Archive for the ‘Ubuntu’ Category

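#!/bin/bash
# Sets up Howdy so that facial recognition can be used instead of the sudo
# password when running sudo commands.
# Based on the following guide: https://itsfoss.com/face-unlock-ubuntu/
#
# Security note: Howdy's own documentation states that face unlock is not as
# secure as a password; a person who looks similar, or a good printed photo,
# may be accepted. Treat it as a convenience and keep a strong account password.
# The PPA below is a third-party repository, and its packages are installed
# with root privileges.
sudo add-apt-repository ppa:boltgolt/howdy
sudo apt update
sudo apt install howdy v4l-utils
#######################################################################
# Find the camera device that has to be entered into
# /lib/security/howdy/config.ini.
# Only real /dev/video* nodes are matched (a device *name* containing "dev"
# is ignored) and the leading whitespace of the v4l2-ctl output is dropped.
DEVICENAME=$(v4l2-ctl --list-devices | awk '/\/dev\/video/ { print $1; exit }')
if [ -z "$DEVICENAME" ]; then
  echo "No /dev/video* device found; check that a camera is connected." >&2
fi
printf '%s\n' "$DEVICENAME"

# Opens the Howdy configuration in an editor: set device_path to the value
# printed above, for example /dev/video0.
sudo howdy config

# The video section of /lib/security/howdy/config.ini could then contain:
#
# # The path of the device to capture frames from
# device_path = /dev/video0

#######################################################################
# Associate a face with the currently logged-in user:
sudo howdy add
# List all the known face models for a user:
sudo howdy list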
#!/bin/bash
# Installs Flatpak and three office suites from the Flathub remote.
# Compatible with Debian 10 Buster running in Qubes OS 4.
# Requires at least 3.5 GB of free disk space in the / (root) directory.
sudo apt update
sudo apt install gnome-software-plugin-flatpak flatpak
# Register Flathub once; --if-not-exists makes re-runs harmless.
flatpak remote-add --if-not-exists flathub \
  https://flathub.org/repo/flathub.flatpakrepo
# Install each office suite in turn, then refresh everything installed.
for office_app in org.libreoffice.LibreOffice org.onlyoffice com.wps.Office; do
  flatpak install flathub "$office_app"
done
flatpak update
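# Enable the ufw firewall in Ubuntu 18.04 or newer and restrict Internet
# access to a short list of outbound ports.
sudo apt install ufw gufw
sudo ufw status
# Keep a copy of the previous rule set so it can be compared or restored by hand.
sudo ufw status > /tmp/ufw-status-old
sudo ufw disable
# WARNING: reset deletes every existing rule and returns ufw to its
# installation defaults.
sudo ufw reset
# ufw's default policy allows ALL outgoing traffic, so the "allow out" rules
# below only restrict anything once outgoing traffic is denied by default.
# After this change, check that everything else the machine needs still works
# (for example DHCP renewals or ping) and add rules for it where necessary.
sudo ufw default deny incoming
sudo ufw default deny outgoing
# inbound rules are not needed
#sudo ufw allow in to any port 53
#sudo ufw allow in to any port 80
#sudo ufw allow in to any port 443
#sudo ufw allow in to any port 853
#sudo ufw allow in to any port 5938
# only outbound rules are required
# DNS:
sudo ufw allow out to any port 53
# http needed in order to get and update packages via apt command:
sudo ufw allow out to any port 80
# NTP port 123 needed to sync time:
sudo ufw allow out to any port 123
# https:
sudo ufw allow out to any port 443
# following port needed for DNS-over-TLS:
sudo ufw allow out to any port 853
# following port needed so that TeamViewer works:
sudo ufw allow out to any port 5938
# following port needed so that gpg can connect to keyserver:
sudo ufw allow out to any port 11371
sudo ufw enable
# "verbose" also prints the default policies, which confirms the deny defaults.
sudo ufw status verbose
sudo ufw status > /tmp/ufw-status-new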
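# Start of bash shell script:
# ProcDump is a Linux reimagining of the classic
# ProcDump tool from the Sysinternals suite of tools
# for Windows. ProcDump provides a convenient way for Linux
# developers to create core dumps of their application based
# on performance triggers.

# Stop if the home directory cannot be entered, so that the rm -rf below can
# never act on some other working directory.
cd || exit 1
# sudo is kept for the removal because earlier versions of this script built
# with "sudo make" and may have left root-owned files in the checkout.
sudo rm -rf -- "$HOME/procdump-for-linux"
sudo apt update
sudo apt install git checkinstall build-essential
git clone https://github.com/microsoft/procdump-for-linux || exit 1
cd procdump-for-linux || exit 1
# Compile as the regular user: the build does not need root, and running a
# freshly downloaded Makefile as root gives it full control of the system.
make || exit 1
# Only packaging and installing the result requires root.
sudo checkinstall
# End of shell script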

 

Checkinstall configuration and terminal output should be similar to this:

This package will be built according to these values:

0 – Maintainer: [ <restricted> ]
1 – Summary: [ Package created with checkinstall 1.6.2 ]
2 – Name: [ procdump ]
3 – Version: [ 20181112 ]
4 – Release: [ 1 ]
5 – License: [ GPL ]
6 – Group: [ checkinstall ]
7 – Architecture: [ amd64 ]
8 – Source location: [ procdump-for-linux ]
9 – Alternate source location: [ ]
10 – Requires: [ ]
11 – Provides: [ procdump ]
12 – Conflicts: [ ]
13 – Replaces: [ ]

Enter a number to change any of them or press ENTER to continue:

Installing with make install…

========================= Installation results ===========================
mkdir -p //usr/bin
cp bin/procdump //usr/bin
mkdir -p //usr/share/man/man1
cp procdump.1 //usr/share/man/man1

======================== Installation successful ==========================

Copying documentation directory…
./
./LICENSE
./README.md

Copying files to the temporary directory…OK

Stripping ELF binaries and libraries…OK

Compressing man pages…OK

Building file list…OK

Building Debian package…OK

Installing Debian package…OK

Erasing temporary files…OK

Writing backup package…OK
OK

Deleting temp dir…OK
**********************************************************************

Done. The new package has been installed and saved to

/home/<restricted>/procdump-for-linux/procdump_20181112-1_amd64.deb

You can remove it from your system anytime using:

dpkg -r procdump

**********************************************************************

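#######################################################################################################################
# Enable DNS over TLSv1.2 encrypted communications
# in Ubuntu 18.04 64-bit using a bash shell script.
# Source: https://www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls
sudo apt purge unbound avahi-daemon
LogTime=$(date '+%Y-%m-%d_%Hh%Mm%Ss')

# Timestamped backups of every file this script rewrites.
cp /etc/resolv.conf "$HOME/resolv.conf_$LogTime"
cp /etc/nsswitch.conf "$HOME/nsswitch.conf_$LogTime"
cp /etc/systemd/resolved.conf "$HOME/resolved.conf_$LogTime"
cp /etc/network/interfaces "$HOME/interfaces_$LogTime"

sudo service resolvconf stop
sudo update-rc.d resolvconf remove

sudo apt install stubby
systemctl status stubby
sudo netstat -lnptu | grep stubby
sudo netstat -lnptu | grep systemd-resolve

# The replacement files are copied into /etc as root, so they are assembled in
# a private mktemp directory. Fixed names in the world-writable /tmp could be
# pre-created or altered by another local user before the "sudo cp" runs.
WORKDIR=$(mktemp -d) || exit 1

# /etc/resolv.conf: drop the old nameserver lines and point at the local
# stubby resolver.
grep -v nameserver /etc/resolv.conf > "$WORKDIR/resolv.conf"
{
  echo 'nameserver 127.0.0.1'
  # echo 'nameserver 2620:fe::fe'
  # NOTE(review): this makes dnsknowledge.com (taken from the tutorial) the
  # search domain, so unqualified host names are also looked up under a
  # third-party domain. Replace it with your own domain or drop the line.
  echo 'domain dnsknowledge.com'
  echo 'options rotate'
} >> "$WORKDIR/resolv.conf"
sudo cp "$WORKDIR/resolv.conf" /etc/resolv.conf
sudo service resolvconf start

# configure DNS server on Ubuntu 18.04 LTS:
grep -v -e nameservers -e search -e options /etc/network/interfaces > "$WORKDIR/interfaces"
{
  #echo 'dns-nameservers 9.9.9.9 2620:fe::fe'
  echo 'dns-nameservers 127.0.0.1'
  # NOTE(review): same third-party search domain as above; adjust or remove.
  echo 'dns-search dnsknowledge.com'
  echo 'dns-options rotate'
} >> "$WORKDIR/interfaces"
sudo cp "$WORKDIR/interfaces" /etc/network/interfaces

# enable systemd caching DNS resolver
grep -v hosts /etc/nsswitch.conf > "$WORKDIR/nsswitch.conf"
# dns must be mentioned in next line, or else wget does not work
# NOTE(review): the systemd NSS module is named "resolve"; "resolv" looks like
# a typo, which would explain why "dns" is required here. Confirm before changing.
echo 'hosts: files mdns4_minimal [NOTFOUND=return] resolv dns myhostname mymachines' >> "$WORKDIR/nsswitch.conf"
sudo cp "$WORKDIR/nsswitch.conf" /etc/nsswitch.conf

# set DNS server to 127.0.0.1
# (grep -v DNS removes every line containing "DNS", commented defaults included)
grep -v DNS /etc/systemd/resolved.conf > "$WORKDIR/resolved.conf"
{
  #echo 'DNS=9.9.9.9'
  echo 'DNS=127.0.0.1'
  echo 'DNSSEC=yes'
} >> "$WORKDIR/resolved.conf"
sudo cp "$WORKDIR/resolved.conf" /etc/systemd/resolved.conf

# The private working copies are no longer needed.
rm -rf -- "$WORKDIR"

sudo systemd-resolve --flush-caches
sudo systemctl restart systemd-resolved
sudo systemd-resolve --flush-caches
sudo systemd-resolve --status

# It is probably also necessary to manually set
# the DNS server to 127.0.0.1 in the router's configuration
# and in the NetworkManager GUI

# Then reboot your PC to enable new DNS over TLSv1.2 encrypted communications
# Use the wireshark application to capture encrypted DNS packets on port 853
# There should be no more DNS handshakes on port 53 and only encrypted DNS handshakes on port 853

# Test DNSSEC validation using dig command-line tool
# See: https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
dig pir.org +dnssec +multi
host dnsknowledge.com

# To get similar functionality on iOS: install "DNSCloak" application
# To get similar functionality on Android: install "Intra" application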

Please first visit this bug report that I filed:

https://bugs.chromium.org/p/chromium/issues/detail?id=889072#c2

So disabling the cipher suites below in Mozilla Firefox will make certain websites inaccessible, but will make the browsing experience more secure.

It is up to you to decide if you want extra security or not.

If you wish to proceed, visit following website to test the weaknesses in your Mozilla Firefox browser:

https://www.ssllabs.com/ssltest/viewMyClient.html

Then upgrade Mozilla Firefox to the latest version.

In Mozilla Firefox, navigate to   “about:config”

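Set security.tls.version.max to 4 (in Firefox's numbering, 4 means TLS 1.3)

Set security.tls.version.min to 3 (3 means TLS 1.2, so TLS 1.1 and older are no longer offered)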

Set security.ssl3.rsa_aes_128_sha to false

Set security.ssl3.rsa_aes_256_sha to false

Set security.ssl3.rsa_des_ede3_sha to false

Go back to this website to retest weaknesses:

https://www.ssllabs.com/ssltest/viewMyClient.html

After the changes above, only following Protocols and Cipher Suites should be supported by Mozilla Firefox.

HTTPS protocols TLS 1.0 and older are known to be weak and should be disabled as described above.

TLS_RSA_*_CBC_SHA cipher suites should no longer be used: they are considered weak, in part because their static RSA key exchange provides no forward secrecy. Disabling them will, however, make certain websites inaccessible.

Protocols
TLS 1.3 Yes
TLS 1.2 Yes

 

Cipher Suites (in order of preference)
TLS_AES_128_GCM_SHA256 (0x1301)   Forward Secrecy 128
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   Forward Secrecy 256
TLS_AES_256_GCM_SHA384 (0x1302)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 256

Further instructions (more extensive) can be found here:

https://vikingvpn.com/cybersecurity-wiki/browser-security/guide-hardening-mozilla-firefox-for-privacy-and-security

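#!/bin/bash
# Install the lightweight GTK-based YouTube viewer (inspired by the XenialDog
# 64-bit LiveUSB distro).
# Prerequisite: Ubuntu 20.04 or Debian 10
# source: https://github.com/trizen/youtube-viewer
# source:  https://mark911.wordpress.com/2018/05/02/how-to-install-gtk-youtube-viewer-from-github-source-into-ubuntu-18-04-lts-using-a-bash-shell-script/

# Please follow the instructions at https://github.com/trizen/youtube-viewer
# to update your Youtube API key in ~/.config/youtube-viewer/api.json
# in order to be able to use this program
# You will need to go to https://console.developers.google.com/apis/dashboard
# The new Google API project must be called gtk2-youtube-viewer
# The API key must be called gtk2-youtube-viewer and must be restricted to YouTube Data API v3 only.
# The OAuth 2.0 Client ID name must be called gtk2-youtube-viewer and must be defined for Desktop use.
# Make sure to put the API key, OAuth 2.0 Client ID (not gtk2-youtube-viewer, but long string of letters and numbers)
# and OAuth 2.0 Client secret in ~/.config/youtube-viewer/api.json
# api.json then holds credentials: keep it readable by your user only and
# never publish it.
# For best playback performance, choose mpv as video player backend for gtk2-youtube-viewer program

# Stop if the home directory cannot be entered, so that the rm -rf below can
# never act on some other working directory.
cd || exit 1

# NOTE(review): apt-key adds each key to apt's global trusted keyring, where it
# is trusted for every configured repository. The keys are fetched by 64-bit
# key ID over unencrypted HKP, and nothing in this script shows which
# repository needs them. Check each key's full fingerprint against the value
# published by its owner, and remove any key you cannot account for.
for key_id in ED75B5A4483DA07C 9A2FD067A2E3EF7B 2EA8F35793D8809A \
              9D6D8F6BC857C906 8B48AD6246925553 7638D0442B90D010; do
  sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv "$key_id"
done
sudo apt update
sudo apt install youtube-dl mplayer mpv cpanminus perl git libncurses5-dev libtinfo-dev libreadline-dev pkg-config libgtk2.0-dev libgtk3-perl

# sudo is kept for the removal because the install steps below run as root
# inside the checkout and can leave root-owned files behind.
sudo rm -rf -- "$HOME/youtube-viewer"
git clone https://github.com/trizen/youtube-viewer || exit 1
# Without this check a failed clone would run cpanm and the build in $HOME.
cd youtube-viewer || exit 1

# Perl modules needed by the viewer; installed once for the current user and
# once system-wide, as in the original procedure.
CPAN_MODULES=(
  CPAN ExtUtils::PkgConfig Module::Build inc::latest PAR::Dist
  Term::ReadLine::Gnu::XS Unicode::GCString LWP::Protocol::https Data::Dump
  JSON Gtk2 Gtk3 File::ShareDir LWP::UserAgent::Cached Term::ReadLine::Gnu
  JSON::XS Unicode::LineBreak
)
cpanm .
cpanm --installdeps .
cpanm --from https://cpan.metacpan.org/ "${CPAN_MODULES[@]}"
# Runs CPAN install code as root; the modules come straight from the mirror
# named here.
sudo cpanm --from https://cpan.metacpan.org/ "${CPAN_MODULES[@]}"
perl Build.PL --gtk2
sudo ./Build installdeps
sudo ./Build install

# The viewer only works after the API key and OAuth client described at the
# top of this script have been written to ~/.config/youtube-viewer/api.json.
more README.md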
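# Build a Hiren's Boot CD "reborn" ISO image from its GitHub repository.
cd || exit 1
sudo apt update
# genisoimage provides the mkisofs command used below.
sudo apt install git genisoimage
# On a re-run the clone fails because the directory already exists; the pull
# below then updates the existing checkout instead.
git clone --depth=1 --recursive https://github.com/HBCD/Hiren-s-Boot-CD-reborn.git
# Without this check the git and mkisofs commands would run in $HOME.
cd Hiren-s-Boot-CD-reborn || exit 1
git pull --recurse-submodules
# NOTE: --remote moves every submodule to the newest commit of its upstream
# branch instead of the commit recorded by this repository, so the tools that
# end up in the ISO are unpinned. Review what was fetched before booting it.
git submodule update --remote --recursive
mkisofs -R -D -J -l -joliet-long  -o ./myhbcd.iso -b HBCD/grldr -c HBCD/boot.cat \
  -hide-joliet HBCD/boot.cat -hide HBCD/boot.cat -no-emul-boot -N -boot-info-table \
  -V HirensBootCD  -boot-load-size 4 CD
ls -larth -- ./*.iso
# list of tools: https://github.com/HBCD/Hiren-s-Boot-CD-reborn/projects/1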
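#!/bin/bash
# Procedure to copy mp3 files from Youtube or Soundcloud playlist to a smartphone
# Prerequisites: Ubuntu 20.04, Debian 10 or newer, bash shell, detox,
# Prerequisites: aacgain, mp3gain, pip3, python, snap, parallel (to use multi-core processors)
# Prerequisites: Google Chrome Web browser in Debian 10,
# Prerequisites: AirDroid on Android smartphone,
# Prerequisites: Cloud Music Player - Listener on Apple iPhone
# Prerequisites: Only ports to keep open for this are the
# DNS or DNS-over-HTTPS port, port 80 and port 443
# Author: Mark Rijckenberg
# Last modification date: 2021/3/26

# read -r keeps backslashes in the typed values literal.
printf '%s' "Enter Youtube/Soundcloud playlist URL to convert to mp3 files: "
read -r URL

printf '%s' "Enter full path where mp3 files should be stored: "
read -r INSTALLDIR

# Both values are used in later commands (mkdir, cd, detox -r, find); an empty
# directory would make those act on the current or home directory instead.
if [ -z "$URL" ] || [ -z "$INSTALLDIR" ]; then
  echo "Both a playlist URL and a target directory are required." >&2
  exit 1
fi

# update contents of software repositories, using whichever package manager
# is actually present:
if command -v dnf > /dev/null 2>&1; then
  sudo dnf update
fi
if command -v apt > /dev/null 2>&1; then
  sudo DEBIAN_FRONTEND=noninteractive apt update
fi

# select right tool for the job: scdl for Soundcloud URLs, youtube-dl otherwise
DETECTSOUNDCLOUD=$(printf '%s\n' "$URL" | grep -c soundcloud)
echo "$DETECTSOUNDCLOUD"

if [ "$DETECTSOUNDCLOUD" -gt 0 ] ; then
  TOOL=scdl
else
  TOOL=youtube-dl
fi
echo "$TOOL"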

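#######################################
# Installs a package when its command is not yet on the PATH.
# apt is tried first, dnf second. The deprecated --force-yes flag is not used:
# it lets apt install packages that fail authentication, so only --yes
# (answer the confirmation prompt) is passed.
# Arguments: $1 - command to look for
#            $2 - apt package name
#            $3 - dnf package name (defaults to $2)
# Outputs:   "<command> installed" when nothing has to be done
#######################################
install_if_missing() {
  local cmd=$1
  local apt_pkg=$2
  local dnf_pkg=${3:-$2}
  if command -v "$cmd" > /dev/null 2>&1; then
    echo "$cmd installed"
  else
    sudo DEBIAN_FRONTEND=noninteractive apt install --yes "$apt_pkg" \
      || sudo dnf install "$dnf_pkg"
  fi
}

#######################################
# Installs a tool that is tried as a snap first, then via apt, then via dnf.
# Arguments: $1 - command and package name
#######################################
install_snap_first() {
  local cmd=$1
  if command -v "$cmd" > /dev/null 2>&1; then
    echo "$cmd installed"
  else
    sudo snap install "$cmd" || sudo apt install "$cmd" || sudo dnf install "$cmd"
  fi
}

# install snap, pip3, python and detox (if not installed)
install_if_missing snap snapd
install_if_missing pip3 python3-pip
install_if_missing python python-is-python3
install_if_missing detox detox

# install ffmpeg (if not installed)
if command -v ffmpeg > /dev/null 2>&1; then
  echo "ffmpeg installed"
else
  # Third-party PPA: its packages are installed with root privileges.
  sudo DEBIAN_FRONTEND=noninteractive add-apt-repository --yes ppa:flexiondotorg/audio
  sudo DEBIAN_FRONTEND=noninteractive apt update
  sudo DEBIAN_FRONTEND=noninteractive apt install --yes ffmpeg || sudo dnf install ffmpeg
fi

# install lame (if not installed)
install_if_missing lame lame

# install mp3gain and aacgain (if not installed)
install_snap_first mp3gain
install_snap_first aacgain

# install parallel (if not installed)
install_if_missing parallel parallel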

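# URL and INSTALLDIR were typed in by the user. They are quoted everywhere
# below so that spaces or shell wildcards in them cannot split or expand into
# extra arguments, and both must be non-empty.
: "${URL:?playlist URL must be set}"
: "${INSTALLDIR:?target directory must be set}"

if [ "$DETECTSOUNDCLOUD" -gt 0 ] ; then

  # Soundcloud specific:
  echo "$TOOL"
  mkdir -p -- "$INSTALLDIR"
  cd -- "$INSTALLDIR" || exit 1
  pip uninstall scdl
  pip3 uninstall scdl
  sudo rm -f /usr/local/bin/scdl
  # Installs the current, unpinned state of the upstream repository.
  pip3 install git+https://github.com/flyingrub/scdl
  sudo cp "$HOME/.local/bin/scdl" /usr/local/bin/scdl
  sudo cp "$HOME/.local/bin/scdl" /usr/bin/scdl
  "$TOOL" --addtofile -c -l "$URL"

else

  # Youtube specific:
  echo "$TOOL"
  mkdir -p -- "$INSTALLDIR"
  rm -f -- "$INSTALLDIR/$TOOL"

  # install/upgrade youtube-dl to newest version via pip;
  # if pip fails, fall back to downloading the release file with wget.
  # NOTE: the fallback writes a downloaded executable into /usr/bin as root
  # without checking a signature or checksum.
  sudo -H pip install --upgrade youtube-dl || sudo wget https://yt-dl.org/downloads/latest/youtube-dl -O /usr/bin/youtube-dl
  for ytdl_path in /usr/bin/youtube-dl /usr/local/bin/youtube-dl; do
    if [ -e "$ytdl_path" ]; then
      sudo chmod a+rx "$ytdl_path"
    fi
  done
  youtube-dl --version

  cd -- "$INSTALLDIR" || exit 1
  # --no-check-certificate was removed from both youtube-dl calls: it disables
  # TLS certificate validation, so downloads could be intercepted or altered.
  # "--" stops option parsing, so a URL starting with "-" is not read as a flag.
  PLAYLISTNAME=$("$TOOL" --flat-playlist -- "$URL" | grep -E -v "just" | grep -E "Downloading playlist" | head -n1 | cut -d":" -f2)
  # The playlist title comes from the remote site. Besides spaces and "&",
  # "/" is stripped and "." / ".." are rejected, so the title can never point
  # outside INSTALLDIR. An empty name means: download straight into INSTALLDIR.
  PLAYLISTDIR=$(printf '%s' "$PLAYLISTNAME" | tr -d ' \t&/')
  case "$PLAYLISTDIR" in
    . | ..) PLAYLISTDIR= ;;
  esac
  mkdir -p -- "$INSTALLDIR/$PLAYLISTDIR"
  cd -- "$INSTALLDIR/$PLAYLISTDIR" || exit 1
  "$TOOL" --postprocessor-args "-threads 6" --restrict-filenames -o '%(title)s.%(ext)s' -v --extract-audio --audio-format mp3 -i -- "$URL"

fi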

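# An empty INSTALLDIR would make detox and the find commands below work on the
# current directory instead, so stop early in that case.
: "${INSTALLDIR:?target directory must be set}"

# rename problematic filenames using detox utility
detox -r "$INSTALLDIR"

cd -- "$INSTALLDIR" || exit 1

#######################################
# Runs a gain tool three times over every file below the current directory
# (three passes in case the tool skips files during the first two attempts).
# File names are passed NUL-delimited so unusual names cannot be split.
# Arguments: $1 - gain binary, remaining arguments - its options
# Returns:   0 without doing anything when the binary is not available
#######################################
run_gain_passes() {
  local pass
  command -v "$1" > /dev/null 2>&1 || return 0
  for pass in 1 2 3; do
    find . -type f -print0 | parallel -0 -X "$@"
  done
}

# normalize volume with mp3gain (snap build and/or distribution package)
run_gain_passes /snap/bin/mp3gain -r -T
run_gain_passes mp3gain -r -T

# normalize volume with aacgain (snap build and/or distribution package)
run_gain_passes /snap/bin/aacgain -r
run_gain_passes aacgain -r


echo "Temporarily disable all extensions in Google Chrome webbrowser and reboot your Android smartphone before attempting the .mp3 file transfer from Ubuntu to Android via AirDroid"
echo "The Mozilla Firefox web browser is not (yet) compatible with AirDroid. You have to use Google Chrome."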

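# Check whether this machine is protected against Spectre/Meltdown.
sudo apt update
sudo apt install git
# Stop if the home directory cannot be entered, so that the rm -rf below can
# never act on some other working directory.
cd || exit 1
rm -rf -- "$HOME/spectre-meltdown-checker"
git clone https://github.com/speed47/spectre-meltdown-checker.git || exit 1
cd spectre-meltdown-checker || exit 1
chmod +x spectre-meltdown-checker.sh
# This runs a freshly downloaded script as root: read it first, or check out a
# release you have reviewed.
sudo ./spectre-meltdown-checker.sh

# The kernel's own per-vulnerability report (available on kernels that expose
# this sysfs directory) is the most direct source; the three checks below are
# older heuristics.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
  grep -r . /sys/devices/system/cpu/vulnerabilities/
fi

if grep CONFIG_PAGE_TABLE_ISOLATION=y "/boot/config-$(uname -r)"; then
  echo "patched :)"
else
  echo "unpatched :("
fi
# NOTE(review): cpu_insecure appears to be the flag name used by early
# page-table-isolation kernels; later kernels report cpu_meltdown instead, so
# "unpatched" from this check alone can be a false alarm. Confirm against the
# sysfs report above.
if grep cpu_insecure /proc/cpuinfo; then
  echo "patched :)"
else
  echo "unpatched :("
fi
# dmesg may need root on systems that restrict kernel log access, and the boot
# message can already have rotated out of the log buffer.
if dmesg | grep "Kernel/User page tables isolation: enabled"; then
  echo "patched :)"
else
  echo "unpatched :("
fi
uname -a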