29-Oct-2014

Power outage
We had been warned that yesterday, between 8:00 and 11:00, there would be a power outage, because some maintenance was scheduled on the power grid.
Because my job brings me too far away to easily handle this situation, I shut down all systems before leaving home, intending to restore services when I got back. So it was one day where all Internet access to and from my home was – deliberately – impossible.
Functionality ceased just before 7:00, all hardware not just shut down but also powered off. It is something of a gamble, because you never know if the drives will start to spin again (they are of a reasonable age…) and whether the batteries of the NVRAM and the TOY clock have sufficient energy to keep these subsystems warm. But it would go down anyway, and I considered it a good idea to have control over both shutdown and restore.
But it proved to be no problem at all. Just before 19:00 I repowered the disks and all started spinning. Next I switched the DS10 back to life and booted. And as was to be expected, nothing went wrong: the system was up and running within a few minutes, and started reading in email that had been delivered during the day (and was stored at my ISP’s backup server).
One thing I found today: the text on the homepage had not been restored; that was taken care of right away.

23-Oct-2013

A very remarkable day
Well, in hindsight, because on the day itself you could never tell:
As it turned out this morning, yesterday was a very remarkable day: no quarantined mail, no discarded mail. Well, there is mail that was rejected, but that remains out of sight unless digging in the logfile. For yesterday, there were 17, of which 15 were rejected because they matched a rule I have defined; only two have been scanned to find they were junk. The total number however is rather normal. As are the two relay attempts – though there are days without, this isn’t unexpected.

But nothing quarantined or discarded: that feels weird 🙂

17-Oct-2014

Router on tilt?
It was about 10 o’clock – in the evening – when, while searching data on the internet on both my mobile phone and a tablet, all of a sudden the connections dropped for no apparent reason; my Android phone complained that the WiFi connection was unstable. A slowdown normally means there is an attempt running to break into some service at my site, but that would not cause the WiFi to become unstable, just that traffic slows down tremendously and that sites cannot be found because name resolution slows down too much. So there was something else going on.
Going up to the attic it became immediately clear that indeed there was something going on: every two seconds a beep of the Alpha system signalled a mail coming in – from the SYSLOG daemon, triggered by the router.
It turned out that a number of name servers tried to access the router (given the address) in a stream of UDP messages that caused the router (by its configuration) to block them as DoS attacks, logging lines similar to:
Charon2: [DOS][Block][udp_RP_flood, timeout=10] [(address:53 -> )82.161.236.244:port][UDP][HLen=(Headerlength), TLen=(Transport-length)]
Given that the originating port (53) indicates the requests were sent by a name server (port 53 is the default port for DNS), I checked the addresses, and all were indeed name services: from my ISP, a few others, and Google. The way to get this stopped was shutting down the WAN interface (the ‘dirty side’ of the router); closing port 53 would be useless, since the router already blocked the access: the requests didn’t make it into the LAN. After re-enabling the port all was back to normal.
Since SYSLOGD has been set up to log this type of request not just to the logfile but to OPCOM as well, it’s an easy trip to track it all down. And I found that the whole sequence started with a flood of UDP packets – twice – from a secured port:
%%%%%%%%%%% OPCOM 17-OCT-2014 19:49:23.80 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@charon.intra.grootersnet.nl at Oct 17 19:49:23 ...
Charon2: [DOS][Block][udp_RP_flood, timeout=10][82.94.234.15:443->82.161.236.244:39146][UDP][HLen=20, TLen=65]

%%%%%%%%%%% OPCOM 17-OCT-2014 19:49:25.33 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@charon.intra.grootersnet.nl at Oct 17 19:49:24 ...
Charon2: [DOS][Block][udp_RP_flood, timeout=10][82.94.234.15:443->82.161.236.244:39146][UDP][HLen=20, TLen=1378]

This address is the Google cache at my ISP….
The very next moment comes a mail message, and from that moment on the trouble starts and name services start firing their requests. In the beginning, the Google cache service hops in a few times, but that doesn’t show up later on; the same goes for incoming mail messages (but operator.log doesn’t show the originating address – I’ll have to dig into the PMAS or SYSLOGD logs for them). Then it stops after I disabled the WAN interface, about 30 minutes after it all started.
The log shows that the router spewed out a message every 2 seconds, but the instability started when the number of available channels dropped too far, so that new connections could not be established.
This may have caused the instability of the WiFi connection – as signalled by my phone. But as it turned out, it was not the interface that was unstable, but a far too busy router….
This is one of those cases that is hard – if not impossible – to reproduce, but even so, I’ll mention it to the manufacturer.
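To show how such a stream of notices can be picked apart after the fact, here is an added example; it is not from the post, nor the router's or syslogd's own tooling. The Python script parses OPERATOR.LOG entries in the layout quoted above, classifies each blocked packet by its source port (53 meaning a name server answering), counts blocks per source address and reports the mean interval between blocks. The two 82.94.234.15 entries are the ones quoted above; the 192.0.2.x name-server addresses (RFC 5737 documentation range), their timestamps, and the assumption that the OPCOM banner time can stand in for the packet time are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of OPERATOR.LOG content. The two 82.94.234.15 entries are
# the ones quoted in the post; the port-53 entries use RFC 5737 documentation
# addresses and made-up timestamps and are assumed to follow the same layout.
SAMPLE_OPERATOR_LOG = """\
%%%%%%%%%%% OPCOM 17-OCT-2014 19:49:23.80 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@charon.intra.grootersnet.nl at Oct 17 19:49:23 ...
Charon2: [DOS][Block][udp_RP_flood, timeout=10][82.94.234.15:443->82.161.236.244:39146][UDP][HLen=20, TLen=65]

%%%%%%%%%%% OPCOM 17-OCT-2014 19:49:25.33 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@charon.intra.grootersnet.nl at Oct 17 19:49:24 ...
Charon2: [DOS][Block][udp_RP_flood, timeout=10][82.94.234.15:443->82.161.236.244:39146][UDP][HLen=20, TLen=1378]

%%%%%%%%%%% OPCOM 17-OCT-2014 19:49:27.10 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@charon.intra.grootersnet.nl at Oct 17 19:49:27 ...
Charon2: [DOS][Block][udp_RP_flood, timeout=10][192.0.2.10:53->82.161.236.244:49152][UDP][HLen=20, TLen=512]

%%%%%%%%%%% OPCOM 17-OCT-2014 19:49:29.05 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@charon.intra.grootersnet.nl at Oct 17 19:49:29 ...
Charon2: [DOS][Block][udp_RP_flood, timeout=10][192.0.2.20:53->82.161.236.244:49153][UDP][HLen=20, TLen=480]

%%%%%%%%%%% OPCOM 17-OCT-2014 19:49:31.20 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@charon.intra.grootersnet.nl at Oct 17 19:49:31 ...
Charon2: [DOS][Block][udp_RP_flood, timeout=10][192.0.2.10:53->82.161.236.244:49155][UDP][HLen=20, TLen=512]
"""

# The OPCOM banner carries the full date; the syslogd line below it has no year.
OPCOM_RE = re.compile(r"OPCOM (\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+")

# Router DoS-block line, field order as in the entries quoted in the post.
# The arrow is accepted with or without surrounding spaces.
DOS_RE = re.compile(
    r"Charon2: \[DOS\]\[Block\]\[(?P<rule>[^,\]]+), timeout=(?P<timeout>\d+)\]"
    r"\[(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s*->\s*(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\]"
    r"\[(?P<proto>[A-Za-z]+)\]\[HLen=(?P<hlen>\d+), TLen=(?P<tlen>\d+)\]"
)


def parse_operator_log(text):
    """Return one dict per blocked packet, in file order, stamped with the
    time of the OPCOM banner that preceded it (fractional seconds dropped)."""
    records, stamp = [], None
    for line in text.splitlines():
        m = OPCOM_RE.search(line)
        if m:
            stamp = datetime.strptime(m.group(1).title(), "%d-%b-%Y %H:%M:%S")
            continue
        m = DOS_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("timeout", "src_port", "dst_port", "hlen", "tlen"):
                rec[key] = int(rec[key])
            rec["time"] = stamp
            records.append(rec)
    return records


def classify(rec):
    """UDP from source port 53 is a name server answering a query that was
    sent with this router's address as the source, whoever sent it."""
    if rec["proto"].upper() == "UDP" and rec["src_port"] == 53:
        return "dns-response"
    return "other"


def summarize(records):
    """Per source address: how many packets were blocked and what they were."""
    out = {}
    for rec in records:
        entry = out.setdefault(
            rec["src_ip"], {"count": 0, "src_port": rec["src_port"], "kind": classify(rec)})
        entry["count"] += 1
    return out


def mean_interval_seconds(records):
    """Average spacing between consecutive blocks; None if fewer than two."""
    times = [r["time"] for r in records if r["time"] is not None]
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    recs = parse_operator_log(SAMPLE_OPERATOR_LOG)
    for ip, info in summarize(recs).items():
        print(f"{ip:15}  src port {info['src_port']:5}  {info['kind']:13}  blocked {info['count']}x")
    print(f"mean interval between blocks: {mean_interval_seconds(recs):.1f} s")
```

Run against a real OPERATOR.LOG, the per-source table is the quick way to confirm the observation made above (every source on port 53 being a name server) and the interval figure is the one to compare with the router's 2-second reporting cadence; anything much faster than the reporting interval means more was blocked than was logged.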

15-Oct-2014

Windows updates
Patch Tuesday has passed – and so I did the updates tonight. One of them caused the real-time virus scanner to drop dead. Solution: run the control program, check for updates (which it usually does automatically) and install them. Scanned the system, nothing wrong.
Probably one of the .Net updates. These cause havoc sometimes; customers have run into these issues as well….
Planned power outage
In our neighbourhood, there is some demolition and building going on, and that also involves some maintenance to the power grid in the area. So a power outage is planned to happen on 28-Oct-2014, between 8:00 and 10:30. I could hire a UPS for that time, or a generator, but that is way too expensive.
So I will power off my gear before leaving for work, at about 7:00, and bring it back on when I return, about 12 hours later. Hopefully, my ISP will store incoming mail for that time so it will be retrieved at the end of the day.

02-Oct-2014

No surprises
The saving of logs worked like a charm – as always. Nothing strange in that logfile.
Number of messages still pretty low compared to the past:

PMAS statistics for September
Total messages    :   2203 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :    246 =  11.1 o/o (Files: 30)
Accepted by PMAS  :   1957 =  88.8 o/o (Files: 30)
  Handled by explicit rule
         Rejected :   1257 =  64.2 o/o (processed),  57.0 o/o (all)
         Accepted :    309 =  15.7 o/o (processed),  14.0 o/o (all)
  Handled by content
        Discarded :    139 =   7.1 o/o (processed),   6.3 o/o (all)
     Quarantained :    209 =  10.6 o/o (processed),   9.4 o/o (all)
        Delivered :     43 =   2.1 o/o (processed),   1.9 o/o (all)

Number of relay attempts as well: the amount was notable on 5 days only (where the logfile was over 5 blocks in size), but not as big as in previous months: just a few blocks more. There has been quite some internet traffic though; the router logs to a SYSLOG daemon, and the logfile is cycled when it’s over 25000 blocks – 12 Mb – and this happened every 3 days or so. Well, not too bad…
A few days ago there has been an attempt to break into the DNS server for quite some time – I was at the console when it started and could block the offending addresses (two in the same network) in the router. Nothing heard from them since 🙂
Travel posts
I’m working on the week-long trip of last year’s fall – time to finish the data on the Lahnsteig trail we followed that week. I finished gluing together whatever was to be combined and dumped the tracking data onto maps; I still have to do the projection on Google Earth and picture that as well, and then put it all into a presentation (which usually takes some time as well…) before it can be published. However, there is an additional problem: the logical disk I defined for Trips, Tracks and Travels is quite full: just 3% is now free – being 919136 blocks – less than 500 Mbytes. Way too small to hold this album. But it can be extended – there is still a little over 10 Gb available on that (physical) disk. Or use another, totally free 32 Gb disk that is still in the system and move all of the images to that location….
This is a better solution anyway, since I also need to finish the Corfu trip of this year, and the journal of this year’s Long Distance Footpath (not totally finished yet, two more legs to go…).
I can do so without downing the site – the advantage of VMS’s abilities 🙂