From 2d44ba50001fa0e6c7988b4e419616e7e3e3a2d7 Mon Sep 17 00:00:00 2001 From: acidvegas Date: Tue, 12 Sep 2023 16:44:54 -0400 Subject: [PATCH] more stuff get fucked ok --- archlinux/arch | 73 ++++++++++++++++++++++++++ archlinux/arm | 11 ++++ archlinux/fstab | 9 ++++ archlinux/x86 | 34 +++++++++++++ bash.bashrc | 32 ++++++++++++ btkb | 12 +++++ buyvm.py | 36 ++++++------- confusables.py | 2 +- ddosmonit | 28 +++------- docs/elkstack.md | 110 ++++++++++++++++++++++++++++++++++++++++ iprange.py | 44 ---------------- iptables.sh | 45 ++++++++++++++++ logga.py | 28 +++++----- logs/debug.log | 5 ++ proxscrap | 62 ---------------------- stagit/stagit => stagit | 0 stagit/README.md | 27 ---------- termux | 36 +++++++++++++ vps | 18 +++++++ 19 files changed, 426 insertions(+), 186 deletions(-) create mode 100755 archlinux/arch create mode 100755 archlinux/arm create mode 100644 archlinux/fstab create mode 100755 archlinux/x86 create mode 100644 bash.bashrc create mode 100755 btkb create mode 100644 docs/elkstack.md delete mode 100644 iprange.py create mode 100644 iptables.sh create mode 100644 logs/debug.log delete mode 100755 proxscrap rename stagit/stagit => stagit (100%) delete mode 100644 stagit/README.md create mode 100755 termux create mode 100755 vps diff --git a/archlinux/arch b/archlinux/arch new file mode 100755 index 0000000..187c366 --- /dev/null +++ b/archlinux/arch 
@@ -0,0 +1,73 @@
+#!/bin/sh
+set -xev
+
+GIT_URL="https://raw.githubusercontent.com/acidvegas/archlinux/master"
+RPI=0
+
+setup_initial() {
+ systemctl stop sshd && systemctl disable sshd
+ history -c && export HISTFILESIZE=0 && export HISTSIZE=0 && unset HISTFILE
+ [ -f /root/.bash_history ] && rm /root/.bash_history
+ passwd
+ [ $RPI -eq 1 ] && userdel -r alarm
+ useradd -m -s /bin/bash acidvegas && gpasswd -a acidvegas wheel && passwd acidvegas
+ timedatectl set-timezone America/New_York && timedatectl set-ntp true
+ echo "LANG=en_US.UTF-8" > /etc/locale.conf && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen
+}
+
+setup_wifi() {
+ echo "wildwest" > /etc/hostname
+ echo -e "[Match]\nName=wlan0\n\n[Network]\nDHCP=ipv4\nMulticastDNS=yes\n#Address=10.0.0.200/24\nGateway=10.0.0.1" > /etc/systemd/network/25-wireless.network
+ echo -e "[Resolve]\nDNS=8.8.4.4 8.8.8.8 2001:4860:4860::8888 2001:4860:4860::8844\nFallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001\nMulticastDNS=yes\nDNSSEC=no\nCache=yes" > /etc/systemd/resolved.conf
+ ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+ wpa_passphrase MYSSID passphrase > /etc/wpa_supplicant/wpa_supplicant-wlan0.conf && chmod 600 /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
+ systemctl start systemd-networkd && systemctl enable systemd-networkd
+ systemctl start systemd-resolved && systemctl enable systemd-resolved
+ systemctl start wpa_supplicant@wlan0 && systemctl enable wpa_supplicant@wlan0
+}
+
+setup_pacman() {
+ MI="Include = /etc/pacman.d/mirrorlist"
+ echo -e "[options]\nArchitecture = auto\nColor\nCheckSpace\nHoldPkg = pacman glibc\nParallelDownloads = 10\nSigLevel = Required DatabaseOptional\nLocalFileSigLevel = Optional\nRemoteFileSigLevel = Required\n\n" > /etc/pacman.conf
+ echo -e "[core-testing]\n$MI\n\n[core]\n$MI\n\n[extra-testing]\n$MI\n\n[extra]\n$MI\n\n" >> /etc/pacman.conf
+ [ $RPI -eq 0 ] && echo -e "[multilib-testing]\n$MI\n\n[multilib]\n$MI" >> /etc/pacman.conf
+ [ $RPI -eq 1 ] && echo -e "[community]\n$MI\n\n[alarm]\n$MI\n\n[aur]\n$MI" >> /etc/pacman.conf
+ pacman-key --init
+ [ $RPI -eq 1 ] && pacman-key --populate archlinuxarm && echo 'Server = http://mirror.archlinuxarm.org/$arch/$repo' > /etc/pacman.d/mirrorlist
+ [ $RPI -eq 0 ] && pacman-key --populate archlinux
+ pacman -Syyu
+ pacman -S checkbashisms gcc go make patch pkg-config python python-pip
+ pacman -S asciiquarium cmatrix hollywood tty-solitaire
+ pacman -S abduco curl fzf git man nano ncdu progress rsync sudo tor unzip weechat which yank
+ pacman -S bandwhich exa glow gping gpm
+ pacman -S alsa-utils alsa-lib alsa-firmware libpulse pulseaudio cmus id3v2 mps-youtube python-eyed3 youtube-dl # TODO: check these
+ pacman -S dmenu dunst firefox scrot unclutter xclip
+ pacman -S acpi xorg-xbacklight xorg-xinit xorg-xrandr xorg-server xorg-xsetroot
+ pacman -S fakeroot xorg-font-util xorg-mkfontscale xorg-mkfontdir
+ [ $RPI -eq 1 ] && pacman -S xf86-video-fbdev
+ [ $RPI -eq 0 ] && pacman -S xf86-video-intel mesa lib32-mesa
+ #[ $RPI -eq 0 ] && pacman -S nvidia nvidia-utils lib32-nvidia-utils
+ [ $RPI -eq 1 ] && systemctl start gpm && systemctl enable gpm
+}
+
+setup_configs() {
+ if [ $RPI -eq 1 ]; then
+ sed -i 's/^console=tty1/console=tty3/' /boot/cmdline.txt && echo "quiet loglevel=3 rd.systemd.show_status=auto rd.udev.log_level=3 logo.nologo consoleblank=0" >> /boot/cmdline.txt
+ echo -e "avoid_warnings=1\ndisable_splash=1\ndtparam=act_led_trigger=none\ndtparam=act_led_activelow=on\ndtparam=audio=on" > /boot/config.txt
+ wget -O /etc/fstab $GIT_URL/etc/fstab
+ fi
+ wget -O /etc/issue $GIT_URL/etc/issue
+ wget -O /etc/sudoers.d/sudoers.lecture $GIT_URL/etc/sudoers.d/sudoers.lecture
+ echo -e "set boldtext\nset minibar\nset nohelp\nset nowrap\nset quickblank\nset tabsize 4\nunbind ^J main\nset selectedcolor black,red\ninclude \"/usr/share/nano/*.nanorc\"" > /etc/nanorc
+ echo -e "export VISUAL=nano\nexport EDITOR=nano\nunset HISTFILE\nln /dev/null ~/.bash_history -sf" >> /etc/profile
+ echo -e "AuthenticationMethods publickey\nBanner /etc/issue\nClientAliveInterval 0\nDisableForwarding yes\nPermitRootLogin no\nPort CHANGEME\nPrintLastLog no" > /etc/ssh/sshd_config
+ echo -e "Defaults lecture = always\nDefaults lecture_file = /etc/sudoers.d/sudoers.lecture\nroot ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL" > /etc/sudoers
+ echo -e "[Journal]\nStorage=volatile\nSplitMode=none\nRuntimeMaxUse=500K" > /etc/systemd/journald.conf
+ mkdir -p /etc/systemd/system/systemd-logind.service.d && echo -e "[Service]\nSupplementaryGroups=proc" > /etc/systemd/system/systemd-logind.service.d/hidepid.conf
+ [ $RPI -eq 1 ] && echo "FONT=ohsnap6x11r" > /etc/vconsole.conf
+}
+
+setup_initial
+setup_wifi
+setup_pacman
+setup_configs
diff --git a/archlinux/arm b/archlinux/arm
new file mode 100755
index 0000000..fb4342d
--- /dev/null
+++ b/archlinux/arm
@@ -0,0 +1,11 @@
+#!/bin/sh
+# required: dosfstools
+set -xev
+echo -e "o\nn\np\n1\n\n+100M\nt\nc\nn\np\n2\n\n\nw\n" | fdisk -w always -W always /dev/sda
+mkdir boot root
+mkfs.vfat /dev/sda1 && mount /dev/sda1 boot
+mkfs.ext4 /dev/sda2 && mount /dev/sda2 root
+wget -O archlinuxarm.tar.gz http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-armv7-latest.tar.gz
+bsdtar -xpf archlinuxarm.tar.gz -C root && sync
+mv root/boot/* boot
+umount boot root && rm -r archlinuxarm.tar.gz boot root
diff --git a/archlinux/fstab b/archlinux/fstab
new file mode 100644
index 0000000..7d63efc
--- /dev/null
+++ b/archlinux/fstab
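Review bot: With the default `RPI=0`, the last command of `setup_pacman` is `[ $RPI -eq 1 ] && systemctl start gpm && systemctl enable gpm`, which evaluates to status 1, so the function returns 1 and `set -e` terminates the script at the top-level `setup_pacman` call — `setup_configs` never runs on x86 (the same trailing-conditional pattern closes `setup_configs`). Guard those trailing lines with `|| true` or write them as `if [ "$RPI" -eq 1 ]; then ...; fi`. Separately, `setup_configs` overwrites `/etc/sudoers` with a bare `echo -e` and no syntax check, on a box where `sshd` has just been disabled and root login is off, so a typo there leaves no privileged path back in; write to a temp file and install it with `visudo -cf "$tmp" && install -m 0440 "$tmp" /etc/sudoers`. Note also that `set -x` traces the `wpa_passphrase MYSSID passphrase` arguments to stderr, so the real PSK will appear in any captured install log.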
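Review bot: The root filesystem tarball is fetched over plain `http://` on the `wget -O archlinuxarm.tar.gz ...` line and unpacked as root with `bsdtar -xpf` with no checksum or signature check, so anyone on the path can substitute an arbitrary rootfs. Fetch it over `https://os.archlinuxarm.org/...` and verify it against the `.md5` the project publishes next to the tarball before extracting (`md5sum -c ArchLinuxARM-rpi-armv7-latest.tar.gz.md5`), treating that as protection against corruption and casual tampering rather than a strong authenticity check. `/dev/sda` is also hard-coded into `fdisk`/`mkfs.vfat`/`mkfs.ext4`, which wipes whatever device happens to enumerate first; take the target device as `$1` and echo it with a confirmation prompt before partitioning.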
@@ -0,0 +1,9 @@
+# NOTE: This fstab file was made for a Raspberry Pi runnning Arch Linux ARM
+#
+/dev/mmcblk0p1 /boot vfat ro,noatime,nodev,noexec,nosuid 0 2
+/dev/mmcblk0p2 / ext4 rw,noatime,data=ordered,commit=60 0 1
+proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0
+tmpfs /dev/shm tmpfs rw,noatime,nodev,noexec,nosuid 0 0
+tmpfs /tmp tmpfs rw,mode=0755,noatime,nodev,nosuid,size=100m 0 0
+tmpfs /var/log tmpfs rw,mode=0755,noatime,nodev,noexec,nosuid,size=25m 0 0
+tmpfs /run tmpfs rw,mode=0755,noatime,nodev,nosuid,size=25m 0 0
diff --git a/archlinux/x86 b/archlinux/x86
new file mode 100755
index 0000000..c47d91e
--- /dev/null
+++ b/archlinux/x86
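Review bot: The `/tmp` entry mounts tmpfs with `mode=0755`, which makes `/tmp` writable only by root; programs expect a world-writable sticky directory, so this should be `mode=1777` (the `/var/log` and `/run` entries are fine at 0755 because only root writes there). `/tmp` is also the only tmpfs here without `noexec`, while `/dev/shm` and `/var/log` have it — if that is deliberate (builds that unpack into /tmp), a comment saying so would stop the next reader from "fixing" it, otherwise add `noexec` for consistency. `/var/log` on a 25m tmpfs means no logs survive a reboot, which is worth stating in the header NOTE for anyone who later needs this box's logs as evidence.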
@@ -0,0 +1,34 @@
+#!/bin/sh
+# arch linxu x86 helper - developed by acidvegas (https://git.acid.vegas/archlinux)
+
+MNT="sda"
+DEV="wlan0"
+
+lspci -v | grep -A1 -e VGA -e 3D
+iwctl --passphrase PASSWORD station $DEV connect SSID
+#fdisk # convert mbr to gpt
+mkfs.ext4 /dev/${MNT}p2
+#mkswap /dev/swap_partition
+mkfs.fat -F 32 /dev/${MNT}p1
+mount /dev/${MNT}p2 /mnt
+mount --mkdir /dev/${MNT}p1 /mnt/boot
+#swapon /dev/swap_partition
+pacstrap -K /mnt base linux linux-firmware # Microcodes: amd-ucode intel-ucode
+genfstab -U /mnt >> /mnt/etc/fstab
+arch-chroot /mnt
+
+ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
+hwclock --systohc
+echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen
+echo "LANG=en_US.UTF-8" > /etc/locale.conf
+echo "wildwest" > /etc/hostname
+passwd
+bootctl install
+systemctl enable systemd-boot-update.service
+mkdir -p /etc/pacman.d/hooks
+echo -e "[Trigger]\nType = Package\nOperation = Upgrade\nTarget = systemd\n\n[Action]\nDescription = Gracefully upgrading systemd-boot...\nWhen = PostTransaction\nExec = /usr/bin/systemctl restart systemd-boot-update.service" > /etc/pacman.d/hooks/95-systemd-boot.hook
+echo -e "title Arch Linux\n\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd /initramfs-linux.img\noptions root=\"/dev/mmcblk0p2\" rw" > /boot/loader/entries/arch.conf
+echo -e "title Arch Linux (fallback initramfs)\n\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd /initramfs-linux-fallback.img\noptions root=\"/dev/mmcblk0p2\" rw" > /boot/loader/entries/arch-fallback.conf
+exit
+
+umount -R /mnt
diff --git a/bash.bashrc b/bash.bashrc
new file mode 100644
index 0000000..62ca19b
--- /dev/null
+++ b/bash.bashrc
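Review bot: `MNT="sda"` is expanded as `/dev/${MNT}p2`, but SATA/virtio disks name partitions `sda2`, not `sdap2` — the `p` separator belongs to `nvme*n1`/`mmcblk*` devices — so the `mkfs.ext4`, `mkfs.fat` and both `mount` lines target nodes that do not exist, and the two loader entries then hard-code `root="/dev/mmcblk0p2"` regardless of `MNT`. Take the two partition paths as arguments and point `options root=` at the `PARTUUID=` that `genfstab -U` already resolves, so the entry does not depend on enumeration order. The lines from `ln -sf ...` through `exit` appear intended to run inside the `arch-chroot /mnt` shell, but as a script they run on the host after that shell exits; if this is a copy-paste checklist rather than a runnable script, the header comment should say so. Passing `--passphrase PASSWORD` on the `iwctl` command line exposes the PSK in the process list and shell history; `iwctl` prompts for it when the flag is omitted.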
@@ -0,0 +1,32 @@
+[[ $- != *i* ]] && return
+
+shopt -s checkwinsize
+
+export LC_CTYPE=en_US.UTF-8
+export LC_ALL=en_US.UTF-8
+
+# color
+alias diff='diff --color=auto'
+alias dir='dir --color=auto'
+alias egrep='egrep --color=auto'
+alias grep='grep --color=auto'
+alias fgrep='fgrep --color=auto'
+alias ip='ip -color=auto'
+alias ls='ls --color=auto'
+alias ncdu='ncdu --color dark -rr'
+alias vdir='vdir --color=auto'
+
+# rewrites
+alias pip='pip3'
+alias python='python3'
+alias wget='wget -q --show-progress'
+
+# random
+alias ..="cd ../"
+alias up="sudo apt-get update && sudo apt-get upgrade && sudo apt autoremove"
+
+if [ $(id -u) == "0" ]; then
+ export PS1="\e[31m\u@\h\e[0m \e[33m\w \e[0m: "
+else
+ export PS1="\e[38;5;41m\u@\h\e[0m \e[38;5;69m\w \e[0m: "
+fi
diff --git a/btkb b/btkb
new file mode 100755
index 0000000..9e00b9a
--- /dev/null
+++ b/btkb
@@ -0,0 +1,12 @@
+#!/bin/sh
+pacman -S bluez bluez-utils
+systemctl enable bluetooth && sudo systemctl start bluetooth
+sed -i 's/#AutoEnable=false/AutoEnable=true/' /etc/bluetooth/main.conf
+bluetoothctl power on # possible bluetoothctl --
+bluetoothctl agent KeyboardOnly
+bluetoothctl pairable on
+bluetoothctl scan on
+bluetoothctl pair CC:C5:0A:20:91:5B
+bluetoothctl trust CC:C5:0A:20:91:5B
+bluetoothctl connect CC:C5:0A:20:91:5B
+bluetoothctl scan off
diff --git a/buyvm.py b/buyvm.py
index 0e167ef..9ac8c5a 100644
--- a/buyvm.py
+++ b/buyvm.py
@@ -12,21 +12,23 @@ nodes = {
 'Miami' : '48'
 }
-for node in nodes:
- data = urllib.request.urlopen('https://my.frantech.ca/cart.php?gid=' + nodes[node]).read().decode()
- packages = re.findall(r'
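Review bot: Both `PS1` assignments embed the colour escapes as bare `\e[...m` instead of `\[\e[...m\]`, so bash counts the invisible bytes as printable, miscalculates the prompt width, and garbles line editing and history recall on long commands; the root branch should read `export PS1="\[\e[31m\]\u@\h\[\e[0m\] \[\e[33m\]\w \[\e[0m\]: "` with the same bracketing in the `else` branch. `[ $(id -u) == "0" ]` also uses the bash-only `==` inside single-bracket `[`; since the file already relies on `[[` on its first line, `[[ $EUID -eq 0 ]]` is the consistent form.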
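Review bot: `bluetoothctl pairable on` is never reverted, so once the keyboard is paired the adapter keeps accepting pairing requests from any nearby device; add `bluetoothctl pairable off` after the `connect CC:C5:0A:20:91:5B` line. The one-shot `bluetoothctl scan on` returns immediately, so the `pair` that follows can run before the device has been discovered — either add a short `sleep` between them or note in a comment that the pairing steps are meant for an interactive `bluetoothctl` session. `systemctl enable bluetooth && sudo systemctl start bluetooth` mixes privileged and unprivileged invocations; the `pacman -S` and `sed -i /etc/bluetooth/main.conf` lines already require root, so the `sudo` is either redundant or a sign the script is run as the wrong user.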

(.+?)Available\n', data, re.I | re.M | re.S | re.U) - print(f'Servers in \033[34m{node}\033[0m:') - for server in packages: - name = server.split('

')[0].ljust(18) - price = server.split('')[1].split('
  • ')[1].split('')[0].split('NVME')[0] - for item in ('
  • ','
  • ','',''): - features = features.replace(item,'') - features = features.ljust(39) - stock = server.split()[-1] - if stock == '0': - stock = f'\033[31m{stock}\033[0m' - else: - stock = f'\033[32m{stock}\033[0m' - print(f'{name} \033[1;30m|\033[0m {price} \033[1;30m|\033[0m {features} \033[1;30m|\033[0m {stock}') +while True: + for node in nodes: + data = urllib.request.urlopen('https://my.frantech.ca/cart.php?gid=' + nodes[node]).read().decode() + packages = re.findall(r'

    (.+?)Available\n', data, re.I | re.M | re.S | re.U) + print(f'Servers in \033[34m{node}\033[0m:') + for server in packages: + name = server.split('

    ')[0].ljust(18) + price = server.split('
    ')[1].split('
  • ')[1].split('')[0].split('NVME')[0] + for item in ('
  • ','
  • ','',''): + features = features.replace(item,'') + features = features.ljust(39) + stock = server.split()[-1] + if stock == '0': + stock = f'\033[31m{stock}\033[0m' + else: + stock = f'\033[32m{stock}\033[0m' + print(f'{name} \033[1;30m|\033[0m {price} \033[1;30m|\033[0m {features} \033[1;30m|\033[0m {stock}') + time.sleep(300) diff --git a/confusables.py b/confusables.py index 79bf8c1..1e236ab 100644 --- a/confusables.py +++ b/confusables.py @@ -102,4 +102,4 @@ confusable = { } for i in range(30): - print(confuse('IRC.SUPERNETS.ORG #SUPERBOWL GET FUCKED')) \ No newline at end of file + print(confuse('facebook')) diff --git a/ddosmonit b/ddosmonit index dfeb96b..587f00f 100755 --- a/ddosmonit +++ b/ddosmonit 
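Review bot: The `urllib.request.urlopen(...)` call inside the new `while True:` loop has no `timeout` and no exception handling, so one stalled TCP connection blocks the monitor forever and a single transient `URLError` or HTTP 5xx kills the loop outright; fetch with `urllib.request.urlopen(url, timeout=30)` inside a `try`/`except urllib.error.URLError` that logs the error and still falls through to `time.sleep(300)`. The hunk starts using `time.sleep` but the import block is above this hunk, so confirm `import time` (and `urllib.error` if the `except` above is added) is present at the top of the file.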
@@ -1,27 +1,13 @@ #!/bin/sh -interface=eth0 -dumpdir=/tmp/ -email="admin@domain.tld" -subject="DDoS Notification: `hostname`" -sender="admin@domain.tld" -while /bin/true; do - pkt_old=`grep $interface: /proc/net/dev | cut -d : -f2 | awk '{ print $2 }'` +while true; do + pkt_old=$(grep eth0: /proc/net/dev | cut -d ':' -f2 | awk '{ print $2 }') sleep 1 - pkt_new=`grep $interface: /proc/net/dev | cut -d : -f2 | awk '{ print $2 }'` - pkt=$(( $pkt_new-$pkt_old )) + pkt_new=$(grep eth0: /proc/net/dev | cut -d ':' -f2 | awk '{ print $2 }') + pkt=$(( $pkt_new - $pkt_old )) echo -ne "\r$pkt packets/s\033[0K" if [ $pkt -gt 5000 ]; then - filename=$dumpdir/dump.`date +"%Y%m%d-%H%M%S"`.cap - tcpdump -n -s0 -c 2000 > $filename - echo "`date` Packets dumped, sleeping now." - sleep 1 - data=`cat $filename` - sendmail -F $sender -it < Elasticsearch, Logstash, & Kibana + +This is just a little write-up on my research in deploying the ELK stack. + +## Prerequisites +```shell +sudo apt-get install -y gpg apt-transport-https` +wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list +sudo apt-get update && sudo apt-get install elasticsearch kibana logstash +sudo certbot certonly --standalone --preferred-challenges http -d elastic.domain.org +``` + +## Setup Elasticsearch +* Copy your certificates to `/etc/elasticsearch/certs`: +```shell +mkdir -p /etc/elasticsearch/certs/ +sudo cp /etc/letsencrypt/live/elastic.domain.org/fullchain.pem /etc/elasticsearch/certs/fullchain.pem +sudo cp /etc/letsencrypt/live/elastic.domain.org/privkey.pem /etc/elasticsearch/certs/privkey.pem +sudo chmod -R 777 /etc/elasticsearch/certs/ +``` + +* Edit your `/etc/elasticsearch/elasticsearch.yml` and change the follow options: +```yaml +cluster.name: BeeHive 
+node.name: gibson +network.host: 0.0.0.0 +bootstrap.memory_lock: true +xpack.security.audit.enabled: true +xpack.security.http.ssl: + enabled: true + key: /etc/elasticsearch/ssl/privkey.pem + certificate: /etc/elasticsearch/ssl/fullchain.pem +``` + +* System changes: +```shell +sudo su + ulimit -n 65535 + ulimit -u 4096 + +echo "elasticsearch - nofile 65535" > /etc/security/limits.conf +mkdir -p /etc/systemd/system/elasticsearch.service.d/ +echo "[Service]\nLimitMEMLOCK=infinity" > /etc/systemd/system/elasticsearch.service.d/override.conf +sudo swapoff -a +sudo sysctl -w vm.swappiness=1 # Add these +sudo sysctl -w vm.max_map_count=262144 # to /etc/systctl.conf +sudo sysctl -w net.ipv4.tcp_retries2=5 # +``` + +* Set the password for Kibana: +`./usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system` +`./usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana # Save this for when we access Kibana the first time` +`./usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node # enrollment token for a new node` + +## Setup Kibana +* Copy your certificates to `/etc/kibana/certs`: +```shell +mkdir -p /etc/kibana/certs/ +sudo cp /etc/letsencrypt/live/elastic.domain.org/fullchain.pem /etc/kibana/certs/fullchain.pem +sudo cp /etc/letsencrypt/live/elastic.domain.org/privkey.pem /etc/kibana/certs/privkey.pem +``` + +* Edit your `/etc/kibana/kibana.yml` and change the follow options: +```yaml +server.host: "0.0.0.0" +server.publicBaseUrl: "https://elastic.domain.org" +server.ssl.enabled: true +server.ssl.certificate: /etc/kibana/certs/fullchain.pem +server.ssl.key: /etc/kibana/certs/privkey.pem +elasticsearch.hosts: ["https://elastic.domain.org:9200"] +elasticsearch.username: "kibana_system" +elasticsearch.password: "changeme" # Use the password from the reset command we did earlier +``` + +## Setup Logstash +* Copy your certificates to `/etc/logstash/certs`: +```shell +mkdir -p /etc/logstash/certs/ +sudo cp 
/etc/letsencrypt/live/elastic.domain.org/fullchain.pem /etc/logstash/certs/cacert.pem +``` + +* Edit your `/etc/logstash/logstash.yml` and change the follow options: +```yaml +input { + beats { + port => 5044 + } +} +output { + elasticsearch { + hosts => ["https://elastic.domain.org:9200"] + index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" + user => "elastic" + password => "changeme" + cacert => "/etc/logstash/cacert.pem" + } +} +``` + +* `logstash-plugin install logstash-input-irc` + +## Start the ELK stack: +```shell +sudo systemctl daemon-reload +sudo systemctl enable elasticsearch.service && sudo systemctl start elasticsearch.service +sudo systemctl enable kibana.service && sudo systemctl start kibana.service +sudo systemctl enable logstash.service && sudo systemctl start logstash.service +``` diff --git a/iprange.py b/iprange.py deleted file mode 100644 index b1f6761..0000000 --- a/iprange.py +++ /dev/null 
@@ -1,44 +0,0 @@
-#!/usr/bin/env python
-
-import ipaddress
-
-donotscan = {
- '0.0.0.0/8', # "This" network
- '10.0.0.0/8', # Private networks
- '100.64.0.0/10', # Carrier-grade NAT - RFC 6598
- '127.0.0.0/8', # Host loopback
- '169.254.0.0/16', # Link local
- '172.16.0.0/12', # Private networks
- '192.0.0.0/24', # IETF Protocol Assignments
- '192.0.0.0/29', # DS-Lite
- '192.0.0.170/32', # NAT64
- '192.0.0.171/32', # DNS64
- '192.0.2.0/24', # Documentation (TEST-NET-1)
- '192.88.99.0/24', # 6to4 Relay Anycast
- '192.168.0.0/16', # Private networks
- '198.18.0.0/15', # Benchmarking
- '198.51.100.0/24', # Documentation (TEST-NET-2)
- '203.0.113.0/24', # Documentation (TEST-NET-3)
- '240.0.0.0/4', # Reserved
- '255.255.255.255/32', # Limited Broadcast
- '6.0.0.0/8', # Army Information Systems Center
- '7.0.0.0/8', # DoD Network Information Center
- '11.0.0.0/8', # DoD Intel Information Systems
- '21.0.0.0/8', # DDN-RVN
- '22.0.0.0/8', # Defense Information Systems Agency
- '26.0.0.0/8', # Defense Information Systems Agency
- '28.0.0.0/8', # DSI-North
- '29.0.0.0/8', # Defense Information Systems Agency
- '30.0.0.0/8', # Defense Information Systems Agency
- '33.0.0.0/8', # DLA Systems Automation Center
- '55.0.0.0/8', # DoD Network Information Center
- '205.0.0.0/8', # US-DOD
- '214.0.0.0/8', # US-DOD
- '215.0.0.0/8' # US-DOD
-}
-
-total = ipaddress.IPv4Network('0.0.0.0/0').num_addresses
-print(f'Total IPv4 Addresses : {total:,}')
-for i in donotscan:
- total -= ipaddress.IPv4Network(i).num_addresses
-print(f'Total After Clean : {total:,}')
diff --git a/iptables.sh b/iptables.sh
new file mode 100644
index 0000000..6ad4a8b
--- /dev/null
+++ b/iptables.sh
@@ -0,0 +1,45 @@
+### 1: Drop invalid packets ###
+/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
+
+### 2: Drop TCP packets that are new and are not SYN ###
+/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
+
+### 3: Drop SYN packets with suspicious MSS value ###
+/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
+
+### 4: Block packets with bogus TCP flags ###
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
+
+### 5: Block spoofed packets ###
+/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
+
+### 6: Drop ICMP (you usually don't need this protocol) ###
+/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP
+
+### 7: Drop fragments in all chains ###
+/sbin/iptables -t mangle -A PREROUTING -f -j DROP
+
+### 8: Limit connections per source IP ###
+/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
+
+### 9: Limit RST packets ###
+/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
+/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
+
+### 10: Limit new TCP connections per second per source IP ###
+/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
+/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
diff --git a/logga.py b/logga.py
index 9067912..1b3f58b 100644
--- a/logga.py
+++ b/logga.py
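Review bot: Rules 9 and 10 are labelled per-source limits, but `-m limit` is one global token bucket: once any single host burns through `60/s`, every new TCP connection from every source hits the following `DROP`, so an attacker needs only a modest SYN trickle to lock legitimate clients out — the opposite of the stated intent. Key the limit on the source address instead, e.g. `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 60/s --hashlimit-burst 20 --hashlimit-name synlimit -j ACCEPT`, and do the same for the RST rule. Dropping all ICMP (rule 6) and all fragments (rule 7) also breaks Path MTU Discovery and fragmented replies; at minimum allow `-p icmp --icmp-type fragmentation-needed` ahead of rule 6. The file has no shebang and no flush, so every re-run appends a duplicate rule set; start it with `#!/bin/sh` and `iptables -t mangle -F PREROUTING` / `iptables -F INPUT`, or keep the rules in `iptables-restore` format.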
@@ -7,25 +7,25 @@ import os log_file=True # Set to False for console logging only # Set up logging -sh = logging.StreamHandler() -sh.setFormatter(logging.Formatter('%(asctime)s | %(levelname)9s | %(message)s', '%I:%M %p')) -if log_file: - if not os.path.exists('logs'): - os.makedirs('logs') - fh = logging.handlers.RotatingFileHandler('logs/debug.log', maxBytes=250000, backupCount=7, encoding='utf-8') - fh.setFormatter(logging.Formatter('%(asctime)s | %(levelname)9s | %(filename)s.%(funcName)s.%(lineno)d | %(message)s', '%Y-%m-%d %I:%M %p')) - logging.basicConfig(level=logging.NOTSET, handlers=(sh,fh)) - del fh -else: - logging.basicConfig(level=logging.NOTSET, handlers=(sh,)) -finally: +def setup_logger(): + sh = logging.StreamHandler() + sh.setFormatter(logging.Formatter('%(asctime)s | %(levelname)9s | %(message)s', '%I:%M %p')) + if log_file: + if not os.path.exists('logs'): + os.makedirs('logs') + fh = logging.handlers.RotatingFileHandler('logs/debug.log', maxBytes=250000, backupCount=7, encoding='utf-8') + fh.setFormatter(logging.Formatter('%(asctime)s | %(levelname)9s | %(filename)s.%(funcName)s.%(lineno)d | %(message)s', '%Y-%m-%d %I:%M %p')) + logging.basicConfig(level=logging.NOTSET, handlers=(sh,fh)) + del fh + else: + logging.basicConfig(level=logging.NOTSET, handlers=(sh,)) del sh # Logging examples +setup_logger() logging.debug('This message should go to the log file') logging.info('So should this') logging.critical('ok') logging.warning('And this, too') logging.error('And non-ASCII stuff, too, like Øresund and Malmö') - -logging.shutdown() \ No newline at end of file +logging.shutdown() diff --git a/logs/debug.log b/logs/debug.log new file mode 100644 index 0000000..801ceab --- /dev/null +++ b/logs/debug.log 
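Review bot: The `if not os.path.exists('logs'): os.makedirs('logs')` pair inside `setup_logger` is a check-then-act race that `os.makedirs` already solves; replace both lines with `os.makedirs('logs', exist_ok=True)`. `logging.basicConfig` is a no-op when the root logger already has handlers, so a second `setup_logger()` call, or a caller that configured logging earlier, silently keeps the old handlers — document that it must be called exactly once before any other logging setup, or pass `force=True`. `logging.handlers.RotatingFileHandler` needs `import logging.handlers`, which lies above this hunk; confirm it is present. The same commit adds `logs/debug.log`, this function's own output, to the repository, so `logs/` belongs in `.gitignore`.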
@@ -0,0 +1,5 @@
+2023-07-23 12:57 AM | DEBUG | logga.py..26 | This message should go to the log file
+2023-07-23 12:57 AM | INFO | logga.py..27 | So should this
+2023-07-23 12:57 AM | CRITICAL | logga.py..28 | ok
+2023-07-23 12:57 AM | WARNING | logga.py..29 | And this, too
+2023-07-23 12:57 AM | ERROR | logga.py..30 | And non-ASCII stuff, too, like Øresund and Malmö
diff --git a/proxscrap b/proxscrap
deleted file mode 100755
index 1661114..0000000
--- a/proxscrap
+++ /dev/null
@@ -1,62 +0,0 @@ -#!/bin/env bash -# Author: perp -# Description: Scrape free proxies - -URLS=( - # SOCKS5 - "https://api.proxyscrape.com/v2/?request=displayproxies&protocol=socks5&timeout=10000&country=all" - "https://www.proxyscan.io/download?type=socks5" - "https://raw.githubusercontent.com/TheSpeedX/PROXY-List/master/socks5.txt" - "https://raw.githubusercontent.com/jetkai/proxy-list/main/online-proxies/txt/proxies-socks5.txt" - "https://raw.githubusercontent.com/RX4096/proxy-list/main/online/socks5.txt" - "https://raw.githubusercontent.com/UptimerBot/proxy-list/main/proxies/socks5.txt" - "https://raw.githubusercontent.com/ShiftyTR/Proxy-List/master/socks5.txt" - "https://raw.githubusercontent.com/saschazesiger/Free-Proxies/master/proxies/socks5.txt" - - # SOCKS4 - "https://api.proxyscrape.com/v2/?request=displayproxies&protocol=socks4&timeout=10000&country=all" - "https://www.proxyscan.io/download?type=socks4" - "https://raw.githubusercontent.com/TheSpeedX/PROXY-List/master/socks4.txt" - "https://raw.githubusercontent.com/jetkai/proxy-list/main/online-proxies/txt/proxies-socks4.txt" - "https://raw.githubusercontent.com/RX4096/proxy-list/main/online/socks4.txt" - "https://raw.githubusercontent.com/UptimerBot/proxy-list/main/proxies/socks4.txt" - "https://raw.githubusercontent.com/ShiftyTR/Proxy-List/master/socks4.txt" - "https://raw.githubusercontent.com/saschazesiger/Free-Proxies/master/proxies/socks4.txt" - - # HTTP - "https://api.proxyscrape.com/v2/?request=displayproxies&protocol=http&timeout=10000&country=all" - "https://www.proxyscan.io/download?type=http" - "https://raw.githubusercontent.com/TheSpeedX/PROXY-List/master/http.txt" - "https://raw.githubusercontent.com/jetkai/proxy-list/main/online-proxies/txt/proxies-http.txt" - "https://raw.githubusercontent.com/RX4096/proxy-list/main/online/http.txt" - "https://raw.githubusercontent.com/UptimerBot/proxy-list/main/proxies/http.txt" - "https://raw.githubusercontent.com/ShiftyTR/Proxy-List/master/http.txt" - 
- # HTTPS - "https://api.proxyscrape.com/v2/?request=displayproxies&protocol=https&timeout=10000&country=all" - "https://www.proxyscan.io/download?type=https" - "https://raw.githubusercontent.com/jetkai/proxy-list/main/online-proxies/txt/proxies-https.txt" - "https://raw.githubusercontent.com/RX4096/proxy-list/main/online/https.txt" - "https://raw.githubusercontent.com/ShiftyTR/Proxy-List/master/https.txt" - - # MIXED - "https://raw.githubusercontent.com/sunny9577/proxy-scraper/master/proxies.txt" - "https://raw.githubusercontent.com/saschazesiger/Free-Proxies/master/proxies/http.txt" -) - -# Remove proxies file -rm -f -- proxies.txt - -# Go through each URL -for URL in "${URLS[@]}"; -do - # Curl & append to file - echo "Downloading from $URL" - curl -s $URL >> proxies.txt & -done -wait - -# Sort the uniques -sort -u -o proxies.txt proxies.txt - -echo "Finished downloading proxies" diff --git a/stagit/stagit b/stagit similarity index 100% rename from stagit/stagit rename to stagit diff --git a/stagit/README.md b/stagit/README.md deleted file mode 100644 index f7417d3..0000000 --- a/stagit/README.md +++ /dev/null 
@@ -1,27 +0,0 @@ -# stagit -> static git page generator - -## Information -This is basically a pure shell script clone of [stagit](https://git.2f30.org/stagit/). - -It is meant to be hosted on [Github](https://github.com) using [Github Pages](https://pages.github.com) with a [Custom Domain](https://help.github.com/en/articles/using-a-custom-domain-with-github-pages). - -It also has support for hosting on [Gitlab](https://gitlab.com) using [Gitlab Pages](https://docs.gitlab.com/ee/user/project/pages/) with a [Custom Domain](https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/) - -## Settings -| Setting | Default | Description | -| ---------------- | -------------- | ------------------------------------------------------------------ | -| CLONE_URL | remote | base url for cloning repositories *(remote = remote.origin.url)* | -| CNAME | empty | create a CNAME file with a custom domain *(empty = do not create)* | -| MAX_COMMITS | 100 | maximum number of commits to show (0 = all) | -| MAX_COMMIT_MSG | 100 | maximum characters in a commit message to display *(0 = all)* | -| MAX_COMMIT_LINES | 999 | maximum number of lines to show in a commit *(0 = all)* | -| REPO_DIR | $HOME/git | directory containing repositories | -| TITLE | "Repositories" | title used on homepage | -| WWW_DIR | $HOME/www | directory to output to | - -If the `CLONE_URL` was set to `https://github.com/acidvegas/` for example, then it will display as `git clone https://github.com/acidvegas/REPO_NAME.git` on all repository indexes, otherwise if you leave it as `remote` it will just parse the remote url *(`git config --get remote.origin.url`)* for that repository. For those using the `remote` option, remote urls from Github/Gitlab that use SSH will be converted to an HTTPS url. This applies to Github/Gitlab remote urls only, so if you cloned your repositories with SSH, then people may not be able to clone your repositories! 
- -The `CNAME` option is optional if you are planning on using a custom domain with Github pages. See [here](https://help.github.com/en/articles/troubleshooting-custom-domains#github-repository-setup-errors) for more information. - -Lastly, stagit will ignore the `$REPO_DIR/mirrors` directory by default. To make stagit include this directory, remove `-path $REPO_DIR/mirrors -prune` from the `find` command in the source. \ No newline at end of file diff --git a/termux b/termux new file mode 100755 index 0000000..f43e0e8 --- /dev/null +++ b/termux 
@@ -0,0 +1,36 @@
+#!bin/sh
+# termux helper - developed by acidvegas (https://git.acid.vegas/archlinux)
+set -xev
+passwd
+termux-setup-storage
+pkg upgrade
+pkg install abduco cmatrix gcc git exa make man nano ncdu oath-toolkit openssh python python-pip rsync tor wget
+wget https://github.com/64BitAsura/ohsnap-ttf/raw/master/ohsnap6x11r.icons.ttf /data/data/com.termux/files/home/.termux/font.ttf
+termux-reload-settings
+echo "\nE N T E R T H E V O I D\n\n" > $PREFIX/etc/motd
+echo "set boldtext\nset minibar\nnset nohelp\net nonewlines\nset nowrap\nset quickblank\nset tabsize 4\ninclude \"/usr/share/nano/*.nanorc\"" > $PREFIX/etc/nanorc
+{
+ echo "export LC_CTYPE=en_US.UTF-8"
+ echo "export LC_ALL=en_US.UTF-8"
+ echo "export GPG_TTY=$(tty)"
+
+ echo "# colors"
+ echo "alias diff='diff --color=auto'"
+ echo "alias grep='grep --color=auto'"
+ echo "alias ip='ip -color=auto'"
+ echo "alias ls='ls --color=auto'"
+
+ echo "# rewrites"
+ echo "alias exa='exa -aghl --git'"
+ echo "alias ssh-add='ssh-add -t 1h'"
+ echo "alias su='su -l'"
+
+ echo "# random"
+ echo "alias ..='cd ../'"
+ echo "alias busy=\"cat /dev/urandom | hexdump -C | grep 'ca fe'\""
+ echo "alias musync=\"rsync -vcahz --delete-before pi:music/ $HOME/storage/music\""
+ echo "alias updatemux=\"pkg update && pkg clean\""
+
+ echo "export PS1=\"\e[38;5;237m\T\e[0m \e[38;5;69m\w \e[0m: \""
+} > ~/.bashrc
+echo "shortcut.create-session=ctrl + t\n\nshortcut.next-session=ctrl + 2\nshortcut.previous-session=ctrl + 1\nshortcut.rename-session=ctrl + n\nbell-character=ignore" > $HOME/.termux/termux.properties
diff --git a/vps b/vps
new file mode 100755
index 0000000..efcb20a
--- /dev/null
+++ b/vps
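Review bot: The shebang `#!bin/sh` is missing its leading slash, so executing `./termux` fails with "bad interpreter" and the file only works when invoked as `sh termux`; it should be `#!/bin/sh` (Termux maps that to its own shell via `termux-exec`). On the font line, `wget URL /data/.../font.ttf` treats the second argument as another URL to fetch rather than an output path, so the font never lands where `termux-reload-settings` expects it; use `wget -O "$HOME/.termux/font.ttf" https://github.com/64BitAsura/ohsnap-ttf/raw/master/ohsnap6x11r.icons.ttf`. `echo "export GPG_TTY=$(tty)"` is expanded while the installer runs, baking that session's tty into `.bashrc`; single-quote it as `echo 'export GPG_TTY=$(tty)'` so it is evaluated per shell. The nanorc string also contains `nset nohelp` and `et nonewlines`, which nano will reject as unknown commands.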
@@ -0,0 +1,18 @@
+#!/bin/sh
+apt-get update && apt-get upgrade
+echo "LANG=en_US.UTF-8" > /etc/locale.conf && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen
+localectl set-locale LANG=en_US.UTF-8
+echo -e "set boldtext\nset nohelp\nset nowrap\nset quickblank\nset tabsize 4\nunbind ^J main\nset selectedcolor black,red\ninclude \"/usr/share/nano/*.nanorc\"" > /etc/nanorc
+echo -e "export VISUAL=nano\nexport EDITOR=nano\nunset HISTFILE" >> /etc/profile
+echo -e "AuthenticationMethods publickey\nBanner /etc/issue\nClientAliveInterval 0\nDisableForwarding yes\nPermitRootLogin no\nPort CHANGEME\nPrintLastLog no" > /etc/ssh/sshd_config
+echo -e "[Journal]\nStorage=volatile\nSplitMode=none\nRuntimeMaxUse=500K" > /etc/systemd/journald.conf
+apt-get install cmake curl firehol gcc git htop make nano ncdu python3 python-pip screen sudo tor tmate
+apt-get install build-essential pkg-config gdb libssl-dev libpcre2-dev libargon2-0-dev libsodium-dev libc-ares-dev libcurl4-openssl-dev
+useradd -m -s /bin/bash acidvegas && gpasswd -a acidvegas sudo && passwd acidvegas
+
+mkdir $HOME/.ssh
+echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/fz4INjgCmSZOUiE9HL3+YRalyF/ptk1+qybcBCwUp" > $HOME/.ssh/authorized_keys
+chmod 700 $HOME/.ssh && chown -R acidvegas $HOME/.ssh && chmod 400 $HOME/.ssh/authorized_keys
+mkdir $HOME/build
+
+mkdir $HOME/.scripts && wget -O $HOME/.scipts/ddosmonit https://github.com/acidvegas/random/blob/master/ddosmonit && screen -S ddosmonit sudo ./.scripts/ddosmonit
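Review bot: The authorized key is written to `$HOME/.ssh`, which is `/root/.ssh` when this runs as root (the `apt-get`, `useradd` and `/etc/ssh/sshd_config` lines require root), and then `chown`ed to acidvegas — so the key never reaches `/home/acidvegas/.ssh/authorized_keys`, and with `PermitRootLogin no` plus `AuthenticationMethods publickey` in the new `sshd_config` there is no account left that can log in once sshd restarts; use `install -d -o acidvegas -g acidvegas -m 700 /home/acidvegas/.ssh` and write the key there. `Port CHANGEME` is not a valid value and makes sshd reject the whole configuration, so validate with `sshd -t` before any restart and prefer a drop-in under `/etc/ssh/sshd_config.d/` over overwriting the distro file. The final line fetches `https://github.com/acidvegas/random/blob/master/ddosmonit`, which is the HTML page rather than the script (the raw file is at `https://raw.githubusercontent.com/acidvegas/random/master/ddosmonit`), saves it to `.scipts` (typo) and then executes from `.scripts`; the script is also run through `sudo` without ever being checksummed or made executable.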