On Sat, 2024-01-13 at 08:49 -0600, twlewis via beginners wrote:
> Hi hw, I had a similar situation in which I travelled. I wanted to
> lock down the ufw firewall but be able to allow certain IP addresses
> based on the hotel IP or my cell service IP. To do that I developed
> Perl that would check my smtp account. The script is controlled
> through a cron job that runs as root. Through email I can send
> commands to that email address that is set up for my server. I have
> an INI file with parameters. The script reads that INI each time.
> I control access to not allow any other outside email from sending
> commands by using a specific email address in the INI that can send
> commands.

How do you verify that the email was actually sent from the sender
address which is allowed to send commands? The From: header is
irrelevant, and I wouldn't trust Envelope-From: headers either since
that can also be faked. Using SPF and/or DKIM might help, and you might
have to go to some lengths to check on that.

I'd at least use a list of passwords, known only to your server and to
you, so every email you want processed needs to contain the next
password on the list to be considered. That's pretty simple to do, and
pwgen is your friend :)

Other than that, xmpp is way easier to process than emails, and someone
who wants to send something first needs to log into their account with
a password. That may be safer than just emails alone. Another advantage
is that emails can be delayed whereas xmpp is (supposed to be) instant
(and usually is).

> Any other email addresses that attempt to send commands
> are ignored and it sends me a report if this occurs.

When you use a UUID as the local part of the receiving address, it's
somewhat unlikely that anyone but you will send emails to it (unless
you publish the address).

> In the Perl script I was able to set up things such as allowing
> certain IPs in ufw, check disk space, run apt to update the server,
> and even reboot the server.
>
> I don't know if you have access to a SMTP email server or not.

I'm running one on my server which relays the emails through the SMTP
server of an email provider.

Creating this daemon is really only intended to allow me to
reboot/shutdown my workstation when the screen has gone black. That
sometimes happens since NVIDIA drivers aren't perfect. Of course, if it
gets otherwise locked up, the daemon will also be useful.

The other day I came back to my keyboard right when the display said
'no signal' because the screen saver had just switched it off, and I
pressed a button and the display remained switched off. Switching to
consoles and back didn't help, switching the display off and back on
didn't help either. I couldn't even get a picture on the 2nd monitor
(which is usually switched off, but things go haywire when switching
displays on/off because someone programmed it stupidly so it does
unwanted stuff automatically despite the 2nd display being switched
off, and the 2nd display usually needs some convincing to work or
doesn't work at all when I try to enable it); pressing Ctrl+Alt+Del
didn't do anything, the Reset button of my workstation is probably
disabled (I need to check that in the BIOS), and at that point the only
thing that remains is to power it off while it's running, which I don't
want to do at all.

All that is time consuming and annoying, and that Ctrl+Alt+Del doesn't
work anymore is retarded, and I'm totally pissed and I've had it. So I
created this daemon so I can at least reboot my workstation when things
aren't working as they should. I could log in via ssl, but I'd have to
set up my laptop for that, or the 2nd display and a keyboard for the
server, which usually aren't connected, so that's also annoying. It's
not so difficult to send xmpp messages from a phone or a tablet.

> Gmail used to allow this type of interaction and allow log ins from
> scripts, but I believe that they have locked down security to no
> longer allow that.

You could use some dyndns provider like noip, and wireguard to connect
to your home network/server from afar. Wireguard is awesome, and what's
better than the option of having full access same as if you were at
home, or limited access if you want. It sure beats both xmpp and
emails. Or you could directly connect to your xmpp server or email
server through wireguard to send commands, which would avoid doing it
openly over the internet.

> I hope this helps.
>
> Tim

--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
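The one-time password gate hw proposes above, as an added example that is not Tim's Perl script and not code from either poster (written in Python here so it runs stand-alone; the INI keys `allowed_sender` and `command_address`, the addresses, the command names and the password list are all constructed for the example). The point it makes concrete: the From: and To: headers are only cheap filters that throw away stray mail, and the password, taken from a list in order and consumed exactly once, is the only thing that actually authenticates a command, so a captured or replayed message cannot be used twice.

```python
"""One-time-password gate for an e-mail command channel (added example)."""
import configparser
import email
import email.policy
import email.utils
import hmac

# Constructed INI, modelled on the INI Tim describes; key names are hypothetical.
SAMPLE_INI = """\
[control]
allowed_sender = hw@example.com
command_address = 6f1c2a0e-3c8b-4d7a-9a6f-1d2e3f4a5b6c@example.com
"""

# Constructed password list, one per line, as `pwgen -s 16 50 > otp.txt` would give.
SAMPLE_OTP_LIST = """\
Xq7bLm2pRt9vKs4w
nA3dFh8jTk5yUz1c
Pw6eRg0iOl4mVb2x
"""

# Hypothetical command vocabulary; anything else is rejected before a password is spent.
ALLOWED_COMMANDS = {"reboot", "shutdown", "diskspace"}


def load_config(ini_text):
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp["control"]


class OneTimePasswords:
    """Passwords are used strictly in order and each exactly once, so a
    replayed e-mail (same password again) is rejected."""

    def __init__(self, text):
        self._remaining = [ln.strip() for ln in text.splitlines() if ln.strip()]

    def remaining(self):
        return len(self._remaining)

    def consume(self, candidate):
        if not self._remaining:
            return False
        expected = self._remaining[0]
        # Constant-time comparison; pop only on success so a wrong guess
        # does not burn the next password (no cheap denial of service).
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            self._remaining.pop(0)
            return True
        return False


def authorize(raw_message, cfg, otp):
    """Return (command, reason); command is None when the mail is rejected."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)

    # Header filters first. Neither header proves who sent the mail (both are
    # trivially forged); they only discard traffic not meant for this channel.
    _, to_addr = email.utils.parseaddr(str(msg.get("To", "")))
    if to_addr.lower() != cfg["command_address"].lower():
        return None, "not addressed to the command mailbox"
    _, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    if from_addr.lower() != cfg["allowed_sender"].lower():
        return None, "From: is not the configured sender"

    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return None, "no text/plain part"
    lines = body.get_content().strip().splitlines()
    if not lines:
        return None, "empty body"
    parts = lines[0].split()
    if len(parts) != 2:
        return None, "expected '<password> <command>' on the first line"
    password, command = parts
    if command not in ALLOWED_COMMANDS:
        return None, f"unknown command {command!r}"
    # The password is the only real authentication step.
    if not otp.consume(password):
        return None, "password is not the next one on the list"
    return command, "ok"


def build_message(sender, recipient, first_line):
    """Constructed raw message; the real script would fetch this from the mailbox."""
    return (
        f"From: {sender}\r\nTo: {recipient}\r\nSubject: cmd\r\n"
        f"Content-Type: text/plain; charset=us-ascii\r\n\r\n{first_line}\r\n"
    ).encode()


if __name__ == "__main__":
    cfg = load_config(SAMPLE_INI)
    otp = OneTimePasswords(SAMPLE_OTP_LIST)
    mail = build_message("hw@example.com", cfg["command_address"], "Xq7bLm2pRt9vKs4w reboot")
    print(authorize(mail, cfg, otp))   # accepted
    print(authorize(mail, cfg, otp))   # same mail again: replay rejected
```

In the real script the consumed list would be rewritten to disk (root-only, mode 0600) after every accepted command, and the remaining passwords should never be logged; if the list runs out, the channel simply stops accepting commands until you refill it while at home. This does nothing about confidentiality or about whether the sender really is you beyond possession of the list, which is why hw's suggestions of SPF/DKIM checks, xmpp, or tunnelling the whole thing over wireguard remain worthwhile.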