Tuesday, 30 August 2016

Let down by my fingerprint

Logging in to one of my servers was irritatingly slow, so I decided to fix it. Instead of logging in with ssh, I used ssh -vvv which gives lots of information about what's going on. None of it helped.

Then I noticed that it wasn't only slow when I logged in with ssh, it was also slow when I was already logged in, and wanted to change the user with "su". Which means that it isn't an ssh issue, it's an authentication issue.

So I logged in using su, and had a good look at the syslog (/var/log/messages).

Aug 30 01:37:02 volds dbus[20339]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service'
Aug 30 01:37:02 volds systemd: Starting Fingerprint Authentication Daemon...
Aug 30 01:37:02 volds dbus[20339]: [system] Successfully activated service 'net.reactivated.Fprint'
Aug 30 01:37:02 volds systemd: Started Fingerprint Authentication Daemon.

It's trying to check my fingerprint! And I don't even have a fingerprint reader. Where did that come from?

So I stopped it with "systemctl stop fprintd.service", and now logging in is instant. But I don't want it to happen each time I start up the computer, so I disabled it with "systemctl disable fprintd.service".

Monday, 29 August 2016

Catch 22

I got this email.

Date: Mon, 29 Aug 2016 14:04:56
From: Numerology <>

Subject: The Meaning of 04.
   1 Shown      2 lines  Text
   2   OK     164 lines  Text

Your email client does not support HTML, this email must be viewed in HTML mode.
Ah, but I did maths at uni, so I know the meaning of 04. It's the number after 03.

But there's no clue in the email about *how* I might view it in HTML mode, and there's no link to go to.

Not that I would go to your web site. Because I already know the meaning of 04.

And ...

I got a bounce from Google, telling me that it blocked something because it was harmful. Well, thanks for that, Google, but I just counted the number of trojans in my mailbox sent over the last six hours, and there's 103 of them. Blocking one hasn't really done much.

Sunday, 28 August 2016

I'm Spartacus

Since I started making all these changes, several of my servers have been intermittently cut off, and I was wondering why. But I think I've worked it out.

These were all servers that were behind a second pix. Because instead of using a pix which has three ethernet connections (inside, outside and dmz), I was using two pixes that each had two ethernet connections. So packets that arrived in my dmz had to go through another pix before they were allowed to the innermost area. Why? Because A) it's easier to configure a two-headed firewall than a three, and B) two two-headed firewalls are somewhat cheaper than a three-header, and C) I already had the two-headers.

So as part of the changes, I moved several servers (raspberry pis, actually, because I use them for light duties instead of a big heavy normal server, because they're really cheap and very economical on power - a proper server might pull 250 watts, whereas a pi takes about 10) from behind that second firewall, to connect directly to my big shiny pix525. But I didn't bother to switch off that second firewall.

So as a result, the second firewall was still announcing the IP addresses of the servers that it didn't actually control, while the servers themselves were also announcing themselves.

I'm Spartacus.
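
Two boxes answering for one address shows up on the wire as ARP replies that carry different MACs for the same IP, which is also what a host impersonating a server looks like. As an added example that is not part of this post, the script below flags such addresses in tcpdump-style ARP output; the capture is constructed and the field layout assumed is that of `tcpdump -n arp`.

```sh
#!/bin/sh
# Added example (not from the post): list IP addresses that more than one
# device is claiming, from tcpdump-style ARP output. Two firewalls each
# answering for the same server address produce exactly this pattern.

# Constructed sample capture, in the shape of `tcpdump -n arp` output.
ARP_SAMPLE='13:01:02.000001 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28
13:01:02.000120 ARP, Reply 192.0.2.10 is-at 02:00:00:00:00:aa, length 28
13:01:02.000300 ARP, Reply 192.0.2.10 is-at 02:00:00:00:00:bb, length 28
13:01:03.000001 ARP, Reply 192.0.2.20 is-at 02:00:00:00:00:cc, length 28
13:01:04.000001 ARP, Reply 192.0.2.10 is-at 02:00:00:00:00:aa, length 28
13:01:05.000001 ARP, Reply 192.0.2.30 is-at 02:00:00:00:00:dd, length 28'

# Read ARP traffic on stdin; print "ip mac1 mac2 ..." for every IP that
# has been claimed by more than one MAC. Requests are ignored, and a MAC
# repeating its own claim (the second 02:..:aa reply) is not a conflict.
contested_ips() {
  awk '
    / ARP, Reply / {
      ip = $4; mac = $6; sub(/,$/, "", mac)
      key = ip SUBSEP mac
      if (!(key in seen)) {
        seen[key] = 1
        macs[ip] = macs[ip] " " mac
        n[ip]++
      }
    }
    END { for (ip in n) if (n[ip] > 1) print ip macs[ip] }
  ' | sort
}

# Run the check over the constructed capture. On a live network the same
# function works as: tcpdump -ln -c 500 arp | contested_ips
check_sample() { printf '%s\n' "$ARP_SAMPLE" | contested_ips; }
```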

Saturday, 27 August 2016

From the Windows Technical Service

David called. There's a problem with my Windows computer.
"Oh no!" I said, doing a pretty good impression of a scared and stupid muggins.

He spent five minutes talking me through doing things with the computer before I revealed that the computer was in the other room, and it was taking so long because I had to go back and forth between that and the phone.

He told me to move the computer next to the phone and he'd call me back.

Actually, Richard called me back. Richard was a lot easier for me to understand, David's accent was tough for my ears. So Richard talked me through starting up the computer, and running "Event Viewer" and he told me that each line of that represented an error in my computer, but not to worry, he'd walk me through fixing it. I was *so* grateful!

So then Richard and I started up Firefox, and downloaded an application from that would let him control my computer. The file downloaded, and then he got me to click on it to install it. And it was at that moment that the screen went blank! "What do I do now?" I asked. He tried talking me through clicking on things, but I kept saying that the screen is blank, there's nothing to click on, until eventually he twigged and got me to power cycle the computer. "Ooh, you've fixed it," I said, "I'm so happy! Thank you so much." "No wait," he said, "there's more to do."

So we went round that loop again, download, click, blank screen, and then he passed me over to Roger. Roger had a really clear voice, I could see that I was at the top of the tech support tree now. The only higher power would be Bill Gates (who I met once, by the way, but that's another story). He talked me through starting up Internet Explorer and accessing the "Support Me" web site. He gave me a six digit number, which was his account number, and that was great, because there was a place on the site to report abuse, which I did, and I would hope that by now they've cancelled the account.

And it was shortly after that, that Roger just hung up on me without even a "Have a nice day".

Audit tip

There's a thing that runs on your Fedora server that's auditing everything that happens; this can be great for security. But because of the way it works, it not only logs to the audit file, it also logs to the system log. That's the thing in /var/log/messages that is so useful for working out what's gone wrong when you tried to start up the name server.

The problem is, by the time you look at /var/log/messages to diagnose your nameserver problem, it's full of audit messages, and the ones you want to see have got scrolled up.

So here's what you do.

Edit /etc/rsyslog.conf and add

if $msg contains 'audit' or $programname contains 'audit' then /var/log/myauditlog
if $msg contains 'audit' or $programname contains 'audit' then stop

Then restart the system log with

systemctl restart rsyslog

Hey presto! All the audit logs still go to the myauditlog file, but they don't clutter up the main system log!
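
As an added check that is not part of the post, the script below replays those two rules with awk over a few constructed syslog lines, so you can see which ones get diverted before touching the real config. It assumes the traditional "Mon DD HH:MM:SS host program[pid]: message" line layout, and it shows that a substring match on 'audit' also pulls out ordinary messages that merely mention the word.

```sh
#!/bin/sh
# Added example, not from the post: replay the rsyslog routing rules over
# constructed log lines. Assumes the classic syslog line layout
# "Mon DD HH:MM:SS host program[pid]: message".

# Constructed sample lines (not real log data).
SAMPLE_LOG='Aug 30 01:37:02 volds audispd: node=volds type=USER_LOGIN msg=audit(1472517422.123:456): pid=1 uid=0 res=success
Aug 30 01:37:02 volds dbus[20339]: [system] Activating via systemd: service name=net.reactivated.Fprint unit=fprintd.service
Aug 30 01:37:03 volds named[1234]: zone example.invalid/IN: loaded serial 2016083001
Aug 30 01:37:04 volds kernel: audit: type=1400 audit(1472517424.001:457): avc: denied { read } for pid=1
Aug 30 01:37:05 volds httpd[999]: security audit of uploads directory finished, nothing found'

# Mirror of: if $msg contains "audit" or $programname contains "audit".
# $1 is "audit" or "main"; prints the stdin lines that would be diverted
# to /var/log/myauditlog or left in /var/log/messages respectively.
route_syslog() {
  awk -v want="$1" '
    {
      # $programname: field 5 with the [pid] and trailing colon removed.
      prog = $5; sub(/\[.*$/, "", prog); sub(/:$/, "", prog)
      # $msg: everything after the program tag.
      msg = ""
      for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
      isaudit = (index(msg, "audit") > 0 || index(prog, "audit") > 0)
      if ((want == "audit") == isaudit) print
    }'
}

# The two destinations, applied to the constructed sample.
audit_lines() { printf '%s\n' "$SAMPLE_LOG" | route_syslog audit; }
main_lines()  { printf '%s\n' "$SAMPLE_LOG" | route_syslog main; }

# The httpd line is diverted too: "contains" is a plain substring test,
# so any program that mentions "audit" in a message leaves the main log.
```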

Wrestling with DNS

Once you've got DNS set up, it kind of lasts forever. Kind of. Except when ...

As part of my comprehensive upgrade, I've moved a lot of the servers to Fedora 24, the latest version. And some of them go *way* back - version 9 was quite common in my farm, and that's about ten years old. I even have some servers running a Fedora from before it was called Fedora! So anyway, on to version 24. And, of course, between the versions ancient and modern, there's been big changes.

One change is DNS Sec, the "secure" version of DNS. I decided to skip that for now, it's a whole other can of worms, I'll do that later.

Another change is that the order in which you have sentences in the DNS data file is now a lot stricter. I had to go through all my data files, a couple of dozen of them, and move a line from line 2 to line 4.

Another change is that when a master sends data to slaves (I'm surprised that the SJWs haven't picked up on this terminology yet), the data that arrives is in compressed format, to save space and for faster loading. But since I only have a couple of dozen, space isn't as important to me as legibility, so I had to change that.

So I edited all my DNS data files, and created four new nameservers (called, imaginatively, ns3, ns4, ns5 and ns6, because I already have ns1 and ns2 running) which will sit on the new fast line (although at the moment, they're on the old slow line), and then it was time to tell Network Solutions and Godaddy about the changes.

DNS is important. When you access a computer over the internet, the computer has a four-part number, that looks like this: So, for example, Google is
But you don't want to try to remember the numbers, you want to remember names, like Your computer will translate the name to the number, and here's how.

First, it goes to one of the root nameservers. There are 12 companies that run these, and I expect each company is using a whole bunch of computers to provide the service. When you want to go to, the root tells your computer "I don't know the answer, but if you ask Network Solutions, they'll know". So your computer asks Netsol. Netsol says "I don't know, but if you ask, you'll get the answer there". And will tell you, which is run by Google, who kindly host this blog at no cost. So now you can read my blog!

Network Solutions is a company that (among other things) acts as a registrar for domain names. So, for example, when I first registered ( was already taken by an antivirus company) I went to Netsol and did it there, paying a ridiculously large amount of dollars for a very tiny and totally automated service. Then I tell Netsol the IP addresses of my name servers, and my name servers redirect requests to, for example,, to the appropriate IP address. I'm mostly not with Netsol now, they're very expensive and not as user-friendly as GoDaddy. Although you really can't imagine how totally user-hostile it all was 20 years ago - you had to send a carefully crafted and formatted email to make any change, and I was always nervous about whether I'd got it right, and how to fix any errors. But it's all web-based now.

So I logged on to, clicked on "manage account", and instead of doing what I'd come for, I diverted to update my credit card details. Then "My Domain Names" ... "Manage name servers" and I created the new nameservers, giving the IP address that they'll have with the fast line. So now I have two nameservers using the old IPs, and four with the new. I've done that so that the information can spread through the internet over the next few days. Then I updated the list of nameservers for each of the domains I have with Netsol, so now it knows about six nameservers for each of my domains. Job done, logged off.

Then I logged on to Godaddy, who, by the way, are advertising that you can set up your own web site for £0.99 for the first year (if you sign up for two years), which might be interesting to someone who just wants a little web site for fun, although most likely your ISP already gives you web space for free. I went to "Domains" ... "Manage" which took me to a list of the couple of dozen domains I run. I clicked on the tick that checked the check boxes for all of them, so that I could update them all in one swoop, clicked on "nameservers" and "set nameservers", chose "custom" and added the two new nameservers ns5 and ns6 to the list. I clicked on "Save" and that should mean that all the domains now have the same six nameservers.

The nameservers run on my computers, and they're currently directing people to the old IP addresses, but once the news of these nameservers propagates around the internet, I'll be able to switch to the new IP addresses very easily, just editing stuff on my computers.

Into the fast lane

I spent today reconfiguring my network. There's a lot to do!

First, though, a speed test. This is a 100 megabit line. The tests that I've done indicate that I'm getting 92 megabits out of it, which I think is pretty good. That's also told me that the Pix 525 isn't acting as a bottleneck.

Reconfiguring isn't easy. Maybe if I did these every day, I'd be better at it, but this is a once-in-a-decade job.

Fortunately, a few years ago Daisy decided to change all my IP addresses. I begged and pleaded, but they insisted. So I had to learn how to change all my IP addresses, and it turned out to be not quite as horrible as I'd expected. And what I learned from that, has been useful in the current changes.

One of the first, and most difficult, jobs, was to get my email working on the new line. New IP addresses, new DNS servers, new nameserver addresses, and testing is really difficult because of the long lag between when I make a change and when I see if it's working. But eventually I overcame all the (mostly self-made) obstacles, and I'm getting email from Facebook, from my gmail account, and (of course) spam. Who said spam isn't useful?

I've moved the Nightmail, the Robot Arm, and some other puzzles. But there's still masses to do. Oh well - tomorrow is another day!