Tuesday, July 26, 2005

A Cure for the Common SSH Login Attack

-by Jon Scully

A few months ago, I began seeing our 'secure' log files fill up with entries stating: "Failed password for illegal user [username]". I decided to search the Internet to find out if others were experiencing these attacks and, hopefully, find a solution. I did uncover a lot of information on the subject, but discovered only a few script-based solutions. None of these, however, seemed... well... elegant.

What I wanted was a way to stop the attacks altogether, yet allow ssh access from anywhere, when needed. In addition, I wanted to avoid using an approach that was so complicated it could lead to more pain than I was experiencing from the original problem.

My requirements looked something like this:

  • Keep port 22 closed, until needed
  • Provide a simple way to open and close port 22 from any remote location
  • Ensure the method used is reasonably difficult for attackers to discover
  • Use an "elegant" method (i.e. not a lot of software)

The solution should behave similarly to the following shell prompt activity:

$ ssh name@hostname # No response (Ctrl-C to abort)
$ telnet hostname 1600 # Telnet into port 1600 to open port 22
$ ssh name@hostname # Now logins are allowed
name@hostname's password:
$ telnet hostname 1601 # Telnet into port 1601 to close port 22

Note that the ports used to open and close port 22 should appear closed, as well. This approach would be a sort of simplified "port knocking" technique.

Proposed Solution
The 'recent' module in iptables is designed to detect malicious access attempts and then help block or at least honeypot the potential intruder with delays. I've sort of turned this module on its head and, instead, used it to let people in.

The following is the contents of an iptables file, drawn from a Red Hat distribution (the usual path is /etc/sysconfig/iptables). The changes needed to support our style of port knocking are the rules that use "-m recent": the port 22 rule and the three rules for ports 1599, 1600 and 1601.

:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1599 -m recent --name SSH --remove -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1600 -m recent --name SSH --set -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1601 -m recent --name SSH --remove -j DROP
-A RH-Firewall-1-INPUT -j DROP

Note that there is a "close" port on either side of the "open" port. This should cause most linear port scans (ascending or descending) to leave port 22 closed, upon completion.

For an even more robust approach, use two separate "open" ports -- such as a knock at port 1300, followed by a knock at port 1600. Also keep in mind, once you have ssh-connected, you can then close the port without losing your established connection.

What's really convenient about this method is, when you're at a trusted location (say, in the office) and you unlock a target site (say, a home server), you need only knock once; the port will stay open for that specific source IP address, indefinitely (until you deliberately close the port or iptables is restarted). If you attempt to use the port from another location (say, a client's office), it will appear closed -- until you knock.
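To make the rule semantics concrete, here is an added model of the "SSH" recent list in Python (example code written for this page, not part of the post). It walks NEW packets through the chain in the order of the rules above, so you can check what an ascending or descending scan, a second source address, or a close knock after the session is up does to the list; the seconds parameter models adding --seconds to the --rcheck rule, which the post's rules leave out, and the KnockRules parameters cover variants with other port numbers. The addresses and packet sequences are constructed.

```python
"""Model of the post's 'recent'-module port knocking, run over constructed packet sequences."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KnockRules:
    """Port numbers from the rule set: one --set port with a --remove port on either side."""
    open_port: int = 1600
    close_ports: frozenset = frozenset({1599, 1601})
    service_ports: frozenset = frozenset({80, 123, 443})   # accepted unconditionally
    ssh_port: int = 22


class RecentList:
    """One named xt_recent list ('SSH' in the post): source address -> time of last --set."""

    def __init__(self, seconds=None):
        # seconds=None models the post's rules: --rcheck without --seconds, so an
        # entry stays valid until --remove or an iptables restart. A value models
        # adding --seconds N to the --rcheck rule, which the post does not do.
        self.seconds = seconds
        self.entries = {}

    def set(self, src, now):
        self.entries[src] = now

    def remove(self, src):
        self.entries.pop(src, None)

    def rcheck(self, src, now):
        last = self.entries.get(src)
        return last is not None and (self.seconds is None or now - last <= self.seconds)


def verdict(rules, ssh_list, src, dport, now):
    """Verdict for one NEW TCP packet, walking the chain in the post's rule order.
    ESTABLISHED packets are accepted by an earlier rule, so an already-open ssh
    session survives a later --remove; only new connections are gated."""
    if dport == rules.ssh_port:
        return "ACCEPT" if ssh_list.rcheck(src, now) else "DROP"
    if dport in rules.service_ports:
        return "ACCEPT"
    if dport == rules.open_port:
        ssh_list.set(src, now)       # the knock is recorded; the packet itself is still dropped
        return "DROP"
    if dport in rules.close_ports:
        ssh_list.remove(src)
        return "DROP"
    return "DROP"                     # final catch-all rule


def run(packets, rules=KnockRules(), seconds=None):
    """packets: iterable of (time, src, dport) for NEW packets. Returns one verdict each."""
    ssh_list = RecentList(seconds)
    return [verdict(rules, ssh_list, src, dport, now) for now, src, dport in packets]


def ssh_open_after(packets, src, rules=KnockRules(), seconds=None):
    """Would a NEW connection to the ssh port from src be accepted after these packets?"""
    ssh_list = RecentList(seconds)
    now = 0
    for now, s, dport in packets:
        verdict(rules, ssh_list, s, dport, now)
    return ssh_list.rcheck(src, now)


# Constructed scenarios; 192.0.2.x are documentation addresses, times are seconds.
KNOCK_THEN_SSH = [(0, "192.0.2.1", 1600), (1, "192.0.2.1", 22)]
ASCENDING_SCAN = [(t, "192.0.2.2", p) for t, p in enumerate(range(1599, 1602))]
DESCENDING_SCAN = [(t, "192.0.2.2", p) for t, p in enumerate(range(1601, 1598, -1))]
# The same pattern with other port numbers (close, open, close).
ELEVEN_TWELVE_THIRTEEN = KnockRules(open_port=12, close_ports=frozenset({11, 13}))

if __name__ == "__main__":
    print("knock then ssh:", run(KNOCK_THEN_SSH))
    print("ssh open after ascending scan:", ssh_open_after(ASCENDING_SCAN, "192.0.2.2"))
```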

What I find most elegant about this approach is that you don't have to fill up your iptables with dozens of DROP entries in order to block the world of would-be attackers.

Sample Log
Here is a representative sample from a 'secure' log file:

Jan  7 09:58:47 hostname sshd[24729]: Illegal user test from [IP_ADDRESS_A]
Jan 7 09:58:50 hostname sshd[24729]: Failed password for illegal user test from [IP_ADDRESS_A] port 51250 ssh2
Jan 7 09:58:52 hostname sshd[24731]: Illegal user guest from [IP_ADDRESS_A]
Jan 7 09:58:54 hostname sshd[24731]: Failed password for illegal user guest from [IP_ADDRESS_A] port 51396 ssh2
Jan 7 09:58:56 hostname sshd[24733]: Illegal user admin from [IP_ADDRESS_A]
Jan 7 09:58:58 hostname sshd[24733]: Failed password for illegal user admin from [IP_ADDRESS_A] port 51546 ssh2
Jan 7 09:59:00 hostname sshd[24735]: Illegal user admin from [IP_ADDRESS_A]
Jan 7 09:59:03 hostname sshd[24735]: Failed password for illegal user admin from [IP_ADDRESS_A] port 51688 ssh2
Jan 7 09:59:04 hostname sshd[24737]: Illegal user user from [IP_ADDRESS_A]
Jan 7 09:59:07 hostname sshd[24737]: Failed password for illegal user user from [IP_ADDRESS_A] port 51828 ssh2
Jan 7 09:59:11 hostname sshd[24739]: Failed password for root from [IP_ADDRESS_A] port 51963 ssh2
Jan 7 09:59:15 hostname sshd[24741]: Failed password for root from [IP_ADDRESS_A] port 52114 ssh2
Jan 7 09:59:20 hostname sshd[24743]: Failed password for root from [IP_ADDRESS_A] port 52288 ssh2
Jan 7 09:59:22 hostname sshd[24745]: Illegal user test from [IP_ADDRESS_A]
Jan 7 09:59:24 hostname sshd[24745]: Failed password for illegal user test from [IP_ADDRESS_A] port 52419 ssh2
Jan 7 16:35:22 hostname sshd[25103]: Failed password for nobody from [IP_ADDRESS_C] port 53721 ssh2
Jan 7 16:35:25 hostname sshd[25105]: Illegal user patrick from [IP_ADDRESS_C]
Jan 7 16:35:28 hostname sshd[25105]: Failed password for illegal user patrick from [IP_ADDRESS_C] port 53832 ssh2
Jan 7 16:35:31 hostname sshd[25107]: Illegal user patrick from [IP_ADDRESS_C]
Jan 7 16:35:33 hostname sshd[25107]: Failed password for illegal user patrick from [IP_ADDRESS_C] port 53907 ssh2
Jan 7 16:35:39 hostname sshd[25109]: Failed password for root from [IP_ADDRESS_C] port 54003 ssh2
Jan 7 16:35:45 hostname sshd[25111]: Failed password for root from [IP_ADDRESS_C] port 54093 ssh2
Jan 7 16:35:50 hostname sshd[25113]: Failed password for root from [IP_ADDRESS_C] port 54181 ssh2
Jan 7 16:35:58 hostname sshd[25115]: Failed password for root from [IP_ADDRESS_C] port 54312 ssh2
Jan 7 16:36:04 hostname sshd[25117]: Failed password for root from [IP_ADDRESS_C] port 54395 ssh2
Jan 7 16:36:07 hostname sshd[25119]: Illegal user rolo from [IP_ADDRESS_C]
Jan 7 16:36:10 hostname sshd[25119]: Failed password for illegal user rolo from [IP_ADDRESS_C] port 54488 ssh2
Jan 7 16:36:14 hostname sshd[25121]: Illegal user iceuser from [IP_ADDRESS_C]
Jan 7 16:36:16 hostname sshd[25121]: Failed password for illegal user iceuser from [IP_ADDRESS_C] port 54577 ssh2
Jan 7 16:36:21 hostname sshd[25123]: Illegal user horde from [IP_ADDRESS_C]
Jan 7 16:36:23 hostname sshd[25123]: Failed password for illegal user horde from [IP_ADDRESS_C] port 54681 ssh2
Jan 7 16:36:26 hostname sshd[25125]: Illegal user cyrus from [IP_ADDRESS_C]
Jan 7 16:36:28 hostname sshd[25125]: Failed password for illegal user cyrus from [IP_ADDRESS_C] port 54786 ssh2
Jan 7 16:36:32 hostname sshd[25127]: Illegal user www from [IP_ADDRESS_C]
Jan 7 16:36:34 hostname sshd[25127]: Failed password for illegal user www from [IP_ADDRESS_C] port 54878 ssh2
Jan 7 16:36:37 hostname sshd[25129]: Illegal user wwwrun from [IP_ADDRESS_C]
Jan 7 16:36:40 hostname sshd[25129]: Failed password for illegal user wwwrun from [IP_ADDRESS_C] port 54966 ssh2
Jan 7 16:36:43 hostname sshd[25131]: Illegal user matt from [IP_ADDRESS_C]
Jan 7 16:36:46 hostname sshd[25131]: Failed password for illegal user matt from [IP_ADDRESS_C] port 55050 ssh2
Jan 7 16:36:50 hostname sshd[25133]: Illegal user test from [IP_ADDRESS_C]
Jan 7 16:36:53 hostname sshd[25133]: Failed password for illegal user test from [IP_ADDRESS_C] port 55152 ssh2
Jan 7 16:36:57 hostname sshd[25135]: Illegal user test from [IP_ADDRESS_C]
Jan 7 16:36:59 hostname sshd[25135]: Failed password for illegal user test from [IP_ADDRESS_C] port 55263 ssh2
Jan 7 16:37:02 hostname sshd[25137]: Illegal user test from [IP_ADDRESS_C]
Jan 7 16:37:04 hostname sshd[25137]: Failed password for illegal user test from [IP_ADDRESS_C] port 55366 ssh2
Jan 7 16:37:08 hostname sshd[25139]: Illegal user test from [IP_ADDRESS_C]
Jan 7 16:37:10 hostname sshd[25139]: Failed password for illegal user test from [IP_ADDRESS_C] port 55457 ssh2
Jan 7 16:37:13 hostname sshd[25141]: Illegal user www-data from [IP_ADDRESS_C]
Jan 7 16:37:16 hostname sshd[25141]: Failed password for illegal user www-data from [IP_ADDRESS_C] port 55548 ssh2
Jan 7 16:37:21 hostname sshd[25143]: Failed password for mysql from [IP_ADDRESS_C] port 55637 ssh2
Jan 7 16:37:26 hostname sshd[25145]: Failed password for operator from [IP_ADDRESS_C] port 55724 ssh2
Jan 7 16:37:33 hostname sshd[25147]: Failed password for adm from [IP_ADDRESS_C] port 55799 ssh2
Jan 7 16:37:42 hostname sshd[25149]: Failed password for apache from [IP_ADDRESS_C] port 55912 ssh2
Jan 7 16:37:52 hostname sshd[25151]: Illegal user irc from [IP_ADDRESS_C]
Jan 7 16:37:54 hostname sshd[25151]: Failed password for illegal user irc from [IP_ADDRESS_C] port 56036 ssh2
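As an added example (not from the post), the following Python script parses lines in this log format, counts only the "Failed password" lines per source so the paired "Illegal user" line is not double-counted, and flags sources that cross a threshold inside a sliding time window. The sample lines it embeds are constructed in the same format, with RFC 5737 documentation addresses in place of the bracketed placeholders above.

```python
"""Count failed sshd logins per source in a 'secure' log and flag brute-force sources."""
import re
from datetime import datetime

# Constructed sample in the same format as the post's log; the addresses are
# RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
Jan  7 09:58:47 hostname sshd[24729]: Illegal user test from 192.0.2.10
Jan  7 09:58:50 hostname sshd[24729]: Failed password for illegal user test from 192.0.2.10 port 51250 ssh2
Jan  7 09:58:52 hostname sshd[24731]: Illegal user guest from 192.0.2.10
Jan  7 09:58:54 hostname sshd[24731]: Failed password for illegal user guest from 192.0.2.10 port 51396 ssh2
Jan  7 09:59:11 hostname sshd[24739]: Failed password for root from 192.0.2.10 port 51963 ssh2
Jan  7 16:35:22 hostname sshd[25103]: Failed password for nobody from 198.51.100.7 port 53721 ssh2
Jan  7 16:35:25 hostname sshd[25105]: Illegal user patrick from 198.51.100.7
Jan  7 16:35:28 hostname sshd[25105]: Failed password for illegal user patrick from 198.51.100.7 port 53832 ssh2
Jan  7 16:40:00 hostname sshd[25200]: Accepted password for alice from 203.0.113.5 port 40000 ssh2
"""

# Only "Failed password" lines are counted: the preceding "Illegal user" line for
# the same sshd pid describes the same attempt and would double-count it.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source, username, is_illegal_user) per failed login."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for measuring intervals inside one log.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["src"], m["user"], m["illegal"] is not None


def summarize(log_text):
    """Per-source summary: failure count, nonexistent-user count, usernames tried, timestamps."""
    summary = {}
    for ts, src, user, illegal in parse_failures(log_text):
        s = summary.setdefault(src, {"failures": 0, "illegal": 0, "users": set(), "times": []})
        s["failures"] += 1
        s["illegal"] += int(illegal)
        s["users"].add(user)
        s["times"].append(ts)
    return summary


def max_in_window(timestamps, window_seconds):
    """Largest number of failures from one source inside any window_seconds interval."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while (ts[hi] - ts[lo]).total_seconds() > window_seconds:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def flag_sources(summary, min_failures=3, window_seconds=60):
    """Sources with at least min_failures failed logins inside a window_seconds window."""
    return sorted(src for src, s in summary.items()
                  if max_in_window(s["times"], window_seconds) >= min_failures)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, s in report.items():
        print(f"{src}: {s['failures']} failures, {s['illegal']} against nonexistent users, "
              f"{len(s['users'])} usernames tried")
    print("flagged:", flag_sources(report))
```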

The security gained from using the above information cannot be guaranteed. If you use the above information for any purpose, you do so at your own risk.

Monday, July 25, 2005

Same here, both at home and at work. My solution: properly
configure the firewall. I've configured it in such a way that it
blocks all SSH access except from a couple of trusted machines.

This leaves you hanging, though, if you ever need to access the box
from a machine you didn't know about in advance. Enter port knocking.
Here is the relevant part of my iptables script:

CMD="iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport"
$CMD 22 -m recent --rcheck --name SSH -j ACCEPT
$CMD 11 -m recent --name SSH --remove -j DROP
$CMD 12 -m recent --name SSH --set -j DROP
$CMD 13 -m recent --name SSH --remove -j DROP

If you make a connection to port 12, it'll remember the IP you did
that from, and enable SSH access from that IP, even though the
connection to port 12 fails. This is the knock on the door that
unlocks it. Connect to port 11 or 13 to close the port again. This is
so a sequential portscan won't keep the SSH port opened.

The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself?
Frank Zappa

Friday, July 15, 2005

Dongpo was fond of bream and once wrote a poem praising its flavor. The poem reads: "The morning sun shines on the river; the swimming fish look like jade bottles. Who says it knows how to draw in its neck (the bream is also called the 'shrunken-neck bream')? Greedy for the bait, it is forever being cooked. Old Du in his day, standing by the stream, remembered Master Meng. Now I in turn grieve for you, laying down my chopsticks, tears streaming." As soon as he arrived in Huangzhou he took an interest in the local bream, often fishing on the river with Pan Dalin and others and cooking their catch in the open. How it was cooked at the time can no longer be known; by today's traditional Huangzhou methods, this bream can be red-braised, steamed, or braised in oil, and all of them taste delicious.

(3) Pour the remaining oil out of the wok and return it to high heat; add the pork fat, red chili, scallions and sliced bamboo shoots and stir-fry for two minutes, until the scallions release their fragrance. Then put the fish in and add Shaoxing wine, minced ginger, soy sauce, sugar, MSG, salt and water, and braise for three minutes. When the sauce begins to thicken, move the wok to a low flame, cover and simmer for eight minutes until the fish has absorbed the flavor and the sauce is thick; then return the wok to high heat, add lard and braise for two more minutes, and transfer to a plate to serve.

Dongpo's Qiuchi Notes records an ode on boiling a pig's head: "Wash the pot clean, add a shallow layer of water, and press the firewood down so it cannot flare up. Yellow pork is as cheap as dirt; the rich will not eat it, and the poor do not know how to cook it. Sometimes I ladle out a bowl for myself; I fill myself and know it myself, and it is no concern of yours." It also relates this story: "Wang Zhongling (Wang Jinbin, a native of Taizheng in the Later Tang; in the early Song he was appointed military commissioner of Anguo, and after his death was given the additional title of Director of the Secretariat), having pacified Shu, was very hungry and entered a village temple. The abbot was drunk and sprawled out rudely (sitting improperly, wildly arrogant). Wang wanted to behead him, but the monk answered without fear, and Wang thought him remarkable. Wang asked for a vegetable meal; the monk said there was meat but no vegetables and, apologizing, served a steamed pig's head, which was delicious. Wang was pleased and asked, 'Can you only drink wine and eat meat, or do you have other skills?' The monk said he could write poetry, and Wang ordered him to compose on the steamed pork. He produced it at once: 'Long snout, short bristles, lightly marbled with fat, long fed in the mountains on medicinal shoots (tender wild herbs with medicinal properties). When steamed it was already wrapped in banana leaf; when done, apricot syrup was poured over it. Its red freshness well deserves a place on the golden platter (the vegetables and fruits displayed on a golden platter); fragrant and soft, it truly yields to a jade chopstick (it falls apart at the touch of a chopstick). If one compares it with mutton, the mutton deserves to be fed the rattan cane.' Wang was delighted and conferred on him the title of Master of the Purple Robe."

Method: Put the pig's head in clean water, tweeze out the hairs, and scrape and wash it clean. Place it face down on a chopping board, split it down the middle of the back of the skull, remove the brain, bone it, cut off the ears, and remove the eye sockets, lymph glands, lips, ear rims and snout. Cut the face into two pieces and the jowl into three, put them into a large pot, ladle in boiling water to cover, bring to a boil over high heat for a few minutes and skim off the scum. Line the bottom with a bamboo rack; put the ears, lips and snout underneath and arrange the pieces of meat (skin up) on top of the rack. Add Shaoxing wine, knotted scallions, ginger slices and star anise, cover, and cook over medium heat for about an hour; then add caramel coloring and red yeast rice powder, cover again, cook for five minutes, and simmer over low heat until tender (about two hours). Add crushed rock sugar and white sugar, and when the sauce has thickened, take the pot off the heat, lift out the sauced meat and place it skin up on a porcelain dish. To serve, slice it and pour the sauce over it (any leftover sauce is kept for the next time).

The Collected Works of Dongpo records: "The people of Shu prize minced celery shoots, prepared mixed with dove meat." While living in exile in Huangzhou, Dongpo cleared land for farming east of the city, and among the rubble he found the celery he had loved to eat at home. This celery is qi cai; it grows throughout eastern Hubei, and the "qi" of Qichun originally meant celery, which is how the county got its name. So Dongpo revived the recipe for spring dove mince peculiar to his hometown: take the breast meat of a turtledove, cut it into shreds, put it into a wok with lard, stir-fry over high heat until half done, then add celery segments and salt, and stir-fry with soy sauce. That is "spring dove mince".

The Humboldt Foundation was established in Berlin in 1860 in memory of the great German natural scientist and scientific explorer Alexander von Humboldt. Before 1923 it funded only German scholars conducting scientific expeditions abroad; after 1925 it switched to supporting foreign scientists and doctoral students studying in Germany. In 1945 the foundation ceased its activities. At the initiative of former Humboldt fellows, it was re-established (as a legal entity) by the Federal Republic of Germany on 10 December 1953, with its office in Bad Godesberg, Bonn. In its second year the foundation already awarded 75 research fellowships, and since then nearly 14,000 scholars from more than 100 countries have received its support.

Each year the Humboldt Foundation awards fellowships to roughly 600 outstanding foreign scientists who hold a doctorate and are no older than 40, allowing them a longer period (one to two years) of scientific research in the Federal Republic of Germany. A central selection committee of 100 German scientists from all disciplines, chaired by the president of the German Research Foundation, is responsible for selecting the applicants. The sole selection criterion is academic merit, regardless of nationality and without restriction by field.

The distribution of research fellows across disciplines changes from year to year. Of the 11,760 foreign fellows counted above, 61% were in the natural sciences, 30% in the humanities and 9% in engineering. In recent years the distribution has changed little from these proportions. This result is not a product of the foundation's policy, since selection imposes neither national nor disciplinary quotas, but rather

Each year the Humboldt Foundation confers Humboldt Research Awards under various programs on 200 internationally recognized foreign scientists, and along with the award invites them to spend a longer period (4 to 12 months) at a German research institute on a research topic of their own choosing. A prerequisite for the award is nomination by a distinguished German scientist. The awards range from 20,000 to 120,000 marks. Eighty of the awards each year go to American scientists; these were established by the federal government in gratitude for the American Marshall Plan. Since 1972 more than 1,400 Humboldt Research Award winners have come to Germany.

The Humboldt Foundation also has the Feodor Lynen Fellowship, awarded to up to 200 German scholars a year who hold a doctorate and are under 38, to enable them to carry out a longer period (one to four years) of scientific research at institutes abroad. These foreign institutes are places where Humboldt fellows have previously worked. The fellowship is paid jointly by the Humboldt Foundation and the host institute, at 2,200 marks a month (tax-free). In addition there are an allowance for the destination country, housing and travel costs, a family allowance, incidentals (200 marks a month), a health-insurance subsidy and a re-entry subsidy for returning to one's post. A mentor in Germany stays in contact with the fellow so as to help on their return to work.

The Humboldt Foundation funds German language courses for Humboldt fellows and some of their family members, invites newly arrived Humboldt fellows to introductory meetings, holds an annual symposium for Humboldt Research Award winners at Rottach-Egern, organizes an annual three-week study tour of Germany for research fellows and their families, and invites all guest scholars and their families to Bonn for the annual meeting. Since 1954 the Federal President has received all scholars attending the annual meeting at his official residence, the Villa Hammerschmidt.

After the initial support, the Humboldt Foundation keeps in touch with its research fellows according to their professional wishes. 85% of former Humboldt fellows have received further support: invitations to return to Germany for short-term research, gifts of scientific books (worth more than 600 marks in total), donations of scientific instruments to countries short of foreign exchange (4,700 marks), grants for conference attendance and printing subsidies (nearly 5 million marks in total), and academic conferences held in Germany and other countries. In recent years, funding for joint research between foreign and German institutes and support for postdoctoral collaboration with Germany (the Feodor Lynen program) have also grown steadily.

The Humboldt Foundation regularly holds academic colloquia and regional conferences abroad, to which all former Humboldt fellows and Research Award winners are invited. These meetings also discuss how to continue supporting research and strengthening academic cooperation with German scientists. Preparations are fully supported by the "Humboldt Clubs" of former Humboldt fellows in the host countries (46 in all worldwide). In many countries, such as Japan and Poland, "Humboldt Fellows' Associations" have also been founded.

Tuesday, July 12, 2005

camera focus

Actually, no, the system does not work on the basis of maximizing contrast, although contrast is a factor. Over on Rob Galbraith's forum, there is a recent topic devoted to gathering information on how the system works.

According to the major material in Canon's "Lens Work III," the description in their US patent application, and remarks by Chuck Westfall, to put it briefly:

The AF system sensors are located in the floor of the mirror box. They receive the image through the semi-silvered mirror, which is then reflected downward by a secondary mirror hinged to the back of the main mirror. This forms a virtual focusing plane that is supposed to be at the exact same plane as the sensor (a point of possible miscalibration).

Each AF sensor consists of a pair of short lines of pixels forming an array. One array comprises the outer sensors. Two crossed arrays (one vertical, one horizontal) comprise the center sensor. With lenses of f2.8 or faster, the camera activates a second vertical array in the center.

The arrays are sensitive to linear details that run perpendicular to the orientation of the array. Therefore, the horizontal arrays (identified by the horizontal rectangle marks on the viewscreen) are sensitive to vertical linear details; the vertical arrays (identified by the vertical rectangle marks on the viewscreen) are sensitive to horizontal linear details.

They are blind to linear details that run parallel to the array direction. The center array, being a crossed combination of a vertical and a horizontal array, is sensitive to linear details running both vertically and horizontally. When the second vertical array is activated, its combined input increases the accuracy by a factor of three.

The pixel arrays are actually three times longer than indicated by the viewfinder markings. This is to cover the fact that the viewscreen has a significant amount of "slop" in its horizontal-plane positioning (what you see as left/right/up/down in the viewfinder). Therefore, the sensors actually see details that are somewhat outside the viewfinder markings, and may focus on them instead of details within the sensor markings, if those outside details are more perpendicular to the array than the details inside the markings.

When you mount a lens (whether the camera is on or off), the camera interrogates the lens for its characteristics, including maximum aperture, which is one of the focusing parameters.

When you half-press the shutter release (or the * button, if you've used the custom function to move focusing control there), the activated AF sensor "looks" at the image projected by the lens from two different directions (each line of pixels in the array looks from the opposite direction of the other) and identifies the phase difference of the light from each direction. In one "look," it calculates the distance and direction the lens must be moved to cancel the phase differences. It then commands the lens to move the appropriate distance and direction and stops. It does not "hunt" for a best focus, nor does it take a second look after the lens has moved (it is an "open loop" system).

If the starting point is so far out of focus that the sensor can't identify a phase difference, the camera racks the lens once forward and once backward to find a detectable difference. If it can't find a detectable difference during that motion, it stops.

Although the camera does not take a "second look" to see if the intended focus has been achieved, the lens does take a "second look" to ensure it has moved the direction and distance commanded by the camera (it is a "closed loop" system). This second look corrects for any slippage or backlash in the lens mechanism, and can often be detected as a small "correction" movement at the end of the longer initial movements.

When the camera determines how far and in what direction the lens must move to cancel the phase difference, it does so within a tolerance of "within the depth of focus" of lenses slower than f2.8 (down to f5.6) or "within 1/3 of the depth of focus" of lenses f2.8 and faster. The depth of focus is the range at the sensor plane within which the image of a point will be reproduced as a blur smaller than the manufacturer's designated "circle of confusion" (CoC). Canon's designated circle of confusion is 0.035mm for the 24x36mm format and 0.02mm for the APS-C format. The CoC is based on maintaining the appearance of sharpness in a 6x9 inch print at about a 10 inch viewing distance (as revealed by the Euro-Canon web site). There is no guarantee that images enlarged any greater than this will appear sharp.

The depth of focus increases when the aperture of the lens decreases (like depth of field at the subject plane), but it does not change with the focused distance or the focal length of the lens (according to Canon, unlike depth of field). That is why the camera interrogates the lens for that information; it calculates the depth of focus tolerance from the maximum aperture, not the set working aperture.

As a result of this tolerance (within the depth of focus or within 1/3 of the depth of focus), the camera can place the actual plane of focus at random anywhere within the tolerance range, and not necessarily at the same place each time.

A non-exhaustive list of information about focusing:

1. The center focus square in the viewfinder has both horizontal and vertical sensors, so it can focus just as well on vertical and horizontal lines of detail. The outer focusing rectangles represent sensors that are oriented either vertically or horizontally (according to the shape of the marks), and focus best on lines of detail that are perpendicular to them. You can test this easily: Line up a vertical focusing rectangle on a vertical detail (like the corner of a wall or the edge of a door) and try to focus. The camera will not be able to focus on it. But put a horizontal rectangle against that vertical line, and it will snap instantly into focus (you can turn the camera, and the same will be true). This is a valuable tool. If you are struggling with a background that competes with the foreground, look at whether either has linear detail (say, a squirrel on a tree branch). You can activate one of the rectangles and turn the camera so that the rectangle is either parallel with the linear detail that you want to ignore or perpendicular to the detail you want to focus on.

2. The actual focus sensor arrays are three times larger than the viewfinder marks. A user could put an intended subject in the mark, but if there is a strong detail just outside the mark (but within the sensor area), the camera would focus on that strong detail. This is a source of much of the complaints of the back- or front-focusing -- especially with the "ruler tests." Also, as far as the camera is concerned, a focus lock on anything within the sensor area is good, which sometimes covers more area than the photographer intended.

3. Auto focusing with the 20D only works with lenses with maximum apertures of f5.6 or greater (as determined by the information passed to the camera by the lens). This means the total maximum aperture of the lens, not the aperture you're shooting with at the moment. With a lens slower than f5.6, you have to focus manually (unless you fool the lens somehow into reporting an incorrect aperture to the camera).

4. On the 20D, the center marks have additional sensors to increase accuracy three times greater than the 10D, but these only come into play with lenses that have maximum apertures of f2.8 or greater (not the aperture set for shooting, but the maximum aperture). On a variable aperture zoom lens, if it drops below f2.8 while zooming, that information is passed to the camera, which cuts out the additional focusing sensors. The outside focus sensors of the 20D are normal accuracy.

5. The camera's AF sensors require some details in the image to determine the phase difference. It's harder for the camera to find focus when the light is dim or there is little subject detail. Contrary to recent remarks on another topic, the camera CAN distinguish contrast between equally bright hues of red and green just as the eye can--the sensors are color corrected. Although the sensors can distinguish some quite subtle detail differences, they don't see quite as sharply as the eye. If the lens starts from a very out of focus condition, it can miss very fine detail that the eye sees clearly, such as the mesh of a speaker grill from across the room. In this case, it can be helped if the photographer manually moves close to "focus" and allows the camera to find the actual focus.

6. AF controls:
Shutter release. By default, when you half-depress the shutter release, the camera will focus with the active sensors on the strongest contrasts within those sensor areas. Whether or not it will hold that focused distance depends on what AF mode you're shooting in.

AE/AF Lock Button. The asterisk button on the back near your right thumb. You can set this button to be the focus button in the Custom Function menu (CF4--choose option 1). When this is set, you focus by putting the active AF mark in the viewfinder on your subject and press the asterisk button. The camera focuses on that spot and does not change focus until you press the button again. In AI Servo mode, the camera continuously evaluates focus only as long as you have the button pressed.

Multicontroller (joy button) and AF Selection button. These controls, plus the control wheels, allow you to select which focus marks are active--they provide multiple ways to do the same thing, so take your choice. You can either select one point or you can set the camera to choose its own points as you focus. If the camera chooses the points, it will usually focus on any number of points that are closest to the camera. About the only time this is better is when you're focusing on fast-moving activity that you can't keep under a single mark (say, a soccer player). Otherwise, it's usually better to select your own point. The diagonal points on the 20D are very close to the "Rule of Thirds" intersections, so sometimes it's convenient (if you use that composition rule to place your subject in the frame) to select one of those points.

7. AF Modes:
One Shot: When you set the camera to "One Shot," you set the condition "The subject is definitely not moving." The camera is in a "focus priority" mode. The shutter release is locked until the camera achieves what it thinks is the proper focus. This is best if your subject and the camera will be motionless, because it allows you to focus and change the framing without the camera refocusing automatically.

AI Servo: When you put the camera into AI Servo mode, you have set the condition "The subject is definitely moving." The camera is in a "shutter priority" mode. Therefore, the camera goes into a routine that continually collects data to predict the subject movement and move the lens to intercept the subject at its new position. You can shoot even if out of focus (however, the camera cannot release the shutter if the lens is actually in motion). If you know your subject will be in constant motion, this is the best mode. If the subject is actually not moving, the chance of a misfocused shot increases as the camera goes through its data-collection routine. However, often a handheld camera does move (as the photographer sways naturally) for AI Focus to detect and correct for the sway. AI Servo will use whichever focus point you have activated. However, if you activate all the focus points, you must put the center point on the subject and half-press the shutter release for about half a second for the camera to "acquire" the right subject. After that, while you hold the shutter release, the camera can intelligently "hand off" the subject focus from point to point as the subject "wanders" over the viewscreen.

AI Focus: The camera is normally in One Shot mode and the shutter will lock until it achieves focus. However, if it detects the subject moving (that is, the subject goes out of focus), it will automatically switch into AI Servo mode and try to maintain focus. If you are focusing on something that frequently stays still but could move suddenly (like a toddler) this mode comes in handy. The important point with AI Focus is that it does not lock the shutter. However, the camera will usually interpret "focus and recompose" as movement of the subject, and will refocus.

Saturday, July 09, 2005

Wash fresh green radishes and cut off the root hairs (large ones can be halved); put them in a crock to pickle, a layer of radishes and then a layer of salt, weighted down with stones. Every two days transfer them to another crock, three times in all; after three weeks they are fully pickled. Rinse the radishes in the original brine, take them out and cut into fine shreds, soak in clean water for about a day to draw out the salt and off-flavors, then lift out and press out the water (10 kg of radishes presses down to about 4 kg). Crush garlic and fresh ginger, mix with soy sauce, chili powder, sugar, saccharin and flavoring essence, and add to the radish shreds to steep; transfer to another crock once the next day. Add toasted sesame seeds before eating.

(2) "Su-style broth" is the second stage and also the finishing stage. To make the broth, use water, soy sauce and salt in a fixed proportion; once it boils, grind the required Chinese medicinal herbs to a powder, sew them into a cloth bag and boil it in the broth. When the broth gives off the aroma of the herbs and seasonings, it has become Su-style broth, which is used for braising the meat. After use, the leftover broth is stored, kept and replenished in exactly the same way as master stock, and is likewise used over and over.