onion-GW to sshd fix
This commit is contained in:
parent
577c09813e
commit
198a55c594
@ -1,10 +1,12 @@
|
||||
0.4.5 - 2022-04-00
|
||||
0.5.1 - 2022-04-00
|
||||
* SF-UI alpha
|
||||
* SetEnv HIDEIP, HUSHLOGIN, PRJ
|
||||
* SetEnv HIDEIP, HUSHLOGIN, PRJ, TOKEN
|
||||
* NOVPN/DIRECT support
|
||||
* conntrack improvements
|
||||
* Fairer Network Scheduling (tc-cake)
|
||||
* Private about SECRET and secret@
|
||||
* MOTD improvements - more private about SECRET
|
||||
* Avoid port 53 traffic to VPNs that mangle with DNS
|
||||
* Fixed ARP MITM (thanks extencil@proton.thc.org)
|
||||
|
||||
0.4.4 - 2022-03-00
|
||||
* Updated for quarterly Kali-latest
|
||||
|
@ -229,7 +229,7 @@ RUN /pkg-install.sh LARGE apt-get install -y --no-install-recommends \
|
||||
proxychains \
|
||||
python2-minimal \
|
||||
python-is-python3 \
|
||||
python-cheroot \
|
||||
python3-cheroot \
|
||||
python3-full \
|
||||
python3-scapy \
|
||||
python3-pwntools \
|
||||
|
@ -27,7 +27,6 @@ dearch()
|
||||
}
|
||||
# ..and default is to set to ARCH value
|
||||
str=$(echo "$str" | sed -e "s/%arch:[^%]*%/$HOSTTYPE/g")
|
||||
# echo "'$1' => '$str'" >&2 # FIXME-2023
|
||||
echo "$str"
|
||||
}
|
||||
|
||||
|
@ -83,8 +83,7 @@ logout()
|
||||
[[ ! -f "$fn" ]] && break # No pid file exists for this LID
|
||||
pid=${fn##*.}
|
||||
[[ ! -d "/proc/${pid}" ]] && {
|
||||
# FIXME: This should never happen...but it does
|
||||
# (e.g. when 'Failed to set up guest instance' is triggered)
|
||||
# Happens when 'Failed to set up guest instance' is triggered.
|
||||
LOG_E "Stale: pid-${LID}.${pid} [removed]"
|
||||
rm -f "${fn}"
|
||||
continue
|
||||
@ -493,6 +492,25 @@ print_to_many_servers()
|
||||
--> Contact us on Telegram: ${CW}https://t.me/thcorg${CN}"
|
||||
}
|
||||
|
||||
show_last_server()
|
||||
{
|
||||
local n
|
||||
echo >&2 -e "\
|
||||
[${CDY}WARNING${CN}]
|
||||
--> You (${CDY}$YOUR_IP${CN}) now have $1 servers running. ${CDR}You can not create any more
|
||||
--> servers${CN} after this one! Use your ${CDY}SECRET${CN} to log in to your previously
|
||||
--> created servers. If you forgot the ${CDY}SECRET${CN} then you need to wait for
|
||||
--> the servers to time out and shut down automatically. Best to write down
|
||||
--> the ${CDY}SECRET${CN} for THIS SERVER and follow these instructions:
|
||||
--> ${CB}${CUL}https://www.thc.org/segfault/faq/#reconnect${CN}
|
||||
--> SECRET: ${CDY}${SF_SEC:-BAD}${CN}
|
||||
--> Contact us on Telegram: ${CW}https://t.me/thcorg${CN}"
|
||||
|
||||
sleep 5
|
||||
echo -en "Press ENTER to continue..."
|
||||
read -r -n8 -t120 || echo ""
|
||||
}
|
||||
|
||||
echo_pty() { :;}
|
||||
|
||||
sshd_to_ns()
|
||||
@ -730,14 +748,15 @@ wait_for_load()
|
||||
{
|
||||
local load
|
||||
local max="$1"
|
||||
local n
|
||||
|
||||
# FIXME: Stop after waiting for too long.
|
||||
# FIXME: Implement garbage collector...
|
||||
while :; do
|
||||
read -r -a load </proc/loadavg
|
||||
[[ ${load[0]%%.*} -lt "$max" ]] && break
|
||||
echo -e >&2 "[${CY}SF${CN}] Waiting for load to go down..."
|
||||
sleep 5
|
||||
((n++))
|
||||
[[ $n -ge 20 ]] && ERREXIT 255 "giving up."
|
||||
done
|
||||
}
|
||||
|
||||
@ -756,8 +775,9 @@ print_tor_notice()
|
||||
sleep 5
|
||||
echo >&2 -e "\
|
||||
[${CR}ERROR${CN}]
|
||||
--> ${CDY}You ($YOUR_IP) are trying to connect from a Tor exit node${CN}
|
||||
--> Tor exit node access is only available to ${CG}PREMIUM${CN} users
|
||||
--> You (${CDY}$YOUR_IP${CN}) are trying to connect from Tor.
|
||||
--> Log in from Tor is available for ${CG}VALUED${CN} users only.
|
||||
--> To log in from Tor please ask us for an ACCESS TOKEN.
|
||||
--> Read ${CB}${CUL}https://www.thc.org/segfault/youcheapfuck${CN}
|
||||
--> Contact us on Telegram: ${CW}https://t.me/thcorg${CN}"
|
||||
sleep 5
|
||||
@ -767,10 +787,24 @@ print_tor_notice()
|
||||
# TODO: Make this work with the IP hashes
|
||||
check_tor_status()
|
||||
{
|
||||
[[ -n $SF_ALLOW_SRC_TOR ]] && return
|
||||
[[ ! -f "/sf/share/tor-exit-nodes.txt" ]] && return
|
||||
local is_tor
|
||||
|
||||
exec_devnull grep -q -Fx "${YOUR_IP}" "/sf/share/tor-exit-nodes.txt" && { print_tor_notice; LOG_W "TOR DENIED"; ERREXIT 255; }
|
||||
# FIXME: If user is allowed to log in via TOR then we should use
|
||||
# the TOKEN to limit his number of servers.
|
||||
[[ -n $SF_ALLOW_SRC_TOR ]] && return
|
||||
if [[ "${YOUR_IP}" == "${SF_TOR_IP}" ]]; then
|
||||
is_tor=1
|
||||
else
|
||||
[[ -f "/sf/share/tor-exit-nodes.txt" ]] && {
|
||||
exec_devnull grep -q -Fx "${YOUR_IP}" "/sf/share/tor-exit-nodes.txt" && is_tor=1
|
||||
}
|
||||
fi
|
||||
|
||||
[[ -z $is_tor ]] && return
|
||||
|
||||
print_tor_notice
|
||||
LOG_W "TOR DENIED"
|
||||
ERREXIT 255
|
||||
}
|
||||
|
||||
# Check if max servers per IP are in use.
|
||||
@ -821,6 +855,8 @@ check_limit_server_by_ip()
|
||||
ERREXIT 254
|
||||
}
|
||||
|
||||
[[ "$((n+1))" -ge "${SF_LIMIT_SERVER_BY_IP}" ]] && [[ -z $HUSHLOGIN ]] && [[ -n $IS_LOGIN ]] && show_last_server "$n"
|
||||
|
||||
[[ "$n" -ge 1 ]] && {
|
||||
# The 3rd and more servers from same IP get less CPU share
|
||||
SF_USER_CPU_SHARE=2
|
||||
@ -916,8 +952,6 @@ else
|
||||
SF_SEC="$(head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 24)"
|
||||
fi
|
||||
|
||||
|
||||
|
||||
[[ -n $SF_IS_WEBSHELL ]] && {
|
||||
# Correct YOUR_IP
|
||||
REMOTE_ADDR="${REMOTE_ADDR//[^0-9.:]}"
|
||||
@ -931,7 +965,6 @@ fi
|
||||
}
|
||||
# Unset user supplied env variables
|
||||
unset SECRET HUSTLOGIN HIDEIP PRJ
|
||||
|
||||
### ----END SANITIZE----
|
||||
|
||||
# Only output progress if this is a login shell _and_ not HUSHLOGIN
|
||||
|
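Review bot: The sanitize block in the last hunk reads `unset SECRET HUSTLOGIN HIDEIP PRJ`, so HUSHLOGIN (spelled that way at check_limit_server_by_ip's `[[ -z $HUSHLOGIN ]]` and at the sshd_config AcceptEnv line) is never cleared, and TOKEN, which the sshd_config hunk appears to start accepting from the client, is not cleared either; unless TOKEN is meant to survive past this point, the line should read `unset SECRET HUSHLOGIN HIDEIP PRJ TOKEN`. In check_tor_status, `[[ "${YOUR_IP}" == "${SF_TOR_IP}" ]]` also matches when both variables are empty (SF_TOR_IP unset on a deployment without the onion gateway), which would deny a non-Tor login as if it came from Tor; `[[ -n $SF_TOR_IP && "${YOUR_IP}" == "${SF_TOR_IP}" ]]` avoids that. In wait_for_load the new counter is declared as `local n` without a value, and `((n++))` yields a non-zero status on its first pass (post-increment of 0), which aborts the script if it runs under `set -e`; `local n=0` together with `((++n))` covers both. show_last_server likewise declares a `local n` it never uses.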
@ -107,6 +107,7 @@ PrintMotd no
|
||||
AcceptEnv PRJ
|
||||
AcceptEnv SF_DEBUG
|
||||
AcceptEnv SECRET
|
||||
AcceptEnv TOKEN
|
||||
AcceptEnv REMOTE_ADDR
|
||||
AcceptEnv HUSHLOGIN
|
||||
AcceptEnv HIDEIP
|
||||
|
@ -237,6 +237,8 @@ ipt_set()
|
||||
# The only way around this is to advertise a smaller MSS for TCP and hope for the best
|
||||
# for all other protocols. Ultimately we need bad routers on the Internet to disappear.
|
||||
iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_GW}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
||||
# Mode when TOR goes via VPN (rarely used)
|
||||
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_GW}" -s "${TOR_IP}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
||||
|
||||
# -----BEGIN DIRECT SSH-----
|
||||
# Note: The IP addresses are FLIPPED because we use DNAT/SNAT/MASQ in PREROUTING
|
||||
@ -267,16 +269,17 @@ ipt_set()
|
||||
iptables -A FORWARD -i "${DEV_ACCESS}" -o "${DEV_DIRECT}" -p tcp -s "${GSNC_IP}" -j ACCEPT
|
||||
iptables -A FORWARD -o "${DEV_ACCESS}" -i "${DEV_DIRECT}" -p tcp -d "${GSNC_IP}" -j ACCEPT
|
||||
|
||||
# Onion to NGINX
|
||||
# Onion-GW to NGINX
|
||||
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_DMZ}" -s "${TOR_IP}" -d "${NGINX_IP}" -p tcp --dport 80 -j ACCEPT
|
||||
iptables -A FORWARD -o "${DEV_GW}" -i "${DEV_DMZ}" -d "${TOR_IP}" -s "${NGINX_IP}" -p tcp --sport 80 -j ACCEPT
|
||||
|
||||
# TOR via VPN gateways
|
||||
# Onion-GW to SSHD
|
||||
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_ACCESS}" -s "${TOR_IP}" -d "${SSHD_IP}" -p tcp --dport 22 -j ACCEPT
|
||||
iptables -A FORWARD -o "${DEV_GW}" -i "${DEV_ACCESS}" -d "${TOR_IP}" -s "${SSHD_IP}" -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# TOR via VPN (rarely used)
|
||||
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_GW}" -s "${TOR_IP}" -j ACCEPT
|
||||
iptables -A FORWARD -i "${DEV_GW}" -o "${DEV_GW}" -d "${TOR_IP}" -j ACCEPT
|
||||
|
||||
# Onion to SSHD
|
||||
# => Already set by SSHD -D1080 setup
|
||||
}
|
||||
|
||||
ipset_add_ip()
|
||||
|
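Review bot: The trailing comment `# Onion to SSHD` / `# => Already set by SSHD -D1080 setup` now contradicts the explicit Onion-GW to SSHD FORWARD rules added a few lines above it; either drop it or reword it to say which path it still refers to, e.g. `# Onion to SSHD via the -D1080 forward: already set by the SSHD setup`. The return rule `iptables -A FORWARD -o "${DEV_GW}" -i "${DEV_ACCESS}" -d "${TOR_IP}" -s "${SSHD_IP}" -p tcp --sport 22 -j ACCEPT` accepts any packet from SSHD_IP with source port 22 regardless of connection state, mirroring the existing NGINX pair; if a `--ctstate ESTABLISHED,RELATED` rule earlier in the chain (outside this hunk) already covers replies, the stateless return rules are redundant, otherwise `-m conntrack --ctstate ESTABLISHED,RELATED` on the return direction is the tighter form. ipt_set begins before this hunk.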
@ -111,6 +111,29 @@ lgwall()
|
||||
done
|
||||
}
|
||||
|
||||
# Enter a docker network namespace
|
||||
# [container] <cmd ...>
|
||||
dnenter()
|
||||
{
|
||||
local pid
|
||||
local c_id
|
||||
# local str
|
||||
local cmd
|
||||
c_id="$1"
|
||||
|
||||
shift 1
|
||||
pid=$(docker inspect -f '{{.State.Pid}}' "${c_id:?}") || return
|
||||
[[ ${#} -le 0 ]] && {
|
||||
env HISTFILE=/dev/null nsenter -t "${pid}" -a bash -il
|
||||
return
|
||||
}
|
||||
|
||||
# str=$(head -n1 "/proc/${pid}/cgroup")
|
||||
# FIXME: '*' wont work if there are more than 1 cgroup.
|
||||
# cgexec --sticky -g "*:${str##*:}" nsenter -t "${pid}" -a "${cmd[@]}"
|
||||
nsenter -t "${pid}" -n "$@"
|
||||
}
|
||||
|
||||
# Blocks Inodes
|
||||
# Project ID Used Soft Hard Warn/Grace Used Soft Hard Warn/ Grace
|
||||
# #9 0 0 4194304 00 [--------] 0 0 65536 00 [--------]
|
||||
|
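Review bot: The header comment `# [container] <cmd ...>` marks the container as optional, but dnenter requires it (`"${c_id:?}"` aborts when it is missing) and makes the command optional instead; `# <container> [cmd ...]` matches the code. The interactive branch enters every namespace of the target (`nsenter -t "${pid}" -a bash -il`) while the command branch enters only the network namespace (`nsenter -t "${pid}" -n "$@"`), which is presumably intentional but deserves a comment such as `# No command: full shell in all namespaces; otherwise run cmd in the net namespace only`, since the function's own comment only mentions the network namespace. `local cmd` is declared but never assigned now that the cgexec line is commented out, so it can go along with the `# local str` line.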