got your dd - shell script "thinking hat" on?

Discussion in 'all things UNIX' started by Palancar, Oct 25, 2016.

  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Stuck here on what should be somewhat easy. What am I missing?

    I set up an executable shell script on my Debian desktop. Right after mounting my Debian host I execute the shell script in a terminal using sudo to accomplish 5-6 steps every day before going down chain and heading to VM's for workspace. The script checks sha256 of the mbr and unallocated space behind the last partition (3 meg or so) and compares the results to a known baseline. The point is to assure nothing sinister (not one byte changes) happens outside of encryption. After confirming those, it executes a complete apt-get (3 steps to update, upgrade, and autoremove). Working perfectly.

    I currently use a manual terminal where I drop ufw to connect to my VPN provider and then immediately enable ufw after connecting. Using the manual terminal this process couldn't be any easier. This firewall step is done between confirmation of the sha256 sums and before connecting the VPN, and then afterwards updating the OS.


    I want to add two additional steps to my script to handle ufw automatically, but it's throwing errors. Let's just say that I want to write a shell script with the ufw steps only. As below:

    #! /bin/sh
    sudo ufw disable
    read -p "*** press Enter -- Firewall DOWN - Connect to VPN ***" nothing
    sudo ufw enable
    read -p "*** press Enter-- FIREWALL UP ***" nothing

    Let me again repeat that doing this manually of course takes seconds and always works, but if I can add these two steps to my script, which is already running and with sudo also already running, then it becomes somewhat automatic and easier. I like easy and quick and not having to re-enter sudo credentials again into the manual terminal.

    When I enter those commands above (excluding #! /bin/sh obviously) into my script it throws the errors pasted below.

    paste:

    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/ufw/util.py", line 412, in under_ssh
        ppid = get_ppid(pid)
      File "/usr/lib/python3/dist-packages/ufw/util.py", line 406, in get_ppid
        return int(ppid)
    ValueError: invalid literal for int() with base 10: 't)'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/sbin/ufw", line 108, in <module>
        not ui.continue_under_ssh():
      File "/usr/lib/python3/dist-packages/ufw/frontend.py", line 850, in continue_under_ssh
        if self.backend.do_checks and ufw.util.under_ssh():
      File "/usr/lib/python3/dist-packages/ufw/util.py", line 441, in under_ssh
        return under_ssh(ppid)
      File "/usr/lib/python3/dist-packages/ufw/util.py", line 441, in under_ssh
        return under_ssh(ppid)
      File "/usr/lib/python3/dist-packages/ufw/util.py", line 419, in under_ssh
        raise ValueError(err_msg)
    ValueError: Couldn't find parent pid for '2133'

    end paste.

    I am wondering if there is some terminal command line or code I could enter to permit me to re-enable UFW from within my shell script. The UFW firewall drops (disable) perfectly. Then I connect to my VPN, but when I use the script terminal to enable UFW the above errors fly. BTW the "read -p" command causes the script/terminal to pause until I hit Enter so that I can confirm things as the processes move along in my script.

    It's strange to me that the "enable" command is highlighted in the script, while the "disable" command is not. Why?? There is no difference when using the terminal manually of course.

    The PID thing is slightly outside of my area of expertise. I wonder if it would help to kill sudo after dropping ufw and then re-authorizing by typing in my sudo credentials to enable ufw? Don't know if that manual step would re-establish anything PID related? Again, PID is over my head.

    I'll bet this may be simple for some of you but I am missing something here. Any ideas??
     
    Last edited: Oct 25, 2016
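Editor's added example, not from the thread and not ufw's own code, of what the traceback above is complaining about. The value handed to int() ends in ')', and on a /proc/<pid>/stat line the ')' closes the comm (process name) field; so the parent-pid lookup in ufw's under_ssh() split the line on whitespace, expected the fourth token to be the parent pid, and instead got a fragment of a process name that contains spaces (for a "#!" script the kernel uses the script's file name as its comm, truncated to 15 bytes). That walk up the process tree is only done for `enable`, to decide whether to ask the "may disrupt existing ssh connections" question, which is why `disable` never trips it. The functions below show the naive parse beside the robust one on constructed sample lines; the pids and names are made up for the example.

```sh
#!/bin/sh
# Added example (editor's, not from the thread or from ufw): how a ppid lookup
# on /proc/<pid>/stat goes wrong. The line reads
#   pid (comm) state ppid ...
# comm is the executable name, or for a "#!" script the script's file name,
# and it may contain spaces and parentheses. Splitting on whitespace and taking
# the 4th token silently assumes it does not.

# Constructed sample lines (not captured from a real system).
STAT_PLAIN='2133 (sh) S 2100 2133 2100 34816 2133 4194304 1 0 0 0 0 0 0 0'
STAT_SPACES='2133 (dd check script) S 2100 2133 2100 34816 2133 4194304 1 0'

# Naive parse: 4th whitespace-separated token. Right only when comm has no
# spaces; with "dd check script" it yields "script)", and int("script)") fails
# exactly like int("t)") in the traceback.
ppid_naive() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# Robust parse: discard everything up to the LAST ") " (nothing after comm
# can contain ")"), then the fields are fixed: $1=state $2=ppid.
ppid_robust() {
    rest=${1##*\) }
    set -- $rest
    printf '%s\n' "$2"
}

# Same anchoring for comm itself (what under_ssh compares against "sshd").
comm_of() {
    c=${1#*\(}
    c=${c%\)*}
    printf '%s\n' "$c"
}

# Walk the real parent chain as under_ssh does, with the robust parser:
# prints "pid comm" for each ancestor up to pid 1. Linux only.
ancestors() {
    pid=${1:-$$}
    while [ "$pid" -gt 1 ] && [ -r "/proc/$pid/stat" ]; do
        line=$(cat "/proc/$pid/stat")
        printf '%s %s\n' "$pid" "$(comm_of "$line")"
        pid=$(ppid_robust "$line")
    done
}
```

Given the above, two ways out: give the script (and anything else in its parent chain) a file name without whitespace, or run `ufw --force enable`, which skips the interactive may-disrupt-ssh check that performs this walk. The second is the usual choice for non-interactive use, with the understanding that it also suppresses that safety prompt.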
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Some of that is over my head. But why not just tweak your ufw rules to allow connections to your VPN server(s)? Also, why not just have the VPN connect at bootup?
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Are you using OpenVPN?
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    My vpn1 varies among well over 100 servers. That is too many IPs to list in the firewall, assuming I even wanted (I don't) my machine to head towards the vpn1 server automatically. I operate on the assumption that ALL devices on my LAN are hostile. That may seem extreme but in truth my network has a dozen devices, which if I am being honest, I don't truly control. Therefore, while using the computer in question here, my notion is that iptables (set via UFW's frontend) should be set so that ONLY tun0 can ever get in or out of this computer while I am using it. I drop UFW, connect, and then raise UFW specifically eliminating all traffic excluding tun0. In addition to controlling my WAN experience, this also makes this device invisible (won't even respond to pings) regarding other LAN devices. Even if my router is completely compromised it will never get inside of tun0. The liability is that even the wireless printer cannot be seen by this computer, and I keep it that way intentionally. Hope this all makes sense.

    I do NOT auto-connect at bootup on purpose. I realize I didn't paste my entire shell script above. The first thing the script does (after booting the HOST and before any networking/chaining) is to sha256 the disk MBR and the unallocated space behind the final partition (I did a /dev/urandom of that unallocated space in the past). Then a quick comparison of those sha256's to saved baseline copies of the same. In other words; I am going nowhere until I am certain all space outside of my encrypted partitions has had no one byte changed. It may sound over the top but skilled adversaries deal in those little spaces and my counter is to assure they haven't been in there. It's just what I do! The linux /boot files (not encrypted) are on a removable usb, and that is extracted before I ever get to any workspace so it stays clean.

    I realize the above sounds like a lot but the script runs in a few seconds, and I can know every single non-encrypted byte has been left unchanged. Comfort is the byproduct. After I have that certainty, I connect, firewall, and move to vpn2's VM, and on to Tor, etc.... The HOST sees no workspace ---- EVER.


    So my original question remains unanswered. For now I am using two terminals - my shell script terminal, and the manual terminal to "toggle" UFW. It would make it convenient to include UFW in the shell script but it "errors" on me when I do. Not a biggie, just trying to learn some code here. Open to others' thoughts.
     
    Last edited: Oct 26, 2016
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    If you ask me I would not invoke sudo from inside the script. I would do it when running the script.
    Also full path for everything, no aliases, no environment variables.
    Mrk
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, so what would you do if the checksums failed?
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I would treat that metaphorically the same as a warning instrument flag on my car. Specifically, if that happened today when I booted my system, I wouldn't be here on this machine just yet. In that instance before taking my computer online even to connect to the vpn, I would stop and do diagnostics - locally. I would immediately know where the change happened; either in the mbr, or the only other option would be the unallocated space resident behind the final encrypted partition. The two separate checksums generated would isolate that for me. A quick WinHex comparison would show the exact byte that was for whatever reason toggled. Since this has never happened yet, I can only surmise how many bytes would be changed. Any adversary that broke out of a VM two links down in a pretty solidly bridged chain would need to manipulate more than one byte to accomplish very much.

    You know linux pretty well and there should be NO change in the areas I am querying via script. Reminding you that my /boot is not present on the hard disk and that of course does change when the OS updates images, etc..... needed to mount the proper kernels, etc... BUT as noted above; those precious /boot files are not available because the usb is extracted long before I head down the chain to anything "workspace" related. Those couldn't be any safer sitting absent a connection, LOL! Additionally, I went this route because all the encrypted partitions are actually independent OS's, one being Windows 10 (rarely used). Each OS has a separate bootable USB to mount that system. The Linux ones use /boot and Win uses Grub4Dos with the needed files. So my MBR on this disk platter should not and for now does not change. I just want my script to verify it before I take the computer "out on the highway"!!

    I do keep flawless sector based backups and in candor if something changed, which I could not explain, I would literally blow away the changed area's contents and write back the known/proven image and go from there. If it happened twice I would blow away the suspected OS's partition contents and restore that OS from sector image too. Hasn't happened yet so it's theory for now. I keep my chain tight and snapshot workspace VM's back to CLEAN often.
     
    Last edited: Oct 27, 2016
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402

    Would you care to elaborate on that some?

    Every task performed by my shell script requires/uses a command that only sudo can execute. e.g. the first command directs dd to generate the file MBR-today (copy of the currently present 512-byte file) and place it in a folder location on my user. Then checksum that file and proceed down script to the next step (command).
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    What you're doing is you're effectively spawning a sub-shell that runs with different privileges from the parent program. This can be fine, but it may in some cases result in weird errors. Scripting languages are not perfectly suited for the whole real, effective uid changes, and you do not know 100% if your entire user environment is correctly preserved during your script execution (you can grab it with env at each step and compare). Again, most of the time this won't affect you, but I've seen a few odd cases where seemingly random things wonk up and it takes a lot of digging figuring out the tiniest of differences.

    My recommendation is you execute the entire (maintenance) script with sudo from your shell - after all, that's the idea.

    As for full path, do not just use <command> or whatever, use /bin/<command> or /usr/bin/<command>, so you always know what runs, and it is not affected by your current working directory or path. If your path includes your home dir as a first entry and you have a custom-compiled program there, invoking it by name rather than full path will run it instead of the expected system tool, leading to potentially unknown results. Aliases and environment variables are also dangerous as they may change or be empty, and this could lead to big problems in your execution.

    You should make sure your scripts are as deterministic as possible. ALWAYS validate your commands. If there's any way the system could misinterpret the output, change it, and add if/then checks to make sure nothing wrong happens. You want to create a directory? Check it exists. Want to delete it? Check it exists. Check it's empty. Check permissions. Log your output (to a log file, using tee). Want to enable firewall - check it's not already enabled. Check if the ruleset is valid. Check the exit code from commands before moving on to the next step that expects the previous command to have completed.

    Mrk
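Putting the advice in this post together with the procedure described in the first post (dd the MBR and the trailing unallocated space, compare sha256 to a baseline, drop ufw around the VPN handshake, then apt-get), here is an editor's added example of the daily check as one script run under sudo once, with a fixed PATH, exit-code checks, state checks around ufw, and a log. It is not the poster's script and not ufw's or Debian's code. The disk, the sector range of the trailing unallocated space, the baseline directory and the log path are assumptions to replace with your own layout; the tun0-only policy function is the editor's rendering of the policy described above.

```sh
#!/bin/sh
# Editor's added example of the daily check as one deterministic script run as
# root ("sudo ./daily-check.sh run"). NOT the poster's script. Disk, sector
# ranges and paths are placeholders (assumptions) to replace with your own.
set -eu
PATH=/usr/sbin:/usr/bin:/sbin:/bin   # fixed PATH: no home dir, no aliases

DISK=${DISK:-/dev/sda}                          # assumption: the host disk
BASELINE_DIR=${BASELINE_DIR:-/root/baseline}    # holds <name>.sha256 files
LOG=${LOG:-/var/log/daily-check.log}
TAIL_START=${TAIL_START:-1953519616}            # assumption: first unallocated sector
TAIL_SECTORS=${TAIL_SECTORS:-6144}              # 3 MiB of trailing space

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" | tee -a "$LOG"; }

# sha256 of a sector range. dd writes to a temp file first so its exit status
# is checked by set -e; in plain sh a pipe would hide a dd failure.
region_sha256() {   # dev start_sector sector_count
    tmp=$(mktemp)
    dd if="$1" of="$tmp" bs=512 skip="$2" count="$3" 2>/dev/null
    sum=$(sha256sum "$tmp" | awk '{ print $1 }')
    rm -f "$tmp"
    printf '%s\n' "$sum"
}

# Compare a region with its recorded baseline; non-zero on mismatch.
# A missing baseline file aborts the script (set -e) rather than passing.
verify_region() {   # name dev start_sector sector_count
    want=$(cat "$BASELINE_DIR/$1.sha256")
    got=$(region_sha256 "$2" "$3" "$4")
    if [ "$got" = "$want" ]; then
        log "OK   $1 $got"
    else
        log "FAIL $1 expected $want got $got"
        return 1
    fi
}

ufw_state() { ufw status | awk 'NR == 1 { print $2 }'; }   # active | inactive

# One-time rendering of the policy described in the thread: only tun0 talks,
# in either direction. Apply at setup, not daily.
tun0_only_policy() {
    ufw default deny incoming
    ufw default deny outgoing
    ufw allow in on tun0
    ufw allow out on tun0
}

# Lower the shield only if it is up, wait for the VPN, refuse to leave it down
# without tun0, and verify ufw's state after each transition.
firewall_cycle() {
    [ "$(ufw_state)" = active ] || { log "ufw not active; aborting"; return 1; }
    ufw disable
    log "ufw disabled; connect the VPN"
    printf '*** press Enter once tun0 is up *** '
    read -r dummy
    if ! ip link show tun0 >/dev/null 2>&1; then
        log "tun0 absent; re-enabling ufw without VPN"
        ufw --force enable
        return 1
    fi
    # --force skips ufw's interactive "may disrupt ssh" prompt, whose
    # parent-pid walk is what raised the traceback in the first post.
    ufw --force enable
    [ "$(ufw_state)" = active ] || { log "ufw did not come back up"; return 1; }
    log "ufw active"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo $0 run" >&2; return 1; }
    verify_region mbr "$DISK" 0 1                           # the 512-byte MBR
    verify_region tail "$DISK" "$TAIL_START" "$TAIL_SECTORS"
    firewall_cycle
    apt-get update && apt-get -y upgrade && apt-get -y autoremove
}

# Functions only unless invoked with "run", so the file can be sourced or tested.
if [ "${1:-}" = run ]; then main; fi
```

Record the baselines once from a state you trust, e.g. `region_sha256 /dev/sda 0 1 > /root/baseline/mbr.sha256` and the same for `tail`, then run `sudo ./daily-check.sh run` each day. Every step either logs OK and continues or logs FAIL and stops before the VPN is touched, which is the point of the ordering in the first post.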
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @Palancar

    OK, but please say more about the risks of connecting the VPN automatically. I mean, if you're concerned about malware phoning home, just keep the system entirely offline until checksums verify. Then bring the network up, and connect the VPN. Allowing output to numerous IPs isn't a problem for iptables.
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Now that is an intriguing thought, as opposed to my running the current sub-shell. Hmmmmm??

    I will do some reading about this so that I can better "visualize" why this may be the way to go. Let's jump back to those two simple steps and I'll paste them below as examples. These will be just two of several commands executed but my understanding with just these two will get me started in the right direction.

    sudo ufw disable
    read -p "*** press Enter -- Firewall DOWN - Connect to VPN ***" nothing
    # I then connect the VPN client
    sudo ufw enable
    read -p "*** press Enter-- FIREWALL UP ***" nothing


    I can get the Path but my questions concern how to do these commands at the shell level (as opposed to an executable shell script). This is going to be some great reading and it might help with some other things I do using shell script approaches as well. As you mentioned, they almost always work but sometimes for reasons that evade me they just don't!!


    I should have tried something before I left home. I am now wondering about pasting in my commands directly into a terminal as opposed to calling out #! /bin/sh. That would be interesting if it all worked by using that approach.
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402

    Agreed, BUT:

    I used to go that route but now my VPN1 provider has a huge number of servers and frankly I do rotate (manually select one) from a list using a great Linux client. I don't want to maintain a list of > 100 server IPs. You know, two more added today, while one or two get discontinued, etc...... kind of thing. The client handles it automatically while I only need to drop the UFW shield and then raise it after connection.

    In fact the client will protect from a connection break, but once again I never trust my true IP to someone else's work. I decided long ago to write my own firewall for this purpose.

    We are in agreement. I just don't want the IP log maintenance.
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    You may get different results if you run it interactive, via cron, on login, etc.
    This is why there's a lot of magic in being pedantic and deterministic!
    Mrk
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @Palancar - OK, got it. I didn't realize that you were using a custom VPN client.
     