News items for tag english - Koos van den Hout

2019-11-21 First setup of the remoterig interfaces 1 month ago
The remoterig set I ordered arrived.

At first I found the box somewhat empty: no manuals. But the entire manual can be found on-line: User manuals - RemoteRig. The manual is about 200 pages so printing it would be a bad idea. The remoterig site is somewhat slow so I downloaded the PDF manual to my computer.

Most of the setup is done via a webinterface, but the initial network setup needs either the right IP addresses hardcoded or a USB connection and the Microbit setup software which is only available for Windows. I did try to see whether one of the four com-ports via USB that showed up would allow me to do a minimal setup via a terminal program but that wasn't true. So I booted Windows to change the units to DHCP. For the radio-side I made an address allocation in the DHCP server, for the client side it is fine to have any usable address.

And for my next minor issue: they only use IPv4. So my inner linux and networking geek is a bit dissapointed, but my inner radio geek will do just fine.

After that bit I went back to Linux, the rest of the software setup is via a webbrowser. For the hardware setup, which is how it connects to the radio (which pin has audio, which pin has power) it needs a number of internal jumpers and jumper wires connected.

Tags: , , ,
2019-11-17 Pointing the Arrow antenna at SO-50 again 2 months ago
HF propagation has been really bad the last weeks. At least on the moments I had time to look at the radio. The maximum usable frequency was dropping below 14 MHz as soon as it started getting dark. This means that I can only make contacts on the lowest band (40 meters) with the endfed antenna set up outside and the experience from earlier weekends was that it was still a lot of work to get contacts on FT8.

So this weekend I did some 2 meter FT8 and made contacts with some new call signs. I was lucky: the 2 meter interference stopped after dark. My computer decoded one Danish callsign but I wasn't near it at that moment.

And I tried a pass of the SO-50 satellite. A pure southwest-northeast pas was coming up at the start of the evening, so I planned to be outside in the cold with antenna and handheld radio. I was hoping to get some country to the south of me in the log, but I ended up with a southeasterly contact: Croatia. I heard 9A2EY in a contact so I called him and made the contact.

Tags: , ,
2019-11-15 Suricata IDS showing amusing results 2 months ago
Some things noticed by Suricata IDS are amusing to me. When looking at lines like:
11/15/2019-13:14:35.001691  [**] [1:2402000:5363] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} ->
11/15/2019-13:15:06.794357  [**] [1:2402000:5363] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} ->
11/15/2019-13:15:06.794357  [**] [1:2403384:53195] ET CINS Active Threat Intelligence Poor Reputation IP group 85 [**] [Classification: Misc Attack] [Priority: 2] {TCP} ->
11/15/2019-13:15:20.065796  [**] [1:2403393:53195] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {UDP} ->
11/15/2019-13:15:32.845110  [**] [1:2402000:5363] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} ->
11/15/2019-13:16:23.399397  [**] [1:2402000:5363] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} ->
All 'Dshield Block Listed' and 'Poor Reputation IP' traffic is port scans to ports that are blocked. So it's not a surprise those IPs have a poor reputation or a Dshield listing.

Tags: ,
2019-11-13 Trying Suricata intrusion detection system (IDS) 2 months ago
After hearing about intrusion detection systems a few times I decided to give one a try at home. Although a lot of attacks are blocked I sometimes see weird attacks and it would be nice to have a better idea of what exactly the attack was.

Yes, I have weird interests sometimes. I'm glad I have an ISP (xs4all) where I can select the option 'give me the completely unfiltered Internet connection' so I even see SMB protocol attempts.

I first tried 'snort' but that doesn't deal with PPP interfaces by default. It can be recompiled to accept those but I did not want that. The next option I heard about is 'Suricata' which is running at the moment.

I was amused by the reports of DDoS-like NTP traffic. Those are caused by the NTP statistics gathering. I know NTP can be abused for generating DDoS traffic but all security reports about NTP servers I manage have been false positives.

Anyway it's running and complaining a lot about the traffic it sees. For example the IPv6 port scan/network mapping attempts I noticed two months ago are still active.
11/13/2019-15:06:59.703451  [**] [1:2002911:6] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 240e:00f7:4f01:000c:0000:0000:0000:0003:6050 -> 2001:0980:14ca:0001:020d:56ff:fece:ffe1:5901
11/13/2019-15:08:39.645780  [**] [1:2002911:6] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 240e:00f7:4f01:000c:0000:0000:0000:0003:5167 -> 2001:0980:14ca:0001:020d:56ff:fece:ffe6:5901

Tags: , ,
2019-11-13 More investment in remote HF operation 2 months ago
So the order for the remoterig duo to work on my remote HF operation plans is out the door. I ordered them with HamShop to get Dutch warranty rules.

I also ordered some other stuff from Conrad to be able to get everything cabled correctly. I may have missed something but I hope to have enough to get going and be able to have frontpanel and main radio hardware separated by Internet.

Tags: , ,
2019-11-06 Tested and attached wires to the new 12V powersupply 2 months ago
Powersupply with wires attached
Powersupply with wires attached
I had time to do some soldering and I tested and wired the 12V server powersupply I bought last Saturday at the "Dag van de Radioamateur" ham convention.

The powersupply that I bought is an HP DPS-800GB A and it already had two wires to make it start up when input voltage is applied. I just soldered thick wires to the output terminals so I can connect it to the HF amplifier. Unlike the previous HP DPS-700 powersupply this one has two builtin fans so it won't overheat.

Time to test it with the HF amplifier is this weekend. I'll test the output power with the current output voltage left as-is. It's currently at 12.2 Volt when no load is applied. There are simple modifications to raise the voltage as described by Server supply DPS-800GB - PA0FRI.

Update: After some testing it's clear there are two problems: the output voltage of this power supply does not get very high before it switches off. About 13 volts. At that voltage the output power of the HF amplifier is limited. And when using the external amplifier I had a lot of problem with the connection between the computer and the radio. As soon as I started transmitting the computer started giving error messages about the communication with the radio.

So back to just the radio and its output power at the moment.

Tags: , ,
2019-11-02 I visited the "Dag van de radio amateur" (DvdRA) ham convention 2 months ago
Today was the Dag voor de Radioamateur edition 2019, and I went there.

My main todo item was to deliver outgoing qsl cards to the Dutch QSL bureau and pick up the new ones for Region 08. So I walked in with a big shopping bag and after visiting the Dutch QSL bureau market stall I returned to the car right away with a new box full of cards. After that I walked in again and started looking around. I was looking for certain parts I needed recently such as RCA connectors, 2.5 mm stereo jack connectors. I also had some specific things in mind such as a newer high amperage 12V supply because the previous server power supply smoked itself and an antennaswitch and serial connectors for remote HF operation which I found. I found no USBaudio and USBserial interfaces so those will be picked up in the next electronics web order.

I attended a lecture on the QO-100 amateur satellite and the story behind the Patch of the Year antenna co-developed by Remco PA3FYM.

I also met a lot of amateur radio friends, more than I expected!

Tags: , ,
2019-10-28 TCP reflective SYNs: blocking by the /24 2 months ago
It seems the TCP reflective SYN attacks are continuing. In researching my options I saw the option to use a netmask with the iptables recent module.

This helps a bit with the attacks trying to flood an entire block. I've updated the filtering to work by the /24, start a check on a SYN from such a block, end when an ACK flies by and start dropping when the rate is over 10 per 2 minutes.
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN -m recent --update --seconds 120 --hitcount 10 --name tcpsyn --mask --rsource -j LOGDROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN -m recent --set --name tcpsyn --mask --rsource
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK ACK -m recent --remove --name tcpsyn --mask --rsource
LOGDROP is a rule to drop packets and ratelimit the logging of dropped packets, to avoid turning a network attack into a disk attack.

But I have to be careful not to make services hard to reach for legitimate clients. The above is working, and during attacks I don't see a single SYN_RECV socket.

Tags: ,
2019-10-27 Attempts to hack digital video recorders over http via the nntp port 2 months ago
Sometimes you really wonder about the amount of errors made by noisy attacks. I noticed the following pattern in the system logs:
nnrpd[7029]: unrecognized Accept-Encoding: identity
nnrpd[7029]: unrecognized Content-Length: 586
nnrpd[7029]: unrecognized Accept-Language: en-us
nnrpd[7029]: unrecognized Host:
nnrpd[7029]: unrecognized Accept: */*
nnrpd[7029]: unrecognized User-Agent: ApiTool
nnrpd[7029]: unrecognized Connection: close
nnrpd[7029]: unrecognized Cache-Control: max-age=0
nnrpd[7029]: unrecognized Content-Type: text/xml
nnrpd[7029]: unrecognized Authorization: Basic YWRtaW46ezEyMjEzQkQ...
With some searching I eventually found exploit code for certain series of digital video recorders which can be anywhere on the wide Internet.

The whole protocol mismatch makes this a lot noisier via the nntp port than via http, but I also see some attempts via the http port.

Update: Suricata doesn't recognize the specific attack, but it does notice the HTTP basic auth in the traffic:
11/13/2019-20:12:33.772828  [**] [1:2006402:11] ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} ->

Tags: ,
2019-10-25 Slow(ish) syn floods getting more complicated to filter 2 months ago
Cybercriminal I'm seeing lots of sockets in state SYN_RECV again and noticed this time my earlier iptables rules to not respond to tcp syn packets that don't build up a connection aren't working. Between two syn packets from the same source there is 5 minutes, so my system responds to all of them. Ranges of addresses in the same block are used as source IPv4 addresses. For one address the traffic is very minimal:
22:40:51.600077 IP > Flags [S], seq 720891004, win 29200, length 0
22:40:51.600392 IP > Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:40:52.612035 IP > Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:40:54.628048 IP > Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:40:58.660031 IP > Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:41:06.851865 IP > Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:41:22.980000 IP > Flags [S.], seq 1729897232, ack 720891005, win 29200, options [mss 1460], length 0
22:45:18.565999 IP > Flags [S], seq 910623633, win 29200, length 0
22:45:18.566415 IP > Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
22:45:19.588000 IP > Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
22:45:21.604022 IP > Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
22:45:25.667936 IP > Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
22:45:33.860000 IP > Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
22:45:49.987965 IP > Flags [S.], seq 3977721413, ack 910623634, win 29200, options [mss 1460], length 0
But multiply this with several source IPs in the same IPv4 /24 block and a lot of open servers in the world and suddenly you get a lot of return traffic.

Tags: , ,
2019-10-20 Restored the webcam site and archives 3 months ago
I was looking at the overview of most requested but not available URLs and noticed there is still traffic to For years that was the webcam site when I still had access to a reasonable location for putting up a webcam. First a good view at my previous house, and later a window with a good view from a server room at work.

So I dug up the archived images and scripts, cleaned them up and made them available again. There are no fresh images, just the aged archives.

Tags: , , ,
2019-10-17 Tested incremental DNSSEC signing 3 months ago
I noticed some really unused records in one zone which is now DNSSEC signed. For example I still had to point at my Google+ page.

So I removed them and did the signing after increasing the serial number. Indeed the records that had no update kept their original signature and the records that where changed (such as the SOA because of the serial number) were signed with new signatures.

Tags: , ,
2019-10-16 The signatures for the first DNSSEC signed zone expired, and I signed the rest 3 months ago
Today I was reminded of the first zone I signed with DNSSEC and did the check again with DNSViz. And I saw a lot of error messages. Some searching found that I let all the signatures expire (after the default time of 30 days).

Solution: re-sign the zone and have a careful look at when I need to sign the zones again. Officially just in time for expiry time of the signature (default 30 days) minus TTL of the record.

Obviously this process has to be automated. In the first go I decided to force new signatures after 21 days. But I tested some things later and decided to go for more regular checks of the ages of the signatures and refresh the signatures that are about to expire. This is usually reserved for 'big' zones with lots of resolvers querying them but I decided to implement this myself to avoid problems, and learn more about DNSSEC.

The magic signing command is now:
    named-checkzone $* $^
    ./ $^
    dnssec-signzone -S -K /etc/bind/keys -g -a -r /dev/random -D -S -e +2592000 -i 604800 -j 86400 -o $* $^
    rndc reload $*
    touch $@
The expiry is set with -e at 30 days, the checkinterval with -i at 7 days and the jitter factor with -j at 1 day.

Now there is a special part in the Makefile to be called from cron on a regular basis. It won't produce any output when there is nothing to update.
    @for zone in $(SIGNEDZONES); do if [ `find $${zone}-signedserial -mtime +7 -print` ]; then touch $${zone}-zone ; $(MAKE) --no-print-directory $${zone}-signedserial; fi ;done
The Make variable SIGNEDZONES is filled with the zonenames of the zones that have to be kept DNSSEC signed. File structure for each forward zone is as listed in first zone with valid DNSSEC signatures.

So now almost all my domains are DNSSEC signed. A learning experience and a good level of security.

Tags: , , ,
2019-10-14 Sharing some of my CQRLOG scripts 3 months ago
Since January 2015 I've been using CQRLOG as the main amateur radio logging program. So each contact that I make ends up in the databases of this program eventually.

Being the person I am I added some scripts of my own to export data from CQRLOG to the PE4KH amateur radio station website in several formats.

I've made a few of these scripts available for the public via KHoos/CQRLOG-scripts: A collection of scripts around the CQRLOG amateur radio logging software on github. I've set the license to GPLv2, but I may have to change this as one script contains a lot of imported code.

Anyway, share and enjoy. Maybe these are of use to someone. Or someone adds the enhancements I've been thinking about but never got around to.

Tags: ,
2019-10-11 Slow(ish) syn floods probably targetting Maltese Casino websites 3 months ago
Cybercriminal While looking at some network issues at home I noticed some weird traffic coming in from the outside: forged SYN traffic. Fast enough to trigger my iptables rules to stop being part of tcp syn attacks so all traffic gets dropped. Searching for a bit finds Hell of a Handshake: Abusing TCP forReflective Amplification DDoS Attacks - usenix which discusses this kind of attack.

At the moment it's about 1 or 2 packets per second. The traffic itself isn't notable on my connection and even without the firewall rules it still wouldn't impact my system. But do this with a lot of systems on the Internet running some tcp service and quite some traffic will go to the targeted IP address.

I guess someone doesn't like some Maltese Casino website. I don't like casino websites either because they promote addictive behaviour but I'm not about to use a DDoS.

Tags: ,
2019-10-06 A new HF radio, with plans for remote operation 3 months ago
The last years I've been dealing with increasing levels of interference on the HF bands at home. One clear source is the rising numbers of solar panel installations, with a clear difference between hiring the cheapest installer versus hiring a good installer but paying more.

I don't want to start discussions with all neighbours about their solar installation and the latest news seems to be that the Dutch telecoms regulator takes the stance of solar panels being needed for our economy so radio amateurs have to accept the interference.

Moving house is not in our plans for the coming years so I started reading about the options for remote operations, where I can sit at home with the microphone and morse key looking at the display of the radio and hearing the audio while the receiving/sending part is at a remote site with a lot less interference.

I found out about RemoteRig which does just that, and with the right choice of radio allows complete remote operation over the Internet. With their offering I started looking at compatible HF radios and found a nice secondhand Kenwood TS-480SAT. This radio has better filtering options for SSB and morse than my Yaesu FT-857D.

The radio is now at home and I made the first few SSB contacts with it. The filtering already helped me understand stations better.

Now for the next steps, cables, remoterig units and other things. And a remote location. I have an offer from a fellow radio amateur to do the first tests at his house. When all that works out I'll go and find a nearby location to do the complete installation.

Tags: , ,
2019-09-27 SSH user names are not very creative 3 months ago
A search for the top 10 tried usernames for ssh gives a nice list:
     52 admin
     23 pi
     19 test
      7 oracle
      6 support
      6 nagios
      5 user
      5 ubnt
      4 ftpuser
      3 virtualbookcase

Tags: ,
2019-09-22 First morse contact, trying FT4 for the first time and participating in the BARTG Sprint75 contest 3 months ago
This weekend is the BARTG Sprint75 RTTY contest. I set up my endfed antenna on Friday evening. On Friday I listened around the band for any morse special event stations and found LZ304EW active. The station was calling with a morse speed of about 21 words per minute and I answered my callsign with 12 words per minute. And no, I can't decode morse at 21 words per minute, I used the computer (fldigi) to help me decode the morse and the nanoKeyer to help me send my callsign and the 5nn TU 73 to finish the 'contact'. I felt secure enough in hearing my own callsign in morse to be able to do this.

Most of Saturday I made a number of FT8 contacts all over Europe. Nothing really exciting, just trying to get a number of new calls in the log. I think I saw some new gridsquares.

The planned amateur radio activity was the British Amateur Radio Teledata Group Sprint75 contest on Sunday evening (17:00 utc to 20:59 utc which is 19:00 - 22:59 local time). I set up the radio Sunday afternoon and listened on 14.080 MHz, which is the default frequency for RTTY on the 20 meter band for as far as I know. I saw different signals, which turned out to be FT4 signals, the relatively new mode in WSJT-X. It's been around for a while, I just never got around to playing with it.

So I started WSJT-X and tried FT4. I made three contacts, one with an amateur in England, one with 4S6NCH in Sri Lanka which is a new country for me, and one with an amateur in India, which was a new 20 meter country for me. Not bad for trying a mode for the first time.

After dinner it was time for the contest and that was a misery. I made 17 contacts in total, 4 on the 20 meter band and 13 on the 40 meter band. Propagation was not cooperating at all, mostly just giving noise and sometimes signals faded in and I had to work hard to get a contact.

Update: The bartg sprint75 rtty contest was a weekend earlier! Only when I tried to submit my results and the website told me all my contacts were outside of the contest timeframe I noticed my error. I guess some more radio amateurs had the wrong date as I have seen 'CQ BART SPRINT75' calls. And 75 baud RTTY mode is also rare. I notified the BARTG contest manageress to let her know. Not to complain since it was my error, but to make her aware of the problem.

Tags: , ,
2019-09-19 Real IPv6 port scan/network mapping attempts 4 months ago
I noticed some interesting traffic in my home network this morning, an attempt at finding IPv6 systems. Since IPv6 privacy enhancements are enabled on most systems this is exactly like finding a needle in a haystack.

I noticed an amount of outgoing icmpv6 traffic, and looking at the destination addresses and the type of traffic found lots of 'unreachable route' messages to a few Chinese IPv6 addresses. Searching for the netblock '240e:f7:4f01:c' finds more reports of portscanning activity.
10:14:27.761704 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.12980 > 2001:980:14ca:1:5054:ff:feae:17.902: Flags [S], cksum 0xd0a9 (correct), seq 3726392987, win 29200, options [mss 1460], length 0
10:14:28.278108 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.19933 > 2001:980:14ca:1:5054:ff:feae:8003.12587: Flags [S], cksum 0xe1cc (correct), seq 95632679, win 29200, options [mss 1460], length 0
10:14:29.219766 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.41487 > 2001:980:14ca:1:5054:ff:feae:fff2.902: Flags [S], cksum 0x3c31 (correct), seq 500442149, win 29200, options [mss 1460], length 0
10:14:33.637405 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.35832 > 2001:980:14ca:1:5054:ff:feae:15.902: Flags [S], cksum 0xa6ea (correct), seq 2324914849, win 29200, options [mss 1460], length 0
10:14:34.468975 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.12470 > 2001:980:14ca:42::ffe8.16992: Flags [S], cksum 0x5a72 (correct), seq 3249792078, win 29200, options [mss 1460], length 0
10:14:34.469038 IP6 (flowlabel 0x63971, hlim 64, next-header ICMPv6 (58) payload length: 72) 2001:980:14ca:61::13 > 240e:f7:4f01:c::3: [icmp6 sum ok] ICMP6, destination unreachable, unreachable route 2001:980:14ca:42::ffe8
10:14:35.230776 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.63145 > 2001:980:14ca:1:20d:56ff:fece:8006.19: Flags [S], cksum 0xb87b (correct), seq 4259180220, win 29200, options [mss 1460], length 0
10:14:35.952841 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.9056 > 2001:980:14ca:42::8013.16992: Flags [S], cksum 0xbb3b (correct), seq 2896438720, win 29200, options [mss 1460], length 0
10:14:35.952880 IP6 (flowlabel 0x63971, hlim 64, next-header ICMPv6 (58) payload length: 72) 2001:980:14ca:61::13 > 240e:f7:4f01:c::3: [icmp6 sum ok] ICMP6, destination unreachable, unreachable route 2001:980:14ca:42::8013

Tags: , ,
2019-09-14 The nanoKeyer morse keyer in its case 4 months ago
The nanoKeyer morsekeyer in case with paddles
The nanoKeyer morsekeyer in case
I found help at the radio club, Kees PA5Z made his metalworking skills available and now the nanoKeyer has a nice case and works fine in it.

Tags: , ,
⇐ Newer news items for tag english  Older news items for tag english ⇒
, reachable as PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews