News items for tag work - Koos van den Hout

For almost 20 years I was involved with the running of NTP time servers at work. But the hardware aged and my job is no longer in systems administration and not in the department actually housing the timeservers.

So, time to stop doing it. The pool ntp server has been retracted, DNS names removed and soon I will make one final trip to shut down hardware one last time and remove it from racks. The end for ntp.cs.uu.nl and others.

I still run an NTP server at home which is available in the IPv6 NTP pool. That server also compared itself to one of the servers at work so it has been reconfigured. I added a few upstream servers and made sure all of them are reachable via IPv6.

The log of NTP service at cs.uu.nl was kept, here is the final version:

Date	Event
8 Apr 2021	DNS names for ntp service at cs.uu.nl removed
2 Apr 2021	Announcement posted to system administration mailing list that ntp service at cs.uu.nl will stop
24 Sep 2014	A second stratum-1 ntp appliance is brought on-line, galileo.cs.uu.nl
28 Nov 2011	Fixed the networking for stardate, the full time lab is up and running.
23 Nov 2011	The antenna cable connectors are soldered on which results in a working setup after a few tries. Stardate is better at reporting the state of the power to the GPS antenna, but has no working network. Huygens has working network and serves time to metronoom.
22 Nov 2011	The server ntp.cs.uu.nl is active at its new IP. Our own GPS reference doesn't work yet: we still need to solder the right connectors on the antenna cable. The server is added to the ntp pool and traffic starts to flow a few hours later.
15 Nov 2011	The ntp servers are moved to their new location
14 Nov 2011	The ntp servers are switched off
13 Nov 2011	We retract ntp.cs.uu.nl at its current address from the pool because the serverroom will move physically, the ntp equipment will move to a different location and the IP will change to deal with the traffic better
18 Sep 2011	Stats for doei.cs.uu.nl, five years after withdrawing it from the ntp pool
19 Sep 2010	Stats for doei.cs.uu.nl, four years after withdrawing it from the ntp pool
4 Mar 2010	The turkish adsl provider ttnet falls off the Internet for a few hours, traffic falls from 2000 packets/second to 100 packets/second in that time
22 Jan 2010	We volunteer ntp.cs.uu.nl for the turkish part of the ntp pool. Traffic explodes, peaks over 5000 packets/second
18 Sep 2009	Stats for doei.cs.uu.nl, three years after withdrawing it from the ntp pool
28 Jul 2009	ntp.cs.uu.nl back at full speed in the ntp pool, firewall configuration fixed
15 Jul 2009	rear doors of racks closed again
2 Jul 2009 10:00	serverroom airco has problems with high temperatures (28-30 C), we open rear doors of racks which makes the temperature go down a bit in the racks but the airco still has hard work
Mar 2009	ntp.cs.uu.nl tuned down in the ntp pool to avoid firewall issue
18 Sep 2008	Stats for doei.cs.uu.nl, two years after withdrawing it from the ntp pool
17 Jan 2008	huygens.cs.uu.nl has a GPS reception failure, fixed with a software update
18 Sep 2007	Stats for doei.cs.uu.nl, a year after withdrawing it from the ntp pool
11 Mar 2007	airco failure serverroom
5 Mar 2007	all ntp servers moved to one rack close together for temperature stability
20 Jan 2007	airco failure serverroom
9 Jan 2007	huygens.cs.uu.nl added as stratum-1
23 Dec 2006	airco failure serverroom
29 Nov 2006	powerfailure in our building
1 Nov 2006	metronoom.dmz.cs.uu.nl takes over as ntp.cs.uu.nl and joins pool.ntp.org
~ 24 Oct 2006	antenna cable to stardate.cs.uu.nl reconnected
~ 6 Oct 2006	ntpd on stardate disabled: free running clock starts to differ too much from correct time
~ 25 Aug 2006	antenna cable from stardate.cs.uu.nl disconnected because of building and recabling activities
1 Aug 2006	doei.cs.uu.nl leaves pool.ntp.org
19 Aug 2003	doei.cs.uu.nl joins pool.ntp.org
10 Jan 1999	stardate.cs.uu.nl set up as stratum-1 with GPS time reference

I'm currently following the course The Best TLS and PKI Training Course in the World and learning even more about the workings of encryption, TLS and certificates.

One of the things I learned is to balance security with performance. And I directly used this new insight on my own webservers. The connection which brought you this page from https://idefix.net/ is still encrypted but I saved a few milliseconds on the encrypted setup by switching from a big (4096 bit) RSA private key to a 384 bit ECDSA key which are comparable in cryptographic strength. But the calculations with the ECDSA key are less CPU intense. And yes, I have statistics on page loading times before and after the changeover of the key.

It was a good moment to change private keys anyway, the old keys were more than a year old.

This is one of those areas where I like having my knowledge hands-on. Actually understanding what is happening and why.

At work there is a sort-of competition for the best christmas decorations in the office. At the end of last year I considered doing something with programmable LEDs to 'participate' in this competition in 2020.

This year turned out somewhat different, but slowly my son is also somewhat interested in electronics, soldering and making the computer do something.

So I set out to find fully programmable LED strips. I found a good comparison of LED strips in a Youtube video: LED Strips, what's the difference? WS2811, WS2812B, 2812Eco, WS2813, WS2815, SK6812, SK9822. which compares the several available types and their pros and cons. After viewing this video and for my limited experiment I thought the WS2812B based LED strip would be the best choice. The next hurdle was controlling it and I found Connect and Control WS2812 RGB LED Strips via Raspberry Pi which has pointers to the right code.

I am not following the advice on that page about working with mains power cables. That looks dangerous.

I ordered a WS2812B based LED strip and a matching power supply for 5V 40Watt from a Dutch webshop and got it in a few days later. I was amused by the warning the webshop gave that a LED strip like this is for advanced users only because you have to add a controlling device and do all the programming. That is exactly what I intended to do!

Programming is in Python3, and I haven't written any Python code before. But with a lot of google searches and looking at samples I got the idea right.

I now have the LED strip blinking in exactly the patterns I want, including a nice pattern for a christmas tree. And it blinks 'MERRY CHRISTMAS' in morse code, because why not!

An interesting bit of news: SSH client gets patched after RSA key exchange memory vuln spotted.

The fixes implemented on PuTTY over the weekend include new features plugging a plethora of vulns in the Telnet and SSH client, most of which were uncovered as part of an EU-sponsored HackerOne bug bounty.

Get your updated putty at the PuTTY download page.

Update: Interesting visual change in putty: informational lines from the client are now prefixed by a putty logo. This could make it harder to mislead the user in certain attacks.

This morning I was looking on shodan for open remote desktop servers in the work network since RDP was mentioned as an attack vector in the latest GANDCRAP ransomware.

Searching for '3389' on shodan found something completely different: an open industrial control system (ICS) for tankstation gauges.

IN-TANK VOORRAAD        

TANK PRODUCT             VOLUME TC VOLUME   VULVOL   HOOGTE    WATER     TEMP
  1  UL 98                 9757      9693    10283    939.2      0.0    20.09
  2  EURO                 2...

According to The Internet of Gas Station Tank Gauges -- Take #2 - Rapid7 this was already a reported issue in January 2015 and according to their research it may be possible to do bad things with this access.

The above is from a gas station I can find on google maps.

Oh I found the way to search for open remote desktop servers on shodan: port:3389.

The work laptop is now "upgraded" to Windows 10. I wasn't sure about it as I saw Windows 7 as less annoying but it's the corporate choice.

And after I changed the password for my eduroam wifi-account it just gives an error and does not connect to the wireless network. The obvious choice to show the option to enter a new password does not pop up (unlike Android which came with that suggestion right away). Even the "network troubleshooter" doesn't come with the source of the connection problem let alone the obvious solution.

The Windows 10 "solution" is to just forget the network and discover it again. I'm glad this isn't a network where I need special options and a certificate to log in.

Since activating sendmail authentication with secondary passwords I see a number of attempts to guess credentials to send mail via my system. This is not very surprising, given the constant attack levels on the wider Internet.

For work I am looking at log correlation and monitoring and with that in mind I noted that finding the right information from sendmail where and when the attempt came from is quite hard since there are several processes busy and it's hard to correlate the logging. The failed attempt is logged by saslauthd in /var/log/auth.log:

Aug 16 12:28:57 greenblatt saslauthd[32648]: pam_unix(smtp:auth): check pass; user unknown
Aug 16 12:28:57 greenblatt saslauthd[32648]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 16 12:28:59 greenblatt saslauthd[32648]: do_auth         : auth failure: [user=monster] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Aug 16 12:29:00 greenblatt saslauthd[32649]: pam_unix(smtp:auth): check pass; user unknown
Aug 16 12:29:00 greenblatt saslauthd[32649]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 16 12:29:02 greenblatt saslauthd[32649]: do_auth         : auth failure: [user=monster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

This is probably related to this sendmail log information:

Aug 16 12:28:56 greenblatt sm-mta[20716]: STARTTLS=server, relay=62.82.128.182.static.user.indesat.com [62.82.128.182] (may be forged), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Aug 16 12:29:02 greenblatt sm-mta[20716]: w7GASspx020716: 62.82.128.182.static.user.indesat.com [62.82.128.182] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v6

But I can't be sure as there are multiple 'did not issue MAIL/EXPN/VRFY/ETRN' messages in the logs. So I can't build a fail2ban rule based on this.

At work we (indirectly) get the scanning results from Shadowserver which now includes open VNC servers which is yet another service we don't really want left open to the Internet in general. A few were found which are now actively chased after to get them firewalled/disabled.

I really like the concept of shadowserver. ISPs that want the information can get full overviews of insecure services and botnet activity on their network. A full overview of what shadowserver looks for can be found at The scannings will continue until the Internet improves - Shadowserver.

Ever since I upgraded VirtualBox to a version 5 on my work laptop I can't start virtual machines which want to use the VirtualBox host-only network. For some communication I'd like to use that host-only network. Diving deep into the possible reasons found me VirtualBox can't find host-only adapters on Windows 10 which tells:

Oh and please double check that when you go to "Network Connections" and open the Properties dialog of the "VirtualBox Host-Only Network" connection, you see "VirtualBox NDIS6 Bridged Networking Driver" in the "This connection uses the following items" list.

This is indeed the case on my work laptop, and the use of the NDIS6 driver is an upgrade compared to VirtualBox 4. But I know the windows policy at work includes "you cannot use bridged networking" so I think I found the reason.

So now the solution is to use the main NAT network device. I was using the host-only network for some communication between the virtual machine and the host system or other virtual machines which should not be influenced by the 'outside world'. Now I seem to be using NAT as a firewall for that, which is wrong.

After taking the course in April and doing the exam in June I am now a Certified Information Systems Security Professional. As part of my job in computer security it is good to have this knowledge, it really helps me understand things.