
Koos van den Hout

Koos van den Hout - Latest news, thoughts, rants, projects and other things to write about.
2019-11-06 Tested and attached wires to the new 12V powersupply 5 days ago
Powersupply with wires attached
I had time to do some soldering and I tested and wired the 12V server powersupply I bought last Saturday at the "Dag van de Radioamateur" ham convention.

The powersupply that I bought is an HP DPS-800GB A and it already had two wires to make it start up when input voltage is applied. I just soldered thick wires to the output terminals so I can connect it to the HF amplifier. Unlike the previous HP DPS-700 powersupply this one has two builtin fans so it won't overheat.

Time to test it with the HF amplifier is this weekend. I'll test the output power with the current output voltage left as-is. It's currently at 12.2 Volt when no load is applied. There are simple modifications to raise the voltage as described by Server supply DPS-800GB - PA0FRI.

2019-11-02 I visited the "Dag van de radio amateur" (DvdRA) ham convention 1 week ago
Today was the Dag voor de Radioamateur edition 2019, and I went there.

My main todo item was to deliver outgoing qsl cards to the Dutch QSL bureau and pick up the new ones for Region 08. So I walked in with a big shopping bag and after visiting the Dutch QSL bureau market stall I returned to the car right away with a new box full of cards. After that I walked in again and started looking around. I was looking for certain parts I needed recently such as RCA connectors, 2.5 mm stereo jack connectors. I also had some specific things in mind such as a newer high amperage 12V supply because the previous server power supply smoked itself and an antennaswitch and serial connectors for remote HF operation which I found. I found no USBaudio and USBserial interfaces so those will be picked up in the next electronics web order.

I attended a lecture on the QO-100 amateur satellite and the story behind the Patch of the Year antenna co-developed by Remco PA3FYM.

I also met a lot of amateur radio friends, more than I expected!

2019-10-28 TCP reflective SYNs: blocking by the /24 2 weeks ago
It seems the TCP reflective SYN attacks are continuing. In researching my options I saw the option to use a netmask with the iptables recent module.

This helps a bit with the attacks trying to flood an entire block. I've updated the filtering to work by the /24, start a check on a SYN from such a block, end when an ACK flies by and start dropping when the rate is over 10 per 2 minutes.
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN -m recent --update --seconds 120 --hitcount 10 --name tcpsyn --mask 255.255.255.0 --rsource -j LOGDROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN -m recent --set --name tcpsyn --mask 255.255.255.0 --rsource
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK ACK -m recent --remove --name tcpsyn --mask 255.255.255.0 --rsource
LOGDROP is a rule to drop packets and ratelimit the logging of dropped packets, to avoid turning a network attack into a disk attack.

But I have to be careful not to make services hard to reach for legitimate clients. The above is working, and during attacks I don't see a single SYN_RECV socket.
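
The effect of the three rules can be followed on a packet sequence with a small model. This is an added example, not code from the original post: it is a simplified Python model of the `recent` match, and the traffic and function names are constructed for illustration.

```python
import ipaddress

WINDOW, HITCOUNT = 120, 10            # --seconds 120 --hitcount 10

def filter_packets(packets, mask=24):
    """Simplified model of the three 'recent' rules above.

    packets: (time_in_seconds, source_ip, flags) with flags "S" for a SYN
    without ACK and "A" for an ACK without SYN. Returns one verdict per
    packet: "DROP" (rule 1) or "PASS" (left for later rules to decide).
    """
    stamps = {}                       # masked source -> timestamps (list 'tcpsyn')
    verdicts = []
    for now, src, flags in packets:
        key = ipaddress.ip_network(f"{src}/{mask}", strict=False)
        if flags == "S":
            hits = [t for t in stamps.get(key, []) if t >= now - WINDOW]
            if len(hits) >= HITCOUNT:            # rule 1: --update matches
                stamps[key].append(now)          # a dropped SYN still counts
                verdicts.append("DROP")
                continue
            stamps.setdefault(key, []).append(now)   # rule 2: --set
        elif flags == "A":
            stamps.pop(key, None)                # rule 3: --remove
        verdicts.append("PASS")
    return verdicts

# Constructed traffic (documentation address range): 12 SYNs in one minute,
# each from a different address in the same /24, none followed by an ACK.
FLOOD = [(i * 5, f"198.51.100.{i + 1}", "S") for i in range(12)]

# Constructed legitimate client: 15 connections, each SYN followed by its ACK.
CLIENT = [(i * 2 + j, "203.0.113.7", f) for i in range(15) for j, f in enumerate("SA")]

if __name__ == "__main__":
    print("per /24  :", filter_packets(FLOOD))
    print("per host :", filter_packets(FLOOD, mask=32))
    print("client   :", set(filter_packets(CLIENT)))
    # A real client sharing the flooded /24 loses its SYN while the block is hot.
    print("bystander:", filter_packets(FLOOD + [(61, "198.51.100.200", "S")])[-1])
```

With the /24 mask the eleventh SYN from the block is dropped, while the same traffic tracked per address never reaches the hitcount. A client that completes its handshakes keeps clearing the entry and is not affected.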

2019-10-27 Attempts to hack digital video recorders over http via the nntp port 2 weeks ago
Sometimes you really wonder about the amount of errors made by noisy attacks. I noticed the following pattern in the system logs:
nnrpd[7029]: 189.243.177.73 unrecognized Accept-Encoding: identity
nnrpd[7029]: 189.243.177.73 unrecognized Content-Length: 586
nnrpd[7029]: 189.243.177.73 unrecognized Accept-Language: en-us
nnrpd[7029]: 189.243.177.73 unrecognized Host: 74.219.111.25
nnrpd[7029]: 189.243.177.73 unrecognized Accept: */*
nnrpd[7029]: 189.243.177.73 unrecognized User-Agent: ApiTool
nnrpd[7029]: 189.243.177.73 unrecognized Connection: close
nnrpd[7029]: 189.243.177.73 unrecognized Cache-Control: max-age=0
nnrpd[7029]: 189.243.177.73 unrecognized Content-Type: text/xml
nnrpd[7029]: 189.243.177.73 unrecognized Authorization: Basic YWRtaW46ezEyMjEzQkQ...
With some searching I eventually found exploit code for certain series of digital video recorders which can be anywhere on the wide Internet.

The whole protocol mismatch makes this a lot noisier via the nntp port than via http, but I also see some attempts via the http port.
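
A log check for this pattern, as an added example that is not part of the original post: it flags sources that send several HTTP header names to nnrpd as if they were NNTP commands. The sample lines, addresses and the threshold are constructed; only the log line layout follows the excerpt above.

```python
import re
from collections import defaultdict

# Header names that only make sense in HTTP, never as NNTP commands
HTTP_HEADERS = {"host", "user-agent", "accept", "accept-encoding",
                "accept-language", "content-type", "content-length",
                "connection", "cache-control", "authorization"}
LINE = re.compile(r"nnrpd\[(?P<pid>\d+)\]: (?P<src>\S+) unrecognized (?P<cmd>.*)")

def http_on_nntp(lines, threshold=3):
    """Return {source: summary} for clients that spoke HTTP to nnrpd."""
    seen = defaultdict(dict)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        name, sep, value = m["cmd"].partition(":")
        if sep and name.strip().lower() in HTTP_HEADERS:
            seen[m["src"]][name.strip().lower()] = value.strip()
    report = {}
    for src, headers in seen.items():
        if len(headers) < threshold:      # one stray line is not a pattern
            continue
        report[src] = {
            "headers": sorted(headers),
            "user_agent": headers.get("user-agent"),
            "target_host": headers.get("host"),
            # only note that credentials were sent, never copy them into a report
            "sent_credentials": "authorization" in headers,
        }
    return report

# Constructed sample log lines (documentation addresses, made-up values)
SAMPLE = """\
nnrpd[4242]: 192.0.2.10 unrecognized Host: 203.0.113.5
nnrpd[4242]: 192.0.2.10 unrecognized User-Agent: ExampleScanner
nnrpd[4242]: 192.0.2.10 unrecognized Content-Type: text/xml
nnrpd[4242]: 192.0.2.10 unrecognized Authorization: Basic <redacted>
nnrpd[4300]: 192.0.2.77 unrecognized LISTT
nnrpd[4301]: 192.0.2.78 unrecognized Host: 203.0.113.5
""".splitlines()

if __name__ == "__main__":
    for src, info in http_on_nntp(SAMPLE).items():
        print(src, info)
```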

2019-10-25 Slow(ish) syn floods getting more complicated to filter 2 weeks ago
I'm seeing lots of sockets in state SYN_RECV again and noticed this time my earlier iptables rules to not respond to tcp syn packets that don't build up a connection aren't working. Between two syn packets from the same source there is 5 minutes, so my system responds to all of them. Ranges of addresses in the same block are used as source IPv4 addresses. For one address the traffic is very minimal:
22:40:51.600077 IP 112.175.120.39.58275 > 82.95.196.202.22: Flags [S], seq 720891004, win 29200, length 0
22:40:51.600392 IP 82.95.196.202.22 > 112.175.120.39.58275: Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:40:52.612035 IP 82.95.196.202.22 > 112.175.120.39.58275: Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:40:54.628048 IP 82.95.196.202.22 > 112.175.120.39.58275: Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:40:58.660031 IP 82.95.196.202.22 > 112.175.120.39.58275: Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:41:06.851865 IP 82.95.196.202.22 > 112.175.120.39.58275: Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:41:22.980000 IP 82.95.196.202.22 > 112.175.120.39.58275: Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:45:18.565999 IP 112.175.120.39.41767 > 82.95.196.202.465: Flags [S], seq 910623633, win 29200, length 0
22:45:18.566415 IP 82.95.196.202.465 > 112.175.120.39.41767: Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
22:45:19.588000 IP 82.95.196.202.465 > 112.175.120.39.41767: Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
22:45:21.604022 IP 82.95.196.202.465 > 112.175.120.39.41767: Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
22:45:25.667936 IP 82.95.196.202.465 > 112.175.120.39.41767: Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
22:45:33.860000 IP 82.95.196.202.465 > 112.175.120.39.41767: Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
22:45:49.987965 IP 82.95.196.202.465 > 112.175.120.39.41767: Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
But multiply this with several source IPs in the same IPv4 /24 block and a lot of open servers in the world and suddenly you get a lot of return traffic.

2019-10-24 Another https upgrade 2 weeks ago
I discovered that the website of the HCC PCgg network group still runs fine but was flagged as insecure in a modern browser because it contains input fields.

Even though the last activity on the site dates from August 2012, I still want to keep this site online because I had a lot of fun with the network group back then and it was nice to give presentations there and figure things out.

So the site now runs on https with a LetsEncrypt certificate. And it was a good moment to update the version of serendipity itself at the same time.

Update: I now also see browsers that simply report all http as insecure. I think it is time to move the last sites over to https as well.

2019-10-20 Restored the webcam site and archives 3 weeks ago
I was looking at the overview of most requested but not available URLs and noticed there is still traffic to http://webcam.idefix.net/. For years that was the webcam site when I still had access to a reasonable location for putting up a webcam. First a good view at my previous house, and later a window with a good view from a server room at work.

So I dug up the archived images and scripts, cleaned them up and made them available again. There are no fresh images, just the aged archives.

2019-10-17 Tested incremental DNSSEC signing 3 weeks ago
I noticed some really unused records in one zone which is now DNSSEC signed. For example I still had gplus.idefix.net to point at my Google+ page.

So I removed them and did the signing after increasing the serial number. Indeed the records that had no update kept their original signature and the records that were changed (such as the SOA because of the serial number) were signed with new signatures.

2019-10-16 The signatures for the first DNSSEC signed zone expired, and I signed the rest 3 weeks ago
Today I was reminded of the first zone I signed with DNSSEC and did the check again with DNSViz. And I saw a lot of error messages. Some searching found that I let all the signatures expire (after the default time of 30 days).

Solution: re-sign the zone and have a careful look at when I need to sign the zones again. Officially just in time for expiry time of the signature (default 30 days) minus TTL of the record.

Obviously this process has to be automated. In the first go I decided to force new signatures after 21 days. But I tested some things later and decided to go for more regular checks of the ages of the signatures and refresh the signatures that are about to expire. This is usually reserved for 'big' zones with lots of resolvers querying them but I decided to implement this myself to avoid problems, and learn more about DNSSEC.

The magic signing command is now:
%-signedserial: %-zone
    named-checkzone $* $^
    ./SOA.pl $^
    dnssec-signzone -S -K /etc/bind/keys -g -a -r /dev/random -D -S -e +2592000 -i 604800 -j 86400 -o $* $^
    rndc reload $*
    touch $@
The expiry is set with -e at 30 days, the checkinterval with -i at 7 days and the jitter factor with -j at 1 day.

Now there is a special part in the Makefile to be called from cron on a regular basis. It won't produce any output when there is nothing to update.
agecheck:
    @for zone in $(SIGNEDZONES); do if [ `find $${zone}-signedserial -mtime +7 -print` ]; then touch $${zone}-zone ; $(MAKE) --no-print-directory $${zone}-signedserial; fi ;done
The Make variable SIGNEDZONES is filled with the zonenames of the zones that have to be kept DNSSEC signed. File structure for each forward zone is as listed in first zone with valid DNSSEC signatures.

So now almost all my domains are DNSSEC signed. A learning experience and a good level of security.
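
To see which signatures a signing run with -i would replace, and which are already past "expiry minus TTL", the RRSIG timestamps in the signed zone file can be checked directly. This is an added example, not one of the author's scripts; the zone excerpt, key tag, signature data and the "current" time are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# type covered, algorithm, labels, original TTL, then expiration and inception
RRSIG = re.compile(r"RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+(?P<ttl>\d+)\s+\(?\s*"
                   r"(?P<expire>\d{14})\s+(?P<incept>\d{14})")

def signature_status(zone_text, now, interval=604800):
    """Return (type, state) per RRSIG in a signed zone file.

    'late'    : now is past expiration minus the record TTL
    'refresh' : expires within `interval` seconds, so -i would replace it
    'ok'      : retained as-is on the next signing run
    """
    result = []
    for m in RRSIG.finditer(zone_text):
        expire = datetime.strptime(m["expire"], "%Y%m%d%H%M%S")
        expire = expire.replace(tzinfo=timezone.utc)
        if now >= expire - timedelta(seconds=int(m["ttl"])):
            state = "late"
        elif expire <= now + timedelta(seconds=interval):
            state = "refresh"
        else:
            state = "ok"
        result.append((m["type"], state))
    return result

# Constructed excerpt of a signed zone; key tag and signature data are placeholders.
SAMPLE_ZONE = """
example.net.  3600 IN RRSIG SOA 13 2 3600 (
                  20191115110000 20191016100000 12345 example.net.
                  PLACEHOLDERSIGNATURE== )
              3600 IN RRSIG NS 13 2 3600 (
                  20191020110000 20190920100000 12345 example.net.
                  PLACEHOLDERSIGNATURE== )
www.example.net. 86400 IN RRSIG A 13 3 86400 (
                  20191017060000 20190917050000 12345 example.net.
                  PLACEHOLDERSIGNATURE== )
"""
NOW = datetime(2019, 10, 16, 12, 0, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    for rtype, state in signature_status(SAMPLE_ZONE, NOW):
        print(rtype, state)
```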

2019-10-14 Sharing some of my CQRLOG scripts 4 weeks ago
Since January 2015 I've been using CQRLOG as the main amateur radio logging program. So each contact that I make ends up in the databases of this program eventually.

Being the person I am I added some scripts of my own to export data from CQRLOG to the PE4KH amateur radio station website in several formats.

I've made a few of these scripts available for the public via KHoos/CQRLOG-scripts: A collection of scripts around the CQRLOG amateur radio logging software on github. I've set the license to GPLv2, but I may have to change this as one script contains a lot of imported code.

Anyway, share and enjoy. Maybe these are of use to someone. Or someone adds the enhancements I've been thinking about but never got around to.




The person

Father, cat owned/owner, Linux fan, Internet user, book reader, radio amateur, recumbent bicyclist, snowboarder, ipv6 fan. For those who don't speak Dutch: how to pronounce Koos van den Hout.

The job

Specialist information security at Utrecht University with a modern Profile page.
 


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.