Resolving shared WordPress Email issue

I like using a database to directly drive my virtual web hosting – this means that each account on the system has a UID and GID, but no username associated with it (i.e. no entry in /etc/passwd or in getent passwd).

Because of this, when users try to send an email from WordPress (e.g. to reset their password), WordPress does not send the message, complaining “Possible reason: your host may have disabled the mail() function.”

The underlying cause can be found in the Postfix mail logs, where you get errors like “fatal: no login name found for user ID XXXX”.

Fixing this problem – without relying on WordPress plugins or tweaks – is simple: modify the php.ini file Apache is using by adding the following line (the -f option supplies the envelope sender explicitly, so Postfix no longer has to look up a login name for the UID):

sendmail_path = /usr/sbin/sendmail -t -i -fwww@defaultwebaddress.goes.here


Secret of Oneplus 3

The OnePlus 3 has had some interesting reviews and press coverage, and it's very much a mixed bag, but nowhere online have I read about its killer feature – FANTASTIC (almost unbelievable) RECEPTION.

I am blessed to live on a lifestyle block (i.e. semi-rural), which gets marginal coverage from 2 Degrees Mobile – my preferred provider. So marginal, in fact, that the deciding factor in purchasing my cellphones is the ability to handle 2 SIM cards, so I can fail over to Vodafone and reliably receive calls at home.

With this, my desire for a technically advanced phone and particularly my spendthrift nature, the OnePlus 3 was the obvious choice.

I’ve been disappointed in its Bluetooth and software issues, but on the flip side, the ease of rooting the phone – and keeping it rooted – along with the snappy performance for the everyday things I do have made it a reasonable purchase. So reasonable that I’ve just used it, without thinking about it.

THEN I REALISED – in the 3 months I’ve had the phone, I’ve never not been able to make or receive a call from home on my primary 2 Degrees SIM (as opposed to issues about once a week on all my previous phones). The list of phones where people have had issues includes the Samsung Note 4 (my wife’s, and my earlier phone), the LG G3 H858HK – the dual-SIM phone I managed to brick while trying to re-root it after a software upgrade – as well as a plethora of guest phones including late-model iPhones and various new Samsung devices.

Just how superior my phone’s reception is (to my wife’s Note 4, also on 2 Degrees) – and what prompted me to write this note – is that we went for a drive to Shakespeare Park: she had no coverage, yet I had strong cellphone coverage. My coverage was still excellent in the brick-enclosed water closet on site!


Hangsun S80 Lamp

I purchased one of these lamps in 2016. Below are my findings and, maybe, some help for others.

The product is not good at all – indeed, if returning it were a practical option I would – but because I live down under, shipping costs make this prohibitive, so I’ve tried to make the best of it.

Problems I encountered –

I could not download the Android app, no matter how hard I tried – I assume this is because of country restrictions set by the developer. Luckily, I reached out to them, and they responded with a QR code to download the app (not sure if this is different to the one on the base of the unit and in the manual, or if they updated their permissions), but here it is:

[QR code image]

This app seems to work a lot better than the iPad app I previously needed to use – specifically it fixes a bug where you could not set maximum brightness on the lamp, and it has a cleaner interface.

The display

The display on the unit is backlit – and the backlighting only comes on when you are interacting with it – it is also blindingly bright white light, particularly in a dark room. This means that you can’t simply look over at the clock to see it’s 3am. I greatly reduced this issue by adding a small red LED to the backlight (in series with a 150 ohm resistor, attached to the top and bottom pins of the conveniently located CON6 connector to the left of the display board). This allows me to read the display without having to turn the backlight on. Next time I open the unit, I intend to disconnect one of the 2 white LEDs which power the backlighting. (It’s not possible to simply replace one of these with a red LED, as they are merged into the display.)

The hardware

Although very, very let down by the software, the hardware appears to be OK – although it is all plastic.  The design appears to be modular and thus somewhat hackable.

One confusing and disappointing thing, though, is that the maximum lamp rating is supposedly 6 watts (according to the package this is the size of the replacement lamp, and according to an email from them this is the maximum size). The problem with this theory is that the lamp included is a 7 watt warm-white dimmable LED. While more-or-less adequate, it’s not fantastic, and certainly not as good as my previous jerry-rigged system, which used the equivalent of a 100 watt CFL bright-white light.

Other notes and letdowns

The promotional video seems to imply you can program a significant number of on-off events – this is incorrect: you are limited to a maximum of 2 events. You cannot specify which days, although you can turn the alarm on and off manually – this is nowhere near as convenient as a 7-day timer, for example.

You can’t have the light come on without an alarm – the alarm level can be set to low, but not off. This is irritating. I intend to install a switch so I can disconnect the speaker.

The light seems to turn on at random times – but without sound. Interestingly, this has stopped since I unplugged the unit for an extended period out of frustration at it coming on in the middle of the night.

On my unit, you can’t output sound over Bluetooth to the device (you are supposed to be able to, according to the manual). Not sure why this is: the unit is paired, there is just no sound output, regardless of volume!

The Amazon listing has a number of 5-star reviews – if you look at the reviewers, though, they are all (as of the time of this post) shills, having all posted exactly 2 reviews on the same 2 products. The other reviews stand at 1 star – except for mine, which I need to upgrade to 2 (I’m doing that as part of a deal I’ve done with them to get the QR code and confirmation of the maximum wattage – and to be honest, the unit is kind of usable).

Samsung 840 EVO Geometry

I recently had a need to upgrade a 500 GB (RAIDed) hard drive to an SSD. I noted that the standard geometry for a 500 GB hard drive presents as 500.1 GB, while the Samsung 840 EVO MZ-7TE500BW SSD is claimed to be fractionally smaller on the detailed spec sheets I found.

Happily this is not the case: it presents the same size as most 500 GB hard drives, i.e. RawCHS=16383/16/63.

Swap and Encfs mounting on Startup in Ubuntu

I use Ubuntu 14.04 on my laptop and have a somewhat unique setup, whereby I use DRBD and encfs to mirror and secure my data, as I understand that when SSD drives fail they tend to do so catastrophically and without warning. I thus have a rather complex boot process.

I spent the morning tidying up the boot process so it looks professional (which is not to say that this is the professional or best way to do it – but it works).

I discovered there is a dearth of information on the kinds of things I wanted to do, but I needed to become familiar with the following –

Plymouth – The fancy boot screen that Ubuntu throws up when it boots – that’s run by plymouthd. It is possible to interact with plymouthd using the plymouth command. Your mileage may vary, but I discovered that while plymouthd is running it has a pid file at /dev/.initramfs/plymouth.pid – so by checking for that file I can request the passphrase via plymouth or via a command prompt, as appropriate.

encfs – The -S switch makes encfs read the passphrase from stdin instead of prompting on the terminal, which is what lets plymouth’s answer be piped into it.

rc.local – I run this entire script from rc.local, because it’s easy enough to do, and it happens automatically and before plymouth exits.

The script is as follows:

#! /bin/bash
# Run from /etc/rc.local: bring up the network and DRBD, mount the encrypted
# data, relocate /tmp into it, then start the display manager by hand.
ifconfig eth0 my.internal.ip
/etc/init.d/drbd start
/bin/mount /dev/drbd0 /media/drbd0

# While plymouthd is running its pid file exists, so ask for the passphrase on
# the boot splash and feed it to encfs on stdin (-S); otherwise let encfs
# prompt on the console.
if [ -f "/dev/.initramfs/plymouth.pid" ]
then
        /bin/plymouth ask-for-password --prompt "Passphrase: " | /usr/bin/encfs /media/drbd0/ /data/ssd --public -S -o nonempty
else
        /usr/bin/encfs /media/drbd0/ /data/ssd --public -o nonempty
fi

# $? is the exit status of the encfs command above (and, on later rounds, of
# the one in the loop body): keep asking until the passphrase is accepted.
while [ $? -ne 0 ]
do
        if [ -f "/dev/.initramfs/plymouth.pid" ]
        then
                /bin/plymouth ask-for-password --prompt "Passphrase was not accepted.  Please enter Passphrase: " | /usr/bin/encfs /media/drbd0/ /data/ssd --public -S -o nonempty
        else
                echo "Incorrect Password"
                /usr/bin/encfs /media/drbd0/ /data/ssd --public -o nonempty
        fi
done

# We have all sorts of problems if /tmp is not mounted before X
# but we want to ensure it's encrypted !!

#echo "Note: We destroy /tmp on restart as good Linux systems do, but "
#echo "there is a backup of the last boot at /data/ssd/tmp-old"

echo "Stopping services that need /tmp or a network and fixing these"
/etc/init.d/openvpn stop
/etc/init.d/ssh stop

# Rotate the previous boot's /tmp into tmp-old and point /tmp at a fresh
# directory inside the encfs mount (-f: no error on the very first boot).
# Mode 1777 keeps /tmp world-writable but the sticky bit stops users
# deleting each other's files, as a normal /tmp has.
rm -rf /data/ssd/tmp-old
mv /data/ssd/tmp /data/ssd/tmp-old
mkdir /data/ssd/tmp
chmod 1777 /data/ssd/tmp
rm -rf /tmp
ln -s /data/ssd/tmp /tmp

dhclient eth0 &

echo "Restarting services that need /tmp  or a network"
/etc/init.d/ssh start
/etc/init.d/openvpn start

# The display managers are no longer started by the system (see below),
# so start lxdm here once /tmp and the encrypted data are in place.
/usr/sbin/lxdm

In addition I did the following:

Stopped display managers from starting under system control on boot. This is a bit weird because they exist in /etc/init (as Upstart jobs) rather than /etc/init.d where I would have expected them. Anyway, I moved gdm.conf, lightdm.conf and lxdm.conf out of /etc/init (and into a new directory called /etc/notinit which I created).

I also took steps to encrypt the swap space on startup. This does not appear to be well documented, but is quite easy. Simply make the following modifications to

/etc/crypttab  (Create it if it does not exist)

swap /dev/mapper/ubuntu--vg-swap_1	/dev/urandom swap,cipher=aes-cbc-essiv:sha256

This line creates /dev/mapper/swap on top of the backing device /dev/mapper/ubuntu--vg-swap_1, using a throw-away key read from /dev/urandom on every boot (the swap option re-runs mkswap on the freshly keyed volume).

and to /etc/fstab

/dev/mapper/swap none            swap    sw              0       0

which mounts /dev/mapper/swap (remember to comment out the old swap line, otherwise the plain backing device is still swapped on).

If you look through my rc.local script, you will see I jump through all kinds of hoops to move /tmp into encrypted space after startup. An easy alternative might be to do something similar for /tmp as I did for swap above – the downside being that it requires a fixed amount of disk space, which is carved out of my SSD.

It’s worth noting that all sorts of wonderfully weird and non-obvious failures occur if /tmp is not mounted and readable by all (including X window managers crashing and issues with sound). /tmp really needs to be usable BEFORE X is loaded.
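An added check (not from the original post) for the crypttab/fstab change above: it parses both files and flags the old plain swap line left active, a swap device with no crypttab backing, a stored rather than random key, and a crypttab entry without the swap option. The file contents below are constructed samples.

```python
import re

# Constructed sample files: the two lines from the post plus the OLD plain
# swap line, deliberately left active to show what the check catches.
SAMPLE_CRYPTTAB = """\
# <target> <source> <key file> <options>
swap /dev/mapper/ubuntu--vg-swap_1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
"""
SAMPLE_FSTAB = """\
/dev/mapper/ubuntu--vg-root /    ext4 errors=remount-ro 0 1
/dev/mapper/ubuntu--vg-swap_1 none swap sw 0 0
/dev/mapper/swap none swap sw 0 0
"""


def _entries(text):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_crypttab(text):
    """Map crypttab target name -> (source device, key file, set of options)."""
    table = {}
    for fields in _entries(text):
        if len(fields) < 2:
            continue
        keyfile = fields[2] if len(fields) > 2 else "none"
        opts = set(fields[3].split(",")) if len(fields) > 3 else set()
        table[fields[0]] = (fields[1], keyfile, opts)
    return table


def check_encrypted_swap(crypttab_text, fstab_text):
    """Return a list of problems with the swap entries; [] means consistent."""
    crypt = parse_crypttab(crypttab_text)
    backing = {src for src, _, _ in crypt.values()}
    problems = []
    for fields in _entries(fstab_text):
        if len(fields) < 3 or fields[2] != "swap":
            continue
        dev = fields[0]
        if dev in backing:
            problems.append(f"{dev}: still used as plain swap although crypttab "
                            "encrypts it; comment this fstab line out")
            continue
        m = re.fullmatch(r"/dev/mapper/(\S+)", dev)
        name = m.group(1) if m else None
        if name not in crypt:
            problems.append(f"{dev}: swap has no crypttab entry, so it is unencrypted")
            continue
        _src, keyfile, opts = crypt[name]
        if keyfile != "/dev/urandom":
            problems.append(f"{dev}: key file is {keyfile}; swap should use a "
                            "throw-away key from /dev/urandom")
        if "swap" not in opts:
            problems.append(f"{dev}: crypttab entry lacks the 'swap' option, so the "
                            "fresh random volume will not be formatted with mkswap")
    return problems


if __name__ == "__main__":
    for p in check_encrypted_swap(SAMPLE_CRYPTTAB, SAMPLE_FSTAB):
        print("PROBLEM:", p)
```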


BD-F6500 region free upgrade – Firmware 1010 / 1017 note

In case anyone has the same issue –

A few months ago I purchased a Samsung BD-F6500 from Noel Leeming (a whiteware retailer in New Zealand). A few days ago, we purchased some DVDs which were “region 2” and would not play on our NZ/AU (region 4) player.

I attempted to region-unlock the player using the method found on the Internet, i.e. start the player, open and close the [empty] disc tray, press Repeat, enter “7 6 8 8 4”, then “9” for region free. This failed to work a number of times.

With nothing to lose, I upgraded the firmware to 1017, and was then able to unlock the drive using the above process without issue on the first attempt.

(Of course, friends who download their content using filesharing networks don’t have these issues – and the media industry wonders why movie piracy is so common?)


Adding Perfect Forward Secrecy to OpenVPN

Perfect Forward Secrecy is a property of an encryption setup that frustrates the decryption of traffic captured and stored before an adversary discovers the secret key. This is done by generating a new random key every time data is transmitted.

Enabling this in OpenVPN is quite easy, but does not appear to be well documented. The steps are:

Create a common private key, e.g.

openvpn --genkey --secret /path/to/store/pfs.key

Securely distribute this key to each OpenVPN client, then add the following to the server config

tls-server
tls-auth /path/to/store/pfs.key 0

and this to each client config

tls-client
tls-auth /path/to/store/pfs.key 1


It is also possible to embed the tls-auth key in the configuration file itself. To do this, open a <tls-auth> tag, embed the key and add a closing </tls-auth> tag. Then add another directive, key-direction X, where X is 0 for the server or 1 for the client (i.e. the same as the second argument on the tls-auth line when using a key file).

So the appropriate snippet would look something like:

<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
.
.
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 0   # 0 on the server, 1 on each client
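An added helper (not from the original post or from OpenVPN) for the inline form above: it validates a V1 static key (exact five-dash markers, 16 lines of 32 hex digits), wraps it in the <tls-auth> block with the right key-direction, and checks that a server and client config use opposite directions. The sample key is a constructed pattern, not a generated one.

```python
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
HEX_LINE = re.compile(r"[0-9a-f]{32}")

# Constructed 2048-bit key body: 16 lines of 32 hex digits. A real key comes
# from "openvpn --genkey --secret" and is random, not a counting pattern.
_body = "".join(f"{i:02x}" for i in range(256))
SAMPLE_KEY = "\n".join([BEGIN] + [_body[i:i + 32] for i in range(0, 512, 32)] + [END]) + "\n"


def parse_static_key(text):
    """Return the 16 hex body lines of a V1 static key, or raise ValueError."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("bad BEGIN/END marker: exactly five dashes on each side")
    body = lines[1:-1]
    if len(body) != 16 or not all(HEX_LINE.fullmatch(l) for l in body):
        raise ValueError("body must be 16 lines of 32 lowercase hex digits")
    return body


def is_valid_key(text):
    """True when parse_static_key accepts the text."""
    try:
        parse_static_key(text)
        return True
    except ValueError:
        return False


def embed_tls_auth(key_text, direction):
    """Build the inline <tls-auth> block plus key-direction for one peer."""
    if direction not in (0, 1):
        raise ValueError("key-direction must be 0 (server) or 1 (client)")
    body = parse_static_key(key_text)
    lines = ["<tls-auth>", BEGIN, *body, END, "</tls-auth>", f"key-direction {direction}"]
    return "\n".join(lines) + "\n"


def key_direction(config_text):
    """Return the key-direction value found in a config, or None if absent."""
    m = re.search(r"^\s*key-direction\s+([01])\s*$", config_text, re.M)
    return int(m.group(1)) if m else None


def directions_complementary(server_cfg, client_cfg):
    """True only when server and client use opposite directions (0 and 1)."""
    s, c = key_direction(server_cfg), key_direction(client_cfg)
    return s is not None and c is not None and s != c


if __name__ == "__main__":
    print(embed_tls_auth(SAMPLE_KEY, 0))
```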

Windscreen Flyer Solution

I am one of those people who get irritated when I come to my car and find a flyer has been stuck under the windscreen wiper. I discovered an (at least partial) solution to the problem – one which is so obvious I wonder why I have not heard of it before. (That I have been dealing with some frustrating spam-related issues probably helped focus my mind.)

I was recently at a favorite watering hole one evening, and had parked my car in a public car park. When I returned to my vehicle I noticed a local restaurant had placed a flyer under my windscreen. (I was, of-course, aware of the restaurant – it was within 200 meters of where I parked).

As I was inconvenienced by having to get out of my car to remove the flyer, the solution was obvious. Armed with a few sweet wrappers and the flyer, I walked into the restaurant, caught a waiter’s attention and, while protesting the placement of litter on my car, sprinkled my advertising for the sweets (and their flyer) across an unoccupied table at the restaurant before leaving. From the deeply satisfying protestations I heard as I exited, I believe I made my point.

In hindsight, I could have done this a little better. Looking back, I realise I should have torn the flyer into small pieces and scattered those instead of depositing my own “sweet advertisement”. Of course, in addition to the Litter Act 1979 (assuming the flyer or “sweet advertisement” can be defined as litter), Auckland Council also has a bylaw preventing the placement of flyers on cars. You can find it here – the key is the definition of poster: “means a temporary sign of 1.5 square meter or less, including a placard, leaflet, flyer or communication device of a like nature, which is directly affixed (without the need for a supporting structure) to walls, buildings or structures, furniture, utilities, traffic signage or placed on any car windscreen, the message of which does not relate to the site or public place where the poster is displayed.” Section 27.3.7 prevents the displaying of the poster – interestingly this includes private land – so I don’t think there will be too much push-back.

Fail2Ban and Brute-Force Password attacks on WordPress

I maintain a server hosting a fair number of WordPress blogs and I get inundated with brute-force password attempts. In order to minimise the likelihood of an attack succeeding, I have taken to limiting the number of login attempts: I’ve customised some Fail2Ban rules to provide an “overriding” lockout of accounts.

The setup certainly has its limitations – for example it will, without warning, temporarily lock out people who have forgotten their passwords – however for the most part it works pretty well.

One of the things I’ve noticed recently is that some attackers are persistent – they will continue trying to log in even when null-routed, and for long periods of time. I’ve thus written a second rule which looks through the fail2ban log and bans, for an extended period, any address which has been banned more than a few times. This further reduces the likelihood of a compromise, and also reduces the amount of “fail2ban spam” I receive, i.e. notifications of a ban being put in place.

Additionally, I’ve come up with a custom rule to ban IPs sniffing around for a WordPress login on virtual hosts where none exists.

The appropriate Fail2Ban filters are as follows –

apache-wplogin.conf

# Fail2Ban configuration file
#
# Author: Tim Connors
# Tweaked by David Go
#

[Definition]

# Ignore specific client who often forgets password.
# Note: fail2ban reads ignoreip from the jail definition (jail.conf /
# jail.local), not from a filter file, so put this in the jail instead.
ignoreip = XXX.XXX.XXX.XXX

# Option:  failregex
# Notes.:  Regexp to catch Apache dictionary attacks on WordPress wp-login
#          (vhost_combined access-log format: "vhost:port client - ...");
#          the second line is a continuation and must be indented.
# Values:  TEXT
#
failregex = :80 <HOST> -.*(GET|POST).*/wp-login.php.*(HTTP)
            :443 <HOST> -.*(GET|POST).*/wp-login.php.*(HTTP)

apache-wp-probe2.conf

# Fail2Ban configuration file
#
# Author:  David Go
#

[Definition]

# Option:  failregex
# Notes.:  Regexp to catch probes for wp-login.php on virtual hosts that do
#          not run WordPress (Apache error-log format: "[client IP] script
#          '...' not found or unable to stat"); replace the placeholder path
#          with the parent directory of your virtual host document roots.
# Values:  TEXT
#
#failregex = <HOST>.*] "POST /wp-login.php

failregex = \[client <HOST>\] script '/PATH/TO/VIRTUALHOSTS/(.*)/wp-login.php' not found or unable to stat

persistentban.conf:

# Fail2Ban configuration file
#

[Definition]

# Make sure we never lock ourselves out.
# Note: as above, fail2ban honours ignoreip in the jail definition, not here.
ignoreip = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# Matches the "Ban" lines fail2ban itself writes to /var/log/fail2ban.log,
# so an address banned repeatedly by any other jail gets a longer ban.
failregex = fail2ban.actions: WARNING.* Ban <HOST>

And, of-course, the appropriate lines in jail.conf

[apache-wp-probe]
maxretry = 3
findtime = 180
bantime = 14400
enabled = true
port    = http,https
filter  = apache-wp-probe
logpath = /var/log/apache2/error.log
action  = iptables-multiport[name=wpprobe, port="80,443", protocol=tcp]
          sendmail-whois[name=wpprobe]

[apache-wp-probe2]
maxretry = 3
#findtime = 14400
bantime = 14400
enabled = true
port    = http,https
filter  = apache-wp-probe2
logpath = /var/log/apache2/error.log
action  = iptables-multiport[name=wpprobe2, port="80,443", protocol=tcp]
          sendmail-whois[name=wpprobe2]

[persistentban]
maxretry = 3
enabled = true
filter = persistentban
findtime = 3600
bantime = 86400
logpath = /var/log/fail2ban.log
action = iptables-multiport[name=multiban, port="80,443,21", protocol=tcp]
         sendmail-whois[name=multiban]
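An added example (not from the original post or the Fail2Ban project): it expands <HOST> roughly the way fail2ban does and runs the three failregex patterns above over constructed access-log, error-log and fail2ban-log lines, including an Apache 2.4 style error line whose client field carries a port, which the apache-wp-probe2 pattern does not match. The placeholder path from the filter is kept as-is.

```python
import re

# Stand-in for fail2ban's <HOST> expansion; fail2ban's own pattern is broader
# (IPv6, bracketed forms) but this is enough for IPv4 log lines.
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# The failregex patterns from the filter files above, one list per filter.
FILTERS = {
    "apache-wplogin": [
        r":80 <HOST> -.*(GET|POST).*/wp-login.php.*(HTTP)",
        r":443 <HOST> -.*(GET|POST).*/wp-login.php.*(HTTP)",
    ],
    "apache-wp-probe2": [
        r"\[client <HOST>\] script '/PATH/TO/VIRTUALHOSTS/(.*)/wp-login.php' "
        r"not found or unable to stat",
    ],
    "persistentban": [
        r"fail2ban.actions: WARNING.* Ban <HOST>",
    ],
}


def compile_filter(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_hosts(filter_name, lines):
    """For each log line, the host the filter would report, or None."""
    regexes = compile_filter(FILTERS[filter_name])
    result = []
    for line in lines:
        host = None
        for rx in regexes:
            m = rx.search(line)
            if m:
                host = m.group("host")
                break
        result.append(host)
    return result


# Constructed log lines in the formats each filter reads (RFC 5737 addresses).
ACCESS_LOG = [
    'blog.example:443 203.0.113.5 - - [06/Feb/2016:03:14:07 +1300] '
    '"POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"',
    'blog.example:80 198.51.100.7 - - [06/Feb/2016:03:14:09 +1300] '
    '"GET /2016/02/hello/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]
ERROR_LOG_22 = ("[Sat Feb 06 03:15:01 2016] [error] [client 203.0.113.5] script "
                "'/PATH/TO/VIRTUALHOSTS/static.example/wp-login.php' not found or unable to stat")
# Apache 2.4 appends the client port; the page's regex has no room for it,
# so this otherwise identical probe goes unmatched.
ERROR_LOG_24 = ("[Sat Feb 06 03:15:01 2016] [error] [client 203.0.113.5:51822] script "
                "'/PATH/TO/VIRTUALHOSTS/static.example/wp-login.php' not found or unable to stat")
F2B_LOG = "2016-02-06 03:15:02,118 fail2ban.actions: WARNING [apache-wplogin] Ban 203.0.113.5"

if __name__ == "__main__":
    print(match_hosts("apache-wplogin", ACCESS_LOG))
    print(match_hosts("apache-wp-probe2", [ERROR_LOG_22, ERROR_LOG_24]))
    print(match_hosts("persistentban", [F2B_LOG]))
```

fail2ban's own fail2ban-regex tool does the same job against a real log file; the 2.4 case shows why a filter should be re-tested after an Apache upgrade.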

Review of the Domain DM-DV703USB 2 DIN video/mp3/cd car stereo

My Toyota Vitz 2004 came with a “Japanese only” stereo, which included a reverse camera. To get the reverse camera working, in addition to some wiring tweaks (see my post on “Original Toyota Reverse Light Camera on 2004 Vitz/Echo with an aftermarket stereo”).

As I can’t call myself an audiophile, and I can be tight-fisted (who wants to spend 1/10th of a run-around vehicle’s value on expensive stereo equipment – especially when it spends time in a “not-that-good” neighbourhood), I decided to purchase a budget stereo off Trade Me.

I picked up a Domain 7″ DVD/CD/USB/SD receiver, model DM-DV703USB, from Sound Tech for around $200 (you can get a similar one from Jonvy), and tried to install it.

First the good news – it uses an ISO wiring harness, meaning I could just spend a few dollars converting the Toyota stereo cabling to work with this stereo, and it uses standard RCA inputs for video. The wires are labelled, so this is all quite straightforward.

When the unit starts up, it shows the stereo splash screen, complete with a picture of Auckland CBD (the Sky Tower is clearly prominent). From the lack of information about this stereo I presume it’s a Chinese import which has been customised and labelled for a New Zealand importer.

The screen looks quite readable, and there is a row of buttons along the bottom. The front screen tilts down to reveal the CD and SD slots. There is a mini USB port on the front. One nice thing about this unit (which is not boasted about) is that it also has a full-size rear USB port – which is what I plugged my memory stick into, as I was able to access this from underneath the dash even when the stereo was installed.

The sound was quite good – I’m no audiophile, but certainly nothing to complain about. The radio also seemed to work well, automatically picking up station names as it found them. I did not try playing any DVDs.

I really wanted this unit to be good enough – and gave it my best – I even communicated with the manufacturer who eventually took the unit back – after convincing themselves the unit was not faulty.

Now the problems. Unfortunately they were – for me – deal-breakers. I eventually returned the unit for a refund from the supplier.

There were some (tolerable) limitations to the stereo design – it relied very heavily on a resistive touch screen, so skipping tracks required taking one’s eyes off the road for longer than is ideal. Still, at $200, I could have lived with that.

The problem I could not live with was the software / touch screen bugs. The software in this unit is clearly buggy. The biggest problem is that intermittently the touch screen would just stop working. Even restarting the vehicle or powering off the stereo would not fix it. (I now believe removing the USB stick might have fixed the problem; I only worked this possibility out when I was removing the unit to send back to the seller.)

See the video above to show me pushing at the touch screen and nothing happening, even after a reset and other attempts.

When the touch screen was not working, the remote also did not respond.

There were other intermittent software faults as well. For example (and despite accusations it was not wired correctly – which don’t stand up to scrutiny, as the video below shows), the reverse camera sometimes stayed on even when not reversing. (It could not have been a wiring issue, as changing the inputs reset it to work, and there was music playing while the camera input was showing. The reverse camera only had a video input, and when I was in reverse no sound was played, so this is clearly a software fault.)

Conclusion – This would be a great deal if it worked properly. There is nothing fundamentally wrong with the hardware, but the software just does not cut it for me – not by a long shot. If, and it’s a big if, a firmware revision comes out fixing these bugs it might be worth looking at again, but I’m not holding my breath, as the distributor never responded to my request for a firmware upgrade.