05-May-2015

Maintenance
Nothing weird – of course.
But since the Vigor router has been replaced by the ‘official’ router supplied by my ISP, it may cause extra spam and extra ‘bad traffic’. So extra attention to be paid to all logfiles.
PMAS statistics for April
Total messages    :   2311 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :   1540 =  66.6 o/o (Files: 30)
Accepted by PMAS  :    771 =  33.3 o/o (Files: 30)
  Handled by explicit rule
         Rejected :    190 =  24.6 o/o (processed),   8.2 o/o (all)
         Accepted :    211 =  27.3 o/o (processed),   9.1 o/o (all)
  Handled by content
        Discarded :    128 =  16.6 o/o (processed),   5.5 o/o (all)
     Quarantained :    206 =  26.7 o/o (processed),   8.9 o/o (all)
        Delivered :     36 =   4.6 o/o (processed),   1.5 o/o (all)

Not bad indeed – except for the number of relay attempts; and these come from a (Chinese) site that I locked out for accessing the network. There were just a few others, but the rest was of one user, most from domain sina.com but from different addresses, on one day from 163.com. The next lines show the first and last of that day – and the number of entries from this user:
13-APR-2015 12:07:58.91|R|122.13.2.195|losw@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@s♦
...
13-APR-2015 12:52:20.59|R|122.13.2.195|cgruh@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@♦
205

19-APR-2015 16:27:30.33|R|58.251.146.197|xwu@grootersnet.nl|xiaonanzi11162@163.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@1♦
...
19-APR-2015 16:49:39.85|R|58.251.146.197|mrva@grootersnet.nl|xiaonanzi11162@163.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@♦
216

23-APR-2015 00:42:01.74|R|114.112.190.22|test@82.161.236.244|mtyndallo@yahoo.com.tw|550 5.7.1 Relaying not allowed: mtyndallo@yahoo♦
23-APR-2015 15:15:52.57|R|91.236.75.224|smtp2001soho@yahoo.com|rk85r@freemailhost.ru|550 5.7.1 Relaying not allowed: rk85r@freemail♦
23-APR-2015 22:34:53.54|R|157.255.16.36|wadfil@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi1116♦
...
23-APR-2015 23:58:35.65|R|157.255.16.36|wacehl@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi1116♦
806

24-APR-2015 00:04:02.21|R|157.255.16.36|ior@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@s♦
...
24-APR-2015 00:36:58.43|R|157.255.16.36|twycf@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162♦
271

13-APR-2015 and 14-APR-2015 are adjacent, so the session started 13-Apr-2015 just after 22:34 and continued to 00:36 the next day. Over 1000 attempts that failed…
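The first/last/count summary above can be produced straight from the log. The following is an added example, not part of the original post: it groups relay rejections per source address into bursts that may run across midnight, and lists which sources tried each relay target. The field order and the function names are assumptions inferred from the lines shown, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the log lines above; addresses are
# documentation ranges and example domains, not values from the real log.
SAMPLE = """\
19-APR-2015 16:27:30.33|R|198.51.100.20|xwu@example.org|target@example.com|550 5.7.1 Relaying not allowed
23-APR-2015 15:15:52.57|R|192.0.2.9|a@example.net|other@example.net|550 5.7.1 Relaying not allowed
23-APR-2015 22:34:53.54|R|203.0.113.7|wadfil@example.org|target@example.com|550 5.7.1 Relaying not allowed
23-APR-2015 23:20:11.02|R|203.0.113.7|qpl@example.org|target@example.com|550 5.7.1 Relaying not allowed
23-APR-2015 23:58:35.65|R|203.0.113.7|wacehl@example.org|target@example.com|550 5.7.1 Relaying not allowed
24-APR-2015 00:04:02.21|R|203.0.113.7|ior@example.org|target@example.com|550 5.7.1 Relaying not allowed
24-APR-2015 00:36:58.43|R|203.0.113.7|twycf@example.org|target@example.com|550 5.7.1 Relaying not allowed
"""

def parse(text):
    """Yield (time, source_ip, sender, recipient); field order is assumed."""
    for line in text.splitlines():
        parts = line.split("|", 5)
        if len(parts) != 6 or parts[1] != "R":
            continue  # other record types or damaged lines
        when = datetime.strptime(parts[0], "%d-%b-%Y %H:%M:%S.%f")
        yield when, parts[2], parts[3], parts[4]

def sessions(records, gap=timedelta(hours=1)):
    """Merge attempts per source IP into bursts; a burst may cross midnight."""
    out, open_burst = [], {}
    for when, ip, _sender, rcpt in sorted(records):
        cur = open_burst.get(ip)
        if cur is None or when - cur["last"] > gap:
            cur = {"ip": ip, "first": when, "last": when, "count": 0, "rcpts": set()}
            open_burst[ip] = cur
            out.append(cur)
        cur["last"] = when
        cur["count"] += 1
        cur["rcpts"].add(rcpt)
    return out

def sources_per_recipient(records):
    """Map each relay target to the set of source IPs that tried it."""
    seen = defaultdict(set)
    for _when, ip, _sender, rcpt in records:
        seen[rcpt].add(ip)
    return dict(seen)

if __name__ == "__main__":
    recs = list(parse(SAMPLE))
    for s in sessions(recs):
        print(s["ip"], s["first"], "->", s["last"], s["count"], sorted(s["rcpts"]))
```

Grouping by recipient rather than by source is what exposes a single relay target being tried from several addresses.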
DNS trouble?
There was another thing that was different with the router: from the start, I had port 53 opened – I cannot recall why – and I never had any problem, except that occasionally the DNS server, or the resolver, tries to send out a 20-byte UDP packet to some other system. This is blocked by the router as a [teardrop] DDoS attempt so it won’t get out.
After the router had been installed for a day or so, this started again and more often than before. Now I got a message from my ISP that something was wrong: it could cause my DNS server to act like an open DNS server that could get involved in a DDoS attack.
This is weird, since my DNS server will only handle internal addresses, and the resolver doesn’t get onto the Internet but instead asks the router to handle the request – and that will forward the request to the DNS servers of my ISP – as is set up in the handshake between the access points.
Apparently, my DNS server could receive requests from anywhere and loop back. So now port 53 has been closed – and from that moment on, I don’t get these messages any more. I’ll scrutinize the logs for some time, and add all requestors to the blacklist.
PHP and WP update
WAY overdue, I know, but updating this version probably won’t work. So I’ll take another approach: start a new blog, with the latest software versions of PHP and WP, probably the database as well (MariaDB, a branch from MySQL that seems to be more stable and more reliable). If possible, this content will be imported directly, or I will have to do some work to get it into the new database. Well, if the structures are compatible, I may use the current database as well…

15-Nov-2012

Trouble in paradise
When I switched to fiber last year, I got a modem without a fixed IP address – wasn’t possible on that type, and besides: I would always get the same address on reboot – except for major network changes.
All went well until July, when a complete overhaul was executed – without notice, so I got a new address, so I had to contact the registrar of the domain to update DNS with the new addresses… A free upgrade from 50Mb to 100Mb, symmetrical, for a one-time cost of EUR 10… Not bad. That address would not change, I was told. And when a major overhaul was expected, including an address change, there would be a warning.
In the mean time, the ISP was bought by the big monopolist, and I got a letter that mentioned a change in administration. No action required.
Yesterday, about 01:20, connection was broken and restored within a minute. It happens now and then, and has no implications normally. But this time, the connection was restored with another address. No warning, either. So it was not before 09:00 that I found out NOT ANY connection could be made. Not even to the router – and setting up VPN failed as well.
That I got another address became clear when I looked into the situation that night. MAC addresses were still the same, even on the gateway, but the address was changed as well. As well as the DNS servers. Phoned the helpdesk, of course they couldn’t reverse the action, nor could they guarantee that it wouldn’t happen again; even worse, it could happen at any time from now on. And a fixed address could no longer be obtained from them.
This is considered unacceptable, so I looked for another ISP. On the network, there is one more from the beginning: the big monopolist in fact, that offered less facilities for a higher price than the ISP I chose at the time. And for a few weeks, there is a third one – a subsidiary of this monopolist (but with their own standards). And as I found out that my current ISP is bought by that monopolist, there is actually no alternative any more for the facilities I require. But I will have all ports open – and a fixed IP address.
So I made the switch – for Internet, and by that, for HD television, because that requires Internet access as well. I have a month’s notice period, so the definitive switch will take place half December, it will mean a few days without Internet – I can live with that.
In the mean time, my sites weren’t reachable, since DNS contained the wrong addresses. So I asked my registrar to change addresses to the new one. This morning, these weren’t included yet, it took until noon today – after which I noticed I passed the wrong addresses, in all hectic of yesterday. That was repaired within an hour, and by and by, the changes propagated to the Internet. And at 16:30, this was the last site to be available again.
Now wait for the bill. EUR 10 anyway, perhaps twice – but that’s my fault. Hopefully, it will last until the switch of ISP (which will cost an additional EUR 10 for that (final) change).

07-Mar-2012

Monthly maintenance
The automated maintenance job runs like a charm, each month. Just a pity it doesn’t mail the PMAS statistics yet, I need to get to the log file to get them…
PMAS statistics for February
Total messages    :   9891 = 100.0 o/o
DNS Blacklisted   :   1405 =  14.2 o/o (Files: 29)
Relay attempts    :   2468 =  24.9 o/o (Files: 29)
Accepted by PMAS  :   6018 =  60.8 o/o (Files: 29)
 Handled by explicit rule
        Rejected :   5448 =  90.5 o/o (processed),  55.0 o/o (all)
        Accepted :    226 =   3.7 o/o (processed),   2.2 o/o (all)
 Handled by content
       Discarded :     95 =   1.5 o/o (processed),    .9 o/o (all)
    Quarantained :    230 =   3.8 o/o (processed),   2.3 o/o (all)
       Delivered :     19 =    .3 o/o (processed),    .1 o/o (all)

Over 90% rejected by explicit rule. These come from different sources, so blocking the addresses is troublesome… And for a few months already, the logfiles have been cluttered with messages that come in – and are rejected on second thought… Though I added a rule to prevent them from arriving anyway, a slight change causes them to penetrate. So that means adding yet another rule – and another one…
We’ll see where it ends.
Mail problems
On 29-Feb-2012, in the afternoon, it suddenly became impossible to send mail to other domains, like gmail, or my employer vxcompany.com. The domains were no longer recognized by the mailserver, for some reason. In trying to figure out what the heck was going on, I decided to check using TCPIP$CONFIG, in the SMTP and BIND configuration but couldn’t find anything. DIG didn’t find these domains either so it must have been a DNS issue; but the weird part is that the web worked fine….
I won’t rule it out that it was caused by the update of the router firmware, but days after that update? That doesn’t make sense…
Anyway, I made a stupid mistake and shut down TCPIP altogether, and before I could stop it, the connection was gone, and I had to wait another day to get it straight on the next Thursday evening…
That wasn’t as straight as I would expect:
$ @sys$startup:tcpip$startup
didn’t show an error but most services weren’t started, and most had to be started separately. But in the end, all services were up and running again.
Mail now worked fine for a few days.
On 06-Mar-2012, out of the blue, it was impossible to send messages, all mail bounces:

---- Transcript of session follows ----

550 5.7.1 >recepient on the internet<... relaying denied for 85.223.43.24

---- Recipients of this delivery ----

>recepient on the Internet< (bounced)

---- Unsent message follows ----

Return-Path: Willem@grootersnet.nl
Received: from LOCALHOST (127.0.0.1)
by diana.intra.grootersnet.nl (V5.6-ECO5, OpenVMS V8.3 Alpha);
Tue, 6 Mar 2012 19:16:20 +0000 (UTC)
Received: from SOYMAIL (24-43-223.ftth.xms.internl.net [85.223.43.24]) by
diana.INTRA.GROOTERSNET.NL (SOYMAIL AXP-1.5.2) with HTTP; Tue, 06 Mar 2012
19:16:18 +0000
Message-ID: <85.223.43.24.49493.00abdf56125f2bce.soymail@diana.INTRA.GROOTERSNET.NL>
Date: Tue, 06 Mar 2012 20:16:22 +0100
Subject: >subject<
From: Willem Grooters >my address:)<
To: >recepient on the internet<
...

What I don’t like is the line:

Received: from SOYMAIL (24-43-223.ftth.xms.internl.net [85.223.43.24])

where I would expect at least a domain name…
So I checked:

$ dig grootersnet.nl

; <<>> DiG 9.3.1 <<>> grootersnet.nl
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18457
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;grootersnet.nl. IN A

;; AUTHORITY SECTION:
grootersnet.nl. 3600 IN SOA auth10.dns.internl.net. hostmaster.internl.net. 2011101801 28800 7200 604800 3600

;; Query time: 2623 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 7 21:36:28 2012
;; MSG SIZE rcvd: 101
$

NO ANSWER????
No wonder mail doesn't accept relay from grootersnet.nl - as it is expected to do, and has done for years... The lucky part is that all my webs work and incoming mail arrives without a problem....
So I contacted my previous ISP - who is my registrar - to get an answer on what happened, why the registration has vanished - and why my mailbox is gone. It shouldn't have - since I'm still a customer.
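How a response like the dig output above is read from its header, as an added example that is not part of the original post: the status, the ANSWER count and the record type in the authority section together separate a missing name from a name that exists without a record of the queried type. The function name `classify` is hypothetical, and the input is the response above with one header field per line.

```python
import re

# The response shown above, one header field per line.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18457
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;grootersnet.nl. IN A
;; AUTHORITY SECTION:
grootersnet.nl. 3600 IN SOA auth10.dns.internl.net. hostmaster.internl.net. 2011101801 28800 7200 604800 3600
"""

def classify(dig_text):
    """Classify a dig response from its header and authority section."""
    status = re.search(r"status: (\w+)", dig_text)
    flags = re.search(r"flags: ([a-z ]*);", dig_text)
    answers = re.search(r"ANSWER: (\d+)", dig_text)
    if not (status and flags and answers):
        raise ValueError("no dig header found")
    status, flags = status.group(1), flags.group(1).split()
    answers = int(answers.group(1))
    # Collect record types of non-comment lines in the AUTHORITY section.
    authority, section = [], None
    for line in dig_text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            fields = line.split()
            if len(fields) > 3:
                authority.append(fields[3])  # name, TTL, class, TYPE, ...
    if status == "NXDOMAIN":
        kind = "name does not exist"
    elif status != "NOERROR":
        kind = "server failure or refusal"
    elif answers > 0:
        kind = "answer"
    elif "SOA" in authority:
        kind = "NODATA: name exists, no record of the queried type"
    elif "NS" in authority:
        kind = "referral"
    else:
        kind = "empty response"
    return {"status": status, "kind": kind, "authoritative": "aa" in flags,
            "recursion_available": "ra" in flags}

if __name__ == "__main__":
    print(classify(DIG_OUTPUT))
```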
Python updated - continued
The previous post mentioned a problem with the Wiki forms, where I thought it was a matter of browser. There might be some browser-based issues, but I found the CSS files weren't loaded because the structure of the MoinMoin wiki software has undergone a change, rendering the setting of moin_static to be false - incomplete at least:

$ sho log moin_static/full
"MOIN_STATIC" [super] = "$1$LDA11:[MOIN193.share.moin.htdocs.]" [concealed] (LNM$SYSTEM_TABLE)
= "WEB_DISK2:[WIKI.wikivms.mywiki.]/t=c"
$

The page code for the wiki starting page shows (one of four):
<link rel="stylesheet" type="text/css" charset="utf-8" media="all" href="/moin_static/modern/css/common.css">

but the css-files are now stored on another location, because they are no longer located on this location:
$ dir $1$LDA11:[MOIN193.share.moin.htdocs...]*.css
%DIRECT-E-OPENIN, error opening $1$LDA11:[MOIN193.SHARE.MOIN.HTDOCS...]*.CSS;* as input
-RMS-E-DNF, directory not found
-SYSTEM-W-NOSUCHFILE, no such file
$

It took some searching but I found them in another location:
Directory $1$LDA11:[Moin193.MoinMoin.web.static.htdocs.classic.css]

common.css;1 msie.css;1 print.css;1 projection.css;1
screen.css;1

Total of 5 files.

Directory $1$LDA11:[Moin193.MoinMoin.web.static.htdocs.modern.css]

common.css;1 msie.css;1 print.css;1 projection.css;1
screen.css;1

Total of 5 files.

based on the template: classic, modern, modernized, rightsidebar and solenoid. NO MORE technical, and that’s the one I had set up for myself…
So after changing moin_static to be:
$ sho log moin_static/full
"MOIN_STATIC" [super] = "$1$LDA11:[MOIN193.share.moin.htdocs.]" [concealed] (LNM$SYSTEM_TABLE)
= "$1$LDA11:[MOIN193.moinmoin.web.static.htdocs.]" [concealed]
= "WEB_DISK2:[WIKI.wikivms.mywiki.]/t=c"

(just to be safe, added this new location ..) it all worked, but since the ‘technical’ template has disappeared, I had to use another one.