Waking Up inside a Camera Obscura

This weekend I woke up inside an actual camera obscura. Our (hotel) bedroom had Velux roof window which was minimally opened. The tiny openings on the lower side of the window projected the neighboring scenery on our (white) bedroom walls.

Camera Obscura Scene (stitch of multiple photos)

The smaller the hole, the sharper the projected image is. You can even see the beer crates in front of the neighboring house.

 Rotated photo showing the beer crates

Rotated photo showing the beer crates

All photos were taken handheld from the bed at ISO30.000 (or higher), so there is wee bit of noise. The photos also show the bed, door-handle and a radiator in the room.

Posted on July 9, 2018 and filed under Personal, Photography.

Juniper SRX, Virtual Routers, and SNMPv3

In this continuing story about Junos and virtual routers an episode about SNMPv3.

A simple SNMPv3 config for Junos would be the following:

set snmp v3 usm local-engine user authpriv authentication-md5 authentication-password My_Password_01
set snmp v3 usm local-engine user authpriv privacy-aes128 privacy-password My_Password_02
set snmp v3 vacm security-to-group security-model usm security-name v3test group v3test
set snmp v3 vacm security-to-group security-model usm security-name authpriv group v3test
set snmp v3 vacm access group v3test default-context-prefix security-model any security-level authentication read-view v3testview
set snmp v3 vacm access group v3test default-context-prefix security-model any security-level authentication write-view v3testview
set snmp v3 vacm access group v3test default-context-prefix security-model any security-level authentication notify-view v3testview
set snmp v3 vacm access group v3test default-context-prefix security-model any security-level privacy read-view v3testview
set snmp v3 vacm access group v3test default-context-prefix security-model any security-level privacy write-view v3testview
set snmp v3 vacm access group v3test default-context-prefix security-model any security-level privacy notify-view v3testview
set snmp v3 snmp-community v3test security-name v3test
set snmp view v3testview oid system include
set snmp view v3testview oid .1 include

Authenticating with the correct credentials (U: authpriv, P: My_Password_01) will give results in a single (default) virtual router.

Using this config in a multiple VR environment will result in Authentication and/or authorization errors. Reason being the not using the root/single VR configuration.

Adding some details to the config, AND altering the actual SNMPv3 query will solve that.

set snmp v3 usm local-engine user authpriv authentication-md5 authentication-password My_Password_01
set snmp v3 usm local-engine user authpriv privacy-aes128 privacy-password My_Password_02
set snmp v3 vacm security-to-group security-model usm security-name authpriv group v3test
set snmp v3 vacm access group v3test context-prefix DEFAULT security-model any security-level authentication read-view v3testview
set snmp v3 vacm access group v3test context-prefix DEFAULT security-model any security-level authentication write-view v3testview
set snmp v3 vacm access group v3test context-prefix DEFAULT security-model any security-level authentication notify-view v3testview
set snmp v3 vacm access group v3test context-prefix DEFAULT security-model any security-level privacy read-view v3testview
set snmp v3 vacm access group v3test context-prefix DEFAULT security-model any security-level privacy write-view v3testview
set snmp v3 vacm access group v3test context-prefix DEFAULT security-model any security-level privacy notify-view v3testview
set snmp v3 snmp-community v3test security-name v3test
set snmp view v3testview oid system include
set snmp view v3testview oid .1 include
set snmp routing-instance-access access-list DEFAULT

The main differences are:

  • context-prefix <VR-NAME>
  • snmp routing-instant-access access-list <VR-NAME>

Having done that, AND adding a context parameter to the actual query will give the correct results.

Posted on June 27, 2018 and filed under Junos, Security, Tips'n Tricks.

Juniper SRX, Routing Instances, and Syslog Challenges

In the previous post I described the issue I had with routing instances and DHCP-relay, and how I fixed it. It turns out that DHCP-relay wasn't my only problem. Turns out that syslog also stopped at the time I implemented the routing instances.

Syslog-gap

To solve this I needed to inject the route to my syslog server (Splunk) in the global routing instance by using policy options.

set policy-options policy-statement syslog-policy term 10 from instance DEFAULT
set policy-options policy-statement syslog-policy term 10 from route-filter 192.168.20.0/24 exact
set policy-options policy-statement syslog-policy term 10 then accept
set policy-options policy-statement syslog-policy then reject

set routing-options instance-import syslog-policy
Posted on June 25, 2018 and filed under Annoying, Security, Tips'n Tricks.

Juniper SRX, Virtual Routers and DHCP Relay

A couple of weeks ago, I started to implement virtual routers in my SRX300. The reason being a new external subnet that  needed to route to a specific security zone. Using the default VR only wouldn't work because of the (single) default route.

Implementing it was fairly easy. The trouble began this week;

  • Wireless controller not accessible
  • Client with weird behaviour
  • etc.

In my network, I have 1 DHCP server serving multiple internal subnets. The (basic) DHCP relay configuration was:

set forwarding-options dhcp-relay maximum-hop-count 10
set forwarding-options dhcp-relay client-response-ttl 10
set forwarding-options dhcp-relay server-group DHCP_Server 192.168.x.x
set forwarding-options dhcp-relay active-server-group DHCP_Server
set forwarding-options dhcp-relay group clients active-server-group DHCP_Server
set forwarding-options dhcp-relay group clients interface ge-0/0/0.1
set forwarding-options dhcp-relay group clients interface ge-0/0/0.20
set forwarding-options dhcp-relay group clients interface ge-0/0/0.30
set forwarding-options dhcp-relay group clients interface ge-0/0/0.200

Turns out that this stops to function when implementing Virtual Routers. Something I forgot to adjust. And since the DHCP scope on my server was set to a lease-time of 14 days.... That means that problems tend to introduce themselves after a couple of days.....

Anyway, after changing the DHCP relay configuration to include the correct Virtual Router name (DEFAULT) everything worked just fine.

set routing-instances DEFAULT forwarding-options dhcp-relay maximum-hop-count 10
set routing-instances DEFAULT forwarding-options dhcp-relay client-response-ttl 10
set routing-instances DEFAULT forwarding-options dhcp-relay server-group DHCP_Server 192.168.x.x
set routing-instances DEFAULT forwarding-options dhcp-relay active-server-group DHCP_Server
set routing-instances DEFAULT forwarding-options dhcp-relay group clients active-server-group DHCP_Server
set routing-instances DEFAULT forwarding-options dhcp-relay group clients interface ge-0/0/0.1
set routing-instances DEFAULT forwarding-options dhcp-relay group clients interface ge-0/0/0.20
set routing-instances DEFAULT forwarding-options dhcp-relay group clients interface ge-0/0/0.30
set routing-instances DEFAULT forwarding-options dhcp-relay group clients interface ge-0/0/0.200

So. DHCP is a bit like DNS. Both have timers (TTL and lease-time) that might bite you in the butt.

Posted on June 10, 2018 and filed under Annoying, Junos, Security.

Juniper vSRX Firewall and VMWare Workstation 14

For a work related project, I wanted to run the Juniper vSRX firewall (v15.1X49-D110) on my work laptop by using VMWare Workstation Pro 14. Unfortunately, the installation (importing the Juniper vSRX OVA file resulted in a VMWare Workstation crash.

Enhancing Sonoff TH16 Functionality and Domoticz Integration

In my previous blogpost, the Sonoff worked, but was lacking a manual override. The switch could only be triggered by Domoticz. Since it also has a physical push button (connected to GPIO0 (D3)), it can be switched by hand. All that needs to be done is:

  1. Create a new switch device in the Sonoff
  2. Enable 'Rules' in the Tools / advanced settings
  3. Create a rule
  4. Change the On/Off commands in the switch parameters in Domoticz
Posted on January 1, 2018 and filed under Hardware, Programming, Raspberry Pi, Tips'n Tricks, Domotica.

Flashing the Sonoff TH16 Wireless Switch

The Sonoff TH16 is an inexpensive piece of hardware that can be controlled over WiFi. Apart from the switch (that's capable of handling electrical currents up to 16A) there's an interface for temperature and humidity. The actual temp/humid sensor is sold separately (in most cases).

Posted on December 31, 2017 and filed under Gadgets, Hardware, Programming, Raspberry Pi, Tips'n Tricks, Domotica.

Add Routes To Ubuntu Server

Routes (non-default ones) can be added to the platform by using the interfaces configurations file.

Just add the following to the interface configuration:

up route add -net <destination_network> netmask <netmask> gw <gateway_address>

Example:

$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens160
iface ens160 inet static
        address 192.168.168.1
        netmask 255.255.255.0
        network 192.168.168.0
        broadcast 192.168.168.255
        gateway 192.168.168.254
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 192.168.0.1
        dns-search mydomain.com
        up route add -net 172.16.16.0 netmask 255.255.255.0 gw 192.168.168.30
Posted on September 15, 2017 and filed under Linux, Tips'n Tricks.

Reset Apple macOS Spotlight

The macOS Spotlight service might loose its touch. E.g. when some applications or documents won't show up when you <CMD><SPACE> them. Reason could be that the service or its database got corrupt for some reason.

The following 4 commands will reset the Spotlight service and database. So after you issue those commands the PC/laptop will be re-indexed (which could take a while).

sudo mdutil -a -i off
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
sudo mdutil -a -i on

Now, wait a bit, and everything should be back to normal.

Happy Spotlighting.

Posted on August 1, 2017 and filed under Apple, Operating Systems, Tips'n Tricks.

E-Mail Spam Prevention

E-mail spam is still annoying as hell. Especially when someone else is sending e-mail on your behalf, and even more annoying if your e-mail address is used for phishing purposes.

From a protocol (SMTP) perspective, there's not much that can be done. SPAM wasn't something they thought of when they developed it in the early 80's. But there are several enhancements that can be used to prevent others by abusing your e-mail (domain). These enhancements are:

  • Sender Policy Framework (SPF)
  • Domain Keys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting and Conformance (DMARC)
Posted on May 10, 2017 .