Unable to Secure Computer and Have Relentless Man in the Middle

Hello,

I am a victim of a relentless man in the middle situation. I am sorry for the dramatic terminology but I think it describes my situation. I value any help in figuring out how to secure at least equipment that runs Fedora.

I am experiencing this in all computing equipment and smart phones. I have been trying to figure out a solution with the laptop that was my main device, and although I have been experimenting with Fedora, I am still subject to somebody monitoring all of my online activities. I will provide the evidence I have been able to gather as I describe some of the symptoms.

I have only access to the wireless connection of an Android Phone. The phone is a little over a year old, and I bought it directly from Google thinking that their Pixel line would be the most secure phone; I stand corrected. I mention this to highlight that I have absolutely no access to a wired connection.

My problems began more than a year ago, but I will jump to the current state of affairs which has to do with Fedora.

I’ve installed various versions of Fedora on an HP Envy 17. But no matter what version or OS (before it was Ubuntu), I continue to experience online surveillance and odd behavior from the OS. I’ve also experimented with VPN services and a variety of clients, and this only creates more problems (connectivity issues: I won’t be able to load webpages at all, I constantly get ERR_TIME_OUT, and other problems).

Right now, I am using a Fedora 31.1 live media DVD. I am using no VPN, just the hotspot from the Android, and when I visit the website ipleak.net this is what I see:

But when I visit ipleak.net with my phone, I get: https://i.ibb.co/L05hZ42/Screenshot-20200726-030356.jpg

[liveuser@localhost-live ~]$ sudo traceroute ipleak.net

traceroute to ipleak.net (95.85.16.212), 30 hops max, 60 byte packets
 1  _gateway (192.168.43.177)  5.491 ms  5.441 ms  5.452 ms
 2  13.sub-66-174-19.myvzw.com (66.174.19.13)  36.995 ms  48.767 ms  48.483 ms
 3  * * *
 4  * * *
 5  99.sub-69-83-15.myvzw.com (69.83.15.99)  53.752 ms  53.498 ms  53.827 ms
 6  * * *
 7  134.sub-69-83-3.myvzw.com (69.83.3.134)  40.603 ms  57.762 ms  57.954 ms
 8  131.sub-66-174-18.myvzw.com (66.174.18.131)  52.078 ms  52.372 ms  51.902 ms
 9  et-1-0-2.GW2.BOS30.ALTER.NET (204.148.137.29)  57.808 ms  34.821 ms  34.857 ms
10  0.ae2.BR2.NYC4.ALTER.NET (140.222.229.93)  55.350 ms  55.690 ms  56.364 ms
11  verizon.com.customer.alter.net (152.179.120.230)  56.283 ms  56.074 ms  45.331 ms
12  if-ae-18-49.tcore2.l78-london.as6453.net (216.6.81.35)  116.862 ms if-ae-2-39.tcore2.l78-london.as6453.net (80.231.131.17)  129.326 ms if-ae-32-2.tcore2.ldn-london.as6453.net (63.243.216.23)  135.382 ms
13  * if-ae-15-2.tcore2.l78-london.as6453.net (80.231.131.117)  117.429 ms *
14  if-ae-11-2.tcore1.ad1-amsterdam.as6453.net (80.231.152.26)  122.665 ms  148.140 ms  120.303 ms
15  if-ae-11-2.tcore1.ad1-amsterdam.as6453.net (80.231.152.26)  107.230 ms 80.231.80.6 (80.231.80.6)  125.218 ms 195.219.150.110 (195.219.150.110)  131.526 ms
16  138.197.244.74 (138.197.244.74)  120.006 ms 138.197.244.84 (138.197.244.84)  122.939 ms 138.197.244.72 (138.197.244.72)  128.545 ms
17  * 138.197.250.17 (138.197.250.17)  118.312 ms  112.865 ms
18  * 95.85.16.212 (95.85.16.212)  125.370 ms  125.373 ms

[liveuser@localhost-live ~]$ sudo tracepath ipleak.net

 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              2.800ms 
 1:  _gateway                                              2.162ms 
 2:  _gateway                                              3.356ms pmtu 1428
 2:  13.sub-66-174-19.myvzw.com                           59.467ms 
 3:  no reply
 4:  no reply
 5:  99.sub-69-83-15.myvzw.com                            74.929ms 
 6:  no reply
 7:  134.sub-69-83-3.myvzw.com                            63.192ms 
 8:  131.sub-66-174-18.myvzw.com                          54.733ms asymm  9 
 9:  et-1-0-2.GW2.BOS30.ALTER.NET                         61.144ms 
10:  0.ae1.BR2.NYC4.ALTER.NET                             61.607ms asymm 13 
11:  verizon.com.customer.alter.net                       69.617ms asymm 13 
12:  if-ae-32-2.tcore2.ldn-london.as6453.net             163.484ms asymm 19 
13:  if-ae-15-2.tcore2.l78-london.as6453.net             137.571ms asymm 19 
14:  if-ae-11-2.tcore1.ad1-amsterdam.as6453.net          140.483ms asymm 15 
15:  if-ae-11-2.tcore1.ad1-amsterdam.as6453.net          148.168ms 
16:  138.197.244.74                                      156.270ms 
17:  138.197.244.72                                      169.277ms asymm 16 
18:  138.197.250.17                                      146.089ms asymm 16 
19:  95.85.16.212                                        150.569ms reached
     Resume: pmtu 1428 hops 19 back 17 

Also, I am experiencing connectivity problems, and I lost part of what I had written, so I will continue in parts.

I started nmcli before I connected to the internet. If you scroll down, you’ll notice the intermittent full and limited connectivity.

[liveuser@localhost-live ~]$ nmcli monitor

Networkmanager is not running (waiting for it)
lo: device created
wlo1: device created
Networkmanager is now in the 'disconnected' state
NetworkManager has started
lo: unmanaged
Hostname set to 'localhost-live'
Connectivity is now 'none'
p2p-dev-wlo1: device created
p2p-dev-wlo1: unavailable
p2p-dev-wlo1: disconnected
wlo1: disconnected
wlo1: using connection 'CriminalsRWatchingOurWiFis'
wlo1: connecting (prepare)
Networkmanager is now in the 'connecting' state
wlo1: connecting (configuring)
wlo1: connecting (need authentication)
wlo1: connecting (prepare)
wlo1: connecting (configuring)
wlo1: connecting (getting IP configuration)
wlo1: connecting (checking IP connectivity)
wlo1: connecting (starting secondary connections)
wlo1: connected
Networkmanager is now in the 'connected (local only)' state
Networkmanager is now in the 'connected (site only)' state
'CriminalsRWatchingOurWiFis' is now the primary connection
Connectivity is now 'limited'
Networkmanager is now in the 'connected' state
Connectivity is now 'full'
Networkmanager is now in the 'connected (site only)' state
Connectivity is now 'limited'
Networkmanager is now in the 'connected' state
Connectivity is now 'full'
Networkmanager is now in the 'connected (site only)' state
Connectivity is now 'limited'
Networkmanager is now in the 'connected' state
Connectivity is now 'full'
Networkmanager is now in the 'connected (site only)' state
Connectivity is now 'limited'
Networkmanager is now in the 'connected' state
Connectivity is now 'full'
Networkmanager is now in the 'connected (site only)' state
Connectivity is now 'limited'
Networkmanager is now in the 'connected' state
Connectivity is now 'full'

Hi @u20200423, sorry, I guess I’m a bit unclear on what your problem is.

Ignoring the connectivity issues for now, as that is a separate topic, do I understand correctly, that

  1. you’re connecting from your laptop to your phone’s wireless hotspot, the phone is connecting to the internet via whatever provider you have (verizon?) ?
  2. From the first screenshots, your phone’s public IPv4 is 174.242.xxx.xxx & your laptop doesn’t support IPv6
  3. From the second screenshot, same public IPv4, but apparently your phone & provider do support IPv6 & thus your phone has an IPv6 address assigned
  4. From the traceroute, your laptop is connected to your phone at 192.168.43.77, the phone connects to verizon’s servers at 66.174.19.13 and the requests are passed on from there.

Which part of that is suspicious to you?

1 Like

In the past, the test from ipleak.net would pass. Notice from the screenshot of the laptop that the test generated 100 errors on 0 servers. Also, I never saw the private use address before. That just started today.

Here, is what I saw at least up to 6 days ago (notice the 15 servers that ipleak.net reports), and contrast to the 0 servers and 100 errors: ipleak-net_20200719201900 Verizon Cell Hot Spot.pdf | PDF Host

I am sorry it is not an image; it is a PDF, but it is hosted on a safe public website. I just wanted to document this in a more reliable format.

In this other evidence I collected, I was using a VPN, and even then, I got 3 servers and no errors: ipleak-net_20200720114700 Verizon Cell Hot Spot ProtonVPN.pdf | PDF Host

Does the situation merit suspicion to you?

So that is suspicious to me. But I was just getting started. Below I continue to describe other symptoms.

Today, before I connected to the internet, I set firewalld to the drop zone, and I bound all interfaces I have noticed to the zone:

[liveuser@localhost-live ~]$ sudo firewall-cmd --permanent --zone=drop --add-interface=lo
success
[liveuser@localhost-live ~]$ sudo firewall-cmd --permanent --zone=drop --add-interface=wlo0
success
[liveuser@localhost-live ~]$ sudo firewall-cmd --permanent --zone=drop --add-interface=wlo1
success
[liveuser@localhost-live ~]$ sudo firewall-cmd --permanent --zone=drop --add-interface=tun0
success
[liveuser@localhost-live ~]$ sudo firewall-cmd --permanent --zone=drop --add-interface=tun1
success
[liveuser@localhost-live ~]$ sudo firewall-cmd --permanent --zone=drop --add-interface=p2p-dev-wlo1
success
[liveuser@localhost-live ~]$ sudo firewall-cmd --permanent --zone=drop --add-interface=p2p-dev-wlo0
success

But after the connectivity problems I reported earlier (the intermittent full and limited connection), I queried the zone and got:

[liveuser@localhost-live ~]$ sudo firewall-cmd --info-zone=drop

[sudo] password for liveuser: 
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: wlo1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Another inconsistency is the wlo1 interface.

When I booted Fedora, I blacklisted the Ethernet module, r8169. And I believe I only have one more network controller, the wireless card. However, ifconfig says the wireless card is configured as Ethernet:

[liveuser@localhost-live ~]$ sudo ifconfig

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 127  bytes 11523 (11.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 127  bytes 11523 (11.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlo1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.216  netmask 255.255.255.0  broadcast 192.168.43.255
        inet6 fe80::bb11:d42c:5ede:67f1  prefixlen 64  scopeid 0x20<link>
        ether 1e:1b:93:e5:0b:1c  txqueuelen 1000  (Ethernet)
        RX packets 48  bytes 6146 (6.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 74  bytes 10428 (10.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The problem here is that the wlo1 interface is configured as “Ethernet.” But as I said, I blocked the r8169 module through Grub’s booting command line.

When I lspci the Ethernet and Wireless cards, I get:

Ethernet Controller:

00:1c.6/0f:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 0c)
	DeviceName: Hanksville Gbe Lan Connection
	Subsystem: Hewlett-Packard Company Device 1968
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0, Cache Line Size: 64 bytes
	Interrupt: pin A routed to IRQ 11
	Region 0: I/O ports at 3000 [size=256]
	Region 2: Memory at d3500000 (64-bit, non-prefetchable) [size=4K]
	Region 4: Memory at d3400000 (64-bit, prefetchable) [size=16K]
	Capabilities: [40] Power Management version 3
		Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=375mA PME(D0+,D1+,D2+,D3hot+,D3cold+)
		Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=0 PME-
	Capabilities: [50] MSI: Enable- Count=1/1 Maskable- 64bit+
		Address: 0000000000000000  Data: 0000
	Capabilities: [70] Express (v2) Endpoint, MSI 01
		DevCap:	MaxPayload 128 bytes, PhantFunc 0, Latency L0s <512ns, L1 <64us
			ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset- SlotPowerLimit 10.000W
		DevCtl:	CorrErr- NonFatalErr- FatalErr- UnsupReq-
			RlxdOrd+ ExtTag- PhantFunc- AuxPwr- NoSnoop-
			MaxPayload 128 bytes, MaxReadReq 512 bytes
		DevSta:	CorrErr- NonFatalErr- FatalErr- UnsupReq- AuxPwr+ TransPend-
		LnkCap:	Port #0, Speed 2.5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s unlimited, L1 <64us
			ClockPM+ Surprise- LLActRep- BwNot- ASPMOptComp+
		LnkCtl:	ASPM L1 Enabled; RCB 64 bytes Disabled- CommClk+
			ExtSynch- ClockPM+ AutWidDis- BWInt- AutBWInt-
		LnkSta:	Speed 2.5GT/s (ok), Width x1 (ok)
			TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
		DevCap2: Completion Timeout: Range ABCD, TimeoutDis+, LTR+, OBFF Via message/WAKE#
			 AtomicOpsCap: 32bit- 64bit- 128bitCAS-
		DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR+, OBFF Disabled
			 AtomicOpsCtl: ReqEn-
		LnkCtl2: Target Link Speed: 2.5GT/s, EnterCompliance- SpeedDis-
			 Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
			 Compliance De-emphasis: -6dB
		LnkSta2: Current De-emphasis Level: -6dB, EqualizationComplete-, EqualizationPhase1-
			 EqualizationPhase2-, EqualizationPhase3-, LinkEqualizationRequest-
	Capabilities: [b0] MSI-X: Enable- Count=4 Masked-
		Vector table: BAR=4 offset=00000000
		PBA: BAR=4 offset=00000800
	Capabilities: [d0] Vital Product Data
pcilib: sysfs_read_vpd: read failed: Input/output error
		Not readable
	Capabilities: [100 v1] Advanced Error Reporting
		UESta:	DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
		UEMsk:	DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
		UESvrt:	DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
		CESta:	RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr-
		CEMsk:	RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr+
		AERCap:	First Error Pointer: 00, ECRCGenCap+ ECRCGenEn- ECRCChkCap+ ECRCChkEn-
			MultHdrRecCap- MultHdrRecEn- TLPPfxPres- HdrLogCap-
		HeaderLog: 00000000 00000000 00000000 00000000
	Capabilities: [140 v1] Virtual Channel
		Caps:	LPEVC=0 RefClk=100ns PATEntryBits=1
		Arb:	Fixed- WRR32- WRR64- WRR128-
		Ctrl:	ArbSelect=Fixed
		Status:	InProgress-
		VC0:	Caps:	PATOffset=00 MaxTimeSlots=1 RejSnoopTrans-
			Arb:	Fixed- WRR32- WRR64- WRR128- TWRR128- WRR256-
			Ctrl:	Enable+ ID=0 ArbSelect=Fixed TC/VC=ff
			Status:	NegoPending- InProgress-
	Capabilities: [160 v1] Device Serial Number 01-00-00-00-68-4c-e0-00
	Capabilities: [170 v1] Latency Tolerance Reporting
		Max snoop latency: 0ns
		Max no snoop latency: 0ns
	Kernel modules: r8169

Wireless Controller:

00:1c.0/07:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8188EE Wireless Network Adapter (rev 01)
	DeviceName: Realtek RTL8188EE 802.11bgn Wi-Fi Adapter
	Subsystem: Hewlett-Packard Company RTL8188EE mini-PCIe card
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0, Cache Line Size: 64 bytes
	Interrupt: pin A routed to IRQ 34
	Region 0: I/O ports at 5000 [size=256]
	Region 2: Memory at d3600000 (64-bit, non-prefetchable) [size=16K]
	Capabilities: [40] Power Management version 3
		Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=375mA PME(D0+,D1+,D2+,D3hot+,D3cold+)
		Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=0 PME-
	Capabilities: [50] MSI: Enable+ Count=1/1 Maskable- 64bit+
		Address: 00000000fee04004  Data: 4023
	Capabilities: [70] Express (v2) Endpoint, MSI 00
		DevCap:	MaxPayload 128 bytes, PhantFunc 0, Latency L0s <128ns, L1 <2us
			ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset- SlotPowerLimit 10.000W
		DevCtl:	CorrErr- NonFatalErr- FatalErr- UnsupReq-
			RlxdOrd+ ExtTag- PhantFunc- AuxPwr- NoSnoop-
			MaxPayload 128 bytes, MaxReadReq 512 bytes
		DevSta:	CorrErr- NonFatalErr- FatalErr- UnsupReq- AuxPwr+ TransPend-
		LnkCap:	Port #0, Speed 2.5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s <512ns, L1 <64us
			ClockPM+ Surprise- LLActRep- BwNot- ASPMOptComp-
		LnkCtl:	ASPM L0s L1 Enabled; RCB 64 bytes Disabled- CommClk+
			ExtSynch- ClockPM+ AutWidDis- BWInt- AutBWInt-
		LnkSta:	Speed 2.5GT/s (ok), Width x1 (ok)
			TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
		DevCap2: Completion Timeout: Not Supported, TimeoutDis+, LTR+, OBFF Via message/WAKE#
			 AtomicOpsCap: 32bit- 64bit- 128bitCAS-
		DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis+, LTR+, OBFF Disabled
			 AtomicOpsCtl: ReqEn-
		LnkCtl2: Target Link Speed: 2.5GT/s, EnterCompliance- SpeedDis-
			 Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
			 Compliance De-emphasis: -6dB
		LnkSta2: Current De-emphasis Level: -6dB, EqualizationComplete-, EqualizationPhase1-
			 EqualizationPhase2-, EqualizationPhase3-, LinkEqualizationRequest-
	Capabilities: [100 v1] Advanced Error Reporting
		UESta:	DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
		UEMsk:	DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
		UESvrt:	DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
		CESta:	RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr-
		CEMsk:	RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr+
		AERCap:	First Error Pointer: 00, ECRCGenCap- ECRCGenEn- ECRCChkCap+ ECRCChkEn-
			MultHdrRecCap- MultHdrRecEn- TLPPfxPres- HdrLogCap-
		HeaderLog: 00000000 00000000 00000000 00000000
	Capabilities: [140 v1] Device Serial Number 00-e0-4c-ff-fe-81-91-01
	Capabilities: [150 v1] Latency Tolerance Reporting
		Max snoop latency: 0ns
		Max no snoop latency: 0ns
	Kernel driver in use: rtl8188ee
	Kernel modules: rtl8188ee

From dmesg, I found the wlan0 interface gets renamed to wlo1:

[   69.777443] rtl8188ee: rtl8188ee: FW Power Save off (module option)
[   69.777451] rtl8188ee: Using firmware rtlwifi/rtl8188efw.bin
[   69.778891] ieee80211 phy0: Selected rate control algorithm 'rtl_rc'
[   69.779186] rtlwifi: rtlwifi: wireless switch is on
[   70.133830] Console: switching to colour frame buffer device 240x67
[   70.158382] i915 0000:00:02.0: fb0: i915drmfb frame buffer device
[   70.651952] snd_hda_intel 0000:00:03.0: bound 0000:00:02.0 (ops i915_audio_component_bind_ops [i915])
[   70.995262] rtl8188ee 0000:0cd7:00.0 wlo1: renamed from wlan0

Again, I am using a Fedora DVD. Since I believe my equipment is compromised, I bought it from ShopLinuxOnline.com, and I only blacklisted a few modules through the grub boot command line. The initrd and kernel are as of the DVD.

Since I am trying to educate myself about Linux, I began to manage my internet connection through nmcli. And there I also experience things that make no sense. For example, right now, for this post, I created a VPN connection through the nmcli editor, and if I try to set connection.multi-connect to single, I am unable to save the configuration changes. But the prompt of the setting states “Allowed values for ‘multi-connect’ property: default, single, manual-multiple, multiple”

---snip---
nmcli> set connection.multi-connect single
nmcli> save persistent
Error: connection verification failed: cannot set connection.multi-connect for VPN setting
You may try running 'verify fix' to fix errors.
nmcli> set connection.multi-connect
Allowed values for 'multi-connect' property: default, single, manual-multiple, multiple
Enter 'multi-connect' value: single
nmcli> save persistent
Error: connection verification failed: cannot set connection.multi-connect for VPN setting
You may try running 'verify fix' to fix errors.
nmcli> verify fix
Verify connection: cannot set connection.multi-connect for VPN setting
The error cannot be fixed automatically.
nmcli> 

I can only save the connection changes if I set connection.multi-connect to default.

That’s not really an indicator of a MITM attack.
For what it’s worth, I get the same. I don’t know what exactly they are doing, but whatever it is, it doesn’t work. You can try e.g. https://www.dnsleaktest.com/ instead; the standard test will most likely return a Verizon DNS server (unless you’ve configured something different). It will be the same that your config displays, or that is returned as SERVER: by dig <some-url>.

That I don’t really understand either, but I also don’t really know how WebRTC works, so I can’t say what the reason would be. You can try to follow the steps on securing WebRTC ipleak gives on their site, but again, I don’t know if that will help in any way, or whether there even is anything to help with.
Regardless, that IP is a private network IP (your PC’s, I guess?), and is not accessible from the outside. It also doesn’t tell anybody anything, other than where your PC can be found in your PC-phone local network.

OK, I’ll wait so as not to fragment this too much. Let us know when you’ve described everything.

1 Like

Also, I recall the initrd and kernel images were linked to in the root filesystem. And during this session, I don’t see them on /. This is what I see:

[liveuser@localhost-live /]$ ls -la /

total 88
dr-xr-xr-x.  18 root root  4096 Jul 26  2020 .
dr-xr-xr-x.  18 root root  4096 Jul 26  2020 ..
lrwxrwxrwx.   1 root root     7 Jul 24  2019 bin -> usr/bin
dr-xr-xr-x.   6 root root  4096 Oct 23  2019 boot
drwxr-xr-x.  21 root root  4340 Jul 26 02:25 dev
drwxr-xr-x. 146 root root 12288 Jul 26 02:25 etc
drwxr-xr-x.   3 root root  4096 Jul 26 03:34 home
-rw-r--r--.   1 root root 13031 Jul 26  2020 journalctl_NetworkManager_20200726.txt
lrwxrwxrwx.   1 root root     7 Jul 24  2019 lib -> usr/lib
lrwxrwxrwx.   1 root root     9 Jul 24  2019 lib64 -> usr/lib64
-rw-r--r--.   1 root root     0 Jul 26 03:34 .liveimg-configured
-rw-r--r--.   1 root root     0 Jul 26 03:34 .liveimg-late-configured
drwx------.   2 root root 16384 Oct 23  2019 lost+found
drwxr-xr-x.   2 root root  4096 Jul 24  2019 media
drwxr-xr-x.   8 root root  4096 Jul 26 02:29 mnt
drwxr-xr-x.   2 root root  4096 Jul 24  2019 opt
dr-xr-xr-x. 290 root root     0 Jul 25 23:25 proc
dr-xr-x---.   3 root root  4096 Jul 26  2020 root
drwxr-xr-x.  46 root root  1260 Jul 26 02:25 run
lrwxrwxrwx.   1 root root     8 Jul 24  2019 sbin -> usr/sbin
drwxr-xr-x.   2 root root  4096 Jul 24  2019 srv
dr-xr-xr-x.  13 root root     0 Jul 26 03:26 sys
drwxrwxrwt.  19 root root   400 Jul 26 05:36 tmp
drwxr-xr-x.  12 root root  4096 Oct 23  2019 usr
drwxr-xr-x.  21 root root  4096 Oct 23  2019 var

Also, during this session, I have no access to info grub

[liveuser@localhost-live /]$ info grub
bash: info: command not found...
[liveuser@localhost-live /]$ info grub
bash: info: command not found...
[liveuser@localhost-live /]$ grub info
bash: grub: command not found...
[liveuser@localhost-live /]$ man grub
No manual entry for grub

When I looked for the /etc/default/grub file, I noticed this .swp file, with the 05:28 timestamp. But it was around 03:30.

[liveuser@localhost-live /]$ sudo ls -la /etc/default/
total 32
drwxr-xr-x. 2 root root 4096 Jul 26 05:28 .
drwxr-xr-x. 146 root root 12288 Jul 26 03:34 ..
-rw-------. 1 root root 12288 Jul 26 05:28 .grub.swp
-rw-r--r--. 1 root root 119 Sep 2 2019 useradd

I did not delete the file, and now it is gone:

[liveuser@localhost-live /]$ ls -la /etc/default/
total 20
drwxr-xr-x. 2 root root 4096 Jul 26 05:34 .
drwxr-xr-x. 146 root root 12288 Jul 26 02:25 ..
-rw-r--r--. 1 root root 119 Sep 2 2019 useradd

When I was unable to find a normal /etc/default/grub file, I looked to the grub.cfg file but I could not find it:

[liveuser@localhost-live /]$ sudo ls -la /boot/grub2/

total 12
drwx------. 3 root root 4096 Oct 23  2019 .
dr-xr-xr-x. 6 root root 4096 Oct 23  2019 ..
lrwxrwxrwx. 1 root root   25 Oct 10  2019 grubenv -> ../efi/EFI/fedora/grubenv
drwxr-xr-x. 3 root root 4096 Oct 23  2019 themes

BUT, the grub environment variables, although linked as per the ls -la above, are missing when I ls -la the path:

[liveuser@localhost-live /]$ sudo ls -la /boot/efi/EFI/fedora

total 14828
drwx------. 3 root root    4096 Oct 23  2019 .
drwxr-xr-x. 4 root root    4096 Oct 23  2019 ..
-rwx------. 1 root root     112 Oct  2  2018 BOOTIA32.CSV
-rwx------. 1 root root     110 Oct  2  2018 BOOTX64.CSV
drwx------. 2 root root    4096 Oct 23  2019 fonts
-rwx------. 1 root root 1468744 Oct 10  2019 gcdia32.efi
-rwx------. 1 root root 2271560 Oct 10  2019 gcdx64.efi
-rwx------. 1 root root 1468744 Oct 10  2019 grubia32.efi
-rwx------. 1 root root 2271560 Oct 10  2019 grubx64.efi
-rwx------. 1 root root  927824 Oct  2  2018 mmia32.efi
-rwx------. 1 root root 1159560 Oct  2  2018 mmx64.efi
-rwx------. 1 root root 1210776 Oct  2  2018 shim.efi
-rwx------. 1 root root  975536 Oct  2  2018 shimia32.efi
-rwx------. 1 root root  969264 Oct  2  2018 shimia32-fedora.efi
-rwx------. 1 root root 1210776 Oct  2  2018 shimx64.efi
-rwx------. 1 root root 1204496 Oct  2  2018 shimx64-fedora.efi

During this session, apropos is not working

[liveuser@localhost-live /]$ apropos label
label: nothing appropriate.
[liveuser@localhost-live /]$ apropos ls
ls: nothing appropriate.

NOW, this is just during this session, and just what I remember right now. But this has been happening to me for over a year now. Well, it is getting worse. Not finding the grub.cfg is the first time.

I have much more I can report, but I will do it upon request.

As I said at the beginning of this post, I value any help in figuring out how to secure at least equipment that runs Fedora.

Thank you

OK, regarding your network interfaces.

Your wireless card uses the rtl8188ee driver, but you blacklisted the driver for a wired ethernet card, r8169. Note how the former lists a driver in use but the latter doesn’t. That’s because you blacklisted it. This is as expected.

Also normal. Systemd has changed the default naming scheme to use predictable interface names, that’s why the interface gets renamed. You’d also see renaming of ethN entries for wired networks for the same reason.

Also normal. The ether is unrelated to the type of physical card used, it refers to a detail of the communication protocol. It doesn’t matter.

They’re in /boot. I don’t recall them ever being linked into /, but I might be wrong. They aren’t on any of my systems, and there is no reason for them to be.

To my knowledge the Live system boots using syslinux/extlinux, not grub, so the grub stuff isn’t really relevant. Also, the Live boot loader does not have to be configurable, so it would not be necessary to ship e.g. /etc/default/grub. Just to note:

The info command isn’t installed by default so bash can’t find it. You can install the info package to get it. info grub will then give you the GRUB developers manual. grub has no manpage, there are manpages for the various grub commands under man grub2-<subcommand>. There is also no command grub, so that can’t work either.

Don’t know about that. FWIW, it works on my Fedora 32 Workstation live system.

None of what you describe is in any way suspicious. Your system seems fine.

There might be some technical issues (connection problems, apropos not working etc.). If they also appear on your installed & updated system (not just the Live one), you can make threads for those here, I’m sure someone will be able to help. But again, those are technical issues, it is highly unlikely that they have anything to do with MITM attacks or somebody hijacking your system.

The WebRTC stuff I don’t know about, but even if it is unnecessary leakage, it doesn’t matter since it’s not a public IP. Local network addresses in the 192.168.xxx.yyy block are the equivalent of telling someone where in your flat your bathroom is - utterly useless unless you’re standing in your flat. My computer’s IP is 192.168.0.101, my printer’s is 192.168.0.105. This does not tell anybody anything useful.

If you’re worried about someone tracking your online movement, connect via a VPN service that you trust. But note that the threat level here is not really a MITM attack, but more the sites you visit and/or your ISP tracking your movements.

3 Likes

The firewall being modified seems quite worrisome. You seem to discard the many things wrong that I have observed to behave differently in the past, in some cases stating that you don’t know but it is not bad. Forgive me, I can’t help feeling leery and suspicious.

Perhaps you are it, and now are creating misinformation.

I have not looked at your reputation nor other “help” you may have provided, but you seem very invested in devaluing everything I have described, which given the current state of cybersecurity (with CISA escalating and increasing their alerts), could raise the concern of any knowledgeable and responsible network administrator.

Well, I can only hope that somebody who means to help crosses this post and gives input.

Sorry, I forgot to respond to that. Did you reload the firewall rules (firewall-cmd --reload) after adding those rules? Because - somewhat weirdly - rules added with --permanent don’t take effect until after the next reload/restart/reboot, so maybe that is why not all those interfaces appeared. Btw., you do not want to drop traffic on lo. It is a purely internal interface (basically when your machine is trying to talk to itself via ethernet protocols), and there are services that will break if it is not available.

Well, there’s really no way to respond to that, is there? Feel free to disregard my comments if you don’t think you can trust me. Good luck.

6 Likes
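The permanent-versus-runtime distinction in the reply above, and the earlier --info-zone=drop listing that showed only wlo1 after seven --permanent additions, can be made visible with a small check. The POSIX shell script below is an added example, not code from the thread or from firewalld itself: it reads the permanent and the runtime view of one zone (firewall-cmd --permanent --info-zone and firewall-cmd --info-zone) and reports interfaces that are configured but not yet applied, or applied but not saved. The SAMPLE_* strings are constructed to mirror the listing in the thread; check_zone assumes firewall-cmd is on PATH and that the script runs as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld.
# firewalld keeps two configurations: the permanent one (what --permanent edits)
# and the runtime one (what --info-zone shows by default). Interfaces added with
# --permanent only enter the runtime view after `firewall-cmd --reload`, so a
# runtime listing that lacks them is expected, not evidence of tampering. This
# script makes the gap explicit by diffing the two views of one zone.

# Print the interfaces from a `firewall-cmd --info-zone=<zone>` listing read on
# stdin, as one space-separated line (empty if the zone has none).
zone_interfaces() {
    awk '/^[[:space:]]*interfaces:/ { $1 = ""; sub(/^[[:space:]]+/, ""); print }'
}

# Print the items of space-separated list $1 that are absent from list $2.
list_missing() {
    out=""
    for item in $1; do
        found=0
        for other in $2; do
            [ "$item" = "$other" ] && found=1
        done
        [ "$found" -eq 0 ] && out="${out:+$out }$item"
    done
    printf '%s\n' "$out"
}

# Compare the permanent ($1) and runtime ($2) --info-zone outputs of one zone.
# Returns 0 when both views list the same interfaces, 1 when they differ.
report_drift() {
    perm=$(printf '%s\n' "$1" | zone_interfaces)
    run=$(printf '%s\n' "$2" | zone_interfaces)
    pending=$(list_missing "$perm" "$run")
    extra=$(list_missing "$run" "$perm")
    if [ -z "$pending" ] && [ -z "$extra" ]; then
        printf 'ok: runtime matches permanent (%s)\n' "${run:-no interfaces}"
        return 0
    fi
    [ -n "$pending" ] && printf 'pending (permanent, not yet reloaded): %s\n' "$pending"
    [ -n "$extra" ] && printf 'runtime-only (lost on next reload): %s\n' "$extra"
    return 1
}

# Live check against the running firewalld (assumes firewall-cmd on PATH, root).
check_zone() {
    zone=${1:-drop}
    report_drift "$(firewall-cmd --permanent --info-zone="$zone")" \
                 "$(firewall-cmd --info-zone="$zone")"
}

# Constructed samples mirroring the thread: interfaces bound with --permanent,
# but only wlo1 active because --reload was never run.
SAMPLE_PERMANENT='drop
  target: DROP
  icmp-block-inversion: no
  interfaces: lo wlo1 tun0
  sources: 
  services: '
SAMPLE_RUNTIME='drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: wlo1
  sources: 
  services: '

# Usage: sudo sh firewalld-drift.sh live [zone]   (live check)
#        sh firewalld-drift.sh                    (offline demo on the samples)
if [ "${1:-}" = live ]; then
    check_zone "${2:-drop}"
else
    report_drift "$SAMPLE_PERMANENT" "$SAMPLE_RUNTIME" || :
fi
```

On the samples the script prints "pending (permanent, not yet reloaded): lo tun0", which is exactly the state the thread's listing shows; after firewall-cmd --reload the two views agree and the check reports ok. A non-zero exit on the live check is a cue to reload (or to investigate if the runtime view has interfaces the permanent config never mentions).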

UPDATE

I have been trying to connect to the ExpressVPN service from the phone and I kept getting an unsuccessful message (screenshot below). Then, I tried to connect with the VPN connection that used to work but as of this morning would block the internet connection, and a pop-up window told me that I was already using the VPN service and that if I continued, it would be replaced.

The unsuccessful new ExpressVPN service:

So I visited ipleak.net (I had not activated any connections), and lo and behold, the address of the VPN is displayed. Notice there are no VPN icons at the top of the screen.

I visited ipleak.net to see what addresses I get this time:

I value any help in figuring out how to secure at least equipment that runs Fedora.

Thank you

UPDATE

This is an example of the offline page I get a few seconds after I get a DNS_PROBE_FINISHED_NO_INTERNET.

Notice that when “I” have turned the VPN service on, as opposed to the service that apparently gets activated without my awareness or explicit action, the key icons appear at the top of the screen.

Is your phone running Fedora?

3 Likes