debian 9.5 in the wild and the broken virus scanner

UNCHECKED was the magic word that amavis (my blog) added to emails going through it after the upgrade. Various suggested fixes to amavis in 50-user did nothing, so I delved into clamd, the zoo's virus scanner.

It could not share a socket in /var/run; adjusting that config file also did no good, so after an afternoon of fun restarting things I disabled the virus scanner in amavis, which does not see a lot of action anyhow.

amavis[*]: (07127-01) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (All attempts (1) failed connecting to /var/run/clamav/clamd.ctl) at (eval 98) line 613.\n

My groups already share clamd and amavis as members of both, so that was not the fault. I even removed a yara (my blog) file that the 9.5 version of clamd did not like all of a sudden.

Carol Beer (Little Britain): computer says no.

It did work in its own user/group, but not anymore. Since it is a low priority, and bad files are banned from email by the MTA as well (a duplication), I bet nobody will notice it is gone until it gets fixed. Not my issue, it seems, but some artefact of AllowSupplementaryGroups perhaps not getting reflected elsewhere.

My print server config got wiped away (dbus/systemd shenanigans?) but I managed to get a kind of print server working for Monday. That is a tale for another day, as hplip might need an upgrade via a compile, and that seems not to be important software in the grand scheme of things now.

Overall, apart from the whole server room rebooting itself early in the morning, Debian 9.5 seems a bit problematic if you use it as a server rather than a 'basic' workstation.

I would have installed it at some point anyhow, but I would rather not have done this on a Monday morning.

So I am not sure if this is something I can fix. More fun that way.

network segregation woes


The monkey house has several routers and they work, but some people segregate their routers into work, home, wifi and IoT networks, perhaps even a guest one too.

One router is fully used and chucks out all the traffic; our internal router handles all of the above stuff. However, I wonder about the point of doing separate networks.

Sure, I have no idea what nefarious things IoT devices could also do, but they might in the future:

  1. collect MACs and network addresses
  2. scan ports
  3. use DNS (which they already do)
  4. do something evil, e.g. DDoS another brand's thing since it's not theirs

Since I read the logs, surely I would be alerted if 2 and 4 were being done. And how do I provision our IoT printer (my blog) across home/work/wifi when all three could use it? Perhaps I should buy more printers?

A crap IoT device we have needs to be plugged into the router directly, otherwise it won't work if I connect it to a switch (my blog – not just that one, all switches).

That means my VLAN for IoT needs at least two switch ports, plus a new hardware switch.

The wifi is in need of an upgrade but works, so does that mean two SSIDs? I am beginning to need a router with more ports and maybe double the hardware.

Perhaps as nefarious IoT devices evolve, routers will also evolve. Mind you, I can monitor traffic and block it with our existing router, so it is not like I do not have any countermeasures now.

I think two routers is enough for the time being. VLANs might be possible but expensive for the monkey house.

I could, but so far I do not see a lot of point in doing it.

international android phone ‘fun’

The professor's significant other visited the monkey house complaining that the phone (my blog) did not work with international calls and data, something I have tried to fix by getting transfer codes, but she won't change suppliers or ask the SIM card supplier about these problems. It works locally.

As usual 'wifi' got the blame, which is innocent; the routers used have no IP blocks or triggered RPZ zones (my blog) either.

This is something due to WhatsApp not working, but neither the phone nor the wifi is at fault. I have no clue about WhatsApp, but then I am no smartphone 'guru', the kind who, if called a genius, charge you $400 to fix an iPhone due to bad design.

After being badgered to fix it, I discovered that the bloody thing had been set to airplane mode by them.

Is it cynical to laugh?

Smart phone users sigh.

the new hp printer one year on

Having been a year (my blog), or about that time, I decided to run some tests on the printer and noticed a couple of things:

  1. it can now do IPv6 [when new it was IPv4 only]
  2. new firmware [see above]
  3. it records everything, including scan use
  4. internal print status pages are not charged by Instant Ink (my blog)**

So it is a little creepy. It has been cheap to run if you keep an eye on it monthly and adjust the plan's printer pages*; it has also extended the toner life of an older printer.

If, like the zoo, you do not print 1000s of pages on the printer, then HP send new ink cartridges once a year; the large print cartridges have lasted 13 months, and that was with some photo printing.

Economics-wise, I based this on a what-if comparison against bought cartridges, with two criteria: HP ink and non-HP ink bought once a year, when the Instant Ink cartridges turned up. Year 1 non-HP ink is low as I found a cheap supplier; whether they would have lasted as long as the Instant Ink is like comparing apples with oranges, and buying HP cartridges too is also speculative. I am not buying three printers just to confirm that.

In year 2 (a projection) savings remain the same for 'genuine' ink, and as the compatible price rose for some reason (exchange rates probably) when I checked, I still 'saved' money renting rather than buying ink.

                  Year 1   Year 2   Year 3
Overall saving:    34.10    34.52    68.62   versus HP ink
                    4.52    12.52    17.04   versus non-HP ink

So it seems a good prospect for us. Your mileage might vary.

I think I now have a way of getting a true page cost per cartridge from the status sheet, since those figures are enabled. More another time, when I replace cartridges, for a per-sheet cost that can be compared.

Overall the printer is liked within the zoo (does not screw up) and does not jam, although I did jam it once with very thin A4 paper. The duplex is nice and reduces our paper usage, even though one page printed on both sides is charged as two pages printed.

*pay more / pay less. **Phew, I don't print printer report sheets often and do not see a need to do it more than once a year.

Exim gets a second chance


Exim was something the zoo thought of using before settling on something else, now in production here at the zoo, but running our default mail server seemed heavy weather on a basic host.

So I configured Exim, which was a new experience for me, without the gay Russian spies at Cambridge* (my blog) to help.

I found ACLs tricky, in that

10.0.0.4 : 127.0.0.1

did not work, but

x.x.x.4:127.0.0.1

did.

It is a bit whiny, and update-exim4.conf.conf on Debian is not the most obvious file to put the settings in. Not that I expect to edit it often.

I still prefer my first choice for SMTP.

*Fuck me, comrade (the original footnote is in Russian)

rpz secret society woes in bind on debian

Sisyphus is still a role model

So I wanted a DNS firewall (my blog). I did not want to pay for or use a blocklist nameserver, so it was time to do it yourself. Our DNS nameserver got upgraded eventually and I had a go.

RPZs supposedly made this easy, with all bad sites in one file as opposed to the many files per site.tld [one per zone in rbldns, and slow], although RPZ usage is hard to track down. My first attempt was met with

ignoring out-of-zone data (citricbenz. website)

Apparently it should be written with a relative owner name (no trailing dot), so the record lands inside the policy zone:

citricbenz.website    IN CNAME .    ; CNAME to "." means answer NXDOMAIN

citricbenz was a Zeus trojan server* when I wrote this, and still might be, and the only entry in my zone.

However, it doesn't work until you assign a policy, and they have bizarre syntax. Something kind of does and does not work:

changed from 2 to 1 qname, 0 to 0 nsdname, 0 to 0 IP, 0 to 0 NSIP, 0 to 0 CLIENTIP entries

So something is working.

The next day was interesting, as I used the Chrome browser, which passed along my attempts to access the named example; I had to assure CBL that I was not Zeus-infected, as I use CBL on the zoo's website (my blog). Moral of the tale: do not use Google software things to try out security stuff.

Having fixed that issue on our internal router I had a bit more luck and got a working RPZ zone by blocking yahoo.com, as that's safer to test with. My attempts to display a redirected website message ended in failure, although NXDOMAIN works.

I still seem to be resolving the real IP rather than looking it up in the zone I created, which means I am close, and I achieved interception of the request with

zone "internal.zoo" policy passthru;
zone "rpz.zoo" policy cname compromised.zoo;

The cname compromised.zoo redirects the bad site request** to compromised.zoo, .zoo being our domain name/TLD and compromised being the zone name. It tells a user that something is wrong.

Logging is important here.

Order matters here [precedence]: the passthru comes first, then the more restrictive policy. Note the lack of semicolons and quote statements, which feels a bit odd when option { x; y; z }; is the normal syntax BIND knows and parses and most of us expect.

Your web browser is faster than our DNS RPZ and has the same data.

So a race condition can develop. If you have infected things, the RPZ will do more than just the blocklist your browser uses, and the log will record the RPZ hit.

client internal.zoo.lan#16983 (windrushvalleyjoinery.co.uk): rpz QNAME DROP rewrite windrushvalleyjoinery.co.uk via windrushvalleyjoinery.co.uk.malware.zoo

This stuff is quite hard to figure out.
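As an added example (my code, not the post's), here is a Python script that writes RPZ records in the relative-owner form shown above and picks the rpz rewrite hits out of named's log lines, so a client that keeps hitting the zone stands out. The zone name rpz.zoo and the two blocked names are the post's; the client addresses and the sample log are constructed.

```python
import re
from collections import Counter

# Constructed blocklist for this example; the names are the ones the post tested with.
BLOCKED = ["citricbenz.website", "yahoo.com"]

def rpz_zone(origin, names, target=None):
    """Return RPZ zone records for `names` under `origin`.
    Owner names are written relative (no trailing dot) so they land inside
    the policy zone instead of being rejected as out-of-zone data.
    target=None emits 'CNAME .' (NXDOMAIN); a name such as 'compromised.zoo'
    emits a CNAME to that walled-garden host instead."""
    rdata = "." if target is None else target.rstrip(".") + "."
    lines = [f"$ORIGIN {origin.rstrip('.')}."]
    for n in names:
        n = n.rstrip(".")
        lines.append(f"{n} IN CNAME {rdata}")
        lines.append(f"*.{n} IN CNAME {rdata}")  # subdomains of the bad site too
    return "\n".join(lines)

# BIND "rpz ... rewrite" log line in the shape the post quotes; the optional
# "@0x..." token is the client pointer newer BIND versions print.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\S+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\w+) (?P<action>[\w-]+) rewrite (?P<name>\S+) via (?P<via>\S+)"
)

def parse_rpz_hits(log_text):
    """Extract the RPZ hits from named's log; unrelated lines are ignored."""
    return [m.groupdict() for m in map(LOG_RE.search, log_text.splitlines()) if m]

def hits_per_client(hits):
    """Count (client, qname) pairs so an infected host asking repeatedly stands out."""
    return Counter((h["client"], h["qname"]) for h in hits)

# Constructed sample log (addresses made up); the third line is an ordinary query.
SAMPLE_LOG = """\
client 10.0.0.7#16983 (citricbenz.website): rpz QNAME NXDOMAIN rewrite citricbenz.website via citricbenz.website.rpz.zoo
client 10.0.0.7#40211 (www.yahoo.com): rpz QNAME CNAME rewrite www.yahoo.com via www.yahoo.com.rpz.zoo
client 10.0.0.9#53011 (debian.org): query: debian.org IN A + (10.0.0.4)
"""

if __name__ == "__main__":
    print(rpz_zone("rpz.zoo", BLOCKED))
    for (client, qname), n in hits_per_client(parse_rpz_hits(SAMPLE_LOG)).items():
        print(f"{client} asked for {qname} {n} time(s)")
```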

As to whose fault this is: after all, the zoo clearly should be paying some security firm for this, according to the three and a half DNS professionals on the internet who guard this knowledge like a secret, or else it is out of date.

Stats are interesting; BIND reported

[malware.zoo]
                   7 response policy zone rewrites

So, not informative. That seems a good place to end.

I might do a further post on how I make zones, but being honest the zoo appears to be immune from visiting dodgy sites, as the browser stops it, and so while the zones exist they do not trigger for lack of a match.

dsl microfilters going boom

The microfilter (pictured) died on one of the zoo's telecom demarcation points. Having tried to resolve it and failed, with everything else getting a reboot, I decided to replace the last thing, being the microfilter.

Then our internet connection stopped intermittently waiting ….. and became reliable once more.

It does go through a surge adaptor, but somehow that did not protect it.

There was lightning recently (well, when I write this); as our services are mostly underground but the telecoms are not, I guess that is what did the damage.

Nothing else got damaged, so in a way it did its job, and as the filters are not expensive I would rather replace that than have to replace routers.

the day the internet came and visited our nameservers and probed them.

I bought replacement domain names (my blog), created zones (plus slaves), and moved the glue to our name servers, and after doing DNSSEC (my blog), boom, everybody came and visited.

I have no records except for NS and the DNSSEC, but I have managed to clear 300 emails informing me of these hosts exploring our zone. The end-of-day stats were:

Banned services with Fail2Ban: Bans:Unbans
named-refused: [337:337]

I think that's pretty good going: to buy a domain, set up DNSSEC and move name servers in a day while also doing other things. You all looked up some odd records that would never exist.

My configuration error was with an ACL, which had me flummoxed for a time since I saw no issue with the appended zone file contents, and after 'fixing' everything else it then dawned on me, stupidly, that the config ACL was to blame.

Those bans would have still triggered.

Since I had not advertised the domain name in any way, I was impressed by the activity, as there is not a lot you can do with an empty zone except admire the DNSSEC (my blog).

That must have been it: very cool DNSSEC.

raspberry pi fun

Returning to the monkey house Raspberry Pi adventure (my blog), and having cased it, it was time to do something with it.

Having bought a larger memory card of 32 GB, I had some dd fun writing to a microSD card but soon got something that booted.

Networking was a bit weird, using /etc/dhcpcd.conf as opposed to interfaces or whatever shit systemd networking (my blog) is doing these days. I hate systemd anyhow.

The monkey house uses the Pi as a headless server for a couple of tasks, and so far it is manageable, if a little slow and short on resources, once the mouse, keyboard and HDMI (my blog) screen are unplugged. I was able to watch guinea pig (my blog) videos on YouTube before I wiped one card and made my new one Raspbian.

It also powers a switch (my blog) and an IoT heating controller via USB (saving two electrical plugs in the process). It is not idle.

Raspbian (once secured) feels a lot like Debian, and a point release behind Debian, so 9.4 means you'll be running 9.3 on the Pi, which is not a problem.

Returning to networking, I got pissed off with dhcpcd.conf since that can only do one IP, and as ours has two wired Ethernet ports (real ones, not virtual) it meant I got one address or the other, never both. The person responsible for Raspbian networking ought to be hung, drawn and quartered for that suggestion.

I think that these things have a future and might be the way PCs go. Granted, it needs more memory and better standard components, but it was quite a nice desktop, if not one suitable for famous computer games, and as HDMI does video and audio it certainly competes with Android, and much cheaper.

How long it lasts, or the long-term viability of microSD, will be an interesting experiment, although it looks like DO NOT USE KINGSTON BRAND SD CARDS is good advice and a tale for another day.

android partitioning

Is odd: I read that special partition names are needed, and apparently root access to move things; it seems W95 FAT is not enough.

I am glad I use Linux rather than this odd system, for if even I cannot use it, even with fdisk partitioning and non-root access, then who is supposed to?

If this is the shit Google thinks is good, then good luck to Android OS.