2018-06-25 Distributed ssh attack 5 hours ago
SSH attacks are on the rise. But fail2ban isn't blocking as many of those attacks as it used to, since the attacks are quite distributed: fail2ban counts failures per source address, and an attacker that spreads one attempt every half hour or so over a handful of addresses never reaches the ban threshold from any single one of them. This morning I noticed a clear correlation between a subset of the attempts: they were all using names of websites hosted on the same system.

Jun 25 06:18:44 greenblatt sshd: Invalid user campwireless from 220.127.116.11
Jun 25 06:29:21 greenblatt sshd: Invalid user camp-wireless from 18.104.22.168
Jun 25 06:30:51 greenblatt sshd: Invalid user campwireless from 22.214.171.124
Jun 25 06:41:43 greenblatt sshd: Invalid user camp-wireless from 126.96.36.199
Jun 25 06:50:01 greenblatt sshd: Invalid user campwireless from 188.8.131.52
Jun 25 06:59:39 greenblatt sshd: Invalid user camp-wireless from 184.108.40.206
Jun 25 07:35:27 greenblatt sshd: Invalid user virtualbookcase from 220.127.116.11
Jun 25 07:35:36 greenblatt sshd: Invalid user campwireless from 18.104.22.168
Jun 25 07:39:28 greenblatt sshd: Invalid user camp-wireless from 22.214.171.124
Jun 25 07:46:01 greenblatt sshd: Invalid user camp-wireless from 126.96.36.199
Jun 25 07:54:59 greenblatt sshd: Invalid user camp-wireless from 188.8.131.52
Jun 25 07:59:48 greenblatt sshd: Invalid user idefix from 184.108.40.206
Jun 25 08:02:08 greenblatt sshd: Invalid user idefix from 220.127.116.11
Jun 25 08:05:54 greenblatt sshd: Invalid user virtualbookcase from 18.104.22.168
Jun 25 08:09:45 greenblatt sshd: Invalid user urlurl from 22.214.171.124
Jun 25 08:26:35 greenblatt sshd: Invalid user urlurl from 126.96.36.199
Jun 25 08:29:07 greenblatt sshd: Invalid user camp-wireless from 188.8.131.52
Jun 25 08:43:04 greenblatt sshd: Invalid user campwireless from 184.108.40.206
Jun 25 08:45:45 greenblatt sshd: Invalid user campwireless from 220.127.116.11
Jun 25 09:01:30 greenblatt sshd: Invalid user urlurl from 18.104.22.168
Jun 25 09:08:17 greenblatt sshd: Invalid user camp-wireless from 22.214.171.124
Jun 25 09:23:47 greenblatt sshd: Invalid user camp-wireless from 126.96.36.199
Jun 25 09:45:27 greenblatt sshd: Invalid user camp-wireless from 188.8.131.52
Jun 25 09:56:02 greenblatt sshd: Invalid user campwireless from 184.108.40.206
Jun 25 10:06:47 greenblatt sshd: Invalid user campwireless from 220.127.116.11
Jun 25 10:14:58 greenblatt sshd: Invalid user camp-wireless from 18.104.22.168
Jun 25 10:15:43 greenblatt sshd: Invalid user camp-wireless from 22.214.171.124
Jun 25 10:19:17 greenblatt sshd: Invalid user campwireless from 126.96.36.199
Jun 25 10:19:25 greenblatt sshd: Invalid user urlurl from 188.8.131.52
Jun 25 10:32:42 greenblatt sshd: Invalid user idefix from 184.108.40.206
Jun 25 11:04:33 greenblatt sshd: Invalid user campwireless from 220.127.116.11

This suggests coordination between the attacking systems: six addresses take turns, each one waiting long enough between its own attempts to stay under any per-address threshold. But the simpler attacks do continue:

Jun 25 09:17:31 greenblatt sshd: Invalid user cristina from 18.104.22.168
Jun 25 09:17:35 greenblatt sshd: Invalid user cristina from 22.214.171.124
Jun 25 09:17:39 greenblatt sshd: Invalid user cristina from 126.96.36.199
Jun 25 09:17:39 greenblatt sshd: Invalid user cristina from 188.8.131.52
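As an added example (not code from the original page), here is a small correlator over sshd "Invalid user" lines. It groups attempts by the target username regardless of source address, treating camp-wireless and campwireless as the same target, and then compares what a per-address counter such as fail2ban's default (5 failures within a 10 minute findtime) sees against what the same window sees across all sources together. The log lines are constructed to have the shape of the lines above, with RFC 5737 documentation addresses in place of the real ones; the hostname greenblatt is the one in the logs on this page.

```python
"""Correlate sshd 'Invalid user' lines across source addresses.

Added example, not code from the original page. SAMPLE_LOG is constructed
for this example: it has the shape of the sshd lines quoted above, with
RFC 5737 documentation addresses instead of the real attackers.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jun 25 06:18:44 greenblatt sshd: Invalid user campwireless from 192.0.2.11
Jun 25 06:29:21 greenblatt sshd: Invalid user camp-wireless from 192.0.2.12
Jun 25 06:30:51 greenblatt sshd: Invalid user campwireless from 192.0.2.13
Jun 25 06:41:43 greenblatt sshd: Invalid user camp-wireless from 192.0.2.11
Jun 25 06:50:01 greenblatt sshd: Invalid user idefix from 192.0.2.12
Jun 25 06:59:39 greenblatt sshd: Invalid user virtualbookcase from 192.0.2.13
Jun 25 07:35:27 greenblatt sshd: Invalid user virtualbookcase from 192.0.2.11
Jun 25 07:35:36 greenblatt sshd: Invalid user campwireless from 192.0.2.12
Jun 25 09:17:31 greenblatt sshd: Invalid user cristina from 198.51.100.7
Jun 25 09:17:35 greenblatt sshd: Invalid user cristina from 198.51.100.8
Jun 25 09:17:39 greenblatt sshd: Invalid user cristina from 198.51.100.9
Jun 25 09:17:39 greenblatt sshd: Invalid user cristina from 198.51.100.10
Jun 25 09:17:41 greenblatt sshd: Accepted publickey for koos from 203.0.113.5 port 50000 ssh2
"""

# syslog timestamp, host, "sshd" with or without a [pid], then the failure text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd(?:\[\d+\])?: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_invalid_user(line):
    """Return (timestamp, username, source address) or None for other sshd lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for the relative arithmetic done here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def normalize_user(user):
    """'camp-wireless' and 'campwireless' are guesses at the same target name."""
    return re.sub(r"[^a-z0-9]", "", user.lower())


def parse_log(text):
    """All 'Invalid user' events in a log excerpt, in file order."""
    return [ev for ev in map(parse_invalid_user, text.splitlines()) if ev]


def distributed_usernames(events, min_ips=3):
    """Usernames that were tried from at least min_ips distinct source addresses."""
    ips_by_user = defaultdict(set)
    for _, user, ip in events:
        ips_by_user[normalize_user(user)].add(ip)
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}


def _peak_in_window(timestamps, window_seconds):
    """Largest number of timestamps that fall inside any window of the given length."""
    ts = sorted(timestamps)
    peak = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def peak_per_ip(events, window_seconds=600):
    """What a per-address counter (fail2ban's default findtime is 10 minutes) sees."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    return {ip: _peak_in_window(t, window_seconds) for ip, t in by_ip.items()}


def peak_overall(events, window_seconds=600):
    """The same window applied to all source addresses together."""
    return _peak_in_window([ts for ts, _, _ in events], window_seconds)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("usernames tried from several addresses:", distributed_usernames(ev))
    print("peak attempts per address in 10 min:", peak_per_ip(ev))
    print("peak attempts overall in 10 min:", peak_overall(ev))
```

On the constructed sample no single address ever produces more than one failure inside a 10 minute window, so a per-address jail with maxretry 5 never fires, while the username view immediately shows which targets are being worked on from several addresses. The same parser runs over a real auth.log as long as the lines keep the standard syslog prefix.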
2018-06-23 SMART can be wrong 1 day ago
Someone brought me a 'WD My Cloud' that does not respond at all. So I took it apart and found out how to access the disk in an i386 Linux system: mount the 4th partition as ext4. When the disk was available I did a SMART test:

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

But while trying to find out how much data is actually on the disk, I get:

[  866.165641] Sense Key : Medium Error [current] [descriptor]
[  866.165645] Descriptor sense data with sense descriptors (in hex):
[  866.165647]         72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00
[  866.165659]         b0 90 ea 60
[  866.165664] sd 2:0:0:0: [sda]
[  866.165668] Add. Sense: Unrecovered read error - auto reallocate failed

So the disk isn't very healthy. But rerunning the SMART check still shows nothing is wrong. It is a Western Digital 'RED' hard disk especially for NAS systems so it should return errors earlier to the operating system, but this disk is bad, which is probably related to why the 'My Cloud' enclosure isn't working.
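The PASSED verdict and the kernel error are not in conflict: the overall-health test only compares the normalized VALUE of Pre-fail attributes against their THRESH, and the attributes that record unreadable sectors (197 Current_Pending_Sector, 198 Offline_Uncorrectable) carry a threshold of 0, so they never fail it. The kernel message, on the other hand, is the drive reporting exactly which block it could not read. As an added example (not code from the original page), the script below decodes the descriptor-format sense bytes quoted above into sense key, ASC/ASCQ and the failing LBA, and checks a smartctl -A listing for the attributes a PASSED verdict ignores. The smartctl -A excerpt is constructed for this example and is not output from the disk in question.

```python
"""Decode the descriptor-format SCSI sense data from the kernel message above
and check the SMART attributes a PASSED verdict does not look at.

Added example, not code from the original page. KERNEL_SENSE_HEX holds the
bytes the kernel printed above; SAMPLE_SMARTCTL_A is constructed for this
example and is not output from the disk in question.
"""

# Sense keys and additional sense codes from SPC, only the ones needed here.
SENSE_KEYS = {0x1: "Recovered Error", 0x3: "Medium Error", 0x4: "Hardware Error"}
ASC_ASCQ = {
    (0x11, 0x00): "Unrecovered read error",
    (0x11, 0x04): "Unrecovered read error - auto reallocate failed",
    (0x11, 0x0B): "Unrecovered read error - recommend reassignment",
}

# From the kernel log above: response code 0x72 (descriptor format, current
# error), sense key 0x03, ASC 0x11, ASCQ 0x04, additional sense length 0x0c,
# then one type 0x00 information descriptor carrying the failing LBA.
KERNEL_SENSE_HEX = "72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00 b0 90 ea 60"


def decode_descriptor_sense(hex_string):
    """Parse descriptor-format sense data (response code 0x72 or 0x73).

    Returns sense key, ASC/ASCQ and, when an information descriptor with the
    VALID bit is present, the logical block address it carries."""
    data = bytes.fromhex(hex_string)
    response_code = data[0] & 0x7F
    if response_code not in (0x72, 0x73):
        raise ValueError("not descriptor-format sense data: 0x%02x" % data[0])
    result = {
        "deferred": response_code == 0x73,
        "sense_key": data[1] & 0x0F,
        "asc": data[2],
        "ascq": data[3],
        "lba": None,
    }
    end = 8 + data[7]          # byte 7: additional sense length
    pos = 8
    while pos + 2 <= end:
        dtype, dlen = data[pos], data[pos + 1]
        body = data[pos + 2:pos + 2 + dlen]
        # Type 0x00 = information descriptor: VALID bit, reserved byte, 8-byte field.
        if dtype == 0x00 and dlen >= 10 and body[0] & 0x80:
            result["lba"] = int.from_bytes(body[2:10], "big")
        pos += 2 + dlen
    return result


def describe_sense(decoded):
    """Human readable form of a decoded sense block."""
    key = SENSE_KEYS.get(decoded["sense_key"], "sense key 0x%x" % decoded["sense_key"])
    text = ASC_ASCQ.get((decoded["asc"], decoded["ascq"]),
                        "ASC 0x%02x ASCQ 0x%02x" % (decoded["asc"], decoded["ascq"]))
    where = "" if decoded["lba"] is None else " at LBA %d" % decoded["lba"]
    return "%s: %s%s" % (key, text, where)


# Constructed smartctl -A excerpt in the 10-column layout smartmontools prints.
# The overall-health verdict only compares VALUE with THRESH for Pre-fail
# attributes; 197 and 198 have THRESH 000, so they can never fail it.
SAMPLE_SMARTCTL_A = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   200   200   140    Pre-fail  Always       -       0
194 Temperature_Celsius     0x0022   112   103   000    Old_age   Always       -       35
197 Current_Pending_Sector  0x0032   200   200   000    Old_age   Always       -       7
198 Offline_Uncorrectable   0x0030   100   253   000    Old_age   Offline      -       7
"""

# Non-zero raw values here are sectors the drive could not read or could not remap.
WATCH = ("Reallocated_Sector_Ct", "Current_Pending_Sector", "Offline_Uncorrectable")


def smart_red_flags(smartctl_a_output):
    """Return {attribute: raw value} for watched attributes with a non-zero raw value."""
    flags = {}
    for line in smartctl_a_output.splitlines():
        parts = line.split()
        if len(parts) >= 10 and parts[0].isdigit() and parts[1] in WATCH:
            raw = int(parts[9])
            if raw > 0:
                flags[parts[1]] = raw
    return flags


if __name__ == "__main__":
    decoded = decode_descriptor_sense(KERNEL_SENSE_HEX)
    print(describe_sense(decoded))
    print("SMART attributes to worry about:", smart_red_flags(SAMPLE_SMARTCTL_A))
```

With the bytes from the kernel message the decoder reports a Medium Error, "auto reallocate failed", at LBA 2962287200, which is the block the read stumbled on. A practical follow-up on a disk like this is `smartctl -t long` and then `smartctl -l selftest` and `smartctl -A`: the extended self-test reads the whole surface and records the first failing LBA, and a rising pending-sector count is the signal the PASSED line hides.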
2018-06-22 Slow password guessing for imaps 2 days ago
Interesting in the logs:

Jun 19 21:22:29 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:184.108.40.206]
Jun 19 21:23:30 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:220.127.116.11]
Jun 19 21:27:05 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:18.104.22.168]
Jun 19 21:31:58 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:22.214.171.124]
Jun 19 22:27:15 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:126.96.36.199]
Jun 19 22:30:10 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:188.8.131.52]
Jun 19 22:44:17 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:184.108.40.206]
..
Jun 22 14:23:39 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:220.127.116.11]
Jun 22 14:24:35 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:18.104.22.168]
Jun 22 15:20:05 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:22.214.171.124]
Jun 22 15:21:01 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:126.96.36.199]
Jun 22 15:29:18 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:188.8.131.52]
Jun 22 15:30:06 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:184.108.40.206]

Every time fail2ban blocks the addresses for a while, but the attacker is more persistent than that.
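A per-address ban of a few minutes does little against a guesser that returns days later from the same addresses. Two knobs in fail2ban help here: a much longer findtime for the IMAP jail, so that one failure an hour still adds up, and the stock recidive jail, which reads fail2ban's own log and hands out a long ban on all ports to any address that has been banned repeatedly. The jail.local below is an added example, not the author's configuration. It assumes fail2ban 0.9 or newer with its standard courier-auth filter (which matches the Courier "LOGIN FAILED, ..., ip=[...]" lines shown above, IPv4-mapped addresses included), Courier logging to /var/log/mail.log, and that a week-long ban is acceptable on this host.

```ini
# jail.local: added example, not the author's configuration.
# Assumes fail2ban 0.9+ with its stock courier-auth and recidive filters and
# Courier IMAP logging to /var/log/mail.log.

[DEFAULT]
# Plain seconds, so the file also works on versions that do not accept "1d".
bantime  = 3600
findtime = 600
maxretry = 5

[courier-auth]
enabled  = true
port     = imap,imaps,pop3,pop3s
logpath  = /var/log/mail.log
# One failed login an hour never reaches maxretry inside a 10 minute findtime.
# Count over a whole day instead; three PLAIN login failures from one address
# in a day is still more than a misconfigured mail client produces.
findtime = 86400
maxretry = 3

[recidive]
# Watches /var/log/fail2ban.log and bans, for a week on all ports, any address
# that was banned five times within a day by any other jail.
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = iptables-allports
bantime   = 604800
findtime  = 86400
maxretry  = 5
```

Check the result with `fail2ban-client status courier-auth` after reloading. The limit of this approach is the same one the SSH item above shows: both jails still count per source address, so a guesser that rotates through enough addresses, each under the threshold, stays below the radar; what the longer windows buy is that the addresses which do return get caught eventually.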
2018-06-19 I don't run your nameserver 6 days ago
Showing in the logs for a few hours now:

Jun 18 12:48:36 server named: client 220.127.116.11#38664: query '18.104.22.168.in-addr.arpa/PTR/IN' denied
Jun 18 12:48:39 server named: client 22.214.171.124#38664: query '126.96.36.199.in-addr.arpa/PTR/IN' denied
Jun 18 12:48:45 server named: client 188.8.131.52#38664: query '184.108.40.206.in-addr.arpa/PTR/IN' denied
Jun 18 12:48:47 server named: client 220.127.116.11#38664: query '18.104.22.168.in-addr.arpa/PTR/IN' denied

Given earlier reports of the same IPv4 address asking about the same queries, this has been seen by at least one other place before. Blacklisted for now; maybe I can think of some answers that can slow down the resolver later.
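The "query denied" lines mean named already answers these clients with REFUSED. BIND cannot delay an answer, but its response rate limiting can drop surplus error responses, which leaves the client waiting for its own timeout instead of getting an immediate REFUSED and moving on to the next query. The named.conf fragment below is an added example, not the author's configuration; it assumes the server is authoritative only (the PTR zones being asked for are not served here), BIND 9.10 or newer where rate-limit is built in, and a zone name and file path chosen for illustration.

```conf
// Added example, not the author's named.conf. Assumes an authoritative-only
// server on BIND 9.10 or newer; zone name and file path are illustrative.
options {
    // No recursion for anyone: clients asking about address space this server
    // does not serve get REFUSED without any lookup on their behalf.
    recursion no;
    allow-query-cache { none; };

    // Response rate limiting, per client /24. Error responses (REFUSED,
    // SERVFAIL) above errors-per-second are dropped instead of sent, so a
    // scanner sits in its retransmit/timeout loop rather than being told
    // "no" at line rate. slip 0 disables the truncated replies that RRL
    // otherwise sends to let spoofed-source victims retry over TCP.
    rate-limit {
        errors-per-second    2;
        responses-per-second 10;
        window               5;
        ipv4-prefix-length   24;
        slip                 0;
        log-only             no;
    };
};

// Zones this server is authoritative for stay answerable by anyone.
zone "example.net" {
    type master;
    file "/etc/bind/db.example.net";
    allow-query { any; };
};
```

Set `log-only yes` first and watch the "rate limit drop" lines in the named log for a day before switching it to `no`; the errors-per-second value has to stay above what a legitimate resolver produces when it probes a delegation that is broken on your side.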
2018-06-17 More kilometers distance into Australia 1 week ago
This evening I made an FT8 contact with VK7AC which is a new distance record: 16918 kilometers. Which is an improvement over the previous record: 16581 kilometers to Melbourne. With Australia being huge I'm not surprised distances can be very different. The contact was hard to make but callsigns and signal reports got exchanged eventually. This was on the 40 meter band so that's also a new band for that country. In the rest of the weekend I made more FT8 contacts on different bands and some SSB (voice) contacts to several active stations. Noticeable was that several high-power stations were active on the 10 meter band Friday evening enjoying the band opening.
2018-06-17 Apache 2.2 Proxy and default block for everything but the .well-known/acme-challenge urls 1 week ago
I'm setting up a website on a new virtual machine on the new homeserver and I want a valid letsencrypt certificate. It's a site I don't want to migrate so I'll have to use the Apache proxy on the 'old' server to allow the site to be accessed via IPv4/IPv6 (for consistency I am now setting up everything via a proxy). So first I set up a proxy to pass all requests for the new server to the backend, something like:

ProxyPass / http://newsite-back.idefix.net/
ProxyPassReverse / http://newsite-back.idefix.net/

But now the requests for /.well-known/acme-challenge also go there and they are blocked needing a username/password since the new site is not open yet. So to set up the proxy correctly AND avoid the username checks for /.well-known/acme-challenge the order has to be correct. In the ProxyPass rules the rule for the specific URL has to come first and in the Location setup it has to come last.

ProxyPass /.well-known !
ProxyPass / http://newsite-back.idefix.net/
ProxyPassReverse / http://newsite-back.idefix.net/
<Location />
Deny from all
AuthName "Site not open yet"
[..]
</Location>
<Location /.well-known/acme-challenge>
Order allow,deny
Allow from all
</Location>

And now the acme-challenge is done locally on the server and all other requests get forwarded to the backend after authentication.
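The ordering rules are the same in Apache 2.4, which is worth having since 2.2 reached end of life in 2017 (2.2.34 was its last release): ProxyPass directives are matched in configuration order so the exclusion comes first, and later <Location> sections override earlier ones for the paths they match so the exception comes last. The 2.4 equivalent below is an added example, not the author's configuration. The backend name is the one used above; the htpasswd path is an assumption.

```apache
# Apache 2.4 form of the ordering above. Added example, not the author's
# configuration; the AuthUserFile path is an assumption.
ProxyPass        /.well-known/acme-challenge !
ProxyPass        / http://newsite-back.idefix.net/
ProxyPassReverse / http://newsite-back.idefix.net/

# Default for the whole site: a login is required. <Location> sections are
# merged in configuration order, so the exception must come after this one.
<Location />
    AuthType Basic
    AuthName "Site not open yet"
    AuthUserFile /etc/apache2/newsite.htpasswd
    Require valid-user
</Location>

# The challenge path is excluded from the proxy, so it is served from this
# server's own DocumentRoot, and here it is opened to everyone. "Require all
# granted" is decided before authentication runs, so no password prompt.
<Location /.well-known/acme-challenge>
    Require all granted
</Location>
```

To verify the split without waiting for a certificate renewal: a request for a nonexistent file under /.well-known/acme-challenge/ should come back 404 from the front server itself (served locally, file absent), while a request for / should come back 401; a 401 on the challenge path means the Location sections are in the wrong order, and a backend error page on it means the ProxyPass exclusion is missing or placed after the catch-all.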
2018-06-04 First 'Sporadic E' contact on 2 meter 2 weeks ago
As guessed when I got earlier personal distance records with FT8 on the 2 meter band bigger distances are possible with 'Sporadic E', a condition in which even higher frequencies can be propagated through the ionosphere. This evening G8EOH came back to an FT8 cq on 2 meter and I found out that gave me a new distance record: 342 kilometer.
2018-06-04 An active weekend on the 10 meter band, Faroe islands in the log 3 weeks ago
This weekend I had enough time available to be active on the radio. And the 10 meter band was open again, just like the evening opening on 10 meters three weeks ago. This weekend the 10 meter band cooperated most of Friday evening, a few hours Saturday morning and most of Sunday afternoon and evening. Especially 10 meters FT8 was busy and I worked a lot of European countries on the 10 meter band. On Thursday evening I had 15 countries confirmed (LoTW or paper QSL) on 10 meter for my call PE4KH, on Sunday evening that number was 25. I added the Faroe islands to the log Sunday (also on 10 meter FT8) when I saw OY1DZ active and had a contact. Not yet confirmed, I have requested a card via the OQRS system in use for OY1DZ and other calls. According to that page the LoTW confirmation will also happen soon. I also got a few voice contacts in the log: special event calls and world wide flora and fauna activations are always nice to have. The flora and fauna location spff-450 activated by SP5KD/P was hard to understand at home so I used the utwente websdr to receive and the transmitter at home to transmit.
2018-05-25 Going full duplex with amateur satellites, part 13: receiving a linear satellite transponder / SO-50 without the preamp 1 month ago
This evening another try, this time without the preamp. And I tried receiving a linear satellite transponder. This makes things even more complicated as I have to look at one display (gpredict) to have an idea where to aim the antenna and another display (gqrx) for the waterfall display. Maybe both can be on the same screen with a lot of resizing. The first pass I tried was a pass of the FO-29 satellite which has a linear transponder. It was not a very high pass so all reception was through a house. I did hear Morse first, and later saw signs of USB signals in the passband. Signals were weak and noise was high. I was almost able to understand one callsign, a 9A.. callsign (Croatia). The other pass I tried was a pass of the SO-50 satellite which is a narrow FM satellite. Signals were weak for narrow FM so I had to keep turning the arrow antenna to get the polarisation right. I could hear Spanish and English callsigns. I recorded the SO-50 pass and noted the audio looked very distorted in audacity. Maybe I can improve the audio somewhere in the chain and get things better.
2018-05-24 Going full duplex with amateur satellites, part 12: picking it up again 1 month ago
So last year I wanted to get back on amateur satellites and bought some hardware that would enable me to go full-duplex: receive and transmit at the same time. The most important part is to get the receive side working. This evening had a pass of the SO-50 amateur satellite and a pass of the Fox-1D satellite right after one another (with some overlap). And it's dry and a reasonable temperature to be outside with laptop, preamp, rtl-sdr stick and arrow antenna. Signal levels on narrow FM are still very faint and hard to hear, so I guess I am at the limits of the rtl-sdr for weaker signals, even with the preamp.
2018-05-24 Stopping the weather map site 1 month ago
In all the web content that has to be migrated to a new environment I noticed the weather map site weather.idefix.net depends on a load of complex scripts to generate it and never got any amount of visitors. So I decided to stop that site. I'll archive all the scripts around it so I can pick it up again some day.
2018-05-22 The linkspammers are back, but they are trying to hide it a lot better 1 month ago
Over the years I have ranted several times about linkspammers. About spammers in general too, but linkspammers are a special category. Most of them, especially the fully automated ones, died when Google started detecting their deceit. That time there was some amusement to be had reading mails "somehow there is an evil link to my site from your site, please remove it as it affects both our google ranking". But now they are back, but trying to hide it a lot better. I received several nicey-nicey and helpful mails with really personal suggestions to improve my site, or improve the world in general by adding some link they proposed, complete with the right anchor text. At first I thought they were personal and answered them telling them the proposed links were wrong, or they had not read the article/post/.. they wanted to change very carefully. And then a week or two later I'd get another personal mail asking whether I had considered their previous request. And answering with "did you read my answer?" did not change a thing. My best guess at the moment is that I wasn't looking at a personal mail and that I should add a lot of airquotes about terms like "personal" above. It's a template with 'page X' 'needs link Y' and 'with anchor text Z' and there is software running that checks whether page X has the 'right' link and keeps sending reminders until it does. As you can imagine (or not), I feel very annoyed by this new scam tactic. One sample:

Hi pal,

My name is Oliver and I'm writing to share an infographic that aims to educate people about PTSD amongst our veterans and serving military personnel. The infographic is titled "The Silent Enemy: How PTSD Damages Our Soldiers".

You can view the infographic by clicking here: [link]

To spread the word about these issues, I ask if you could add a "weblink" to this infographic from this page on your own website: https://idefix.net/~koos/newsitem.cgi/1318581406

[Note how this page has only a link to 'military' but actually reading it for 4 seconds would let you know that it has no link to PTSD in the military.]

I chose this page because you already link to www.af.mil/News/Photos/ from this page. If this is possible, you could add the below text to this page on your own website:

The Silent Enemy: How PTSD Damages Our Soldiers – An infographic aiming to raise awareness about PTSD in the military.

Alternatively, you could also publish the infographic on your website as a "guest blog post". If this is OK, I can write a unique introduction to go with the infographic. This will save you time and also help to highlight the important issues covered in the infographic.

I really appreciate your time. I know that linking to this infographic will help to build awareness about mental health issues amongst veterans and serving members of the military. I'm sure this is a cause you would like to get behind by adding the above link.

I've actually attached the infographic to this email for you to add to your website at either the page I suggest or as a fresh blog post.

Many thanks,
Oliver Clark
Rehab 4 Alcoholism

Please click on Unsubscribe to be unsubscribed from any future communications. Privacy notice.

The last line is quite a hint that this is from an automated system; the stories are somewhat long so this isn't always very visible. Now I also wonder whether the link would be to a very commercial rehab organisation.
2018-05-20 I participated in the EU PSK DX Contest 2018 1 month ago
This weekend I had some time to participate in the EU PSK DX Contest. Conditions did not cooperate very well. First I thought local qrm was making me hear only the loudest stations but comparing it to the Utwente websdr I was hearing about 'everything'.

Total number of QSO in your log is 41, Including 0 QSO with errors, Valid QSO - 41

Band   QSOs  Dupes  Points  Mults
160       0      0       0      0
 80       0      0       0      0
 40      28      0      56     39
 20      13      0      25     21
 15       0      0       0      0
 10       0      0       0      0
======================================
Total    41      0      81     60

Claimed score is 4860 points
2018-05-14 Back to the 10 meter band 1 month ago
The 10 meter amateur band (from 28.0 to 29.7 MHz) is the HF band where I started making the first HF contacts in 2014 but after that HF propagation went down and I had to go to lower frequencies and bigger antennas. But there are short periods of better propagation and this evening I tried FT8 on the 10 meter band again and made two contacts into Norway. I even received signals from Brazil so propagation was ok, mostly along the 'greyline' which is the line over the earth between the areas in the sun and not in the sun and causes some more propagation.
2018-05-07 I participated in the ARI International DX Contest 1 month ago
Last weekend I participated in the ARI International DX Contest. Before the contest I was looking at the option of trying the tlf contest software and operating phone (voice), but adding the definitions for scoring this contest to tlf turned out to be not possible at the moment and in the end the weekend was filled with enough other things that only a few hours of operating RTTY were left. Propagation wasn't very cooperative and I first was blaming local interference until I noticed that the same lack of signals was showing in other places and twitter was filled with aurora pictures, so a solar flare had blocked propagation. In the end I made 43 contacts and entered in the 'single operator RTTY low power' category. Low power on an Italian scale: below 100 watts.
2018-05-05 High-Tech Bridge 'security scan' causing big noise in the logs 1 month ago
I noticed a lot of error messages from sshd/imaps and other services all related to IPv4 address 22.214.171.124. Checking the firewall logs found even more attempts. It seems all this noise is related to a 'Web Server Security Test' from High-Tech Bridge. Something like the Qualys SSL Labs SSL Server Test but aimed at a complete test according to PCI DSS, HIPAA and NIST. Since most of those standards have to do with procedures too an automated test can never be complete. But with all these errors and firewall log entries it is very noisy. And now I wonder who was interested in my webserver security at a time that I was asleep.
2018-05-03 The preferring IPv6 policy is working 1 month ago
Yesterday I changed some IPv4 addresses on virtual machines on the new homeserver to make autofs work. This is a known issue with autofs: autofs does not appear to support IPv6 hostname lookups for NFS mounts - Debian Bug #737679, and for me the easy solution is to do NFS mounts over RFC 1918 IPv4 addresses. I prefer autofs over 'fixed' NFS mounts for those filesystems that are nice to have available but aren't needed constantly. It took about 9 hours before arpwatch on the central router noticed the new activity. I guess the policy to try to do everything over IPv6 is working.
2018-05-01 Getting amateur satellite contacts into LoTW correctly 1 month ago
A very good bit of info just flew by on the amsat-bb mailing list: Logging Satellite QSOs with Logbook of the World - AMSAT-NA. Complete with screenshots and needed steps, how to create an ADIF file (which I could import into CQRLOG) with the satellite-specific fields set to the values needed by LoTW to make it a valid satellite-contact. CQRLOG has no support for satellite-specific contact information, so for me the workflow for these contacts would be to create an ADIF file as above in LoTW, upload it, and import the ADIF file in CQRLOG and not upload it from CQRLOG. Now to find time, energy and nice weather to get on the satellites again.
2018-04-26 More radio maps and their limits 2 months ago
The PE4KH website has maps of the locations where I contacted radio amateurs all over the world. The maps with generated images are created by exporting my locators worked/confirmed from cqrlog and using gcmwin for linux with a whole set of different configurations to plot the results. But now the 2 meter band has been added and on that band a 'record distance' is not as far as on HF. On HF my current distance record was a contact with Australia at 16581 kilometers. My current distance record on the 2 meter band is 363 kilometer in Germany. Quite a different scale! So the maps part has been enhanced with a 2 meter contacts map, but gcmwin can't use 6-position maidenhead locators so the map is quite coarse compared to what I want. I don't know the solution at the moment to improve this. The recent qso map PE4KH does show the more precise gridsquares when available in the log, so maybe that page needs distances added.
2018-04-24 KVM and os-specific defaults 2 months ago
Today I wanted to install a new virtual machine on the new homeserver and virt-install gave me a new warning:

WARNING  No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.

According to the virt-install manpage the --os-variant can be found with osinfo-query os, which I can't find in Devuan jessie. But the same information is available via Installing Virtual Machines with virt-install, plus copy pastable distro install one-liners. I chose debian7 as that is probably the closest to Devuan Jessie, to be upgraded to Devuan ascii immediately. The interesting change is that the resulting linux suddenly has virtio network cards and a disk /dev/vda. That last bit is quite different from earlier virtual machines.