Blocking, blocking, blocking

No visitors, so why not?

This site has been up for a few years now. Very few (hardly any) visitors. That’s fine. This is really just a place for me to make notes about tech that’s on my mind. Without a job there’s fewer situations that I find myself having to resolve so less to write about.

wp.boba.org is on the Internet though, so of course it gets hit by bots. And since commenting without creating a login is permitted the bots attempt to post spam. Comments need to be approved before they’re displayed so I see, and reject, all of them. Source IP is usually Russia but spam comments also come from Kazakhstan, Belarus, Iran, Amsterdam, Saudi Arabia, Kuwait, Dubai, China, and VPNs that originate in Stockholm and London, among other places.

For a while I didn’t bother about it and simply marked those comments as spam so they never show up on the site. Lately though I’ve changed my approach a bit. Since I’m not trying to make a popular site and I realize the likelihood of getting real comments from any of those locations is infinitesimal I decided to start blocking networks that spam comments are coming from.

The interesting thing is that once I began blocking networks, spam comments became a bit more frequent. Each time from a new network, of course, because the firewall was updated for each new spam source.

The spam being more frequent is a subjective measure but when the first block rule went in it was a while before another spam comment showed up. After that new network was blocked the interval to the next spam comment was less than the interval from the first to the second. It seems as if once a site is detected where spam can be posted that IP or URL is shared among spammers so they can all take a crack at it.

I’ve also found how to add Internet block lists to the firewall. There’s hundreds of thousands if IPs that are blocked and the lists are updated daily. Even so, and much to my surprise, after adding the block lists, the only blocks I see in the log are from the spammer networks. That is honestly a surprise to me. With hundreds of thousands of IPs in the block lists I would have thought some would show up in the log. None have so far. That’s a good thing, but still a surprise.

Today’s blocked networks follow below. It will probably be a day or two before there will be others to add. Don’t expect updates. Hmmm…….

37.99.32.0/20
37.99.48.0/20
37.99.80.0/21
37.221.0.0/24
45.88.76.0/22
46.8.10.0/23
46.151.28.0/24
46.161.11.0/24
62.113.118.0/24
77.238.237.0/24
80.239.140.192/27
84.17.48.0/23
84.38.188.0/24
87.249.136.0/22
91.84.100.96/27
91.201.113.0/24
93.183.92.0/24
178.172.152.0/24
178.217.99.0/24
179.43.128.0/18
183.0.0.0/10
185.173.37.0/24
188.126.89.64/27
192.42.116.192/27
194.32.122.0/24
195.2.70.0/24
195.181.174.0/23
212.34.128.0/24
212.34.141.0/24
212.34.148.0/24

Windows 11 Pro setup

First time for me doing the out-of-box experience with Windows 11 Pro preloaded on new hardware.

ThinkPad X13 2-in-1 Gen 5 is a very nice laptop. Completing initial power-on and setup, since it was Windows Pro, I opted for a local admin account and associated it with a Microsoft account.

Once on the desktop I installed KeePassXC, Calibre, AeroAdmin, Firefox, iTunes, and Kdenlive. I used Kdenlive to create a few videos describing settings or usage for some of the apps. YouTube links sprinkled through this post.

The person getting the laptop has decided to step up their online credential game. Rather than using variations of a base password they want to learn to use and manage more complex ones. Bravo, I say. And check out the videos I made about using KeePassXC to do that, Login with KeePassXC and KeePassXC, Updating a Password.

Calibre is an e-book library manager. I included it because it has become very useful to me and I encourage everyone to try it. All those household documents, appliance manuals, car owner manuals, serial numbers and VINs can be cataloged and available at your fingertips. It’s also a great way to organize training guides, magazine and web articles, etc. Maybe my calibre library info system review will pique your interest.

Sometimes the hardest part of giving remote support is getting the recipient to recognize the steps that need to be taken to complete the connection. This AeroAdmin guide is my attempt to clarify that.

Then Firefox was added because after some updates Edge would no longer login to some Microsoft websites. That prevented access to some account info, among other things. So, install Firefox and with it successfully login to every Microsoft site that Edge would not login to. Firefox is there because a backup to Edge is necessary.

And what resolved Edge’s problems with Microsoft’s own sites? Disabling all Edge security features for any Microsoft.com, Office.com, Live.com domain. And after all that “Device encryption” couldn’t be enabled because it didn’t recognize the Microsoft account was logged in. It clearly was as demonstrated by access to OneDrive, Microsoft365, and other integrated features after logon to the desktop with no more credential prompts for any of those services.

It seems Microsoft tries to soften the blow when enabling device encryption fails with their messages, “Oops something when wrong” and “it was probably us”. It sets a light mood and is a relief at first. But after having the problem for more than a week it is disturbing that nothing has changed.

That didn’t get resolved before the laptop was delivered to its owner.

Confirmed, Movies Updates Work

House of cards, but with the stack setup it is easier.

Like many things that appear on a computer screen there is a long chain of events that need to happen successfully for what is on screen to be what is desired there. The various “Movies” tables on this website are one example.

I got some DVDs for Christmas. A very nice Seven Samurai DVD with extras. My movies database had it marked as movie I want. It appeared on this website in the Movies I Want tables that are on two pages of this website.

Change the setting in the database so it’s a movie I have and the title should now only be found in the two Movies I Have tables on the website and no longer found in the two Movies I Want tables on this website. One change to the source to trigger four changes on the website.

In the case of the Movies tables, for changes to the movies database to appear in the tables, the updated data must be exported to two files, one listing “Movies I Have” and the other “Movies I Want”. Those exported files update the source lists the Movies tables refer to. And finally a sync tool from the wpTables publisher must run against the source lists to update the Movies tables on the website.

Making changes to the movies database is infrequent, a few times a year at most. Remembering the process each time is a challenge but now the data extract step and the link refresh steps are automated which makes most of the process happen without need to remember anything (or look at the code if I wish to remember).

The link update code as a cron…

# m h  dom mon dow   command
*/15 * * * * wget -q -O – "https://wp.boba.org/wp-admin/admin-ajax.php?action=wdtable_update_cache&wdtable_cache_verify=<hex-number>"

Export updates for source lists …

<?php
 $server = "<host>"; 
 $username = "<user-name>";
 $password = "<pwd>"; 
 $database_name = "<movies>"; 
 $link_myMovies = mysqli_connect($server, $username, $password, $database_name);
 $Views = array("movies_i_want","movies_i_have");
 $out_path = "/var/tmp/";
 
 foreach ($Views as $view)
 {
        $query_result = null;
        $columns_total = null;
        $str_query = "SELECT * FROM $view";
        $query_result = mysqli_query($link_myMovies, $str_query);
        $columns_total = mysqli_num_fields($query_result);
 
        $col_names = array();
 
        for ($i = 0; $i < $columns_total; $i++) 
         {
                $Heading = mysqli_fetch_field_direct($query_result, $i);
                array_push($col_names,$Heading->name);
         }
 
         $fileOut = fopen("$out_path$view.csv", 'w') or die("Unable open ./$out_path$view.csv");
         fputcsv($fileOut, $col_names);

         while ($row = mysqli_fetch_array($query_result, MYSQLI_NUM)) 
         {
                fputcsv($fileOut, array_values($row)); 
         }
         
         fclose($fileOut) or die("Unable to close ./$view.csv");
}
?>

Up again, but not public yet

Well, except, you’re reading this so it is public.

Lost interest in maintaining this server and website when I lost my job and couldn’t get another. The server’s Ubuntu, web server is Apache, and CMS is WordPress. It’s been running for a number of years without issue. I wouldn’t call it production because I don’t rely on it for anything. It’s just a test bed to familiarize myself with the software stack and gain some understanding of it’s setup and administration. I’m self hosting. Its an old computer repurposed as a server.

One other thing I experimented with is DNS. I wanted to be able to get to my server on my home network using wp.boba.org, whether on the public Internet or my home network. That worked fine for years with BIND9 and isc-dhcp.

I developed the habit of running upgrades periodically without testing. If there was a problem then no big deal, not production, figure out the issue, repair and proceed. Problems happened a few times with that approach and were always easily rectified.

DNS on the server stopped working after an upgrade. I tried many things and couldn’t figure out why. Rather than rollback the upgrade or restore the system from a backup I kept mucking with it to try and get it to work. No success. Eventually I just lost interest and let the server go dark. I wasn’t working so didn’t have anyone to talk with about the server. With no one to talk tech with about my server project there seemed no point to fixing it.

I did want to dip my toe in the water again after a while. I decided to rebuild the server and bring all components up to the latest release. I still couldn’t get BIND9 DNS to work. Searching BIND9 issues I found other Ubuntu users were also having problems with it. After searching for alternate DNS servers I decided to try dnsmasq. That got me to a working DNS on my home network. And that got me to the point of having the server up and publicly available again.

All development of the server configuration and settings was done on a virtual machine, vm, in a virtual network with virtual clients. VirtualBox is the hypervisor being used. Once everything worked as expected I migrated the server vm to a physical host. That took surprisingly little tweaking. Network addresses had to be changed from the virtual network settings to the home network settings and a different Ethernet device name entered where needed. That was about it to migrate from a virtual to physical server.

For all the world to see, in all its underwhelming glory, wp.boba.org is back. Enjoy.

Mount an external LFS drive

It’s easy. Just took a while to recall.

Original server was hardware installed from thumb drive iso. Set up LFS on server install.

New server from VirtualBox vm. Used ext4 there. Have it running on different drive on original server. LFS drive is set aside.

Want to get at some info from LFS drive. Trying to mount external LFS drive is running into many dead ends so far.

And of course it was simply a question of installing the correct file system drivers. In this case # apt update & apt install lvm2, and the volume can be mounted read/write.

I will keep the old drive around for a while in the external housing. I’m sure there will be times I want to find stuff to pluck off. But I need to put a label on it for a hard date to be DBANed.

Rehoming all my Domains, Oh My !

Domains and registrars, and services, and what?

Google is selling their domain registration business to Squarespace. If your webserver is at a dynamic Internet address, the address needs to be monitored so it can be updated on the name server when it changes. Squarespace name servers won’t accept dynamic updates.

Monitoring the network to see the router’s public Internet address change and updating Google Domains‘ name server was done with Google provided DDNS instructions and settings. Squarespace, the provider they’re selling their Domain Name business to, does not support DDNS. Once Squarespace is actually managing the domain name it will keep the old information about the Internet address in its name server but doesn’t provide a way to automate updates. Once the domain name is on Squarespace and my Internet provider updates my modem’s Internet address, access to this website by name goes down unless I’ve set up another way to keep the website address updated.

Two ways I found to avoid this are move to a registrar that supports DDNS, like Namecheap, or find a DNS provider that supports DDNS and doesn’t require registering a domain with them, like FreeDNS (at afraid.org, yes, but don’t be), and use of their name servers as custom name servers with the domain registrar. That approach requires two service providers for each domain, a registrar and a DNS service.

There’s a fee with registrars for migrating a domain to them. Not much but if you can just change a setting and then there’s no need to pay to move to a different registrar then why not do that?

“THAT”, in this case means leaving the domains with Google and updating the name servers on Google’s domain registration record to the FreeDNS name servers and then keeping the Internet address updated on the FreeDNS name servers.

I’ve moved one domain to Namecheap to see how I like that, an $11 move. It will give me a hand at a third domain control panel, Google Domains, Squarespace, and Namecheap.

The others I’ve created records for them on FreeDNS, updated the name server records on Google Domains and will start using the Squarespace control panel to manage them when they transfer from Google. Squarespace doesn’t support DDNS but if custom nameservers are supported the move from Google Domains will go without a hitch.

Haven’t moved boba.org yet. Want to interact with the other sites a bit before deciding to use FreeDNS and their name servers with Squarespace domain registration or move to a registrar that supports DDNS with their name servers.

I do have to spend time out of the house to interact with the sites through the new DNS / name server setups. Sure, could do it through the phone if I turn off the WiFi but LTE isn’t very good here and I don’t like phone screen for web browsing. If LTE was good could tether the computer to the phone and browse the sites on the pc as I’d like. Kind’a lucky the weak signal, more fun to go out. Maybe find a coffee shop in a mall, buy a cup, sit in one of the seats and figure out how to choose the better option, then compare the details and make the choice.

Goodbye Google Domains!! ?? !!

…hello Namecheap ddns or, hmm, domain hosting too?

This domain, boba.org, is on a server I control, behind a dynamic IP address. Google Domains provides the domain hosting and supports DDNS which made it easy to have Google nameservers be authoritative, keep the A record updated, and manage the physical server.

Now Google’s giving up the domain name business, along with all the convenient features they bundle like DDNS, redirects, privacy, etc.

It’s being transferred to Squarespace. And Squarespace doesn’t include DDNS or offer it as a bundle.

Still need a way to update domain record with new address when it changes BUT can’t do that with Squarespace nameservers.

Checking if domain record can have nameserver but no A record with IP. IF SO, domain record points to nameserver that can be updated, e.g. Namecheap free DNS, and domain continues to function when IP changes even though new domain host doesn’t offer dynamic IP updating.

Will see what happens and update…

MySQL export to .csv

The elusive MySQL export to CSV *WITH* headers.

It took a while, review of a number of weblogs, support sites, and error message causes but export from MySQL to .csv with the column titles is finally working!

SELECT convert('Title' using utf8mb4) 'Title',
	convert('Year' using utf8mb4) 'Year',
	convert('Time' using utf8mb4) 'Time',
	convert('Rating' using utf8mb4) 'Rating',
	convert('Genre' using utf8mb4) 'Genre'  
UNION ALL
SELECT * from 
	(SELECT * from movies_i_want order by Title) a
INTO OUTFILE '/var/lib/mysql-files/movies_i_want.csv' 
FIELDS TERMINATED BY ',' 
ENCLOSED BY '"';

and the file it produces…

"Title","Year","Time","Rating","Genre"
"Amazon Women on the Moon","1987","85","R","Comedy,Sci-Fi"
"Blade of the Immortal","2017","140","R","Action,Drama"
"Bound","1996","108","NR","Crime,Romance,Thriller"
 ...

The first SELECT above produces a single row table with the column’s titles as the field values in the row. The table is not named.

mysql> SELECT 'Title', 'Year', 'Time', 'Rating', 'Genre';
+-------+------+------+--------+-------+
| Title | Year | Time | Rating | Genre |
+-------+------+------+--------+-------+
| Title | Year | Time | Rating | Genre |
+-------+------+------+--------+-------+

The full SELECT expression uses convert('Title' using utf8mb4) 'Title'… for each field because UNION failed from incompatible collations between the first SELECT’s row and the “SELECT ... movies_i_want” statement.

Collations can be associated with one character set. A character set can be associated with many collations. For collations to match, both character sets must match. The purpose of the first SELECT is to emit the column titles for the .csv export. It produces only one row, the column titles. Converting that SELECT’s character set to match the character set used in the live data table permitted the collation the UNION was doing to work.

Once the collations were compatible it was necessary to get each column’s title into the output as the first row of the output. The view used for the second SELECT has the same column titles in the same order as the first select. Its data needs to be the 2nd and subsequent rows.

After many attempts, several ways to state the problem were found. Unfortunately none included the column titles in the output. The column titles are a must have for free wpDataTables to show headings on the tables it displays from reading the .csv files.

ignoring the comment about collation to simplify the statements...
The following both work except for no column titles

SELECT 'Title', 'Year', 'Time', 'Rating', 'Genre'  
UNION ALL
SELECT * 
FROM movies_i_want order by Title;

SELECT 'Title', 'Year', 'Time', 'Rating', 'Genre'  
UNION ALL
SELECT 'Title', 'Year', 'Time', 'Rating', 'Genre' 
FROM movies_i_want order by Title;

To include the column titles in the output three SELECTs are needed. And be sure to include an alias for the ‘derived table’, the one created by the second SELECT.

SELECT 'Title', 'Year', 'Time', 'Rating', 'Genre'  
UNION ALL
SELECT * FROM (SELECT * FROM movies_i_want order by Title) a;

Now the output can be created in the necessary format using native MySQL. The method is a bit dense but I think simpler than the PHP, Use PHP to export MySQL to .csv.

With this and the PHP method of exporting the data a trigger is need to cause it to happen, either method can run on demand, or either method can run on a schedule.

A trigger, in other words “only when needed”, is my preferred approach. MySQL can be triggered by INSERT, UPDATE, and DELETE.

Solutions:

A MySQL trigger runs a SQL user procedure to export the data.
Problem: export destinations are limited to a single location with very restrictive access and it is not the location where either .csv file for the web tables is.

A MySQL trigger runs an external program, the PHP, to export the data.
Problem: can a trigger launch an external program?

Use PHP to export MySQL to .csv

The wpDataTables update when the source .csv files change. Next, update the source .csv files when the movies database is updated.

To update the Movies tables the underlying .csv source files must be updated and the wpDataTables tables’ links with those files must be refreshed. Without the link refresh the table doesn’t update even if the webpage is refreshed.

The .csv source files for the “Movies I Have” and “Movies I Want” tables are monitored for changes. The wpDataTables links are refreshed when the files have changed. The table display will update the next time the page is refreshed or landed on.

Another step in the chain is a database update, (INSERT, UPDATE, or DELETE), triggering the .csv file to be updated. And to make that happen, need to be able to do several things

  • Figure out how to create and trigger an event
    • Trigger the the event after INSERT, UPDATE, or DELETE on movies database
  • Write trigger(s) to a) export the new data and hopefully b) update the .csv files
  • Figure out HOW? to update the .csv files
    • PL/SQL export, then use non SQL program to update files with the export
    • PHP program that extracts the data and overwrites the .csv files
    • Program (PHP, PL/SQL) extracts the data to monitored files. Another program updates the .csv files with the data when the monitored files change.

I’ve put together the PHP to extract the data. Also need to see what can be done with SELECT * INTO OUTFILE. PHP may be able to do the whole process, extract records and update .csv file. MySQL may be able to do it with INTO OUTFILE but I think that’s very limited the destinations it can write to.

<?php
 $server = "myserver.boba.org"; 
 $username = "fan";
 $password = xx; 
 $database_name = "the_movies"; 
 $link_myMovies = mysqli_connect($server, $username, $password, $database_name);
 $Views = array("movies_i_want","movies_i_have");
 $out_path = "/var/tmp/";
 
 foreach ($Views as $view)
 {
	$query_result = null;
	$columns_total = null;
 	$str_query = "SELECT * FROM $view";
 	$query_result = mysqli_query($link_myMovies, $str_query);
 	$columns_total = mysqli_num_fields($query_result);
 
 	$col_names = array();
 
 	for ($i = 0; $i < $columns_total; $i++) 
	 {
	 	$Heading = mysqli_fetch_field_direct($query_result, $i);
	 	array_push($col_names,$Heading->name);
	 }
 
	 $fileOut = fopen("$out_path$view.csv", 'w') or die("Unable open ./$out_path$view.csv"); 
	 fputcsv($fileOut, $col_names);

	 while ($row = mysqli_fetch_array($query_result, MYSQLI_NUM)) 
	 {
	 	fputcsv($fileOut, array_values($row)); 
	 }
	 
	 fclose($fileOut) or die("Unable to close ./$view.csv");
}
?>

bind9 and DHCP

Some emphasis on rndc freeze could save headaches.

Want to get full services on my home LAN such that devices that get DHCP addresses can be called by their host names. In other words, Dynamic DNS on the LAN. In a Windows domain it isn’t something I’ve thought about. It is inherent in setting up the DNS and DHCP server in the same domain. Or maybe doing that just masks netbind sharing names. In any case, can do DNS for DHCP hosts and address by name very easily.

Want the same for home network but am using Ubuntu server. DNS is BIND9 and DHCP is ISC-DHCP. Both work. DNS for the fixed IP devices, home servers, router, printer, works fine. Can ping by hostname or FQDN. The DHCP devices, not so much. They get an IP just fine and can all be seen by dhcp-lease-list. They just can’t be pinged by hostname or FQDN.

At least the home DNS has primary and secondary servers. And for DHCP clients, IP for <name> is available via dhcp-lease-list. But ping <name> fails with error … .

All the above was written before an eventual solution was found. The error was one part me (syntax) and one part bind9.

Ping by hostname would require the host’s A record appear in the domain’s zone file. But the majority of hosts get dynamic IP address so there’s no fixed list of hostname to IP address for LOTS of hosts.

The server providing IP addresses is isc-dhcp-server.service and the server providing DNS is bind9.service. The method, isc-dhcp-server.service updates bind9.service when an IP address is leased.

Of course. But it worked initially then didn’t. What happened?

CARDINAL RULE of BIND9 never update zone files while bind server is running or while bind is actively maintaining the zone files. And twice as emphatically, once zone file replication to secondary server(s) has been established and .jnl files have been created, never update zone files unless bind server has been rndc freeze frozen or systemctl stop stopped !!!!

Use rndc to freeze the zone files while leaving the name server running and responding to queries.

Make sure to update the zone file’s sequence number.

Delete any dynamic entries in the file. (when troubleshooting, not for routine maintenance)

Delete any .jnl files. (again, troubleshooting, not for routine)

Unfreeze the zone files.

Excepting “troubleshooting options”, if the steps above are not followed then the zone files will not properly update going forward. And no freeze, maintain, unfreeze, will fix the failures to update.

Plus named-checkconf and named-checkzone didn’t detect any errors after bind and dhcp were no longer updating zone and .jnl files. Nor did named-compilezone.

And I was confounding that with a failure of reverse zone lookup. Couldn’t get a host name for any dynamic IP address. “But it works in the virtual setup”, and it did. Reverse look ups and all.

Eventually I found a different spelling of in-addr.arpa between the primary and secondary zone files. With that fixed, zone update of dynamic IPs still not happening.

The final fix? The procedure above including the “for troubleshooting” steps. With the zones cleared of dynamic A records and managed keys .jnl file and zone .jnl files on both the primary and secondary removed while bind9 was frozen by rndc on both. Then restart both. Then, it all works.

Lesson learned, ALWAYS rndc freeze before doing any bind9 maintenance.