News archive November 2009 - Koos van den Hout


2009-11-30 (#) 11 years ago
Today the new kitchen was installed, which suddenly makes it all look very nice. The photos of the renovation have been updated.

2009-11-27 (#) 11 years ago
After finding shortcomings in the verification by openssl s_client I tried the gnutls command-line client gnutls-cli. The upside of gnutls-cli is that it does use IPv6 when available. But.. gnutls-cli decides not to trust a server when using the same certificate set as used in testing openssl s_client.
~$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p imaps
*** Verifying server certificate failed...
:~$ openssl s_client -verify 10 -CAfile /etc/ssl/certs/ca-certificates.crt -connect
    Verify return code: 0 (ok)
Weird. I would not be completely surprised if my own root CA had issues in very strict utilities but the chain used for the work servers is very well tested.

Update 2012-04-01: Found out later that gnutls-cli had a point: the order of the certificate chain given by the server was incorrect. Which is something all other applications allow.

2009-11-26 (#) 11 years ago
The winners of the IPv6 awards were announced this afternoon:

Category ISPs: BIT

Category business: Watchmouse

Category publication: Arnout Veerman

Category education: Hogeschool Utrecht and Universiteit van Amsterdam

Category private individuals: Jasper Wonnink

Various sponsors made nice prizes available. Press release from the IPv6 taskforce about the awards (PDF)

So I did not win a prize myself. But much more important is that this again generates attention for IPv6. The award ceremony was part of the ECP-ECN annual conference and there I spoke to people from various sectors who are now starting to realize that IPv6 is a subject to take into account. For most of them everything is 'network' or 'Internet', but they do have to take into account that this 'Internet' is changing.

2009-11-25 (#) 11 years ago
I like my SSL verification tools paranoid, and it seems openssl s_client -verify isn't paranoid enough. The man page reports:

       The -verify option should really exit if the server verification

I'd like to see added: "the hostname in the certificate is not verified". I ran a little test server to test for the right way to configure the SSL certificates in the openldap server and noticed I got the verification to work even when I was connecting to the wrong name.
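
What the missing hostname check amounts to, as an added example that is not part of the original post: validating the chain says nothing about which server answered, so the client also has to compare the name it connected to against the names in the certificate. The certificate below is constructed sample data in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and all host names are placeholders.

```python
# Added example: RFC 6125-style host name check against a certificate.
# CERT is constructed sample data in the shape returned by
# ssl.SSLSocket.getpeercert(); all names are placeholders.

CERT = {
    "subject": ((("commonName", "ldap.example.org"),),),
    "subjectAltName": (("DNS", "ldap.example.org"),
                       ("DNS", "*.dir.example.org")),
}


def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN dNSNames exist the CN is ignored
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match; '*' may only be the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # the wildcard covers exactly one label and needs at least
        # two fixed labels after it
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def hostname_ok(cert, hostname):
    """True only if the name we connected to is one the cert was issued for."""
    return any(name_matches(n, hostname) for n in cert_names(cert))
```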

2009-11-24 (#) 11 years ago
With a leaflet about tattooing your citizen service number (burgerservicenummer), neatly in the style of other government leaflets (PDF format), Het Nieuwe Rijk draws attention to the storage of fingerprints.

From this group's stated motives:

It is no surprise that the creation and use of this fingerprint database is at odds with the fundamental right to privacy, as laid down in article 10 of the Dutch Constitution and article 8 of the European Convention on Human Rights. The Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP), various researchers, professors and experts in the fields of computer science, legal psychology, computer security and even the European Data Protection Supervisor have also been very critical of this development.

The Dutch government wants to make it appear as if it is creating this database on the basis of European legislation. But that is not the case.

It is striking how the response from the Ministry of the Interior and Kingdom Relations only addresses the leaflet and the possible deception. This response was published when the makers of the leaflet and the subject it draws attention to were still unknown, so maybe that will still change.

I hope the commotion about the reference to the Holocaust will not distract too much (or be misused to distract) from the subject that matters: the unauthorized storage of fingerprints.
Update: The second response from the Ministry of the Interior and Kingdom Relations also completely ignores the purpose of the campaign. At the very least it is a pity that they do not address it. Meanwhile the signatures on the petition against the storage of fingerprints are pouring in.

2009-11-24 (#) 11 years ago
I was replacing ssl certificates on a lot of servers and got it working everywhere except on our ldap server. The SSL certificate chain wasn't given out so there was no link between a trusted root and the certificate on the server. I had it configured:
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem
With the certificate in servercrt.pem and the intermediate certificates in cacert.pem. But that was a config from an older server which uses OpenSSL, including openssl libraries (libssl). The newer ldap server uses the gnu tls libraries (libgnutls) which really need:
TLSCertificateFile /etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem
With the server certificate and the entire chain together in servercrt.pem. Something to keep in mind, so I documented it on our internal wiki.
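
The ordering rule that gnutls-cli enforced in the 2009-11-27 entry, and that the combined servercrt.pem has to follow, as an added example that is not part of the original posts: every certificate must be followed by the one that issued it. The subject and issuer names are constructed; in practice they come from running `openssl x509 -noout -subject -issuer` on each certificate in the file.

```python
# Added example: check and repair the order of a server certificate chain.
# Each entry is (subject, issuer); all names are constructed sample data.

SENT_BY_SERVER = [  # wrong: the two intermediates are swapped
    ("CN=ldap.example.org", "CN=Example Issuing CA"),
    ("CN=Example Policy CA", "CN=Example Root CA"),
    ("CN=Example Issuing CA", "CN=Example Policy CA"),
]


def first_break(chain):
    """Index of the first cert not followed by its issuer, or None if ordered."""
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            return i
    return None


def reorder(chain):
    """Return the chain leaf-first, each cert followed by its issuer.

    Raises ValueError when there is no single leaf or an issuer is missing,
    because then no ordering of the file can produce a valid chain.
    """
    by_subject = {subj: (subj, iss) for subj, iss in chain}
    issuers = {iss for subj, iss in chain if subj != iss}
    leaves = [c for c in chain if c[0] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf, found %d" % len(leaves))
    ordered = [leaves[0]]
    while len(ordered) < len(chain):
        subj, iss = ordered[-1]
        if subj == iss or iss not in by_subject:
            raise ValueError("chain is incomplete after %r" % subj)
        ordered.append(by_subject[iss])
    return ordered
```

A lenient client rebuilds the path itself, much as `reorder` does here; a strict one stops at the position `first_break` reports.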

2009-11-24 (#) 11 years ago
Wardriving results 28 September - 23 November: 1831 new networks with GPS locations. Not much wardriving happening due to the construction work at home.

2009-11-20 (#) 11 years ago
I realized there is one piece of software running on my server which has a small chance of having a known leak because it is a widely used package: Serendipity powers the hcc!pc gg netwerkgroep website and I hadn't upgraded it recently. A very small chance, since security is a very important part of the Serendipity design. Since upgrading phpBB for Camp Wireless was always a royal pain in the behind I sort of postponed this process. But after the serious search for any security flaw in my website I searched on the Serendipity site for an explanation of the upgrade process. And the answer: upgrading Serendipity is very, very easy. More PHP applications should be this easy to upgrade.
Update: A frequent reader notes that I had a bit of a strong opinion: lots of PHP software is easy to upgrade, phpBB is/was just a problem because the templating system is too integrated in the source.

2009-11-19 (#) 11 years ago
Somebody in Denmark thought something in this webserver would run some default and vulnerable software and tried to find a hole:
$ grep -c ~httpd/idefix/logs/access_log
All tries to display which is a bit of PHP source:
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>
Which will display ShiroHige as one word when run through the php processor.

All urls are attempts where it is assumed some vulnerable script is behind some visible part of the site such as the root, or my homepage, or some part of my homepage. Samples:

GET //?mosConfig_absolute_path=%0D
GET /~koos//?mosConfig_absolute_path=%0D
GET /~koos//administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=%20%0D
GET /~koos/newsitem.cgi//?mosConfig_absolute_path=%0D
GET /~koos/newsitem.cgi//administrator/components/com_a6mambocredits/admin.a6mambocredits.php?mosConfig_live_site=%20%0D
GET /~koos/newstag.cgi/security%20%20//libraries/pcl/pcltar.php?g_pcltar_lib_dir=%20
GET /~koos/newstag.cgi/security%20%20//templates/be2004-2/index.php?mosConfig_absolute_path=%20%0D
GET /~koos/newstag.cgi/security%20%20//modules/mod_weather.php?absolute_path=%20%0D
A bit of research finds that the next bit of code to execute would try to get info on the php setup (os, rights, free disk space). The third bit is running an entire bot with a few backdoors. I tried to find where the backdoor would connect to but that is all dynamic, only when the third script is loaded via the vulnerability a number of variables are set with the IP and port to connect to.

Like any good bot, it also notifies its maker in a hidden away part of its source, which would look like:

Subject: Fx29Shell by

Boss, there was an injected target on by
Searching on the term Fx29Shell gives a scary answer: Results 1 - 10 of about 221,000 for Fx29Shell. A lot of those still show webservers where this script is active.

But all my home-made webstuff is not in the habit of executing remote php scripts. But given the load of sites hosted on it's probably a script running on that server which got hacked from a third place.
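
Detection logic for the probes listed above, as an added example that is not part of the original post: it flags requests in which a parameter is one of the include-path names from the samples, or carries a URL as its value. The log lines, client addresses and example.invalid URLs are constructed.

```python
# Added example: flag remote-file-inclusion probes in an access log.
import re
from urllib.parse import parse_qsl

# Parameter names taken from the sample requests in the post.
INCLUDE_PARAMS = {"mosconfig_absolute_path", "mosconfig_live_site",
                  "g_pcltar_lib_dir", "absolute_path"}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})')
REMOTE = re.compile(r"^\s*(?:https?|ftp)://", re.I)

# Constructed log lines in Apache common log format.
SAMPLE_LOG = '''\
192.0.2.10 - - [19/Nov/2009:03:12:01 +0100] "GET /~koos//?mosConfig_absolute_path=http://example.invalid/id.txt%3F%0D HTTP/1.1" 200 5120
192.0.2.10 - - [19/Nov/2009:03:12:02 +0100] "GET /~koos/newstag.cgi/security//libraries/pcl/pcltar.php?g_pcltar_lib_dir=%20 HTTP/1.1" 404 310
198.51.100.7 - - [19/Nov/2009:08:30:44 +0100] "GET /~koos/newsitem.cgi?redirect=http%3A%2F%2Fexample.invalid%2F HTTP/1.1" 200 900
198.51.100.7 - - [19/Nov/2009:08:31:00 +0100] "GET /~koos/newstag.cgi/ipv6 HTTP/1.1" 200 7411
'''


def classify(line):
    """Return (client, reason) for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, _status = m.groups()
    # Split on the first '?' by hand: targets may start with '//', which
    # a URL parser would misread as a host part.
    query = target.partition("?")[2]
    # parse_qsl percent-decodes values; keep blanks, probes often send them
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in INCLUDE_PARAMS:
            return client, "include-path parameter " + name
        if REMOTE.match(value):
            return client, "URL passed in parameter " + name
    return None


def probes_per_client(log_text):
    """Count flagged requests per client address."""
    counts = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return counts
```

The second rule is deliberately broad and will also flag legitimate parameters that carry URLs, so its hits are candidates for review rather than confirmed probes.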

2009-11-19 (#) 11 years ago
I'm building a new box at work and I waited a bit with ratelimiting ssh connections (ssh is already configured to only allow valid accounts with pre-established keys). The result of one night..:
# egrep -c 'sshd.*(Invalid user|not allowed)' auth.log 

2009-11-18 (#) 11 years ago
I played with temporary IPv6 addresses recently, the privacy extension where the right half of the address isn't always the same address derived from the ethernet mac address but a random address. I noticed when I set Linux to use the temporary address as preferred address it was listed as 'secondary':
# ip -6 addr ls
1: lo:  mtu 16436 
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
22: wlan0:  mtu 1500 qlen 1000
    inet6 2001:888:1011:1:10f3:2799:3587:237e/64 scope global secondary dynamic 
       valid_lft 604544sec preferred_lft 85544sec
    inet6 2001:888:1011:1:21f:e1ff:fe45:2894/64 scope global dynamic 
       valid_lft 2591744sec preferred_lft 604544sec
    inet6 fe80::21f:e1ff:fe45:2894/64 scope link 
       valid_lft forever preferred_lft forever
I thought maybe I can use this to fix my outgoing IPv6 address selection problem. Searching for clues how to change the status of an IPv6 address using the ip command I found: IPv6 Source Address Selection on Linux which answers my question completely, and now I can 'block' the tunnel address completely for outgoing connections:
# ip -6 addr ls dev xs4allipv6
7: xs4allipv6@NONE:  mtu 1480 
    inet6 2001:888:1011::13/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 2001:888:10:11::2/64 scope global deprecated 
       valid_lft forever preferred_lft forever
    inet6 fe80::a2a:1401/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::525f:c4ca/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::a2a:201/64 scope link 
       valid_lft forever preferred_lft forever
The tunnel address is 'deprecated' so it will not be used for outgoing connections but the system still responds to it so routing works. Now the wanted address is chosen when I connect to a system 'nearby' in IPv6 address terms:
tcp6       0      0 2001:888:1011::13:41041 2001:888:0:311:194::119 ESTABLISHED

2009-11-18 (#) 11 years ago
Just received mail: I have a nomination for the IPv6 awards in the category private individuals. The other nominee in this category is Jasper Wonnink of Fix6, who I think has at least as much of a chance. So I am curious.

The nominations:

Business: NetMatch, Watchmouse
Government & not-for-profit: Stichting DOK, Nederlandse Publieke omroep, Ministerie van Algemene zaken
Education: Hogeschool Utrecht, Universiteit van Amsterdam
Publication: Benjamin Margarita, Arnout Veenman, Marcel van de Kraats
Private individuals: Jasper Wonnink, Koos van den Hout
Internet Service Providers: BIT, Signet, Shock Media, Prolocation

IPv6 awards nominations on the IPv6 taskforce website

2009-11-17 (#) 11 years ago
This morning I saw yet another completely unnecessary 'cyclists dismount' sign. When will there finally be a sign 'motorists get out and push'? For example on the A2N2 near Eindhoven.

2009-11-16 (#) 11 years ago
Power failure this morning at work.. which left us not in the dark (enough emergency lighting) but with a completely silent serverroom. When the power came back we had some hours of work to get everything up and running again. Worst problem was with a number of Xen based virtualhosts, some centos upgrade had suddenly created a network device virbr0 which uses NAT and a local dhcp pool and enslaved all xen domU network interfaces under that bridge with no access to the 'real' network because NAT was not set up so their NFS root mount failed. The details on virbr0:
virbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet addr:  Bcast:
A bit hard to disable, but at the end ifconfig virbr0 down ; brctl delbr virbr0 helps to get rid of the weird bridge, and all domUs will start after that.

2009-11-15 (#) 11 years ago
Sheldon explains the cloud.

2009-11-13 (#) 11 years ago
My website has more visitors via IPv6 than that of the Telegraaf.
Have a look at the 6bone Webserver List. Discovered by Henk van de Kamer, who also beat the Telegraaf.

2009-11-13 (#) 11 years ago
After the migration of HCC!net mail (announced with several e-mails) I now keep seeing this from fetchmail:
fetchmail: Server CommonName mismatch: localhost.localdomain !=
fetchmail: Server certificate verification error: self signed certificate
And there is no explanation of this in the Frequently asked questions about HCC!net mail. Workaround: sslproto ssl23 in the line for so that TLS is not used (taken from How can I tell fetchmail not to use TLS if the server advertises it? Why does fetchmail use SSL even though not configured? - The Fetchmail FAQ). It would of course be better if simply had a real certificate.
Remarkable, by the way, is the conspicuously missing option to reach HCC!net support via e-mail on the contact page. I am not going to pay 60 cents per minute to explain to them that they broke it.

2009-11-12 (#) 11 years ago
Two of my favourite subjects combined:
$ host has address has IPv6 address 2001:888:2156::3:1:1
So now also via ipv6:

2009-11-10 (#) 11 years ago
Going old-school today: I wrote a sed script to massage grub.conf to add a windows partition on a second disk. Searching google for has this been done before yields loads of pages with handholding on how to add windows by hand to a grub.conf generated by anaconda but no simple 'automated' solution. I am always in favor of letting the computer do the boring work. But a bit of thinking and testing and now sed does the job:
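# Only add the entry when the first partition on a second disk exists
if [ -b /dev/sdb1 ]; then

        # Keep the generated file; it is the input for sed below
        cp /boot/grub/grub.conf /boot/grub/grub.conf.pre

        # Raise the timeout, append the Windows entry after the hiddenmenu
        # line, then delete the hiddenmenu line itself
        sed -e 's/timeout=5/timeout=30/' -e '/hiddenmenu/a\
title Windows XP (Service Pack 3)\
        rootnoverify (hd1,0)\
        map (hd0) (hd1)\
        map (hd1) (hd0)\
        chainloader (hd1,0)+1
' -e '/hiddenmenu/d' < /boot/grub/grub.conf.pre > /boot/grub/grub.conf
fi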
Everybody knows sed -e 's/../../' but I had to look up 'insert', 'append' and 'delete'.
Update 2009-11-12: Changed insert to append because the previous version inserted windows multiple times with multiple linux kernels. Once is enough. Also moved it from the post-install instructions to the post-reboot script so linux is fully configured before windows gets booted.

2009-11-07 (#) 11 years ago
Maybe related to the construction work at home or to problems with the DSL network to my provider but 29 October was a day of intermittent DSL problems. And indeed, the resulting line quality graph looks 'interesting'.

2009-11-07 (#) 11 years ago
Something up with sshd? Suddenly I see log entries (formatted for readability) like:
Nov  7 11:14:25 greenblatt sshd[5670]: Bad protocol version identification 'yJ
\313\362' from
I dislike seeing stuff like this.

2009-11-06 (#) 11 years ago
I'm playing a bit with NDPMon - IPv6 Neighbor Discovery Protocol Monitor, now at version 1.4.0. So far, after configuring it in the right configuration file it likes one part of the home network (the wired part). I'm looking at it both from the viewpoint of playing with IPv6 and from the viewpoint of network security: can I use this to trace users of a network? In a large network like the one at work I could imagine ndpmon doing for IPv6 what arpwatch does for IPv4. Combine that with logs from the switches for tracing ethernet addresses and I see possibilities for a big, usable and at the same time manageable and secure network.

2009-11-04 (#) 11 years ago
All the talk about gopher from the article The Web may have won, but Gopher tunnels on made me try whether I can run a gopher server which is reachable via ipv6. The answer is: yes I can.

gopher:// reachable via both IPv4 and IPv6.

Update 2009-11-05: and I'm not the first one to think of this. gopher://✎.net/ adds the fun of a punycode url.

2009-11-03 (#) 11 years ago
Companies not prepared for exhaustion of web addresses. The term 'web addresses' alone tells you the author missed some details, but let's say it manages to keep IPv6 in the news. The quote I want to pull out:
Moreover, not all companies and organizations are aware of the need to switch to the new IP version.
Companies even actively claim that they get by just fine with NAT. And it does not help either when Gartner claims that 'we' do not need to worry about IPv6 yet: Gartner: Don't sweat move to IPv6 (does anyone have access to the original report?). Many people who make decisions about this will gladly believe Gartner as a source.

My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.