answered without fear, which Wang thought remarkable. Wang asked for a vegetarian meal; the monk said there was meat but no vegetables, and apologetically offered a steamed pig's head, which was excellent. Wang was pleased and asked, 'Can you only drink wine and eat meat, or have you other talents?' The monk said he could compose verse, and Wang ordered him to write on steamed pork; he produced at once: 'Long snout, short hair, little fat within; long fed on medicinal shoots in the hills (tender wild grasses with medicinal virtue). For steaming it was wrapped in plantain leaves; when cooked it was basted with apricot syrup. Red and fresh, fit to be offered on a golden platter (the vegetables and fruits arrayed on a golden plate); fragrant and soft, truly to be lifted with jade chopsticks (so tender a chopstick pierces it). Compared with mutton, the mutton should be eating the rattan cane.' Wang was delighted and granted him the purple robe and a master's title."

That is, wash and scrape the pig's head clean, bone it, rub salt, ginger and other seasonings all over it, wrap it in plantain leaves, and steam over a fierce fire for one to two hours; once cooked, drizzle with apricot sauce and it is ready to eat.

The method of steaming a pig's head was also described in the Qimin Yaoshu of the Northern Wei: "Take a raw pig's head and remove the bones. Bring to the boil once, cut finely with a knife and clean in water. Steam with clear wine, salt and the meat, seasoning to taste. When cooked, top with dried ginger and Sichuan pepper and eat." This is somewhat similar to the method Dongpo describes.

Today Huangzhou has a soy-glazed pig's head meat made in much the same way.

Soy-Glazed Pig's Head Meat

Ingredients: one pig's head, 3000 g net weight, 5.5 g Shaoxing wine, 0.5 g salt, 150 g crushed rock sugar, 250 g white sugar, caramel colouring as needed, 50 g knotted scallions, ginger slices, star anise and red yeast rice powder as needed.

Method: Put the pig's head in clean water, pluck the hairs with tweezers, and scrape and wash it clean. Lay it face down on the board, split it open down the middle of the back of the skull, take out the brain, remove the bones, cut off the ears, and remove the eye rims, lymph glands, lips, ear rims and snout. Cut the face into two pieces and the jowl into three, put them in a large pot, ladle in boiling water (enough to cover), bring to a rolling boil over high heat for a few minutes and skim off the scum. Place a bamboo rack at the bottom; put the ears, lips and snout underneath first, then arrange the pieces of meat (skin up) on the rack. Add the Shaoxing wine, knotted scallions, ginger slices and star anise, cover and cook over medium heat for about an hour; add the caramel colouring and red yeast rice powder, cover again, cook for five minutes, then simmer over low heat until meltingly tender (about two hours). Add the crushed rock sugar and white sugar; when the braising liquid has thickened, take the pot off the heat, lift out the glazed meat and place it skin up on a porcelain dish. To serve, slice it and pour the sauce over it (the leftover sauce is kept for the next batch).

Note: Set a wok over high heat, add 50 g white sugar and 50 g water, bring to the boil and stir constantly with an iron ladle for one to two minutes; when the water has cooked off, move to low heat and keep stirring until it turns reddish black and begins to give off a thin smoke, then pour in 100 g boiling water, stir well and remove from the heat: this is the caramel colouring.

Dongpo Spring Turtledove Kuai

The Dongpo Ji records: "The people of Shu prize kuai of celery shoots, made mixed with turtledove meat." During his exile in Huangzhou, Dongpo cleared land east of the city to farm, and among the rubble he found the celery he had loved to eat in his home town. This celery is qicai. It grows all over eastern Hubei; the "Qi" of Qichun was originally the word for celery, and the county was named after it. So Dongpo revived the method of the spring turtledove kuai peculiar to his home region: take the breast meat of turtledove, shred it, put it into a wok with lard, stir-fry over high heat until half done, then add celery sections and salt, and toss with soy sauce. That is "spring turtledove kuai".

Ingredients:

Turtledove breast meat, tender celery, egg white, sugar, starch slurry, Shaoxing wine, lard, ground pepper, MSG, salt, chopped scallions, minced ginger.

Method:

(1) Take turtledove breast from early spring, soak it in a basin of clean water to draw out the blood, wash, pound the meat loose with the back of a knife, shred it into a bowl, marinate briefly with Shaoxing wine and salt, then coat evenly with the starch slurry and egg white. Wash the celery and cut it into shreds.

(2) Set a wok over high heat, heat the lard until about 50 percent hot, add the dove meat and stir to separate it; when it turns milky white, tip it into a strainer to drain the oil.

(3) Leave 50 g of oil in the wok and heat over high heat; stir-fry the celery shreds briefly until fragrant, add the dove meat and toss together, add the minced ginger, sugar, MSG, pepper and chopped scallions, stir-fry for two minutes, transfer to a plate and serve.

This dish has the fresh fragrance of celery and the tender meat of dove, a fine game delicacy.

Germany's Humboldt Foundation

The Humboldt Foundation was established in Berlin in 1860 in memory of the great German natural scientist and scientific explorer Alexander von Humboldt. Before 1923 it funded only German scholars on scientific expeditions abroad; after 1925 it turned to supporting foreign scientists and doctoral students studying in Germany. In 1945 the foundation ceased its activities. At the initiative of former Humboldt fellows it was re-established (as a legal entity) by the Federal Republic of Germany on 10 December 1953, with its offices in Bad Godesberg, Bonn. In the following year it awarded research fellowships to 75 people. Since then nearly 14,000 scholars from more than 100 countries have received its support.

The foundation's board consists of its president, the presidents of the major academic organisations, the chair of the conference of state ministers of education and culture, and three federal ministers.

Awards of the Humboldt Foundation

I. Research Fellowships for Foreign Scientists

Each year the Humboldt Foundation awards fellowships to roughly 600 outstanding foreign scientists who hold a doctorate and are no more than 40 years old, allowing them a longer period (one to two years) of research in the Federal Republic. A central selection committee of 100 German scientists from all disciplines, chaired by the president of the German Research Foundation, selects the applicants. The sole criterion is academic merit, with no distinction by country and no restriction by field.

From 1953 to 1990, 11,760 young scholars from 98 countries received the research fellowship.

1. How to apply

Applicants may submit their materials to the foundation at any time. The selection committee meets three times a year, usually in March, June and November. Complete application materials must reach the foundation's secretariat no later than five months before those dates. Incomplete submissions take longer to process, so applicants are strongly advised to request the latest guidelines from the foundation.

Applicants in the natural sciences and engineering, and physicians, must have at least a command of English; applicants in the humanities need a good knowledge of German. The foundation funds successful applicants and, on request, also funds German language courses in Germany for their spouses.

2. Funding

The Humboldt research fellowship amounts on average to between 3,000 and 3,800 marks per month (tax-free), depending on the scholar's age and academic standing. The foundation also covers travel costs, allowances for spouse and children, and subsidies for attending academic conferences.

The fellowship is initially granted for one year. If the research in progress can be brought to a productive conclusion, it may be extended on application, to a maximum of 24 months. Where the research topic requires it, up to six months per year may be spent at research institutes in other European countries.

3. Distribution of fellows by field

The distribution of fellows across fields changes from year to year. Of the 11,760 foreign fellows counted above, 61% worked in the natural sciences, 30% in the humanities and 9% in engineering. In recent years the distribution has changed little from these proportions. This result is not the product of foundation policy, since selection follows neither national nor disciplinary quotas but academic merit alone.

4. Host institutes

Foreign scholars are free to choose their host institute and cooperating professor; a fellowship can be applied for only once both sides have agreed to cooperate and drawn up a research plan.

Since 1953, 82% of fellows have worked at universities, 9% at institutes of the Max Planck Society, 2% at large research centres, 1% at federal research institutions and the remaining 6% at other institutes.

II. Research Awards for Foreign Scientists

Each year the foundation confers Humboldt Research Awards in various categories on 200 internationally recognised foreign scientists and, with the award, invites them to spend a longer period (4 to 12 months) at a German research institute on a project of their choice. A nomination by a prominent German scientist is a prerequisite. The award ranges from 20,000 to 120,000 marks. Eighty awards a year go to American scientists; these were established by the federal government in gratitude for the American Marshall Plan. Since 1972 more than 1,400 award winners have come to Germany.

III. Research Fellowships for German Scientists

The foundation runs the Feodor Lynen Fellowship, awarded to up to 200 German scholars a year who hold a doctorate and are under 38, to enable longer periods (1 to 4 years) of research at institutes abroad. These foreign host institutions are places where former Humboldt fellows work. The fellowship is paid jointly by the foundation and the host institute, at 2,200 marks a month (tax-free). In addition there are a country allowance, housing and travel costs, family allowances, incidentals (200 marks a month), health insurance subsidies and a reintegration grant on return. A mentor in Germany keeps in contact with the scholar to help with the return to a position at home.

The Foundation's Activities in Germany

The foundation funds German language courses for fellows and some of their family members, invites newly arrived fellows to introductory meetings, holds an annual symposium for research award winners in Rottach-Egern, organises a three-week study tour of Germany each year for fellows and their families, and invites all guest scholars and their families to the annual meeting in Bonn. Since 1954 the Federal President has received all participants of the annual meeting at his official residence, the Villa Hammerschmidt.

To improve living conditions for guest professors in Germany, the foundation, with strong support from the Volkswagen Foundation, has built nearly 50 guesthouses and international academic meeting centres (IBZ) in the western states. With joint funding from the federal and state governments, associations, universities and various foundations, some 1,000 apartments are now available at 38 universities.

Maintaining Lasting Contact

After supporting a research fellow, the foundation stays in contact with them in line with their professional wishes. 85% of former fellows have received further support: invitations for a further short research stay in Germany, gifts of scientific books (worth over 600 marks in total), donations of scientific equipment to countries short of foreign currency (4,700 marks), subsidies for conference attendance and printing (nearly 5 million marks in total), and academic conferences held in Germany and other countries. In recent years, support for joint research between foreign and German institutes and for postdoctoral cooperation with Germany (the Feodor Lynen programme) has also grown steadily.

Spending on contact with former fellows accounts for as much as 15% of the foundation's annual budget.

Symposia and Specialist Conferences

The foundation regularly holds symposia and regional conferences abroad, to which all former fellows and research award winners are invited. These meetings also discuss how to continue supporting research and strengthening academic cooperation with German scientists. Preparations are fully supported by the host country's organisation of former fellows, the "Humboldt Club" (there are 46 worldwide). In many countries, such as Japan and Poland, "Humboldt Alumni Associations" have also been formed.

Since 1973 the foundation has held numerous specialist conferences in Germany, with the proceedings published by leading German publishers.

Publications

Since 1958 the foundation has published its Bulletin twice a year; by the end of 1990, 56 issues had appeared and the print run had grown to 18,500. The titles of papers published by fellows during their research stays are compiled in the Humboldt Bibliography, which now holds 26,000 entries, of which more than 4,000 have been translated from German into over 30 other languages.

The Annual Report, published in German and English, describes the foundation's activities. The 1988 booklet "Tracking", also available in English, presents the results of the academic exchanges organised by the foundation from 1953 to 1988. In the last two years the foundation has begun publishing introductory material in Chinese.

Humboldt Fellows from China

From 1979 to 1998, 774 Chinese scholars received Humboldt fellowships, among them Lu Yongxiang, president of the Chinese Academy of Sciences, vice-president Yan Yiba, and Wei Yu, vice-minister of education.

Dr Wang Zhaoyin of the International Research and Training Center on Erosion and Sedimentation was the first scholar in the water resources field to receive Humboldt funding; since then Professor Zhou Jianjun of the Department of Hydraulic Engineering at Tsinghua University and seven or eight others have also received support.

Tuesday, July 12, 2005

camera focus

Actually, no, the system does not work on the basis of maximizing contrast, although contrast is a factor. Over on Rob Galbraith's forum, there is a recent topic devoted to gathering information on how the system works.

According to the major material in Canon's "Lens Work III," the description in their US patent application, and remarks by Chuck Westfall, to put it briefly:

The AF system sensors are located in the floor of the mirror box. They receive the image through the semi-silvered mirror, which is then reflected downward by a secondary mirror hinged to the back of the main mirror. This forms a virtual focusing plane that is supposed to be at the exact same plane as the sensor (a point of possible miscalibration).

Each AF sensor consists of a pair of short lines of pixels forming an array. One array comprises the outer sensors. Two crossed arrays (one vertical, one horizontal) comprise the center sensor. With lenses of f2.8 or faster, the camera activates a second vertical array in the center.

The arrays are sensitive to linear details that run perpendicular to the orientation of the array. Therefore, the horizontal arrays (identified by the horizontal rectangle marks on the viewscreen) are sensitive to vertical linear details; the vertical arrays (identified by the vertical rectangle marks on the viewscreen) are sensitive to horizontal linear details.

They are blind to linear details that run parallel to the array direction. The center array, being a crossed combination of a vertical and a horizontal array, is sensitive to linear details running both vertically and horizontally. When the second vertical array is activated, its combined input increases the accuracy by a factor of three.

The pixel arrays are actually three times longer than indicated by the viewfinder markings. This is to cover the fact that the viewscreen has a significant amount of "slop" in its horizontal-plane positioning (what you see as left/right/up/down in the viewfinder). Therefore, the sensors actually see details that are somewhat outside the viewfinder markings, and may focus on them instead of details within the sensor markings, if those outside details are more perpendicular to the array than the details inside the markings.

When you mount a lens (whether the camera is on or off), the camera interrogates the lens for its characteristics, including maximum aperture, which is one of the focusing parameters.

When you half-press the shutter release (or the * button, if you've used the custom function to move focusing control there), the activated AF sensor "looks" at the image projected by the lens from two different directions (each line of pixels in the array looks from the opposite direction of the other) and identifies the phase difference of the light from each direction. In one "look," it calculates the distance and direction the lens must be moved to cancel the phase differences. It then commands the lens to move the appropriate distance and direction and stops. It does not "hunt" for a best focus, nor does it take a second look after the lens has moved (it is an "open loop" system).

If the starting point is so far out of focus that the sensor can't identify a phase difference, the camera racks the lens once forward and once backward to find a detectable difference. If it can't find a detectable difference during that motion, it stops.

Although the camera does not take a "second look" to see if the intended focus has been achieved, the lens does take a "second look" to ensure it has moved the direction and distance commanded by the camera (it is a "closed loop" system). This second look corrects for any slippage or backlash in the lens mechanism, and can often be detected as a small "correction" movement at the end of the longer initial movements.

When the camera determines how far and in what direction the lens must move to cancel the phase difference, it does so within a tolerance of "within the depth of focus" of lenses slower than f2.8 (down to f5.6) or "within 1/3 of the depth of focus" of lenses f2.8 and faster. The depth of focus is the range at the sensor plane within which the image of a point will be reproduced as a blur smaller than the manufacturer's designated "circle of confusion" (CoC). Canon's designated circle of confusion is 0.035mm for the 24x36mm format and 0.02mm for the APS-C format. The CoC is based on maintaining the appearance of sharpness in a 6x9 inch print at about a 10 inch viewing distance (as revealed by the Euro-Canon web site). There is no guarantee that images enlarged any greater than this will appear sharp.

The depth of focus increases when the aperture of the lens decreases (like depth of field at the subject plane), but it does not change with the focused distance or the focal length of the lens (according to Canon, unlike depth of field). That is why the camera interrogates the lens for that information; it calculates the depth of focus tolerance from the maximum aperture, not the set working aperture.

As a result of this tolerance (within the depth of focus or within 1/3 of the depth of focus), the camera can place the actual plane of focus at random anywhere within the tolerance range, and not necessarily at the same place each time.

A non-exhaustive list of information about focusing:

1. The center focus square in the viewfinder has both horizontal and vertical sensors, so it can focus just as well on vertical and horizontal lines of detail. The outer focusing rectangles represent sensors that are oriented either vertically or horizontally (according to the shape of the marks), and focus best on lines of detail that are perpendicular to them. You can test this easily: Line up a vertical focusing rectangle on a vertical detail (like the corner of a wall or the edge of a door) and try to focus. The camera will not be able to focus on it. But put a horizontal rectangle against that vertical line, and it will snap instantly into focus (you can turn the camera, and the same will be true). This is a valuable tool. If you are struggling with a background that competes with the foreground, look at whether either has linear detail (say, a squirrel on a tree branch). You can activate one of the rectangles and turn the camera so that the rectangle is either parallel with the linear detail that you want to ignore or perpendicular to the detail you want to focus on.

2. The actual focus sensor arrays are three times larger than the viewfinder marks. A user could put an intended subject in the mark, but if there is a strong detail just outside the mark (but within the sensor area), the camera would focus on that strong detail. This is a source of much of the complaints of the back- or front-focusing -- especially with the "ruler tests." Also, as far as the camera is concerned, a focus lock on anything within the sensor area is good, which sometimes covers more area than the photographer intended.

3. Auto focusing with the 20D only works with lenses with maximum apertures of f5.6 or greater (as determined by the information passed to the camera by the lens). This means the total maximum aperture of the lens, not the aperture you're shooting with at the moment. With a lens slower than f5.6, you have to focus manually (unless you fool the lens somehow into reporting an incorrect aperture to the camera).

4. On the 20D, the center marks have additional sensors to increase accuracy three times greater than the 10D, but these only come into play with lenses that have maximum apertures of f2.8 or greater (not the aperture set for shooting, but the maximum aperture). On a variable aperture zoom lens, if it drops below f2.8 while zooming, that information is passed to the camera, which cuts out the additional focusing sensors. The outside focus sensors of the 20D are normal accuracy.

5. The camera's AF sensors require some details in the image to determine the phase difference. It's harder for the camera to find focus when the light is dim or there is little subject detail. Contrary to recent remarks on another topic, the camera CAN distinguish contrast between equally bright hues of red and green just as the eye can--the sensors are color corrected. Although the sensors can distinguish some quite subtle detail differences, they don't see quite as sharply as the eye. If the lens starts from a very out of focus condition, it can miss very fine detail that the eye sees clearly, such as the mesh of a speaker grill from across the room. In this case, it can be helped if the photographer manually moves close to "focus" and allows the camera to find the actual focus.

6. AF controls:
Shutter release. By default, when you half-depress the shutter release, the camera will focus with the active sensors on the strongest contrasts within those sensor areas. Whether or not it will hold that focused distance depends on what AF mode you're shooting in.

AE/AF Lock Button. The asterisk button on the back near your right thumb. You can set this button to be the focus button in the Custom Function menu (CF4--choose option 1). When this is set, you focus by putting the active AF mark in the viewfinder on your subject and press the asterisk button. The camera focuses on that spot and does not change focus until you press the button again. In AI Servo mode, the camera continuously evaluates focus only as long as you have the button pressed.

Multicontroller (joy button) and AF Selection button. These controls, plus the control wheels, allow you to select which focus marks are active--they provide multiple ways to do the same thing, so take your choice. You can either select one point or you can set the camera to choose its own points as you focus. If the camera chooses the points, it will usually focus on any number of points that are closest to the camera. About the only time this is better is when you're focusing on fast-moving activity that you can't keep under a single mark (say, a soccer player). Otherwise, it's usually better to select your own point. The diagonal points on the 20D are very close to the "Rule of Thirds" intersections, so sometimes it's convenient (if you use that composition rule to place your subject in the frame) to select one of those points.

7. AF Modes:
One Shot: When you set the camera to "One Shot," you set the condition "The subject is definitely not moving." The camera is in a "focus priority" mode. The shutter release is locked until the camera achieves what it thinks is the proper focus. This is best if your subject and the camera will be motionless, because it allows you to focus and change the framing without the camera refocusing automatically.

AI Servo: When you put the camera into AI Servo mode, you have set the condition "The subject is definitely moving." The camera is in a "shutter priority" mode. Therefore, the camera goes into a routine that continually collects data to predict the subject movement and move the lens to intercept the subject at its new position. You can shoot even if out of focus (however, the camera cannot release the shutter if the lens is actually in motion). If you know your subject will be in constant motion, this is the best mode. If the subject is actually not moving, the chance of a misfocused shot increases as the camera goes through its data-collection routine. However, often a handheld camera does move (as the photographer sways naturally) for AI Focus to detect and correct for the sway. AI Servo will use whichever focus point you have activated. However, if you activate all the focus points, you must put the center point on the subject and half-press the shutter release for about half a second for the camera to "acquire" the right subject. After that, while you hold the shutter release, the camera can intelligently "hand off" the subject focus from point to point as the subject "wanders" over the viewscreen.

AI Focus: The camera is normally in One Shot mode and the shutter will lock until it achieves focus. However, if it detects the subject moving (that is, the subject goes out of focus), it will automatically switch into AI Servo mode and try to maintain focus. If you are focusing on something that frequently stays still but could move suddenly (like a toddler) this mode comes in handy. The important point with AI Focus is that it does not lock the shutter. However, the camera will usually interpret "focus and recompose" as movement of the subject, and will refocus.



Saturday, July 09, 2005

How to Make Classic Beijing Delicacies

Beijing

Beijing Eight-Treasure Pickles

Method:
Cut pickled kohlrabi into thin 2 cm squares, dice cucumber, cut lotus root into half-moon slices, cut Chinese cabbage into 2 cm pieces, cut green beans into short sections, shred radish, and cut mustard greens into diamond-shaped slices; put everything in clean water with salt for one day, lift out and press out the water, mix with roasted peanuts, pack into a cloth bag and place in the soybean-paste vat, stirring twice a day. Ready in three weeks.

Characteristics: golden in colour, with a rich soybean-paste aroma.


Palace Roast Suckling Pig

Method:
(1) Best is an unweaned piglet under 10 kg. After slaughter, remove the hair, wash, remove the innards, and roast over charcoal (or in an oven), turning constantly while brushing the skin with oil again and again; roasting normally takes about an hour and a half.
(2) The key to roasting the piglet is skin that is crisp but not burnt. To keep the ears and tail from scorching and preserve the piglet's complete and attractive shape, these parts are usually wrapped in vegetable leaves before roasting, and a bottle of water is placed in the belly cavity so that it does not burn.
(3) Prepare various dipping sauces; slices carved from the roast pig are dipped in them and eaten, much like roast duck.

Characteristics: the whole pig is golden and glossy, the skin thin and crisp, the meat soft and tender, with a rich milky aroma that lingers.


Fuyun Soy-Braised Pig's Head

Method:
(1) Soy-braised pig's head is made essentially the same way as soy-braised pork and pressed hock. Use a fresh head (frozen is second best; the heads of old sows and boars are never used). Remove all the eyelashes and the hair at the base of the ears, clean away dirt, lymph nodes and other impurities, split in two, scrub clean, bring to the boil in a pot of clean water, then change the water and boil again to remove off-odours.
(2) While boiling, add salt, soy sauce, Sichuan pepper, star anise, fennel, cassia, scallion, ginger and other seasonings in proportion to the weight of the head (the spices can go in a gauze bag); when 60 to 70 percent cooked, lift out and bone while still hot to make the head "blank".
(3) Stack the boned pieces in another pot, leaving a "soup eye" in the middle, add the old braising stock and enough water to bring the saltiness right, add the seasonings again, cover and braise.
(4) The heat for braising is critical. Start with high heat for about 90 minutes, then reduce gradually; when the liquid returns to a simmer add some cooking wine, then simmer over low heat until tender. When removing from the pot, work quickly and precisely or the meat will break up. Braising takes about four hours altogether.
(5) When removing, press the ears and snout underneath so that the meat forms an irregular block. After the meat is out, add MSG to the liquid and brush a layer of it over the still-hot meat.

Characteristics: attractive shape, glossy reddish-brown colour, rich aroma, high in collagen, fatty but not greasy.


Stir-fried Ma Doufu

Method:
(1) Before frying, press the remaining water out of the ma doufu until it is loose and dry. 500 g of ma doufu (about one large bowl) needs about 200 g of lard, plus 200 g of pork, half minced and half cut into small dice.
(2) First fry the diced pork until crisp and set aside; then fry the minced pork briefly, add yellow soybean paste, soy sauce, minced scallion and ginger and a little water, and finally add the ma doufu and stir-fry together. It gradually changes colour and dries as it fries; keep adding water and oil, stirring evenly, until it becomes a thin paste and bubbles appear in the wok, pausing whenever the bean liquid spatters. At the end the ma doufu should be dry enough to pick up with chopsticks.
(3) Just before removing from the wok, add the crisp diced pork, Chinese chives, cooked bean sprouts and cracklings, and serve. Take care that the doufu does not catch on the bottom; keep adding cooked oil as you fry so that it comes out moist and smooth.

Characteristics: grey-green, slightly sour, appetising.


Yanjing Soy-Pickled Radish

Method:
Wash the radishes, halve them, and pack into a vat in alternating layers of radish and salt, turning the vat once a day. After seven days lift out, dry in the sun, then put into sweet flour paste to pickle, turning once a day. Ready after four days.

Characteristics: soy-red in colour, crisp and tender.


Beijing-Style Kidney Slices in Sesame Paste

Method:
(1) With a sharp knife, slice the pork kidney flat from both sides and discard the white core.
(2) Soak the slices in cold water, changing the water often, until all the blood has been drawn out.
(3) Blanch the kidney in a large pot with plenty of water. When the water is at a full boil, slide the slices in and scoop them out at once with a strainer; do not wait for the water to return to the boil. Discard the first blanching water, wash the pot, bring fresh water to a full boil, blanch the slices a second time, lift out immediately and put into a basin of cold water. After two blanchings the kidney is cooked but still crisp and tender.
(4) Once the slices are cold, squeeze out the water, plate them, and dress with raw sesame paste, chopped fermented broad beans with a little broad bean paste, minced scallion, minced ginger and garlic paste.

Characteristics: fragrant, spicy, fresh and crisp.


Beijing-Style Spicy Shredded Radish

Method:
Wash fresh green radishes, trim off the roots (halve the large ones), pack into a vat in alternating layers of radish and salt and weigh down with a stone. Turn into a fresh vat every two days, three times in all; after three weeks they are pickled through. Wash the radishes in their own brine, cut into fine shreds, soak in clean water for about a day to draw out the salt and off-flavours, lift out and press out the water (10 kg of radish yields about 4 kg). Crush garlic and fresh ginger, mix with soy sauce, chilli powder, sugar, saccharin and flavouring essence, add to the shredded radish to marinate, and turn the vat once the next day. Add toasted sesame seeds before serving.

Characteristics: sweet, spicy, fragrant, crisp.


Beijing-Style Cucumber in Chilli Oil

Method:
(1) Wash tender cucumbers, trim both ends, halve lengthwise and remove the seeds, smash with the flat of the knife and cut into small pieces; put in a small basin with a little salt for a few minutes, then rinse with cooled boiled water and drain.
(2) Put salt in a small bowl and mix with chilli oil, soy sauce, garlic paste, sugar, MSG and sesame oil to make the dressing.
(3) Plate the cucumber and pour the chilli-oil dressing over it just before serving.

Characteristics: fresh, fragrant, crisp and spicy.


Beijing-Style Walnut Crisp Paste

Method:
(1) Soak the walnuts in boiling water, remove the skins, deep-fry until crisp and set aside.
(2) Chop peeled water chestnuts, candied melon, candied dates and the fried walnuts together into a fine paste; set aside.
(3) Put egg yolks, starch slurry and flour in a bowl and beat with chopsticks into a batter; set aside.
(4) Beat the egg whites with chopsticks into a foam; set aside.
(5) Wash the wok, set it over medium heat, heat the oil until about 60 percent hot, pour in the batter and stir-fry quickly. When it turns white, the oil separates and it looks like fish roe, quickly add the chopped paste and stir evenly, then add sugar. Once the sugar has melted, transfer to a plate, cover with the egg foam and top with candied cherries.

Characteristics: sweet, fragrant and tender, rich without being greasy; nourishes yin and the lungs and kidneys.


Beijing-Style Cucumber with Dried Shrimp

Method:
(1) Wash the cucumber, trim both ends and cut into "comb-back" pieces; wash the dried shrimp, put in a small bowl and soak briefly in boiling water.
(2) Put the cut cucumber in a bowl, salt it for about a quarter of an hour, rinse once in cooled boiled water, squeeze gently and put on a plate.
(3) Put the soaked shrimp on the cucumber, add salt, MSG, sesame oil and a little of the shrimp soaking liquid, toss and serve.

Characteristics: bright colour, savoury, crisp and tender.


Beijing-Style Cucumber with Bean Curd Sticks

Method:
(1) Wash the cucumber, trim both ends, cut into small roll-cut chunks, toss with salt in a large bowl, leave briefly, then squeeze gently to remove the water.
(2) Soak the bean curd sticks until swollen, wash, cut into 3 cm lengths, blanch briefly in boiling water, refresh in cold water, and squeeze dry.
(3) Toss the cucumber and bean curd sticks with salt, MSG and sesame oil, plate and serve.

Characteristics: cool, refreshing, crisp and tender.


Beijing-Style Cucumber in Scallion Oil

Method:
(1) Wash the cucumber, roll-cut into small chunks thicker at the top than at the bottom, toss with salt in a small basin and leave for a few minutes, then rinse in cooled boiled water, squeeze gently and plate.
(2) Wash and finely chop the scallions into a small bowl. Heat sesame oil in a wok and pour it over the scallions to bring out the fragrance; this is the scallion oil. Let it cool.
(3) Put the cucumber in a small basin, add salt and MSG, pour in the scallion oil and toss.

Characteristics: emerald green, savoury, crisp and full of scallion flavour.


Capital-Style Wisteria Square Cakes

Method:
(1) Cut wisteria blossoms in full mid-spring bloom, discard the faded and loosening petals, and keep flowers about eight-tenths open and unopened buds; take only the petals, removing stems and stamens, and put them in a bowl.
(2) Fill a large bowl; cut 80 to 100 g of clean lard into fine dice and mix in with white sugar.
(3) Marinate for about ten hours until the fat, sugar and petals have merged; the mixture can then be steamed and eaten.
(4) Wrap this flower filling in dough, press it in a wooden mould into square cakes and stamp with decorative patterns; these are the square cakes.

Characteristics: fragrant, sweet and soft, full of the feeling of spring.


Beijing Suzao Pork

Method:
(1) Cooking the meat in a distinctive old master stock is the first step in making Suzao pork.
(2) The "Suzao broth" is the second and final step. To make it, use a fixed proportion of water, soy sauce and salt; once it boils, grind the required Chinese medicinal herbs into powder, sew them into a cloth bag and simmer it in the broth; when the broth smells of the herbs and seasonings, it is the Suzao broth, used to stew the meat. The leftover broth is stored, maintained and replenished exactly like old master stock, and reused in turn.
(3) The herbal formula has a dozen or so ingredients and varies with the four seasons; they are mostly cloves, cinnamon, amomum, liquorice, cardamom, dried tangerine peel and the like. Warming ingredients such as cinnamon and cassia are used more in winter and less in summer.
(4) The main ingredients besides pork are the offal: heart, liver, tripe, lungs and large intestine. The key is to rinse them clean, then boil them in clean water for a few minutes with Sichuan pepper, skim the blood foam and lift out. Then cook them together with the pork in the old stock, adding the items that cook soft more quickly later than the rest.
(5) Once the old stock boils the meat turns red; cook for ten-odd minutes and remove; only the lungs come out last. Next, move all these 80-percent-cooked ingredients into the Suzao broth to stew.
(6) Put a bamboo grid of suitable size in the Suzao pot, lay some pork bones flat on it, pour in the broth, and arrange the meat and offal in order by type on the bones so that nothing touches the bottom and burns. Only the pork is cut into long strips; the rest is cut when used. When the broth boils, reduce to low heat; the broth should cover the ingredients only halfway and bubble gently. Stew for two to three hours and it is done.

Characteristics: fresh broth, meltingly tender meat; eaten with wine or with shaobing or huoshao flatbread it has a flavour all its own.


Beijing Century Egg with Tofu

Method:
(1) Blanch firm northern tofu in boiling water, let it cool, cut into small dice, and add a little salt.
(2) Cut century eggs (well-cured ones) into dice as well and mix with the tofu.
(3) Pound old ginger in a garlic mortar, add water, strain off the solids and drizzle over. Do not use minced ginger, and add no vinegar.

Characteristics: light and refreshing, with a lingering aftertaste; an excellent dish with wine.


Beijing Shaved Cucumber Skin

Method:
(1) Cut cucumber into 2.5 cm sections and with a small knife shave from the outside inward into thin ribbon-like curls; discard the seedy core.
(2) Mix soy sauce, sugar, Sichuan pepper, star anise, cassia, cracked peppercorns, whole dried red chillies, MSG and cooking wine. Put the shaved skins into the marinade, turning constantly with chopsticks so that they are coated through; marinate for about 60 minutes, lift out and plate. Fill the centre first, then stack the skins layer by layer with the outer surface facing out into a small mound like a steamed bun, and pour the remaining marinade over from the top.

Characteristics: the skins are extremely crisp, every flavour penetrates, and the cucumber aroma remains.


Beijing Coated Walnuts

Method:
(1) Soak the walnuts in boiling water, remove the skins, and fry in oil heated until about 60 percent hot until crisp; lift out.
(2) As soon as the oil has drained, toss at once in fine dry bean flour and plate.

Characteristics: sweet, fragrant and crisp; warms and tonifies the lungs and kidneys.