diff --git a/docker-compose.yml b/docker-compose.yml
index 863879c..2e86286 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -108,7 +108,7 @@ services:
 cgroup_parent: sf.slice
 volumes:
 - "${SF_BASEDIR:-.}/config/etc/logpipe/:/app/config/:ro"
- - "/dev/shm/sf/run/logpipe/:/app/sock/:rw"
+ - "${SF_SHMDIR:-/dev/shm/sf}/run/logpipe/:/app/sock/:rw"
 sf-portd:
 build: encfsd
@@ -424,7 +424,8 @@ services:
 - SF_MULLVAD_IP=${SF_MULLVAD_IP:?}
 - SF_GUEST_MTU=${SF_GUEST_MTU:-1420}
 volumes:
- - "${SF_SHMDIR:-/dev/shm/sf}/run/vpn:/sf/run/vpn"
+ - "${SF_SHMDIR:-/dev/shm/sf}/run:/sf/run"
+ - "${SF_BASEDIR:-.}/config/db:/config/db:ro"
 - "${SF_BASEDIR:-.}/config/etc/sf:/config/host/etc/sf:ro"
 - "${SF_SHMDIR:-/dev/shm/sf}/config-for-guest:/config/guest" # vpn_status to guest
 - "${SF_BASEDIR:-.}/sfbin:/sf/bin:ro"
@@ -653,7 +654,7 @@ services:
 - "/var/run/docker.sock:/var/run/docker.sock"
 - "/var/lib/lxcfs:/var/lib/lxcfs:ro"
 - "${SF_SHMDIR:-/dev/shm/sf}/run/redis/sock:/redis-sock"
- # - /research/segfault/host/fs-root/bin/segfaultsh:/bin/segfaultsh:ro # FIXME-TESTING
+ #- /research/segfault/host/fs-root/bin/segfaultsh:/bin/segfaultsh:ro # FIXME-TESTING
 # - /research/segfault/host:/host:ro # FIXME-TESTING sshd debug
 nginx:
diff --git a/guest/Dockerfile b/guest/Dockerfile
index 55e81b4..ed63fb4 100644
--- a/guest/Dockerfile
+++ b/guest/Dockerfile
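Review bot: The second hunk replaces the narrow `${SF_SHMDIR:-/dev/shm/sf}/run/vpn:/sf/run/vpn` mount with the entire run tree `${SF_SHMDIR:-/dev/shm/sf}/run:/sf/run`, read-write, so this service (presumably the router, given SF_MULLVAD_IP and the sfbin mount) now sees every sibling's runtime state under that directory, including the logpipe socket directory from the first hunk and the redis socket from the third. The only new consumer visible in this commit is router/user-limit.sh reading `/sf/run/users/lg-${LID}/limits.txt`, so the least-privilege shape would keep the vpn mount as it was and add `- "${SF_SHMDIR:-/dev/shm/sf}/run/users:/sf/run/users:ro"`. If further paths under /sf/run are genuinely needed, a comment next to the mount naming them would make the wider, writable grant deliberate rather than incidental.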
@@ -610,7 +610,7 @@ RUN /pkg-install.sh HUGE apt-get install -y --no-install-recommends \
 gobjc++-mingw-w64-i686-posix gobjc++-mingw-w64-i686-win32 gobjc-mingw-w64-i686-posix gobjc-mingw-w64-i686-win32 \
 maven \
 rust-src
-RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan_%arch:x86_64=amd64:aarch64=arm64%$' fscan \
+RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm64%$' fscan \
 && /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit `# x86_64 only, spirit-arm bad` \
 && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest \
 && mkdir -p /usr/share/gf \
diff --git a/host/fs-root/bin/segfaultsh b/host/fs-root/bin/segfaultsh
index 58474ee..c2366d4 100755
--- a/host/fs-root/bin/segfaultsh
+++ b/host/fs-root/bin/segfaultsh
@@ -326,7 +326,6 @@ init_vars()
 init_defaults
 init_emu
- [[ -f "${SF_RUN_DIR}/logs/segfault.log" ]] && IS_LOGGING=1
 NOW="$(date +%s)"
 [[ -z $YOUR_IP ]] && {
@@ -374,6 +373,8 @@ init_vars()
 fi
 fi
+ [[ -f "${SF_RUN_DIR}/logs/segfault.log" ]] && IS_LOGGING=1
+
 xmkdir "${LG_RUN_DIR}"
 # Check if we are still in sshd's Network Namespace
 IS_SSHD_NS_NET=1
@@ -455,8 +456,8 @@ ${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 sysmsg "/config/host/etc/logoutmsg-all.sh"
 echo -e "\
-RTFM : ${CB}${CUL}https://www.thc.org/segfault/faq${CN}
-GOODBYE : ${CW}Join us on Telegram - https://t.me/thcorg${CN}"
+📖 RTFM : ${CB}${CUL}https://www.thc.org/segfault/faq${CN}
+🤗 GOODBYE : ${CW}Join us on Telegram - https://t.me/thcorg${CN}"
 [[ -z $SF_IS_NEW_SERVER ]] && return
 prompt_wait_yN 10 "Would you like to see your ${CDY}SECRET${CN} to log back in to ${CDY}${SF_HOSTNAME:-UNKNOWN}${CN}?" || return
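Review bot: The rewritten fscan line picks a GitHub release asset purely by the filename pattern `'fscan%arch:x86_64=:aarch64=_arm64%$'` and, as far as this hunk shows, neither pins a release tag nor checks a digest, so the image content depends on whatever shadow1ng/fscan publishes at build time; the spirit line on the following continuation has the same property. If `/pkg-install.sh … ghbin` already pins or verifies downloads outside this file, a short comment on the line, e.g. `# ghbin: release resolved at build time; verification lives in pkg-install.sh`, would make that visible to readers of the Dockerfile; if it does not, recording the reviewed release and its checksum next to the line is the minimal way to make a later substitution noticeable. The `RUN` chain continues past the end of the hunk.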
@@ -528,7 +529,7 @@ spawn_shell_exit()
 sem_release
 # Add a log entry into elastisearch using logpipe
- logpipe "Type:Login|LID:${LID}|Hostname:${SF_HOSTNAME}||C_ISO:${YOUR_COUNTRY_ISO}|CONTINENT=${YOUR_CONTINENT_CODE}|"
+ logpipe "Type:Login|LID:${LID}|Hostname:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
 # Update current IP:
 tofile "${YOUR_IP_DISPLAY:?}" "/config/self-for-guest/lg-${LID}/ip"
@@ -616,7 +617,6 @@ load_limits()
 {
 local prefix
 local is_need_update_token
- local is_token_loaded
 # Set the default values.
 # No default for ROOT_FS limit. Should be set in sf.conf or if not set
 # then root is mounted read-only
@@ -634,8 +634,6 @@ load_limits()
 SF_ULIMIT_NOFILE="8192"
 SF_USER_SYN_BURST=8196
 SF_USER_SYN_LIMIT=1
- SF_USER_DL_BURST=8gb
- SF_USER_UL_BURST=8gb
 SF_RPORT=1
 # No new shells until load goes below STRAIN*NPROC.
@@ -652,18 +650,19 @@ load_limits()
 load_limits_fn "${SF_LIMITS_DIR}/limits-continent-${YOUR_CONTINENT_CODE}.conf"
 # Source country specific limits
- load_limits_fn "${SF_LIMITS_DIR}/limits-country-${YOUR_COUNTRY_ISO}.conf"
+ load_limits_fn "${SF_LIMITS_DIR}/limits-country-${YOUR_COUNTRY_ISO,,}.conf"
- prefix="${SF_TOKEN_PREFIX//[^a-z]}-"
+ unset prefix
+ [[ -n $SF_TOKEN_PREFIX ]] && prefix="${SF_TOKEN_PREFIX//[^a-z]}-"
 if [[ -z $SF_TOKEN ]]; then
 # HERE: SF_TOKEN _not_ supplied
 [[ -f "${SF_USER_DB_DIR}/token" ]] && {
 SF_TOKEN="$(<"${SF_USER_DB_DIR}/token")"
- is_token_loaded=1
 }
 else
 # HERE: SF_TOKEN is user supplied.
 [[ ! -f "${SF_TOKEN_DIR}/token-${prefix}${SF_TOKEN,,}.conf" ]] && ERREXIT 255 "The TOKEN '${CDY}${SF_TOKEN}${CN}' is not valid."
+ logpipe "Type:Token|TOKEN:${SF_TOKEN_NAME}|LID:${LID}|HOSTNAME:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
 is_need_update_token=1
 fi
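Review bot: The new Token log line in the last hunk interpolates `${SF_TOKEN_NAME}`, but nothing in this hunk assigns it: the token has only been confirmed to exist through the `-f` test on `token-${prefix}${SF_TOKEN,,}.conf`, and the matching line added to master/cgi-bin/rpc in this commit logs `${TOKEN_NAME,,}` instead. Unless SF_TOKEN_NAME is set earlier in load_limits (the function starts and ends outside this hunk), the TOKEN field will be empty at this point; logging `TOKEN:${prefix}${SF_TOKEN,,}` would record exactly the name the file check used and match the rpc side. Separately, every logpipe call splices values such as SF_HOSTNAME into a `|`-delimited record without escaping, so a `|` in any field shifts the columns for whatever parses the stream; a one-line comment near the Login call stating which fields are trusted to be free of the delimiter would document that assumption.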
@@ -782,6 +781,7 @@ TX=${tx:-unlimited}
 RX=${SF_MAXIN:-unlimited}
 SYN_BURST=${SF_USER_SYN_BURST}
 SYN_RATE=${SF_USER_SYN_LIMIT}/sec
+FW=${SF_USER_FW}
 SERVERS=${SF_LIMIT_SERVER_BY_IP}
 GREETINGS='${SF_SYSCOP_MSG}'" "/config/self-for-guest/lg-${LID}/limits"
 }
@@ -794,7 +794,12 @@ SF_USER_ROOT_FS_INODE=\"$SF_USER_ROOT_FS_INODE\"
 SF_USER_FS_SIZE=\"$SF_USER_FS_SIZE\"
 SF_USER_FS_INODE=\"$SF_USER_FS_INODE\"
 SF_USER_UL_RATE=\"$SF_USER_UL_RATE\"
+SF_HOSTNAME=\"$SF_HOSTNAME\"
+YOUR_COUNTRY_ISO=\"$YOUR_COUNTRY_ISO\"
+YOUR_CONTINENT_CODE=\"$YOUR_CONTINENT_CODE\"
+YOUR_IP_HASH=\"$YOUR_IP_HASH\"
 SF_RPORT=\"$SF_RPORT\"
+SF_USER_FW=\"$SF_USER_FW\"
 SF_TOKEN_IMMUTABLE=\"$SF_TOKEN_IMMUTABLE\"
 SF_USER_IMMUNE=\"$SF_USER_IMMUNE\"" "${LG_RUN_DIR}/limits.txt"
 }
@@ -1042,7 +1047,7 @@ mk_geoip()
 [[ -z $SF_HIDEIP ]] && city=$(echo "$res" | jq -r '.[0].Records[0].Record.city.names.en | select(. != null)')
 country=$(echo "$res" | jq -r '.[0].Records[0].Record.country.names.en | select(. != null)')
 country_iso=$(echo "$res" | jq -r '.[0].Records[0].Record.country.iso_code | select(. != null)')
- continent_code=$(echo "$res" | jq -r '.[0].Records[0].Record.country.iso_code | select(. != null)')
+ continent_code=$(echo "$res" | jq -r '.[0].Records[0].Record.continent.code | select(. != null)')
 country_iso="${country_iso,,}"
 country_iso="${country_iso//[^a-z]}"
@@ -1224,7 +1229,7 @@ else
 [[ -d "${HNLID_DIR}" ]] || exec_devnull mkdir "${HNLID_DIR}"
 tofile "$LID" "${HNLID_FILE}" || ERREXIT 231 "tofile: Failed to create hnlid_file"
 # Add a log entry into elastisearch using logpipe
- logpipe "Type:Create|LID:${LID}|Hostname:${SF_HOSTNAME}|C_ISO:${YOUR_COUNTRY_ISO}|CONTINENT=${YOUR_CONTINENT_CODE}|"
+ logpipe "Type:Create|LID:${LID}|Hostname:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
 fi
 DEBUGF "LID=${LID} SF_HOSTNAME=${SF_HOSTNAME}"
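Review bot: The `tofile` call in the second hunk now writes `SF_HOSTNAME=\"$SF_HOSTNAME\"` and `SF_USER_FW=\"$SF_USER_FW\"` into `${LG_RUN_DIR}/limits.txt`, and router/user-limit.sh in this same commit loads that file with `source` under `set -e` and then derives `/config/db/token/netns-${SF_USER_FW}.sh` from one of those values and sources it as well. Because the values are embedded inside double quotes, a `"`, `$`, backtick or newline in either of them is interpreted by the router's shell, and a `/` or `..` inside SF_USER_FW changes which file gets sourced. I cannot see where SF_HOSTNAME and SF_USER_FW originate; if either can carry user-chosen text, emitting them with `printf '%q'` or rejecting anything outside `[A-Za-z0-9._-]` before this write closes the gap, and if both are admin-controlled, a comment such as `# limits.txt is sourced by router/user-limit.sh; values must stay shell-safe` records the contract for the next person who adds a field. The enclosing function begins before this hunk.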
@@ -1232,7 +1237,7 @@ unset str
 [[ -n $SF_LOG_IP ]] && str="[${CDY}${YOUR_IP}${CN}] "
 str+="${CDG}${SF_HOSTNAME}"
 [[ -n $SF_PRJ ]] && str+="/${CW}${SF_PRJ}"
-LOG "${str}${CN} ${CDC}$*${CN}"
+LOG "${str}${CN} [${CF}${YOUR_IP_HASH}${CN}/${CDY}${YOUR_COUNTRY_ISO}${CN}/${CDM}${YOUR_CONTINENT_CODE}${CN}] ${CDC}$*${CN}"
 # Record which SSHD process is connect to guest LG.
 tofile "SSHD_PID=$PPID
@@ -1261,7 +1266,7 @@ sem_wait
 [[ $str == "running" ]] && {
 echo_pty -e "..........[${CG}Ok${CN}]"
 DEBUGF "Attaching to existing container lg-${LID}..."
- LOG "Attaching to existing container"
+ # LOG "Attaching to existing container"
 spawn_shell_exit "$@" # NOT REACHED
 }
@@ -1377,7 +1382,7 @@ echo_pty -n ".."
 res=$(red SET "ip:${C_IP}" "${LID} ${CID} ${LG_PID}") || STOPEXIT "$LID" 252 "Failed to set LID in Redis"
 # Set FW rules for this container
-exec_devnull docker exec sf-router /user-limit.sh "${YOUR_IP_HASH}" "${YOUR_IP}" "${C_IP}" "$SF_USER_SYN_LIMIT" "$SF_USER_SYN_BURST" "$SF_USER_DL_RATE" "$SF_USER_DL_BURST" "$SF_USER_UL_RATE" "$SF_USER_UL_BURST" || STOPEXIT "${LID}" 251 "Faild to set syn-limit...";
+exec_devnull docker exec sf-router /user-limit.sh "${LID}" "${YOUR_IP_HASH}" "${YOUR_IP}" "${C_IP}" "$SF_USER_SYN_LIMIT" "$SF_USER_SYN_BURST" || STOPEXIT "${LID}" 251 "Faild to set syn-limit...";
 # Ready container
 exec_devnull docker exec sf-master /ready-lg.sh "${LID}" "${C_IP}" "${LG_PID}" "${SF_USER_DL_RATE}" "${SF_USER_UL_RATE}" || STOPEXIT "${LID}" 246 "Failed-#3 to ready guest container..."
diff --git a/master/cgi-bin/rpc b/master/cgi-bin/rpc
index f7aec8a..781fa1e 100755
--- a/master/cgi-bin/rpc
+++ b/master/cgi-bin/rpc
@@ -7,6 +7,7 @@ WG_PORT_MAX=65535
 WT_VER=1
 COLOR="always"
 ICON_ERROR=""
+SF_RUN_DIR="/dev/shm/sf/run"
 source /sf/bin/funcs.sh
 source /sf/bin/funcs_redis.sh
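Review bot: The rewritten `LOG` line in the first hunk now writes `${YOUR_IP_HASH}`, `${YOUR_COUNTRY_ISO}` and `${YOUR_CONTINENT_CODE}` to the host log on every connection regardless of `SF_LOG_IP`, while the raw address on the line above remains behind that flag; if the hash is the intended privacy-preserving identifier this is fine, but a comment above the line, e.g. `# IP hash and geo fields are logged even when SF_LOG_IP is unset`, would make that retention decision explicit for anyone auditing what the host keeps. In the second hunk `LOG "Attaching to existing container"` is commented out rather than deleted; the `DEBUGF` directly above already covers the case, so removing the line avoids leaving dead code in the script.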
@@ -18,6 +19,12 @@ WG_EP_HOST=${WG_EP_IP}
 echo -en "Content-Type: text/plain\r\n\r\n"
+logpipe() {
+ [[ ! -e "${SF_RUN_DIR}/logpipe/logPipe.sock" ]] && return
+
+ echo "$*" | nc -U unix-socket-client
+}
+
 # BAIL
 # STDOUT goes to user.
 # STDERR is logged.
@@ -683,6 +690,7 @@ cmd_token() {
 [[ ! -f "${token_fn}" ]] && { sleep 1; BAIL "${M}Token '${R}${TOKEN_NAME}${M}' does not exist.${N}"; }
 echo "${TOKEN_NAME}" >"/config/db/user/lg-${LID}/token"
+ logpipe "Type:Token|TOKEN:${TOKEN_NAME,,}|LID:${LID}|HOSTNAME:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
 echo -en "${G}🦋 Token set. ${N}Type ${C}halt${N} and log back in."
diff --git a/router/user-limit.sh b/router/user-limit.sh
index e755adc..84767da 100755
--- a/router/user-limit.sh
+++ b/router/user-limit.sh
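Review bot: `logpipe()` in the first hunk checks that `${SF_RUN_DIR}/logpipe/logPipe.sock` exists but then connects with `nc -U unix-socket-client`, a literal name rather than that socket path, so unless a file of that name happens to exist in the CGI's working directory the record is silently dropped right after the guard passed. The line presumably meant to be `echo "$*" | nc -U "${SF_RUN_DIR}/logpipe/logPipe.sock"`; since this runs inside a request handler, adding a bounded timeout (`nc -w 1 -U …`) also keeps a stalled collector from delaying the user's response. The second hunk's call then records the Token event for `${TOKEN_NAME,,}` only after the token file has been written, which is the right order, but it will inherit whatever the connect line actually does.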
@@ -1,23 +1,36 @@
 #! /bin/bash
+# Executed on router
 # Set User's TCP SYN limit and others
 # [YOUR_IP] [Container IP] [SYN_LIMIT 1/sec] [SYN_BURST]
-YOUR_IP_HASH="$1"
-YOUR_IP="$2"
-C_IP="$3"
-SYN_LIMIT="$4"
-SYN_BURST="$5"
-USER_DL_RATE="$6"
-USER_DL_BURST="$6"
-USER_UL_RATE="$7"
-USER_UL_BURST="$8"
+LID="$1"
+YOUR_IP_HASH="$2"
+YOUR_IP="$3"
+C_IP="$4"
+SYN_LIMIT="$5"
+SYN_BURST="$6"
+
+set -e # Exit immediately on error
+source "/dev/shm/net-devs.txt"
+source "/sf/run/users/lg-${LID}/limits.txt"
+
+fn="/config/db/token/netns-${SF_USER_FW}.sh"
+FORWARD_USER="FW-${C_IP:?}"
+set +e
+iptables -F "${FORWARD_USER}" 2>/dev/null || iptables -N "${FORWARD_USER}"
+[[ -n $SF_USER_FW ]] && [[ -f "$fn" ]] && {
+ iptables -C FORWARD -i "${DEV_LG:?}" -s "${C_IP}" -j "${FORWARD_USER}" &>/dev/null || iptables -I FORWARD 1 -i "${DEV_LG}" -s "${C_IP}" -j "${FORWARD_USER}"
+ set -e
+ source "$fn"
+ set +e
+}
+
 # Create our own 'hashmap' so that SYN is limited by user's source IP (e.g. user can spawn two
 # servers and both servers have a total limit of SYN_LIMIT)
 IDX=$((0x${YOUR_IP_HASH} % 1024))
 [[ $IDX -lt 0 ]] && IDX=$((IDX * -1))
-source /dev/shm/net-devs.txt || exit
 [[ -n $SYN_LIMIT ]] && {
 CHAIN="SYN-${SYN_LIMIT}-${SYN_BURST}-${IDX}"