Category Archives: English

Monitoring Microsoft SNDS Status

If you operate a mail server, you should be aware of its “reputation,” because a bad reputation can give you issues sending email to certain recipients.

Microsoft operate a set of services called “Smart Network Data Services (SNDS)” to protect their own email services. If they see spam or other “malicious” activity from your address space, they might put you on a blacklist, and based on that reject email from you. It is easy to register yourself so that you can query the status of your IP address space. Just visit the above site and get started.

I created a quick’n’dirty monitoring script for Nagios to monitor the status of my IP address space in SNDS. Whenever there is data for one of my IP addresses, this script will return a WARNING status, so that I can look into it.

The script looks like follows:

#!/bin/bash

URL='https://postmaster.live.com/snds/ipStatus.aspx?key=12345678-1234-1234-1234-0123456789ab'

content="$(curl -s $URL)"
size=${#content}

if [ $size -gt 0 ]; then
    echo "WARNING:SNDS status seems to be UNHEALTHY"
    exit 1
fi

echo "OK:SNDS status is OK"
exit 0

You also need command and service definitions in Nagios as follows:

define command{
        command_name    check_snds
        command_line    /usr/local/lib/nagios/plugins/check_snds
}

define service {
        host_name                       my_host
        service_description             SNDS
        check_command                   check_snds
        use                             generic-service-internal
        notification_interval           0 ; set > 0 if you want to be renotified
}

Now, Nagios will monitor the “reputation” of your address space for you.

Migrating from Synology DS415+ to DS916+

Today I migrated from a Synology DS415+ (upgraded to 8 GB myself) to a brand-new, unused DS916+ (8 GB factory equipped.)

I followed the instructions given by Synology, but as my actual experience was considerably different (actually easier!) from what supposedly should have happened, I’m documenting them here for reference.

I started by upgrading the old unit to the latest DSM version, and then shutting it down. I moved all four hard drives to the new unit, making sure the same order of the drives in the drive bays was maintained.

I then switched on the new unit and launched the web UI in a browser. This is what I got:

synology-migration-01 Continue reading Migrating from Synology DS415+ to DS916+

Capture MiniDV tapes via Firewire

Until some years ago I was using a Canon MiniDV camcorder to record home videos, but since then I had switched to one using SD cards. I have about 40 tapes left which I wanted to capture for “posterity”, but it turned out that it was not as easy as I thought…

My first try was to do it on my (somewhat elderly) MacBook Pro. It still has a Firewire (IEEE 1394) port, and I quickly found out on the Internet that I should be able to grab video from the camera using iMovie. Well, that was indeed pretty straight-forward, apart from that I had strange issues with some tapes. For some tapes, iMovie would simply report “No data from device”, even though the tapes played well on the camcorder. I would write a large number of very small files to the Mac, instead of relatively few large ones that I expected according to the source material.

So I searched for alternatives.

I quickly came across a tool called WinDV which I had actually used 10 years ago already. :-) Turned out that the tool still works under Windows 10, which I found pretty amazing, and that it could capture some tapes I couldn’t capture using iMovie. Still, there were some tapes that not even WinDV could capture…

I resumed my search for a suitable tool, and then came across DVgrab, which runs under Linux (Ubuntu in my case). Apart from installing it, there was nothing to do, no device nodes to create, no permissions to be modified, etc.

To make a long story short, DVgrab seems to be the perfect tool for me. Completely non-interactive, which is a big pro in my eyes because it eliminates human error (to make sure settings are the same all the time), and it finally could capture the tapes the other tools couldn’t capture. I have no clue why they failed, as the tapes seemed to contain all the required info (actual, correct timecode).

Just for reference, this is the command-line I used:

dvgrab --autosplit --timestamp --size 0 --rewind Florida-

These parameters make sure the input is split automatically into separate files (starting with “Florida-“) if a discontinuity in the timecode is detected, the tool includes the timestamps from the timecode in the filenames, it creates files of unlimited size (otherwise it would split output in 1 GB chunks), and it will rewind the tape prior to capturing it. Output files will be named like  follows:

-rw-r--r-- 1 rabe rabe 149M Jan 26 21:32 Florida-2009.05.06_13-55-15.dv
-rw-r--r-- 1 rabe rabe  69M Jan 26 21:32 Florida-2009.05.06_14-25-25.dv

It can be that simple!

I hope you enjoyed this blog post. Please leave a message  if it was in any way helpful.

Synology refuses to admit annoying “Cloud Sync” Bug

Since about half a year I’m struggling with a very annoying bug in Synology’s “Cloud Sync” package I’m running on my expensive Synology DiskStation DS415+ NAS. It is still present as of today’s DSM 6.0.2-8451 Update 2.

I would like to backup my photos to my Amazon Drive/CloudDrive. As an Amazon Prime customer I can store an unlimited number of images, and only images — other files, like *.xmp sidecar files, will count against my general 5 GB limit.

The problem is that Synology’s Cloud Sync will upload the sidecar files, even though I explicitly only select “Images” to be backed up (and *.xmp is not part of Images, as I will show you!). Continue reading Synology refuses to admit annoying “Cloud Sync” Bug

Update U-Boot on TP-Link TL-WDR4300

A couple of days ago while I was working from home my trusted TP-Link TL-WDR4300 seemed to have died suddenly (just a couple of days after the two year warranty had expired!) — at least this was the result of my initial investigations.

The symptom I had is that suddenly my internet connection seemed to be down — which was surprising enough, as since I upgraded to VDSL2 vectoring my line was rock-solid, and it normally dropped only once a month or even once every couple of months. When I tried to find out what happened I noticed that my router was inaccessible, I couldn’t even ping it. I thought it had crashed, so I power-cycled it to reboot it, but it didn’t come up…

So my conclusion was that it had died.

I quickly reconfigured a Linksys WRT1200AC which I bought a couple of months ago as a spare device, meant to replace the current router “one day”, and put it into operation…

Today I spent some time investigating what actually happened. I wanted to use the serial console of my rev. 1.7 device (the PCB is rev. 1.3), but found that there was no connector in place for the UART, just the holes in the PCB.

dav

So I quickly soldered in the pins, and connected the router to a laptop.

sdr

To my surprise the router booted without any issue at all. I played around with it until I was sure that there was absolutely no problem — I thought the file system in the flash memory might have been corrupted, but everything was ok.

So now that I had opened the device and connected a laptop to the serial console, I thought it would be a good occasion to update the U-Boot boot loader to a modified one by “pepe2k” that adds a lot of very useful features.

I used the instructions pepe2k provided on Github, specifically the part where he describes how to install via TFTP from the serial console. The “biggest challenge” was to find where to download the actual boot loader binary. Finally I found it here.

My VerizonWireless prepay experience

We just returned from a one month vacation trip to Florida. In order to be able to use the internet when on the go, and also to be able to make and receive phone calls we decided to use a prepay card from VerizonWireless (VZW), as they seem to have the best 4G (LTE) coverage. The SIM is normally $45 for a month, including unlimited texts and calls and 1 GB of data, but we got it from Walmart for about $37, plus we received a free one-time bonus of 1 GB data when we activated the SIM via phone.

Our customer experience was pretty bad, and I want to share with you what kind of problems we had so that you can avoid those if possible.

The phone I intended to use was an iPhone 6 Plus. This cell phone is among the cell phones that have the most LTE bands available in the world, and I explicitly checked to make sure that VZW’s bands are covered. But when I tried to use the phone it couldn’t attach to the network. I got in touch with VZW, and it turned out that they only let phones use their network (with their own VZW prepay SIMs, that is!) that have been sold by or for VZW. But after talking to them for a while and letting them know about my disappointment (because in Europe this doesn’t seem to be common) they agreed to make an exception and have my iPhone authorized to use the network.

Even after four days (they said it should take 48 hours max), more than 3.5 hours talking to or chatting with their support, and even changing the SIM in a nearby VZW store, my iPhone still didn’t work, so I looked into other options. It turned out that you can buy simply 4G cell phones here real dirt cheap, so I bought a Motorola Moto E (2nd Gen) for less than $50. This phone immediately worked with the SIM I had.

I logged onto their MyVerizon prepay Desktop Home page to check and update some settings. This portal was another really bad experience, something which you really cannot ask your customers to use. The issues I encountered were the following:

  • After I had entered my address here in Florida (we lived in the house of relatives), there was trailing characters in the street address which I didn’t enter, and which I could not remove by any means.
  • Furthermore I couldn’t change my device from the original iPhone 6 Plus to the new Motorola Moto E — all changes (including IMEI which was verified to be “valid” and “known” to VZW) seemed to the accepted, and change of device was confirmed, but when I went into the main menu and back to “Device” the iPhone was still listed.
  • In addition I couldn’t change my Voice Mail PIN, probably the reason why voice mail was not available for my SIM during the whole month of our stay.

As an alternative to the bad web portal I installed the “My Verizon Mobile” Android app, but that was disappointing, too. There was absolutely no way to tell the app not to ask for the password again — a bad thing as I normally use “strong” passwords which I cannot easily remember, so how to use the app when on the go?! More issues encountered were

  • “Usage” details permanently give me “An error occurred while processing your request;”
  • in “My Features” I couldn’t activate the “Block Premium Messaging” option (even though changing the switch produced a confirmation that said the change was successful); every time I return to this menu item the setting is back to allow premium messaging;
  • in “Settings” > “Contact Info” I couldn’t make any changes, as the app declared my email address invalid (as it contains a “+” in the so-called “local-part,” which is the part left of the “@”). That was of course nonsense, as RFC-2822 allows such email addresses, I constantly receive mail on such addresses and VZW’s web portal allowed it as “valid;”
  • changing my Voice Mail Password (PIN) was also impossible in the Android app. I always got an error message saying “We are sorry, but we are not able to process your request at this time. Please try again later.”

What I must admit, though, their staff were always very friendly and tried to help — but what can you do if your IT systems let you down?!

The main reason I write this blog post is to let people from Europe know about the limitations they might encounter when trying to use their own phone with a local prepay SIM. But I also want to let VZW know my frustration with their bad self-service tools. This is not how you treat your valuable customers!!!

Hacking the Genexis FiberTwist-P2410

In my previous article I described the key components the Genexis FiberTwist-P2410 is comprised of. One of these components is the serial console connector, and its presence was so tempting that I simply had to play with it…

Layout of Serial Console Connector
Layout of Serial Console Connector

So I connected a UART-to-USB converter and watched the console output while the device boots… Communications parameters were easy to guess: 115,200 bps, 8N1, no handshake (neither HW, nor SW)… Continue reading Hacking the Genexis FiberTwist-P2410

uhttpd with a certificate chain

To secure access to my router I wanted to use SSL encryption to access LuCi, so I obtained a certificate issued by a well-known CA. The server certificate was not issued directly off the CA, but there was a certificate chain in between.

Using a certificate chain with OpenWrt’s uhttpd is really easy, although as of today this is not yet even documented to be possible on the OpenWrt web site.

I’m using uhttpd_2015-11-08 from a trunk build (r48648) of “Designated Driver”, and certificate chains can be used here without problems.

I didn’t even have to convert from PEM to DER, I just concatenated the server cert and intermediate certs into a single file:

cat /root/server.crt /root/1_root_bundle_1.crt /root/1_root_bundle_2.crt >uhttpd.crt

Hope this helps. If it does please leave a message, thank you.

Monitor DrayTek Vigor 130 Line Status

I recently got myself a new DSL modem, namely a DrayTek Vigor 130, as I switched from ADSL2 to VDSL2-Vectoring, so that I couldn’t use my Allnet ALL0333CJ Rev. C any longer.

As I monitor about everything (just kidding) with Nagios, I certainly wanted to implement a check of the modem’s line status.

Here’s what I came up with:

# ARG1: community
define command{
        command_name    snmp_modem_status
        command_line    /usr/lib/nagios/plugins/check_snmp -H '$HOSTADDRESS$' -C '$ARG1$' -o SNMPv2-SMI::transmission.94.1.1.3.1.6.4 -P 2c -r "53 48 4F 57 54 49 4D 45"
        }
define host {
        host_name       dslmodem
        address         192.168.0.1
        use             generic-host-internal
        parents         gw
}

Nagios is running on my intranet server. The next hop when seen from Nagios is my Internet gateway (host “gw”, my router), and from there the next hop is the DSL modem (host “dslmodem.”)

Hope this helps someone… If it does please leave a quick message here in this blog, thanks…

Avira can’t get their DNS Setup right

Since many months I’m seeing the following issue with Avira‘s DNS setup, and I’m thinking it’s extremely embarassing for a company working in IT Security not to even get the basics right… :-(

This is what I’m seeing:

named[2597]: DNS format error from 89.146.248.46#53 resolving dl4.pro.antivir.de/AAAA for client 127.0.0.1#52127: Name avira-update.net (SOA) not subdomain of zone antivir.de -- invalid response

So what does that mean?

Let’s have a look at which nameservers Avira are using anyway:

$ dig -t ns antivir.de

;; ANSWER SECTION:
antivir.de.        3600    IN    NS    ns13.avira-ns.net.
antivir.de.        3600    IN    NS    ns10.avira-ns.de.
antivir.de.        3600    IN    NS    ns9.avira-ns.net.
antivir.de.        3600    IN    NS    ns12.avira-ns.de.
antivir.de.        3600    IN    NS    ns14.avira-ns.de.

;; ADDITIONAL SECTION:
ns10.avira-ns.de.    86400    IN    A    80.190.154.111
ns12.avira-ns.de.    86400    IN    A    89.146.248.46
ns14.avira-ns.de.    86400    IN    A    74.208.254.45

Ok, so 89.146.248.46 in the error message quoted above is indeed one of the nameservers for domain antivir.de.

So let’s look up the IPv6 address record (AAAA) for dl4.pro.antivir.de on the given nameserver:
$ dig @89.146.248.46 -t AAAA dl4.pro.antivir.de

;; AUTHORITY SECTION:
avira-update.net. 3600 IN SOA ns1.avira-ns.net. domains.avira.com. 2015010301 10800 3600 2419200 3600

WTF?!

Why are they returning a domain name that is not a subdomain of the original domain?! That’s an error.

And it’s especially embarassing as this is the update URL for Avira’s AntiVir product. Again remember we’re talking about a security firm here!