
Is this (Marek assisted) Internet privacy procedure as good as I can make it?


Mark Bannon
Dec 7, 2015, 1:20:45 PM
Is this (Marek assisted) security procedure as good as I can make it?

I just would like to improve "my" privacy by asking *you* what you'd
suggest I improve in my setup, which has evolved over the past year,
taking advantage of some scripts written by Marek and others.

Note that I have a static public IP address which has been the same
for the past 5 years so I *never* want it to show up, so, I must use
VPN or Tor (if there is any other option, please let me know!).

Here's my current procedure - which I am open to IMPROVE!
Please provide hints and suggestions as to how to improve this!

1. I make a directory for each task, e.g., here are sample folders:
dir_email, dir_nntp, dir_web, dir_webforum1, dir_webforum2, etc.
where the separate tasks are something like the following, each
of which gets a DIFFERENT VPN IP address:
a. Log into gmail account #1
b. Log into gmail account #2
c. Log into NNTP account #1
d. Log into NNTP account #2
e. Log into Craigslist account #1
f. Log into Craigslist account #2
g. Log into Web forum #1
h. Log into Web forum #2
etc.

2. In each directory, I populate it with a half dozen or so vpn
configuration files from mofolinux (these files change over time).
(http://mofolinux.com/vpngate.html)

3. The gmail directories (one for each account) are the hardest ones
because gmail absolutely hates when you change IP addresses, so,
a modified Marek vpnchecker.sh script is PERFECT for gmail because
it will use the same VPN every time, until/unless the config script
no longer works (which happens all the time) and then it moves on
to the next previously working vpn script (it kicks out the non-
working script, which is saved for re-use at a later date).

The beauty of this script is *consistency*.
Gmail, for example, hates inconsistency.
So, you log in using the same VPN for as long as that VPN works.
Once it fails (and it will), you automatically move on to the next
working VPN using Marek's script (which does all that automatically).

It's as consistent as you can make it anyway.

4. Once the vpn works, I run Marek's vpnstatus.sh script to shut
down the WiFi and the running apps if/when the vpn momentarily
fails (which they often do). That preserves my privacy somewhat
because you can accidentally be on your own ISP without knowing
it since these VPNs fail once or twice a day without giving you
any warning if you don't use Marek's scripts to warn you).

5. Every once in a while, I go to the directory of failed scripts,
and I run Marek's vpnchecker.sh which generally finds something
like 10% of them are working again, so, I put them *back* into the
separate vpn directories created in step 1 above.

6. Of course, I try to only log into web sites and NNTP newsservers
which use encryption (e.g., mixmin uses encryption for nntp and
gmail uses encryption for mail.google.com) but when I log into a
forum that does NOT use encryption (e.g., craigslist uses encryption
but it won't *default* to using encryption) I then use https
everywhere (which then makes craigslist default to encryption).

For the forums that do not even have the option of Encryption,
I'm forced to use the Tor Browser Bundle (in which case, I don't
think adding the VPN on top of that adds anything - do you?).

7. What else can I do to protect my privacy on the net?

Mark Bannon
Dec 9, 2015, 12:08:31 AM
Nobody has a better system than what I came up with on my own?
Not a single improvement suggested?

J G Miller
Dec 9, 2015, 1:51:52 PM
On Wednesday, December 9th, 2015, at 05:08:29h +0000,
Mark Bannon wrote:

> Not a single improvement suggested?

Some of us chose not to use gmail.

Bit Twister
Dec 9, 2015, 3:12:44 PM
On Wed, 9 Dec 2015 05:08:29 -0000 (UTC), Mark Bannon wrote:
> Nobody has a better system than what I came up with on my own?
> Not a single improvement suggested?

Did you ever go back and back out those sudo holes you poked in your
system administration security layer? :-(

Mark Bannon
Dec 9, 2015, 7:39:08 PM
On Wed, 09 Dec 2015 20:10:14 +0000, Bit Twister wrote:

> Did you ever go back and back out those sudo holes you poked in your
> system administration security layer? :-(

Good point. There are plenty of holes in the /etc/sudoers.d/vpn-ifconfig
configuration Marek (or someone) provided to me long ago.

There are also a few holes in my (modified) changehost script!
#################################################
#
# Script: changehostname.sh
# written by: Tom McDonald
# Contributors : Marek Novotny, Bit Twister
# version: 0.1
# Date: 2015-10-17
# Notes: Change hostname on Kubuntu
#
#################################################

Mark Bannon
Dec 9, 2015, 7:41:34 PM
On Wed, 09 Dec 2015 18:49:22 +0000, J G Miller wrote:

> Some of us chose not to use gmail.

I had Yahoo mail for a while but they can't figure out how to get
rid of spam, nor can they make a clean web page.

I use Gmail mostly because it ties nicely to Thunderbird (for the
most part).

Like it or not, we *must* use a mail service.

I prefer the no-registration types (which is why Gmail hates me, because
it has no phone number nor IP address since I only use Gmail under VPN).

So, I'd *love* to ditch gmail.

What mail service do you use that will allow you an account without
registration (which gmail allows)?

Mark Bannon
Dec 9, 2015, 7:52:28 PM
On Mon, 07 Dec 2015 18:20:44 +0000, Mark Bannon wrote:

> 7. What else can I do to protect my privacy on the net?

I also have the following privacy extensions installed in Firefox:
CanvasBlocker
Ghostery
NoScript
RandomAgentSpoofer or SecretAgent or UserAgentSwitcher/UserAgentJSFixer
HTTPS Everywhere

And, of course, my hosts file is a combination of most of the following:
$ wget http://winhelp2002.mvps.org/hosts.txt
$ wget http://someonewhocares.org/hosts/
$ wget http://www.malwaredomainlist.com/mdl.php
$ wget http://pgl.yoyo.org/adservers/serverlist.php
$ wget http://hosts-file.net/download/hosts.zip <== (too big to really use though)

Where I manually download, sort, combine, and cull out of these files any additions
to add to my existing hosts file. (I should write a script some day, because
that would be generally useful to everyone.)

I also ensure that Firefox checks the hosts file *every* time!
about:config browser.cache.check_doc_frequency;1
0 = check once per session
1 = check every time the page is accessed
2 = never check no matter what
3 = check when the cached copy of the page says it might be out of date

What *else* would you recommend for basic privacy?
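Mark mentions that he sorts, combines and culls the downloaded lists by hand and "should write a script some day". As an added example, not Mark's or anyone else's code from this thread, here is a bash version of that job: a normalizer that accepts both the `0.0.0.0 host` and `127.0.0.1 host` list formats, strips comments and CRLF line endings, lower-cases names and drops localhost-style entries, and a merge step that keeps the hand-maintained hosts file on top and appends only entries it does not already contain. The three sample files are constructed stand-ins for the downloaded lists; the file names and the mktemp working directory are assumptions.

```shell
#!/bin/bash
# Added example (not the poster's script): merge blocklist-style hosts files.
# The three sample files below are constructed stand-ins for the downloaded lists.

# normalize_hosts: hosts-file text on stdin -> one "0.0.0.0 host" line per unique
# name. Accepts "127.0.0.1 host" and "0.0.0.0 host" forms, strips comments and
# CRLF line endings, lower-cases names, drops localhost-style entries.
normalize_hosts() {
    tr -d '\r' \
    | sed -e 's/#.*$//' \
    | awk '
        $1 == "0.0.0.0" || $1 == "127.0.0.1" {
            host = tolower($2)
            if (host == "" || host == "localhost" || host == "localhost.localdomain" ||
                host == "local" || host == "broadcasthost" || host ~ /^ip6-/) next
            print "0.0.0.0 " host
        }' \
    | sort -u
}

# merge_hosts OUTFILE BASEFILE LIST...: keep BASEFILE (the hand-maintained
# /etc/hosts) untouched at the top, then append a marked block holding every
# blocklist entry whose hostname is not already present in BASEFILE.
merge_hosts() {
    local out="$1" base="$2"; shift 2
    {
        cat "$base"
        echo "# --- BEGIN merged blocklist ($(date +%F)) ---"
        cat "$@" | normalize_hosts | awk -v basefile="$base" '
            BEGIN { while ((getline line < basefile) > 0) { split(line, f); if (f[2] != "") seen[tolower(f[2])] = 1 } }
            !(tolower($2) in seen) { print }'
        echo "# --- END merged blocklist ---"
    } > "$out"
}

# count_blocked FILE: number of entries inside the merged block (sanity check
# before the file is copied over /etc/hosts).
count_blocked() {
    awk '/BEGIN merged/{f=1;next} /END merged/{f=0} f && $1=="0.0.0.0"' "$1" | wc -l | tr -d ' '
}

# --- constructed sample inputs (stand-ins for the downloaded lists) ---
work=$(mktemp -d)
printf '127.0.0.1 localhost\n192.168.1.10 printer.lan\n0.0.0.0 ads.example.net\n' > "$work/hosts.base"
printf '# MVPS-style list\r\n0.0.0.0 ads.example.net\r\n0.0.0.0 tracker.example.org # comment\r\n' > "$work/list1"
printf '127.0.0.1 localhost\n127.0.0.1 ADS.example.net\n127.0.0.1 malware.example.com\n' > "$work/list2"

merge_hosts "$work/hosts.merged" "$work/hosts.base" "$work/list1" "$work/list2"
echo "merged file: $work/hosts.merged ($(count_blocked "$work/hosts.merged") new blocklist entries)"
```

Feed the real downloads through `merge_hosts` the same way, then look at `count_blocked` and diff the result against the current file before copying it into place: a single malformed line that maps a host you rely on to 0.0.0.0 breaks that host silently, and a blocklist that grows from a few thousand to hundreds of thousands of lines (the hosts-file.net case Mark mentions) slows every name lookup.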

Wildman
Dec 9, 2015, 7:57:41 PM
Try this one...

https://mailinator.com/
or
http://www.spamgourmet.com/index.pl

--
<Wildman> GNU/Linux user #557453
Keyboard not detected! Press any key to continue...

Bit Twister
Dec 9, 2015, 8:01:22 PM
Wow, that is one concise script.

What little bit of that thread that I can remember was when I
wondered how the user could run some network command which only root
could run.

You replied you had added user command(s) overrides in sudo
configuration file.

The other comment I had was your setup connected to wifi (*), dropped the
connection, toggled desired variables, then reconnected.

(*) and there was the rub. The hotspot would have had all your
system's "dna" before you went stealthy.

I had mentioned some files like /etc/network/if-up.d, if-down.d,
if-pre-up.d, if-post-down.d which I maintain you would do all the
stealth setup, then make the connection.

Mark Bannon
Dec 9, 2015, 8:18:51 PM
On Thu, 10 Dec 2015 00:58:53 +0000, Bit Twister wrote:

> Wow, that is one concise script.

It was just the header! :)
I'm embarrassed by "my" code, so I generally don't supply my
code because it really sucks (compared to yours or Marek's).

> What little bit of that thread that I can remember was when I
> wondered how the user could run some network command which only root
> could run.

I've been using the solution you guys provided in a thread long ago
to allow a user to run a script without having to type the root
password, which is to put any file in /etc/sudoers.d/ which allows
that.

The problem is that the hostname is a requirement of that file, so,
the changehost script you contributed to has to also change the
sudoers.d/ files. Sigh.

USERNAME HOSTNAME = (root) NOPASSWD: /sbin/ifconfig

Why the sudoers.d files *require* the hostname is a silly requirement,
but it's something we have to deal with.

> You replied you had added user command(s) overrides in sudo
> configuration file.

I use "ifconfig" to shut down the WiFi the moment Marek's vpnstatus.sh
script detects that the VPN dropped.

I think, sometimes, that the NSA runs these flaky vpn services, because
the moment the vpn drops, you're back on your original ISP, and you
wouldn't even know it without Marek's vpnstatus script.

> The other comment I had was your setup connected to wifi (*), dropped the
> connection, toggled desired variables, then reconnected.

I had to switch to wicd, which works much better on the automatic
reconnection.

> (*) and there was the rub. The hotspot would have had all your
> system's "dna" before you went stealthy.

I do regret that Marek's vpnstatus script has a two second wait.
I dropped that to a second, but, still, there is a second wait
before it toggles off the wifi NIC.

> I had mentioned some files like /etc/network/if-up.d, if-down.d,
> if-pre-up.d, if-post-down.d which I maintain you would do all the
> stealth setup, then make the connection.

I was having a devil of a time trying to reconnect after the default
Ubuntu network manager dropped the connection, but, once I switched
to wicd, everything worked much smoother.

So, the default network manager is crap, compared to wicd (IMHO).

Best thing I ever installed!
1. Download the latest NetworkManager, in case we need to reinstall if WICD doesn't work:
$ sudo apt-get install -d --reinstall network-manager plasma-widget-networkmanagement
2. Install WICD:
$ sudo apt-get install wicd-kde
3. Now uninstall NetworkManager:
$ sudo apt-get remove plasma-widget-networkmanagement network-manager
4. Reboot and test (keep a debian file for network-manager in the /var/cache/apt/archives):
$ sudo reboot
5. Remove config files for NetworkManager:
$ sudo dpkg --purge plasma-widget-networkmanagement network-manager
6. Add the Wicd widget to the panel for the user interface.

Mark Bannon
Dec 9, 2015, 8:23:30 PM
On Thu, 10 Dec 2015 00:58:53 +0000, Bit Twister wrote:

> The other comment I had was your setup connected to wifi (*), dropped the
> connection, toggled desired variables, then reconnected.
>
> (*) and there was the rub. The hotspot would have had all your
> system's "dna" before you went stealthy.

BTW, most of the time I'm at home, so, the initial state of the WiFi
isn't an issue (especially since my home SSID is not hidden).

Had I a *hidden* SSID, I'd lose privacy at a WiFi hotspot (because it's
my understanding that the *first* broadcast *from* your WiFi NIC is for
that hidden SSID, which won't exist at a WiFi hotspot - but by the
time the laptop figures that the home SSID isn't anywhere near - that
broadcast would already have given away your home SSID to the hotspot's
router and to everyone in the room with Kismet or WiFi Radar or Wireshark,
etc.

Mark Bannon
Dec 9, 2015, 8:29:55 PM
On Thu, 10 Dec 2015 00:58:53 +0000, Bit Twister wrote:

> The other comment I had was your setup connected to wifi (*), dropped the
> connection, toggled desired variables, then reconnected.
> (*) and there was the rub. The hotspot would have had all your
> system's "dna" before you went stealthy.

What I would *like* to do, when I am at a WiFi hotspot, is manually shut off
the WiFi NIC with the switch on the side of the laptop, and then to change
parameters such as the hostname, username, macaddress, as in the Marek-inspired
scripts that I run...

$ changemac.sh <--- mandatory
$ changehost.sh <--- optional
$ changeuser.sh <--- optional

The problem is that I can't change the mac when the NIC is turned off!
:(

So, I have to boot the laptop out of range of the WiFi hotspot, and
then change the mac, before I come in range of the WiFi hotspot.

So, that's a flaw in my process that I don't have a solution to, since
I can't seem to change the MAC address with the WiFi NIC physically turned off.

#!/bin/bash
#################################################
#
# Script: changemac.sh
# written by: Marek Novotny
# modified by: Lots of people
# version: 0.5
# date: 2015-10-17
# notes: MAC Address Changing Ubuntu
#
#################################################
# In the future, change the MAC address in /etc/network/interfaces.
# That way, the interface starts up with fake mac.
# When the interface goes down it gets re-configured.
# You can put the hide_me script in /etc/if-pre-up.d
# and the change would go in before the interface comes up.


# use sudo if you're not root (add ifconfig to sudoers.d)
if [ "$(id -u)" != 0 ] ; then
    priv="sudo"
else
    priv=""
fi

# grab the NIC interface (e.g., devID=wlan0)
# WIP: Add a check if device ID is "tun0", don't change it
devID=$(ip route get 8.8.8.8 | awk 'NR==1 {print $5}')
# Get the device MAC address (net-tools ifconfig output format)
MACaddr=$(ifconfig "$devID" | grep HWaddr | awk '{print $5}')
echo "old MAC: $MACaddr"

# Set up a list of organizationally unique identifiers OUI
# https://www.adminsub.net/mac-address-finder
OUIArray=(
00:01:2a # telematica sistems inteligente
00:02:b3 # intel corporation
00:04:3a # intelligent telecommunications, inc.
# ... really really really long list of MAC addresses deleted ...
00:08:1a # sanrad intelligence storage communications 2000 ltd.
00:05:b5 # Broadcom Technologies
00:06:5b # dell computer corp.
)

# if [ $# -eq 0 ]
# then
#     echo -n "Enter new MAC: "
#     read newMAC
# else
# pick a random index in 0..(array length - 1); adding 1 to the length, as an
# earlier version did, can select a non-existent (empty) entry
RANGE=${#OUIArray[@]}
i=$RANDOM
let "i %= $RANGE"
OUI=${OUIArray[$i]}

# generate a new NIC specific identifier: bytes 9-17 of the colon-separated
# md5 string are ":xx:xx:xx", the last three octets with their leading colon
NIC=$(date | md5sum | sed 's/../&:/g' | cut -b 9-17)
newMAC="$OUI$NIC"
# fi

echo "new MAC: $newMAC"

# Offer to replace old mac addr with the new
echo "Do you wish to assign $newMAC to $devID?"
echo "Press 1 to assign $newMAC to $devID? (otherwise press 2)"
select yn in "Yes" "No" ; do
    case $yn in
        Yes )
            $priv ifconfig "$devID" down
            sleep 2 # allow interface to go down
            $priv ifconfig "$devID" hw ether "$newMAC"
            sleep 2 # allow time to assign MAC to interface
            $priv ifconfig "$devID" up && $priv ifconfig "$devID" | grep HWaddr
            break
            ;;
        No )
            exit 0
            ;;
    esac
done

## END ##

Mark Bannon
Dec 9, 2015, 8:49:07 PM
On Wed, 09 Dec 2015 18:57:40 -0600, Wildman wrote:

>
> Try this one...
>
> https://mailinator.com/
> or
> http://www.spamgourmet.com/index.pl

Thanks for the suggestion, but, that first one, I sure hope you *never* use!
"Mailinator email is auto-deleted after a few hours."
"Email to Mailinator is in the public domain."

The second one is new to me, so, I'll check it out, but I don't see the
setup yet for the SMTP and POP3/IMAP server names and ports yet.

Bit Twister
Dec 9, 2015, 9:43:35 PM
On Thu, 10 Dec 2015 01:18:50 -0000 (UTC), Mark Bannon wrote:
> On Thu, 10 Dec 2015 00:58:53 +0000, Bit Twister wrote:
>
>> Wow, that is one concise script.
>
> It was just the header! :)
> I'm embarrassed by "my" code, so I generally don't supply my
> code because it really sucks (compared to yours or Marek's).

While I am thinking about it, would you remove my name anywhere you
have it. Reason I don't need to be dragged into an investigation if
your system gets sucked up in a computer crime.

Not saying all this "Internet privacy" is to cover up future crimes,
but if you are at a hotspot and get cracked, and is used to
buy/sell/use stolen credit cards or any other crime, I do not need to be
dragged in as a "person of interest".


>
> I've been using the solution you guys provided in a thread long ago
> to allow a user to run a script without having to type the root
> password, which is to put any file in /etc/sudoers.d/ which allows
> that.

And that is exactly what you need to manage correctly. Get your root
priv work move under "root" privs.

> The problem is that the hostname is a requirement of that file, so,
> the changehost script you contributed to has to also change the
> sudoers.d/ files. Sigh.
>
> USERNAME HOSTNAME = (root) NOPASSWD: /sbin/ifconfig
>
> Why the sudoers.d files *require* the hostname is a silly requirement,
> but it's something we have to deal with.

NO it is not silly. It's a security feature. You should not have made
it a requirement if it bothers you.
My restriction was a bit loose since I am bouncing around on 4 nodes.

# head -2 /etc/sudoers.d/my__sys_owner
Host_Alias CSNETS = 192.168.11.0/24
User_Alias FULLTIMERS = bittwister

> I use "ifconfig" to shut down the WiFi the moment Marek's vpnstatus.sh
> script detects that the VPN dropped.

NOTE: I have not followed what all is going on with the scripts and no
knowledge about vpn and whatnot.

It would help if you were to setup a vpn connection and post the
output of ifconfig while the connection is up.


>> I had mentioned some files like /etc/network/if-up.d, if-down.d,
>> if-pre-up.d, if-post-down.d which I maintain you would do all the
>> stealth setup, then make the connection.
>
> I was having a devil of a time trying to reconnect after the default
> Ubuntu network manager dropped the connection, but, once I switched
> to wicd, everything worked much smoother.

Again, no experience with wicd. What I am failing to do is getting you
to look into what those /etc/network/if*.d sub directories can do for you.

Create a whats_up script, verify it runs, create a soft link to it
from each of those directories, then bring a nic or wireless
connection up or down to see what you can see. here is the script
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<
#!/bin/bash

_exe=$0
_args=$*

# pop up a window on display :0 showing which hook ran and with what arguments
nohup xmessage -display :0 -title "$_exe" "
.
$_exe
arguments are $_args
" \
> /dev/null 2>&1 &
#*********** end of whats_up ******************

Whatever runs from those directories will be running with root privs.


> So, the default network manager is crap, compared to wicd (IMHO).

Hehehe. I have moved on to systemd-networkd.service which has knocked
off ~20 seconds delay in boot up time on my Mageia install.
systemctl restart systemd-networkd is over before I read the prompt.

> BTW, most of the time I'm at home, so, the initial state of the WiFi
> isn't an issue (especially since my home SSID is not hidden).
>
> Had I a *hidden* SSID, I'd lose privacy at a WiFi hotspot (because it's
> my understanding that the *first* broadcast *from* your WiFi NIC is for

There is where I am wondering if a script in if-pre-up.d could run
something like wpa_cli to get the scan results, then help your scripts
to know what to do.


I do need to get back to playing with my wireless setup.

My phone bill is about $30 a year.

Problem is when my ISP connection is down, no phone.

Made a deal with my neighbor, I upgrade/fix his Linux install and I
can borrow his wireless connection to make a service call anytime my
service is dead.

I just need to see what it is going to take to switch between using my
ISP wireless "hotspot" or his.


Marek Novotny
Dec 9, 2015, 9:48:02 PM
On 2015-12-10, Bit Twister <BitTw...@mouse-potato.com> wrote:
> On Thu, 10 Dec 2015 01:18:50 -0000 (UTC), Mark Bannon wrote:
>> On Thu, 10 Dec 2015 00:58:53 +0000, Bit Twister wrote:
>>
>>> Wow, that is one concise script.
>>
>> It was just the header! :)
>> I'm embarrassed by "my" code, so I generally don't supply my
>> code because it really sucks (compared to yours or Marek's).
>
> While I am thinking about it, would you remove my name anywhere you
> have it. Reason I don't need to be dragged into an investigation if
> your system gets sucked up in a computer crime.
>
> Not saying all this "Internet privacy" is to cover up future crimes,
> but if you are at a hotspot and get cracked, and is used to
> buy/sell/use stolen credit cards or any other crime, I do not need to be
> dragged in as a "person of interest".

I'd like to opt out as well. You're welcome to take whatever I write
from github or in a group post, but there is no need to add me to
scripts you author regardless of contribution.

--
Marek Novotny
https://github.com/marek-novotny

Wildman
Dec 9, 2015, 9:51:46 PM
I haven't used either one. Intended as something to look at,
not necessarily recommended.

--
<Wildman> GNU/Linux user #557453
The cow died so I don't need your bull!

Mark Bannon
Dec 9, 2015, 9:55:45 PM
On Thu, 10 Dec 2015 02:41:05 +0000, Bit Twister wrote:

> Not saying all this "Internet privacy" is to cover up future crimes,

I just might commit those heinous future crimes when/if I can successfully
cloak myself on a computing device.

Unfortunately, *nobody* can successfully cloak themselves using
a computing device, and, especially not after mentioning the letters
NSA or VPN or whatnot in a Usenet post (and having been on Usenet
for decades mentioning those letters - who knows - I might even work
for the NSA and this is just a ruse to get them to look at YOU!).

So, the jig is already (long ago) up for me (and for you).

However, your and my kids and grandkids haven't been on Usenet yet, so,
we can leave it up to *them* to commit those heinous future crimes!

Meanwhile, I'll just try to eke out some privacy while I still can......

:)

Mark Bannon
Dec 9, 2015, 9:57:22 PM
On Wed, 09 Dec 2015 20:51:45 -0600, Wildman wrote:

>
> I haven't used either one. Intended as something to look at,
> not necessarily recommended.

I appreciate the suggestions.
Unfortunately, I haven't found a better alternative to gmail
yet, despite gmail being the devil incarnate.

Outlook.com might work if it had an smtp/pop3 server, but, I'm
not sure that's a step up from gmail.

The one thing gmail does well is spam control though ....

Bit Twister
Dec 9, 2015, 9:57:49 PM
On Wed, 9 Dec 2015 18:48:01 -0800, Marek Novotny wrote:

> I'd like to opt out as well. You're welcome to take whatever I write
> from github or in a group post, but there is no need to add me to
> scripts you author regardless of contribution.


Heheheh, makes you a little nervous, huh. 8-)

Mark Bannon
Dec 9, 2015, 10:14:26 PM
On Thu, 10 Dec 2015 02:55:19 +0000, Bit Twister wrote:

> Heheheh, makes you a little nervous, huh. 8-)

I can understand your desire to distance yourself from my
goal of increased privacy on the net; but all of us who post on
Usenet are already *tagged* by those that would be watching us.

We're marked men already.

What we need to do is train our kids and grandkids to perform
those nefarious heinous Internet acts of crime in our stead.

So, I, for one, will continue to learn how to improve my
Internet privacy (and my phone privacy), but since I am already
doomed ... I'll leave it to the next generation to perform
the crimes that this privacy allots us.


< / sarcasm font >

:)

Dear NSA,
I was only kidding.
mb

Marek Novotny
Dec 9, 2015, 10:14:58 PM
On 2015-12-10, Bit Twister <BitTw...@mouse-potato.com> wrote:
A little, yes. However, I'll admit sometimes it is a code issue. If I
don't like the code I'd rather not see my name on it. Every month or so
I re-read what I wrote and want to throw up. But at least if it is mine
I can update it. If someone else wrote it I can't and it bothers me when
I see my name attached to it.

I do appreciate the thought though. Kind of a delicate issue I guess as
I don't want to offend anyone either. In general, if I don't sign it, I
don't want my name on it. And much of the time what I post is not
signed. Meaning it is just an example to the user to help out if
possible, but I don't care much for it. Some of the code posted here are
things I don't test at all and just kind of wrote as an example.

Maybe I'll just post it as 'free lame code', no attribution please... :)

Mark Bannon
Dec 9, 2015, 10:27:35 PM
On Wed, 09 Dec 2015 19:14:57 -0800, Marek Novotny wrote:

> Maybe I'll just post it as 'free lame code', no attribution please...

Marek,
I use a lot of your scripts.
Some I use as examples, but most I use as the framework for what I need.

For example, I have a folder called 'gmail_fake_account_1' with a dozen
or so *.ovpn configuration files lying in it.

When I want to log into that gmail account, I run your vpn testing
script in reverse. That is, your script runs the first ovpn file it
sees and if it works, I then log into Gmail fake account #1.

However, if that first ovpn config file fails, then your script
kicks it out and places it elsewhere. Your script then moves on to
the next ovpn file in that directory.

This keeps Gmail as happy as I can keep it, given I never give Gmail
a phone number or any other identifying information (of course the
actual mail bodies are replete with identifying information; such
is the nature of email).

At the same time, I run your vpnstatus script which will kill the
WiFi connection the moment it senses that the vpn is failing.

I don't think your vpnstatus.sh script actually kills the connection
quickly enough to be safe, but, it's better than not running it would
be.

At the same time, I use your tbird.sh script which won't start
certain mail user agents or nntp user agents unless it senses
a VPN tunnel.

I haven't integrated the speedtest-cli script which would test a
vpn connection for speed and dump those connections that are too
slow, and then move on to the next one though.

My biggest problem is that I don't know what I don't know, so, I'm
seeking advice for plugging privacy leaks that I don't even know
exist.

For example, who knew that there was a text file in your Mozilla
hierarchy that allows anyone who wants to test whether you've been
to a previously defined encrypted web sites?

To prevent those kinds of who-knew-it-was-there privacy leaks, I
ensure that my dot directories are blown away at each login.

But, there's always a new privacy leak to plug (as you well know).
So, that's why I ask if my method is foolproof yet.
(Because it's not.)

Marek Novotny
Dec 10, 2015, 12:52:38 AM
On 2015-12-10, Mark Bannon <mba...@spam.invalid> wrote:

// snip

> At the same time, I run your vpnstatus script which will kill the
> WiFi connection the moment it senses that the vpn is failing.
>
> I don't think your vpnstatus.sh script actually kills the connection
> quickly enough to be safe, but, it's better than not running it would
> be.

So I started to write a reply with some example code for how to
terminate a process without using sleep which can be slow. Since you
want something really fast I modified the last vpnstatus script I have
in my collection. I removed all sleep commands and instead it runs in a
loop constantly looking for changes in the tun0 device.

This should function instantly now.

The difference here is that this will no longer act as a polling process
where it tells you every few minutes, or seconds that the link is up or
down. Instead it watches the link and only tells you if the status of
the link has changed. If it has not changed, you see nothing. But if
tun0 even hiccups for a second, this will detect it, and kill apps. If
tun0 restores itself, it will detect that too, and instantly update.

#!/bin/bash

#############################################################
#
# script: vpnstatus.sh
# written by: Marek Novotny
# version: 2.5
# date: Wed Dec 09 21:00:00 PDT 2015
# purpose: test status of live vpn connection
# : kill torrent if vpn disconnects
# license: GPL v2 (only)
#
#############################################################

condition=""

sendMessage()
{
echo "$1"
}

# apps that should be terminated if VPN fails
processList=("transmission" "firefox")
# apps that should not be running under vpn
restrictedApps=("thunderbird" "slrn")

# check if a process stored in the variable task is running or not

checkProcess()
{
    # test pgrep's exit status directly: the earlier "[ $(pgrep $task) ]"
    # form breaks as soon as pgrep returns more than one PID
    if pgrep "$task" > /dev/null ; then
        return 0
    else
        return 1
    fi
}

# terminate the given process stored in the variable task

terminateProcess()
{
    kill $(pgrep "$task") && return 0
}

# routine to test for processes, report their status and kill them if running

processTerminator()
{
checkProcess
if (($? == 0)) ; then
sendMessage "$task is running..."
sendMessage "Terminating $task..."
terminateProcess
if (($? == 0)) ; then
sendMessage "$task terminated..."
else
sendMessage "$task is still running..."
fi
fi
}

# generate a random IP to test ip route against

randomizer()
{
IFS=$' '
ary=()
for x in {1..4} ; do
ary+=($(($RANDOM % 221 + 1)))
done

if [[ ${ary[0]} -eq 10 || ${ary[0]} -eq 100 ]] ; then
randomizer
elif [[ ${ary[0]} -eq 169 ]] && [[ ${ary[1]} -eq 254 ]] ; then
randomizer
elif [[ ${ary[0]} -eq 172 ]] && [[ ${ary[1]} -eq 16 ]] ; then
randomizer
elif [[ ${ary[0]} -eq 192 ]] && [[ ${ary[1]} -eq 168 ]] ; then
randomizer
elif [[ ${ary[0]} -eq 198 ]] && [[ ${ary[1]} -eq 18 ]] ; then
randomizer
else
addr=$(echo "${ary[@]}" | awk '{print $1"."$2"."$3"."$4}')
fi
}

# kill apps that should not be running if VPN is connected.
# kills these apps once, if the script is running and the VPN
# tunnel becomes active

vpnOn()
{
if [[ $condition != "on" ]] ; then
condition="on"
echo "VPN status: $condition - ${deviceStatus[0]}: ${deviceStatus[1]}"

for x in ${restrictedApps[@]} ; do
task=$x
processTerminator
done
fi
}

# drop apps that should not be running if vpn tunnel fails

vpnOff()
{
if [[ $condition != "off" ]] ; then
condition="off"
echo "VPN status: $condition - ${deviceStatus[0]}: ${deviceStatus[1]}"
echo "Terminating apps..."

for x in ${processList[@]} ; do
task=$x
processTerminator
done
fi
}

randomizer
while true ; do
deviceStatus=($(ip route get $addr | awk 'NR==1 {print $5,$7}'))
if [[ ${deviceStatus[0]} == "tun0" ]] ; then
vpnOn
else
vpnOff
fi
done

#END

// snip
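Marek's rewrite drops the sleeps and calls `ip route get` in a tight loop, which reacts instantly but keeps one CPU core busy for as long as it runs. As an added example that is not Marek's script, the same state-change idea can instead be driven by the kernel's own link events through `ip monitor link`: the script blocks until tun0 actually changes and reacts at once, with no polling. Assumptions: the tunnel device is tun0, the apps to stop on a drop are the two in APPS_ON_DROP, and the lines in sample_events are constructed to match the usual `ip monitor link` output format rather than captured from a real machine.

```shell
#!/bin/bash
# Added example (not Marek's vpnstatus.sh): react to tun0 link events from
# "ip monitor link" instead of polling "ip route get" in a busy loop.
# Assumptions: tunnel device is tun0; apps in APPS_ON_DROP get killed on drop.

TUN=${TUN:-tun0}
APPS_ON_DROP="transmission firefox"

# classify_link_event IFACE LINE: print "up", "down", or nothing if LINE is
# not a link event for IFACE (other interfaces, "link/none" continuation lines).
classify_link_event() {
    local iface=$1 line=$2 flags
    case $line in
        *" ${iface}: <"*) ;;
        *) return 0 ;;
    esac
    case $line in
        "Deleted "*) echo down; return 0 ;;   # interface removed entirely
    esac
    flags=${line#*" ${iface}: <"}   # text after "tun0: <"
    flags=${flags%%>*}              # ... up to the closing ">"
    case ",$flags," in
        *,UP,*) echo up ;;
        *)      echo down ;;
    esac
}

# transition PREV EVENT: print "NEWSTATE ACTION". Only a real change produces
# an action, which keeps the watchdog silent while nothing happens.
transition() {
    local prev=$1 ev=$2
    if [ "$ev" = "$prev" ]; then
        echo "$prev none"
    elif [ "$ev" = down ]; then
        echo "down kill"
    else
        echo "up notify"
    fi
}

# act ACTION: side effects for a state change.
act() {
    case $1 in
        kill)
            echo "$(date '+%T') VPN $TUN down: terminating $APPS_ON_DROP"
            for a in $APPS_ON_DROP; do pkill -x "$a" 2>/dev/null; done ;;
        notify)
            echo "$(date '+%T') VPN $TUN up" ;;
    esac
}

# watch_vpn: seed the state from the current flags, then block on link events.
# The { } group keeps "state" alive across loop iterations inside the pipe.
watch_vpn() {
    ip monitor link | {
        state=$(classify_link_event "$TUN" "$(ip link show "$TUN" 2>/dev/null | head -n 1)")
        state=${state:-down}
        echo "initial state: $state"
        while IFS= read -r line; do
            ev=$(classify_link_event "$TUN" "$line")
            [ -n "$ev" ] || continue
            set -- $(transition "$state" "$ev")
            state=$1
            act "$2"
        done
    }
}

# Constructed sample of "ip monitor link" output (not captured from a real box):
# tun0 comes up, wlan0 changes (ignored), tun0 loses UP, comes back, is deleted.
sample_events() {
    cat <<'EOF'
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
5: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc fq_codel state DOWN group default qlen 500
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
Deleted 5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
EOF
}

# replay_sample: run the sample through the state machine without side
# effects and print the actions that would fire, space-separated.
replay_sample() {
    local state=unknown out="" line ev
    while IFS= read -r line; do
        ev=$(classify_link_event "$TUN" "$line")
        [ -n "$ev" ] || continue
        set -- $(transition "$state" "$ev")
        state=$1
        [ "$2" = none ] || out="$out${out:+ }$2"
    done <<EOF
$(sample_events)
EOF
    echo "$out"
}

# Run with --watch to use it for real; without arguments it replays the sample.
if [ "${1:-}" = "--watch" ]; then
    watch_vpn
else
    echo "sample replay actions: $(replay_sample)"
fi
```

The caveat is what `ip monitor link` does not see: it reports interface flag changes, so if the VPN client keeps tun0 up while the remote end has gone away, no event fires. Pair it with a route check like Marek's `ip route get` (run once on each event rather than continuously) or with the VPN client's own up/down hooks, and remember that the event-driven version only ever kills apps on a real up-to-down transition, which is exactly the "only tell me when it changed" behaviour Marek describes.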

Jasen Betts
Dec 10, 2015, 1:00:56 AM
On 2015-12-10, Mark Bannon <mba...@spam.invalid> wrote:
I use exim, gmail and yahoo forward emails to my (dynamic-ip) domain and
i read them from the system mail spool using a command-line client, but
I also have an imap server installed to support other users in the
household.

--
\_(ツ)_

Jasen Betts
Dec 10, 2015, 1:00:57 AM
On 2015-12-10, Mark Bannon <mba...@spam.invalid> wrote:
> On Wed, 09 Dec 2015 20:51:45 -0600, Wildman wrote:
>
>>
>> I haven't used either one. Intended as something to look at,
>> not necessarily recommended.
>
> I appreciate the suggestions.
> Unfortunately, I haven't found a better alternative to gmail
> yet, despite gmail being the devil incarnate.
>
> Outlook.com might work if it had an smtp/pop3 server, but, I'm
> not sure that's a step up from gmail.

AIUI it does, it'll forward to a third party as an option.



--
\_(ツ)_

Mark Bannon
Dec 10, 2015, 1:58:17 AM
On Thu, 10 Dec 2015 05:46:27 +0000, Jasen Betts wrote:

> AIUI it does, it'll forward to a third party as an option.

You are correct that Outlook.com has POP/IMAP/SMTP settings:
https://support.office.com/en-us/article/Outlook-settings-for-POP-and-IMAP-access-for-Office-365-for-business-or-Microsoft-Exchange-accounts-7FC677EB-2491-4CBC-8153-8E7113525F6C

However ...

Under VPN, I tried to create an account on outlook.com, but it
initially required both an email and a phone number (Gmail
requires neither but you have to purposefully ignore the
questions).

Yet, with persistence, I was able to type past both seemingly
required requirements by the use of legal but clearly bogus
email address syntax; so, it appears to work as Gmail does
(it says stuff is required (such as gender), but that stuff
isn't really required if you just try a little bit not to
answer the questions).

Outlook captcha was far easier than the captcha that you get when you
sign up for Gmail while using Tor (when you sign up for Gmail
using VPN and not Tor, you get a far easier Captcha which is sort
of like a home address plate - but boy oh boy - it's virtually
impossible to get the captcha right when you sign up using Tor).

We'll see if Outlook does better than Gmail with spam.
And, we'll see if it figures out the bogus email syntax over time.

Does anyone know if Microsoft is as bad or better than Gmail
when it comes to privacy of the contents of your email bodies?

Mark Bannon

Dec 10, 2015, 2:27:50 AM
On Wed, 09 Dec 2015 21:52:35 -0800, Marek Novotny wrote:

> I removed all sleep commands and instead it runs in a
> loop constantly looking for changes in the tun0 device.
>
> This should function instantly now.

Ooooooooh. Sexy. Verrrrry sexy.

I will implement it as soon as I send off this post and let
you know how it works after testing it out a bit.

I'm using your kdialog version instead of Zenity because of
KDE, the key statements being listed below ...

deviceInfo=($(ip route get 8.8.8.8 | awk 'NR==1 {print $5,$7}'))

if [[ ${deviceInfo[0]} == "tun0" ]] ; then
    (it prints stuff using printf)
else
    (it shuts down the WiFi NIC first and foremost)
    sudo ifconfig "${deviceInfo[0]}" down

    (then it kills stuff using killall & finally shows & sounds an alert)

    aplay /usr/share/kde4/apps/korganizer/sounds/alert.wav > /dev/null 2>&1 &
    kdialog --error "$IP $TIME VPN disconnected" --title "${deviceInfo[0]} ${deviceInfo[1]}"

Mark Bannon

Dec 10, 2015, 3:26:16 AM
On Wed, 09 Dec 2015 21:52:35 -0800, Marek Novotny wrote:

> The difference here is that this will no longer act as a polling process
> where it tells you every few minutes, or seconds that the link is up or
> down. Instead it watches the link and only tells you if the status of
> the link has changed. If it has not changed, you see nothing. But if
> tun0 even hickups for a second, this will detect it, and kill apps. If
> tun0 restores itself, it will detect that too, and instantly update.

Hi Marek,
Here are the first-pass results on the first test for a few minutes

SUMMARY:
A. I ran your vpnchecker.sh script in a directory full of *ovpn files
B. Once I was on a good vpn, I ran your vpnstatus.sh in another window
C. I started firefox
D. I started pan using a reverse of your tbird.sh script
(which only allows pan to start when on VPN)
E. Then, I aborted the VPN session with a control+c
F. This immediately killed pan & firefox (woohoo! it worked!)
G. It did not kill the WiFi connection (I gotta think if that matters or not)
H. The vpnchecker.sh script asked if the openvpn task was successful
I. I said Yes and the vpnchecker.sh moved on to the next ovpn file
J. Once I was back on VPN, the vpnstatus.sh kicked in anew!

DETAILS:
1. I changed into a directory full of vpn scripts and started the
reverse vpnchecker script, which does the following:
a. It starts "openvpn --config the-next-ovpn-file.ovpn"
b. If that works, I go about my business (e.g., torrent or whatever)
c. If that fails, the vpnchecker asks "Was that successful?"
d. If I say "No", the vpnchecker moves the ovpn file somewhere else
e. And then the vpnchecker starts openvpn on the next *.ovpn file
f. If I say "Yes", the vpnchecker keeps the *.ovpn file, and
g. It moves on to the next *.ovpn file to run openvpn on.

2. Once a vpn session starts, in another terminal, I run vpnstatus.sh
a. vpnstatus.sh version 2.5 has a process list of the following:
processList=("transmission" "transmission-gtk" "firefox" "pan")
b. vpnstatus.sh v2.5 reports:
VPN status: on - tun0: 10.211.1.17

3. Then I control+c in the vpnchecker terminal window.
a. Immediately, I get the output in the vpnchecker.sh terminal window:
CONTROL+C
Wed Dec 9 23:54:10 2015 event_wait : Interrupted system call (code=4)
Wed Dec 9 23:54:10 2015 /sbin/ip route del 60.239.82.237/32
Wed Dec 9 23:54:10 2015 /sbin/ip route del 0.0.0.0/1
Wed Dec 9 23:54:10 2015 /sbin/ip route del 128.0.0.0/1
Wed Dec 9 23:54:10 2015 Closing TUN/TAP interface
Wed Dec 9 23:54:10 2015 /sbin/ip addr del dev tun0 local 10.211.1.17 peer 10.211.1.18
Wed Dec 9 23:54:10 2015 SIGINT[hard,] received, process exiting

Was that successful?

4. I notice immediately the following in the vpnstatus.sh terminal window:
VPN status: on - tun0: 10.211.1.17
VPN status: off - wlan0: 192.168.1.28
Terminating apps...
firefox is running...
Terminating firefox...
firefox terminated...
pan is running...
Terminating pan...
pan terminated...

5. Now, I go back to the vpnchecker window, and I type either "Y" or "N".
a. The vpnchecker script goes back to running the next ovpn config file
b. If that config file fails, I simply type "No" to the success question.
c. And the checker kicks the bad *ovpn config file out of that directory.
d. If that ovpn config file works, I'm back on VPN ...
Was that successful?
y <===== I hit Yes because I had control+c out of a good config file
Was that successful?
n <===== the next ovpn file was bad, so, the script kicked it out
Wed Dec 9 23:56:43 2015 /sbin/ip route add 24.154.231.149/32 via 192.168.1.1
Wed Dec 9 23:50:56 2015 /sbin/ip route add 0.0.0.0/1 via 10.211.1.22
Wed Dec 9 23:50:56 2015 /sbin/ip route add 128.0.0.0/1 via 10.211.1.22
Wed Dec 9 23:50:56 2015 Initialization Sequence Completed
e. So now I'm back on a good *ovpn file.

6. Looking back to the still-running vpnchecker.sh window, I see it's back
in business!
a. VPN status: on - tun0: 10.211.1.21

Woo hooo! This is nice! Clever. Pretty. Elegant.

The only thing it doesn't do is kill the WiFi connection; but, if the apps
are actually killed fast enough, I wonder if I still need to shut the WiFi
NIC down?

As noted by BitTwister, it was a hole that I had to put ifconfig in the
sudoers.d directory just to shut down the WiFi NIC from the old script:
bannon laptop1 = (root) NOPASSWD: /sbin/ifconfig

This is the command in the old vpnstatus.sh that shut down the wlan0 NIC:
sudo ifconfig "${deviceInfo[0]}" down
Bit Twister

Dec 10, 2015, 3:34:04 AM
On Wed, 9 Dec 2015 21:52:35 -0800, Marek Novotny wrote:
> On 2015-12-10, Mark Bannon <mba...@spam.invalid> wrote:
>
> // snip
>
> So I started to write a reply with some example code for how to
> terminate a process without using sleep which can be slow. Since you
> want something really fast I modified the last vpnstatus script I have
> in my collection. I removed all sleep commands and instead it runs in a
> loop constantly looking for changes in the tun0 device.

Ah, there is some of the information I was after. Keep in mind I have no
knowledge about VPN but you might consider looking into what happens
in /etc/network/if-up.d, if-down.d, if-pre-up.d, if-post-down.d

I would think you could put some links in there that link back to your
controlling software that might not require polling or sleeping.
It might also remove some of the current user sudo commands.

Just for fun, save as whats_up,
chmod +x whats_up
./whats_up just testing with and without arguments
./whats_up

./whats_up install_me
now bring a connection/nic down/up and read the contents of the pop ups.

When done playing around,
./whats_up uninstall_me

-----8<-----8<-----8<-----8<---cut below line --8<-----8<-----8<----
#!/bin/bash
# whats_up - pops up an xmessage showing which network event directory
# invoked this script and with what arguments, so you can see what the
# if-up.d / if-down.d hooks get to work with.

_exe=$0
_app=$(basename "$_exe")
_args=$*

# array of ?buntu or RedHat type OS networking directories
arr=(
/etc/network/if-up.d
/etc/network/if-down.d
/etc/network/if-pre-up.d
/etc/network/if-post-down.d
/etc/sysconfig/network-scripts/ifup.d
/etc/sysconfig/network-scripts/ifdown.d
/etc/sysconfig/network-scripts/vpn.d/openvpn
/etc/sysconfig/network-scripts/vpn.d/pptp
/etc/sysconfig/network-scripts/vpn.d/vpnc
)

if [ $# -gt 0 ] ; then
    if [ "$1" = "install_me" ] ; then
        # run install_me with the script's full path, or the links dangle
        for _ix in ${!arr[*]} ; do
            if [ -d "${arr[$_ix]}" ] ; then
                ln -s "$_exe" "${arr[$_ix]}/xxx_$_app"
            fi
        done
        echo "$_exe installed links, bounce a nic"
        exit 0
    fi
    if [ "$1" = "uninstall_me" ] ; then
        for _ix in ${!arr[*]} ; do
            if [ -e "${arr[$_ix]}/xxx_$_app" ] ; then
                unlink "${arr[$_ix]}/xxx_$_app"
            fi
        done
        echo "$_exe has uninstalled links"
        exit 0
    fi
    # any other argument (e.g. the interface name some distros pass to
    # their hooks) falls through to the pop-up below
else
    _args=" no argument provided"
fi

# -display :0 puts the pop-up on the console display even when DISPLAY
# is not set in the caller's environment
nohup xmessage -display :0 -title "$_exe" "
.
$_exe arguments are
$_args
" \
> /dev/null 2>&1 &

exit 0
#************ end of whats_up ****************************


--
The warranty and liability expired as you read this message.
If the above breaks your system, it's yours and you keep both pieces.
Practice safe computing. Backup the file before you change it.
Do a, man command_here or cat command_here, before using it.

Bit Twister

Dec 10, 2015, 3:39:40 AM
On Thu, 10 Dec 2015 08:26:14 -0000 (UTC), Mark Bannon wrote:
>
> As noted by BitTwister, it was a hole that I had to put ifconfig in the
> sudoers.d directory just to shut down the WiFi NIC from the old script:
> bannon laptop1 = (root) NOPASSWD: /sbin/ifconfig
>
> This is the command in the old vpnstatus.sh that shut down the wlan0 NIC:
> sudo ifconfig "${deviceInfo[0]}" down

And there is where I suggest a link in
/etc/network/if-post-down.d
would shutdown wlan0 without user needing sudo privs.

Mark Bannon

Dec 10, 2015, 3:48:32 AM
On Thu, 10 Dec 2015 08:37:10 +0000, Bit Twister wrote:

>> This is the command in the old vpnstatus.sh that shut down the wlan0 NIC:
>> sudo ifconfig "${deviceInfo[0]}" down
>
> And there is where I suggest a link in
> /etc/network/if-post-down.d
> would shutdown wlan0 without user needing sudo privs.

As I recall, I had tried that approach in the past and it failed for me
(Ubuntu 14.04 with KDE desktop).

I'll try anew, but first, I'll tell you what I currently have:

$ ls -l /etc/network/if-post-down.d/
total 4
lrwxrwxrwx 1 root root 23 Jan 13 2014 avahi-daemon -> ../if-up.d/avahi-daemon
-rwxr-xr-x 1 root root 1070 Apr 20 2012 wireless-tools
lrwxrwxrwx 1 root root 32 Oct 10 2014 wpasupplicant -> ../../wpa_supplicant/ifupdown.sh

The "wpasupplicant" file is too long to post here, but the avahi-daemon is short:

$ cat avahi-daemon
#!/bin/sh

# Don't run the avahi-daemon unicast local check while bringing up
# the loopback device; it's not necessary until we bring up a real network
# device
[ "$IFACE" != "lo" ] || exit 0
case "$ADDRFAM" in
inet|inet6) ;;
*) exit 0 ;;
esac

# If we have an unicast .local domain, we immediately disable avahi to avoid
# conflicts with the multicast IP4LL .local domain
if [ -x /usr/lib/avahi/avahi-daemon-check-dns.sh ] ; then
exec /usr/lib/avahi/avahi-daemon-check-dns.sh
fi

Mark Bannon

Dec 10, 2015, 4:02:46 AM
On Thu, 10 Dec 2015 08:31:34 +0000, Bit Twister wrote:

> Keep in mind I have no knowledge about VPN

I don't know anything about vpn, but, here's an *easy* way to
test out VPN in about two minutes.

1. Point your web browser to http://vpngate.net & you'll see a table.
2. The 7th column of that table is titled: OpenVPN
(Don't worry that Linux isn't listed - the files work fine on Linux!)
3. Choose a few of those files in that 7th column to download, e.g.,
vpngate_153.175.238.148_udp_1852.ovpn
vpngate_1.55.221.70_udp_1216.ovpn
vpngate_203.106.156.218_udp_6827.ovpn
vpngate_221.149.241.130_udp_1195.ovpn
vpngate_37.146.82.185_udp_1844.ovpn
vpngate_58.8.139.242_udp_1303.ovpn
4. I then run Marek's vpnchecker.sh script on those files, limiting his
script to only *.ovpn files so that it ignores other stuff in
that directory but you can just run the openvpn command directly:

$ sudo openvpn --config vpngate_153.175.238.148_udp_1852.ovpn

5. You'll know it worked if you see within seconds that the connection
was established. If you don't see that it was established, just
control+c out and try again with the next *.ovpn file.

6. You can tell you're on the vpn session using "route -n":
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.211.1.6      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.211.1.6      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
153.175.238.148 192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
128.0.0.0       10.211.1.6      128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0

7. At this point, *everything* you do is going through that VPN server.
Of course, you have to trust them to keep to their promise of 2-week logs,
but, as you well know, there is no privacy on the Internet that is real.

But, at least you can test this in seconds.

When you control+c out of the VPN session, it gracefully restores your routing
table back to what it was (which is kind'a magical to me since a control+c is
so inelegant a way to kill something).

At this point, while you're on VPN, you won't notice anything different.
If you like, you can run a speedtest-cli to see what you've lost in speed.

$ alias speedtest
alias speedtest='speedtest-cli --share --simple >> ~/log/speedtest.log'
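As an added example (not from anyone in the thread), here is a shell check that reads a route -n table like the one above and answers whether the whole address space is covered by the tunnel; it relies on how OpenVPN's redirect-gateway works, adding 0.0.0.0/1 and 128.0.0.0/1 via tun0 rather than replacing the default route. The sample tables are constructed from the listing above, and the function names are assumptions of mine.

```shell
#!/bin/sh
# vpn_route_check: added example, not from the thread. Answers "is ALL my
# traffic going through the tunnel?" from a "route -n" table like the one
# posted above. OpenVPN's redirect-gateway does not replace the default
# route: it adds two /1 routes (0.0.0.0/1 and 128.0.0.0/1) via tun0 that
# beat 0.0.0.0/0 by being more specific. Both halves must be present and
# on the same tun device, or part of the address space still leaves via
# the LAN gateway. Function and variable names are my own.

# Constructed sample, mirroring the table in the post above (VPN up).
SAMPLE_ON='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.211.1.6      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.211.1.6      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
153.175.238.148 192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
128.0.0.0       10.211.1.6      128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0'

# Constructed sample after control+c on openvpn: only the LAN default is left.
SAMPLE_OFF='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0'

# vpn_iface_from_table TABLE
# Prints the tun device that carries BOTH /1 halves; prints nothing when
# either half is missing or the two halves point at different devices.
vpn_iface_from_table() {
    printf '%s\n' "$1" | awk '
        # columns: Destination Gateway Genmask Flags Metric Ref Use Iface
        $3 == "128.0.0.0" && $1 == "0.0.0.0"   { low[$8]  = 1 }
        $3 == "128.0.0.0" && $1 == "128.0.0.0" { high[$8] = 1 }
        END {
            for (dev in low)
                if ((dev in high) && dev ~ /^tun/) { print dev; exit }
        }'
}

# vpn_active TABLE -> exit 0 when the whole address space rides a tun device
vpn_active() {
    [ -n "$(vpn_iface_from_table "$1")" ]
}

# Live check on a host that still ships net-tools; "ip route" prints a
# different layout and would need its own parser.
check_live() {
    vpn_active "$(route -n 2>/dev/null)"
}
```

A table with only one of the two /1 routes fails the check, which is exactly the half-leaked state that a plain "is tun0 up" test would miss.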

Bit Twister

Dec 10, 2015, 4:25:43 AM
On Thu, 10 Dec 2015 08:48:30 -0000 (UTC), Mark Bannon wrote:
> On Thu, 10 Dec 2015 08:37:10 +0000, Bit Twister wrote:
>
>>> This is the command in the old vpnstatus.sh that shut down the wlan0 NIC:
>>> sudo ifconfig "${deviceInfo[0]}" down
>>
>> And there is where I suggest a link in
>> /etc/network/if-post-down.d
>> would shutdown wlan0 without user needing sudo privs.
>
> As I recall, I had tried that approach in the past and it failed for me
> (Ubuntu 14.04 with KDE desktop).

I run with 8 virtual desktops.
$ env | grep _desktop |sort -V -t '=' --key=2
_login_desktop=1
_binaries_desktop=2
_usenet_desktop=3
_browsing_desktop=4
_root_desktop=5
_users_desktop=6
_bank_desktop=7
_mail_desktop=8

Here is a script you might find handy. I have several desktop
shortcuts to scripts like browser, bank, .... those scripts run my
switch_desktop script then launches the application.
No idea if it works on your kde release.

-------8<-------8<-------8<-------8<-------8<
#!/bin/bash
#****************************************************************
#* script to switch KDE desktop
#*
#* Usage: switch_desktop X
#*
#****************************************************************

export PATH=/usr/local/sbin\
:/sbin:/usr/sbin\
:/usr/local/bin:/usr/bin:/bin\
:/usr/libexec:/usr/games\
:/usr/lib64/qt5/bin:/usr/lib64/qt4/bin

_exe=$(basename "$0")

if [ $# -eq 0 ] ; then
    echo "
Usage: $_exe desktop_number
"
    exit 1
fi

_dt=$1
_ct=0

# desktop_number must be a positive integer, or the -ne test below errors out
case $_dt in
    ''|*[!0-9]*) echo "$_exe: '$_dt' is not a desktop number" ; exit 1 ;;
esac

if [ -e /etc/sysconfig/desktop ] ; then
    # ask KWin to switch, then wait until it reports the new desktop as current
    qdbus org.kde.KWin /KWin org.kde.KWin.setCurrentDesktop "$_dt" > /dev/null
    while [ "$_ct" -ne "$_dt" ] ; do
        # if qdbus stops answering, fall out of the loop instead of spinning
        _ct=$(qdbus org.kde.KWin /KWin currentDesktop 2>/dev/null || echo "$_dt")
    done
fi

#*************** end switch_desktop *****************************



> I'll try anew, but first, I'll tell you what I currently have:

Does not matter what you have. I selected the xxx_whats_up name so
that it would run last during that event.

David W. Hodgins

Dec 10, 2015, 11:49:59 AM
On Wed, 09 Dec 2015 00:08:29 -0500, Mark Bannon <mba...@spam.invalid> wrote:

> Nobody has a better system than what I came up with on my own?
> Not a single improvement suggested?

The whole premise is wrong. If you don't want to be tracked, the best way is to look like everyone else.

Regards, Dave Hodgins

--
Change dwho...@nomail.afraid.org to davidw...@teksavvy.com for
email replies.

Marek Novotny

Dec 10, 2015, 12:03:25 PM
On 2015-12-10, Bit Twister <BitTw...@mouse-potato.com> wrote:
> On Wed, 9 Dec 2015 21:52:35 -0800, Marek Novotny wrote:
>> On 2015-12-10, Mark Bannon <mba...@spam.invalid> wrote:
>>
>> // snip
>>
>> So I started to write a reply with some example code for how to
>> terminate a process without using sleep which can be slow. Since you
>> want something really fast I modified the last vpnstatus script I have
>> in my collection. I removed all sleep commands and instead it runs in a
>> loop constantly looking for changes in the tun0 device.
>
> Ah, there is some of the information I was after. Keep in mind I have no
> knowledge about VPN but you might consider looking into what happens
> in /etc/network/if-up.d, if-down.d, if-pre-up.d, if-post-down.d

// snip

I'll look into that idea.

Marek Novotny

Dec 10, 2015, 12:09:53 PM
On 2015-12-10, Mark Bannon <mba...@spam.invalid> wrote:
Ah yes, we're different in that space. I never want to kill my network.
But you could just add a line of code to kill off the network, same as
you did in the past. But the apps you really want to get rid of should
kill pretty darn quickly with this method.

Bit Twister

Dec 10, 2015, 12:16:46 PM
Sounds like the app needs a configuration file.
kill_wifi_vpn_down=yes/no

Mark Bannon

Dec 10, 2015, 12:40:57 PM
On Thu, 10 Dec 2015 09:09:52 -0800, Marek Novotny wrote:

> Ah yes, We're different in that space. I never want to kill my network.
> But you could just add a line of code to kill off the network, same as
> you did in the past. But the apps you really want to get rid of should
> kill pretty darn quickly with this method.

I agree with everything you said.

Today the program failed to kill pan, for some reason.
I think it's because Pan hung when it tried to kill it.

I will see if that happens again, but, that's kind of why I'll add the
network shutdown line, if for no other reason than as a failsafe.

Thanks for the great script!

Mark Bannon

Dec 10, 2015, 12:42:33 PM
On Thu, 10 Dec 2015 00:49:19 -0500, David W. Hodgins wrote:

> The whole premise is wrong.
> If you don't want to be tracked, the best way is to look like everyone else.

I don't disagree.

But, how do you look like everyone else when you're coming from a single
static IP address.

That looks like me every single time.

So I have to come from someone else's IP address.

Marek Novotny

Dec 10, 2015, 1:19:18 PM
On 2015-12-10, Mark Bannon <mba...@spam.invalid> wrote:
> On Thu, 10 Dec 2015 09:09:52 -0800, Marek Novotny wrote:
>
>> Ah yes, We're different in that space. I never want to kill my network.
>> But you could just add a line of code to kill off the network, same as
>> you did in the past. But the apps you really want to get rid of should
>> kill pretty darn quickly with this method.
>
> I agree with everything you said.
>
> Today the program failed to kill pan, for some reason.
> I think it's because Pan hung when it tried to kill it.

Huh... Well I could put two kill commands in there. The default SIGTERM
will do a graceful close of the app, but if that fails I could add a
SIGKILL to it, which will instruct the kernel to drop the process and
the app should die immediately. Like being shot in the head.

Find this function and replace what you have with this.

terminateProcess()
{
    # -x matches the exact process name, so "pan" no longer also hits "panel"
    pgrep -x "$task" > /dev/null || return 1     # not running: nothing to do
    pkill -x "$task"                             # graceful SIGTERM first
    for _ in 1 2 3 4 5 ; do                      # short grace period, then escalate
        pgrep -x "$task" > /dev/null || return 0
        sleep 0.2
    done
    pkill -9 -x "$task" && return 0 || return 1  # SIGKILL: kernel drops the process
}

Try that out and let me know if a hung process refuses to die in the
future.

> I will see if that happens again, but, that's kind of why I'll add the
> network shutdown line, if for no other reason than as a failsafe.

Shouldn't need to kill the network. SIGKILL tells the kernel to drop the
process. It should just die instantly. So first it will do it gracefully
and if it fails it will shoot the app in the head.

> Thanks for the great script!



Mark Bannon

Dec 10, 2015, 1:31:49 PM
On Thu, 10 Dec 2015 10:19:16 -0800, Marek Novotny wrote:

> Find this function and replace what you have with this.
>
> terminateProcess()
> {
> kill $(pgrep $task) && return 0 || kill -9 $(pgrep $task) \
> && return 0 || return 1
> }
>
> Try that out and let me know if a hung process refuses die in the
> future.

Thanks Marek for that additional safety feature.

I have added it and will use it as soon as I drop this particular
vpn connection (I'm always on vpn when I'm on Usenet).

J G Miller

Dec 10, 2015, 3:21:51 PM
On Thursday, December 10th, 2015, at 03:14:25 +0000, Mark Bannon proposed:

> What we need to do is train our kids and grandkids to perform
> those nefarious heinous Internet acts of crime in our stead.

Apparently the newer generations are being socially conditioned
to act without regard for whether or not they care or claim to
care about their privacy.

<https://www.aclu.ORG/blog/do-young-people-care-about-privacy>

<https://www.infosecurity-magazine.COM/magazine-features/the-generation-x-y-z-of/>

Bit Twister

Dec 10, 2015, 3:34:09 PM
On Thu, 10 Dec 2015 00:39:06 -0000 (UTC), Mark Bannon wrote:
> On Wed, 09 Dec 2015 20:10:14 +0000, Bit Twister wrote:
>
>> Did you ever go back and back out those sudo holes you poked in your
>> system administration security layer? :-(
>
> Good point. There are plenty of holes in the /etc/sudoers.d/vpn-ifconfig
> configuration Marek (or someone) provided to me long ago.

Ran across this awhile back
man ifconfig
NAME
ifconfig - configure a network interface

NOTE
This program is obsolete! For replacement check ip addr and ip link.
For statistics use ip -s link.


and while removing ifconfig from all my scripts, I saw a method to
keep the user from running root priv commands directly.

Snippet from vboxtap follows:

# This script uses sudo to create/destroy dynamic tapN devices, so
# /etc/sudoers should contain something like the following if members
# of the "users" group can create/destroy dynamic tapN devices.
#
# %users ALL=(ALL) NOPASSWD: /local/bin/vboxtap

Marek Novotny's install script would create a file in /etc/sudoers.d/
and his wrapper would have all the privs it need to run.

The script allows the user or network script to do tap management.
Another snippet from vboxtap

else
# Called from command line for static tap devices.

# Run via sudo if not root.
if [ "$USERNAME" != "root" ]; then exec /usr/bin/sudo "$0" "$1" "$2" "$3"; fi

# $1 OWNER is the owner of the device (the user running VirtualBox).
# $2 START is the starting tapN device.
# $3 END is the last tapN interfaces you want.
#
# eg. vboxtap fred 0 4
# vboxtap wilma 5 9
#
# The above would create tap0, tap1, tap2, tap3 & tap4 owned by "fred",
# and tap5, tap6, tap7, tap8 & tap9 owned by "wilma".

Bit Twister

Dec 10, 2015, 4:02:10 PM
On Thu, 10 Dec 2015 01:29:54 -0000 (UTC), Mark Bannon wrote:

> What I would *like* to do, when I am at a WiFi hotspot, is manually shut off
> the WiFi NIC with the switch on the side of the laptop, and then to change
> parameters such as the hostname, username, macaddress, as in the Marek-inspired
> scripts that I run...
>
> $ changemac.sh <--- mandatory
> $ changehost.sh <--- optional
> $ changeuser.sh <--- optional
>
> The problem is that I can't change the mac when the NIC is turned off!
>:(

I do not see why not. There is where the magic of links come into play.

You run changemac.sh and it generates a custom network configuration
file, set links to it in /etc/network/interfaces.d and you are good to
go when the nic comes up. Remove or reset to default and you would be
back to normal.

I have no experience on ?buntu but on RedHat type OS you can set
MACADDR=xxxxx in the nic's config file and you're done with it.

If changing mac, I would suggest it would also run changehost.sh.

For the fourth time: man interfaces

Mark Bannon

Dec 10, 2015, 9:57:38 PM
On Thu, 10 Dec 2015 20:31:40 +0000, Bit Twister wrote:

> Snippet from vboxtap follows:

Just so you know I'm not ignoring you in the least, I have to say
that half your posts are so far above my capabilities, that I don't
understand the solution you propose.

I'm sure the solution you propose is valid, reasonable, and logical.
But, just so you know, if I don't respond, then it just means that
I'm pondering the solution - but - usually that means I really am
in over my head (technically).

There's a *lot* I didn't understand in your last post, for example.
I read it three times. I'll read it 'smore.

:(

Bit Twister

Dec 11, 2015, 2:51:43 AM
On Fri, 11 Dec 2015 02:57:36 -0000 (UTC), Mark Bannon wrote:
> On Thu, 10 Dec 2015 20:31:40 +0000, Bit Twister wrote:
>
>> Snippet from vboxtap follows:
>
> Just so you know I'm not ignoring you in the least, I have to say
> that half your posts are so far above my capabilities, that I don't
> understand the solution you propose.

Not a problem. The vboxtap example basically showed a sudo example on
how the script does the actual commands. In other words, you can not do
any ifconfig commands as user. You run the script, it does the desired
activity.

> I'm sure the solution you propose is valid, reasonable, and logical.
> But, just so you know, if I don't respond, then it just means that
> I'm pondering the solution - but - usually that means I really am
> in over my head (technically).

That was one of the reasons I gave out the whats_up script with the
install/uninstall code.

Installing it as root, bringing a nic down/up allows you to see what a
script in the directory has in its environment.

For instance, when the nic goes down, it can set the mac address
(hwaddress) for the next boot.

The script would base that decision on $MODE, $IFACE, $PHASE

> There's a *lot* I didn't understand in your last post, for example.
> I read it three times. I'll read it 'smore.

Well, if you read anything, over and over, read the results of
man interfaces

Found out xmessage will not run in the network directories/environment.

Here is a new & improved script which also dumps the environment at
a given event.
-------8<-------8<-------8<-------8<-------8<-------8<
#!/bin/bash
#************************************************************************
#*
#* whats_up - logs what is available to script in if down/up directories
#*
#* Install Procedure:
#*     save script as whats_up
#*     chmod +x whats_up
#*     whats_up help   to test, then as root
#*     /wherever/whats_up install_me
#*
#*
#* Now you can bring vpn/ethernet/wireless connections down/up
#* and run "whats_up print_log" to see what environment variables
#* are available for the given event.
#*
#************************************************************************
_exe=$0
_app=$(basename "$_exe")
_args="$*"
_char1=""
_tmp_fn=/var/tmp/$_app.event.$$
_log_fn=/var/tmp/$_app.log            # written by the xxx_whats_up links
_xxx_log_fn=/var/tmp/xxx_$_app.log    # read/cleared when run as whats_up

# array of ?buntu or RedHat type OS networking directories
arr=(
/etc/network/if-up.d
/etc/network/if-down.d
/etc/network/if-pre-up.d
/etc/network/if-post-down.d
/etc/sysconfig/network-scripts/ifup.d
/etc/sysconfig/network-scripts/ifdown.d
/etc/sysconfig/network-scripts/vpn.d/openvpn
/etc/sysconfig/network-scripts/vpn.d/pptp
/etc/sysconfig/network-scripts/vpn.d/vpnc
)

function usage ()
{
    echo -e "\n\t$_app usage"
    # the usage text is the case labels below together with their trailing comment
    while read -r line; do
        _tmp=$(echo "$line" | tr ')#' ' ' )
        echo "$_tmp"
    done < <(grep ') #' "$_exe" | grep -v grep)
    echo "help or ? for usage"
    echo "log file is in $_xxx_log_fn"

    exit 0
} # end function usage

if [ $# -gt 0 ] ; then
    case $1 in
        install_me) # installs /xxx_whats_up links in network directories
            _char1=${_exe:0:1}
            if [ "$_char1" != "/" ] ; then
                echo "
$_app install_me requires a full path name. Example:
$PWD/$_app install_me
"
                exit 1
            fi
            for _ix in ${!arr[*]} ; do
                if [ -d "${arr[$_ix]}" ] ; then
                    if ! ln -sf "$_exe" "${arr[$_ix]}/xxx_$_app" ; then
                        echo "ln -sf $_exe ${arr[$_ix]}/xxx_$_app failed"
                    fi
                fi
            done
            echo "$_xxx_log_fn" > "$_xxx_log_fn"
            date >> "$_xxx_log_fn"
            echo "$_exe installed $_app now bounce a nic"
            exit 0
            ;;
        uninstall_me) # removes /xxx_whats_up links in network directories
            for _ix in ${!arr[*]} ; do
                if [ -e "${arr[$_ix]}/xxx_$_app" ] ; then
                    if ! unlink "${arr[$_ix]}/xxx_$_app" ; then
                        echo "unlink ${arr[$_ix]}/xxx_$_app failed"
                    fi
                fi
            done
            rm -f "$_xxx_log_fn"
            echo "$_exe has uninstalled $_app"
            exit 0
            ;;
        clear_log) # clears log file
            echo "$_xxx_log_fn" > "$_xxx_log_fn"
            date >> "$_xxx_log_fn"
            exit 0
            ;;
        print_log) # prints log file
            cat "$_xxx_log_fn"
            exit 0
            ;;
        help|'?') usage ;;
    esac
else
    _args=" no argument provided"
fi

# reached when called as a hook (xxx_whats_up): record the arguments and
# the full environment for this event, then append them to the log in one go
echo "

$_exe arguments are:
$_args
" >> "$_tmp_fn"
env | sort >> "$_tmp_fn"
cat "$_tmp_fn" >> "$_log_fn"
rm -f "$_tmp_fn"
exit 0

#******************** end whats_up **********************************

Jim Diamond

Dec 12, 2015, 9:57:43 AM
On 2015-12-11 at 03:49 AST, Bit Twister <BitTw...@mouse-potato.com> wrote:
>
> Found out xmessage will not run in the network directories/environment.

What do you mean by 'the network directories/environment' ?

Do you really mean that if xmessage is run without DISPLAY in its
environment it can't create a window? Or, if run by a user which
doesn't have permission to create a window, it doesn't create a
window?

Jim

Bit Twister

Dec 12, 2015, 3:11:40 PM
On Sat, 12 Dec 2015 10:57:41 -0400, Jim Diamond wrote:
> On 2015-12-11 at 03:49 AST, Bit Twister <BitTw...@mouse-potato.com> wrote:
>>
>> Found out xmessage will not run in the network directories/environment.
>

> Do you really mean that if xmessage is run without DISPLAY in its
> environment it can't create a window?

Did not say that, you can always use -display :0
Result is window pop up on whatever "display" is active.

My cron jobs sets DISPLAY=:0 if $DISPLAY is not set.

> Or, if run by a user which doesn't have permission to create a
> window, it doesn't create a window?

The original script had "-display :0" which works in all my root cron jobs.
Because of that I never bothered to run the whats_up as an actual test. :(

> What do you mean by 'the network directories/environment' ?

Network directories is about the directories where scripts reside
which are executed for the given directory event.

Event is whatever the directory is about, up, down,....
Directory name/event are different for a given OS.

Environment is whatever is supplied/available to the script when it is
executed.

Two example snippets from Mageia and Ubuntu.


/etc/sysconfig/network-scripts/ifdown.d/xxx_whats_up arguments are:
enp0s3

_=/bin/env
IFPLUGD_CURRENT=disabled
IFPLUGD_PREVIOUS=up
LANG=en_US.UTF-8
LANGUAGE=en_US.UTF-8:en_US:en
LOCPATH=/etc/locale
PATH=/sbin:/usr/sbin:/bin:/usr/bin
PWD=/etc/sysconfig/network-scripts
SHLVL=4
TEXTDOMAINDIR=/etc/locale
TMPDIR=/tmp
TMP=/tmp


/etc/network/if-post-down.d/xxx_whats_up arguments are:
no argument provided

ADDRFAM=inet
CONNECTION_ID=Wired connection 1
CONNECTION_UUID=135049d2-48de-4edf-ad7f-7b75fc548d12
DEVICE_IFACE=eth0
DEVICE_IP_IFACE=eth0
IFACE=eth0
LOGICAL=eth0
METHOD=NetworkManager
MODE=stop
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PHASE=post-down
PWD=/
SHLVL=1
VERBOSITY=0
_=/usr/bin/env

My argument is the "stealth_me" install_me script drops xxx_stealth_me
links in the event directories. That allows the stealth_me script to
parse $_exe to figure what event is going on, decide if the interface
is one that it is controlling and if so, do whatever is required.

For example, on a down event for wan0, create a new wan0 configuration
file with a new hardware address.

Next wan0 up would be using the new mac address and need for the user
to have ifconfig privileges.

If the interface is tun0 on an down event, shut down the wan0 interface.

When the user wants to bring wan0 back up for a new vpn, he runs
stealth_me new vlan

If stealth_me install_me creates /etc/sudoers.d/stealth_me with something like
#******************************************************************
#
# stealth_me uses sudo to create/destroy dynamic vlan devices, so everyone
# in the "users" group can create/destroy dynamic vlan connections.
#
#******************************************************************

%users ALL=(ALL) NOPASSWD: /local/bin/stealth_me

#****************end /etc/sudoers.d/stealth_me *********************

install_me function might even create a stealth_me group.
That way stealth_me's what_2_do function could do user assignments.

With that in place, the user might do something like
stealth_me new hostname now
would change wan0 mac address, system's hostname and reboot.
No privs needed by the user.
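
One way a single hook body can cope with both conventions shown in the
snippets above, as an added example (not Bit Twister's stealth_me script;
the helper name and passing "$0" as the link path are assumptions):

```shell
#!/bin/sh
# Added example, not stealth_me: normalise the two hook conventions above.
# Mageia's ifup.d/ifdown.d pass the interface as $1; Ubuntu's if-*.d pass
# nothing and set IFACE/PHASE in the environment.
# hook_context <hook-path> [interface-arg] prints "<phase> <interface>";
# a hook linked into the event directories would call: hook_context "$0" "$1"

hook_context() {
    hook_dir=$(basename "$(dirname "$1")")
    iface=$2

    # Interface: positional argument (Mageia), else Debian/Ubuntu variables.
    [ -n "$iface" ] || iface=${IFACE:-${DEVICE_IFACE:-}}

    # Phase: PHASE if set (Debian/Ubuntu), else the directory the link lives
    # in, which both families encode in the directory name.
    case "${PHASE:-}" in
        pre-up|post-up)     phase=up ;;
        pre-down|post-down) phase=down ;;
        *)
            case "$hook_dir" in
                if-pre-up.d|if-up.d|ifup.d)          phase=up ;;
                if-down.d|if-post-down.d|ifdown.d)   phase=down ;;
                *)                                   phase=unknown ;;
            esac ;;
    esac

    # Refuse to act when the interface cannot be determined at all.
    [ -n "$iface" ] || return 1
    printf '%s %s\n' "$phase" "$iface"
}

# A hook built on it only acts on the interfaces it manages, e.g.:
#   ctx=$(hook_context "$0" "$1") || exit 0
#   case "$ctx" in "down wan0") ... ;; "down tun0") ... ;; esac
```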

Bit Twister

Dec 12, 2015, 3:21:25 PM12/12/15
On Sat, 12 Dec 2015 20:09:08 -0000 (UTC), Bit Twister wrote:
> Environment is whatever is supplied/available to the script when it is
> executed.
>
> Two example snippets from Mageia and Ubuntu.
>

Should have mentioned Mageia

> /etc/sysconfig/network-scripts/ifdown.d/xxx_whats_up arguments are:
> enp0s3

Should have mentioned Ubuntu

> /etc/network/if-post-down.d/xxx_whats_up arguments are:
> no argument provided

As you can see, one passes the device on the command line, the other does
not and provides it as an environment variable.


>
> For example, on a down event for wan0, create a new wan0 configuration
> file with a new hardware address.
>
> Next wan0 up would be using the new mac address and need for the user
> to have ifconfig privileges.

That should have been "and NO need for the user"

Mark Bannon

Dec 13, 2015, 2:22:29 AM12/13/15
On Mon, 07 Dec 2015 18:20:44 +0000, Mark Bannon wrote:

Just FYI, I'm not sure *why* but today, transmission and pan were killed,
but, for some reason, firefox remained running.

$ vpnchecker.sh
VPN status: on - tun0: 10.211.1.29
thunderbird is running...
Terminating thunderbird...
thunderbird terminated...
VPN status: off - wlan0: 192.168.1.28
Terminating apps...
transmission is running...
Terminating transmission...
transmission terminated...
firefox is running...
Terminating firefox...
/usr/local/bin/vpnchecker.sh: line 51: kill: 10796
20623: arguments must be process or job IDs
/usr/local/bin/vpnchecker.sh: line 51: kill: 10796
20623: arguments must be process or job IDs
firefox is still running...
VPN status: on - tun0: 10.211.1.129

24 processList=("transmission" "transmission-gtk" "firefox" "pan")
...
48 # This terminates less gracefully but more reliably
49 terminateProcess()
50 {
51 kill $(pgrep $task) && return 0 || kill -9 $(pgrep $task) \
52 && return 0 || return 1
53 }
54

I will try to debug, but I figured I'd report it.

Mark Bannon

Dec 13, 2015, 6:13:14 AM12/13/15
On Sun, 13 Dec 2015 07:22:28 +0000, Mark Bannon wrote:

> I will try to debug, but I figured I'd report it.

I tried a few more times, with Firefox running, and then killing the
VPN on purpose, but I didn't get the same error.

So, sometimes, the kill doesn't work (dunno why).
But, almost all the time, the kill does work.

In fact, the kill kicked in maybe two dozen times since Marek posted
this vpn watching script (yes, I have the double-kill that Marek
suggested later).

Only twice has it *not* killed everything.
Once pan hung, and then I added more kill stuff from Marek.
And once Firefox remained (for some odd reason).

So, it works 99% of the time just perfectly.


Marek Novotny

Dec 13, 2015, 9:06:31 AM12/13/15
Okay, try this and let me know. Otherwise I might have to use an array
on the process IDs if they are showing up multiple times. I don't think
they are, but maybe they are.

change these two functions:

checkProcess()
{
    unset procID
    procID="$(ps aux -e | grep $task | grep -v panel | grep -v grep | awk '{print $2}')"
    # procID may hold several PIDs, one per line, so quote it in the test
    if [ -n "$procID" ] ; then
        return 0
    else
        return 1
    fi
}

terminateProcess()
{
    # unquoted on purpose: each PID becomes a separate argument to kill
    kill -9 $procID
}

-=-=-=-=-=-=-=-=-=-=-=-=-

Full script follows here

#!/bin/bash

#############################################################
#
# script: vpnstatus.sh
# written by: Marek Novotny
# version: 2.6
# date: Sun Dec 13 05:53:00 PST 2015
# purpose: test status of live vpn connection
# : kill torrent if vpn disconnects
# licence: GPL v2 (only)
#
#############################################################

condition=""

sendMessage()
{
    echo "$1"
}

# apps that should be terminated if VPN fails
processList=("transmission" "firefox" "pan")
# apps that should not be running under vpn
restrictedApps=("thunderbird" "slrn")

# check if the process named in the variable task is running or not;
# procID may hold several PIDs, one per line, so it is quoted in the test

checkProcess()
{
    unset procID
    procID="$(ps aux -e | grep $task | grep -v panel | grep -v grep | awk '{print $2}')"
    if [ -n "$procID" ] ; then
        return 0
    else
        return 1
    fi
}

# terminate the given process stored in the variable task
# ($procID is left unquoted so each PID becomes a separate argument)

terminateProcess()
{
    kill -9 $procID
}

# routine to test for processes, report their status and kill them if running

processTerminator()
{
    checkProcess
    if (($? == 0)) ; then
        sendMessage "$task is running..."
        sendMessage "Terminating $task..."
        terminateProcess
        if (($? == 0)) ; then
            sendMessage "$task terminated..."
        else
            sendMessage "$task is still running..."
        fi
    fi
}

# generate a random IP to test ip route against

randomizer()
{
    # keep the IFS change local: a global IFS without a newline would stop
    # the multi-line PID list from splitting into separate kill arguments
    local IFS=' '
    ary=()
    for x in {1..4} ; do
        ary+=($(($RANDOM % 221 + 1)))
    done

    if [[ ${ary[0]} -eq 10 || ${ary[0]} -eq 100 ]] ; then
        randomizer
    elif [[ ${ary[0]} -eq 169 ]] && [[ ${ary[1]} -eq 254 ]] ; then
        randomizer
    elif [[ ${ary[0]} -eq 172 ]] && [[ ${ary[1]} -eq 16 ]] ; then
        randomizer
    elif [[ ${ary[0]} -eq 192 ]] && [[ ${ary[1]} -eq 168 ]] ; then
        randomizer
    elif [[ ${ary[0]} -eq 198 ]] && [[ ${ary[1]} -eq 18 ]] ; then
        randomizer
    else
        addr=$(echo "${ary[@]}" | awk '{print $1"."$2"."$3"."$4}')
    fi
}

# kill apps that should not be running if VPN is connected.
# kills these apps once, if the script is running and the VPN
# tunnel becomes active

vpnOn()
{
    if [[ $condition != "on" ]] ; then
        condition="on"
        echo "VPN status: $condition - ${deviceStatus[0]}: ${deviceStatus[1]}"

        for x in ${restrictedApps[@]} ; do
            task=$x
            processTerminator
        done
    fi
}

# drop apps that should not be running if vpn tunnel fails

vpnOff()
{
    if [[ $condition != "off" ]] ; then
        condition="off"
        echo "VPN status: $condition - ${deviceStatus[0]}: ${deviceStatus[1]}"
        echo "Terminating apps..."

        for x in ${processList[@]} ; do
            task=$x
            processTerminator
        done
    fi
}

randomizer
while true ; do
    # device and source address of the route to the random public address
    deviceStatus=($(ip route get $addr | awk 'NR==1 {print $5,$7}'))
    if [[ ${deviceStatus[0]} == "tun0" ]] ; then
        vpnOn
    else
        vpnOff
    fi
    sleep 1    # poll once a second instead of spinning at full CPU
done

#END
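
As an added example (not from Marek's script), a keyword-based reading of the
`ip route get` reply that the loop above picks apart by field position; the
function names and the sample replies are constructed here:

```shell
#!/bin/bash
# Added example, not part of vpnstatus.sh: take the device and source address
# out of an "ip route get" reply by keyword instead of by position. The
# positional awk '{print $5,$7}' assumes a "via GATEWAY" element; a
# point-to-point tunnel route ("... dev tun0 src 10.8.0.6 ...") has none, so
# $5 would be "src" and the VPN would wrongly be reported as down.
# route_fields <reply-line> prints "<dev> <src>" (src is "-" if absent).

route_fields() {
    local dev="" src="-"
    set -- $1                 # split the reply into words (default IFS)
    while [ $# -gt 0 ]; do
        case "$1" in
            dev) dev=$2; shift ;;
            src) src=$2; shift ;;
        esac
        shift
    done
    [ -n "$dev" ] || return 1 # no "dev" word: no route, treat as not up
    printf '%s %s\n' "$dev" "$src"
}

# vpn_state <reply-line> <vpn-device> prints "on" when the route to the
# probe address leaves through the tunnel device, otherwise "off".
vpn_state() {
    local fields dev
    fields=$(route_fields "$1") || { echo off; return; }
    dev=${fields%% *}
    if [ "$dev" = "$2" ]; then echo on; else echo off; fi
}

# Constructed sample replies (not captured output). The first two reuse the
# tun0/wlan0 addresses reported in the thread; the third is a point-to-point
# tunnel route without a gateway, which the positional parse mishandles.
SAMPLE_VIA_TUN='203.0.113.10 via 10.211.1.1 dev tun0 src 10.211.1.29 uid 1000'
SAMPLE_VIA_WLAN='203.0.113.10 via 192.168.1.1 dev wlan0 src 192.168.1.28 uid 1000'
SAMPLE_P2P_TUN='203.0.113.10 dev tun0 src 10.8.0.6 uid 1000'
```

In the loop it would replace the awk line with `deviceStatus=($(route_fields "$(ip route get $addr | head -n 1)"))`.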

Marek Novotny

Dec 13, 2015, 11:08:13 AM12/13/15
On 2015-12-13, Marek Novotny <marek....@marspolar.com> wrote:

Made a little mistake...

Use this...

checkProcess()
{
    unset procID
    procID="$(ps -e | grep $task | grep -v panel | awk '{print $1}')"
    # quoted: procID may hold several PIDs, one per line
    if [ -n "$procID" ] ; then
        return 0
    else
        return 1
    fi
}

Mark Bannon

Dec 13, 2015, 11:53:02 AM12/13/15
On Sun, 13 Dec 2015 08:08:15 -0800, Marek Novotny wrote:

> Made a little mistake...
>
> Use this...
>
> checkProcess()
> {
>     unset procID
>     procID="$(ps -e | grep $task | grep -v panel | awk '{print $1}')"
>     # quoted: procID may hold several PIDs, one per line
>     if [ -n "$procID" ] ; then
>         return 0
>     else
>         return 1
>     fi
> }

Adding it now.
Will let you know how it works out.
Thanks.

Mark Bannon

Dec 13, 2015, 12:00:31 PM12/13/15
On Sun, 13 Dec 2015 16:53:01 +0000, Mark Bannon wrote:

> Adding it now.
> Will let you know how it works out.
> Thanks.

I added both changes...checkProcess & terminateProcess
