05-May-2015

Maintenance
Nothing weird – of course.
But since the Vigor router has been replaced by the ‘official’ router supplied by my ISP, it may cause extra spam and extra ‘bad traffic’. So extra attention is to be paid to all logfiles.
PMAS statistics for April
Total messages    :   2311 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :   1540 =  66.6 o/o (Files: 30)
Accepted by PMAS  :    771 =  33.3 o/o (Files: 30)
  Handled by explicit rule
         Rejected :    190 =  24.6 o/o (processed),   8.2 o/o (all)
         Accepted :    211 =  27.3 o/o (processed),   9.1 o/o (all)
  Handled by content
        Discarded :    128 =  16.6 o/o (processed),   5.5 o/o (all)
     Quarantained :    206 =  26.7 o/o (processed),   8.9 o/o (all)
        Delivered :     36 =   4.6 o/o (processed),   1.5 o/o (all)

Not bad indeed – except for the number of relay attempts; and these come from a (Chinese) site that I locked out for accessing the network. There were just a few others, but the rest was from one user, mostly from domain sina.com but from different addresses, and on one day from 163.com. The next lines show the first and last of that day – and the number of entries from this user:
13-APR-2015 12:07:58.91|R|122.13.2.195|losw@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@s♦
...
13-APR-2015 12:52:20.59|R|122.13.2.195|cgruh@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@♦
205

19-APR-2015 16:27:30.33|R|58.251.146.197|xwu@grootersnet.nl|xiaonanzi11162@163.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@1♦
...
19-APR-2015 16:49:39.85|R|58.251.146.197|mrva@grootersnet.nl|xiaonanzi11162@163.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@♦
216

23-APR-2015 00:42:01.74|R|114.112.190.22|test@82.161.236.244|mtyndallo@yahoo.com.tw|550 5.7.1 Relaying not allowed: mtyndallo@yahoo♦
23-APR-2015 15:15:52.57|R|91.236.75.224|smtp2001soho@yahoo.com|rk85r@freemailhost.ru|550 5.7.1 Relaying not allowed: rk85r@freemail♦
23-APR-2015 22:34:53.54|R|157.255.16.36|wadfil@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi1116♦
...
23-APR-2015 23:58:35.65|R|157.255.16.36|wacehl@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi1116♦
806

24-APR-2015 00:04:02.21|R|157.255.16.36|ior@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@s♦
...
24-APR-2015 00:36:58.43|R|157.255.16.36|twycf@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162♦
271

13-APR-2015 and 14-APR-2015 are adjacent, so the session started 13-Apr-2015 just after 22:34 and continued to 00:36 the next day. Over 1000 attempts that failed…
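To get the per-day counts and session boundaries shown above without counting lines by hand, here is an added Python example (not from the post, and not part of PMAS) that parses ‘|’-separated reject-log lines of the same layout as those quoted above (timestamp, flag, source IP, recipient, sender, SMTP reply), counts rejected relay attempts per source IP, and groups each source's attempts into sessions separated by gaps of more than 30 minutes. The field layout is assumed from the quoted lines; the log lines, addresses and IPs in the sample are constructed.

```python
"""Summarise rejected relay attempts from a '|'-separated PMAS-style reject log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not copied from the post) in the same layout as the
# PMAS reject log quoted above: timestamp|flag|source IP|recipient|sender|SMTP reply.
# Addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
23-APR-2015 22:34:53.54|R|203.0.113.7|aaa@grootersnet.nl|bulk-sender@example.net|550 5.7.1 Relaying not allowed: bulk-sender@example.net
23-APR-2015 22:58:10.02|R|203.0.113.7|bbb@grootersnet.nl|bulk-sender@example.net|550 5.7.1 Relaying not allowed: bulk-sender@example.net
23-APR-2015 23:20:35.65|R|203.0.113.7|ccc@grootersnet.nl|bulk-sender@example.net|550 5.7.1 Relaying not allowed: bulk-sender@example.net
23-APR-2015 23:45:02.21|R|203.0.113.7|ddd@grootersnet.nl|bulk-sender@example.net|550 5.7.1 Relaying not allowed: bulk-sender@example.net
24-APR-2015 00:12:40.00|R|203.0.113.7|eee@grootersnet.nl|bulk-sender@example.net|550 5.7.1 Relaying not allowed: bulk-sender@example.net
24-APR-2015 00:36:58.43|R|203.0.113.7|fff@grootersnet.nl|bulk-sender@example.net|550 5.7.1 Relaying not allowed: bulk-sender@example.net
24-APR-2015 09:12:00.00|R|203.0.113.7|ggg@grootersnet.nl|bulk-sender@example.net|550 5.7.1 Relaying not allowed: bulk-sender@example.net
23-APR-2015 15:15:52.57|R|198.51.100.9|someone@example.com|other@example.org|550 5.7.1 Relaying not allowed: other@example.org
"""

TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"   # matches '23-APR-2015 22:34:53.54'


def parse_line(line):
    """Split one log line into a dict. The SMTP reply text is the last field and
    may itself contain '|', so split at most five times."""
    ts, flag, src_ip, rcpt, sender, reply = line.split("|", 5)
    return {"ts": datetime.strptime(ts, TS_FORMAT), "flag": flag, "src_ip": src_ip,
            "rcpt": rcpt, "sender": sender, "reply": reply}


def relay_rejects(text):
    """Yield parsed records whose flag is 'R' (rejected relay attempt), skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["flag"] == "R":
                yield rec


def count_by_source(records):
    """Count relay attempts per source IP and collect the sender addresses each one used."""
    counts = defaultdict(lambda: {"attempts": 0, "senders": set()})
    for rec in records:
        counts[rec["src_ip"]]["attempts"] += 1
        counts[rec["src_ip"]]["senders"].add(rec["sender"])
    return dict(counts)


def sessions_by_source(records, max_gap=timedelta(minutes=30)):
    """Group each source IP's attempts into sessions: a new session starts when the
    gap since the previous attempt exceeds max_gap. Returns
    {ip: [(first_ts, last_ts, attempts), ...]} with sessions in time order."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["src_ip"]].append(rec["ts"])
    result = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        sessions = []
        start = prev = stamps[0]
        n = 1
        for ts in stamps[1:]:
            if ts - prev > max_gap:
                sessions.append((start, prev, n))
                start, n = ts, 0
            prev = ts
            n += 1
        sessions.append((start, prev, n))
        result[ip] = sessions
    return result


def noisy_sources(counts, threshold):
    """Source IPs with at least `threshold` rejected relay attempts, most active first."""
    return sorted((ip for ip, c in counts.items() if c["attempts"] >= threshold),
                  key=lambda ip: -counts[ip]["attempts"])


if __name__ == "__main__":
    recs = list(relay_rejects(SAMPLE_LOG))
    counts = count_by_source(recs)
    for ip in noisy_sources(counts, threshold=3):
        print(ip, counts[ip]["attempts"], "attempts, senders:", sorted(counts[ip]["senders"]))
        for first, last, n in sessions_by_source(recs)[ip]:
            print("  session", first, "->", last, f"({n} attempts, {last - first})")
```

Feed it the real reject log instead of SAMPLE_LOG and the threshold becomes the natural cut-off for the blacklist the post talks about; the session grouping is what turns a wall of 550 replies into "one source, one evening, N attempts".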
DNS trouble?
There was another thing that was different with the router: from the start, I had port 53 opened – I cannot recall why – and I never had any problem, except that occasionally the DNS server, or the resolver, tries to send out a 20-byte UDP packet to some other system. This is blocked by the router as a [teardrop] DDoS attempt, so it won’t get out.
After the router had been installed for a day or so, this started again, and more often than before. Now I got a message from my ISP that something was wrong: it could cause my DNS server to act like an open DNS server that could get involved in a DDoS attack.
This is weird, since my DNS server will only handle internal addresses, and the resolver doesn’t get onto the Internet but instead requests the router to handle the request – and that will forward the request to the DNS servers of my ISP, as is set up in the handshake between the access points.
Apparently, my DNS server could receive requests from anywhere and loop back. So now port 53 has been closed – and from that moment on, I don’t get these messages any more. I’ll scrutinize the logs for some time and add all requestors to the blacklist.
PHP and WP update
WAY overdue, I know. But updating this version won’t work, probably. So I’ll take another approach: start a new blog, with the latest software versions of PHP and WP, probably the database as well (MariaDB, a branch from MySQL that seems to be more stable and more reliable). If possible, this content will be imported directly, or I will have to do some work to get it into the new database. Well, if the structures are compatible, I may use the current database as well…

30-Apr-2015

Vigor Router restored
The broken Vigor router was sent to the supplier for investigation and repair. They updated the firmware but were unable to reproduce the problems. Nevertheless they decided to replace the hardware (though no longer available officially, they seem to have a number left on stock), as a precaution. Tonight, I restored the configuration and re-installed the router: a matter of a few minutes.
The connection to the LAN is now 1Gb – as it should have been before, where I found it was limited to 10Mb; a clear sign something was wrong… Secondly, it looks as if IPv6 is now properly configured as well: set to PPP…

21-Apr-2015

Lost connection – again
This morning, none of the sites were accessible: the router didn’t respond at all. Luckily, I could access the router, and found that Diana, the main server, was connected and up and running. So I enabled SSH and could access the machine; WASD logs showed no reason for failure, but there was no access after 03:00 or thereabout. Accessing the logs using the external name however worked like a charm, so there is something else going on. It might have been an overload: previously, some heavy access (POST to the blog login screen – which will fail at all times) and many accesses on HyperReader, each from one address, caused me to change the configuration so any attempt to connect will now fail.
After this change, all worked like it should. So it wasn’t WASD or Diana causing trouble. The event log of the router did show a reason:
21.04.15 03:05:19 The service provider successfully updated the firmware for this device.
21.04.15 03:05:15 The system time was updated successfully by time server 192.168.0.200.
21.04.15 03:05:14 IPv6 prefix obtained successfully. New prefix: 2001:980:ef9c::/48
21.04.15 03:05:14 IPv6 Internet connection established successfully. IP address: 2001:980:ef9c::1
21.04.15 03:05:14 Internet connection established successfully. IP address: 82.161.236.244, DNS server: 194.109.6.66 and 194.109.9.99, Gateway: 194.109.5.175, Broadband PoP: dr11.d12
21.04.15 03:05:05 Partition mounted in Freecom-DataBarUSB2-0-01
21.04.15 03:04:50 USB device 2002, class "USB 2.0 (full-speed) storage", plugged in

The router was restarted after a firmware update was installed – WITHOUT WARNING.
To get to know this, you actually need to log into the router – there is no external log… Nor is it possible to block unwanted networks. Hopefully, I’ll get my Draytek back soon – or a replacement.

10-Apr-2015

More router issues
Yesterday I switched routers: removed the Vigor, to be sent back to the supplier, and reinstalled the Fritzbox router of the ISP. However, the internet connection kept failing. Any access over wifi failed: though devices could connect to the router, an IP address was never supplied. That means the server could not reach the devices.
Today I found out the reason: the cable is broken; hopefully it is just a bad connector, because changing the cable is impossible.
There is another cable from the router to the network, that connects my TV to the switch for that signal. For the time being I will use this link to connect the LAN to the router. It is not a big deal to miss TV on top, and replacing the faulty connection is simple, after which I will use it to reconnect my TV.

06-Apr-2015

Server updated – and still access problems
I updated WASD and SSL to the latest versions and installed them. But then I encountered exactly the same problems as before yesterday: I could not access any of my sites. Since I now have a recent backup of my router, I restored it – but it didn’t help at all. Only by defining the sites in the hosts file on my workstation can I – and that works as long as I’m accessing the sites from the local network.
But that should not be the case!
As far as I can determine, looking at the webserver access log, the admin pages output and the router’s logging, other sites seem to have no problem. Why I cannot, is a mystery.
But from this point, it looks as if this blog is extremely slow. It works, but that seems to be all. Looking at the access log, there is a (Russian) site that POSTs to the xmlrpc.PHP file quite often. I blocked the site, not just the address, but it keeps getting through. So I blocked just the address.