News items for tag english - Koos van den Hout

2018-08-12 More output power for PE4KH: I bought an HF linear amplifier 2 months ago
The reason for making the HP DPS-700 GB powersupply deliver a somewhat higher voltage and lots of amperes is that I made the decision to buy a HF linear amplifier. With such a device I get more output power on HF bands which should increase my chances in radio contests.

I have been looking at new and secondhand linear amplifiers for a while. Since this market is dominated by US customers most amplifiers will give 1000-1500 Watts output power at a serious price. The legal limit here in the Netherlands is 400 Watt unless I request a special license which will never happen since the radio station is surrounded by other houses. But there isn't much on offer below 400 Watt output power. I found RM Italy which sells linear amplifiers for CB and radio amateur use at more reasonable amounts of power and at a better price-point. I selected the RM Italy HLA300V plus which should give 300 Watts on HF bands.

I bought it online and it arrived fast. After soldering some cables to the power supply I was able to use it and it works as intended.

On the 20 meter band and 10 meter band it works with the endfed antenna (which can take 400 watts). On the 40 meter band it goes into protection mode instantly. It turns out the amplifier is quite sensitive to SWR problems, the endfed gives a 1:1.5 SWR. Maybe I can improve this a bit, the resonant point is below the 40 meter band.

Giving it 5 watt input power in digimodes will make 5 of the 7 output power LEDs light up. To get it to light up 5 LEDs in SSB mode I need to give it 10 watts power in that mode.

Propagation wasn't great this weekend so I spent most time in FT8 mode. With the help of the new amplifier I was able to get two new countries in the log: V51MA in Namibia and 9G5AR in Ghana.

The receive side is currently a different story. Interference levels are at an all-time high. The way I currently get reception for FT8 is by using the UTwente WebSDR for the receive side and feeding the audio to WSJT-X. With the delays and audio-processing introduced by the WebSDR I still get better and more decodes than from the local receiver.

For contesting that setup is not going to work. Most contests have a rule that all equipment for a contest station has to be on a limited area. For example the upcoming SCC RTTY contest has the rule:
All operation must take place from one operating site. Transmitter and receiver must be located within a 500-meter diameter circle.
I'm looking into using a receive loop to have less interference on reception.
Read the rest of More output power for PE4KH: I bought an HF linear amplifier

Tags: , , ,
2018-08-11 Testing login credentials from dataleaks 2 months ago
The authenticated SMTP setup with sendmail and secondary passwords I created is also attracting a new kind of attack: trying credentials from dataleaks. Leading to interesting tries in the log:
Aug 10 17:29:01 greenblatt saslauthd[32650]: do_auth         : auth failure: [user=409shop.com] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Aug 11 10:48:42 greenblatt saslauthd[32649]: do_auth         : auth failure: [user=409shop.com] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Tags: ,
2018-08-06 Rich chunky amps from a HP DPS-700 GB server power supply 2 months ago
At a hamfest a scouting group was offering a HP DPS-700 GB power supply for the nice sum of 5 euro. A quick search with google found information about the pinout so I bought it. This is a power supply that can deliver 56 Ampere at 12 Volts, and the 12 Volts can be adjusted upwards somewhat.

As usual with projects like this the power supply lived in the stack of projects for a while, but today I got around to testing it. Finding the pinout again was a bit hard, but I found the pins again at HP DPS-700GB 80mm fan shroud - Thingiverse which includes the simple modification to make the output voltage go up.

As this power supply has no internal fans and will stop fast due to internal overheating if not cooled, I set it up with a recycled computer fan. Power supplies like this will always be active in systems with enough fans to push air through the whole chassis.

The first test gave me 12.1 Volt. After adding a 1.5 kOhm resistor it went to 13.27 Volt. In theory the maximum current may have dropped as a result of this modification, but my best guess is that it can still deliver 50 Ampere.

Tags: , ,
2018-07-27 Automating Let's Encrypt certificates with DNS-01 protocol 2 months ago
Encrypt all the things meme After thoroughly automating Let's Encrypt certificate renewal and installation I wanted to get the same level of automation for systems that do not expose an http service to the outside world. So that means the DNS-01 challenge within the ACME protocol has to be used.

I found out dehydrated Let's Encrypt certificate management supports DNS-01 and I found a sample on how to do this with bind9 at Example hook script using Dynamic DNS update utility for dns-01 challenge which looks like it can do the job.

It took me a few failed tries to find out that if I want a certificate for the name turing.idefix.net that it will request the TXT record for _acme-challenge.turing.idefix.net to make me prove that I have control over the right bit of DNS. I first assumed something in _acme-challenge.idefix.net which turned out wrong. So the bind9 config in /etc/bind/named.conf.local has:
zone "_acme-challenge.turing.idefix.net" {
        type master;
        file "/var/cache/bind/_acme-challenge.turing.idefix.net-zone";
        masterfile-format text;
        allow-update { key "acmekey-turing"; };
        allow-query { any; };
        allow-transfer {
                localnetwork;
        };
};
And in the idefix.net zone there is just one delegation:
_acme-challenge.turing  IN      NS      ns2
I created and used a dnskey with something like:
# dnssec-keygen -r /dev/random -a hmac-sha512 -b 128 -n HOST acmekey-turing
Kacmekey-turing.+157+53887
This gives 2 files, both with the right secret:
# ls Kacmekey-turing.+157+53887.*
Kacmekey-turing.+157+53887.key  Kacmekey-turing.+157+53887.private
# cat Kacmekey-turing.+157+53887.key
acmekey-turing. IN KEY 512 3 157 c2V0ZWMgYXN0cm9ub215
and configured it in /etc/bind/named.conf.options:
key "acmekey-turing" {
        algorithm hmac-md5;
        secret "c2V0ZWMgYXN0cm9ub215";
};
And now I can request a key for turing.idefix.net and use it to generate sendmail certificates. And the net result:
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256          
        verify=OK)                                                              
SMTP between systems with TLS working and good certificates.

Tags: , , ,
2018-07-19 Configuring sendmail authentication like imaps access to allow secondary passwords 3 months ago
I needed to configure sendmail authenticated access because I want a strict SPF record for idefix.net which means I always have to make outgoing mail originate from the right server.

For the sendmail authenticated smtp bit I used How to setup and test SMTP AUTH within Sendmail with some configuration details from Setting up SMTP AUTH with sendmail and Cyrus-SASL. To get this running saslauthd is needed to get authentication at all and I decided to let it use the pam authentication mechanism. The relevant part of sendmail.mc:
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
And now I can login to sendmail only in an encrypted session. And due to sendmail and other services now having valid certificates I can set up all devices to fully check the certificate so I make it difficult to intercept this password.

And after I got that working I decided I wanted 'secondary passwords' just like I configured extra passwords for IMAPS access so I set up /etc/pam.d/smtp to allow other passwords than the unix password and restrict access to the right class of users.
auth    required    pam_succeed_if.so quiet user ingroup users
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    sufficient  pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
Now I can set up my devices that insist on saving the password for outgoing smtp and if it ever gets compromised I just have to change that password without it biting me too hard.

Tags: , , ,
2018-07-10 Found the original article about Steven K. Roberts and his recumbent bicycle Behemoth 3 months ago
Steven K. Roberts on Behemoth II I noticed the Nomadic Research Labs site was cleaned up a bit more, so I searched again for the article that I read in August 1995 about Steven K. Roberts and his recumbent bicycle Behemoth: "Big Electronic Human-Energised Machine ... Only Too Heavy".

The scans are at BEHEMOTH in Kijk – Dutch Magazine. Interesting detail is that the top left text refers to a picture of a Challenge recumbent. I recently ordered a new Challenge recumbent! Maybe I should find out whether I can find that page of that magazine.

Several things can be related to seeing this article: buying the book Computing Across America, selecting a recumbent bicycle later in life and this idea in the back of my head of future recumbent cycling trips.

Tags: , , , ,
2018-07-08 Automating Let's Encrypt certificates further 3 months ago
Encrypt all the things meme Over two years ago I started using Let's Encrypt certificates. Recently I wanted to automate this a step further and found dehydrated automated certificate renewal which helps a lot in automating certificate renewal with minimal hassle.

First thing I fixed was http-based verification. The webserver has been set up to make all .well-known/acme-challenge directories end up in one place on the filesystem and it turns out this works great with dehydrated.

I created a separate user for dehydrated, gave that user write permissions for the /home/httpd/html/.well-known/acme-challenge directory. It also needs write access to /etc/dehydrated for its own state. I changed /etc/dehydrated/config with:
CHALLENGETYPE="http-01"
WELLKNOWN="/home/httpd/html/.well-known/acme-challenge"
Now it was possible to request certificates based on a .csr file. I used this to get a new certificate for the home webserver, and it turned out to be easier than the previous setup based on letsencrypt-nosudo.
Read the rest of Automating Let's Encrypt certificates further

Tags: , , , ,
2018-07-05 Future cycling goals... 3 months ago
I had a serious case of 'ooooh shiny' today. I browsed a bit of Northern Canada news from CBC and found the article Dempster Highway drivers flock to new destination — the Arctic coast about the new Inuvik Tuktoyaktuk Highway which connects the Dempster Highway all the way to Tuktoyaktuk on the northern arctic coast.

So I started wondering whether people are cycling the Dempster Highway. Yes, they are. I found several travel stories, Cycling the Dempster Highway to Inuvik, Cycling the Dempster Highway Part 1: Hungrier than the bears - Tasting Travels and Dempster Highway to the Arctic about one cyclist who cycled from Vancouver to Inuvik on a recumbent.

I may have found some future cycling ideas there. Those ideas aren't really new, from time to time I get back to thinking about Computing Across America and Steven K. Roberts.

Tags: , , ,
2018-06-30 New 2 meter distance: 483 kilometers 3 months ago
While trying to get an idea of how much interference I have on the 2 meter band I still worked on my distance records: I had a contact with G8GXP which is a distance of 483 kilometers, a new record for me on the 2 meter band.

This is with S5/S6 interference on the 2 meter band as long as the sun is more than a bit above the horizon, which at the moment is very long. Some ferrite added to the solar power convertor already helped, but I guess the solar optimizers also need some work to clear the 2 meter band again.

Tags: , , ,
2018-06-27 Recorded the ISS contact today 3 months ago
Today was an ISS contact with Werner-Heisenberg-Gymnasium, Leverkusen, Germany and Schickhardt-Gymnasium, Herrenberg, Germany and most of the contact was going to be within range for me and it was at a usable time.

So I set up gpredict to track the ISS and the receive frequency and set up audacity to record the results. Which weren't great since 2 meter reception is now influenced by recently installed solar panels on the house next door.
Listen to audio attachment:

Tags: , , ,
2018-06-26 Interesting video about amateur radio 3 months ago
A nice video I found from Essex Ham via Journey into Amateur Radio (Pete M0PSX) where Pete narrates slides from earlier presentations he gave on his specific journey in amateur radio.

Tags: ,
2018-06-25 Distributed ssh attack 3 months ago
SSH attacks are on the rise. But fail2ban isn't blocking as much of those attacks as it used to since the attacks are quite distributed. This morning I noticed clear correlation between a subset of the attempts, they were all using names of websites hosted on the same system.
Jun 25 06:18:44 greenblatt sshd[10092]: Invalid user campwireless from 95.111.97.96
Jun 25 06:29:21 greenblatt sshd[10993]: Invalid user camp-wireless from 206.189.158.105
Jun 25 06:30:51 greenblatt sshd[11073]: Invalid user campwireless from 211.118.23.85
Jun 25 06:41:43 greenblatt sshd[12213]: Invalid user camp-wireless from 80.191.115.125
Jun 25 06:50:01 greenblatt sshd[12962]: Invalid user campwireless from 46.24.225.3
Jun 25 06:59:39 greenblatt sshd[13794]: Invalid user camp-wireless from 58.221.14.202
Jun 25 07:35:27 greenblatt sshd[16771]: Invalid user virtualbookcase from 98.248.65.243
Jun 25 07:35:36 greenblatt sshd[16779]: Invalid user campwireless from 109.95.210.175
Jun 25 07:39:28 greenblatt sshd[17175]: Invalid user camp-wireless from 88.170.50.242
Jun 25 07:46:01 greenblatt sshd[17570]: Invalid user camp-wireless from 166.70.198.80
Jun 25 07:54:59 greenblatt sshd[18273]: Invalid user camp-wireless from 187.104.5.246
Jun 25 07:59:48 greenblatt sshd[18754]: Invalid user idefix from 188.19.15.188
Jun 25 08:02:08 greenblatt sshd[18926]: Invalid user idefix from 179.219.129.91
Jun 25 08:05:54 greenblatt sshd[19358]: Invalid user virtualbookcase from 118.114.237.235
Jun 25 08:09:45 greenblatt sshd[19809]: Invalid user urlurl from 111.231.89.130
Jun 25 08:26:35 greenblatt sshd[21183]: Invalid user urlurl from 212.156.83.146
Jun 25 08:29:07 greenblatt sshd[21357]: Invalid user camp-wireless from 37.205.177.106
Jun 25 08:43:04 greenblatt sshd[22400]: Invalid user campwireless from 190.85.83.230
Jun 25 08:45:45 greenblatt sshd[22558]: Invalid user campwireless from 35.161.235.34
Jun 25 09:01:30 greenblatt sshd[23883]: Invalid user urlurl from 180.76.160.50
Jun 25 09:08:17 greenblatt sshd[24516]: Invalid user camp-wireless from 60.251.223.115
Jun 25 09:23:47 greenblatt sshd[26042]: Invalid user camp-wireless from 106.51.76.93
Jun 25 09:45:27 greenblatt sshd[27812]: Invalid user camp-wireless from 62.254.31.162
Jun 25 09:56:02 greenblatt sshd[28617]: Invalid user campwireless from 212.77.72.170
Jun 25 10:06:47 greenblatt sshd[29707]: Invalid user campwireless from 123.207.139.72
Jun 25 10:14:58 greenblatt sshd[30250]: Invalid user camp-wireless from 81.95.114.163
Jun 25 10:15:43 greenblatt sshd[30317]: Invalid user camp-wireless from 193.112.166.253
Jun 25 10:19:17 greenblatt sshd[30698]: Invalid user campwireless from 211.54.146.250
Jun 25 10:19:25 greenblatt sshd[30702]: Invalid user urlurl from 178.91.253.138
Jun 25 10:32:42 greenblatt sshd[31743]: Invalid user idefix from 85.120.15.35
Jun 25 11:04:33 greenblatt sshd[2346]: Invalid user campwireless from 213.138.110.89
This suggests coordination between the attacking systems.

But the simpler attacks do continue:
Jun 25 09:17:31 greenblatt sshd[25579]: Invalid user cristina from 202.29.224.50
Jun 25 09:17:35 greenblatt sshd[25582]: Invalid user cristina from 202.29.224.50
Jun 25 09:17:39 greenblatt sshd[25586]: Invalid user cristina from 202.29.224.50
Jun 25 09:17:39 greenblatt sshd[25585]: Invalid user cristina from 202.29.224.50

Tags: ,
2018-06-23 SMART can be wrong 3 months ago
Someone brought me a 'WD My cloud' that does not respond at all. So I took it apart and found out how to access the disk in an i386 Linux system: mount the 4th partition as ext4. When the disk was available I did a smart test:
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
But while trying to find out how much data is actually on the disk, I get:
[  866.165641] Sense Key : Medium Error [current] [descriptor]
[  866.165645] Descriptor sense data with sense descriptors (in hex):
[  866.165647]         72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00 
[  866.165659]         b0 90 ea 60 
[  866.165664] sd 2:0:0:0: [sda]  
[  866.165668] Add. Sense: Unrecovered read error - auto reallocate failed
So the disk isn't very healthy. But rerunning the smart check still shows nothing is wrong. It is a Western Digital 'RED' harddisk especially for NAS systems so it should return errors earlier to the operating system but this disk is bad, which is probably related to why the 'my cloud' enclosure isn't working.
Read the rest of SMART can be wrong

Tags: ,
2018-06-22 Slow password guessing for imaps 4 months ago
Interesting in the logs:
Jun 19 21:22:29 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 19 21:23:30 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 19 21:27:05 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Jun 19 21:31:58 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Jun 19 22:27:15 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 19 22:30:10 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 19 22:44:17 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]

..

Jun 22 14:23:39 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Jun 22 14:24:35 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Jun 22 15:20:05 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 22 15:21:01 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.9]
Jun 22 15:29:18 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Jun 22 15:30:06 greenblatt imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:5.188.207.11]
Every time fail2ban blocks the addresses for a while but the attacker is more persistant than that.

Tags: ,
2018-06-19 I don't run your nameserver 4 months ago
Showing in the logs since a few hours:
Jun 18 12:48:36 server named[16424]: client 92.247.148.230#38664: query '1.3.20.172.in-addr.arpa/PTR/IN' denied
Jun 18 12:48:39 server named[16424]: client 92.247.148.230#38664: query '14.0.20.172.in-addr.arpa/PTR/IN' denied
Jun 18 12:48:45 server named[16424]: client 92.247.148.230#38664: query '41.1.20.172.in-addr.arpa/PTR/IN' denied
Jun 18 12:48:47 server named[16424]: client 92.247.148.230#38664: query '6.1.20.172.in-addr.arpa/PTR/IN' denied
Given earlier reports of the same IPv4 address asking about the same queries this has been seen by at least one other place before. Blacklisted for now, maybe I can think of some answers that can slow down the resolver later.

Tags: ,
2018-06-17 More kilometers distance into Australia 4 months ago
This evening I made an FT8 contact with VK7AC which is a new distance record: 16918 kilometers. Which is an improvement over the previous record: 16581 kilometers to Melbourne.

With Australia being huge I'm not surprised distances can be very different.

The contact was hard to make but callsigns and signal reports got exchanged eventually. This was on the 40 meter band so that's also a new band for that country.

In the rest of the weekend I made more FT8 contacts on different bands and some SSB (voice) contacts to several active stations. Noticable was that several high-power stations were active on the 10 meter band Friday evening enjoying the band opening.

Tags: , ,
2018-06-17 Apache 2.2 Proxy and default block for everything but the .well-known/acme-challenge urls 4 months ago
I'm setting up a website on a new virtual machine on the new homeserver and I want a valid letsencrypt certificate. It's a site I don't want to migrate so I'll have to use the Apache proxy on the 'old' server to allow the site to be accessed via IPv4/IPv6 (for consistency I am now setting up everything via a proxy).

So first I set up a proxy to pass all requests for the new server to the backend, something like:
        ProxyPass / http://newsite-back.idefix.net/
        ProxyPassReverse / http://newsite-back.idefix.net/
But now the requests for /.well-known/acme-challenge also go there and they are blocked needing a username/password since the new site is not open yet.

So to set up the proxy correctly AND avoid the username checks for /.well-known/acme-challenge the order has to be correct. In the ProxyPass rules the rule for the specific URL has to come first and in the Location setup it has to come last.
        ProxyPass /.well-known/acme-challenge !
        ProxyPass / http://newsite-back.idefix.net/
        ProxyPassReverse / http://newsite-back.idefix.net/

        <Location />
        Deny from all
        AuthName "Site not open yet"
        [..]
        </Location>

        <Location /.well-known/acme-challenge>
            Order allow,deny
            Allow from all
        </Location>
And now the acme-challenge is done locally on the server and all other requests get forwarded to the backend after authentication.

Tags: , , ,
2018-06-04 First 'Sporadic E' contact on 2 meter 4 months ago
As guessed when I got earlier personal distance records with FT8 on the 2 meter band bigger distances are possible with 'Sporadic E', a condition in which even higher frequencies can be propagated through the ionosphere.

This evening G8EOH came back to an FT8 cq on 2 meter and I found out that gave me a new distance record: 342 kilometer.

Tags: , ,
2018-06-04 An active weekend on the 10 meter band, Faroe islands in the log 4 months ago
This weekend had enough time available to be active on the radio. And the 10 meter band was open again, just like the evening opening on 10 meters three weeks ago. This weekend the 10 meter band cooperated most of Friday evening, a few hours Saturday morning and most of Sunday afternoon and evening. Especially 10 meters FT8 was busy and I worked a lot of European countries on the 10 meter band. On Thursday evening I had 15 countries confirmed (lotw or paper qsl) on 10 meter for my call PE4KH, on Sunday evening that number was 25.

I added the Faroe islands to the log Sunday (also on 10 meter FT8) when I saw OY1DZ active and had a contact. Not yet confirmed, I have requested a card via the OQRS system in use for OY1DZ and other calls. According to that page the LoTW confirmation will also happen soon.

I also got a few voice contacts in the log: special event calls and world wide flora and fauna activations are always nice to have. The flora and fauna location spff-450 activated by SP5KD/P was hard to understand at home so I used the utwente websdr to receive and the transmitter at home to transmit.

Tags: , ,
2018-05-25 Going full duplex with amateur satellites, part 13: receiving a linear satellite transponder / SO-50 without the preamp 4 months ago
This evening another try, this time without the preamp. And tried receiving a linear satellite transponder.

This makes things even more complicated as I have to look at one display (gpredict) to have an idea where to aim the antenna and another display (gqrx) for the waterfall display. Maybe both can be on the same screen with a lot of resizing.

The first pass I tried was a pass of the FO-29 satellite which has a linear transponder. It was not a very high pass so all reception was through a house. I did hear morse first, and later saw signs of USB signals in the passband. Signals were weak and noise was high. I was almost able to understand one callsign, a 9A.. callsign (Croatia).

The other pass I tried was a pass of the SO-50 satellite which is a narrow FM satellite. Signals were weak for narrow FM so I had to keep turning the arrow antenna to get the polarisation right. I could hear spanish and english callsigns.

I recorded the SO-50 pass and noted the audio looked very distorted in audacity. Maybe I can improve the audio somewhere in the chain and get things better.

Tags: , ,
⇐ Newer news items for tag english  Older news items for tag english ⇒
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews