News items for tag english - Koos van den Hout

2019-05-19 Logging amateur satellite contacts (and another contact) 1 day ago
After getting a satellite contact via SO-50 the next thing was to get it in the log correctly. I followed the instructions from Logging Satellite QSOs with Logbook of the World - Amsat, logging the contact in the tqsl program, uploading that log to Logbook of the World and importing the logfile (ADIF) into CQRLOG later.

But later I found out that CQRLOG now supports satellite logging after enabling it in the preferences. Since version 2.3.0 satellite support is included.
Read the rest of Logging amateur satellite contacts (and another contact)

Tags: , ,
2019-05-17 Back on amateur satellites: I made a contact via SO-50 3 days ago
This evening I checked 'Sky at a glance' in gpredict and saw a nice SO-50 pass come up. It was a southwest - northeast pass with a very high maximum elevation. So a good chance to listen to the satellite for a while. I took the Arrow antenna together with the Wouxun handheld radio outside, which I programmed for the SO50 frequencies when I started with amateur satellites years ago.

I started hearing the satellite right after it got above the houses. I heard one familiair callsign: Peter 2M0SQL. In a silent moment I answered his call, he heard me fine and we had a contact.

My first satellite contact since August 2014 and directly someone in the log who I really wanted to get in the log.

Tags: , ,
2019-05-15 Taking steps to get back on the amateur satellites 5 days ago
Saudisat 1c / SO-50 cube satellite
Saudisat 1c / SO-50
Tuesday evening we had a good presentation at our radio club about getting active on the QO-100 geostationary amateur satellite. This was a very technical presentation by René Stevens PE1CMO. This amateur satellite is actually a transponder on the Es'Hail2 satellite. The transponder is active on amateur bands: 2.4 GHz up and 10 GHz down.

A very interesting and good presentation. And for now I find it very interesting but I'm not going to invest the time and money to get on that satellite.

This did remind me that I wanted to get back into amateur satellites as planned for several years. Looking back I see a clear moment when the satellite activity stopped: The last successful amateur satellite contact was 2014-08-10: Success with the new radio and the SO-50 amateur satellite and the first HF contact was 2014-08-29: First PSK31 on HF contacts. It's easier to make a lot more contacts on HF for the same amount of work as one satellite contact.

As a first step I took out the arrow antenna and a handheld radio just to listen to some passes. And that showed the well-known problem with satellite passes: They have to fit in your schedule or otherwise you will miss them completely. But there are a lot of amateur satellites to listen to. I had two Fox-1A (AO-85) passes not higher than 23 degrees elevation. And I heard nothing on those passes, but that wasn't a big surprise given earlier experiences and what people have shared. I had one pass of Saudisat (SO-50) which went up to 29 degrees elevation and I heard at least a few callsigns on that pass. And no really bad behaviour, but maybe a Wednesday daytime is better in that regard.
Read the rest of Taking steps to get back on the amateur satellites

Tags: , ,
2019-05-06 Making checking SSL certificates before installing them a bit more robust 2 weeks ago
Encrypt all the things meme With all the automated updates of certificates as described in Enabling Server Name Indication (SNI) on my webserver and Automating Let's Encrypt certificates further I wondered about what would happen when some things got corrupt, most likely as a result of a full disk. And a simple test showed out that the checkcert utility would happily say two empty files are a match because the sha256sum of two empty public keys is the same.

Solution, do something with the errorlevel from openssl. New version of checkcert:
#!/bin/sh

# check ssl private key 1 with ssl pem encoded x509 certificate 2 public key

SUMPRIVPUBKEY=`openssl pkey -in $1 -pubout -outform pem || echo privkey | sha256sum`
SUMCERTPUBKEY=`openssl x509 -in $2 -noout -pubkey -outform pem || echo pubkey | sha256sum`

if [ "${SUMPRIVPUBKEY}" = "${SUMCERTPUBKEY}" ]; then
        exit 0
else
        exit 1
fi
And now:
koos@gosper:~$ /usr/local/bin/checkcert /dev/null /dev/null
unable to load key
139636148224064:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: ANY PRIVATE KEY
unable to load certificate
139678825668672:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
koos@gosper:~$ echo $?
1

Tags: , , ,
2019-05-06 Good security tips in an e-mail with a virus attached 2 weeks ago
Just seen in an e-mail with a virus, looking like it's something from a bank:
Security tips

1. Install virus detection software and personal firewall on your computer. This software needs to be updated regularly to ensure you have the latest protection.
2. To prevent viruses or other unwanted problems, do not open attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of this payment as soon as possible. 
But the attachment has malware.

Tags: ,
2019-05-04 Considering enabling Server Name Indication (SNI) on my webserver 2 weeks ago
Encrypt all the things meme While making a lot of my websites available via HTTPS I started wondering about enabling Server Name Indication (SNI) because the list of hostnames in the one certificate (subjectAltName parameter) keeps growing and they aren't all related.

So on a test system with haproxy I created two separate private keys, two separate certificate signing requests and requested two separate certificates. One for the variants of camp-wireless.org and one for most of the idefix.net names. The whole requesting procedure happened on the system where my automated renewal and deployment of LetsEncrypt certificates with dehydrated happens so the request went fine. For the configuration of haproxy I was following HAProxy SNI where 'terminating SSL on the haproxy with SNI' gets a short mention.

So I implemented the configuration as shown in that document and got greeted with an error:
haproxy[ALERT] 123/155523 (3435) : parsing [/etc/haproxy/haproxy.cfg:86] : 'bind :::443' unknown keyword '/etc/haproxy/ssl/webserver-idefix-main.pem'.
And found out that the crt keyword has to be repeated.

This is why I like having a test environment for things like this. Making errors in the certificate configuration on the 'production' server will give visitors scary and/or incomprehensible errors.

So the right configuration for my test is now:
frontend https-in
    bind :::443 v4v6 ssl crt /etc/haproxy/ssl/webserver-campwireless.pem crt /etc/haproxy/ssl/webserver-idefix-main.pem
And testing it shows the different certificates in use when I use the -servername parameter for openssl s_client to test things.
$ openssl s_client -connect testrouter.idefix.net:443 -servername idefix.net -showcerts -verify 3
..
Server certificate
subject=/CN=idefix.net
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
..
Verification: OK
$ openssl s_client -connect testrouter.idefix.net:443 -servername camp-wireless.org -showcerts -verify 3
..
Server certificate
subject=/CN=www.camp-wireless.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
..
Verification: OK
The certificates are quite separate. Generating the certificate signing requests with a separate private key for each request works fine.

So if I upgrade my certificate management to renew, transport, test and install multiple certificate for the main webserver it would work.
Read the rest of Considering enabling Server Name Indication (SNI) on my webserver

Tags: , , , ,
2019-04-29 I participated in the BARTG Sprint75 contest 2019 3 weeks ago
I participated in the British amateur radio teledata group RTTY Sprint75 contest 2019. The special thing with the 75 is that this is 75baud RTTY and not the normal 45baud RTTY.

This is a relatively short contest (4 hours) on a Sunday evening and I did not participate in the contest the whole time, I also watched some television with my family. All a matter of priorities.

I made 27 contacts on the 20 and 40 meter bands. Since I now have an RF power meter I was able to make sure my output power was right below 100 watts so I could enter in the '100 watts' category and not 'high power'.

Tags: , ,
2019-04-25 Accepting multiple passwords for IMAPS access 3 weeks ago
After upgrading to the new homeserver my old setup to allow two passwords for IMAPS logins so I can use a separate password for IMAPS access for those devices that insist on saving a password without asking.

I have the following PAM libraries:
ii  libpam-modules 1.1.8-3.6    amd64        Pluggable Authentication Modules
And I debugged the problem using the pamtester program which makes debugging this problem a lot easier than constantly changing the configuration and restarting the imap server.

The relevant configuration now is:
# PAM configuration file for Courier IMAP daemon

#@include common-auth
# here are the per-package modules (the "Primary" block)
auth    required    pam_succeed_if.so quiet user ingroup users
#auth   [success=1 default=ignore]      pam_unix.so nullok_secure
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient  pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
@include common-account
@include common-password
@include common-session
And now both my unix login password and the extra password are accepted.

Tags: , , ,
2019-04-24 I applied for the ARRL DXCC award 3 weeks ago
ARRL DXCC certificate sample After getting to the magic number of getting contacts with 100 DXCC entities confirmed I applied for (and paid for) the ARRL DXCC award, the American Radio Relay League DX Century Club award.

So I guess I have to admit I'm a serious DX chaser!

Tags: , , ,
2019-04-21 New countries in amateur radio: Egypt and Colombia 4 weeks ago
After working on the URE 70 year anniversary special event I also made contact with two new countries: Egypt and Colombia. Egypt is not too far away but there aren't many active radio amateurs in Egypt so this one is harder. This evening SU9JG is active and I got the contact.

Right after that I got HK3C in the log from Colombia. Not a very rare country in Amateur radio, but with my current setup I have trouble reaching South America.

The definition of 'rare' or 'not so rare' countries (or rather: DX entities, but that's another story) in Amateur radio is based on the statistics gathered by Club Log and published as the DXCC Most Wanted List which is based on the assumption that every active Club Log member wants contacts with all available DXCC entities. Countries with lots of active amateurs such as the United States of America and Italy are at the bottom of the list, countries or entities that restrict amateur radio or are very hard to reach such as North Korea and Bouvet Island are at the top.

Update 2019-04-22: And both are already confirmed on Logbook of the World which gets the number of countries confirmed via electronic qsls on Logbook of the World to a round 100, the magic number for the DX Century Club. So, time to start checking my options to get an actual DXCC certificate! I also have three countries confirmed via QSL card which aren't confirmed electronically, so I have to look into the Dutch QSL card checker option one day.

Tags: , ,
2019-04-14 Getting countries on new bands in the log 1 month ago
I haven't made an amateur radio contact with a completely new country in a while, but I have worked on getting countries on new bands in the log. This weekend I had the 6-40m longwire antenna out. It did not want to tune on 12 meters but I made contacts on the 10, 15, 17, 30 and 40 meter bands.

Some new country/band combinations were added: Moldova, Montenegro, Japan and the Slovak Republic on 30 meters, Estonia on 17 meters, Latvia on 15 meters. I also made contacts with several stations in the URE 70 year anniversary special event.

Update 2019-04-15: Tuned the longwire for 80 meters and added Serbia and Norway as new 80 meter countries.

Tags: , ,
2019-04-13 Cornet Oaked from De Hoorn Brouwerij 1 month ago
Another find in the local supermarket. This time no complicated backstory, it just looked and sounded nice.

It's a blonde beer. The color is lighter than I expected from a blonde, it's almost like Belgian white beer (Belgisch witbier). It has a higher alcohol level for a beer, but it didn't taste/feel like a strong beer to me.

A nice taste, not too complicated.

The beer details

CompanyDe Hoorn Brouwerij
Beer nameCornet Oaked
Beer styleBlond beer
Alcohol by volume8.5 %

Tags: ,
2019-04-12 Corel spam 1 month ago
It seems Corel graphics still exists and part of their continued existance is sending out spam to unverified e-mail addresses. With the included lie:
You are receiving this email because you requested to receive information regarding Corel products and special offers or you subscribe to a Corel e-newsletter.
No I haven't.

Tags: , ,
2019-04-08 I participated in the EA RTTY Contest 2019 1 month ago
In an otherwise quite filled weekend there was also the EA RTTY Contest 2019. I participated for somewhat over an hour on Sunday and made 28 contacts, 24 on the 20 meter band and 4 on the 40 meter band.

Preliminary results: 28 valid contacts, 44 points, multiplier 23, total 1012 points.
Read the rest of I participated in the EA RTTY Contest 2019

Tags: , ,
2019-04-07 Goose IPA from Goose Island Beer company 1 month ago
I had a look at the beer on display in our local supermarket and noticed Goose IPA from Goose Island Beer company and I got reminded of Goose Island, Oregon which is mentioned in the Wargames movie. So I bought a bottle of the beer and did some research when I got home.

And everything about that link turned out to be wrong.

The Goose Island Beer company has nothing to do with Oregon, they are from Chicago, Illinois.

And according to Anderson Island (Washington) - Wikipedia English the scene around entering "Goose Island, Oregon" in the movie WarGames was actually filmed on Anderson Island in the state of Washington. There is a small island named "Goose Island" in the state of Oregon, it's an island in the Columbia river. Goose island measures almost 1000 meters by 680 meters. Goose Island Oregon USA on google maps.

Having left me with nothing of the link(s) I suspected when I saw the bottle there is only one thing to do: try the beer.

I would describe the colour as amber / dark amber. The smell and taste have a strong hop influence. I personally like IPA beers, but this one is a bit too bitter for me.

The beer details

CompanyGoose Island Beer company
Beer nameGoose IPA
Beer styleIPA - India Pale Ale
Alcohol by volume5.9 %

Tags: ,
2019-04-01 Plotting the number of radio contacts after varying months 1 month ago
QSO count plot up to March 2019 After a month with a holiday and a month with one contest I redid the QSO count plot to see the development.

before, before, before, before, before

Tags: , ,
2019-04-01 Wat volts extra 1 month ago
UPS invoer voltage laatste jaar Het viel me op in de grafieken van het invoer voltage volgens de UPS dat het voltage vanaf het stroomnet is gestegen tot 238 volt aan het eind van september 2018. Ik vraag me af wat de oorzaak is van deze wijziging. Het kan niet zijn door de toename van zonnepanelen in de omgeving, het gestegen voltage is zowel overdag als 's nachts.

Tags: , ,
2019-03-29 Still looking for the correct frequency for FT8 on the 70 centimeter band 1 month ago
Although FT8 does great work for weak signal reception on HF bands it's also nice for the 2 meter band and the 70 centimeter band. So after lots of tries with the 2 meter band I decided to give the 70 centimeter band another try. But, there is one thing: there aren't many stations active in FT8 on 70 centimeter and even when one is active in the nearby area that station may be on a different FT8 frequency. The real standard is not there yet.

Until now I've seen:
  • 432.174 MHz
  • 432.176 MHz
  • 434.670 MHz
I check for activity via the PSKreporter site. My two FT8 on 70 centimeter contacts where on 432.174 and 432.176.

Tags: , ,
2019-03-24 Now also mapping 70cm gridsquares 1 month ago
In the past week I made my second 70cm FT8 contact, and again with another amateur in the JO22 gridsquare. So the map for 70cm gridsquares contacted and confirmed isn't very spectacular yet, but I'm going to generate and maintain it anyway.

Now in the list of maps at pe4kh.idefix.net.

Tags: ,
2019-03-22 Distributed authenticated smtp scanning 1 month ago
I noticed a lot of entries in my mail logging about aborted smtp transactions
Mar 22 21:04:04 gosper sm-mta[30180]: x2MK437r030180: [193.169.254.68] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:04:58 gosper sm-mta[30229]: x2MK4vv0030229: [185.234.217.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:05:25 gosper sm-mta[30307]: x2MK5Oas030307: [193.169.254.68] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:06:01 gosper sm-mta[30328]: x2MK5xAc030328: [185.234.217.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:06:02 gosper sm-mta[30331]: x2MK5xg5030331: [185.222.209.209] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v6
And I wondered what was going on, until I did a capture of the session and had a look:
    1   0.000000 185.234.217.222 → 82.95.196.202 TCP 68 55448 → 25 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
    2   0.000314 82.95.196.202 → 185.234.217.222 TCP 68 25 → 55448 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
    3   0.034751 185.234.217.222 → 82.95.196.202 TCP 56 55448 → 25 [ACK] Seq=1 Ack=1 Win=65536 Len=0
    4   6.038967 82.95.196.202 → 185.234.217.222 SMTP 395 S: 220-gosper.idefix.net ESMTP Sendmail 8.15.2/8.15.2/Debian-8; Fri, 22 Mar 2019 21:00:55 +0100; (No UCE/UBE) | 220-   This is a private SMTP server. | 220-   The use of this or any related system for the transmission of | 220-   Unsollicited Bulk E-mail (UBE) is prohibited. | 220 logging access from: [185.234.217.222](FAIL)-[185.234.217.222]
    5   6.072501 185.234.217.222 → 82.95.196.202 SMTP 76 C: EHLO 82.95.196.202
    6   6.072915 82.95.196.202 → 185.234.217.222 TCP 56 25 → 55448 [ACK] Seq=340 Ack=21 Win=29312 Len=0
    7   6.073011 82.95.196.202 → 185.234.217.222 SMTP 267 S: 250-gosper.idefix.net Hello [185.234.217.222], pleased to meet you | 250-ENHANCEDSTATUSCODES | 250-PIPELINING | 250-EXPN | 250-VERB | 250-8BITMIME | 250-SIZE | 250-DSN | 250-ETRN | 250-STARTTLS | 250-DELIVERBY | 250 HELP
    8   6.106154 185.234.217.222 → 82.95.196.202 SMTP 68 C: AUTH LOGIN
    9   6.106585 82.95.196.202 → 185.234.217.222 SMTP 86 S: 503 5.3.3 AUTH not available
   10   6.141445 185.234.217.222 → 82.95.196.202 TCP 56 55448 → 25 [FIN, ACK] Seq=33 Ack=581 Win=65024 Len=0
   11   6.141775 82.95.196.202 → 185.234.217.222 TCP 56 25 → 55448 [FIN, ACK] Seq=581 Ack=34 Win=29312 Len=0
   12   6.174430 185.234.217.222 → 82.95.196.202 TCP 56 55448 → 25 [ACK] Seq=34 Ack=582 Win=65024 Len=0
Each session starts ESMTP and even with the ESMTP reply not listing AUTH the next command is 'AUTH LOGIN' for authenticated smtp, and as soon as my server denies offering this the session gets aborted. This does mean no failed authentication attempt is logged which would trigger fail2ban.

This does look like a bit of a distributed attack, but without the network remembering that the attack is not going to work in this way and therefore trying it again and again.

Update: IPs active in this scanning attack sofar: 185.234.217.222 193.169.254.68 185.234.219.56 37.49.225.232 185.222.209.202 141.98.80.15 114.207.112.188 185.222.209.209 23.227.207.215 185.211.245.170 141.98.80.17 89.248.171.176 185.211.245.198 164.132.45.117 37.49.225.224 119.176.218.216 103.114.104.175 37.49.225.47 103.207.37.40 37.49.227.49 185.234.219.57

Update 2019-03-24: I noticed the incorrect EHLO above and looked at options for HELO/EHLO checking in sendmail. Searching did not show a lot of options, trying with the $&s delayed s macro did not fire on the given HELO/EHLO. So I kept searching and found the latest sendmail administration guide ('Bat book') with FEATURE(block_bad_helo). I activated this feature to see if it stops some of this traffic.

Tags: ,
  Older news items for tag english ⇒
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews