diff --git a/Makefile b/Makefile index ee3bfce..8806e3c 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -VER := 0.3.3 +VER := 0.3.3c all: make -C guest @@ -21,6 +21,14 @@ FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/sf-motd.sh" FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/sf-setup.sh" FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/rc.local-example" FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/vim/vimrc.local" +FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/pelicanconf.py" +FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/tasks.py" +FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/Makefile" +FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/content/Articles/hello.md" +FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/content/Articles/world.md" +FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/content/pages/mydw.md" +FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/content/pages/about.md" +FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/content/images" FILES_HOST += "segfault-$(VER)/host/Dockerfile" FILES_HOST += "segfault-$(VER)/host/Makefile" diff --git a/docker-compose.yml b/docker-compose.yml index 0027746..0dabd32 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -114,6 +114,7 @@ services: depends_on: - dnsmasq - sf-redis + - router dns: 172.20.0.53 cap_add: - NET_ADMIN #required @@ -146,6 +147,7 @@ services: depends_on: - dnsmasq - sf-redis + - router dns: 172.20.0.53 cap_add: - NET_ADMIN #required @@ -178,6 +180,7 @@ services: depends_on: - dnsmasq - sf-redis + - router dns: 172.20.0.53 cap_add: - NET_ADMIN #required @@ -226,6 +229,7 @@ services: - net.ipv4.conf.all.rp_filter=2 ports: - "${SF_SSH_PORT:-22}:22" + - "${SF_SSH_PORT2:-443}:22" environment: - SF_DEBUG - SF_MAXOUT diff --git a/encfsd/encfsd.sh b/encfsd/encfsd.sh index 9cbcbc9..d0e6efb 100755 --- a/encfsd/encfsd.sh +++ b/encfsd/encfsd.sh 
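Review bot: The new `- router` entry under `depends_on` only orders container start-up; it does not wait for the router's init.sh to finish installing its iptables and policy-routing rules, so a guest-facing service can still come up before the VPN/Tor egress path exists (the same applies to the two later `- router` hunks in this file). If the intent is that those services never see an unconfigured network, a `healthcheck` on the router service together with `depends_on: router: condition: service_healthy` expresses that, whereas the short-form list cannot. The enclosing service definitions start and end outside the hunk.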
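Review bot: `- "${SF_SSH_PORT2:-443}:22"` binds a second SSH listener on host port 443 by default, on all interfaces, and the only way to avoid it is to point SF_SSH_PORT2 at another port; on a host that already serves HTTPS the stack now fails to start with a port conflict, on others SSH is silently exposed on the HTTPS port. A comment next to the line stating why 443 was chosen would help operators decide whether they want it, and making the second mapping opt-in (a compose profile or an override file) avoids surprising existing deployments. The env.example hunk later in this commit documents the variable but not the reason for the default.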
@@ -26,7 +26,12 @@ xmkdir() [[ -d "$1" ]] && return # Odd occasion when no EncFS is running but kernel still has a stale mountpoint # mountpoint: everyone-root: Transport endpoint is not connected - fusermount -zu "$1" 2>/dev/null + # If EncFS died then a stale mount point might exist. + # -d/-e/-f all fail (Transport endpoint is not connected) + # Force an unmount if it's not a directory. + # After unmounting check again if it's a directory (it should be!) + fusermount -zu "${1}" 2>/dev/null && [[ -d "$1" ]] && return + mkdir "$1" } @@ -58,6 +63,7 @@ encfs_mount() return 255 } + xmkdir "${secdir}" || return 255 xmkdir "${rawdir}" || return 255 diff --git a/encfsd/portd.sh b/encfsd/portd.sh index 996e100..eab29d0 100755 --- a/encfsd/portd.sh +++ b/encfsd/portd.sh @@ -234,12 +234,16 @@ remport_provider() cmd_remport() { local lid - lid="$1" local c_ipports local n_ipports local m_ipports local provider + local selfdir + lid="$1" + selfdir="/config/self-for-guest/lg-${lid}" + # Remove files from instance + rm -f "${selfdir}/reverse_ip" "${selfdir}/reverse_port" 2>/dev/null # Remove routing # -> Dont need to. There is no harm leaving it. diff --git a/guest/Dockerfile b/guest/Dockerfile index 8735812..32101b4 100644 --- a/guest/Dockerfile +++ b/guest/Dockerfile @@ -3,7 +3,7 @@ FROM kalilinux/kali-rolling WORKDIR /root/ # Valid options are: -# MINI BASE DEVEL NET HACK LARGE HUGE ALL +# MINI BASE DEVEL NET WEB HACK LARGE HUGE ALL # SF_PACKAGES=ALL make # Default is "MINI BASE NET" (see pkg-install.sh) ARG SF_PACKAGES @@ -29,8 +29,10 @@ RUN apt-get update -y \ bc \ bsdmainutils \ dos2unix \ + file \ less \ openssh-sftp-server \ + python3-pip \ screen \ sharutils \ tmux \ 
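Review bot: In xmkdir the new chain `fusermount -zu "${1}" 2>/dev/null && [[ -d "$1" ]] && return` followed by `mkdir "$1"` also reaches `mkdir` when the path is a stale mountpoint that fusermount could not detach (a non-FUSE mount, or EncFS still holding it), and `mkdir` then fails with a message that says nothing about the mount; since encfs_mount relies on the status (`xmkdir "${secdir}" || return 255`), a diagnostic on that path would help, e.g. `mkdir "$1" || { echo >&2 "xmkdir: $1: not a directory and not a detachable mount"; return 1; }`. The earlier comment block about the `Transport endpoint is not connected` case now says the same as the four new comment lines; keep one of them. The function header `xmkdir()` and whatever precedes the `[[ -d "$1" ]]` check are outside the hunk.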
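Review bot: cmd_remport now builds `selfdir="/config/self-for-guest/lg-${lid}"` from `lid="$1"` and hands it to `rm -f`, but nothing in the hunk validates `lid`; if the id can originate from a guest-controlled request, a value containing `/` or `..` would make the removal operate outside the per-instance directory. A guard before the path is built keeps it confined, e.g. `[[ "$lid" =~ ^[[:alnum:]]+$ ]] || return 255` (adjust the pattern to the real id format). Where `lid` comes from is not visible here, and the rest of cmd_remport lies outside the hunk.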
@@ -146,7 +148,9 @@ RUN apt-get update -y \ ruby \ x11-apps \ && /pkg-install.sh HUGE go install -v github.com/projectdiscovery/uncover/cmd/uncover@latest \ - && /pkg-install.sh LARGE pip install --pre scapy[basic] \ + && /pkg-install.sh LARGE pip install --pre 'scapy[basic]' \ + && /pkg-install.sh WEB pip install \ + 'pelican[Markdown]' \ && /pkg-install.sh LARGE pip install \ git-dumper \ ipython \ diff --git a/guest/Makefile b/guest/Makefile index 483c943..bbee025 100644 --- a/guest/Makefile +++ b/guest/Makefile @@ -1,3 +1,3 @@ all: Dockerfile - docker build --build-arg SF_PACKAGES=$(SF_PACKAGES) -t sf-guest . + docker build --build-arg SF_PACKAGES="$(SF_PACKAGES)" -t sf-guest . diff --git a/guest/fs-root/sf/bin/sf-setup.sh b/guest/fs-root/sf/bin/sf-setup.sh index 68ea1bf..9dc83dc 100755 --- a/guest/fs-root/sf/bin/sf-setup.sh +++ b/guest/fs-root/sf/bin/sf-setup.sh @@ -103,6 +103,12 @@ setup() xmkdir /sec/usr/sbin xmkdir /sec/usr/share + # Copy Pelican www + [[ ! -d /sec/www ]] && { + cp -a /usr/share/www /sec + sed "s/^SITEURL.*/SITEURL = '\/${SF_HOSTNAME,,}'/" -i /sec/www/pelicanconf.py + } + # Setup rc.local (if not exist) and execute rc.local [[ ! -f /sec/usr/etc/rc.local ]] && setup_rclocal /bin/bash /sec/usr/etc/rc.local diff --git a/guest/setup.sh b/guest/setup.sh index 3d8d458..f733ccb 100755 --- a/guest/setup.sh +++ b/guest/setup.sh @@ -30,7 +30,11 @@ chown root:root /etc /etc/profile.d /etc/profile.d/segfault.sh && \ chmod 755 /usr /etc /etc/profile.d && \ chmod 644 /etc/profile.d/segfault.sh && \ chmod 644 /etc/shellrc /etc/zsh_command_not_found /etc/zsh_profile && \ +find /usr/share/www -type f -exec chmod 644 {} \; && \ +find /usr/share/www -type d -exec chmod 755 {} \; && \ ln -s batcat /usr/bin/bat && \ +ln -s /sf/bin/sf-motd.sh /usr/bin/motd && \ +ln -s /sf/bin/sf-motd.sh /usr/bin/help && \ echo DONE && exit 0 exit 254 diff --git a/host/fs-root/bin/segfaultsh b/host/fs-root/bin/segfaultsh index 76e655c..37e3833 100755 
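Review bot: `pip install 'pelican[Markdown]'`, like the existing `--pre 'scapy[basic]'` line, resolves whatever PyPI serves at build time, so the guest image is not reproducible and a yanked or compromised release lands in every rebuild; the `python3-pip` package added in the earlier hunk of this file is likewise unpinned. Pinning (`pelican[Markdown]==<version>`) or installing from a requirements file with `--require-hashes` fixes what goes into the image. Since `--pre` opts scapy into pre-release builds, a comment stating why a pre-release is required would help whoever next bumps it. The RUN instruction starts and ends outside the hunk.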
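Review bot: The new `sed "s/^SITEURL.*/SITEURL = '\/${SF_HOSTNAME,,}'/" -i /sec/www/pelicanconf.py` interpolates SF_HOSTNAME into the sed replacement unescaped, so a hostname containing `/`, `&` or `\` breaks or rewrites the expression and a `'` terminates the Python string in pelicanconf.py, a file Pelican imports as code. If SF_HOSTNAME is always assigned by the host from a fixed alphabet this is only brittle; otherwise it is an injection point, and rejecting values outside `[[:alnum:].-]` before the `sed` plus a delimiter that cannot occur in a hostname, e.g. `sed -i "s|^SITEURL.*|SITEURL = '/${SF_HOSTNAME,,}'|" /sec/www/pelicanconf.py`, closes it. Note also that `cp -a /usr/share/www /sec` runs only when `/sec/www` is absent, so later changes to the template in the image never reach existing users — worth a comment on the `[[ ! -d /sec/www ]]` line. setup() continues outside the hunk.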
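Review bot: The new `ln -s /sf/bin/sf-motd.sh /usr/bin/help` is unreachable from bash, where `help` is a builtin that takes precedence over anything in PATH, so any user whose login shell is bash gets the builtin's usage text instead of the motd; only shells without a `help` builtin pick up the symlink. Either note this next to the line (`# 'help' is shadowed by the bash builtin; bash users get it via the rc files`) or add a matching alias/function in the rc files this same `&&` list already touches (`/etc/shellrc`), which covers both shells. The `motd` link has no such conflict. The chained `&&` list begins before the hunk.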
--- a/host/fs-root/bin/segfaultsh +++ b/host/fs-root/bin/segfaultsh @@ -287,12 +287,12 @@ print_goodbye() n="$(bash -c "docker exec \"lg-${LID}\" pgrep . 2>/dev/null|wc -l")" DEBUGF "Processes running: $n" if [[ "$n" -gt 2 ]]; then - echo -e "Number of processes running: ${CDY}$((n-2))${CN}" + # echo -e "Number of processes running: ${CDY}$((n-2))${CN}" # Display the running processes str="process is" [[ "$n" -gt 3 ]] && str="processes are" echo -e "${CY}WARNING: ${CR}$((n-2))${CY} ${str} still running:${CN}" - exec_errnull docker exec "lg-${LID}" pgrep -v '^\[SF' -al | tail -n+2 | while read x; do p="${x%% *} "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done + exec_errnull docker exec "lg-${LID}" pgrep -v '^\[SF' -al | tail -n+3 | while read x; do p="${x%% *} "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done echo -e "\ -------> The encrypted filesystem in /sec will remain accessible until -------> the last shell exits or all background processes terminate. @@ -334,6 +334,7 @@ spawn_shell_exit() DEBUGF "ARG(${#})=$*" # Update current IP: + touch "/config/self-for-guest/lg-${LID}/THIS-DIRECTORY-IS-IN-MEMORY-ONLY" tofile "${YOUR_IP}" "/config/self-for-guest/lg-${LID}/ip" [[ -n $YOUR_GEOIP ]] && tofile "${YOUR_GEOIP}" "/config/self-for-guest/lg-${LID}/geoip" @@ -687,7 +688,9 @@ echo_pty -n "...." # FIXME: Could write my own tiny-init that spawns itself, sleeps forever and # waits for child. Would save memory. ### Start the care taker... -xmkdir "/config/self-for-guest/lg-${LID}" +selfdir="/config/self-for-guest/lg-${LID}" +xmkdir "${selfdir}" +# rm -f "${selfdir}/reverse_ip" "${selfdir}/reverse_port" # NOTE: Deleted by portd.sh exec_devnull docker run \ --hostname "sf-${SF_HOSTNAME}" \ "${DOCKER_ARGS[@]}" \ diff --git a/provision/env.example b/provision/env.example index c24c39a..7188fcf 100644 --- a/provision/env.example +++ b/provision/env.example 
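Review bot: print_goodbye keeps the old output line as `# echo -e "Number of processes running: ..."` instead of deleting it, and the third hunk of this file does the same with `# rm -f "${selfdir}/reverse_ip" ...`; commented-out commands drift from the code they mirror, and the only part worth keeping is the NOTE, so suggest dropping both and leaving `# reverse_ip/reverse_port are removed by portd.sh cmd_remport` above `xmkdir "${selfdir}"`. The `tail -n+3` change skips the first two processes listed by `pgrep -v '^\[SF' -al` (presumably the container's init and the shell itself), while the `$((n-2))` shown in the warning comes from a separate `pgrep . | wc -l`; if the two invocations ever disagree the count and the list will not match, so a short comment naming the two skipped entries would make the offset checkable. print_goodbye begins outside the hunk.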
@@ -3,6 +3,7 @@ SF_BASEDIR=${HOME}/segfault ## Status information between containers is exchanged via _SHMDIR/run #SF_SHMDIR=/dev/shm/sf #SF_SSH_PORT=22 +#SF_SSH_PORT2=443 #SF_DEBUG=1 #SF_USER=root #SF_USER_PASSWORD=segfault diff --git a/router/Dockerfile b/router/Dockerfile index 56069c2..8c68e24 100644 --- a/router/Dockerfile +++ b/router/Dockerfile @@ -1,17 +1,18 @@ FROM ubuntu:22.04 RUN apt-get update \ && apt-get install -y --no-install-recommends curl \ - wget \ - curl \ ca-certificates \ - net-tools \ + curl \ + fping \ inetutils-ping \ - netcat \ iptables \ iproute2 \ iperf \ + net-tools \ + netcat \ tcpdump \ - fping \ + wget \ + vim \ && rm -rf /var/lib/apt/lists/* COPY tc.sh init.sh fix-network.sh / diff --git a/router/init.sh b/router/init.sh index a98fe21..a345809 100755 --- a/router/init.sh +++ b/router/init.sh @@ -55,7 +55,6 @@ init_revport() { [[ -n $IS_REVPORT_INIT ]] && return IS_REVPORT_INIT=1 - # -----BEGIN REVERSE CONNECTION----- ### Create routing tables for reverse connection and when multipath routing is used: # We are using multipath routing _and_ reverse port forwarding from the VPN Provider. # See Cryptostorm's http://10.31.33.7/fwd as an example: @@ -88,6 +87,8 @@ init_revport() done iptables -A PREROUTING -t mangle -i "${DEV_GW}" -j CONNMARK --save-mark + echo -e >&2 "[$(date '+%F %T' -u)] RevPort set up for 172.20.0.[${ips[@]}]" + # Route return traffic back to VPN-GW the packet came in from. # Every return packet is marked (11nnn). If it is marked (e.g. it is a return packet) # then also mark it as 12nnn. Then use customer routing rule for all packets @@ -104,8 +105,6 @@ init_revport() ip rule add fwmark "12${n}" table "8${n}" ip route add default via "172.20.0.${n}" dev ${DEV_GW} table "8${n}" done - - # -----END REVERSE CONNECTION----- } use_vpn() 
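Review bot: The router Dockerfile hunk adds `vim` to an image whose job is packet marking and routing for the other containers; an editor is of no use to init.sh and only enlarges what is available to anyone who gains a shell in that container. If it is needed for live debugging, a comment saying so (`# vim: interactive debugging only`) or a separate debug build argument keeps the production image lean. The reordering of the existing packages is fine.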
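Review bot: In init_revport the new log line uses `${ips[@]}` inside a double-quoted string: with several elements that expands to several words, which `echo` happens to rejoin with spaces, but `${ips[*]}` is the form that means "join the array" and survives if the message is later assigned to a variable or passed to `logger`. Suggest `echo -e >&2 "[$(date '+%F %T' -u)] RevPort set up for 172.20.0.[${ips[*]}]"`. Whether `ips` is declared local to init_revport is not visible in the hunk.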
@@ -150,10 +149,9 @@ use_tor() monitor_failover() { - # ts=$(date +%s) local status_sha - + # FIXME: use redis here instead of polling while :; do bash -c "exec -a '[sleep router failover]' sleep 1" sha="$(sha256sum /config/guest/vpn_status 2>/dev/null)" @@ -169,6 +167,10 @@ monitor_failover() done } + +# Delete old vpn_status +[[ -f /config/guest/vpn_status ]] && rm -f /config/guest/vpn_status + DEV_I22="$(devbyip 172.28.0. eth0)" DEV="$(devbyip 10.11. eth1)" DEV_SSHD="$(devbyip 172.22.0. eth2)" @@ -227,8 +229,6 @@ iptables -t nat -A POSTROUTING -s 172.28.0.1 -o ${DEV_SSHD} -j MASQUERADE && \ iptables -A PREROUTING -i ${DEV_SSHD} -t mangle -p tcp -s 172.22.0.21 -j MARK --set-mark 22 # -----END GSNC traffic is routed via Internet---- - - ifconfig "$DEV" 10.11.0.1/16 && \ # MASQ all traffic because the VPN/TOR instances dont know the route back # to sf-guest (10.11.0.0/16).
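Review bot: The new top-level `[[ -f /config/guest/vpn_status ]] && rm -f /config/guest/vpn_status` guard is redundant — `rm -f` already succeeds silently when the file is missing — and the `[[ ]] &&` form leaves a non-zero status when it is absent; `rm -f /config/guest/vpn_status` alone does the same job. If the VPN/Tor containers that write vpn_status can already be running when the router (re)starts, this deletion races with a fresh write, and monitor_failover in the previous hunk, which polls the file's hash, would then miss that status until the writer updates it again. A comment stating the assumed start order, e.g. `# remove the stale status from a previous run; the VPN containers rewrite it once they are up`, would make the assumption checkable. That ordering is inferred from the names in this file and is not confirmed here.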