Hi hw,
I had a similar situation in which I travelled. I wanted to lock down the ufw firewall but be able to allow certain IP addresses based on the hotel IP or my cell service IP. To that I developed Perl that would check my smtp account. The script is controlled through a cron job that runs as root. Through email I can send commands to that email address that is set up for my server. I have an INI file with parameters. The script reads that INI each time. I control access to not allow any other outside email from sending commands by using a specific email address in the INI that can send commands. Any other email addresses that attempt to send commands are ignored and it sends me a report if this occurs. In the Perl script I was able to set up things such as allowing certain IPs in ufw, check disk space, run apt to update the server, and even reboot the server.
I don't know if you have access to a SMTP email server or not. Gmail used to allow this type of interaction and allow log ins from scripts, but I believe that they have locked down security to no longer allow that.
I hope this helps.
Tim
-----Original Message-----
From: "hw" <h...@adminart.net>
Sent: Friday, January 12, 2024 7:16am
To: "Perl Beginners" <begi...@perl.org>
Subject: How to reboot?
Hi,
I would like to write a program (daemon) which will be automatically
started by systemd at boot which will allow me to reboot or restart my
computer through commands sent via xmpp. The xmpp part (xmpp client)
and starting that program is no problem.
But how can I reboot/restart the computer from the xmpp client? I
don't want the xmpp client to run as root all the time. I would use
something like
system('shutdown', '-r', 'now');
in the xmpp client, and that does require root privileges. To make
things more complicated, systemd will probably interfere in some ways,
and selinux also may get in the way. So how can I do that?
The background is that some idiots have decided that pressing
Ctrl+Alt+Del doesn't reboot the computer anymore but, at best,
restarts after 60 seconds if I'm logged in to a gnome session or, if
I'm not logged in --- like when the screen saver logged me out --- it
does nothing. It doesn't seem to work when I'm on the console,
either.
That totally sucks when the display remains black and doesn't come
back no matter what you do. In such cases, I still want to be able to
reboot or to shutdown the computer instead of having to hold the power
button until it turns off, and without pressing the reset button.
Preferably, I'd like to get Ctrl+Alt+Del to work again like it should,
but that's probably something we can only dream of these days :(
On Sat, 2024-01-13 at 08:49 -0600, twlewis via beginners wrote:
> Hi hw, I had a similar situation in which I travelled. I wanted to lock down the ufw firewall but be able to allow certain IP addresses based on the hotel IP or my cell service IP. To that I developed Perl that would check my smtp account. The script is controlled through a cron job that runs as root. Through email I can send commands to that email address that is set up for my server. I have an INI file with parameters. The script reads that INI each time. I control access to not allow any other outside email from sending commands by using a specific email address in the INI that can send commands.

How do you verify that the email was actually sent from the sender address which is allowed to send commands? The From: header is irrelevant, and I wouldn't trust Envelope-From: headers either since that can also be faked. Using SPF and/or DKIM might help, and you might have to go to some lengths to check on that.

I'd at least use a list of passwords, known only to your server and to you, so every email you want processed needs to contain the next password on the list to be considered. That's pretty simple to do, and pwgen is your friend :)

Other than that, xmpp is way easier to process than emails, and someone who wants to send something first needs to log into their account with a password. That may be safer than just emails alone. Another advantage is that emails can be delayed whereas xmpp is (supposed to be) instant (and usually is).

> Any other email addresses that attempt to send commands are ignored and it sends me a report if this occurs.

When you use a UUID as the local part of the receiving address, it's somewhat unlikely that anyone but you will send emails to it (unless you publish the address).

> In the Perl script I was able to set up things such as allowing certain IPs in ufw, check disk space, run apt to update the server, and even reboot the server.
> I don't know if you have access to a SMTP email server or not.

I'm running one on my server which relays the emails through the SMTP server of an email provider.

Creating this daemon is really only intended to allow me to reboot/shutdown my workstation when the screen has gone black. That sometimes happens since NVIDIA drivers aren't perfect. Of course, if it gets otherwise locked up, the daemon will also be useful.

The other day I came back to my keyboard right when the display said 'no signal' because the screen saver had just switched it off, and I pressed a button and the display remained switched off. Switching to consoles and back didn't help, switching the display off and back on didn't help either. I couldn't even get a picture on the 2nd monitor (which is usually switched off but things go haywire when switching displays on/off because someone programmed it stupidly so it does unwanted stuff automatically even though the 2nd display is switched off, and the 2nd display usually needs some convincing to work or doesn't work at all when I try to enable it); pressing Ctrl+Alt+Del didn't do anything, the Reset button of my workstation is probably disabled (I need to check that in the BIOS) and at that point, the only thing that remains is to power it off while it's running, which I don't want to do at all. All that is time consuming and annoying and that Ctrl+Alt+Del doesn't work anymore is retarded, and I'm totally pissed and I've had it.

So I created this daemon so I can at least reboot my workstation when things aren't working as they should. I could log in via ssl, but I'd have to set up my laptop for that or the 2nd display and a keyboard for the server which usually aren't connected, so that's also annoying. It's not so difficult to send xmpp messages from a phone or a tablet.

> Gmail used to allow this type of interaction and allow log ins from scripts, but I believe that they have locked down security to no longer allow that.

You could use some dyndns provider like noip, and wireguard to connect to your home network/server from afar. Wireguard is awesome, and what's better than the option of having full access same as if you were at home, or limited access if you want. It sure beats both xmpp and emails.

Or you could directly connect to your xmpp server or email server through wireguard to send commands, which would avoid doing it openly over the internet.

> I hope this helps.
> Tim
On Sat, 2024-01-13 at 17:09 +0000, Tim Lewis via beginners wrote:
> You bring an excellent point about the ability to spoof the email address. In my case the email for the server is not made public, but that is a vulnerability. I will have to read up on pwgen. That sounds like a good authentication that changes like a token number.
It may be the safest way; nobody else would have the passwords and for when someone tries to guess them, you can put a delay to slow them down once an invalid password has been received. If you increase the delay like exponentially for every wrong password received in a row, you "only" risk being disabled yourself until a long delay expires.

Pwgen is a nice program to generate passwords.
> Another approach could be secondary authentication where it sends something to my phone, and then waits for a text response from the phone before executing anything.

Are you able to send something to your phone without using xmpp?

You could have your asterisk call your phone so you can enter a number, and when it's the right number you entered, the processing of the particular email that triggered the call becomes allowed. You could even put the number you have to enter into the email, assuming that nobody who has the number can intercept the call. That way you wouldn't need to use a list of pre-defined passwords.

If you do that, perhaps you might as well call your asterisk yourself directly. Asterisk can verify the caller number and require you to enter a password (a fixed one, or one which you might have sent by email beforehand); after that, it can present you with a menu for the commands you want to get executed and execute them.

Asterisk and xmpp can be a rather powerful combination.
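The one-time password list and exponential delay that hw describes, applied to Tim's allow-listed commands (ufw allow, disk check, reboot), as an added Perl example that is not Tim's script or anything posted in this thread; the password values, command names, message format and in-memory state are constructed assumptions:

```perl
# Added example: one-time password list, exponential backoff after wrong
# passwords, and only allow-listed commands with validated arguments.
# State is in memory here; a cron-driven script must persist it to disk.
use strict;
use warnings;

my @otp_list  = qw(Eeth2ahf Ohv9quai Phah4ohx);  # constructed pwgen output
my $failures  = 0;   # consecutive bad passwords
my $last_fail = 0;   # time of the last bad password

# Each handler returns the argv to execute, or 0 to refuse the argument.
my %commands = (
    'allow-ip' => sub {
        my ($ip) = @_;
        return 0 unless defined $ip
            && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
            && !grep { $_ > 255 } ($1, $2, $3, $4);
        # list-form system() never starts a shell, so $ip cannot inject anything
        return [ 'ufw', 'allow', 'from', $ip ];
    },
    'disk'   => sub { [ 'df', '-h' ] },
    'reboot' => sub { [ 'shutdown', '-r', 'now' ] },
);

# Message format: "<next password> <command> [argument]".
# Returns (argv, 'ok') or (undef, reason).
sub authorize {
    my ($line, $now) = @_;
    my $delay = $failures ? 2 ** ($failures - 1) : 0;   # 0,1,2,4,... seconds
    return (undef, 'backoff') if $now - $last_fail < $delay;
    my ($pw, $cmd, $arg) = split ' ', $line, 3;
    if (!@otp_list || !defined $pw || $pw ne $otp_list[0]) {
        $failures++;
        $last_fail = $now;
        return (undef, 'bad password');
    }
    shift @otp_list;     # a password is valid exactly once
    $failures = 0;
    my $handler = $commands{ $cmd // '' } or return (undef, 'unknown command');
    my $argv = $handler->($arg) or return (undef, 'bad argument');
    return ($argv, 'ok');
}

# Constructed messages with a fake clock (seconds) to exercise every path.
for my $m ([0, 'wrong disk'], [0, 'Eeth2ahf disk'], [2, 'Eeth2ahf allow-ip 203.0.113.256'],
           [3, 'Ohv9quai allow-ip 203.0.113.7'], [4, 'Phah4ohx reboot']) {
    my ($argv, $why) = authorize($m->[1], $m->[0]);
    print "$why: ", ($argv ? join(' ', @$argv) : $m->[1]), "\n";
    # system(@$argv) == 0 or warn "exit $?" if $argv;   # real run, as root
}
```

The second message is refused with "backoff" because it arrives within the one-second delay that follows the first bad password, and the third consumes a valid password but is refused for its out-of-range octet.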