Still need to research this further:
Somewhere around 6.44, when upgrading an existing RouterOS device, this snippet became part of the configuration:
/ip ssh set allow-none-crypto=yes forwarding-enabled=remote
A few remarks:
Archive for the ‘Internet’ Category
Mikrotik RouterOS “/ip ssh” setting not available from WinBox and defaulting to insecure?
Posted by jpluimers on 2021/09/20
Posted in Hardware, Internet, MikroTik, Network-and-equipment, Power User, routers, WinBox | Leave a Comment »
Windows and the current state of S.M.A.R.T. tooling that understands NVMe
Posted by jpluimers on 2021/09/16
I had trouble with two Intel 600p NVMe SSD devices: read-errors.
It appeared only few tools understand how to get S.M.A.R.T. health information from them, and even then they did not explain the read errors.
I’m going to RMA them, but in case anyone else needs to get health information from NVMe SSD devices, here is which tools do what:
- [Wayback] CrystalDiskInfo version CrystalDiskInfo 8.12.7 ([Wayback/Archive.is] source code) can read the health data, and immediately showed one of the SSDs as bad, but not do a full read-scan of the device.
The support for NVMe health monitoring via the Intel RST drivers was added in [Wayback/Archive.is] CrystalDiskInfo 8.1.0 Beta2 (found via [Wayback] #1223 (Allow access of NVMe drives behind Intel RST drivers) – smartmontools), and before that other NVMe monitoring code had already been there for quite some time.
- [Wayback] HD Tune version 2.55, though old as in 2008 old, can do a full disk scan and shows the read errors perfectly.
- [Wayback/Archive.is] GSmartControl version 1.1.3 – despite being a few months old – cannot read the health data as it uses a far outdated smartmontools version 6.6:
smartctl 6.6 2017-11-05 r4594 [x86_64-w64-mingw32-w10-b19043] (sf-6.6-1) Copyright (C) 2002-17, Bruce Allen, Christian Franke, www.smartmontools.org - [Wayback] smartmontools version 7.2 (via command-line tool
smartctl) supports reading health data on Windows 10 via the Microsoft NVMe drivers (see [Wayback] NVMe_Support – smartmontools and [Wayback] Changeset 4348 – smartmontools); download via [Wayback/Archive.is] S.M.A.R.T. Monitoring Tools – Browse Files at SourceForge.net. I used this command for it:
smartctl.exe --xall /dev/sdc smartctl 7.2 2020-12-30 r5155 [x86_64-w64-mingw32-w10-b19043] (sf-7.2-1) Copyright (C) 2002-20, Bruce Allen, Christian Franke, www.smartmontools.org ... Warning Comp. Temp. Threshold: 70 Celsius ... === START OF SMART DATA SECTION === SMART overall-health self-assessment test result: FAILED! - available spare has fallen below threshold - media has been placed in read only mode ... - [Wayback] SpeedFan version 4.52 can only read temperature and reference temperature (which seems to be the [Wayback] Intel NVMe Warning Composite Temperature Threshold) likely because it is already 5 years old.
- [Wayback] Intel Memory and Storage Tool (the successor of the – now deprecated, but only Windows < 10 supported – [Wayback] Intel SSD Toolbox) only gets the health status when doing a full diagnostic scan.
The above two links are to StorageReview as links to the Intel site cannot archived in the Wayback machine nor Acrhive.is due to “you need to sign on“. These are the unarchived Intel links: Intel® Memory and Storage Tool (GUI) (download page) and Intel® SSD Toolbox (download page).
So basically, CrystalDiskInfo and HD Tune are my first line of checking for drive issues, followed by smartmontools to get text output, then by vendor specific tools to assist with the RMA.
In the past, I used another smartmontools wrapper, but it was discontinued and had an even older version than GSmartControl: Source: Closed: HDD Guardian – Home.
On Intel 600p becoming locked in read-only mode after failure:
- [Archive.is] Intel Clarifies 600p SSD Endurance Limitations, But TBW Ratings Can Be Misleading (Updated) | Tom’s Hardware
- [Archive.is] Intel Quietly Increases The 600p SSD Series Endurance Ratings | Tom’s Hardware
Start of Intel RMA procedure via [Wayback] Warranty Information.
My case looks remarkably similar to [Wayback] Full Diagnostic Scan always fails during Read Scan on my SSD 600p Series 256GB – Intel Community.
A few screenshots of the tools I used for health information:
Share this:
Posted in Hardware, NVMe, Power User, SSD, WayBack machine | Leave a Comment »
Overview of Client Libraries · Internet Archive
Posted by jpluimers on 2021/09/14
Besides manual upload at [Archive.is] Upload to Internet Archive, there are also automated ways of uploading content.
One day I need this to archive pages or sites into the WayBack machine: [WayBack] Overview of Client Libraries · Internet Archive (most of which is Python based):
Share this:
Posted in Bookmarklet, Development, Internet, InternetArchive, Power User, Python, Scripting, Software Development, WayBack machine, Web Browsers | Leave a Comment »
Tricks used by software developers to https://127.0.0.1
Posted by jpluimers on 2021/09/07
Long interesting thread at [WayBack] Thread by @sleevi_: “@SwiftOnSecurity So, some history: It used to be folks would get certs for “localhost”, just like they would from “webmail”, despite no CA e […]”
In 2019, applications were still using tricks (including shipping private keys!) to “securely” access https://127.0.0.1 on some port.
This should have stopped in 2015, but hadn’t. I wonder how bad it still is today.
Related:
- [WayBack] SwiftOnSecurity on Twitter: “Me: Threat-hunting rare DNS lookups in a corporate network. Confluence: … “
- [WayBack] Tavis Ormandy on Twitter: “Yes, it happens sometimes, as soon as someone pulls out the key the CA is required to revoke it. They probably did it to avoid mixed-content warnings, as you can probably guess… it’s not the correct solution. Anyone using this app is vulnerable to trivial MITM 😣… https://t.co/Dqpe5Z9hUu”
- [WayBack] Tavis Ormandy on Twitter: “I pulled out the certificates here, they do seem valid at first glance, not sure why they didn’t get logged in CT. 😆 https://t.co/LyB26oaW5S… https://t.co/DUNIByLSTl”
- [WayBack] Tavis Ormandy on Twitter: “It seems like Atlassian are a CVE CNA, you can ask them to assign a CVE if you like! (seriously, this is a real vulnerability) … “
- [WayBack] SwiftOnSecurity sur Twitter : “Thank you Tavis, I’ve always wondered what it would be like to have a CVE (even if you granted me the courtesy and I didn’t really do much). Thank you a lot. I’ve emailed them and asked for a CVE.… “
- [WayBack] Tavis Ormandy on Twitter: “This turned out to be a real vulnerability! 😮 The certificate was issued by @digicert, who are now required to revoke it. It was issued before mandatory CT, so didn’t show up in …. See … for context.…”
- [WayBack] Ryan Sleevi on Twitter: “So, some history: It used to be folks would get certs for “localhost”, just like they would from “webmail”, despite no CA ever having validated the name. They just relied on pinky promises to be good. Luckily, browsers forbid that … “
- [WayBack] Ryan Sleevi on Twitter: “Look at the dates on those. Yes, it’s a things CAs used to do, and they had to be dragged kicking and screaming into not doing it (and even then, *many* ignored/“oopsied” the requirement to revoke). I regret to inform you it didn’t stop until 2015/2016 – … “
- [WayBack] Guidance on Internal Names – CAB Forum
- [Archive.is] HTTPS encryption on the web – Google Transparency Report: atlassian-domain-for-localhost-connections-only.com
- [Archive.is] HTTPS encryption on the web – Google Transparency Report
- SubjectC=AU, O=Atlassian Pty Ltd, L=Sydney, ST=New South Wales, CN=atlassian-domain-for-localhost-connections-only.com
- Serial NumberA:3E:93:53:0E:74:53:AE:CB:40:BA:20:10:12:F8:FB
- IssuerC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CAValidity11 May 2017 — 15 May 2020
- The domain is (at the time of writing, so hopefully that is now “was”) used by the [WayBack] Administering the Atlassian Companion App – Atlassian Documentation
- At the time of writing, the interactive Google DNS showed the domain pointing to localhost [WayBack] Google Public DNS:
Result for atlassian-domain-for-localhost-connections-only.com/A with DNSSEC validation:
{ "Status": 0, "TC": false, "RD": true, "RA": true, "AD": false, "CD": false, "Question": [ { "name": "atlassian-domain-for-localhost-connections-only.com.", "type": 1 } ], "Answer": [ { "name": "atlassian-domain-for-localhost-connections-only.com.", "type": 1, "TTL": 1620, "data": "127.0.0.1" } ] } - [Archive.is/WayBack] SSL Server Test: atlassian-domain-for-localhost-connections-only.com (Powered by Qualys SSL Labs)
Assessment failed: IP address is from private address space (RFC 1918)
Share this:
Posted in Communications Development, Development, DNS, HTTP, Internet, Power User, Software Development, TCP, TLS | Leave a Comment »
For my link archive: DNS over https
Posted by jpluimers on 2021/09/02
DNS over HTTPS
For my link archive:
- DNS over HTTPS – Wikipedia / Public recursive name server – Wikipedia
- [WayBack] RFC 8484 – DNS Queries over HTTPS (DoH)
- [WayBack] DNS over HTTPS · curl/curl Wiki · GitHub (which has a list of publicly available servers)
- [WayBack] A cartoon intro to DNS over HTTPS – Mozilla Hacks – the Web developer blog
- [WayBack] DNS over HTTPS – Cloudflare Resolver
JSON DNS output
Some DNS over HTTSP providers support dns-json, which Cloudflare delivers non-pretty printed.
Share this:
Posted in Cloud, Cloudflare, Communications Development, Development, DNS, Encryption, HTTP, https, HTTPS/TLS security, Infrastructure, Internet, Internet protocol suite, Power User, Security, Software Development, TCP, TLS | Leave a Comment »
MikroTik RB960PGS hEX PoE powering PoE devices: ensure you get a 48V power supply
Posted by jpluimers on 2021/08/24
By default, the [WayBack] MikroTik RB960PGS hEX PoE comes with a 24V power supply.
Most PoE capable devices cannot be powered by 24V but need 48V. I wrote about this before in the midst of the long post Linus Torvalds – Google+: Working gadgets: Ubiquiti UniFi collection (and a whole bunch of Unifi/Ubiquiti/Ubtn links)
- Mikrotik needs to make up their mind, as they ship a 24V power supply which cannot power any 802.3af/802.3at devices. The 48POW power supply enables 802.3af for the RB960PGS hEX PoE: [WayBack] hEX PoE (RB960PGS) – Need 48V Power Supply – MikroTik
So now I re-mention it in a much smaller post so it easier to find back, and a few links to Power over Ethernet – Wikipedia, where especially these bits are relevant:
- The PoE Standard implementation for 802.3af (802.3at Type 1) “PoE” requires DC 44.0–57.0 V.
- Of the PoE Non-standard_implementations, some common Passive specifications include:
- 24VDC 0.5A 100 Mbit/s or 1 Gbit/s
- 24VDC 1.0A 100 Mbit/s or 1 Gbit/s
- 48VDC 1.0A 100 Mbit/s or 1 Gbit/s
- 56VDC 1.0A and 2.0A 1 Gbit/s (used for 45W+ load point to point microwave and millimeter band radios
The 24V is what MikroTik sticks to with their default power supply.
Share this:
Posted in Internet, MikroTik, Network-and-equipment, Power User, routers, Unifi-Ubiquiti | Leave a Comment »
Winbox 3.19 can connect via MAC whereas Winbox 3.17 cannot
Posted by jpluimers on 2021/08/17
Not sure why, but Winbox 3.17 could not connect to out of the box blank MikroTik equipment at all.
Winbox 3.19 complains every now and than, but usually connects fine.
This was while configuring a bunch of [WayBack] MikroTik Routers and Wireless – Products: CRS305-1G-4S+IN.
Share this:
Posted in Development, Hardware, Internet, MikroTik, Network-and-equipment, Power User, RouterOS, routers, Scripting, Software Development, WinBox | Leave a Comment »
Mikrotik CCR devices based on NAND memory will eventually die
Posted by jpluimers on 2021/08/16
If you own a Mikrotik CCR device based on NAND memory, then be prepared that it will die.
I had this on a (now discontinued [WayBack] MikroTik Routers and Wireless – Products: CCR1009-8G-1S-1S+PC, superseded by the less functional [WayBack] MikroTik Routers and Wireless – Products: CCR1009-7G-1C-1S+PC, which is also NAND based).
Many more people had this or very similar problems:
- [WayBack] Corrupted routerboard firmware prevents booting – MikroTik
- [WayBack] CCR-1009-8G1S-1S Stuck at Starting Kernel – MikroTik
- [WayBack] ccr1009-8g-1s-1s+ stop in loading kernel from nand – MikroTik
- [WayBack] CCR-1016 ”loading kernel from nand ” Problem – MikroTik
- [WayBack] CCR Router Upgrades and often Fails with Reboot Loop – MikroTik
- [WayBack] CCR 1036-12G-EM reboot problem – MikroTik
- [WayBack] ccr 1009 after reboot/power loss boot loop – MikroTik
- [WayBack] CCR hangs on boot – MikroTik
- [WayBack] Mikrotik bricked by backup, reset button not working anymore – MikroTik
- [WayBack] Corrupted routerboard firmware prevents booting – MikroTik
- [WayBack] Cannot netinstall a CRS125 due to reboot loop – MikroTik
- [WayBack] RB493G, 60.0% Bad Blocks!!! What should I do now? – MikroTik
It also happens due to bad capacitors on the (also discontinued) [WayBack] MikroTik Routers and Wireless – Products: RB1200:
- [WayBack] RB1200 + Router keeps rebooting in loop (on power up one beep then it continues in loop) – MikroTik
There have been quite a few NAND related changes to the firmware over the years that have to do with handling corruption:
- [WayBack] mikrotik-tools/changelog-historic at master · 0ki/mikrotik-tools · GitHub from [WayBack] GitHub – 0ki/mikrotik-tools: Tools for Mikrotik devices
- [WayBack] www.mikrotik.ro/docs/changelog.txt
If you are really lucky (I was not), then it is a bad power supply: [WayBack] bootloop on CCR1036-12g-4s (almost 5 years old) [SOLVED] – MikroTik.
Sometimes you can partially recover using the Console port or NetInstall, but eventually you will trip another part of the faulty NAND storage and it will die again, until it has spent all its lives.
Unlike a cat, those are usually far less than 9 lives.
If you do need to recover, the links might help you:
- [WayBack] Recover a Broken Mikrotik Device | Murray’s Blog
- [WayBack] Manual:System/Serial Console – MikroTik Wiki
- [WayBack] Manual:Special Login – MikroTik Wiki
- [WayBack] Manual:RouterBOOT – MikroTik Wiki
- [WayBack] Manual:Netinstall – MikroTik Wiki
–jeroen
Share this:
Posted in Internet, MikroTik, Power User, routers | Leave a Comment »
Firefox: disable DNS over HTTPS (which they call TTR)
Posted by jpluimers on 2021/08/03
There are many reasons to disable DNS over HTTPS (DoH), of which enough are discussed in the links below.
Disabling DoH always talks about setting TTR (the abbreviation Mozilla uses for it) to 5 (like [WayBack] Thread by @isotopp: “Firefox is about to break DNS by enabling DNS-over-HTTP by default […]”), but hardly ever explains the meaning of 5, or any other potential values.
After some searching, I found [WayBack] Firefox disable trr | Knowledge Base:
0: Off by default1: Firefox chooses faster2: TRR default w/DNS fallback3: TRR only mode5: DisabledI imagine the setting we’re all looking for is:
user_pref(“network.trr.mode”, 5);(emphasis mine)
It pointed me to [WayBack] Trusted Recursive Resolver – MozillaWiki:
Share this:
Posted in Cloud, Cloudflare, Communications Development, Development, DNS, Firefox, Infrastructure, Internet protocol suite, Power User, TCP, Web Browsers | Leave a Comment »
Factory reset a MikroTik hEX PoE RB960PGS using the reset button
Posted by jpluimers on 2021/08/02
Edit 20260504: added link to the gist of the switch configuration and a link to a forum post I recently found.
[WayBack] Manual:Reset – MikroTik Wiki:
unplug the device from power
2) press and hold the button right after applying power
Note: hold the button for 5 seconds (USER LED will start flashing)
3) release the button to clear configuration.
Note: If you wait until LED stops flashing, and only then release the button – this will instead launch Netinstall mode, to reinstall RouterOS.
Initial configuration
(see also [WayBack] Manual:First time startup – MikroTik Wiki)
Share this:
Posted in Hardware, Internet, MikroTik, Network-and-equipment, Power User, routers, WinBox | Leave a Comment »
The Wiert Corner - irregular stream of stuff 