Re: [PLUG] Troubleshooting ssh [FIXED]

2017-09-15 Thread Larry Brigman
Have this problem all the time at work.  It didn't occur to me to share.
We reinstall systems all the time.  So much so that I wrote a shell wrapper
around ssh-keygen.
It has an option to manage known hosts.
ssh-keygen -q -v -R "${host}"

On Sep 10, 2017 3:47 PM, "Ken Stephens" wrote:

> Rich Shepard wrote:
> > On Tue, 5 Sep 2017, Rich Shepard wrote:
> >
> >> I'm out of ideas of what to test so I can fix this issue, and seek advice
> >> from experienced network admins.
> > Having tried all suggestions from my thread on LQ I re-read openssh web
> > pages, particularly the sections on authorized_keys and known_hosts. It
> > occurred to me that for reasons known only to computers, the server's entry
> > in ~/.ssh/known_hosts was FUBAR.
> >
> > Yep. That was the problem. Cleaned out all known_host entries on each
> > portable, then entered the command $ ssh salmo. Told openssh to connect to
> > the unknown server, correctly entered my passphrase, and the connection was
> > established for each portable.
> >
> > My web searches did not find any result that suggested cleaning
> > known_hosts when a client refuses to connect to a server. This is a lesson
> > I'll not soon forget.
> >
> > Rich
> >
> Rich,
>
> Thanks for sharing your findings.  You come up with interesting problems
> and solutions in Linux.  I learn from them.
>
> I find that if I don't find a solution after diligent searching, the
> problem is usually something very obvious that I have missed.  My forehead
> is much flatter after discovering what I did from the slap that reflexively
> happens at that time.
>
> Thanks, again,
> Ken
> ___
> PLUG mailing list
> PLUG@lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
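Added example, not part of the thread and not Larry's wrapper: a changed host key after a reinstall looks the same to the client as an intercepted connection, so this sketch drops only the one stale entry and pins the new key only when its fingerprint matches one read on the server's console. The function names and the host name salmo in the comments are illustrative assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# only the ssh-keygen options -l, -E, -f, -F, -R and -q are used.

# fingerprint_of FILE: SHA256 fingerprint of the first key in FILE.
fingerprint_of() {
    ssh-keygen -l -E sha256 -f "$1" 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# replace_host_key KNOWN_HOSTS HOST NEW_PUBKEY_FILE EXPECTED_FP
# NEW_PUBKEY_FILE holds the "keytype base64" the server now offers, e.g.
#   ssh-keyscan -t ed25519 salmo | cut -d' ' -f2- > new.pub
# EXPECTED_FP is read on the server's own console:
#   ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
replace_host_key() {
    kh=$1; host=$2; newkey=$3; expected=$4
    offered=$(fingerprint_of "$newkey")
    if [ -z "$offered" ] || [ "$offered" != "$expected" ]; then
        echo "refused: $host offers '$offered', expected '$expected'" >&2
        return 1
    fi
    # Remove only this host's stale entries; other pinned hosts stay.
    if ssh-keygen -F "$host" -f "$kh" >/dev/null 2>&1; then
        ssh-keygen -q -R "$host" -f "$kh" >/dev/null 2>&1 || return 2
    fi
    printf '%s %s\n' "$host" "$(cut -d' ' -f1,2 "$newkey")" >> "$kh"
}
```

On a mismatch the function returns 1 and leaves known_hosts untouched, so the old entry keeps blocking the connection until the fingerprint has been checked.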


Re: [PLUG] Internet access certificate issues

2017-09-15 Thread Denis Heidtmann
So it is unlikely that the router was the issue, and even if it was, any
hope of confirming that is gone.

Now to the present state.  I am connected directly to the Comcast Modem,
an Arris TG1268T.  The modem has wireless, and that is set up to function
(I use it for my laptop.)  This afternoon I noticed that the 2.5GHz light
is flashing once every 6 seconds.  I do not know if that is new or not.
But assuming that the bad behavior was caused by bad actors, might I still
have nasty stuff installed somewhere?  How do I check?  If it recurs, what
should I do to find out what is happening?

There is an SSID and PW label pasted to the modem, said to be unique to
this particular box.  What does that information allow one to access, and
from where?

Where does DNS poisoning occur?  Since it was just local to my machine (no
general complaints noticed), then something local must have been hacked.
This could have been either my router or my modem, since my laptop
connecting via wireless to the router also had the problem.  The modem was
reset a few times during my contact with Comcast's technician, so it could
have been the modem if reset clears the cache.

This whole thing is above my pay grade. Bottom line, if it recurs, what
should I do to find out what is happening?

Thanks for all the helpful comments.

-Denis

On Fri, Sep 15, 2017 at 10:38 AM, Russell Senior wrote:

> > "Denis" == Denis Heidtmann writes:
>
> Denis> The router is out of service, not powered.  Is there any way to
> Denis> diagnose it at this point, or would I have to place it back in
> Denis> service and observe a repeat of the problem?  Or is the problem
> Denis> not in the router at all; just coincidence that it went away when
> Denis> I removed the router?  Clearly I need some very basic
> Denis> understanding of how all these things operate.
>
> Assuming my wild-assed guess has any merit ...
>
> The problem probably wasn't in the router, except for some transient
> state, which probably would go away with a power cycle.  Unless it was
> under an ongoing "attack".  I don't think the stock firmware preserves
> any state, to speak of, over a reboot.
>
> One thing to do is to determine whether DNS is the problem.  You can
> ping hosts where you were seeing the problem and see if the IP address(es)
> makes sense.  If possible, try from a different machine (or have someone
> else do that), and see if they agree.
>
> The certificate issue comes from asking the machine to provide some
> proof it is who it claims to be and finding that it can't.  My theory is
> that it's because it isn't the right machine.  It could be that the
> service is broken (e.g. the certificate expired, or the server is
> misconfigured). However, if you are seeing this at a big name, popular
> service, or at more than one unrelated service at the same time, then
> the probability of that being innocent seems to go way down.
>
>
> --
> Russell Senior, President
> russ...@personaltelco.net


Re: [PLUG] Internet access certificate issues

2017-09-15 Thread Larry Brigman
If the wireless router was providing the DNS lookup services for wireless
clients, then the conclusion that the router was hacked and providing bogus
DNS info was correct.  Figuring that out would require recreating the
situation and checking the IP against the DNS name received.

Earlier references to DNS poisoning were the correct term.

On Sep 15, 2017 9:16 AM, "Denis Heidtmann" wrote:

> The router is out of service, not powered.  Is there any way to diagnose
> it at this point, or would I have to place it back in service and observe
> a repeat of the problem?  Or is the problem not in the router at all; just
> coincidence that it went away when I removed the router?  Clearly I need
> some very basic understanding of how all these things operate.
>
> -Denis
>
> On Fri, Sep 15, 2017 at 2:52 AM, Russell Senior wrote:
>
> > > "Denis" == Denis Heidtmann writes:
> >
> > Denis> [...] My son suggested that the router was attacked.  Other
> > Denis> explanations could be poor wired connections: one end of one of
> > Denis> the Ethernet cables is missing the mechanical lock. Maybe it got
> > Denis> noisy.  Also, it could be the power supply to the router is
> > Denis> failing.  I have not checked it yet.
> >
> > Denis> My son wants to examine the router.  How about you, Russell?
> >
> > That sounds like maybe DNS poisoning, someone giving incorrect answers
> > to your device's DNS requests in order to try to redirect your browser
> > to a spoofed site, possibly to try to steal your credentials.
> >
> > Don't tell your browser to accept invalid certificates!  Rebooting the
> > AirRouter should clear its cache.  Diagnosing probably involves running
> > tcpdump to see what's going on.
> >
> >
> > --
> > Russell Senior, President
> > russ...@personaltelco.net


Re: [PLUG] Xlib.

2017-09-15 Thread Rich Shepard
On Fri, 15 Sep 2017, Michael Robinson wrote:

> I need to take a demo program that displays a PNG file via Xlib and modify
> the output. It is a C program, not C# or C++. Has xlib been replaced by
> xcb? I'm developing this for an HDMI projector hooked to a Raspberry Pi 3
> model B.

Michael,

   Have you looked at the extensive ImageMagick toolkit?

Rich


[PLUG] Xlib.

2017-09-15 Thread Michael Robinson
Hello pluggers,

I need to take a demo program that displays a PNG file via Xlib and
modify the output.  It is a C program, not C# or C++.  Has xlib been
replaced by xcb?  I'm developing this for an HDMI projector hooked 
to a Raspberry Pi 3 model B.

Preferably, I don't want to pull out cairo or any other graphical
library that is heavier than Xlib.  If I have to pull out another
tool, what should I use?

I need to remove the title bar and all areas that can be clicked on;
the image is a target for calibration.  The program that I'm trying
to fix ASAP uses opencv, a computer vision package.  Obviously, the
program calculates or accepts user input on where the target should
project and that has to work.  So the image can't pop up willy nilly 
on the screen the way it does in the current demo program.




Re: [PLUG] Internet access certificate issues

2017-09-15 Thread Russell Senior
> "Denis" == Denis Heidtmann writes:

Denis> The router is out of service, not powered.  Is there any way to
Denis> diagnose it at this point, or would I have to place it back in
Denis> service and observe a repeat of the problem?  Or is the problem
Denis> not in the router at all; just coincidence that it went away when
Denis> I removed the router?  Clearly I need some very basic
Denis> understanding of how all these things operate.

Assuming my wild-assed guess has any merit ...

The problem probably wasn't in the router, except for some transient
state, which probably would go away with a power cycle.  Unless it was
under an ongoing "attack".  I don't think the stock firmware preserves
any state, to speak of, over a reboot.

One thing to do is to determine whether DNS is the problem.  You can
ping hosts where you were seeing the problem and see if the IP address(es)
makes sense.  If possible, try from a different machine (or have someone
else do that), and see if they agree.

The certificate issue comes from asking the machine to provide some
proof it is who it claims to be and finding that it can't.  My theory is
that it's because it isn't the right machine.  It could be that the
service is broken (e.g. the certificate expired, or the server is
misconfigured). However, if you are seeing this at a big name, popular
service, or at more than one unrelated service at the same time, then
the probability of that being innocent seems to go way down.


-- 
Russell Senior, President
russ...@personaltelco.net
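Added example, not part of the thread: one way to run the cross-check suggested above, comparing the answers from the resolver the machine normally uses with those from an independent resolver. It assumes dig is installed; the function names and the labels it prints are illustrative, and the addresses in the comments are documentation ranges.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes dig (bind tools) is installed.

# lookup NAME [SERVER]: sorted A records, one per line. Without SERVER the
# system's configured resolver (normally the router) is asked.
lookup() {
    if [ -n "$2" ]; then dig +short A "$1" "@$2"; else dig +short A "$1"; fi |
        grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# is_private ADDR: true for RFC 1918, loopback and link-local addresses.
is_private() {
    case $1 in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# classify LOCAL REFERENCE: both arguments are newline-separated addresses.
#   private-address  a public name answered with a local address
#   agree            at least one address appears in both answers
#   differ           no overlap; CDNs can cause this, so follow up by
#                    checking whether the site's certificate validates
classify() {
    if [ -z "$1" ]; then echo no-answer; return 0; fi
    for a in $1; do
        if is_private "$a"; then echo private-address; return 0; fi
    done
    for a in $1; do
        for b in $2; do
            if [ "$a" = "$b" ]; then echo agree; return 0; fi
        done
    done
    echo differ
}

# check_name NAME REFERENCE_SERVER, e.g. check_name www.example.com 198.51.100.53
check_name() { classify "$(lookup "$1")" "$(lookup "$1" "$2")"; }
```

Run check_name while the certificate errors are occurring; a "differ" result for several unrelated names at once, together with failing certificates, matches the pattern described in the message above.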


Re: [PLUG] Internet access certificate issues

2017-09-15 Thread Denis Heidtmann
The router is out of service, not powered.  Is there any way to diagnose
it at this point, or would I have to place it back in service and observe
a repeat of the problem?  Or is the problem not in the router at all; just
coincidence that it went away when I removed the router?  Clearly I need
some very basic understanding of how all these things operate.

-Denis

On Fri, Sep 15, 2017 at 2:52 AM, Russell Senior wrote:

> > "Denis" == Denis Heidtmann writes:
>
> Denis> [...] My son suggested that the router was attacked.  Other
> Denis> explanations could be poor wired connections: one end of one of
> Denis> the Ethernet cables is missing the mechanical lock. Maybe it got
> Denis> noisy.  Also, it could be the power supply to the router is
> Denis> failing.  I have not checked it yet.
>
> Denis> My son wants to examine the router.  How about you, Russell?
>
> That sounds like maybe DNS poisoning, someone giving incorrect answers
> to your device's DNS requests in order to try to redirect your browser
> to a spoofed site, possibly to try to steal your credentials.
>
> Don't tell your browser to accept invalid certificates!  Rebooting the
> AirRouter should clear its cache.  Diagnosing probably involves running
> tcpdump to see what's going on.
>
>
> --
> Russell Senior, President
> russ...@personaltelco.net


Re: [PLUG] Internet access certificate issues

2017-09-15 Thread Russell Senior
> "Denis" == Denis Heidtmann writes:

Denis> [...] My son suggested that the router was attacked.  Other
Denis> explanations could be poor wired connections: one end of one of
Denis> the Ethernet cables is missing the mechanical lock. Maybe it got
Denis> noisy.  Also, it could be the power supply to the router is
Denis> failing.  I have not checked it yet.

Denis> My son wants to examine the router.  How about you, Russell?

That sounds like maybe DNS poisoning, someone giving incorrect answers
to your device's DNS requests in order to try to redirect your browser
to a spoofed site, possibly to try to steal your credentials.

Don't tell your browser to accept invalid certificates!  Rebooting the
AirRouter should clear its cache.  Diagnosing probably involves running
tcpdump to see what's going on.


-- 
Russell Senior, President
russ...@personaltelco.net