The first time spam pisses me off

There seems to be a new method to extract money via spam. This is the mail I got today:

Hi there.

I hope you will not really mind my english language sentence structure, because im from Germany. I toxified your gadget with a malware and now have your private information out of your os.

It previously was installed on a mature web site and then you’ve selected the video clip and it, my software quickly got into your os.

After that, your camera captured you going manual, furthermore i captured a footage that you have viewed.

Soon after a short while in addition, it picked up every one of your device contact information. If you ever wish me to get rid of your all that i have – transfer me 840 euros in bitcoin it is a cryptocurrency. It is my wallet address: 1K5CPpzHABZ7JXYDC7JRjok2a2FAerks6L

At this point you have 21hours. to make a decision The minute i will get the transfer i will eliminate this evidence and every thing thoroughly. Otherwise, please remember that this evidence is going to be forwarded to your friends.

I like how the domain it comes from is registered with an organization called “Volatile Game Cult”, and the IP it came from is of course Russian and I guess the wallet was opened just for this e-mail since it has no transactions yet.

I wonder what I can do because reporting it to the authorities will do exactly nothing I guess. I kind of dare to answer with something like “lol” and wait for the response. But should I do that or are there any dangers that might come with it? Mmm…

There is a flatpak for signal-desktop. Thus it can also be used on Fedora, for example:

flatpak --user install --from https://flathub.org/repo/appstream/org.signal.Signal.flatpakref

You cannot migrate your data from the Chrome-App though.

A Declaration of the Independence of the Cyberspace

John Perry Barlow (1947–2018):

Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.

We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.

Read the full declaration on the site of the EFF.

Script to “centralize” checking for updates on FreeBSD

I have to administrate several FreeBSD servers and I need to know which of them need updates. Even though I have a poudriere running, I also have a local ports tree on the machines, because they either are not migrated to the poudriere yet or there was some reason to have a locally compiled package.
Now I want to know daily which servers need package updates and whether any server has packages with known CVEs. Thus I update the index of the ports tree daily with the following cronjob for root:

0 3 * * * portsnap -I cron update

I have several “classes” of servers, thus I want mails for every class of server. For each class I have a cronjob like this in my personal crontab (or you could put it on one of your servers):

0 6 * * 1-5 /usr/local/scripts/check_for_updates.sh class1

The user needs to be able to log into each server with an ssh key.


#!/bin/sh
# Collect "pkg version" and "pkg audit" results from every server of one
# class and mail them. The class name is the only argument.

TMPFILE=$(mktemp) || exit 1

case "$1" in
class1)
  SERVERS="server1 server2"
  MAILADDRESS="my@mailaddress.foo"
  ;;
class2)
  SERVERS="server3 server4 server5"
  MAILADDRESS="my@mailaddress.foo"
  ;;
private)
  SERVERS="privateserver1 privateserver2"
  MAILADDRESS="myprivate@mailaddress.foo"
  ;;
*)
  echo "usage: $0 class1|class2|private" >&2
  rm -f "$TMPFILE"
  exit 1
  ;;
esac

for i in $SERVERS; do
  echo "$i:" >> "$TMPFILE"
  # A failed ssh or pkg run must not be mistaken for "no updates".
  if ! versions=$(ssh -n "$i" "pkg version"); then
    echo "$i: could not run pkg version" >> "$TMPFILE"
    continue
  fi
  # Lines marked "<" are installed packages older than the ports index.
  outdated=$(printf '%s\n' "$versions" | grep '<')
  if [ -n "$outdated" ]; then
    update_count=$(printf '%s\n' "$outdated" | wc -l | tr -d ' ')
    echo "$i needs $update_count updates" >> "$TMPFILE"
    printf '%s\n' "$outdated" >> "$TMPFILE"
    echo "" >> "$TMPFILE"
    echo "" >> "$TMPFILE"
    # Installed packages with known vulnerabilities.
    ssh -n "$i" "pkg audit" >> "$TMPFILE"
  else
    echo "$i needs no updates" >> "$TMPFILE"
  fi
  echo "" >> "$TMPFILE"
  echo "" >> "$TMPFILE"
done

mail -s "$1 update status" "$MAILADDRESS" < "$TMPFILE"
rm -f "$TMPFILE"


Blacklistd and pf on FreeBSD

In FreeBSD 11.0 a new daemon called blacklistd was delivered in base that helps to blacklist IPs after unsuccessful logins. Its advantage over fail2ban: it works with IPv6 and it is part of base. Its disadvantage is that, as far as I understand it, applications have to be linked against blacklistd so that they can work with it.

With the recently released FreeBSD 11.1, sshd got linked against blacklistd. Therefore there is a new option in sshd_config: UseBlacklist. By default it is set to no. Uncomment it, set it to yes and then reload sshd.

The config is in /etc/blacklistd.conf. Usually you define blocking rules in the [local]-section and whitelisting in [remote]. The sample file and the man page are good enough to explain that part.

In addition you need to start the blacklistd-service and enable it in rc.conf or even better in a file in /etc/rc.conf.d.

In /etc/pf.conf you need to add the following line:

 anchor "blacklistd/*" in on $ext_if

Then you need to reload pf with the new rule:

 pfctl -f /etc/pf.conf

Now blocking should already work. To get the blocked IPs use the following command:

 blacklistctl -b

If there are IPv6 addresses blocked, you need to add -w, so it is then:

 blacklistctl -bw

If you want to unblock an IP you can look into the tables with pfctl. To see for example the table for sshd, the command is:

 pfctl -a blacklistd/22 -t port22 -T show

Now let’s say you want to unblock the IP 23.23.23.23, then you could issue a:

 pfctl -a blacklistd/22 -t port22 -T delete 23.23.23.23

This will remove the IP from the table and it is now unblocked. blacklistctl will still show the IP as blocked, though. But if the IP tries again to log in and fails often enough, it will get blocked again.
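As an added example (not from the original post), a small sh wrapper around the unblock step above: it derives the anchor and table names the way the post shows them (blacklistd/<port> and port<port>) and accepts only a plain IPv4 or IPv6 literal before anything is handed to pfctl. PFCTL is an assumed variable so the command can be dry-run with PFCTL=echo on a machine without pf.

```shell
#!/bin/sh
# Added example, not the post's own code: unblock one address from the pf table
# that blacklistd keeps for a port. PFCTL is an assumption for dry runs (PFCTL=echo).
PFCTL="${PFCTL:-pfctl}"

# Names as the post shows them: port 22 -> anchor "blacklistd/22", table "port22".
bl_anchor() { printf 'blacklistd/%s\n' "$1"; }
bl_table()  { printf 'port%s\n' "$1"; }

# Accept only a bare IPv4 (dotted quad, octets 0-255) or IPv6 (hex and colons)
# literal. The IPv6 check is deliberately loose; pfctl rejects anything malformed.
bl_valid_addr() {
  addr=$1
  case "$addr" in
    ''|*[!0-9a-fA-F:.]*) return 1 ;;   # empty, or characters no address contains
    *:*) return 0 ;;                   # IPv6 literal
  esac
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# bl_unblock PORT ADDRESS: validate both, then delete the address from the table.
bl_unblock() {
  port=$1; addr=$2
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
  bl_valid_addr "$addr" || { echo "bad address: $addr" >&2; return 2; }
  "$PFCTL" -a "$(bl_anchor "$port")" -t "$(bl_table "$port")" -T delete "$addr"
}

# From the command line: sh bl_unblock.sh 22 23.23.23.23
if [ $# -eq 2 ]; then
  bl_unblock "$1" "$2"
fi
```

As the post notes, blacklistctl keeps listing the address after this; only the pf table entry is gone.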

Some plaintext-productivity love with Taskpaper

I finally got my plaintext todo system together. It was a bit cumbersome because I did not want to and could not use Dropbox, but it works now. The problem is that some of my machines run FreeBSD or OpenBSD, and all the plaintext-productivity apps on iOS require either Dropbox or iCloud[1]. I have a Nextcloud, but the Nextcloud client on iOS does not really integrate into iOS, and nearly no one offers to sync with anything other than iCloud or Dropbox on iOS.

But there is a really good git client on iOS: Working Copy. And there is a really good markdown editor that also has Taskpaper support and, with some workarounds, integrates with Working Copy: Editorial[2].

The final piece that was missing were reminders that work somehow automagically. There is a way to create iOS reminders in Editorial from Taskpaper files, but I would need to run a workflow in Editorial manually to create them. And I wouldn’t get a mail in the morning with a summary of tasks that are due, overdue etc. But I now have some scripts and cronjobs which create the mail and send out push notifications via Pushover[3].

How does it work?

I created a git repo on my server and have it checked out on my clients and in the home directory of my user on the server. When I change something on the clients, I commit and push to the server. On the server there is a cronjob in the crontab of my user running every minute to pull the repo. Additionally there is a cronjob running a Python script that checks if a task has an alarm set. If one is set, it sends the task as a message to Pushover, which sends a push notification to my iPhone. At 4 am there is an additional cronjob that runs a script which generates a summary mail and sends it to me via e-mail.

The scripts expect the following tags, so that they can work:

  • @today or @due[YYYY-MM-DD]
  • @alarm[YYYY-MM-DD HH:MM]

The basis is the Taskpaper parser from GitHub user kmarchand. My push script is a derivative of that script[4]:

from datetime import datetime, timedelta
from collections import namedtuple
from dateutil import parser
import sys
import re
import httplib
import urllib

tpfile = sys.argv[1]

with open(tpfile, 'rb') as f:
    tplines = f.readlines()

Flagged = namedtuple('Flagged', ['type', 'tasktime', 'taskdate', 'project', 'task'])
flaglist = []
errlist = []

project = ''

# Collect every open task carrying an @alarm(...) tag, remembering its project.
for line in tplines:
    try:
        if '@done' in line:
            continue
        if ':\n' in line:
            project = line.strip()[:-1]
        if '@alarm' in line:
            alarmtag = re.search(r'\@alarm\((.*?)\)', line).group(1)
            tasktime = datetime.time(parser.parse(alarmtag))
            taskdate = datetime.date(parser.parse(alarmtag))
            #print(tasktime)
            #print(taskdate)
            flaglist.append(
                    Flagged('alarm', tasktime, taskdate, project, line.strip()))
    except Exception as e:
        errlist.append((line, e))

today = alarm = overdue = duethisweek = startthisweek = None
today_date = datetime.date(datetime.now())
today_time = datetime.time(datetime.now())
time_tmp = datetime.now() - timedelta(minutes = 1)
today_time_less1min = time_tmp.time()

# Cron runs this every minute, so only alarms that fell into the last minute fire.
for task in flaglist:
    if task.type == 'alarm' and today_date == task.taskdate and today_time > task.tasktime and today_time_less1min < task.tasktime:
        alarm = True
        #print '\t[%s] %s' % (task.project, task.task)
        conn = httplib.HTTPSConnection("api.pushover.net:443")
        conn.request("POST", "/1/messages.json",
          urllib.urlencode({
            "token": "APP-Token",
            "user": "User-Token",
            "message": task.project + " " + task.task,
          }), { "Content-type": "application/x-www-form-urlencoded" })
        conn.getresponse()
if not alarm:
    print '\t (none)'

It is simple, it could be probably far more elegant but it works for me™.

In addition there is a simple shell script[5]:

#!/bin/sh
# Use a private temporary file instead of a fixed, predictable path in /tmp.
TMPFILE=$(mktemp) || exit 1
/usr/local/bin/python2 /home/user/python/tpp.py /home/user/taskpaper/Work.taskpaper > "$TMPFILE"
/usr/local/bin/python2 /home/user/python/tpp.py /home/user/taskpaper/Personal.taskpaper >> "$TMPFILE"
mail -s 'Your Daily Taskpaper Summary' my@mailaddress.org < "$TMPFILE"
rm -f "$TMPFILE"

And here is my crontab:

* * * * * /bin/sh -c 'cd ~user/taskpaper && /usr/local/bin/git pull -q origin master' >> ~/git.log
* * * * * /usr/local/bin/python2 /home/user/bin/tpp_alarms.py /home/user/taskpaper/Work.taskpaper
* * * * * /usr/local/bin/python2 /home/user/bin/tpp_alarms.py /home/user/taskpaper/Personal.taskpaper
0 4 * * * /home/user/bin/taskpaper_mail.sh

Since I am running FreeBSD on my server I have to rely on a crontab and cannot use systemd-timers.

On my computers I am an avid vim-user and I use taskpaper.vim for having syntax highlighting and some additional shortcuts for marking tasks as done or today etc.

In Editorial I use the Working Copy-workflow.

It is all very simple and not very elegant. But it works and brings me the functionality I was missing from using apps like Todoist or, on the “local” level, Taskmator. And everything runs on my own machines except the delivery of the push notifications. But the only way to have my own solution there would be to develop an iOS app, because there is no other way to get push notifications onto an iOS device. And if I should switch back to Android at any point, I can still use Pushover. If Pushover goes down, I hope there are alternatives… 😉
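As an added example (neither the author's scripts nor kmarchand's parser), here is the due/overdue classification the summary mail is built from, done in sh and awk so it can run from the same FreeBSD crontab: it reads a Taskpaper file, skips @done tasks, and reports tasks tagged @today or whose @due(YYYY-MM-DD) date is today or already past. The date is passed as an argument so the run is reproducible, and the sample file is constructed here.

```shell
#!/bin/sh
# Added example, not the post's code: summarise due and overdue tasks in a Taskpaper
# file using the tags the post's scripts expect (@today, @due(YYYY-MM-DD), @done).

# tp_summary FILE DATE: print one line per open task that is due on DATE (TODAY)
# or before it (OVERDUE). DATE is YYYY-MM-DD, so plain string comparison orders it.
tp_summary() {
  awk -v today="$2" '
    /@done/ { next }                               # finished tasks never show up
    /^[ \t]*- / {                                  # a task line starts with "- "
      task = $0
      sub(/^[ \t]*- /, "", task)
      gsub(/ @[a-z]+(\([^)]*\))?/, "", task)       # strip tags from the task text
      if (match($0, /@due\([0-9-]+\)/)) {
        due = substr($0, RSTART + 5, RLENGTH - 6)  # the date inside @due(...)
        if (due < today)       printf "OVERDUE %s [%s] %s\n", due, project, task
        else if (due == today) printf "TODAY [%s] %s\n", project, task
      } else if ($0 ~ /@today/) {
        printf "TODAY [%s] %s\n", project, task
      }
      next
    }
    /:[ \t]*$/ {                                   # a project line ends with ":"
      project = $0
      sub(/^[ \t]*/, "", project)
      sub(/:[ \t]*$/, "", project)
    }
  ' "$1"
}

# Constructed sample Taskpaper file, written to the given path (not real data).
tp_sample_file() {
  cat > "$1" <<'EOF'
Work:
  - Write report @due(2017-08-01)
  - Old thing @due(2017-07-20) @done(2017-07-21)
  - Forgotten @due(2017-07-25)
Personal:
  - Call mom @today
  - Plan trip @due(2017-09-01)
EOF
}

# From cron: tp_summary /home/user/taskpaper/Work.taskpaper "$(date +%Y-%m-%d)"
```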


  1. To be honest, I do not understand why so many iOS-apps expect a Mac on the desktop. Do so many iOS-owners also own a Mac? I would expect that most actually own a Windows-machine

  2. It does not integrate as Textastic but that might come in the future

  3. I use Pushover because our Icinga2, the monitoring system we use at work, already uses pushover to send notifications when an alert is coming up.

  4. Please forgive me since I am not very knowledgeable in the arts of programming and just hacked around to get a works-for-me thing

  5. I am running it on my FreeBSD-server, thus the path to python is /usr/local/bin/python2 – when you are running Linux the path is probably /usr/bin/python2

OpenVPN, pf and alias-IP-adresses

Recently I had to build an OpenVPN server on a FreeBSD machine that already uses port 443. But I wanted to use port 443 because its reachability is usually guaranteed. So I added a second IP address to the interface. Let’s say for this example the addresses are 10.10.10.1 and 10.10.10.2[1]. Then I followed the few hints I found on the net for NATing through the interface. Since it is FreeBSD and I have pf available, I use it of course. And after that I opened up certain hosts to 10.10.10.2 on the other hosts.

What is the rule you find when you google?

nat on $ext_if inet from $vpn_clients to any -> $ext_if

ext_if is your interface to the outside world, in my case the one with the two IP addresses. $vpn_clients is the OpenVPN network[2].

And then I was in for a surprise. When I connected to the VPN and then tried to ssh to the hosts I wanted to reach through the NAT, the following happened: ssh host1 – connection denied, ssh host1 – please log in. If I waited a short moment instead of trying to connect immediately a second time, the connection was denied again. And some other strange behavior like that was observable.

What happened? FreeBSD NATed through either address 1 or address 2, alternating all the time, but never consistently through the same one.

What you can do is define the address for the NATing you want to rewrite to. So it becomes:

nat on $ext_if inet from $vpn_clients to any -> $vpn_nat_ip

In this case vpn_nat_ip is 10.10.10.2.

Another side note: you don’t want to add a second interface for the second IP address, but use an alias IP on the first network card. Otherwise you have to start using routing tables etc. to get your traffic moved correctly through your system.


  1. Yes, I know…the original host has routable addresses there

  2. by default 10.8.0.0/24

Current state: looking into a book about shell scripts and I wonder which shell they use. sh or do I need bash? How about other shells?

TIL: the Debian-installer calculates in base 10 and fdisk in base 2. Why Debian, why?