News items for tag english - Koos van den Hout

2018-09-06 Weird interface names in snmp due to virtio driver 3 months ago
I want to measure network traffic so I decided to copy most of my rrdtool setup from the old home server.

But with virtio network cards I have a confused snmpd:
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: Red Hat, Inc Device 0001
IF-MIB::ifDescr.3 = STRING: Red Hat, Inc Device 0001
IF-MIB::ifDescr.4 = STRING: Red Hat, Inc Device 0001
IF-MIB::ifDescr.5 = STRING: dummy0
IF-MIB::ifDescr.6 = STRING: dumhost
IF-MIB::ifDescr.7 = STRING: dumdh6
Fix: go for the IF-MIB::ifName snmp variables, found in oid
IF-MIB::ifName.1 = STRING: lo
IF-MIB::ifName.2 = STRING: eth0
IF-MIB::ifName.3 = STRING: eth1
IF-MIB::ifName.4 = STRING: eth2
IF-MIB::ifName.5 = STRING: dummy0
IF-MIB::ifName.6 = STRING: dumhost
IF-MIB::ifName.7 = STRING: dumdh6
Those are easier to discern, now my snmp scripts are gathering data again.

Tags: , , ,
2018-09-02 Ok weather and time for outdoor radio 3 months ago
Outdoor radio
Outdoor radio, picture by PA5Z
Last Friday I had time available for outdoor radio and the weather prediction looked nice. Fellow radio amateur PA5Z had time available too and joined me. We cycled to the local park and found a nice spot for some radio, complete with a bench available to sit and run the radio.

First decision was which band, because changing the band after raising the linked dipole means having to take it all down again. It was a tough decision between 40 and 20 meters, both looked not too promising. We decided on 40 meters.

I also extended the mast and tie-wrapped the balun of the linked dipole to the mast (three segments below the top) before getting the mast upright. This worked nicer for me on an earlier setup. The downside is that we had to be very careful in where the guy-wires and the dipole wires are around the fiber mast to avoid tangled lines and twists. And the right way to lengthen the mast is twisting the segments to lock them together.

With two people it is a lot easier to get the mast straight and it looked very nice. Soon contacts were made, but after a few tries I received a report that the audio sounded like I had RF interference. I heard this remark before at the end of my testing the mast at Trintelhaven and this time I found out what the problem was: the lead-acid battery I was using was running low and when the voltage drops from 12.0 to 9.6 volts on transmitting the output gets distorted. The fix was to lower the output power, a local radio amateur who we contacted was willing to help test this and confirm my theory that the drop in voltage was causing distortion.

Eventually it started to rain a bit, the batteries started to get depleted even at lower power and we decided it was time to pack up and go back home.

A nice day for radio, I ordered a new battery to replace the failing ones and I'll be doing this again some day!
Read the rest of Ok weather and time for outdoor radio

Tags: ,
2018-08-26 I participated in the SCC RTTY contest 3 months ago
RTTY contest on websdr As planned and prepared for I participated in the SCC RTTY contest this weekend. I was aiming for 100+ contacts but due to local interference and not very cooperating propagation those did not happen. In the end I made 83 contacts, 2 on the 40 meter band and 81 on the 20 meter band. I entered in the 'single operator 20 meter' category which was the most fitting for me. That does mean the 2 40 meter contacts only count for log checking.

Interesting things that happened: I got YV5AAX in the log. This has happened before in RTTY contests. But I do see YV5AAX from time to time in FT8 but never made a contact in that mode. I guess the station uses different antennas for contests. I also worked several US stations but I don't think those have resulted in a new US state for my statistics.

The new amplifier was working fine although I noticed the fan control and fan in the power supply stopped completely when I transmitted RTTY in the 10 meter band. This was not a very big problem this time as there was no propagation at all on that band. But it will have to be fixed before the next contest.

With this amount of power I can work almost all stations that I can decode. That is a nice improvement!
Read the rest of I participated in the SCC RTTY contest

Tags: , ,
2018-08-19 Testing the fiber mast with antenna at home 3 months ago
Today I set up the fiber mast against the back fence of our yard and used it to raise the endfed wire antenna as a vertical, with the coil between the 10/20 meter and 40 meter parts of the wire a few segments beneath the top of the fibermast.

This works ok. Interference on the 10 meter band is nearly gone, interference on the 20 meter band is about the same. What is also interesting is that this setup gives more balanced results on the pskreporter map. With the endfed antenna from the roof to the end of the garden the results are that most of what I receive is to the east of me. With the fibermast and the endfed as a vertical the reception is more balanced and I see more North and South America.

There is a downside: with even the slightest bit of wind the top of the fibermast starts to move a bit much. So to keep this setup safe for a weekend I would need to do something with guy wires.

Tags: ,
2018-08-17 Trying (and failing) to correlate security logs 3 months ago
Since activating sendmail authentication with secondary passwords I see a number of attempts to guess credentials to send mail via my system. This is not very surprising, given the constant attack levels on the wider Internet.

For work I am looking at log correlation and monitoring and with that in mind I noted that finding the right information from sendmail where and when the attempt came from is quite hard since there are several processes busy and it's hard to correlate the logging. The failed attempt is logged by saslauthd in /var/log/auth.log:
Aug 16 12:28:57 greenblatt saslauthd[32648]: pam_unix(smtp:auth): check pass; user unknown
Aug 16 12:28:57 greenblatt saslauthd[32648]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 16 12:28:59 greenblatt saslauthd[32648]: do_auth         : auth failure: [user=monster] [service=smtp] [] [mech=pam] [reason=PAM auth error]
Aug 16 12:29:00 greenblatt saslauthd[32649]: pam_unix(smtp:auth): check pass; user unknown
Aug 16 12:29:00 greenblatt saslauthd[32649]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 16 12:29:02 greenblatt saslauthd[32649]: do_auth         : auth failure: [user=monster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
This is probably related to this sendmail log information:
Aug 16 12:28:56 greenblatt sm-mta[20716]: STARTTLS=server, [] (may be forged), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Aug 16 12:29:02 greenblatt sm-mta[20716]: w7GASspx020716: [] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v6
But I can't be sure as there are multiple 'did not issue MAIL/EXPN/VRFY/ETRN' messages in the logs. So I can't build a fail2ban rule based on this.

Tags: , , ,
2018-08-13 Trying to receive amateur radio through local interference 3 months ago
This evening I tried several things to improve my chances of actually receiving anything other than the loudest stations in the upcoming SCC RTTY contest.

First try was with a borrowed receive loop indoor and using an HF upconvertor, an rtl-sdr dongle and gqrx as receiving software. This did not work for digital modes: letting wsjt-x (FT8 software) 'listen' to the audio output of gqrx gave no decodes.

Interesting detail: looking at the right piece of spectrum for FT8 showed that the frequency wasn't 100% stable, with frequencies slowly changing. Touching the rtl-sdr gave a bump in frequency.

Another attempt was with the loop indoor and reception on the FT-857D radio. Reception of a strong SSB station seemed somewhat better on the loop, but I heard no improvement of weaker stations.

So I moved the loop outside to the end of the garden and layed a long cable back to the radio setup. This made interference worse! It was already dark so this was not related to any solar panel setup, but some other source of interference on HF. The loop is supposed to receive less local interference but I could not get it to do that this time (it did work for SSB some other time).

Tags: , , ,
2018-08-13 False advertising from antivirus software in e-mail 3 months ago
----- No virus found in this message. Checked by AVG - Version: 2014
.0.4830 / Virus Database: 4365/10772 - Release Date: 13/08/18

[-- Attachment #2: doc10089752487652120190813.docx.jar --]
I guess No known virus found was a better message for AVG.

Tags: , ,
2018-08-12 Making the HP DPS-700GB power supply less noisy 3 months ago
The HP DPS-700 GB power supply adapted to feed the linear amplifier has no own internal fans so I connected a recycled 50mm PC fan. Which runs at full speed which is a lot of noise. I ordered a 12 volt fan control module on-line so it can run slower and keep the noise down a bit.

I'll probably replace the current fan with an 80mm PC fan and set a low minimum speed. The air has to move as the power supply has no internal fans and is quite good at a thermal shutdown. But as long as things don't get warm it would be nice to reduce the noise as this was very noisy.
Read the rest of Making the HP DPS-700GB power supply less noisy

Tags: , ,
2018-08-12 More output power for PE4KH: I bought an HF linear amplifier 3 months ago
The reason for making the HP DPS-700 GB powersupply deliver a somewhat higher voltage and lots of amperes is that I made the decision to buy a HF linear amplifier. With such a device I get more output power on HF bands which should increase my chances in radio contests.

I have been looking at new and secondhand linear amplifiers for a while. Since this market is dominated by US customers most amplifiers will give 1000-1500 Watts output power at a serious price. The legal limit here in the Netherlands is 400 Watt unless I request a special license which will never happen since the radio station is surrounded by other houses. But there isn't much on offer below 400 Watt output power. I found RM Italy which sells linear amplifiers for CB and radio amateur use at more reasonable amounts of power and at a better price-point. I selected the RM Italy HLA300V plus which should give 300 Watts on HF bands.

I bought it online and it arrived fast. After soldering some cables to the power supply I was able to use it and it works as intended.

On the 20 meter band and 10 meter band it works with the endfed antenna (which can take 400 watts). On the 40 meter band it goes into protection mode instantly. It turns out the amplifier is quite sensitive to SWR problems, the endfed gives a 1:1.5 SWR. Maybe I can improve this a bit, the resonant point is below the 40 meter band.

Giving it 5 watt input power in digimodes will make 5 of the 7 output power LEDs light up. To get it to light up 5 LEDs in SSB mode I need to give it 10 watts power in that mode.

Propagation wasn't great this weekend so I spent most time in FT8 mode. With the help of the new amplifier I was able to get two new countries in the log: V51MA in Namibia and 9G5AR in Ghana.

The receive side is currently a different story. Interference levels are at an all-time high. The way I currently get reception for FT8 is by using the UTwente WebSDR for the receive side and feeding the audio to WSJT-X. With the delays and audio-processing introduced by the WebSDR I still get better and more decodes than from the local receiver.

For contesting that setup is not going to work. Most contests have a rule that all equipment for a contest station has to be on a limited area. For example the upcoming SCC RTTY contest has the rule:
All operation must take place from one operating site. Transmitter and receiver must be located within a 500-meter diameter circle.
I'm looking into using a receive loop to have less interference on reception.
Read the rest of More output power for PE4KH: I bought an HF linear amplifier

Tags: , , ,
2018-08-11 Testing login credentials from dataleaks 4 months ago
The authenticated SMTP setup with sendmail and secondary passwords I created is also attracting a new kind of attack: trying credentials from dataleaks. Leading to interesting tries in the log:
Aug 10 17:29:01 greenblatt saslauthd[32650]: do_auth         : auth failure: [] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Aug 11 10:48:42 greenblatt saslauthd[32649]: do_auth         : auth failure: [] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Tags: ,
2018-08-06 Rich chunky amps from a HP DPS-700 GB server power supply 4 months ago
At a hamfest a scouting group was offering a HP DPS-700 GB power supply for the nice sum of 5 euro. A quick search with google found information about the pinout so I bought it. This is a power supply that can deliver 56 Ampere at 12 Volts, and the 12 Volts can be adjusted upwards somewhat.

As usual with projects like this the power supply lived in the stack of projects for a while, but today I got around to testing it. Finding the pinout again was a bit hard, but I found the pins again at HP DPS-700GB 80mm fan shroud - Thingiverse which includes the simple modification to make the output voltage go up.

As this power supply has no internal fans and will stop fast due to internal overheating if not cooled, I set it up with a recycled computer fan. Power supplies like this will always be active in systems with enough fans to push air through the whole chassis.

The first test gave me 12.1 Volt. After adding a 1.5 kOhm resistor it went to 13.27 Volt. In theory the maximum current may have dropped as a result of this modification, but my best guess is that it can still deliver 50 Ampere.

Tags: , ,
2018-07-27 Automating Let's Encrypt certificates with DNS-01 protocol 4 months ago
Encrypt all the things meme After thoroughly automating Let's Encrypt certificate renewal and installation I wanted to get the same level of automation for systems that do not expose an http service to the outside world. So that means the DNS-01 challenge within the ACME protocol has to be used.

I found out dehydrated Let's Encrypt certificate management supports DNS-01 and I found a sample on how to do this with bind9 at Example hook script using Dynamic DNS update utility for dns-01 challenge which looks like it can do the job.

It took me a few failed tries to find out that if I want a certificate for the name that it will request the TXT record for to make me prove that I have control over the right bit of DNS. I first assumed something in which turned out wrong. So the bind9 config in /etc/bind/named.conf.local has:
zone "" {
        type master;
        file "/var/cache/bind/";
        masterfile-format text;
        allow-update { key "acmekey-turing"; };
        allow-query { any; };
        allow-transfer {
And in the zone there is just one delegation:
_acme-challenge.turing  IN      NS      ns2
I created and used a dnskey with something like:
# dnssec-keygen -r /dev/random -a hmac-sha512 -b 128 -n HOST acmekey-turing
This gives 2 files, both with the right secret:
# ls Kacmekey-turing.+157+53887.*
Kacmekey-turing.+157+53887.key  Kacmekey-turing.+157+53887.private
# cat Kacmekey-turing.+157+53887.key
acmekey-turing. IN KEY 512 3 157 c2V0ZWMgYXN0cm9ub215
and configured it in /etc/bind/named.conf.options:
key "acmekey-turing" {
        algorithm hmac-md5;
        secret "c2V0ZWMgYXN0cm9ub215";
And now I can request a key for and use it to generate sendmail certificates. And the net result:
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256          
SMTP between systems with TLS working and good certificates.

Tags: , , ,
2018-07-19 Configuring sendmail authentication like imaps access to allow secondary passwords 4 months ago
I needed to configure sendmail authenticated access because I want a strict SPF record for which means I always have to make outgoing mail originate from the right server.

For the sendmail authenticated smtp bit I used How to setup and test SMTP AUTH within Sendmail with some configuration details from Setting up SMTP AUTH with sendmail and Cyrus-SASL. To get this running saslauthd is needed to get authentication at all and I decided to let it use the pam authentication mechanism. The relevant part of
define(`confAUTH_OPTIONS', `A p')dnl
And now I can login to sendmail only in an encrypted session. And due to sendmail and other services now having valid certificates I can set up all devices to fully check the certificate so I make it difficult to intercept this password.

And after I got that working I decided I wanted 'secondary passwords' just like I configured extra passwords for IMAPS access so I set up /etc/pam.d/smtp to allow other passwords than the unix password and restrict access to the right class of users.
auth    required quiet user ingroup users
auth    [success=1 default=ignore] nullok_secure
auth    sufficient db=/etc/courier/extrausers crypt=crypt use_first_pass
# here's the fallback if no module succeeds
auth    requisite             
Now I can set up my devices that insist on saving the password for outgoing smtp and if it ever gets compromised I just have to change that password without it biting me too hard.

Tags: , , ,
2018-07-10 Found the original article about Steven K. Roberts and his recumbent bicycle Behemoth 5 months ago
Steven K. Roberts on Behemoth II I noticed the Nomadic Research Labs site was cleaned up a bit more, so I searched again for the article that I read in August 1995 about Steven K. Roberts and his recumbent bicycle Behemoth: "Big Electronic Human-Energised Machine ... Only Too Heavy".

The scans are at BEHEMOTH in Kijk – Dutch Magazine. Interesting detail is that the top left text refers to a picture of a Challenge recumbent. I recently ordered a new Challenge recumbent! Maybe I should find out whether I can find that page of that magazine.

Several things can be related to seeing this article: buying the book Computing Across America, selecting a recumbent bicycle later in life and this idea in the back of my head of future recumbent cycling trips.

Tags: , , , ,
2018-07-08 Automating Let's Encrypt certificates further 5 months ago
Encrypt all the things meme Over two years ago I started using Let's Encrypt certificates. Recently I wanted to automate this a step further and found dehydrated automated certificate renewal which helps a lot in automating certificate renewal with minimal hassle.

First thing I fixed was http-based verification. The webserver has been set up to make all .well-known/acme-challenge directories end up in one place on the filesystem and it turns out this works great with dehydrated.

I created a separate user for dehydrated, gave that user write permissions for the /home/httpd/html/.well-known/acme-challenge directory. It also needs write access to /etc/dehydrated for its own state. I changed /etc/dehydrated/config with:
Now it was possible to request certificates based on a .csr file. I used this to get a new certificate for the home webserver, and it turned out to be easier than the previous setup based on letsencrypt-nosudo.
Read the rest of Automating Let's Encrypt certificates further

Tags: , , , ,
2018-07-05 Future cycling goals... 5 months ago
I had a serious case of 'ooooh shiny' today. I browsed a bit of Northern Canada news from CBC and found the article Dempster Highway drivers flock to new destination — the Arctic coast about the new Inuvik Tuktoyaktuk Highway which connects the Dempster Highway all the way to Tuktoyaktuk on the northern arctic coast.

So I started wondering whether people are cycling the Dempster Highway. Yes, they are. I found several travel stories, Cycling the Dempster Highway to Inuvik, Cycling the Dempster Highway Part 1: Hungrier than the bears - Tasting Travels and Dempster Highway to the Arctic about one cyclist who cycled from Vancouver to Inuvik on a recumbent.

I may have found some future cycling ideas there. Those ideas aren't really new, from time to time I get back to thinking about Computing Across America and Steven K. Roberts.

Tags: , , ,
2018-06-30 New 2 meter distance: 483 kilometers 5 months ago
While trying to get an idea of how much interference I have on the 2 meter band I still worked on my distance records: I had a contact with G8GXP which is a distance of 483 kilometers, a new record for me on the 2 meter band.

This is with S5/S6 interference on the 2 meter band as long as the sun is more than a bit above the horizon, which at the moment is very long. Some ferrite added to the solar power convertor already helped, but I guess the solar optimizers also need some work to clear the 2 meter band again.

Tags: , , ,
2018-06-27 Recorded the ISS contact today 5 months ago
Today was an ISS contact with Werner-Heisenberg-Gymnasium, Leverkusen, Germany and Schickhardt-Gymnasium, Herrenberg, Germany and most of the contact was going to be within range for me and it was at a usable time.

So I set up gpredict to track the ISS and the receive frequency and set up audacity to record the results. Which weren't great since 2 meter reception is now influenced by recently installed solar panels on the house next door.
Listen to audio attachment:

Tags: , , ,
2018-06-26 Interesting video about amateur radio 5 months ago
A nice video I found from Essex Ham via Journey into Amateur Radio (Pete M0PSX) where Pete narrates slides from earlier presentations he gave on his specific journey in amateur radio.

Tags: ,
2018-06-25 Distributed ssh attack 5 months ago
SSH attacks are on the rise. But fail2ban isn't blocking as much of those attacks as it used to since the attacks are quite distributed. This morning I noticed clear correlation between a subset of the attempts, they were all using names of websites hosted on the same system.
Jun 25 06:18:44 greenblatt sshd[10092]: Invalid user campwireless from
Jun 25 06:29:21 greenblatt sshd[10993]: Invalid user camp-wireless from
Jun 25 06:30:51 greenblatt sshd[11073]: Invalid user campwireless from
Jun 25 06:41:43 greenblatt sshd[12213]: Invalid user camp-wireless from
Jun 25 06:50:01 greenblatt sshd[12962]: Invalid user campwireless from
Jun 25 06:59:39 greenblatt sshd[13794]: Invalid user camp-wireless from
Jun 25 07:35:27 greenblatt sshd[16771]: Invalid user virtualbookcase from
Jun 25 07:35:36 greenblatt sshd[16779]: Invalid user campwireless from
Jun 25 07:39:28 greenblatt sshd[17175]: Invalid user camp-wireless from
Jun 25 07:46:01 greenblatt sshd[17570]: Invalid user camp-wireless from
Jun 25 07:54:59 greenblatt sshd[18273]: Invalid user camp-wireless from
Jun 25 07:59:48 greenblatt sshd[18754]: Invalid user idefix from
Jun 25 08:02:08 greenblatt sshd[18926]: Invalid user idefix from
Jun 25 08:05:54 greenblatt sshd[19358]: Invalid user virtualbookcase from
Jun 25 08:09:45 greenblatt sshd[19809]: Invalid user urlurl from
Jun 25 08:26:35 greenblatt sshd[21183]: Invalid user urlurl from
Jun 25 08:29:07 greenblatt sshd[21357]: Invalid user camp-wireless from
Jun 25 08:43:04 greenblatt sshd[22400]: Invalid user campwireless from
Jun 25 08:45:45 greenblatt sshd[22558]: Invalid user campwireless from
Jun 25 09:01:30 greenblatt sshd[23883]: Invalid user urlurl from
Jun 25 09:08:17 greenblatt sshd[24516]: Invalid user camp-wireless from
Jun 25 09:23:47 greenblatt sshd[26042]: Invalid user camp-wireless from
Jun 25 09:45:27 greenblatt sshd[27812]: Invalid user camp-wireless from
Jun 25 09:56:02 greenblatt sshd[28617]: Invalid user campwireless from
Jun 25 10:06:47 greenblatt sshd[29707]: Invalid user campwireless from
Jun 25 10:14:58 greenblatt sshd[30250]: Invalid user camp-wireless from
Jun 25 10:15:43 greenblatt sshd[30317]: Invalid user camp-wireless from
Jun 25 10:19:17 greenblatt sshd[30698]: Invalid user campwireless from
Jun 25 10:19:25 greenblatt sshd[30702]: Invalid user urlurl from
Jun 25 10:32:42 greenblatt sshd[31743]: Invalid user idefix from
Jun 25 11:04:33 greenblatt sshd[2346]: Invalid user campwireless from
This suggests coordination between the attacking systems.

But the simpler attacks do continue:
Jun 25 09:17:31 greenblatt sshd[25579]: Invalid user cristina from
Jun 25 09:17:35 greenblatt sshd[25582]: Invalid user cristina from
Jun 25 09:17:39 greenblatt sshd[25586]: Invalid user cristina from
Jun 25 09:17:39 greenblatt sshd[25585]: Invalid user cristina from

Tags: ,
⇐ Newer news items for tag english  Older news items for tag english ⇒
, reachable as PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews