Category Archives: English

ntp running in chroot stopped working after Debian Stretch upgrade

Today I upgraded my root server from Jessie to Stretch, and suddenly ntp stopped working.

I found errors like follows in the log, which were obviously due to failures in name resolution:

2018-05-31T07:44:48.900756+00:00 myhost ntpd[22855]: giving up resolving host 1.debian.pool.ntp.org: Servname not supported for ai_socktype (-8)

The solution to make this work was to bind-mount some files and directories essential for name resolution into the chroot jail.

First create some directories and some dummy files:

# mkdir /var/lib/ntp/etc /var/lib/ntp/lib /var/lib/ntp/proc
# mkdir /var/lib/ntp/usr /var/lib/ntp/usr/lib
# touch /var/lib/ntp/etc/resolv.conf /var/lib/ntp/etc/services

Then update your /etc/fstab as follows:

...
#ntpd chroot mounts
/etc/resolv.conf  /var/lib/ntp/etc/resolv.conf none bind 0 0
/etc/services	  /var/lib/ntp/etc/services none bind 0 0
/lib		  /var/lib/ntp/lib none bind 0 0
/usr/lib	  /var/lib/ntp/usr/lib none bind 0 0
/proc		  /var/lib/ntp/proc none bind 0 0

Finally mount all these binds:

# mount -a

Thanks to the ArchLinux guys where I found this.

To check whether your ntp is working again, you can use the following command which shows a list of peers known to your ntp server:

# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
*ptbtime1.ptb.de .PTB.            1 u   46   64  377   11.483   -0.411   0.201
+ptbtime2.ptb.de .PTB.            1 u   52   64  377   11.502   -0.533   1.069
+ptbtime3.ptb.de .PTB.            1 u   47   64  377   11.451   -0.510   3.866
#batleth.sapient 131.188.3.221    2 u   44   64  377    0.188    1.097   0.176
#5.199.135.170 ( 130.149.17.21    2 u   45   64  377   11.271    0.581   0.396
-mail.morbitzer. 193.175.73.151   2 u   47   64  377    2.760    0.556   0.278
#hotel.zq1.de    161.62.157.173   3 u   46   64  377    0.094    1.384   0.261
-ntp2.m-online.n 212.18.1.106     2 u   47   64  377    7.167   -0.333   0.190
#2a03:b0c0:3:d0: 81.94.123.16     3 u   49   64  377    6.288   -2.071   1.760
#touka.thehomeof 130.149.17.21    2 u   48   64  377    0.206    0.932   0.222
+maggo.info      124.216.164.14   2 u   42   64  377    0.278   -0.137   0.436
+weyoun4.cord.de 124.216.164.14   2 u   44   64  377    2.849   -0.255   0.409
+opnsense.sauff. 222.217.153.8    2 u   43   64  377    0.270   -0.617   0.167
-web1.sys.ccs-ba 192.53.103.104   2 u   35   64  377    0.173   -1.251   0.220
#uruz.org        122.227.206.195  3 u   49   64  377    0.216    1.694   0.309
#clients5.arcani 162.23.41.55     2 u   38   64  377    6.120   -1.500   0.130
+stratum2-1.NTP. 129.70.130.71    2 u   47   64  377   14.043    1.625   0.394

The following command confirms that your current time is actually correct (within certain limits, of course):

# ntpstat
synchronised to NTP server (192.53.103.108) at stratum 2
   time correct to within 15 ms
   polling server every 64 s

If this was helpful, I would be happy to hear from you.

Exim malware scanner issue after upgrade from Jessie to Stretch

Today I finally upgraded by personal root server from Debian Jessie to Stretch, thereby upgrading Exim from 4.84 to 4.89.

After the upgrade, I observed the following errors in mainlog:

2018-05-31 08:02:03 +0000 1fOIX5-0001rg-AM malware acl condition: cmdline  : scanner returned error code: 36096
2018-05-31 08:02:03 +0000 1fOIX5-0001rg-AM H=([IPv6:2a00:6020:1efc:ee20:8857:7824:6a49:8368]) [2a00:6020:1efc:ee20:8857:7824:6a49:8368]:48523 I=[2a01:4f8:141:429::2]:465 Warning: ACL "warn" statement skipped: condition test deferred
2018-05-31 08:02:04 +0000 1fOIX5-0001rg-AM malware acl condition: cmdline  : scanner returned error code: 13
2018-05-31 08:02:04 +0000 1fOIX5-0001rg-AM H=([IPv6:2a00:6020:1efc:ee20:8857:7824:6a49:8368]) [2a00:6020:1efc:ee20:8857:7824:6a49:8368]:48523 I=[2a01:4f8:141:429::2]:465 Warning: ACL "warn" statement skipped: condition test deferred
2018-05-31 08:02:05 +0000 1fOIX5-0001rg-AM malware acl condition: cmdline  : scanner returned error code: 13
2018-05-31 08:02:05 +0000 1fOIX5-0001rg-AM H=([IPv6:2a00:6020:1efc:ee20:8857:7824:6a49:8368]) [2a00:6020:1efc:ee20:8857:7824:6a49:8368]:48523 I=[2a01:4f8:141:429::2]:465 Warning: ACL "warn" statement skipped: condition test deferred

Each of the three cmdline scanners caused an error, as shown above.

It seems there was a change in Exim from upstream, as reported by another user. Somehow it seems that if you define a cmdline scanner that uses a chain of commands, when there was an error return code encountered in the middle of the chain, the whole chain is considered failed.

To “fix” this issue (or rather work-around it), I changed the three ACL clauses as follows:

   warn  message                = This message contains malware ($malware_name)
         set acl_m0      = cmdline:\
-                               /usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s; /bin/echo -e \N"\navira_retval $?"\N:\
+                               /usr/local/bin/avscan_wrapper %s:\
                                \N^avira_retval 1$\N:\
                                \N^.*ALERT::[ \t]+([^;]*)[ \t]+;.*$\N
         malware                = *

I created a “wrapper” that effectively hides error return codes, and forces a return code of 0. The above wrapper looks like this:

#!/bin/bash

ARG="$1"

/usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all "${ARG}"
/bin/echo -e "\navira_retval $?"

exit 0

To make sure I didn’t break the malware scanning by my changes, I downloaded the EICAR test virus and sent it to myself. Exim caught the “virus” and ditched it.

Sony Xperia X Compact Modding

I decided to write this post since I couldn’t find any single page that lists all the “secrets” you need to know when modding your Sony Xperia X Compact (XC) codenamed “Kugo” in a concise manner and in a single place. And after half a year when I last tinkered with my XC, I had forgotten about all the details again, so I had to research them again anyway…

I give credit to the following XDA people (but not limited to them, I apologize to those who I might have forgotten):

General Approach

The general approach when modding your phone is the following:

  1. Flash custom recovery
  2. Backup current installation/data
  3. (Optionally: flash latest stock firmware)
  4. (Optionally: flash custom recovery that works with your new stock firmware)
  5. Root
  6. Flash other mods or use “root” apps

Custom Recovery

Fastboot Mode

First let’s explain what “fastboot mode” is: Fastboot is both a tool and a protocol for writing data directly to your phone’s flash memory. In practical use, it is used to flash images such as recoveries, bootloaders, and kernels to your Android device.

The “fastboot” tool (as well as “adb” which is also needed when tinkering with your Android smart phone) is part of the Android “platform tools,” which you can download directly from Google (roughly 4M only).

To bring your phone into fastboot mode, perform the following steps:

  1. Switch the phone off.
  2. Hold “Volume up” and connect your phone to the USB port of your PC. The notification LED should first light up in red, then blue, and provided you have correctly installed drivers, you will be able to use fastboot commands.
    Note that the screen will remain black. You can check whether you are in fastboot mode with the following command:

    $ fastboot devices
    BH901XXXXX    fastboot

    If you see output similar to the above, you have successfully put your phone in fastboot mode.

Continue reading Sony Xperia X Compact Modding

Get certificates for “internal” hosts from Let’s Encrypt

I have a pretty large internal IT “landscape” in my house, and as an IT pro I want everything to be clean and “safe.” So even internally I’m using official SSL (or I should say “TLS”, as SSL 2.0 or 3.0 is deprecated since many years…) certificates for my router, WiFi access points, NAS devices, intranet server, etc., using host names in my own domain. I host this domain DNS-wise myself on a root server I rent from Hetzner.

Before the StartSSL disaster I got my certs from them. Afterwards I switched to WOSign, but now that they had their scandal as well, what to do?!

Well, Let’s Encrypt, a free public CA, is something I’m using anyway for my root server since they started operating. But to verify ownership of a domain name you had to run a web server on that respective host — something I can’t easily do for my internal hosts, as they have private IP addresses only, and their host names are not even publicly visible (they don’t have  a public A record, only one visible in my internal LAN). Even for my router’s externally visible host name I can’t easily use an HTTP-based challenge, as for security reasons I don’t want to operate a web server there.

By chance I came across the dns challenge that is now available in Let’s Encrypt’s certbot. This challenge works by deploying a TXT record that certbot requests to be under this domain name. Once you did this, you tell Let’s Encrypt to check, and if they find the TXT record this proves that you have authority over the domain.

Using it is quite straight forward:

# certbot certonly --manual -d hostname.internal.bergs.biz --preferred-challenges "dns"
[...]
Please deploy a DNS TXT record under the name
_acme-challenge.hostname.internal.bergs.biz with the following value:

YrAE-fmu-Zjsdhsjhd328723hjdhjcjHJJHJhds

Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue

A few seconds later I had successfully received my certificate.

So now I will write a script that will run periodically on my intranet server, and that will retrieve the then-current certificates for my internal hosts from my root server, and deploy them internally.

Hard drive slot does not matter in Synology

You can read all over the internet that it’s important to put your hard drives into their original slots, e. g. when you migrate to a new Synology device, or when you need to remove the drives to add memory.

This is simply not true.

As expected DSM, which is a flavor of “Linux,” will automatically discover your physical partitions based on the GUIDs each partition has, and then reassemble your volumes. I just tested this (i. e. intentionally put the drives into the device in the wrong order) with a JBOD volume, and I had no issues whatsoever. I cannot see why this should be different with SHR or RAID-5, for example.

If you have also tested this, please let me know how it went for you.

Securely erase Drives on Synology NAS

I had to erase an external hard drive, a WD My Book, because I had to return it due to defects. So I searched on the web how to do that on a Synology DS916+ NAS, but I could not easily find the solution. Therefore I did a more generic search how to do it under Linux, and came across the tool “shred” which I had used years ago for the last time.

I checked on my NAS, and the tool was readily available. So I ran the following command to securely erase the (external) hard drive:

 shred /dev/sdq1

Hope this helps people who need to accomplish the same.

Stop Windows from waking up from Sleep for Updates

Since I have Windows 10 on my PC, I have a very annoying behavior, namely that Windows wakes up from sleep in the middle of the night to perform a reboot to install updates.

There is many “hacks” on the Internet how to disable this, but the only “proper” way seems to be by defining a Group Policy:

  • Run Group Policy Editor: gpedit.msc
  • Open branch Computer Configuration\Administrative Templates\Windows Components\Windows Update\
  • Set node Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates to Disabled

This should stop your PC from resuming from sleep to install updates.

Please let me know if this helped.

Monitoring Microsoft SNDS Status

If you operate a mail server, you should be aware of its “reputation,” because a bad reputation can give you issues sending email to certain recipients.

Microsoft operate a set of services called “Smart Network Data Services (SNDS)” to protect their own email services. If they see spam or other “malicious” activity from your address space, they might put you on a blacklist, and based on that reject email from you. It is easy to register yourself so that you can query the status of your IP address space. Just visit the above site and get started.

I created a quick’n’dirty monitoring script for Nagios to monitor the status of my IP address space in SNDS. Whenever there is data for one of my IP addresses, this script will return a WARNING status, so that I can look into it.

The script looks like follows:

#!/bin/bash

URL='https://postmaster.live.com/snds/ipStatus.aspx?key=12345678-1234-1234-1234-0123456789ab'

content="$(curl -s $URL)"
size=${#content}

if [ $size -gt 0 ]; then
    echo "WARNING:SNDS status seems to be UNHEALTHY"
    exit 1
fi

echo "OK:SNDS status is OK"
exit 0

You also need command and service definitions in Nagios as follows:

define command{
        command_name    check_snds
        command_line    /usr/local/lib/nagios/plugins/check_snds
}

define service {
        host_name                       my_host
        service_description             SNDS
        check_command                   check_snds
        use                             generic-service-internal
        notification_interval           0 ; set > 0 if you want to be renotified
}

Now, Nagios will monitor the “reputation” of your address space for you.

Migrating from Synology DS415+ to DS916+

Today I migrated from a Synology DS415+ (upgraded to 8 GB myself) to a brand-new, unused Synology DS916+ (8 GB factory equipped.)

I followed the instructions given by Synology, but as my actual experience was considerably different (actually easier!) from what supposedly should have happened, I’m documenting them here for reference.

I started by upgrading the old unit to the latest DSM version, and then shutting it down. I moved all four hard drives to the new unit, making sure the same order of the drives in the drive bays was maintained.

I then switched on the new unit and launched the web UI in a browser. This is what I got:

synology-migration-01 Continue reading Migrating from Synology DS415+ to DS916+

Capture MiniDV tapes via Firewire

Until some years ago I was using a Canon MiniDV camcorder to record home videos, but since then I had switched to one using SD cards. I have about 40 tapes left which I wanted to capture for “posterity”, but it turned out that it was not as easy as I thought…

My first try was to do it on my (somewhat elderly) MacBook Pro. It still has a Firewire (IEEE 1394) port, and I quickly found out on the Internet that I should be able to grab video from the camera using iMovie. Well, that was indeed pretty straight-forward, apart from that I had strange issues with some tapes. For some tapes, iMovie would simply report “No data from device”, even though the tapes played well on the camcorder. I would write a large number of very small files to the Mac, instead of relatively few large ones that I expected according to the source material.

So I searched for alternatives.

I quickly came across a tool called WinDV which I had actually used 10 years ago already. 🙂 Turned out that the tool still works under Windows 10, which I found pretty amazing, and that it could capture some tapes I couldn’t capture using iMovie. Still, there were some tapes that not even WinDV could capture…

I resumed my search for a suitable tool, and then came across DVgrab, which runs under Linux (Ubuntu in my case). Apart from installing it, there was nothing to do, no device nodes to create, no permissions to be modified, etc.

To make a long story short, DVgrab seems to be the perfect tool for me. Completely non-interactive, which is a big pro in my eyes because it eliminates human error (to make sure settings are the same all the time), and it finally could capture the tapes the other tools couldn’t capture. I have no clue why they failed, as the tapes seemed to contain all the required info (actual, correct timecode).

Just for reference, this is the command-line I used:

dvgrab --autosplit --timestamp --size 0 --rewind Florida-

These parameters make sure the input is split automatically into separate files (starting with “Florida-“) if a discontinuity in the timecode is detected, the tool includes the timestamps from the timecode in the filenames, it creates files of unlimited size (otherwise it would split output in 1 GB chunks), and it will rewind the tape prior to capturing it. Output files will be named like  follows:

-rw-r--r-- 1 rabe rabe 149M Jan 26 21:32 Florida-2009.05.06_13-55-15.dv
-rw-r--r-- 1 rabe rabe  69M Jan 26 21:32 Florida-2009.05.06_14-25-25.dv

It can be that simple!

I hope you enjoyed this blog post. Please leave a message  if it was in any way helpful.