Advanced script in Bash (bash + md5) to protect 'something' (+ Detailed explanation)

Some days ago I told you about FlatPress, a web application (CMS) that lets you run a blog or something similar without a database and without getting too complicated 🙂

Well, I keep a FlatPress on my laptop for personal notes, things I do not want to forget, and that is why I write them in that personal blog. But, as several of you must already know... I am somewhat paranoid about security, and when it concerns the security of MY thoughts, you have no idea how paranoid I can get.

So I was faced with the problem: using FlatPress, how can I protect all the content in it?

I thought of several applications that allow data encryption, but none did exactly what I wanted, so I took on the task of programming what I wanted myself.

Now I will show you a script I made, which does the following:

The script is designed to work in KDE; if you don't have KDE, the dialog boxes will not appear.

1. It shows a dialog box asking if you are KZKG^Gaara; if you press NO the script closes, if you press YES everything continues as normal.

2. It shows a text box asking for the password:

3. If you press Cancel the script closes. Now comes one of the script's tricks 😉 ...

3.1. The logic is that the script compares the password we type with one that is already predefined inside the script itself: if they match it keeps running, and if they do not, an error message appears. The problem is that if we put the correct password inside the script just like that, anyone who opens the script with a text editor could read the correct password in the clear... and that, my friends, is simply an unforgivable failure.

3.2. To avoid putting the password in plain text in the script, I used MD5. That is, at the beginning of the script I declared that the correct password is «2dac690b816a43e4fd9df5ee35e3790d», and this is the MD5 of «desde linux» ("from linux" in Spanish). ... I do not understand anything!! … 😀

Let's go into a little more detail. Say I write the text desde linux to a file (e.g. ~/pass.txt).

If in a terminal I type: md5sum ~/pass.txt

It returns two columns: 2dac690b816a43e4fd9df5ee35e3790d and then the file name.

And, as you can see, that first column, the one with lots of numbers and letters in no apparent order, is identically the same as the one I put above, and it is the one declared in the script.

Well, that first column is the MD5 of the file's content, i.e. of desde linux 😉 (one detail worth knowing: md5sum hashes the bytes exactly as they are, so a trailing newline added by your editor, or by echo, gives a completely different hash; however the stored hash was produced, the script has to hash the typed password the same way.)

If you run the following, it returns only the 1st column, which is the one that interests us: md5sum ~/pass.txt | awk '{print $1}'

4. So, the operation of the script in this specific part is:

4.1. The script writes the password you typed to a temporary file called temp.txt and extracts the MD5 of that file's content with the command:

md5sum temp.txt | awk '{print $1}'

4.2. If the MD5 of the password you just typed is NOT identical to the one defined in the script, it closes and gives an error.

4.3. If the password matches, perfect... the script continues 😀

Two things to keep in mind about this check. Writing the password to temp.txt leaves it on disk (even after rm, until the blocks are overwritten), and it is not needed: you can pipe the string straight into md5sum. And a fast hash like MD5 only hides the password from a casual glance: anyone who reads the script can run a wordlist or a rainbow table against the stored hash, and a short phrase made of dictionary words falls in seconds. A slow password hash (bcrypt, scrypt, Argon2) or a long random passphrase is what actually makes that expensive.
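As an added example, not the author's script, here is the password gate of steps 3 and 4 written without the temporary file, plus a small dictionary attack against a bare MD5 to show why the stored hash alone is not a secret. The stored hash is SHA-256 of the constructed demo password "abc", the wordlist is constructed, and the prompt_password helper stands in for the kdialog box; everything else is plain coreutils.

```bash
#!/usr/bin/env bash
# Added example: hash-based password gate without a temp file, plus a
# dictionary attack against a bare MD5 to show why the hash alone is weak.
# GOOD_HASH is SHA-256 of the constructed demo password "abc" (assumption:
# you would replace it with the hash of your own passphrase).
GOOD_HASH='ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'

# Hash a string exactly as typed.  printf '%s' writes no trailing newline;
# hashing a file (or using echo) would hash "password\n" and never match.
pw_hash() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# Exit status 0 when the candidate's hash equals the stored one, 1 otherwise.
# printf is a shell builtin, so the candidate goes through a pipe and never
# through argv of an external process or a file on disk.
check_password() {
    [ "$(pw_hash "$1")" = "$GOOD_HASH" ]
}

# Try every word of a (constructed) wordlist against a stored MD5 and print
# the first match.  Any fast hash of a short password falls to this in
# milliseconds; only a slow hash (bcrypt, scrypt, Argon2) or a long random
# passphrase changes the picture.
crack_md5() {
    local target=$1 word
    shift
    for word in "$@"; do
        if [ "$(printf '%s' "$word" | md5sum | awk '{print $1}')" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done
    return 1
}

# Interactive use: read the passphrase with echo off (the original used a
# KDialog password box for this step), then gate on it.
prompt_password() {
    local candidate
    printf 'Password: ' >&2
    stty -echo 2>/dev/null || true
    IFS= read -r candidate
    stty echo 2>/dev/null || true
    printf '\n' >&2
    check_password "$candidate"
}

# Demo: ./gate.sh demo  (hash of "abc" typed vs. echoed, then the wordlist hit)
if [ "${1:-}" = demo ]; then
    printf 'printf: %s\necho  : %s\n' "$(pw_hash abc)" "$(echo abc | sha256sum | awk '{print $1}')"
    crack_md5 5d41402abc4b2a76b9719d911017c592 abc password hello
fi
```

The MD5 used in the demo is the hash of "hello"; the wordlist recovers it on the third try, which is the whole rainbow-table argument in miniature.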

5. When the password matches, the script does a series of steps, in my case:

5.1. It enters the folder /home/shared/hosted/ - » cd /home/shared/hosted/

5.2. The FlatPress folder is called "me", and it is compressed in a .RAR protected with a password (the same password that had to be typed before), so the script decompresses that file (me.rar) - » rar x me.rar -hp$MWORD

rar x - » decompresses files and folders keeping the same structure they had.

me.rar - » This is the file I want to unpack.

-hp$MWORD - » Here I tell it that a password is needed to unpack the file, and that the password is the variable $MWORD (this variable holds the password we entered before). The -hp switch encrypts the file headers as well as the data, so the file names inside cannot even be listed without the password, unlike plain -p. Passing the password as a command-line argument does have a cost: while rar runs, any local user can read it from the process list (ps, /proc).

5.3. So, if it was unpacked correctly, I delete the file me.rar... why? Well, because it makes no sense for the .rar to exist while I am working with the files that were inside it, and those files keep changing because I am writing new things on the blog - » rm me.rar

5.4. I must change the permissions for everything to work well - » chmod 777 -R me/ (remember that the folder me/ is what me.rar contained). Note that 777 gives every user on the machine read and write access to the notes; if the web server runs as your own user, the owner bits (chmod -R u+rwX me/) are all it needs.

5.5. It shows me a window saying I have 10 seconds to open "the" browser... WTF!, what does this mean? ...

5.5 (a). Simple, very simple... 🙂... I open the browser (in this case rekonq) and work on a new post, but when I close the browser, the script compresses the me/ folder again into a .rar (leaving me.rar).

This is possible because the script checks every 3 seconds whether Rekonq is open or not; if it detects that it is open, the script does nothing, but if it detects that it is NOT open, it runs: rar a me.rar -hp$MWORD me/* && rm -R me/

Which means it compresses the folder me/ into me.rar (putting a password on it, the same one we have already seen), and once it has compressed it, and only if there were no errors, it deletes the folder me/ with all its content. (Two details: the glob me/* does not match names starting with a dot, so hidden files are left out of the archive and then deleted together with the folder; and rm only unlinks, so the old plaintext stays on disk until it is overwritten.)

5.5 (b). How does this help us? ... simple: it saves us from having to remember to protect our content again, since we only need to stop working on it (close the browser) and the script does all the rest of the work 😉
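As an added example, not the author's script, here is the unpack / wait / repack loop of steps 5.1 to 5.5 rebuilt on tar and gpg symmetric encryption (the replacement for rar suggested in the comments), with the passphrase fed to gpg through a pipe instead of the command line, and a trap that repacks the folder if the script is interrupted. Assumed: gpg 2.1 or newer and pgrep are installed, the variable name MWORD is kept from the original, and the path and browser name in the usage comment are the post's own.

```bash
#!/usr/bin/env bash
# Added example (not the author's script): the unseal / wait / reseal flow of
# steps 5.1-5.5 rebuilt on tar + gpg symmetric encryption instead of rar.
# Assumptions: gpg 2.1+ and pgrep are installed; the passphrase is in $MWORD
# (the variable name from the original) and reaches gpg on its stdin, so it
# never appears on a command line where `ps` could read it.
set -eu

# Pack DIR into DIR.tgz.gpg (AES-256, passphrase from $MWORD) and remove DIR.
seal() {                                   # seal DIR
    local dir parent name tmp
    dir=${1%/}; parent=$(dirname "$dir"); name=$(basename "$dir")
    tmp=$(mktemp "$parent/.seal.XXXXXX")    # plain tar, same disk as the notes
    tar -C "$parent" -czf "$tmp" "$name"
    printf '%s\n' "$MWORD" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --symmetric --cipher-algo AES256 -o "$dir.tgz.gpg" "$tmp"
    rm -f "$tmp"
    rm -rf "$dir"     # unlinks only: old blocks stay on disk until overwritten
}

# Decrypt ARCHIVE (DIR.tgz.gpg) next to itself and remove the archive, as the
# original removes me.rar.  A wrong passphrase makes gpg fail before the tar
# is written, so the function returns non-zero and nothing is unpacked.
unseal() {                                 # unseal ARCHIVE
    local archive parent tmp
    archive=$1; parent=$(dirname "$archive")
    tmp=$(mktemp "$parent/.unseal.XXXXXX")
    if printf '%s\n' "$MWORD" | gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-fd 0 -o "$tmp" -d "$archive"; then
        tar -C "$parent" -xzf "$tmp"
        rm -f "$tmp" "$archive"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Block until no process named APP is running, polling every INTERVAL seconds
# (the original polls for rekonq every 3 s).
wait_until_closed() {                      # wait_until_closed APP [INTERVAL]
    local app interval
    app=$1; interval=${2:-3}
    while pgrep -x "$app" >/dev/null 2>&1; do sleep "$interval"; done
}

# Reseal whatever is still unpacked.  Installed as a trap so that killing the
# script (TERM) or pressing Ctrl-C no longer leaves the notes in the clear;
# SIGKILL and a power cut still bypass it.
reseal_if_open() {
    if [ -n "${WORK_DIR:-}" ] && [ -d "$WORK_DIR" ]; then seal "$WORK_DIR"; fi
}

# One editing session: unseal, hand over to the browser, reseal when it exits.
session() {                                # session ARCHIVE APP
    WORK_DIR=${1%.tgz.gpg}
    trap reseal_if_open EXIT
    trap 'reseal_if_open; exit 130' INT TERM
    unseal "$1"
    echo "You have 10 seconds to open $2; the notes are resealed when it closes." >&2
    sleep 10
    wait_until_closed "$2"
    seal "$WORK_DIR"
}

# Usage, with MWORD obtained earlier (e.g. from the KDialog password box):
#   MWORD='...' ./seal.sh session /home/shared/hosted/me.tgz.gpg rekonq
if [ "${1:-}" = session ]; then session "$2" "$3"; fi
```

The trap is what closes the gap the post mentions at the end (script killed while the folder is unpacked): on a normal exit, Ctrl-C or a TERM signal the folder is sealed again before the process goes away.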

6. That's it, everything explained in general terms 🙂

... although there is still another detail 😀

The script has an even stronger protection, which is disabled (commented out); these are the lines:

if [ "$USER" != "$ME" ]; then      # $ME is declared in the script (my user name)
rm *.sh                            # delete every .sh in the current directory
kdialog --error "Sorry but u are not me. Auto-destroying..." --title "Im Me..."
exit
fi

What it does is simple. The variable $USER is a global variable of the system; if in a terminal you type:

echo $USER

you will see your user name... well, the logic of these lines is simple.

If $USER does not match the $ME variable (declared by me in the script, and it is "gaara"), the script deletes ALL the .sh files in that folder, that is, it self-destructs 😉

This is to prevent someone else from running the script on another computer hehehehe.

Bear in mind that $USER is nothing more than an environment variable, so anyone who has read the script gets past this with export USER=gaara before running it (id -un asks the system instead of the environment, but creating a user called gaara on another machine is just as easy). Also, rm *.sh removes every .sh in the current directory, including any other scripts of yours, while me.rar itself is left untouched.

And well, I don't think there is much more to explain. I leave you the script:

.SH file download
See the script in our Paste

I know many will find it extremely complex, but it looks scarier than it is... the script really has a simple working logic, for a simple purpose.

I did this to meet a very specific need of mine, and I share it hoping that some line or idea explained here can be of use to someone 😉

By the way, the script is intended for KDE, because the dialogs (windows) it displays are KDE's (using KDialog), but it can be adapted for Gnome / Unity / Cinnamon / Mate using zenity, or used 100% in the terminal using simply the dialog command.

And yes, the script still has some flaws: for example, if the script unpacks the .rar and then someone forcibly closes (kills) the script, the content of the .rar is left unprotected (a trap on EXIT, INT and TERM that repacks whatever is still unpacked closes most of that gap, although a SIGKILL or a power cut still bypasses it). There are some details left to polish... but hey, we must also make sure that nobody can get at our computer 😀

To finish, I want to make clear that I am NOT a programmer, far from it, and I do not consider myself one; I imagine that lines of the code can be optimized, or some function used to improve how the script works... but as I said, I am not a programmer 😉

Any questions you have about it, let me know; although the script may not be of use to you because you do not need it, you can always learn some other tip from it 😀

Regards

PS: I know elav will say that I am too paranoid... or that I waste my time, but that is not so. I wanted something very specific, a very specific security system, and I programmed it myself... how geeky is that? ... LOL!!


41 comments
  1.   hackan said

    Interesting, but I think the yes/no question is pretty pointless xD
    And what do you think about replacing rar, which is proprietary and does not offer real security, with gpg, which is security software proven over many years and exists in practically every distro 😉
    Another thing: you can pass md5sum a string, you don't need to create a temporary file. I also recommend you move to sha, which is much more secure; try shasum in the terminal

    Regards!

    1.    KZKG ^ Gaara said

      Hello and thank you for your comment 😀
      Does GPG let me package a directory with all its content? I have actually only used it for individual files, not for directories containing subdirectories and files.

      ooo… great about shasum, I didn't know about it 😀
      I'll go on to modify the script to use that one, and… yes!! true, with simply: echo "$PASSWORD" | shasum I already get the string; indeed there is no need to write it to a file :)

      Thank you very much for your comment, I have already learned something new 🙂
      regards

    2.    sieg84 said

      is the same thing I was asking ...

      1.    KZKG ^ Gaara said

        What you would need is to figure out how to encrypt a file with GPG and pass it the password on the same line... for example:
        gpg -e file.tar.gz --password elpassword whatever

        Any idea how to do it? 🙂

        1.    hackan said

          To encrypt a directory with gpg, you must first pack it with tar.
          Then, for this case, it is convenient to use symmetric encryption, with the -c parameter (see the difference between symmetric and asymmetric encryption on Wikipedia).
          This would then be something like:
          tar -czf destination.tgz source_directory/ && echo "$passwd" | gpg --batch --compress-level 0 -c --passphrase-fd 0 destination.tgz
          This creates a compressed file called "destination.tgz" and the encrypted file called "destination.tgz.gpg". Both the source directory and the compressed file itself should be removed for security (look at the shred command).

          To decrypt:
          echo "$passwd" | gpg --batch -d --passphrase-fd 0 encrypted_file.tgz.gpg | tar -xz
          That extracts the files in the current directory (then mv can be used to move them elsewhere)

          Any questions, answer this comment 🙂

          Greetings!

          1.    hackan said

            ehm, watch out for double hyphens (--) and single hyphens (-)… is there a way to write something as if it were code so that the format doesn't change?
            code test -- -
            [code] code test -- - [/code]

          2.    hackan said

            I'll put it more verbosely

            compress and encrypt:
            tar -czf destino.tgz directorio_fuente/ && echo "$passwd" | gpg --batch --compress-level 0 -c --passphrase-fd 0 destino.tgz
            Note that there are two steps here: first create the compressed file and then, if there was no error, continue with the encryption (chained with &&)

            decrypt and unzip:
            echo "$passwd" | gpg --batch -d --passphrase-fd 0 archivo_cifrado.tgz.gpg | tar -xz

            Hello!

          3.    KZKG ^ Gaara said

            Yep, in fact yesterday at home I read the gpg man page and everything I needed was there.
            Actually I didn't do it quite like that, I didn't use echo or compression; I made a post about this, I just published it.

            Thank you very much for the help friend, I really do.

  2.   Josh said

    Wonderful! I was just looking for something like that and I came across your article. I am going to test it to protect my data. When it comes to computer security, you can never be too paranoid. Thank you

    1.    KZKG ^ Gaara said

      Thanks haha.
      You did understand how the script works, right?

      It seems much more complex than it actually is lol.

      Thanks for the comment, really 😀

      regards

      PS: Indeed, security is never enough hahaha.

      1.    Josh said

        It took me a bit to understand it (I read it 3 times) since I have not been using Linux for long. But it's really simple and it's always nice to learn things like this. Greetings and thanks again.

        1.    KZKG ^ Gaara said

          The important thing is to understand it hehe. I tried to explain everything in extreme detail, but I think I went on too long hahaha.
          Thanks to you 🙂

  3.   auroszx said

    Wow, very good script 🙂

    PS: Paranoia is Over 9000! xD

    1.    KZKG ^ Gaara said

      hahahahahahaha that's me… LOL !!

  4.   Rafael said

    Looking at your script, I think it can be done with xdialog in case you don't have KDE :)! Cheers

    1.    KZKG ^ Gaara said

      Oh, I didn't know about xdialog ... I'll have to take a look to see 😀
      Thanks for the information.

  5.   sieg84 said

    instead of rar, why not use tar.xz / gz and gpg?

    1.    Rafael said

      it's because he already has it in rar, where he has his CMS

  6.   Citux said

    Excellent @ KZKG ^ Gaara days ago I was thinking about something like that, but I'm in exams so I haven't had time for anything, and suddenly I see your article….
    I'll try it next week 🙂

    1.    KZKG ^ Gaara said

      Thank you; for any details, here I am 😀

  7.   truko22 said

    xD I did not understand anything uu, but I would like to know how to use kdialog correctly in scripts, how to get a message in the KDE notifier

    1.    KZKG ^ Gaara said

      To get messages in KDE notifications try installing the package: libnotify-bin
      Then in a terminal you put:
      notify-send "texto texto texto"

      And you'll see how cool 😀… and, this works for KDE, Gnome, Unity, Cinnamon, Mate and Xfce 😉

      However, in this script I don't use notifications as such, but just KDialog windows. In a terminal type:
      kdialog

      And you will see the help there 😉

      regards

      1.    truko22 said

        Thank you very much o /

  8.   Joel antonio vasquez said

    Hello, good post, just a suggestion: it is true that with md5 it is not seen with the naked eye, but a curious person may use a rainbow table to see if the password converted into md5 is in there. I recommend using bcrypt (http://bcrypt.sourceforge.net/); it is only a suggestion, you can take it for any occasion. Greetings.

    1.    KZKG ^ Gaara said

      Thank you
      Actually yes, MD5 is not perfect and there are those who have managed to get passwords out of it; I will take a look at this application 😉

      Thanks for your comment.

  9.   sieg84 said

    with the symmetric one, kdialog just asks you for the password,
    and with the asymmetric one, using a public key.

    I must clarify that I don't have a trace of a programmer in me.

    1.    KZKG ^ Gaara said

      Yes, I already managed to encrypt with GPG (in fact I just put a post about this) hehe.

  10.   Caro said

    KZKG^Gaara, I always read your posts.
    Build one to use with XFCE.
    Kiss. Caro

    1.    KZKG ^ Gaara said

      Hello and first of all, welcome to the blog 😀
      hahaha thank you, I know that sometimes it is difficult because I write somewhat technical things, but I always try to explain everything as clearly as possible 🙂

      I will experiment a bit with XDialog or Zenity to see if it works for Xfce haha, I will do the tests in a virtual Xubuntu 🙂

      regards

  11.   Elynx said

    Quite useful man, thanks!

    Regards!

  12.   Damian rivera said

    Thank you, it will help me a lot to protect some files

    I had to adapt it to zenity because I don't have KDE at the moment :\

    Here I leave the skeleton that I am going to use adapted to zenity

    http://paste.desdelinux.net/4641

    Thanks again and greetings 😀

    1.    KZKG ^ Gaara said

      oooo great, thank you so much 😀 😀
      I remember someone asked for this but for Xfce; with Zenity it would work in Xfce, right?

      1.    Damian rivera said

        Yes, only the part where you add the commands to execute was left out, after passing the password through shasum or md5

        It would have to be modified to different needs for each person, to protect different things in different routes with different commands

        Or maybe adding another part (GUI) to create the security configuration of our file

        Greetings 😀

        1.    Damian rivera said

          I had time and xfce (in Archlinux) and I have fully adapted the script as it was, for xfce using zenity (I think), since the one I left above was only the skeleton I used

          http://paste.desdelinux.net/4644

          Can it be edited if it has a bug in the paste?

          What happens is that I have several graphical shells and I don't know if it will work in clean xfce, for example in xubuntu

          regards

  13.   Matias Gaston said

    Interesting, che!!! Good contribution!!!!!!

    I'm very new to programming, I'm learning BASH little by little... but some things occurred to me and they may or may not be useful to you.
    When you say that the bare script has the password embedded and it would be unforgivable for someone to open it and read it from there... you propose this whole trick of embedding the MD5 as a protection measure.

    Which is pretty good as a first step in making life difficult for the would-be intruder, but check out the following ideas (which can even be applied one on top of the other)

    IDEA 1) What if you save the password in a file on your machine, and don't host it in the script?

    E.g.: put the key in a txt and save it in /home/…/bla/bla/key.txt
    In your script you read the key as KEY="$(cat $HOME/bla/bla/key.txt)", then you do the if $askedkey = $KEY, then.. etc etc

    In this way you achieve 3 things + 1 advantage:
    1) The password is never in the script. (You avoid the MD5)
    2) The path where the password is depends on the username. (Anyone who wants to open it gets redirected anywhere) In 99.9% of cases the script will fail.
    3) If you want more security, remove all permissions on the key.txt file for all other users except yours.
    4) Advantage: flexibility to change the password whenever you want, without editing the script, because the verification is external, through a file.

    IDEA 2) How about obfuscating the whole bash script, so it can't even be opened?

    One way to do this is to take advantage of the fact that you need to compile in C.
    Then you embed the script inside C code whose only job is to call that script (which is inside the program). When compiled... everything is left inside and your output is an executable... and no longer a script. There is a person who has already made a "script" that does the obfuscation process, which is very practical.

    More info here: http://es.wikibooks.org/wiki/El_Manual_de_BASH_Scripting_B%C3%A1sico_para_Principiantes/Compilar_%28ofuscar%29_BASH_scripts_con_C_-_SHC

    IDEA 3) What if you put a virtual condition in the script that requires an administrator password?

    For example, run a condition using "sudo" and then continue with the script, otherwise stop it.
    In this way, all the protection would rest on a bridge over your ROOT password.

    Well, nothing more...
    Cheers!!!!!!!! and long live BASH.

    1.    KZKG ^ Gaara said

      HAHAHAHA Thank you 😀
      Actually now I'm using SHA512 because it is much better than MD5: https://blog.desdelinux.net/como-saber-la-suma-md5-o-sha-de-una-palabra-oracion-o-archivo/
      As well as GPG as a means of protection instead of compressing with .RAR: https://blog.desdelinux.net/como-proteger-datos-con-gpg-de-forma-simple/

      The problem with putting the password in a different file is that it would then put the password somewhere else, yes, but would it be in plain text? If I have to encrypt it (which is recommended), I'd rather leave it in the script itself; well... I doubt sooooo much that someone can break SHA512 hahaha (see the 1st link and you will understand 😉)

      Regarding the permissions, if someone uses a LiveCD they could open the .txt using the LiveCD's root, so permissions are not entirely the best option.

      About obfuscating the Bash code ... yes, I had thought about this and the idea is GREAT, the problem is that I don't know how to do it, in fact I don't even know if it can be done HAHAHA.

      Oh wait... now I read the rest of the comment O_O... hehe, I didn't know you could do that. I have no idea of C or C++, but it might be worth a try lol.

      About idea 3, not bad 😀

      I have made several improvements to the script since I published this post; 2 are the ones I mentioned in the links at the beginning of this comment, another is that if you change any character in the script, it deletes itself. And now I have to try this to obfuscate the code hahahaha.

      Thanks for your comment and… yes, long live bash!!! HAHA

    2.    KZKG ^ Gaara said

      WTF!!!
      I've already used SHC… AWE-SOME!!!! O_O

  14.   Atheyus said

    Very good script; hey, what if you use a root check, to be able to run the script as sudo ./script

    You would just have to add this code at the beginning

    http://paste.desdelinux.net/4663

    A greeting

  15.   Neo61 said

    KZKG^Gaara, my friend, I think that extending an explanation is not the problem; that is good for those of us who do not have that much knowledge. Articles that do not teach have been published right here; they only give information about something that exists. So don't apologize, and let there be more with extended explanations.

  16.   dhunter said

    For things like this I use http://www.truecrypt.org/

  17.   Abel said

    Could someone share the script? I'm curious and all the links are down. 🙁

    Thank you.
