our unnecessary ancient debian antivirus cockup.

The zoo has detected one virus via email in a year. Since the mail server blocks microsoft (microshit) attachments and we hate microsoft products, having a scanner is a bit of a waste of time, since it is looking for something it will not find.

But after the upgrade to buster (my blog) all the updates stopped (my blog), or the config got passed over, and it was not the most important thing in the universe to fix.  Since the server only gets definition updates four times a month, i decided it was time to have working antivirus in buster rather than continue with useless cron warnings about missing gpg keys four times a month.

I deleted the extra clamd debian package, set up some logins and used the recent script from extremeshok, which is now on version 6; i had used version 2 something in the past.   Things look happy and after ninety minutes i seem to have more definitions and yara rules once again.

I expect the virus scanner to do nothing most of the time, as it did beforehand, since most viruses seem to be opportunistic and are usually sent from badly configured mail servers, so the mail server rules kick in and reject them before the payload arrives and the scanner never gets to run.

Maybe there will be a resurgence in them? But the zoo is covered now.

It seems packaging is not a cure for virus software.   Since i spent very little time worrying about awful microsoft code, i think ninety minutes a year is more than ample, and it reminds me that microsoft products cannot be trusted.

Intel graphics i915 debian 10 fix

My debian pc has seen a few versions in its time – if you're seeing (my blog)

[drm:intel_pipe_update_end [i915]] *ERROR* Atomic update f

in logs then

cat /etc/modprobe.d/i915.conf
options i915 enable_psr=0

might do something for you.   If your x display still freezes as it did for me then

apt remove xserver-xorg-video-intel

Changes the X server driver to modeset, using the firmware-misc-nonfree packaged intel 915 driver, which seems to be more up to date.

I do not have to reset by unplugging the power now when the screen freezes.

debian ten new things

Debian 10 (my blog) is a fast loader even on a server, and here are a few things that are different which debian deems un-newsworthy.

It's been a week or so.

monitor sharing [HARDWARE] – the zoo, being cheap, has a monitor with three interfaces on it (vga/dvi/hdmi). In the old version debian would cede control to the thing on the hdmi interface rather than the dvi port on no interaction, the debian box being on the dvi interface; the new version remains on the hardware screen – not a problem since the hdmi interface can be chosen from the screen's menu as required.

If the zoo had billions to spend on another monitor it would be a very low priority and probably be an ex-display/return one as well.  The monitor remains turned off 99% of the time anyhow – emergency use case.

Usually we remote into it.

tls

tls 1.3 (part of openssl) works and the things we use can use tls 1.3; Qualys tests work and confirm it in both the browser client and the server.

amavis

/usr/sbin/amavis-services msg-forwarder
/usr/sbin/amavis-services childproc-minder
/usr/sbin/amavis-services snmp-responder

Since amavis keeps mum on changes, these seem to be new binaries that i hairy-eyeballed.

zombie process

opendmarc

is a bit of a mystery, the zoo's only non-working component – i think postfix got grandfathered, and if you're not doing sockets how it used to, nothing happens.

Milters ….

fail2ban

The new config is baffling; our old config works, so damn it, i will use that.

rkhunter

Debian reports large memory blobs now, and the usual hidden /etc/.java directory returns; deleting it means it gets recreated regardless.  You have cron mail to read every day.

Cyrus imap

No nasty surprises a week in.

Postfix

Opendmarc [milter] is a no-go, but everything else appears to work.

tube recycle those 1’s and 0’s

Ipv4 & Ipv6

I had to add a timeout option to systemd to make a list of open ports load, since we use a mix of static and dynamic ipv6; it seems pretty stable.  Ipv4 also seems to work, although the boot process still whines that i have a bad interfaces file entry but won't tell me where or why.

Patches have been light so far.   The ghostscript patch stopped my desktop (i386)  from seizing in x several times a day.

Apart from our isp losing ipv6 for five minutes a day (everything else does too), it does feel like a debian problem, but as the router is not debian based and it soon returns, i am not blaming them for that.

I am not regretting this upgrade.

having a moment – upgrading raspbian to buster

The raspberry pi 3 (my blog) is something that just works but was stuck on debian stretch [version 9]. My prior attempts at upgrading were not good, although bad sdcards might have contributed to that impression.

So preparation for the end of the world took time – i made backups of important files, and an iso of the disk just in case disaster struck.

Stretch does work, but a better dns thing might be nice, and buster has been a general success in the zoo on intel hardware.

It is easier to attempt the upgrade than to do a native debian install (my blog), which is an unknown experience.

Once ready and sitting next to the thing with a keyboard, things went smoothly – only the two usual prompts as blogged about before; the following files caused conflicts:

  • /etc/sysctl.conf
  • lighttpd/conf-available/ 10-cgi.conf & 1–ssl.conf
  • plymouth/plymouth.conf
  • /ssh/sshd_config
  • /fail2ban/jail.conf – temp file warning as well, /var/run goes to /run.
  • /bind/named.conf.options
  • /lightdm/lightdm.conf

lighttpd needed help, and i moved the old config file to a backup and installed the new version in /etc/lighttpd.

Bind9 init is a mess

named[1841]: binding TCP socket: address in use
named[1841]: unable to listen on any configured interfaces
named[1841]: loading configuration: failure
named[1841]: exiting (due to fatal error)

Despite it claiming not to work, bind9 does work – ignore systemd (my blog) for your sanity.


strange debian buster upgrade (non documentation guessing game)

If you're a cave-dwelling citizen who only reads my blog*, then you probably do not know that a new release of Debian (my blog) is out.

It has not been out long, but what has been updated is a mystery – sure, the gui's have been updated, but questions like tls 1.3 support mean searching and getting misguided results; for instance, ubuntu is not debian. Google, mind you, with alphabet worrying about hate speech, who cares if their search engine goes to shit.

Apparently tls 1.3 is now supported (my blog), but i still have other questions, so documentation-wise Debian ten is a complete mystery if you're wondering what is new.

Cyrus imap is another mystery here – the suggested route (not here) and the actual one are not the same. I was expecting to configure and reconstruct, but just disabling imap seems to have worked – although imap apparently does not use Berkeley db's any more, i did need a roundcube option create_default_folders'] = true; (not here) as opposed to false.

Not sure why debian cyrus 3.0.8.6 did not need the linked work – i think it should have. Not complaining though.

The dist upgrade failed several times and i had to restart it.  konq-plugins was a package that failed on i386:

apt remove konq-plugins

Fixed.

Messages are very inconsistent on upgrade; nss and glibc was one prompt that started and stopped processes, so your experience will vary between x64 and i386.   Servers with sql backends used dbcommon, and i kept most of my config files, choosing N rather than the package file.

If you are upgrading via ssh, then the lines

#'MACs hmac-sha2-512-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,
umac-128-etm@openssh.com,
hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,
umac-128@openssh.com

will cause ssh to not reload – be careful if you're not local.
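An added check for the situation above, not code from the original post: OpenSSH 7.6 removed hmac-ripemd160, so a MACs list that stretch's sshd accepted is rejected as a whole by buster's, and the script below reports which names will be refused before you reload ssh over the session you would lose. It assumes the supported list is what `ssh -Q mac` prints on the upgraded host (a representative OpenSSH 7.9 list is embedded here as constructed sample data, as is the sshd_config excerpt).

```python
"""Lint an sshd_config MACs line against the MACs the new OpenSSH knows.

Added example, not from the original post. SUPPORTED_MACS is constructed
sample data standing in for `ssh -Q mac` on the upgraded host.
"""
import re

# Constructed sample: representative of `ssh -Q mac` on OpenSSH 7.9 (buster).
# No hmac-ripemd160 variant appears; those were removed in OpenSSH 7.6.
SUPPORTED_MACS = frozenset("""
hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96
umac-64@openssh.com umac-128@openssh.com
hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com umac-128-etm@openssh.com
""".split())

# Constructed sshd_config excerpt carrying the MACs line quoted in the post.
SAMPLE_SSHD_CONFIG = """
Port 22
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
PermitRootLogin no
"""

def configured_macs(config_text):
    """Return the names from the first active (uncommented) MACs line.

    sshd keywords are case-insensitive; a leading +, - or ^ on the list
    (append/remove/prepend syntax) is not part of any algorithm name.
    """
    for line in config_text.splitlines():
        m = re.match(r"^\s*MACs\s+[+\-^]?(\S+)", line, re.IGNORECASE)
        if m:
            return [n.strip() for n in m.group(1).split(",") if n.strip()]
    return []  # no MACs line: sshd uses its defaults, nothing to lint

def unsupported_macs(config_text, supported=SUPPORTED_MACS):
    """Names in the MACs line that sshd on the new release will reject."""
    return [n for n in configured_macs(config_text) if n not in supported]

def supported_from_ssh_q(ssh_q_output):
    """Turn the text printed by `ssh -Q mac` into the set this lint expects."""
    return frozenset(ssh_q_output.split())

if __name__ == "__main__":
    bad = unsupported_macs(SAMPLE_SSHD_CONFIG)
    for name in bad:
        print(f"sshd_config: unknown MAC {name!r}; sshd will refuse to start")
    print("MACs line OK" if not bad else f"{len(bad)} unsupported MAC(s)")
```

`sshd -t` on the real file is the authoritative test; this only tells you which names it is going to complain about.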

Openafs is a time-consuming item to upgrade, especially its kernel module.

If you're into windows** nameservers, dhcp needs an upgrade, but we don't have microshit windows here in the zoo.

Opendnssec gets updated, but i still have no idea how this awful software works.

postgresql seems to start first time in buster, unlike stretch:

pg_ctlcluster 11 main start

Files changed

  • crontab
  • modsecurity RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf security2.conf
  • sysctl.conf
  • opendnssec.conf.xml
  • /etc/services
  • /etc/ssl/openssl.conf
  • issue and issue.net
  • cron.daily logrotate
  • syslog.conf
  • ssh_config & sshd_config [see above]
  • clamd conf
  • hplip.conf
  • rkhunter
  • fail2ban – action.d/mail.conf filter.d/postfix.conf
  • opendmarc.conf
  • named.conf.options
  • postfix scripts are only updated, not the main and master files

So my fuckups

I [apparently] had an extra listen address in apache2's ports.conf; ipv6 is sluggish for apache and email on startup.  Some ipv6 addresses refused to start up and caused failures.  Keeping the original conf files seems to have saved me a lot of headaches.

Since i was not ssh'ed into the box, it was not an issue for me.

Overall

Email worked, our zoo bots are working, apache does once the interfaces are started manually – xserver works when required [not often].

Server boot speed is not that impressive on older hardware, but since i don't reboot often, who cares.

openssl does support tls 1.3. Most things work, although this is perplexing:

ssl-cert-check -s zoo.com -p 443 -a

Host Status Expires Days
———————————————– ———— ———— —-
unable to load certificate
3080701696:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
unable to load certificate

The second instance does not work; calling it once before does work. It worked on stretch but not now, but something else is confused, as apache likes the stated files fine.

Most things appear to work, but your experience might vary – it took 25 minutes to download and three hours to nursemaid as described and restart.

I can probably fix the boot problems myself.

So far buster on a server seems a safe choice.

I will deal with newer features elsewhere.   Not an upgrade from hell, although i did make media backups beforehand.

*somebody might – joke **you poor sod

i hate cups (ipp version) and more debian buster upgrades.

Cups printers suck when upgrading (my blog). I have since discovered that simply deleting all printers and rebooting makes them magically work after an upgrade.

Gah.

Debian buster gave me a new prompt about starting and stopping services that i had not seen on another zoo pc i have now upgraded; once again four hours did it for a simple workstation, twenty minutes of that being downloading.

One non-computer-literate zoo staff member even thought it was a lot faster than stretch.

Debian 10 (buster) a quick look on a simple workstation

two dogs

I use debian (my blog), and with version ten, called buster, out, i offered to upgrade the monkey house's stretch* pc via apt dist-upgrade.   Three hours later i am typing this on it in debian ten.

Being a simple pc as opposed to a server, there were not too many hiccups.

Those being:

  • virtualbox [oracle crap] has no buster repository
  • minissdp wanted attention – not that i knew what minissdp does; i ignored it
  • /etc/defaults/networking was updated [prompted] i kept my file
  • /etc/ssh/ssh_config [prompted] i kept my file

kde works, from a brief exploration.

Some issues which i discovered and which may be user [me] issues:

  • ipv6 by default [no ipv4] until i edited my /etc/network/interfaces file, which looks like it's been through an exorcism since i have been doing a lot of ipv6 work recently.
  • bluetooth sound is controlled via the sounds app in kde on the applications tab, so codecs work,
  • cups/ipp needs some help

It took half an hour to download and two and a bit hours to extract, but this was also during dinner in the monkey house, so some prompts might have been ignored while the tribe ate its bananas.

Being a SIMPLE pc, everything worked, as opposed to the server changes, so as a first look on a basic pc: no issues.

I have client tls 1.3 support from openssl, so tls 1.3 seems to be finally here.

*the old version 9

apple content on non apple hardware now that itunes is ‘dead’

great bananas,

I bet you all a used banana skin that it will still not work on linux, windows or a non-apple smart tv.   Itunes works only on their platform, last time i checked – when was the last time you saw a quicktime film trailer that needed its own software to play? Leave your answer in the comments.

With apple now doing media as opposed to telephones (my blog), it will be interesting to see if non-apple hardware like a samsung tv will be able to play the content.   Given that i don't control the software on a smart tv, i do wonder how popular the stuff might be; after all, to get something on a tv it usually has to go through a non-apple app store, and somebody usually wants a cut.

Since the monkey house has no apple* products, it will be interesting to see if they force the walled garden on consumers; if so, they cannot expect the monkey house to consume their products.

If you could only buy netflix with a dedicated netflix television (my blog), i am sure i would not be subscribing to netflix, and you would have walls of screens just like in Fahrenheit 451, or you could read the book.

Perhaps, as electronics do not matter as much to apple, they will have to fail first before they make money with media.   I do not do a lot of ecommerce, but if i had to own an amazon device** to shop there, i would go elsewhere too.

This is not a complaint but should be taken as a warning that your entertainment conglomerate and silicon valley darling might not see the results you think they get.

*perhaps organic ones you eat ** you get the idea