our unnecessary ancient debian antivirus cockup.

The zoo has detected one virus via an email in a year. Since the mail server blocks microsoft (microshit) attachments and we hate microsoft products, having a scanner is a bit of a waste of time since it is something it will not find.

But .. after the upgrade to buster (my blog) all the updates stopped (my blog) or the config got passed over, and it is not the most important thing in the universe to fix.  Since the server only gets definition updates four times a month I decided it was time to have antivirus in buster rather than continue with useless cron warnings about missing gpg keys four times a month.

I deleted the extra clamd debian package, set up some logins and used the recent script from extremeshok, which is now on version 6 and which I have used in the past at version 2 something.   Things look happy and after ninety minutes I seem to have more definitions and yara rules once again.

I expect the virus scanner to do nothing most of the time, as it did beforehand, since most viruses seem to be opportunistic and are usually sent from badly configured mail servers when they get emailed, and so the mail server rules kick in and reject them before payload and the scanner does not get to run.

Maybe there will be a resurgence in them? But the zoo is covered now.

It seems packaging is not a cure for virus software.   Since I spent very little time worrying about awful microsoft code from microsoft I think ninety minutes a year is more than ample, and it reminds me that microsoft products cannot be trusted.

Intel graphics i915 debian 10 fix

My debian pc has seen a few versions in its time – if you're seeing (my blog)

[drm:intel_pipe_update_end [i915]] *ERROR* Atomic update f

in logs then

cat /etc/modprobe.d/i915.conf
options i915 enable_psr=0

might do something for you.   If your x display still freezes as it did for me then

apt remove xserver-xorg-video-intel

Changes the x server driver to modeset, using the firmware-misc-nonfree packaged intel 915 driver, which seems to be more up to date.

I do not have to reset by unplugging the power now when the screen freezes.

boo hoo

Occasionally somebody comments on an ancient blog post here* and it goes back a few years. The “expert” knows more about the topic than I do and then goes into a suggestion that I teach others to not have to deal with the crap of nine years ago.

At the time many of the things we now take for granted did not exist; for instance I compiled opendkim prior to it being packaged, something our indian it pro (my blog) is blissfully unaware about.

Another problem with howto things is you get professionals whining that their email won’t work and it’s the author’s fault.

I really did not care that the indian knew of the criminal I wrote of all those years ago or his opinion of this blog. How dare I not do the indian’s it job for him, I must be a really racist ape to not do his job.

This blog is not a security blog, and the rise of cloud services means amazon and google are it, and so people don’t have servers or really own their data. If kim dot com happened then it could happen to amazon and google too.

I hope this blog will exist way into the future and be used in ways I cannot imagine, but if some indian cannot get nuance in an ancient post or realize that stuff changes, maybe because of the criminal, then that is not my problem.

Generally I have little issues with stuff, I can infer from others when necessary.

Quite what this says about indian it professionals is something you can muse on.

*usually a like these days

debian ten new things

Debian 10 (my blog) is a fast loader even on a server, and here are a few things different which debian deems un-newsworthy.

It’s been a week or so.

monitor sharing [HARDWARE] – the zoo being cheap has a monitor with three interfaces on it (vga/dvi/hdmi). In the old version debian would cede control to the thing on the hdmi interface rather than the dvi port on no interaction, being debian has a dvi interface; the new version remains on the hardware screen – not a problem since the hdmi interface can be chosen from the screen’s menu as required.

If the zoo had billions to spend on another monitor it would be a very low priority and probably be an ex-display/return one as well.  The monitor remains turned off 99% of the time anyhow – emergency use case.

Usually we remote into it

tls

tls 1.3 (part of openssl) works and things we use can use tls 1.3; Qualys tests work and confirm it in browser client and server.

amavis

/usr/sbin/amavis-services msg-forwarder
/usr/sbin/amavis-services childproc-minder
/usr/sbin/amavis-services snmp-responder

Since amavis keeps mum on changes, these seem to be new binaries I hairy eyeballed.

zombie process

opendmarc

is a bit of a mystery, the zoo’s only non working component – think postfix got grandfathered and if you’re not doing sockets how it used to then nothing happens

Milters ….

fail2ban

The new config is baffling, our old config works, so damn it I will use that.

rkhunter

Debian reports large memory blobs now and the usual hidden /etc/.java directory returns and deleting it means it gets recreated regardless.  You have cron mail to read every day.

Cyrus imap

No nasty surprises a week in.

Postfix

Opendmarc [milter] is a no go but everything else appears to work.

tube recycle those 1’s and 0’s

Ipv4 & Ipv6

I had to add a timeout option to systemd to make a list of open ports to load, since we use a mix of static and dynamic ipv6; it seems pretty stable.  Ipv4 seems to also work, although the boot process still whines I have a bad interfaces file entry but won’t tell me where or why.

Patches have been light so far.   The ghostscript patch stopped my desktop (i386)  from seizing in x several times a day.

Apart from our isp losing ipv6 for five minutes a day (everything also does) it does feel like a debian problem as the router is not debian based. It soon returns so I am not blaming them for that.

I am not regretting this upgrade.

having a moment – upgrading raspbian to buster

The raspberry pi 3 (my blog) is something that just works but was stuck on debian stretch [version 9]. My prior attempts with upgrading were not good, although bad sdcards might have helped here with that impression.

So preparation for the end of the world took time - I made backups of important files, and an iso of the disk just in case disaster struck.

Stretch does work but a better dns thing might be nice and buster has been a general success in the zoo on intel hardware.

It is easier to attempt the upgrade than do a native debian install (my blog) which is an unknown experience.

Once ready and sitting next to the thing with a keyboard things went smoothly – only two usual prompts as blogged about before. The following files caused conflict:

  • /etc/sysctl.conf
  • lighttp/conf-available/ 10-cgi.conf & 1–ssl.conf
  • plymouth/plymouth.conf
  • /ssh/sshd_config
  • /fail2ban/jail.conf – temp file warning as well, /var/run goes /run.
  • /bind/named.conf.options
  • /lightdm/lightdm.conf

lighttp needed help and I moved the old config file to a backup and installed the version in /etc/lighttp.

Bind9 init is a mess

named[1841]: binding TCP socket: address in use
named[1841]: unable to listen on any configured interfaces
named[1841]: loading configuration: failure
named[1841]: exiting (due to fatal error)

Despite it claiming not to work bind9 does work – ignore systemd (my blog) for your sanity.

ddwrt routers – still too pricey.

So I was looking on an ecommerce site and a router (my blog) I once considered had dropped in price.  I could buy two professional routers for the price of one.

Since I would likely flash it with the non default router os I am quite sure that they tell you to get lost if you brick it.

No thanks.

Mind you the monkey house’s wifi is the next big networking job that will eventually happen and something else also will not be open source powered.

Mesh wifi looks interesting if perhaps overkill.

Migrating postfix fails

The zoo moved isp (my blog) and also did ipv6, and I was getting this error

postfix/sendmail[20836]: fatal: parameter inet_interfaces: no local interface found for x

But I could not find x. I go hunting in /var/spool and find some out of date /etc files that postfix once wanted and remove any mention, but x is still there.

Then I guess it’s my postmulti bash script file which is looking at the older config version, gah.
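
One way to hunt down the stale address behind the "no local interface found" error, as an added example that is not part of the original post: it reads inet_interfaces from every postmulti config directory and lists any literal address the host no longer carries. The function names (stale_addrs, check_host, demo) and the sample addresses are made up for illustration.

```shell
#!/bin/sh
# Added example: report inet_interfaces addresses this host no longer has.

# stale_addrs "<inet_interfaces value>" "<local addresses, space separated>"
# Prints each literal IP from the first argument that is absent from the second.
stale_addrs() {
    # Commas become spaces; brackets around IPv6 literals are dropped.
    for addr in $(printf '%s' "$1" | tr ',' ' ' | tr -d '[]'); do
        case $addr in
            all|loopback-only|\$*) continue ;;  # keywords, $parameter references
            *:*) ;;                             # IPv6 literal: check it
            *[!0-9.]*) continue ;;              # hostname: resolve it by hand
        esac
        found=no
        for have in $2; do
            if [ "$addr" = "$have" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$addr"; fi
    done
    return 0
}

# Live check (assumes postfix and iproute2 are installed): walk the main
# instance and every postmulti instance, reading each config directory.
check_host() {
    local_addrs=$(ip -o addr show | awk '{sub(/\/.*/, "", $4); print $4}')
    for dir in $(postmulti -l | awk '{print $NF}'); do
        value=$(postconf -c "$dir" -h inet_interfaces)
        for addr in $(stale_addrs "$value" "$local_addrs"); do
            printf '%s: %s is not on any local interface\n' "$dir" "$addr"
        done
    done
}

# Constructed sample: the old ISP address 192.0.2.10 is still configured.
demo() {
    stale_addrs "127.0.0.1, 192.0.2.10, [2001:db8::25]" \
                "127.0.0.1 ::1 198.51.100.7 2001:db8::25"
}

if [ "${1:-}" = "--live" ]; then check_host; else demo; fi
```

The comparison is textual, so an IPv6 address written in a different form from the one `ip` prints will be reported even if it is present.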