onion-GW to sshd fix
This commit is contained in:
parent
577c09813e
commit
198a55c594
@ -1,10 +1,12 @@
|
|||||||
0.4.5 - 2022-04-00
|
0.5.1 - 2022-04-00
|
||||||
* SF-UI alpha
|
* SF-UI alpha
|
||||||
* SetEnv HIDEIP, HUSHLOGIN, PRJ
|
* SetEnv HIDEIP, HUSHLOGIN, PRJ, TOKEN
|
||||||
* NOVPN/DIRECT support
|
* NOVPN/DIRECT support
|
||||||
* conntrack improvements
|
* conntrack improvements
|
||||||
* Fairer Network Scheduling (tc-cake)
|
* Fairer Network Scheduling (tc-cake)
|
||||||
* Private about SECRET and secret@
|
* MOTD improvements - more private about SECRET
|
||||||
|
* Avoid port 53 traffic to VPNs that mangle with DNS
|
||||||
|
* Fixed ARP MITM (thanks extencil@proton.thc.org)
|
||||||
|
|
||||||
0.4.4 - 2022-03-00
|
0.4.4 - 2022-03-00
|
||||||
* Updated for quarterly Kali-latest
|
* Updated for quarterly Kali-latest
|
||||||
|
@ -229,7 +229,7 @@ RUN /pkg-install.sh LARGE apt-get install -y --no-install-recommends \
|
|||||||
proxychains \
|
proxychains \
|
||||||
python2-minimal \
|
python2-minimal \
|
||||||
python-is-python3 \
|
python-is-python3 \
|
||||||
python-cheroot \
|
python3-cheroot \
|
||||||
python3-full \
|
python3-full \
|
||||||
python3-scapy \
|
python3-scapy \
|
||||||
python3-pwntools \
|
python3-pwntools \
|
||||||
|
@ -27,7 +27,6 @@ dearch()
|
|||||||
}
|
}
|
||||||
# ..and default is to set to ARCH value
|
# ..and default is to set to ARCH value
|
||||||
str=$(echo "$str" | sed -e "s/%arch:[^%]*%/$HOSTTYPE/g")
|
str=$(echo "$str" | sed -e "s/%arch:[^%]*%/$HOSTTYPE/g")
|
||||||
# echo "'$1' => '$str'" >&2 # FIXME-2023
|
|
||||||
echo "$str"
|
echo "$str"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -83,8 +83,7 @@ logout()
|
|||||||
[[ ! -f "$fn" ]] && break # No pid file exists for this LID
|
[[ ! -f "$fn" ]] && break # No pid file exists for this LID
|
||||||
pid=${fn##*.}
|
pid=${fn##*.}
|
||||||
[[ ! -d "/proc/${pid}" ]] && {
|
[[ ! -d "/proc/${pid}" ]] && {
|
||||||
# FIXME: This should never happen...but it does
|
# Happens when 'Failed to set up guest instance' is triggered.
|
||||||
# (e.g. when 'Failed to set up guest instance' is triggered)
|
|
||||||
LOG_E "Stale: pid-${LID}.${pid} [removed]"
|
LOG_E "Stale: pid-${LID}.${pid} [removed]"
|
||||||
rm -f "${fn}"
|
rm -f "${fn}"
|
||||||
continue
|
continue
|
||||||
@ -493,6 +492,25 @@ print_to_many_servers()
|
|||||||
--> Contact us on Telegram: ${CW}https://t.me/thcorg${CN}"
|
--> Contact us on Telegram: ${CW}https://t.me/thcorg${CN}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
show_last_server()
|
||||||
|
{
|
||||||
|
local n
|
||||||
|
echo >&2 -e "\
|
||||||
|
[${CDY}WARNING${CN}]
|
||||||
|
--> You (${CDY}$YOUR_IP${CN}) now have $1 servers running. ${CDR}You can not create any more
|
||||||
|
--> servers${CN} after this one! Use your ${CDY}SECRET${CN} to log in to your previously
|
||||||
|
--> created servers. If you forgot the ${CDY}SECRET${CN} then you need to wait for
|
||||||
|
--> the servers to time out and shut down automatically. Best to write down
|
||||||
|
--> the ${CDY}SECRET${CN} for THIS SERVER and follow these instructions:
|
||||||
|
--> ${CB}${CUL}https://www.thc.org/segfault/faq/#reconnect${CN}
|
||||||
|
--> SECRET: ${CDY}${SF_SEC:-BAD}${CN}
|
||||||
|
--> Contact us on Telegram: ${CW}https://t.me/thcorg${CN}"
|
||||||
|
|
||||||
|
sleep 5
|
||||||
|
echo -en "Press ENTER to continue..."
|
||||||
|
read -r -n8 -t120 || echo ""
|
||||||
|
}
|
||||||
|
|
||||||
echo_pty() { :;}
|
echo_pty() { :;}
|
||||||
|
|
||||||
sshd_to_ns()
|
sshd_to_ns()
|
||||||
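Review bot: `local n` in show_last_server is declared but never referenced; the function reads only `$1`, so drop the declaration before someone takes it for a counter. The message prints "now have $1 servers running" with whatever the caller passes, and the call site in the `@ -821,6 +855,8 @@` hunk guards on `n+1` while passing `$n`, so confirm whether the printed number is meant to include the server being created. A one-line header such as `# Warn the user that this is the last server allowed from their IP; $1 = server count` would also make the contract explicit.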
@ -730,14 +748,15 @@ wait_for_load()
|
|||||||
{
|
{
|
||||||
local load
|
local load
|
||||||
local max="$1"
|
local max="$1"
|
||||||
|
local n
|
||||||
|
|
||||||
# FIXME: Stop after waiting for too long.
|
|
||||||
# FIXME: Implement garbage collector...
|
|
||||||
while :; do
|
while :; do
|
||||||
read -r -a load </proc/loadavg
|
read -r -a load </proc/loadavg
|
||||||
[[ ${load[0]%%.*} -lt "$max" ]] && break
|
[[ ${load[0]%%.*} -lt "$max" ]] && break
|
||||||
echo -e >&2 "[${CY}SF${CN}] Waiting for load to go down..."
|
echo -e >&2 "[${CY}SF${CN}] Waiting for load to go down..."
|
||||||
sleep 5
|
sleep 5
|
||||||
|
((n++))
|
||||||
|
[[ $n -ge 20 ]] && ERREXIT 255 "giving up."
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
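Review bot: The new `local n` in wait_for_load is left uninitialised before `((n++))`; bash evaluates the unset value as 0 so the cap still triggers after 20 rounds, but the first `((n++))` yields 0 and returns status 1, and under `set -u` bash reports the unset reference as unbound, so if this script is ever run with `set -e`/`set -u` the counter itself aborts the login. Initialise it and avoid the status trap: `local n=0` and `n=$((n+1))`. The 20×5 s budget is not explained; a comment like `# give up after ~100 s so a busy host cannot hang logins indefinitely` would record why 20 was chosen.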
@ -756,8 +775,9 @@ print_tor_notice()
|
|||||||
sleep 5
|
sleep 5
|
||||||
echo >&2 -e "\
|
echo >&2 -e "\
|
||||||
[${CR}ERROR${CN}]
|
[${CR}ERROR${CN}]
|
||||||
--> ${CDY}You ($YOUR_IP) are trying to connect from a Tor exit node${CN}
|
--> You (${CDY}$YOUR_IP${CN}) are trying to connect from Tor.
|
||||||
--> Tor exit node access is only available to ${CG}PREMIUM${CN} users
|
--> Log in from Tor is available for ${CG}VALUED${CN} users only.
|
||||||
|
--> To log in from Tor please ask us for an ACCESS TOKEN.
|
||||||
--> Read ${CB}${CUL}https://www.thc.org/segfault/youcheapfuck${CN}
|
--> Read ${CB}${CUL}https://www.thc.org/segfault/youcheapfuck${CN}
|
||||||
--> Contact us on Telegram: ${CW}https://t.me/thcorg${CN}"
|
--> Contact us on Telegram: ${CW}https://t.me/thcorg${CN}"
|
||||||
sleep 5
|
sleep 5
|
||||||
@ -767,10 +787,24 @@ print_tor_notice()
|
|||||||
# TODO: Make this work with the IP hashes
|
# TODO: Make this work with the IP hashes
|
||||||
check_tor_status()
|
check_tor_status()
|
||||||
{
|
{
|
||||||
[[ -n $SF_ALLOW_SRC_TOR ]] && return
|
local is_tor
|
||||||
[[ ! -f "/sf/share/tor-exit-nodes.txt" ]] && return
|
|
||||||
|
|
||||||
exec_devnull grep -q -Fx "${YOUR_IP}" "/sf/share/tor-exit-nodes.txt" && { print_tor_notice; LOG_W "TOR DENIED"; ERREXIT 255; }
|
# FIXME: If user is allowed to log in via TOR then we should use
|
||||||
|
# the TOKEN to limit his number of servers.
|
||||||
|
[[ -n $SF_ALLOW_SRC_TOR ]] && return
|
||||||
|
if [[ "${YOUR_IP}" == "${SF_TOR_IP}" ]]; then
|
||||||
|
is_tor=1
|
||||||
|
else
|
||||||
|
[[ -f "/sf/share/tor-exit-nodes.txt" ]] && {
|
||||||
|
exec_devnull grep -q -Fx "${YOUR_IP}" "/sf/share/tor-exit-nodes.txt" && is_tor=1
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
|
||||||
|
[[ -z $is_tor ]] && return
|
||||||
|
|
||||||
|
print_tor_notice
|
||||||
|
LOG_W "TOR DENIED"
|
||||||
|
ERREXIT 255
|
||||||
}
|
}
|
||||||
|
|
||||||
# Check if max servers per IP are in use.
|
# Check if max servers per IP are in use.
|
||||||
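Review bot: check_tor_status now decides `is_tor` with `[[ "${YOUR_IP}" == "${SF_TOR_IP}" ]]`, so onion-GW detection silently depends on SF_TOR_IP being configured with the address the iptables rules use as TOR_IP; if SF_TOR_IP is unset, the comparison only matches an empty YOUR_IP (denying that login as "TOR DENIED" for the wrong reason) and onion-GW logins fall through to the exit-node list, which presumably does not contain an internal gateway address. Making the dependency visible, e.g. `[[ -z "${SF_TOR_IP}" ]] && LOG_W "SF_TOR_IP unset: onion-GW logins are not detected"` ahead of the comparison, would surface the misconfiguration at the first login instead of letting it pass. The FIXME about using TOKEN to limit servers stays in the code while print_tor_notice now tells users to ask for an ACCESS TOKEN; nothing in this function reads TOKEN yet, so the comment should state plainly that the TOKEN path is not implemented.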
@ -821,6 +855,8 @@ check_limit_server_by_ip()
|
|||||||
ERREXIT 254
|
ERREXIT 254
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[[ "$((n+1))" -ge "${SF_LIMIT_SERVER_BY_IP}" ]] && [[ -z $HUSHLOGIN ]] && [[ -n $IS_LOGIN ]] && show_last_server "$n"
|
||||||
|
|
||||||
[[ "$n" -ge 1 ]] && {
|
[[ "$n" -ge 1 ]] && {
|
||||||
# The 3rd and more servers from same IP get less CPU share
|
# The 3rd and more servers from same IP get less CPU share
|
||||||
SF_USER_CPU_SHARE=2
|
SF_USER_CPU_SHARE=2
|
||||||
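Review bot: The new warning line compares `$((n+1))` against `${SF_LIMIT_SERVER_BY_IP}` but hands `$n` to show_last_server, whose text reads "now have $1 servers running"; if n counts the servers already running, the number shown is one short of the total after this login, so either pass `$((n+1))` or reword the message. With an empty SF_LIMIT_SERVER_BY_IP, `[[ … -ge "" ]]` treats the empty operand as 0 and the warning fires on every login; the ERREXIT 254 branch above presumably guards on the same variable, but that code is outside the hunk. check_limit_server_by_ip begins and ends outside this hunk.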
@ -916,8 +952,6 @@ else
|
|||||||
SF_SEC="$(head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 24)"
|
SF_SEC="$(head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 24)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
[[ -n $SF_IS_WEBSHELL ]] && {
|
[[ -n $SF_IS_WEBSHELL ]] && {
|
||||||
# Correct YOUR_IP
|
# Correct YOUR_IP
|
||||||
REMOTE_ADDR="${REMOTE_ADDR//[^0-9.:]}"
|
REMOTE_ADDR="${REMOTE_ADDR//[^0-9.:]}"
|
||||||
@ -931,7 +965,6 @@ fi
|
|||||||
}
|
}
|
||||||
# Unset user supplied env variables
|
# Unset user supplied env variables
|
||||||
unset SECRET HUSTLOGIN HIDEIP PRJ
|
unset SECRET HUSTLOGIN HIDEIP PRJ
|
||||||
|
|
||||||
### ----END SANITIZE----
|
### ----END SANITIZE----
|
||||||
|
|
||||||
# Only output progress if this is a login shell _and_ not HUSHLOGIN
|
# Only output progress if this is a login shell _and_ not HUSHLOGIN
|
||||||
|
@ -107,6 +107,7 @@ PrintMotd no
|
|||||||
AcceptEnv PRJ
|
AcceptEnv PRJ
|
||||||
AcceptEnv SF_DEBUG
|
AcceptEnv SF_DEBUG
|
||||||
AcceptEnv SECRET
|
AcceptEnv SECRET
|
||||||
|
AcceptEnv TOKEN
|
||||||
AcceptEnv REMOTE_ADDR
|
AcceptEnv REMOTE_ADDR
|
||||||
AcceptEnv HUSHLOGIN
|
AcceptEnv HUSHLOGIN
|
||||||
AcceptEnv HIDEIP
|
AcceptEnv HIDEIP
|
||||||
|
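Review bot: `AcceptEnv TOKEN` lets the ssh client place TOKEN in the session environment, but the sanitize block in the `@ -931,7 +965,6 @@` hunk still runs `unset SECRET HUSTLOGIN HIDEIP PRJ`, so a user-supplied TOKEN survives into the user's shell unlike the other accepted variables; extend that line to `unset SECRET HUSHLOGIN HIDEIP PRJ TOKEN` once the value has been consumed. `HUSTLOGIN` in that same line looks like a typo for `HUSHLOGIN`, which would mean HUSHLOGIN is never unset either; the line is unchanged history here, so verify before touching it. None of the visible hunks reads TOKEN, so a comment next to this AcceptEnv naming where it is consumed would help the next reader.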
@ -237,6 +237,8 @@ ipt_set()
|
|||||||
# The only way around this is to advertise a smaller MSS for TCP and hope for the best
|
# The only way around this is to advertise a smaller MSS for TCP and hope for the best
|
||||||
# for all other protocols. Ultimately we need bad routers on the Internet to disappear.
|
# for all other protocols. Ultimately we need bad routers on the Internet to disappear.
|
||||||
iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_GW}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_GW}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
||||||
|
# Mode when TOR goes via VPN (rarely used)
|
||||||
|
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_GW}" -s "${TOR_IP}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
||||||
|
|
||||||
# -----BEGIN DIRECT SSH-----
|
# -----BEGIN DIRECT SSH-----
|
||||||
# Note: The IP addresses are FLIPPED because we use DNAT/SNAT/MASQ in PREROUTING
|
# Note: The IP addresses are FLIPPED because we use DNAT/SNAT/MASQ in PREROUTING
|
||||||
@ -267,16 +269,17 @@ ipt_set()
|
|||||||
iptables -A FORWARD -i "${DEV_ACCESS}" -o "${DEV_DIRECT}" -p tcp -s "${GSNC_IP}" -j ACCEPT
|
iptables -A FORWARD -i "${DEV_ACCESS}" -o "${DEV_DIRECT}" -p tcp -s "${GSNC_IP}" -j ACCEPT
|
||||||
iptables -A FORWARD -o "${DEV_ACCESS}" -i "${DEV_DIRECT}" -p tcp -d "${GSNC_IP}" -j ACCEPT
|
iptables -A FORWARD -o "${DEV_ACCESS}" -i "${DEV_DIRECT}" -p tcp -d "${GSNC_IP}" -j ACCEPT
|
||||||
|
|
||||||
# Onion to NGINX
|
# Onion-GW to NGINX
|
||||||
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_DMZ}" -s "${TOR_IP}" -d "${NGINX_IP}" -p tcp --dport 80 -j ACCEPT
|
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_DMZ}" -s "${TOR_IP}" -d "${NGINX_IP}" -p tcp --dport 80 -j ACCEPT
|
||||||
iptables -A FORWARD -o "${DEV_GW}" -i "${DEV_DMZ}" -d "${TOR_IP}" -s "${NGINX_IP}" -p tcp --sport 80 -j ACCEPT
|
iptables -A FORWARD -o "${DEV_GW}" -i "${DEV_DMZ}" -d "${TOR_IP}" -s "${NGINX_IP}" -p tcp --sport 80 -j ACCEPT
|
||||||
|
|
||||||
# TOR via VPN gateways
|
# Onion-GW to SSHD
|
||||||
|
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_ACCESS}" -s "${TOR_IP}" -d "${SSHD_IP}" -p tcp --dport 22 -j ACCEPT
|
||||||
|
iptables -A FORWARD -o "${DEV_GW}" -i "${DEV_ACCESS}" -d "${TOR_IP}" -s "${SSHD_IP}" -p tcp --sport 22 -j ACCEPT
|
||||||
|
|
||||||
|
# TOR via VPN (rarely used)
|
||||||
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_GW}" -s "${TOR_IP}" -j ACCEPT
|
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_GW}" -s "${TOR_IP}" -j ACCEPT
|
||||||
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_GW}" -d "${TOR_IP}" -j ACCEPT
|
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_GW}" -d "${TOR_IP}" -j ACCEPT
|
||||||
|
|
||||||
# Onion to SSHD
|
|
||||||
# => Already set by SSHD -D1080 setup
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ipset_add_ip()
|
ipset_add_ip()
|
||||||
|
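Review bot: The return-path rule for Onion-GW to SSHD accepts any packet from `${SSHD_IP}` with source port 22 to `${TOR_IP}` regardless of connection state, mirroring the NGINX pair above; a state match, `-m conntrack --ctstate ESTABLISHED,RELATED` in place of `--sport 22`, would confine the reverse direction to replies of connections the first rule admitted (if ipt_set already has a blanket ESTABLISHED rule earlier, the reverse rule may simply be redundant). `${SSHD_IP}` is defined outside this hunk; confirm it is set before ipt_set runs, since an empty expansion likely makes iptables reject `-d ""` and leaves the onion-GW path closed with only a log line to show for it. ipt_set begins outside this hunk.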
@ -111,6 +111,29 @@ lgwall()
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Enter a docker network namespace
|
||||||
|
# [container] <cmd ...>
|
||||||
|
dnenter()
|
||||||
|
{
|
||||||
|
local pid
|
||||||
|
local c_id
|
||||||
|
# local str
|
||||||
|
local cmd
|
||||||
|
c_id="$1"
|
||||||
|
|
||||||
|
shift 1
|
||||||
|
pid=$(docker inspect -f '{{.State.Pid}}' "${c_id:?}") || return
|
||||||
|
[[ ${#} -le 0 ]] && {
|
||||||
|
env HISTFILE=/dev/null nsenter -t "${pid}" -a bash -il
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
# str=$(head -n1 "/proc/${pid}/cgroup")
|
||||||
|
# FIXME: '*' wont work if there are more than 1 cgroup.
|
||||||
|
# cgexec --sticky -g "*:${str##*:}" nsenter -t "${pid}" -a "${cmd[@]}"
|
||||||
|
nsenter -t "${pid}" -n "$@"
|
||||||
|
}
|
||||||
|
|
||||||
# Blocks Inodes
|
# Blocks Inodes
|
||||||
# Project ID Used Soft Hard Warn/Grace Used Soft Hard Warn/ Grace
|
# Project ID Used Soft Hard Warn/Grace Used Soft Hard Warn/ Grace
|
||||||
# #9 0 0 4194304 00 [--------] 0 0 65536 00 [--------]
|
# #9 0 0 4194304 00 [--------] 0 0 65536 00 [--------]
|
||||||
|