onion-GW to sshd fix

2024-06-25 00:08:47 +00:00 · 2023-05-07 09:55:57 +01:00 · 2023-05-07 09:55:57 +01:00 · 198a55c594
commit 198a55c594
parent 577c09813e
7 changed files with 83 additions and 22 deletions
--- a/8
+++ b/8
@ -1,10 +1,12 @@
-0.4.5 - 2022-04-00
+0.5.1 - 2022-04-00
    * SF-UI alpha
-    * SetEnv HIDEIP, HUSHLOGIN, PRJ
+    * SetEnv HIDEIP, HUSHLOGIN, PRJ, TOKEN
    * NOVPN/DIRECT support
    * conntrack improvements
    * Fairer Network Scheduling (tc-cake)
-    * Private about SECRET and secret@
+    * MOTD improvements - more private about SECRET
+    * Avoid port 53 traffic to VPNs that mangle with DNS
+    * Fixed ARP MITM (thanks extencil@proton.thc.org)

 0.4.4 - 2022-03-00
    * Updated for quarterly Kali-latest
--- a/guest/Dockerfile
+++ b/guest/Dockerfile
@ -229,7 +229,7 @@ RUN /pkg-install.sh LARGE apt-get install -y --no-install-recommends \
 		proxychains \
 		python2-minimal \
 		python-is-python3 \
-		python-cheroot \
+		python3-cheroot \
 		python3-full \
 		python3-scapy \
 		python3-pwntools \
--- a/guest/fs-root/sf/bin/pkg-install.sh
+++ b/guest/fs-root/sf/bin/pkg-install.sh
@ -27,7 +27,6 @@ dearch()
 	}
    # ..and default is to set to ARCH value
    str=$(echo "$str" | sed -e "s/%arch:[^%]*%/$HOSTTYPE/g")
-	# echo  "'$1' => '$str'" >&2 # FIXME-2023
 	echo "$str"
 }

--- a/host/fs-root/bin/segfaultsh
+++ b/host/fs-root/bin/segfaultsh
@ -83,8 +83,7 @@ logout()
 			[[ ! -f "$fn" ]] && break # No pid file exists for this LID
 			pid=${fn##*.}
 			[[ ! -d "/proc/${pid}" ]] && {
-				# FIXME: This should never happen...but it does
-				# (e.g. when 'Failed to set up guest instance' is triggered)
+				# Happens when 'Failed to set up guest instance' is triggered.
 				LOG_E "Stale: pid-${LID}.${pid} [removed]"
 				rm -f "${fn}" 
 				continue
@ -493,6 +492,25 @@ print_to_many_servers()
 --> Contact us on Telegram: ${CW}https://t.me/thcorg${CN}"
 }

+show_last_server()
+{
+	local n
+	echo >&2 -e "\
+[${CDY}WARNING${CN}]
+--> You (${CDY}$YOUR_IP${CN}) now have $1 servers running. ${CDR}You can not create any more
+--> servers${CN} after this one! Use your ${CDY}SECRET${CN} to log in to your previously
+--> created servers. If you forgot the ${CDY}SECRET${CN} then you need to wait for
+--> the servers to time out and shut down automatically. Best to write down
+--> the ${CDY}SECRET${CN} for THIS SERVER and follow these instructions:
+--> ${CB}${CUL}https://www.thc.org/segfault/faq/#reconnect${CN}
+--> SECRET: ${CDY}${SF_SEC:-BAD}${CN}
+--> Contact us on Telegram: ${CW}https://t.me/thcorg${CN}"
+
+	sleep 5
+	echo -en "Press ENTER to continue..."
+	read -r -n8 -t120 || echo ""
+}
+
 echo_pty() { :;}

 sshd_to_ns()
@ -730,14 +748,15 @@ wait_for_load()
 {
 	local load
 	local max="$1"
+	local n

-	# FIXME: Stop after waiting for too long.
-	# FIXME: Implement garbage collector...
 	while :; do
 		read -r -a load </proc/loadavg
 		[[ ${load[0]%%.*} -lt "$max" ]] && break
 		echo -e >&2 "[${CY}SF${CN}] Waiting for load to go down..."
 		sleep 5
+		((n++))
+		[[ $n -ge 20 ]] && ERREXIT 255 "giving up."
 	done
 }

@ -756,8 +775,9 @@ print_tor_notice()
 	sleep 5
    echo >&2 -e "\
 [${CR}ERROR${CN}]
--> ${CDY}You ($YOUR_IP) are trying to connect from a Tor exit node${CN}
--> Tor exit node access is only available to ${CG}PREMIUM${CN} users
+--> You (${CDY}$YOUR_IP${CN}) are trying to connect from Tor.
+--> Log in from Tor is available for ${CG}VALUED${CN} users only.
+--> To log in from Tor please ask us for an ACCESS TOKEN.
 --> Read ${CB}${CUL}https://www.thc.org/segfault/youcheapfuck${CN}
 --> Contact us on Telegram: ${CW}https://t.me/thcorg${CN}"
 	sleep 5
@ -767,10 +787,24 @@ print_tor_notice()
 # TODO: Make this work with the IP hashes
 check_tor_status()
 {
-        [[ -n $SF_ALLOW_SRC_TOR ]] && return
-        [[ ! -f "/sf/share/tor-exit-nodes.txt" ]] && return
+	local is_tor

-        exec_devnull grep -q -Fx "${YOUR_IP}" "/sf/share/tor-exit-nodes.txt" && { print_tor_notice; LOG_W "TOR DENIED"; ERREXIT 255; }
+	# FIXME: If user is allowed to log in via TOR then we should use
+	# the TOKEN to limit his number of servers.
+	[[ -n $SF_ALLOW_SRC_TOR ]] && return
+	if [[ "${YOUR_IP}" == "${SF_TOR_IP}" ]]; then
+		is_tor=1
+	else
+		[[ -f "/sf/share/tor-exit-nodes.txt" ]] && {
+			exec_devnull grep -q -Fx "${YOUR_IP}" "/sf/share/tor-exit-nodes.txt" && is_tor=1
+		}
+	fi
+
+	[[ -z $is_tor ]] && return
+
+	print_tor_notice
+	LOG_W "TOR DENIED"
+	ERREXIT 255
 }

 # Check if max servers per IP are in use.
@ -821,6 +855,8 @@ check_limit_server_by_ip()
 			ERREXIT 254
 		}

+		[[ "$((n+1))" -ge "${SF_LIMIT_SERVER_BY_IP}" ]] && [[ -z $HUSHLOGIN ]] && [[ -n $IS_LOGIN ]] && show_last_server "$n"
+
 		[[ "$n" -ge 1 ]] && {
 			# The 3rd and more servers from same IP get less CPU share
 			SF_USER_CPU_SHARE=2
@ -916,8 +952,6 @@ else
 	SF_SEC="$(head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 24)"
 fi

-
-
 [[ -n $SF_IS_WEBSHELL ]] && {
 	# Correct YOUR_IP
 	REMOTE_ADDR="${REMOTE_ADDR//[^0-9.:]}"
@ -931,7 +965,6 @@ fi
 }
 # Unset user supplied env variables
 unset SECRET HUSTLOGIN HIDEIP PRJ
-
 ### ----END SANITIZE----

 # Only output progress if this is a login shell _and_ not HUSHLOGIN
--- a/host/fs-root/etc/ssh/sshd_config
+++ b/host/fs-root/etc/ssh/sshd_config
@ -107,6 +107,7 @@ PrintMotd no
 AcceptEnv PRJ
 AcceptEnv SF_DEBUG
 AcceptEnv SECRET
+AcceptEnv TOKEN
 AcceptEnv REMOTE_ADDR
 AcceptEnv HUSHLOGIN
 AcceptEnv HIDEIP
--- a/router/init.sh
+++ b/router/init.sh
@ -237,6 +237,8 @@ ipt_set()
 	# The only way around this is to advertise a smaller MSS for TCP and hope for the best
 	# for all other protocols. Ultimately we need bad routers on the Internet to disappear.
 	iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_GW}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
+	# Mode when TOR goes via VPN (rarely used)
+	iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_GW}" -s "${TOR_IP}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380

 	# -----BEGIN DIRECT SSH-----
 	# Note: The IP addresses are FLIPPED because we use DNAT/SNAT/MASQ in PREROUTING
@ -267,16 +269,17 @@ ipt_set()
 	iptables -A FORWARD -i "${DEV_ACCESS}" -o "${DEV_DIRECT}" -p tcp -s "${GSNC_IP}" -j ACCEPT
 	iptables -A FORWARD -o "${DEV_ACCESS}" -i "${DEV_DIRECT}" -p tcp -d "${GSNC_IP}" -j ACCEPT

-	# Onion to NGINX
+	# Onion-GW to NGINX
 	iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_DMZ}" -s "${TOR_IP}" -d "${NGINX_IP}" -p tcp --dport 80 -j ACCEPT
 	iptables -A FORWARD -o "${DEV_GW}" -i "${DEV_DMZ}" -d "${TOR_IP}" -s "${NGINX_IP}" -p tcp --sport 80 -j ACCEPT

-	# TOR via VPN gateways
+	# Onion-GW to SSHD
+	iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_ACCESS}" -s "${TOR_IP}" -d "${SSHD_IP}" -p tcp --dport 22 -j ACCEPT
+	iptables -A FORWARD -o "${DEV_GW}" -i "${DEV_ACCESS}" -d "${TOR_IP}" -s "${SSHD_IP}" -p tcp --sport 22 -j ACCEPT
+
+	# TOR via VPN (rarely used)
 	iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_GW}" -s "${TOR_IP}" -j ACCEPT
 	iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_GW}" -d "${TOR_IP}" -j ACCEPT
-	
-	# Onion to SSHD
-	# => Already set by SSHD -D1080 setup
 }

 ipset_add_ip()
--- a/sfbin/funcs_admin.sh
+++ b/sfbin/funcs_admin.sh
@ -111,6 +111,29 @@ lgwall()
 	done
 }

+# Enter a docker network namespace
+# [container] <cmd ...>
+dnenter()
+{
+	local pid
+	local c_id
+	# local str
+	local cmd
+	c_id="$1"
+
+	shift 1
+	pid=$(docker inspect -f '{{.State.Pid}}' "${c_id:?}") || return
+	[[ ${#} -le 0 ]] && {
+		env HISTFILE=/dev/null nsenter -t "${pid}" -a bash -il
+		return
+	}
+
+	# str=$(head -n1 "/proc/${pid}/cgroup")
+	# FIXME: '*' wont work if there are more than 1 cgroup.
+	# cgexec --sticky -g "*:${str##*:}" nsenter -t "${pid}" -a "${cmd[@]}"
+	nsenter -t "${pid}" -n "$@"
+}
+
 #                               Blocks                                          Inodes
 # Project ID       Used       Soft       Hard    Warn/Grace           Used       Soft       Hard    Warn/ Grace	
 # #9                   0    0    4194304     00 [--------]          0          0      65536     00 [--------]