News items for tag english - Koos van den Hout

2018-02-18 I learned event-based programming recently
On 8 and 9 February last week I attended the SURF Security and Privacy conference. SURFcert, the incident response team of SURF, had its own 'side event' within this conference: an escape room. Since the members of SURFcert like to visit escape rooms themselves, the idea was to build our own. A simple one, as teams of 2 or 3 people had to solve it within 15 minutes. The best scores were indeed just over 5 minutes, so it was doable.

The escape room clock
The theme of this escape room was the trip Snowden made: from the US to Hong Kong to Moscow. Each location had a puzzle and, like Snowden, the only thing you could take to the next location was knowledge: in this case a 4-digit code to open a lock. Someone else in the SURFcert team did most of the hardware work and I decided to dive into some programming to support this effort. The escape room needed a countdown clock that could only be stopped by the right code. My idea was to use a barcode scanner to link the stop action to scanning the barcode on an object.

So I installed a Raspberry Pi with a Raspbian desktop and found out how to set up autorun on the Pi so my program would be started at boot, when the user 'pi' logs in automatically. This was done by starting it from ~/.config/lxsession/LXDE-pi/autorun.

The program I wrote had three inputs:
  • A reset switch connected to GPIO pin 11 and ground
  • A start button connected to GPIO pin 03 and ground
  • Entering the right barcode to stop the time. In the end this was the barcode of a real Russian bottle of vodka, so my program needed vodka as input
For the barcodes I used a USB barcode scanner I have lying around. It behaves like a USB keyboard, so scanning a barcode causes the code to be entered as keystrokes with an enter key at the end.

But all programming I do is sequential. This is different: I needed to write an event-based program. It needs to react to time events and enter events, and needs to check the state of GPIO bits on time events. And on certain events it needs to change the global state (reset, running, stopped). The last time I did any event-based programming was an IRC bot written in Perl 4.

So with a lot of Google searches, copy-pasting bits of code, searching a lot for which input bits would be high by default and go low when connected to ground, and a lot of trying I wrote a program. It uses WxPerl to have a graphical interface and use events. I'm not saying it's a good program, but it did the job.

Notable things:
  • The OnInit function sets up everything: a window with minimal decorations that tries to go full-screen, a text box that shows the time as static text and starts at 15:00, a handler for timer events that is called 10 times per second, and an input box with a handler for when the enter key is pressed.
  • The onTimer function looks at the global state, decides which inputs are valid in that state and handles them.
  • The onenter function calculates a SHA-256 hash of the input line and checks which inputs can change the global state. The hash was to make sure that someone who could have a look at the source still had no idea what the commands were to control it all via keyboard (and no keyboard was connected anyway). The input for a shutdown is the barcode from one of the loyalty cards I carry around.
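As an added example (not the author's WxPerl program), the same three event sources and the reset/running/stopped state machine in Python without a GUI: a 10 Hz timer that samples the two active-low GPIO inputs, enter events from the keyboard-like scanner, and commands recognised only by their SHA-256 digest so the source shows hashes, not barcodes. The barcode strings, the pin semantics and the exact transitions are assumptions made for the illustration.

```python
"""Event-driven escape-room countdown with hashed control commands.

Added example, not the original program. Models the post's three inputs as
methods on a state machine: on_timer() is the 10 Hz timer event and samples
the two GPIO pins, on_enter() is the 'enter pressed' event from the scanner.
Buttons are assumed active-low: the pin is pulled high and reads low when
the button connects it to ground.
"""
import hashlib
import hmac

RESET, RUNNING, STOPPED = "reset", "running", "stopped"
START_SECONDS = 15 * 60              # the clock shows 15:00 when reset
TICKS_PER_SECOND = 10                # timer handler runs 10 times per second
MAX_TICKS = START_SECONDS * TICKS_PER_SECOND


def digest(line):
    """SHA-256 hex digest of one scanned line (trailing newline stripped)."""
    return hashlib.sha256(line.strip().encode()).hexdigest()


# Constructed stand-ins for the vodka barcode and the shutdown barcode. In a
# deployed program only the two hex digests would appear in the source.
STOP_DIGEST = digest("CONSTRUCTED-STOP-BARCODE")
SHUTDOWN_DIGEST = digest("CONSTRUCTED-SHUTDOWN-BARCODE")


class EscapeClock:
    def __init__(self):
        self.state = RESET
        self.ticks = 0                   # integer tick count avoids float drift
        self.shutdown_requested = False

    def display(self):
        """mm:ss text for the clock window; rounds up so 15:00 stays visible
        until a full second has elapsed and 00:00 appears only at time-out."""
        left = MAX_TICKS - self.ticks
        secs = (left + TICKS_PER_SECOND - 1) // TICKS_PER_SECOND
        return "%02d:%02d" % divmod(secs, 60)

    def on_timer(self, reset_low, start_low):
        """Timer event. reset_low / start_low are True when the GPIO pin reads
        low, i.e. the button is pressed. Reset wins in every state; start is
        only meaningful in the reset state; the clock only advances while
        running and stops by itself when it reaches zero."""
        if reset_low:
            self.state, self.ticks = RESET, 0
            return
        if self.state == RESET and start_low:
            self.state = RUNNING
        elif self.state == RUNNING:
            self.ticks += 1
            if self.ticks >= MAX_TICKS:
                self.state = STOPPED

    def on_enter(self, line):
        """Enter event from the scanner. Only lines whose digest matches a
        stored digest do anything; compare_digest keeps the comparison
        constant-time. Returns the action taken, or None."""
        d = digest(line)
        if hmac.compare_digest(d, STOP_DIGEST) and self.state == RUNNING:
            self.state = STOPPED
            return "stopped"
        if hmac.compare_digest(d, SHUTDOWN_DIGEST):
            self.shutdown_requested = True
            return "shutdown"
        return None
```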
2018-02-18 Two new countries in the log and I participated in the Russian worldwide PSK contest 2018
Two new countries in the PE4KH log: Oman and India. Oman was Friday afternoon, when I was home early and decided to turn the dial over the 40 meter band to make some phone contacts and heard A41CK call, who took my call on the second try!

India was late Friday evening. The call VU2NKS showed up in FT8 and there was an immediate pile-up (lots of people answering). But with some persistence from my side and good operating skills from the other side the contact was made.

And this weekend was the Russian Worldwide PSK Contest, so I participated Saturday afternoon / evening and a bit Sunday right before 12:00 UTC. I managed to start Saturday 12:00 UTC sharp calling CQ, which worked at that time for getting contacts. I chose the 40 meter band category because I expected most radio time this weekend would be after sunset.

In the end I made 64 contacts. Not a very high score, but I had times where several contacts happened in short succession, so I am improving in digimode contesting.
Band  QSOs Dupes Points Mults
160      0     0      0     0
80       0     0      0     0
40      64     0    388    28
20       0     0      0     0
15       0     0      0     0
10       0     0      0     0
Total   64     0    388    28
Claimed score is 10864 points
2018-02-11 Plotting the number of amateur radio contacts
After the end of January I decided to plot the number of contacts again (QSL count plot up to January 2018). January is a busy month with two contests for me, but I did not make a lot of contacts outside of those contests this year. I added contacts from holidays and the PE4KH/P activities to the total count.

Some more work on the plot script: I think bars look better than a line graph. But you could spend hours in gnuplot making the plot just right...

The new script:
set output "qslcount.png"
set terminal png size 640,300 fontscale 0.7
set timefmt "%Y-%m"
set xlabel "Month"
set ylabel "Number of contacts"
set xdata time
set style fill solid
set xtics format "%b %Y"
set xtics rotate
set grid
set boxwidth 0.75 relative
set autoscale xfixmin
set autoscale xfixmax
plot "dataset-qsocount" using 1:2 title "Contacts/Month" with boxes
Update: and indeed the change in x autoscale made it one bit more 'just right'. The first graph was in February 2017: Rising number of amateur radio contacts.

2018-02-02 Trying to make me skip the rest of the security report
In the sshd logging today:
sshd[26961]: Invalid user <!-- from
But the logging is parsed by software that doesn't trust its input either, so the rest is in the report too, including more attempts from that IPv4 address.
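The point of the entry, as an added example that is not the author's report software: a username of <!-- only hides the rest of an HTML report if log fields are pasted in verbatim. This parses such sshd lines (the username greedily, up to the final " from ") and escapes every field before it lands in the report. The sample lines and the 192.0.2.x addresses are constructed.

```python
"""Render sshd 'Invalid user' lines as HTML table rows that untrusted
usernames cannot break. Added example, not the software used in the post."""
import html
import re

# Constructed sample lines in the shape of the entry's log line; the source
# addresses come from the documentation range, not from the post.
SAMPLE_LOG = [
    "sshd[26961]: Invalid user <!-- from 192.0.2.10",
    "sshd[26961]: Invalid user admin from 192.0.2.10",
    "sshd[27001]: Invalid user </td><td>x from 192.0.2.11",
]

# The username is matched greedily so it may contain spaces and markup;
# the final ' from <address>' anchors the end of the line.
LINE_RE = re.compile(r"sshd\[(\d+)\]: Invalid user (.*) from (\S+)$")


def parse_invalid_user(line):
    """Return (pid, user, source) for an 'Invalid user' line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def report_rows(lines):
    """One HTML <tr> per parsed line. Every log-derived field goes through
    html.escape, so '<!--' becomes '&lt;!--' and cannot open a comment that
    swallows the remainder of the report."""
    rows = []
    for line in lines:
        parsed = parse_invalid_user(line)
        if parsed is None:
            continue
        pid, user, src = parsed
        rows.append("<tr><td>%d</td><td>%s</td><td>%s</td></tr>"
                    % (pid, html.escape(user), html.escape(src)))
    return rows


def report_is_intact(rows):
    """Check that no raw comment opener survived escaping."""
    return all("<!--" not in row for row in rows)
```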

2018-01-27 I caused an interesting problem with the VDSL pppoe session
Normally being active on certain HF bands causes one-time VDSL disconnects, but what I have done now seems to have triggered something else: after the connection dropped it refuses to come back. The entire session looks like:
22:49:28.466922 PPPoE PADI [Service-Name]
22:49:28.490394 PPPoE PADO [AC-Name "dr12.d12"] [Service-Name] [AC-Cookie 0xA3FE109A222CE73945C23FCE85E03F83] [EOL]
22:49:28.490603 PPPoE PADR [Service-Name] [AC-Cookie 0xA3FE109A222CE73945C23FCE85E03F83]
22:49:28.517063 PPPoE PADS [ses 0x40c] [Service-Name] [AC-Name "dr12.d12"] [AC-Cookie 0xA3FE109A222CE73945C23FCE85E03F83] [EOL]
22:49:28.575266 PPPoE  [ses 0x40c] LCP, Conf-Request (0x01), id 72, length 16
22:49:28.575776 PPPoE  [ses 0x40c] LCP, Conf-Request (0x01), id 99, length 22
22:49:28.575798 PPPoE  [ses 0x40c] LCP, Conf-Reject (0x04), id 72, length 10
22:49:28.589161 PPPoE  [ses 0x40c] LCP, Conf-Ack (0x02), id 99, length 22
22:49:28.589164 PPPoE  [ses 0x40c] LCP, Conf-Request (0x01), id 73, length 12
22:49:28.589666 PPPoE  [ses 0x40c] LCP, Conf-Ack (0x02), id 73, length 12
22:49:28.589682 PPPoE  [ses 0x40c] LCP, Echo-Request (0x09), id 0, length 10
22:49:28.589693 PPPoE  [ses 0x40c] CCP, Conf-Request (0x01), id 89, length 17
22:49:28.589702 PPPoE  [ses 0x40c] IPCP, Conf-Request (0x01), id 89, length 18
22:49:28.589711 PPPoE  [ses 0x40c] IP6CP, Conf-Request (0x01), id 89, length 16
22:49:28.603265 PPPoE  [ses 0x40c] LCP, Echo-Reply (0x0a), id 0, length 10
22:49:28.603267 PPPoE  [ses 0x40c] LCP, Term-Request (0x05), id 74, length 6
22:49:28.604033 PPPoE  [ses 0x40c] LCP, Term-Ack (0x06), id 74, length 6
22:49:31.623454 PPPoE PADT [ses 0x40c] [Generic-Error "RP-PPPoE: System call error: Input/output error"] [AC-Cookie 0xA3FE109A222CE73945C23FCE85E03F83]
So in the end the router at my ISP decides to terminate the connection. When the connection failed I decided to change the configuration to use the kernel-mode pppoe driver, but after this started showing up I reverted that change. Which made no difference: the connection is still not coming up.

Update: I went looking at other changes I made to enable the pppoe server test, and reverting the /etc/ppp/pap-secrets file to its original format fixed the problem. I guess I somehow started to authenticate the remote end.

And changing from user-mode pppoe to kernel-mode pppoe does lower the MTU to 1492, so that test is also finished. Back to user-mode pppoe.

2018-01-25 Building a testing server for pppoe
The new homeserver will have to run the same pppoe client setup as the current server. But I want to get the whole setup tested before the migration to minimize disruption.

Since I'm not going to get a free extra VDSL line and VDSL modem to test with, and the complicated part is in the pppoe and ppp client part, I decided to use a test VLAN and set up a pppoe-server and ppp server on that VLAN.

The pppoe server part is started with
# pppoe-server -I eth0.99 -C kzdoos -L -R
And it's indeed available from the client:
# pppoe-discovery -I eth2
Access-Concentrator: kzdoos
Got a cookie: 84 39 c6 51 13 fe 32 00 2c 06 2a b4 38 0e 30 87 46 7b 00 00
AC-Ethernet-Address: 00:1f:c6:59:76:f6
So that part works. Next is to get an actual ppp session working over it.

The server part was a bit of work as I want to get the whole configuration tested, including password checks. Server configuration in /etc/ppp/pppoe-server-options on the server system:
lcp-echo-interval 10
lcp-echo-failure 2
ipv6 ,
And the client configuration in /etc/ppp/peers/dray-vdsl:
user testkees
password topsecret
ipv6 ,
maxfail 0
ipparam xs4all
lcp-echo-interval 10
lcp-echo-failure 6
pty "pppoe -I eth2"
Lots of options to make the setup exactly the same as the current one. It took a lot of tries before password authentication was working. I could not get the client-side password in /etc/ppp/pap-secrets to work, but as shown above the password in the ppp peer configuration did work.

And the setup in /etc/network/interfaces on the client, just the same as the known configuration:
iface pppdray inet ppp
        provider dray-vdsl

And it works!
# ifup pppdray
Plugin loaded.
# ifconfig ppp0
        inet  netmask  destination
        inet6 fe80::5254:ff:fe3c:2014  prefixlen 10  scopeid 0x20<link>
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 9  bytes 252 (252.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 202 (202.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# ping -c 3
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.721 ms
64 bytes from icmp_seq=2 ttl=64 time=0.436 ms
64 bytes from icmp_seq=3 ttl=64 time=0.449 ms

--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2029ms
rtt min/avg/max/mdev = 0.436/0.535/0.721/0.132 ms
The MTU is not yet what I want, but the session is alive.

2018-01-23 Avoiding the linux stateful firewall for some traffic
I was setting up a Linux based firewall on a busy NTP server and to make sure everything worked as designed I added the usual:
iptables -A INPUT -j ACCEPT --protocol all -m state --state ESTABLISHED,RELATED
And after less than half an hour the system log started filling with
nf_conntrack: table full, dropping packet
nf_conntrack: table full, dropping packet
nf_conntrack: table full, dropping packet
nf_conntrack: table full, dropping packet
It is indeed a busy server. The solution is to exclude all the NTP traffic from the stateful firewall, which means I have to allow all kinds of NTP traffic (outgoing and incoming) explicitly.

The specific ruleset:
iptables -t raw -A PREROUTING --protocol udp --dport 123 -j NOTRACK
iptables -t raw -A OUTPUT --protocol udp --sport 123 -j NOTRACK

iptables -A INPUT -j ACCEPT --protocol udp --destination-port 123
I also made sure the rules for the NTP traffic are the first rules.

Traffic at this server is somewhat over 1000 NTP requests per second, so the counters of the NOTRACK rules go up fast.
# iptables -t raw -L -v
Chain PREROUTING (policy ACCEPT 1652K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination 
9635K  732M CT         udp  --  any    any     anywhere             anywhere             udp dpt:ntp NOTRACK
1650K  125M CT         udp  --  any    any     anywhere             anywhere             udp dpt:ntp NOTRACK

Chain OUTPUT (policy ACCEPT 1522K packets, 117M bytes)
 pkts bytes target     prot opt in     out     source               destination 
9029K  686M CT         udp  --  any    any     anywhere             anywhere             udp spt:ntp NOTRACK
1520K  116M CT         udp  --  any    any     anywhere             anywhere             udp spt:ntp NOTRACK
But no packets are dropped, which is good as this server is supposed to be under a constant DDoS.
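Two things worth verifying in a listing like the one above, as an added example that is not from the original post: that the NOTRACK rule really is the first rule of each raw-table chain (otherwise an earlier rule can still create conntrack entries), and that it is not present twice, as it is in the listing shown. The sample listing below is constructed from the post's output; the parser assumes the nine fixed columns `iptables -L -v` prints before the match text.

```python
"""Check `iptables -t raw -L -v` output for the NTP NOTRACK rules.

Added example, not from the post. Parses the verbose listing into per-chain
rule lists, then checks that the udp/123 NOTRACK rule comes first and that
no rule appears more than once (duplicates waste a lookup per packet and
make the counters misleading)."""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "pkts nbytes target prot match")

# Constructed sample, modelled on the listing in the post.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 1652K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination
9635K  732M CT         udp  --  any    any     anywhere             anywhere             udp dpt:ntp NOTRACK
1650K  125M CT         udp  --  any    any     anywhere             anywhere             udp dpt:ntp NOTRACK

Chain OUTPUT (policy ACCEPT 1522K packets, 117M bytes)
 pkts bytes target     prot opt in     out     source               destination
9029K  686M CT         udp  --  any    any     anywhere             anywhere             udp spt:ntp NOTRACK
1520K  116M CT         udp  --  any    any     anywhere             anywhere             udp spt:ntp NOTRACK
"""


def parse_chains(listing):
    """Return {chain_name: [Rule, ...]} in the order the rules are listed."""
    chains = {}
    current = None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) ", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        # pkts bytes target prot opt in out source destination, then match text
        fields = line.split(None, 9)
        match = fields[9] if len(fields) > 9 else ""
        chains[current].append(Rule(fields[0], fields[1], fields[2], fields[3], match))
    return chains


def notrack_is_first(chains, chain, expected_match):
    """True when the first rule of `chain` is the CT/NOTRACK rule for
    expected_match (e.g. 'udp dpt:ntp'), so no earlier rule sees NTP."""
    rules = chains.get(chain, [])
    if not rules:
        return False
    first = rules[0]
    return (first.target == "CT" and first.prot == "udp"
            and first.match == expected_match + " NOTRACK")


def duplicate_rules(chains, chain):
    """Rules (target, prot, match) that occur more than once in `chain`,
    ignoring their counters."""
    seen = {}
    for r in chains.get(chain, []):
        key = (r.target, r.prot, r.match)
        seen[key] = seen.get(key, 0) + 1
    return [key for key, n in seen.items() if n > 1]
```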

2018-01-19 Collecting ages of ntpd mode 7 probes
I noticed today one of the NTP servers I manage has been collecting ages of ntpd mode 7 probes without ever responding. But it makes a nice overview of probing IPv4 addresses:
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
[table of probing addresses not reproduced]
All IP addresses with only 1 packet removed.

2018-01-15 I participated in the UBA PSK63 prefix contest
As planned I participated in the UBA PSK63 prefix contest in the weekend. Activity was Saturday evening and Sunday morning, interrupted by some good sleep.

Compared to my experiences in the ARRL RTTY Roundup one weekend earlier, the 40 meter band decided to act quite differently. On Saturday evening it was quite hard to make a contact: a lot of interference, no far away stations, and it was hard to get heard by the other side. I stopped before 22:00 UTC (23:00 local time) because I thought some sleep would be more effective than getting annoyed by the lack of contacts.

Indeed, Sunday morning things got better, although I heard only nearby signals on the 40 meter band, including some Belgian stations. No serious DX. Belgian stations are good for extra multipliers, so it was good for the score.

In the end I made 76 contacts. The last contact was started by a CQ I called at 11:59 UTC but it was only answered at 12:00, so it does count, but I had to note it in the log as originating at 11:59, where the software normally logs the moment I see the callsign for the first time.

Log submitted and the VERON afdelingscompetitie updated.
2018-01-14 Recovering firmware on the Draytek Vigor 130 VDSL2 modem with linux / macosx
Note beforehand: I have not tested this procedure; every time I needed it, it was faster to boot Windows to run the utility Draytek has available.

I needed the recovery procedure again: there was a new firmware 3.8.12 with a newer VDSL modem driver and the standard update via the web interface failed.

I just want to keep the notes from "OzCableguy" since his shop and blog have gone. I found the saved version via Updating Draytek firmare using the MacOS X or UNIX command line and TFTP - OzCableguy.

Draytek modems have several methods available to update their firmware.

You can use the Firmware Upgrade Utility under Windows, load it from the web interface via HTTP, FTP the file to the modem or use the TFTP (Trivial File Transfer Protocol) service built into the box.

If your modem has been bricked you can’t use FTP or HTTP. If you don’t want to use Windows or go through the web interface, then this TFTP method is a viable alternative. Note that unlike a lot of other boxes using TFTP to load firmware, the Draytek is acting as a TFTP server, the UNIX/MacOS box as a client and you PUT the file onto the modem. It is normally the other way around, but that needs some extra setup steps that are conveniently avoided with this method.

The firmware comes in two pieces. Use the .rst version of the file if you want to change the modem settings back to factory defaults, use the .all file to keep the current settings (.all may not be a good option if the modem is bricked).

Secondly you need an ethernet interface on your Mac or UNIX box set to the subnet (eg: with IP address so that you can talk to the modem at its default IP address of

If the modem is up and running (and not bricked), you should now be able to ping it ..
$ ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=255 time=0.309 ms
64 bytes from icmp_seq=1 ttl=255 time=0.421 ms
64 bytes from icmp_seq=2 ttl=255 time=0.409 ms
--- PING Statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.309/0.380/0.421/0.050 ms
If your modem is really bricked then the ping will only work when the modem is actually in TFTP upload mode as below. You can ignore this step, it just demonstrates that the ethernet cable is working.

Now we can upload the firmware. With the modem powered off, press and hold the factory reset button, then power up the modem. Continue to hold the button down until ’some’ of the lights flash together. On the Vigor2820Vn ’some’ is the left column of three. On the 2800 and 2910 the left two LEDs flash.

Release the button and on your UNIX/MacOS box type the following commands (note that the modem only stays in TFTP mode for a short time, you can actually type right up to the end of the put command and just press return when the left-hand modem lights start flashing).

The name of the firmware and the number of bytes transmitted depend on the product you are trying to recover.
$ tftp
tftp> binary
tftp> put v2820_v03301_211011_A.rst
Sent 4973144 bytes in 13.1 seconds
tftp> quit
There will be a pause after the ‘put’ command, but your modem ethernet port light should be flashing madly. The transfer is done when you get the “Sent” message. Quit the TFTP client and perhaps your Terminal session, there’s nothing more to see.

What happens next isn’t really documented but we presume that the modem has to unpack the firmware and load it into flash. On our 2820Vn the column of 3 lights continued to flash, but gradually slowed down, sped up, then slowed again. Eventually after a minute or two the modem rebooted in the normal fashion. Just be patient.
And this last bit is where the Windows utility is better: it will tell you when the recovery is done and successful. With a command-line tool you'll just have to wait for the LEDs to blink right.

After all the recovery and the waiting, the modem works again and the line is stable. I chose the 'modem6' version again. I may try the 'modem5' and 'modem4' versions too to see whether I can get lower latency without losing stability, although the improvement may be in the single-digit millisecond range, so it would be a lot of work for very little improvement.

2018-01-12 I am planning to participate in the UBA PSK63 contest
As in previous years, I am planning to participate in the UBA PSK63 Prefix Contest in the upcoming weekend.

I can't participate for the full 24 hours since other things have to be done too in the weekend, including the all-important 'sleep'.

I just finished the preparations:
  • The endfed antenna for 10/20/40 is hanging outside
  • The contest macros have been updated to call CQ UBA PFX TEST
On Saturday evening the 20 meter band will probably be closed by the time I am available for contesting, so I'll start on the 40 meter band. The choice between 40 meter band only or all band will have to be made on Sunday morning, depending on the number of new contacts I can make on the 40 meter band.
2018-01-08 I participated in the ARRL RTTY Roundup 2018
For the past weekend I had the ARRL RTTY Roundup planned, meaning I had reserved time in the family calendar. Other things had to happen too, but I reserved time for contesting and made sure I had the right macros available before the contest started. I hoped to find time to set up the endfed antenna before the contest but that did not happen, so it was the first thing to do when we got home at the beginning of Saturday evening.

In the contest I only operated on the 40 meter band. Most of the time I was able to participate was in the dark, when I did not expect the 20 meter band to cooperate, and I thought that operating on just one band would make me end higher in the rankings for that more specific category. Only after the contest I read the rules exactly and noticed that this specific contest does not differentiate between single and multi-band operation.

In the end I made 95 contacts. Local noise is high in my current setup so only the strongest stations came through the noise. I made only one contact in CQ mode, the rest was search and pounce. Propagation wasn't really good until late in the evenings, when I managed to score some US contacts. I did see someone from Prince Edward Island in Canada but that station did not hear me return. I noticed WP2B did not give me a US state but a serial number and found out that is a US Virgin Islands callsign, so that was a new country for me.

In the end a nice contest. For upcoming contests: check the rules and propagation predictions and plan my strategy.
2018-01-03 Fixing stuff in The Virtual Bookcase for PHP 7
After spending an evening fixing scripts on The Virtual Bookcase to make them run in PHP 7 and make them safer at the same time I came to the conclusion that I still don't like PHP.

My conclusion is that if I want to maintain sites I'd rather redo them in Perl. I noticed the last serious maintenance on the scripts of The Virtual Bookcase was 9 years ago (!). That was also when I had the habit of writing maintenance scripts in Perl and web code in PHP. The upside is that a part of the page-generating code is already available in Perl.

But a rewrite is a task for another day. For now the site works cleanly in PHP 7 (and 5) and I can go on to the next task for moving the homeserver.
2018-01-01 Making my own web stuff more robust
In building the new homeserver there is also time to test things and improve robustness a bit (although I should not overdo it).

The one thing that forces me to look at some web code again is that the new servers run PHP version 7. Some of my code is giving warnings; time to fix that. But I haven't written any serious PHP in ages, I just rewrote sites in mod_perl. So my PHP is rusty and needs work, especially with PHP 7.

It's a good thing I use version management, which allows me to test the fixes on the development version(s) of the site and push them to the production version when I'm happy with the results.

Some of the things I notice that could be improved go on the todo list. One thing I did notice and fixed right away was that the CVS metadata inside the web directories could be requested too. Although I find no serious security information in there, it is still an unwanted information leak.

2017-12-29 New temperature sensors in the shed
Since the power failure that caused problems for the weather station computer ritchie, and the conclusion that even after the BIOS upgrade the serial ports kept failing, there was no 'inside the shed' temperature.

But this week I needed a better view of the temperature inside the shed as we're using it to keep some meat cool. So I heated up the soldering iron and the heat-shrink gun and made a cable with two DS18B20 sensors in it. I decided that if I started measuring temperatures inside the shed I also wanted the temperature near the roof.

The interesting bit was adding the two sensors to the w1retap configuration. It seems the whole 1820 family of temperature sensors needs to be set up as a 'DS1820' and w1retap will find out how to read it. Resulting configuration:
and now I have logging of the temperatures:
2017-12-29T16:28:00+0100 Tempinside 2.812500 ⁰C
2017-12-29T16:28:00+0100 Temproof 2.687500 ⁰C
And it helps us to determine when we need to make space in our fridge and move some other things to the shed to keep them somewhat cool.

2017-12-28 Learning Apache 2.4 access control
Before I expose anything to the outside world I want the access controls to work as I expect, but things have changed a lot in Apache 2.4.

The standard for a site that's normally available is now in 2.4:
        <Directory "/home/httpd/idefix/html">
                Require all granted
        </Directory>
(and any other needed options). But for development systems I want a username/password prompt to access them. This part took a bit of work to get right. First I found that Upgrading to 2.4 from 2.2 - Apache HTTP Server Version 2.4 has a repeating typo in the authorization samples:
AuthBasicProvider File
isn't going to work, giving
Unknown Authn provider: File
error messages. The right bit is:
AuthBasicProvider file
The difference one letter makes.

That still did not give me a working configuration, leading to interesting errors in the log of the type:
AH00027: No authentication done but request not allowed without authentication for /. Authentication not configured?
Which turned out to be a missing bit in the samples in the same document: the AuthType is needed too.

The full, now working, access rule is:
    <Location "/">
        AuthType Basic
        AuthBasicProvider file
        AuthUserFile /home/httpd/data/sitemanagers
        AuthName "Koos z'n Doos beheer"
        <RequireAny>
            Require valid-user
        </RequireAny>
    </Location>
The use of RequireAny allows me to add trusted IP ranges, so that the site is reachable from a trusted IP address or after using HTTP basic authentication.

The good news is that the samples in Authentication and Authorization - Apache HTTP Server Version 2.4 are correct.
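The RequireAny variant the text refers to, written out as an added example (not the author's configuration), together with a rule that keeps version-control metadata such as the CVS directories from the 2018-01-01 entry out of reach whatever the location rule allows. The trusted range is a placeholder from the documentation prefix and the realm text is the post's own.

```apache
# Added example, not the configuration from the post. 192.0.2.0/24 is a
# placeholder for the trusted range; paths are the ones shown in the post.
<Location "/">
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile /home/httpd/data/sitemanagers
    AuthName "Koos z'n Doos beheer"
    <RequireAny>
        # Either the client comes from the trusted range ...
        Require ip 192.0.2.0/24
        # ... or it presents a valid username and password.
        Require valid-user
    </RequireAny>
</Location>

# Version-control metadata must never be served, independent of the rule
# above: deny any directory named CVS anywhere under the document roots.
<DirectoryMatch "/CVS(/|$)">
    Require all denied
</DirectoryMatch>
```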

2017-12-28 Getting haproxy to do what I want
In the new homeserver I want haproxy running on the "router" so it can route HTTP requests to the right backend. At the moment I am testing this and after the 'http' config I'm now testing the 'https' part. To keep things consistent, requests that come in via https are also requested via https from the backends.

For testing I have some ports on the main server forwarded to haproxy so I can test all aspects of host-header based routing. After some searching I found out that when I visit the header is set to
And this wasn't routed to the 'development' server. The production server is the 'default', so I searched for the right incantation to test the domain name part and found:
acl devsite hdr_dom(host) -i
And now it's a config that I can test on port 8080 and that will run on port 80 too. I like configurations that I can test before bringing them into production.

2017-12-28 Non-predictable interface names biting me
While doing some upgrades on the new homeserver I ran into a problem with the tun/tap network driver, which is needed for virtual machines, giving the error message
Dec 27 21:41:51 conway kernel: [  266.832675] tun: Unknown symbol dev_get_valid_name (err 0)
Since virtual machines are the main thing to run in this machine I needed this driver to work. Searching for solutions found the suggestion to reinstall the linux kernel image, which I did:
# apt-get install --reinstall linux-image-$(uname -r)
# apt-mark auto linux-image-$(uname -r)
After this the system came up fine, but seemingly without a network connection. This is irritating as the homeserver is in the attic and I found out the VGA screen up there does not cooperate with the new server. So another VGA screen got dragged up there to fix it.

Some searching later I found the eth2 and eth3 interfaces got swapped from what I expected. These are the two mainboard interfaces, both Intel interfaces but with different chipsets. There is a /etc/udev/rules.d/70-persistent-net.rules which sets this up but it isn't working at the moment:

In the system logs:
[    2.833442] udevd[542]: Error changing net interface name eth2 to eth3: File exists
[    2.834309] udevd[542]: could not rename interface '4' from 'eth2' to 'eth3': File exists
[    2.866356] udevd[538]: Error changing net interface name eth3 to eth2: File exists
[    2.868197] udevd[538]: could not rename interface '5' from 'eth3' to 'eth2': File exists
Maybe different names that don't start with eth will work better to get truly persistent names, as the current situation isn't very stable or reliable.

After all the work the tun/tap driver works again so the virtual machines now start fine.
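To make the failure visible, here is an added model (my own code, not from the post or from udev) of why the two renames block each other and how names outside the kernel's eth* namespace avoid the problem. The rules, MAC addresses and the lan prefix are constructed.

```python
import re

# Constructed rules in the shape of /etc/udev/rules.d/70-persistent-net.rules;
# the MAC addresses are made up.
RULES = """\
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="02:00:00:00:00:02", NAME="eth2"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="02:00:00:00:00:03", NAME="eth3"
"""
# Constructed boot-time state: the kernel probed the two onboard NICs in the
# other order, so the names it handed out are exactly the swap of what we want.
KERNEL_NAMES = {"02:00:00:00:00:02": "eth3", "02:00:00:00:00:03": "eth2"}

RULE_RE = re.compile(r'ATTR\{address\}=="([0-9a-f:]+)".*\bNAME="([^"]+)"', re.I)

def parse_rules(text):
    """Return {mac: wanted name} from persistent-net style rules."""
    wanted = {}
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            wanted[m.group(1).lower()] = m.group(2)
    return wanted

def rename_conflicts(kernel_names, wanted):
    """Simplified model of udev's rename: it fails with 'File exists' when the
    target name is still held by another interface. Returns the (current, wanted)
    pairs that cannot be renamed; a swap blocks both directions, as in the log."""
    held = {name: mac for mac, name in kernel_names.items()}
    conflicts = []
    for mac, new in wanted.items():
        cur = kernel_names[mac]
        if new != cur and held.get(new, mac) != mac:
            conflicts.append((cur, new))
    return sorted(conflicts)

def rename_rules_outside_eth(text, prefix="lan"):
    """Rewrite NAME="ethN" to NAME="<prefix>N". The kernel only hands out eth*
    names itself, so a name in another namespace is never already taken at boot."""
    return re.sub(r'NAME="eth(\d+)"', lambda m: 'NAME="%s%s"' % (prefix, m.group(1)), text)
```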

2017-12-27 The 10 meter band is alive the last few days 3 months ago
Yesterday on the 26th of December I saw FT8 activity on the 10 meter amateur radio band (28.0 MHz-29.7 MHz) and made a few contacts. Propagation dropped around 12:35 UTC after which I made one contact with a nearby amateur.

Today I spun the big dial on the radio to the 10 meter band after dark and made contacts (around 17:20 UTC). This is extra special as the maximum frequency at which propagation across the ionosphere occurs drops after the sun stops illuminating it and therefore the 10 meter band is the first band to drop after sunset.

All this was predicted: the most recent 'space weather news' had some good news for radio amateurs. Today I found an article The sun will probably knock out the grid someday | Popular Science which mentions the 'Space Weather Woman' Tamitha Skov and her youtube channel TamithaSkov. I have watched a few episodes and I read articles here and there with the predictions of solar flares and solar wind.

2017-12-26 Some extra noise in sshd attempts 3 months ago
This morning I noticed an amount of sshd noise in the log that was new to me:
Dec 26 01:55:43 server sshd[31415]: Bad protocol version identification '\200F\001\003\001' from
Dec 26 01:56:24 server sshd[31466]: Bad protocol version identification '\200F\001\003\001' from
Dec 26 01:56:53 server sshd[31475]: Bad protocol version identification '\200F\001\003\001' from
Dec 26 01:57:33 server sshd[31499]: Bad protocol version identification '\200F\001\003\001' from
Dec 26 01:58:17 server sshd[31691]: Bad protocol version identification '\200F\001\003\001' from
Dec 26 01:58:51 server sshd[31749]: Bad protocol version identification '\200F\001\003\001' from
Dec 26 01:59:32 server sshd[31773]: Bad protocol version identification '\200F\001\003\001' from
Dec 26 12:07:58 server sshd[16434]: Bad protocol version identification '\200F\001\003\001' from
Dec 26 12:08:55 server sshd[16687]: Bad protocol version identification '\200F\001\003\001' from
Dec 26 12:09:52 server sshd[16743]: Bad protocol version identification '\200F\001\003\001' from
Going on and on and on and..

So I looked it up and found How to block Bad protocol version? · Issue #1284 · fail2ban/fail2ban · GitHub which has a simple rule to block this with fail2ban. As soon as the sshd.local was loaded a block was set for
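As an added example (my own code, not the fail2ban rule from the linked issue), the detection side of this: parse such sshd lines, decode the escaped bytes to see what the clients were actually sending (the '\200F\001\003\001' above is an SSLv2-style TLS client hello aimed at port 22), and count hits per source the way a fail2ban jail would. The log lines and the RFC 5737 addresses in them are constructed.

```python
import re
from collections import Counter
# Constructed sshd log lines in the shape of the ones in the post; the source
# addresses are RFC 5737 documentation addresses, not the real ones.
SAMPLE_LOG = """\
Dec 26 01:55:43 server sshd[31415]: Bad protocol version identification '\\200F\\001\\003\\001' from 192.0.2.10
Dec 26 01:56:24 server sshd[31466]: Bad protocol version identification '\\200F\\001\\003\\001' from 192.0.2.10
Dec 26 01:56:53 server sshd[31475]: Bad protocol version identification '\\200F\\001\\003\\001' from 192.0.2.10
Dec 26 01:57:33 server sshd[31499]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.7
Dec 26 01:58:17 server sshd[31691]: Accepted publickey for koos from 203.0.113.5 port 40122 ssh2
"""
BAD_VERSION_RE = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<ident>.*)' from (?P<src>\S+)")

def decode_sshd_escapes(text):
    """sshd prints unprintable bytes as \\ooo octal escapes; turn the field back into bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in "01234567":
            j = i + 1
            while j < len(text) and j < i + 4 and text[j] in "01234567":
                j += 1
            out.append(int(text[i + 1:j], 8))
            i = j
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

def classify_ident(raw):
    """Name the protocol a client apparently spoke to the SSH port."""
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01 and raw[3] == 0x03:
        # SSLv2-style record header (high bit set, 2-byte length), message type 1 =
        # CLIENT-HELLO, then the offered SSL/TLS version 3.x: a TLS handshake on port 22.
        return "tls-client-hello (offered version 3.%d)" % raw[4]
    if raw.startswith((b"GET ", b"POST ")):
        return "http-request"
    return "unknown"

def scan_bad_versions(log_text, maxretry=3):
    """Return ([(source, classification), ...], [sources with >= maxretry hits]);
    the second list is what a fail2ban jail keyed on this message would ban."""
    hits, per_src = [], Counter()
    for line in log_text.splitlines():
        m = BAD_VERSION_RE.search(line)
        if m:
            hits.append((m.group("src"), classify_ident(decode_sshd_escapes(m.group("ident")))))
            per_src[m.group("src")] += 1
    return hits, sorted(src for src, n in per_src.items() if n >= maxretry)
```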
