Steam on debian stable 64bit

Carol Beer little britain says computer said no

I changed my distro from testing to debian stable [jessie] (my blog). Some months later i decide to reinstall steam (my blog) and find that i cannot make the dependencies.

It appears i will not be installing steam without enabling i386 architecture support.

Argh! It is installable, just a pain to install, although some features are yet to make it into linux.  More on steam in the future.

Symantec leaves the ssl market

mafia run the british red cross

Symantec, i read, have sold their ssl interests after fucking up ssl (tls) certs with the green bars.  Quite how these security geniuses ended up in such a state is noteworthy but probably leaves many of you with bad unverified certificates from them and their brands that will stop working.

This has happened before (my blog) so size is no guarantee of administration.  Oddly these are the same people who complain bitterly about others and not their own behaviour in the past.

I do not have any Symantec brands of tls but i do not want any of their products in the zoo.

It feels like money trumps integrity.   Most of us do tls once and never have to worry about it for a year or so but Symantec have other plans for you.

mailgraph and logwatch reporting curiosities with postmulti and some regex’es for fun.

The zoo’s mailgraph charts are not working and i have mentioned it before (my blog).

So after changing our /etc/postfix instance (we have more better instances) for a new feature to allow outbound internet mail to be sent to an address the charts began to show only that traffic.  Bounces also appear to work (not shown).

Spam and viruses as defined by amavis do work but the received email from those other postfix instances is still not being recognised even with explicit syslog statements in the main.cf file.

So something is off

Reading the charts could give you the impression that despite receiving email the chart does not graph but we appear to send out spam and viruses and blocked.  The bounces were something i induced and could have been dmarc related too as many dmarc reporters have problems clearing their gmail inbox.

It is a good reminder that badly made statistics may look interesting but do not reflect reality.

The logwatch config files /usr/share/logwatch/default.conf/services/postfix.conf are written as perl and at this point are beyond my comprehension

*OnlyService = "(?:post(?:fix|grey|fwd|fix-1|fix2|fix-0|fix-3|policyd-spf)(?:/[-\w]*)?"
$postfix_Syslog_Name = "(?:post(?:fix|grey|fwd)|policyd-spf)"
# POSTMULTI NOT WORK *OnlyService = "postfix\d?/[-a-zA-Z\d]*"
#$postfix_Syslog_Name = "postfix\d?"

My changes are in bold. That does not work. /etc/postfix-1 etc is how postmulti expects its managed instances to be located (my blog).

A few days pass and with the help of a pcre debugger [https://regex101.com/] i find that

$postfix_Syslog_Name = "postfix/[\w]*"
*OnlyService = "(:postfix-1/|postfix-2/|postfix-3/|postfix-4/|policyd-spf|postfix/|post-grey|post-fwd)(?:[-\w]*)?"

Provides output from postmulti instances as well as the /etc/postfix daemon.  I might not need that last postfix on the third line but completist me thought it worth specifying.

post-fwd and post-grey are not used here in the zoo, we use postscreen.  The spf log part of the section is a little unwieldy but that always was and i could turn it off.

I find with postmulti reporting that “postfix/lmtp” is best stated as “lmtp” if grepping unless you want to add extra grep lines to your cron jobs.

So charts are still a bit messed up.   Not the end of the world although i have cron jobs that grep for connections and sasl abusers so between the broken things and our existing zoo cron jobs we keep on top of what postfix is having to deal with.

A work in progress: mailgraph requires that the /usr/sbin/mailgraph file be changed for postmulti.

I seemed to have some luck and you can see the switch on since the data before was sent from a non internet postfix host denoted by green and red suddenly appearing.

I changed the line for postfix (a regex again) from

if($prog =~ /^postfix\/(.*)/) {

to

if($prog =~ /:postfix|postfix-1\/(.*)|postfix-2\/(.*)|postfix-3\/(.*)|postfix-4\/(.*)/) {

Which is not very maintainable and a bit of a bodge job but gets the regex working for more than one instance.  If that reflects reality or not i will have to check with logwatch reporting, although with postfix dropping more bad connections earlier (my blog) it feels right, so the charts now ignore a large quantity of data of bad smtp clients say.

106 Reject by IP --------
 3 49.213.57.100 unknown
 3 103.241.75.75 unknown

So mailgraph and postfix seem now not to count certain items compared to before the upgrade.  So that regex might see an edit.

Mailgraph was and then was not working i was unsure of my efforts – another regex to adjust

I eventually found

/postfix-1\/(.*)|postfix-2\/(.*)|postfix-3\/(.*)|postfix-4\/(.*)|postfix/

Appears to show green / blue and red postfix lines
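An added example, not part of mailgraph or the original post: it runs the alternation above and a single-group pattern over constructed program names to show which capture group the daemon name lands in. It assumes the code after the match reads the daemon name from $1; the `$single` pattern and the `daemon_from` helper are hypothetical names used only here.

```perl
#!/usr/bin/perl
# Added example, not mailgraph's own code.
# Assumption: the caller takes the daemon name (smtpd, smtp, ...) from $1.
use strict;
use warnings;

# Constructed syslog program fields as postmulti instances log them.
my @progs = qw(
    postfix/smtpd
    postfix-1/smtpd
    postfix-2/smtp
    postfix-3/cleanup
    postfix-4/lmtp
    postfix-12/smtpd
    amavis
);

# Pattern from the post. Each alternative has its own group, so the daemon
# name is in $1 only for postfix-1; postfix-2..4 fill $2..$4, and the bare
# "postfix" alternative captures nothing.
my $alternation =
    qr/postfix-1\/(.*)|postfix-2\/(.*)|postfix-3\/(.*)|postfix-4\/(.*)|postfix/;

# Hypothetical replacement: anchored, optional "-N" instance suffix, and a
# single group, so the daemon name is always in $1 for any instance number.
my $single = qr/^postfix(?:-\d+)?\/(.*)/;

# Return what code reading only $1 would see, or undef when there is no match.
sub daemon_from {
    my ($re, $prog) = @_;
    return unless $prog =~ $re;
    return $1;
}

for my $prog (@progs) {
    my $alt = daemon_from($alternation, $prog);
    my $one = daemon_from($single, $prog);
    printf "%-18s alternation=%-9s single=%s\n",
        $prog, $alt // '(undef)', $one // '(undef)';
}
```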

Fail2ban also seems to need some help – although it seems it will not trip with rate throttling controls in my experience, although the odd prober does try. An extract from logwatch:

smtp
10 AUTH command rate
10 110.175.112.118 110-175-112-118.tpgi.com.au
1 Connection rate
1 110.175.112.118 110-175-112-118.tpgi.com.au

Perhaps fail2ban’s postfix jails are redundant with the rate limiting feature in newer postfix. Not that fail2ban tripped that often with our non postmulti config.

As most of our email traffic is using tls (dane – my blog) (or trying to) i somehow think mailgraph's use out of the box does not reflect reality with the rate controls, bad clients getting ignored and tls traffic not shown, so i suppose this graph shows genuine email traffic rather than all port 25 attempts.

hp ‘instant’ e-ink

Have you played the overpriced ink game?

Well it seemed an idea worth a test with the new printer (my blog), after all the low quantity hp inks will need replacing sooner rather than later and with heavy document printing in the month it was bought and with some months free it's worth at least £26*.  Either way the zoo would have had to buy ink for a printer unless you collect printers that cannot print.

The instant ink wording is not nice – go over and charges are soon incurred so it probably is not for heavy users (300 pages a month), not that i or the zoo care if the ink is genuine or not (my blog).  Let's face facts, even you do not care about retail packaging – you just want ink, not coloured cardboard packaging designed for a retailer's point of sale displays.

The assumption here is that it theoretically brings down the cost of printing to what we would pay anyhow with non hp ink which is available for the printer.  Savings of 30% are reduced to 10% if you switch benchmarks and use the guide price of non hp ink which is what i did as i am just that sort of ape.    I wrote a spreadsheet so i have a fair idea – if i can ‘profit’ by comparing it to compatible ink then that seems a more reasonable comparison rather than just to hp ink

Duplex printing is accounted as two sheets, as to whether your printing is all colour, or mostly black and white is not a distinction made.  The control panel is not part of hplip the linux driver and separate so another printer is something i am going to keep working and will purchase ink for it outright opposed to ‘renting’ pages.

Do these cartridges last longer than the retail ones ? no idea so far but expect a six day post delay from hp when sending ink – as hp supplied the starter inks and it was government form printing month here in the zoo perhaps instant ink is not as instant. A first impression although ink levels appear ok after minimal printing after those large government documents.

It is nice to have a printer that prints rather than jams so that is another interesting issue as to how jammed pages are charged for.

The delivery of replacement inks is not particularly fast but they also supply recycling envelopes which shows that non genuine ink suppliers have taught hp a thing or two.

The ink cartridges are longer than standard ones, if a standard one looks like a van these look like an hgv, however the basic hp supplied black ink crapped out at 89 pages. hp instant ink registers as that rather than hp ink.  The ink sensor did not detect that there was no black ink left – that's one failing hp have still yet to get right.

I had to replace one starter ink with the hgv sized ‘instant’ ink.  It appears that the mandatory test sheet for the scanner to verify the ink cartridge is counted as a paid sheet even though you did not desire to print it, however i recorded it as a charge and then a few days later the counter was less one page. Non printed output is still charged despite the printer not printing the output correctly – something to be careful of.

I have more questions than answers, i imagine that print head cleaning is a costly business with e-ink and not recommended. A long term factor that will prove bad on the economics of instant ink. So i will return to this topic and bore you further! What exciting stuff.

As mentioned I still use a non instant ink laser printer for black and white things where the zoo pays £12 a cartridge.  HP charges £60 for a 1500 page unit.  You may see why i still compare non hp ink with instant ink despite the unfairness of the bigger size which is like comparing apples with oranges.

Only a fool would use hp sticker prices and i do not like to be called one of those.

Since i took the screenshot – instant ink has had a website ‘redesign’ which sucks imho.

If you are still awake after reading all that well done your prize is a banana skin which you can collect from the zoo.

*more if you use hp sticker prices – a month is classed as 30 days it appears

 

 

Is sogo opensource ?

I have a small interest in supporting one mobile phone via some kind of webmail and Sogo (my blog) is your horse for that. Alas in Jessie i was i386, no joy there. In Stretch (debian) things went amd64 bit and to my surprise i found a deb that could install.  It felt too easy but….

Having found most of the config files i then wondered about the database schema and found no files to create the sogo tables*.

Sisyphus is still a role model

There do exist update files for schema for crap mysql and the amazing postgres

ls so/sql*
so/sql-update-1.2.2_to_1.3.0-mysql.sh
so/sql-update-1.2.2_to_1.3.0.sh
so/sql-update-1.3.11_to_1.3.12-mysql.sh
so/sql-update-1.3.11_to_1.3.12.sh
so/sql-update-1.3.3_to_1.3.4-mysql.sh
so/sql-update-1.3.3_to_1.3.4.sh
so/sql-update-2.0.4b_to_2.0.5-mysql.sh
so/sql-update-2.2.17_to_2.3.0-mysql.sh
so/sql-update-2.2.17_to_2.3.0.sh

But how can i adjust nothing to something ?  eg

echo "Step 1 - Converting c_content from VARCHAR to TEXT in table sogo_folder_info" >&2
tables=`psql -t -U $username -h $hostname $database -c "select split_part(c_location, '/', 5) from $indextable;"`

for table in $tables;
do
convVCtoText
done

So my adventure in Sogo came to an abrupt halt.

It appears to be a compile job.  Close but not useable. It's good that open source still retains mystery to it.   After all it keeps me in daily blog posts. apt remove sogo.  Maybe the third install attempt will be the one?

*i have other databases.

 

strange tales of hewlett packard printers

I and the zoo have a love/hate relationship with older hp printers with non oem ink, we love the ink.  Printer – meh although the printer in question recently kicked the bucket (my blog)  and was replaced.

One day some time ago i was reading slashdot when i noticed that what i write (my blog) was being said by many.   Recently one cartridge was ‘REALLY EMPTY’ and after intervening with a button press since we ignore the hp sensor

This even pissed off the zoo staff who started printing to a different laser printer which means to hp that the other printer's ink won't be touched and so not replaced until it's not printing in a missing colour deemed required.

Meg Whitman is ok, what about ebay ?

Two weeks go by and i check out the printer settings on the server to find it to have defaulted to american letter size paper rather than a4, and when i turn it on its ink level is fine and it does not shutdown on start up, or need an ok pressed.

I of course expect such foul play from Meg and Cary (my blog) as shit ex bosses of HP.

The result for hp is that no ink genuine or otherwise was bought by the zoo.

What really confuses me is that i don't remember downloading a new version of hplip, or changing printer settings on the Linux server to letter size which no sane person directly uses but sends jobs to it.

It's not my reputation HP, it's yours.

The dns game

Bananas was up one day and looking through the zoo’s server log and it was full of dns attempts*.

New hosts were invented, including mysql.zoo** among other names, from a number of ranges. dnssec (my blog) seems to have replied back that these things are not official and i know about it.

Some of the visitors were educational.

NetRange: 129.7.0.0 – 129.7.255.255
CIDR: 129.7.0.0/16
NetName: UH-NET
Organization: University of Houston (UNIVER-239)

So i am delighted the zoo withstood whatever somebody was trying to do. Despite not knowing the origin and objective, as one does not usually create hosts with our domain name and connect them for doing something.

Yeah.  It seems dnssec is worth it.

*needs to be turned on **my view of that software has been stated before.

avoid innostore usb drives

About a year ago i purchased a 16gb innostore usb flash drive.  It crapped out on me once again (my blog) and the best format was only ten megabytes and that was with a clearing of the partition table.

I recommend that if you are looking for a usb flash drive steer clear of innostore brand.  The device is awaiting a journey to an ewaste disposal plant.

I had recorded A Girl Walks Home Alone at Night a film which had five minutes of logos and titles before the thing died and then accessed the next item.

If you value data avoid innostore.

mod_defensible in Debian stretch

I have reported that it does not log (my blog), although i thought it was working.

I noticed

LogLevel alert

added to the bottom of apache.conf rather than warn  – I never changed the apache config during the upgrade as apache2 came out of the experience pretty much working apart from defensible.

Commenting it  meant the value of warn set way up in the file worked after a restart of the process.  So it still works and now logs.

Running debian stretch thoughts

As a server (my blog), not as a workstation (my blog)

The improvements first.

Postfix with postmulti

I had this ‘forced’ on me by systemd (my blog) not running the simple one instance that supposedly everybody else does and is ok with.  While i am still a bit newbish with the postfix command replacement it feels a better solution especially with logging which my older extra instances did not offer – as to what instance was doing.

There is no real config change but seems a more modern config despite that not changing and already having scripts that use multiple postfix configs.

Postfix is a lot less tolerant of clients such as

connect from unknown[12.130.172.232]

Who don’t do much but like to test things and despite our config from before denying such activity [ddos,spammers,clueless,bot nets] it feels as if they are discarded more quickly

Tls probers (waste of time clients) have sslv3 requests redirected to something more modern tls. Milters were odd to debug.  See the mailgraph heading below for a downside.

Dnssec

My manual method of signing zones still works – the daemon software in jessie i could not figure out – mostly because most people never used it or compiled a better version and never used the debian package being out of date.  It is something i might look at in the future

Signing zones currently takes a minute and is something i spend twelve minutes a year doing.

Not sure of and probably blame me department

cyrus imap

I am on the fence on this upgrade and feel the config still needs looking at, despite working it seems a little not there yet after i did seem to lose a lot of config commands to get it to work along with those bloody sockets i had to delete.

Hard to fix and runtime issues with solutions.

mod_defensible

Appears to work but now does not log – kind of/maybe situation – apache says it wrote 403 errors, but the confirmation from before means i take one software's fact as an unknown.

Hairy eyeball those emails from root to get these – you did read them right ?

Mailgraph

Is not updating its png images, html updates with the date and time – think this is not a systemd thing once again, not /etc/default or init.d issue – not an urgent issue and might be something due to postmulti since spam is logged in the chart and the mail.log has stuff in it.

I get

Well it recorded the one spam

Which is not an accurate representation of activity – files do update but no postfix activity in charts.   Not working, i guess due to incompatible parsing of:

postfix-instancex/smtpd[*]: disconnect from unknown[14.161.40.101]
 helo=1 auth=0/1 quit=1 commands=2/3

My theory anyhow

logwatch

I had to adjust the cron job to get the more detailed report once again for stretch to reflect as jessie. not hard.

p0f

Has had a redesign  – we only used it for port 25 scanning with amavis and now it does not work with the old config.   With postfix improvements i might let this fall in to non use.

X Logout leaves running processes

Don’t ask me why but it does cache cleaner, and hplip and systemd seem unhappy with something.

rkhunter

Need --pkgmgr DPKG in cron.daily as extra parameters

logrotate

I need

TMPDIR=/var/tmp
export TMPDIR
/usr/sbin/logrotate /etc/logrotate.conf
TMPDIR=/tmp
export TMPDIR

Or i get mail errors

Yara

Can now be ‘easily’ installed without ‘breaking’ debian, so i might be adding to the virus scanner which gets little cause for use with our mail config refusing bad content before it gets to a scanner.

Opendmarc

reporting (my blog) command appears to now send reports from more than just the first reporting host who got on with it and did not complain.  I guess the atps and other dns lines might be deemed redundant.

apt

The package manager does try to do more than it should trying to restart things – an easy example yesterday apt upgraded apache2 documents and tried to add the module and failed when the conf file it tried to read did not exist where debian assumed it was.

So i had to restart apache manually.

Overall not a disaster.   Something i might think as a good idea at some point but then again it as a server does a lot of jobs. I guess upgrading one server with one task would be less stressful.