
Add relayd/acme-client/pf support for botnow


This patch adds pf/relayd support for Shell.pm in botnow; it
incorporates some changes made by sarah:

diff -ru botnow/BNC.pm botnow-jrmu/BNC.pm
--- botnow/BNC.pm	Wed Jul 21 07:15:27 2021
+++ botnow-jrmu/BNC.pm	Tue Jul 20 08:42:37 2021
@@ -233,7 +233,7 @@
 		main::putserv($bot, "PRIVMSG $nick :https://$hostname/register.php?hashirc=$hashid";);
 		main::putserv($bot, "PRIVMSG $nick :Type !bnc captcha <text>");
 		foreach my $chan (@teamchans) {
-			main::putservlocalnet($bot, "PRIVMSG $chan :$nick\'s captcha is $captcha");
+			main::putservlocalnet($bot, "PRIVMSG $chan :$nick\'s on $bot->{name} bnc captcha is $captcha");
 		}
 	} else {
 		main::putserv($bot, "PRIVMSG $nick :Invalid username or email. Type !bnc <username> <email> to try again.");
Only in botnow: CVS
diff -ru botnow/Shell.pm botnow-jrmu/Shell.pm
--- botnow/Shell.pm	Wed Jul 21 07:15:30 2021
+++ botnow-jrmu/Shell.pm	Wed Jul 21 04:17:11 2021
@@ -27,6 +27,10 @@
 my $passpath = "/etc/passwd";
 my $httpdconfpath = "/etc/httpd.conf";
 my $acmeconfpath = "/etc/acme-client.conf";
+my $pfconfpath = "/etc/pf.conf";
+my $relaydconfpath = "/etc/relayd.conf";
+my $startPort;
+my $endPort;
 main::cbind("pub", "-", "shell", \&mshell);
 main::cbind("msg", "-", "shell", \&mshell);
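Review bot: `$startPort` and `$endPort` are file-scoped globals whose only purpose is to carry a value from configurepf (the final Shell.pm hunk, where they are assigned) into the heredoc in mailshell (the "Your Ports:" hunk); nothing ever resets them, so when the `# end user ports` marker is not found they stay undef and the email reads `Your Ports:  to `, and on a later call they still hold the previous user's range. Having configurepf return the pair, createshell return it to its caller, and the caller pass it to mailshell alongside `$pass` would make the data flow explicit and let mailshell check `defined` before sending. The camelCase names also break the `lower_snake_case` convention of the surrounding declarations (`$pfconfpath`, `$relaydconfpath` directly above).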
 
@@ -39,6 +43,8 @@
 	unveil($passpath, "r") or die "Unable to unveil $!";
 	unveil($httpdconfpath, "rwxc") or die "Unable to unveil $!";
 	unveil($acmeconfpath, "rwxc") or die "Unable to unveil $!";
+	unveil($pfconfpath, "rwxc") or die "Unable to unveil $!";       
+	unveil($relaydconfpath, "rwxc") or die "Unable to unveil $!";       
 	unveil("/usr/sbin/chown", "rx") or die "Unable to unveil $!";
 	unveil("/bin/chmod", "rx") or die "Unable to unveil $!";
 	unveil("/usr/sbin/groupadd", "rx") or die "Unable to unveil $!";
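Review bot: Both added `unveil` lines carry trailing whitespace after the `;`, which stands out in a diff and is worth stripping before commit. Apart from that they mirror the httpd and acme-client lines directly above them.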
@@ -75,7 +81,7 @@
 		my $username = $1;
 		if (SQLite::deleterows("shell", "username", $username)) {
 			# TODO delete shell
-			deleteshell($bot, $username);
+			deleteshell($username);
 			foreach my $chan (@teamchans) {
 				main::putserv($bot, "PRIVMSG $chan :$username deleted");
 			}
@@ -111,7 +117,7 @@
 		SQLite::set("shell", "ircid", $ircid, "password", $encrypted);
 		if (DNS::nextdns($username)) {
 			sleep(2);
-			createshell($bot, $username, $pass, $bindhost);
+			createshell($username, $pass, $bindhost);
 			mailshell($username, $email, $pass, "shell", $version);
 			main::putserv($bot, "PRIVMSG $nick :Check your email!");
 
@@ -159,7 +165,6 @@
 	my( $username, $email, $password, $service, $version )=@_;
 	my $passhash = sha256_hex("$username");
 	my $versionhash = encode_base64($version);
-	my $ports;
 	my $body = <<"EOF";
 You created a shell account!
 
@@ -167,13 +172,15 @@
 Password: $password
 Server: $hostname
 SSH Port: 22
-Your Ports: $ports for plaintext
+Your Ports: $startPort to $endPort
 
+To customize your vhost, connect to ask in #ircnow
+
 *IMPORTANT*: Verify your email address:
 
 https://www.$hostname/register.php?id=$passhash&version=$versionhash
 
-You *MUST* click on the link or your account will be deleted.
+You *MUST* click on the link within 24 hours or your account will be deleted.
 
 IRCNow
 EOF
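Review bot: The new line `To customize your vhost, connect to ask in #ircnow` reads as two half sentences joined together; `To customize your vhost, ask in #ircnow` (or naming the network to connect to first) would be clearer for the recipient. The heredoc belongs to mailshell, whose `sub` line lies before the previous hunk.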
@@ -244,8 +251,7 @@
 #}
 
 sub createshell {
-	my ($bot, $username, $password, $bindhost) = @_;
-	my $netname = $bot->{name};
+	my ($username, $password, $bindhost) = @_;
 	system "doas groupadd $username";
 	system "doas adduser -batch $username $username $username `encrypt $password`";
 	system "doas chmod 700 /home/$username /home/$username/.ssh";
@@ -259,7 +265,6 @@
 	my $block = <<"EOF";
 server "$lusername.$hostname" {
 	listen on * port 80
-	listen on * port 8001
 	location "/.well-known/acme-challenge/*" {
 		root "/acme"
 		request strip 2
@@ -274,24 +279,27 @@
 	$block = <<"EOF";
 domain "$lusername.$hostname" {
 	domain key "/etc/ssl/private/$lusername.$hostname.key"
-	domain full chain certificate "/etc/ssl/$lusername.$hostname.fullchain.pem"
+	domain full chain certificate "/etc/ssl/$lusername.$hostname.crt"
 	sign with letsencrypt
 }
 EOF
 	main::appendfile($acmeconfpath, $block);
-
+	configurepf($username);
 	system "doas rcctl reload httpd";
-	system "doas mv /etc/ssl/private/$hostname.key /etc/ssl/private/l.k";
         system "doas acme-client -F $lusername.$hostname";
-	system "doas ln -s /etc/ssl/crt/$lusername.$hostname.fullchain.pem /etc/ssl/$lusername.$hostname.crt";
-        system "doas mv /etc/ssl/private/l.k /etc/ssl/private/$hostname.key";
+	system "doas ln -s /etc/ssl/$lusername.$hostname.crt /etc/ssl/$lusername.$hostname.fullchain.pem";
+	system "doas pfctl -f /etc/pf.conf";
+	configurerelayd($username);
+	$block = <<"EOF";
+~       *       *       *       *       acme-client $lusername.$hostname && rcctl reload relayd
+EOF
+	system "echo $block | doas crontab -";
 #edquota $username
 	return 1;
 }
 
 sub deleteshell {
-	my ($bot, $username, $bindhost) = @_;
-	my $netname = $bot->{name};
+	my ($username, $bindhost) = @_;
 	my $lusername = lc $username;
 	system "doas groupdel $username";
 	system "doas userdel $username";
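Review bot: The crontab step at the end of createshell, `system "echo $block | doas crontab -"`, does not install the entry it intends: the whole string is handed to sh, so the `&&` inside `$block` and the heredoc's trailing newline end the `echo` command before the pipe is reached, the `~` and `*` fields are subject to tilde and glob expansion, and `crontab -` replaces the entire crontab rather than appending, so even an intact line would overwrite the previous user's renewal job. Reading the existing crontab, appending the entry and feeding it back through a list-form pipe open avoids the shell entirely (below). Two smaller points in the same hunk: `doas pfctl -f /etc/pf.conf` hardcodes the path already held in `$pfconfpath`, and relayd is only reloaded by the cron job, so the keypair added by configurerelayd is not active until that first fires; an immediate `system "doas rcctl reload relayd";` after configurerelayd would close that gap. deleteshell (whose body continues past the hunk) removes the user but not the `pass in ... user {$username}` rule and relayd keypair line that configurepf/configurerelayd add, so those entries accumulate in both config files.
```perl
	configurerelayd($username);
	# Append the renewal job without going through sh: the '*' fields are not
	# globbed and the existing crontab is preserved instead of replaced.
	my $existing = `doas crontab -l 2>/dev/null`;
	my $entry = "~\t*\t*\t*\t*\tacme-client $lusername.$hostname && rcctl reload relayd\n";
	open my $cron, '|-', 'doas', 'crontab', '-' or die "crontab: $!";
	print {$cron} $existing, $entry;
	close $cron or die "crontab: $!";
	# … unchanged: edquota comment, return 1 …
```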
@@ -348,5 +356,44 @@
 	}
 	return @results;
 }
+
+sub configurepf {
+    my $username = shift;
+    my @read = split('\n', main::readstr($pfconfpath) );
+    
+    my $previousline = "";
+    my @pfcontent;
+    foreach my $line(@read)
+    {
+        my $currline = $line;    
+        if( $currline ne "# end user ports") {
+            $previousline = $currline;        
+        } else {
+            #pass in proto {tcp udp} to port {31361:31370} user {JL}
+            if( $previousline =~ /(\d*):(\d*)/ ) {            
+                my $startport = ( $1 + 10 );
+                my $endport = ( $2 + 10 );
+                my $insert = "pass in proto {tcp udp} to port {$startport:$endport} user {$username}";
+                push(@pfcontent, $insert);
+		$startPort = $startport;
+		$endPort = $endport;
+            }
+        }
+        push(@pfcontent, $currline)
+    }
+    main::writefile("$pfconfpath", join("\n",@pfcontent))
+}
+
+sub configurerelayd {  
+        my ($username) = @_;                 
+	my $block = "tls { keypair $username.$hostname }";
+	my $relaydconf = main::readstr($relaydconfpath);
+	my $newconf;
+	if ($relaydconf =~ /^.*tls\s+{\s+keypair\s+[.0-9a-zA-Z]+\s*}/m) {
+		$newconf = "$`$&\n\t$block$'";
+	}
+	main::writefile($relaydconfpath, $newconf);
+}
+
 #unveil("./newacct", "rx") or die "Unable to unveil $!";
 1; # MUST BE LAST STATEMENT IN FILE
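Review bot: configurerelayd writes `$newconf` back unconditionally while it is only assigned inside the `if`, so when relayd.conf has no `tls { keypair ... }` line, or the regex does not match the file's spacing, `main::writefile($relaydconfpath, $newconf)` receives undef and truncates the live config; `my $newconf = $relaydconf;` before the `if` (or an early `return`) leaves the file untouched on a non-match. The keypair it inserts is `$username.$hostname`, whereas createshell registers the certificate as `$lusername.$hostname`, so a username with capitals points relayd at a keypair acme-client never produced — `lc $username` here keeps the two in step. In configurepf, `/(\d*):(\d*)/` also accepts an empty capture on either side, so a malformed previous line silently yields a range of 10 to 10; `\d+` matches what the `31361:31370` example in the comment implies. Using `` $` ``/`$&`/`$'` on Perls before 5.20 additionally slows every regex in the process, and both subs mix four-space and tab indentation unlike the rest of the file, which uses tabs.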
diff -ru botnow/botnow.conf.example botnow-jrmu/botnow.conf.example
--- botnow/botnow.conf.example	Wed Jul 21 07:15:31 2021
+++ botnow-jrmu/botnow.conf.example	Tue Jul 20 23:26:22 2021
@@ -33,10 +33,6 @@
 mailfrom = support@xxxxxxxxxx
 #mailname = support
 
-#rDNS keys from Stallion in BuyVM
-key = ABCDE-FGHIJ-KLMNO
-hash = ABCDEFGHIJKLMNOPQRST
-
 #Modules to load
 modules = BNC DNS Mail Shell SQLite Hash Help
 
@@ -70,4 +66,4 @@
 #verbose = ERRORS
 
 #Terms of Service
-#terms = IRCNow: Of the User, By the User, For the User. Rules: no profanity, no porn, no illegal drugs, no gambling, no slander, no warez, no promoting violence, no spam, illegal cracking, or DDoS. Only one account per person. Don't share passwords. Full terms: https://ircnow.org/terms.php
+#terms = IRCNow: Of the User, By the User, For the User. Rules: no porn, no illegal drugs, no gambling, no slander, no warez, no promoting violence, no spam, illegal cracking, or DDoS. Only one account per person. Don't share passwords. Full terms: https://ircnow.org/terms.php
diff -ru botnow/botnow.pl botnow-jrmu/botnow.pl
--- botnow/botnow.pl	Wed Jul 21 07:15:32 2021
+++ botnow-jrmu/botnow.pl	Tue Jul 20 23:26:12 2021
@@ -57,10 +57,6 @@
 	}
 }
 
-# rDNS keys from Stallion in BuyVM
-$conf{key} = $conf{key} or die "ERROR: botnow.conf: key";
-$conf{hash} = $conf{hash} or die "ERROR: botnow.conf: hash";
-
 # ZNC install directory
 $conf{zncdir} = $conf{zncdir} || "/home/znc/home/znc";
 
@@ -80,7 +76,7 @@
 $conf{verbose} = $conf{verbose} || ERRORS;
 
 # Terms of Service; don't edit lines with the word EOF
-$conf{terms} = $conf{terms} || "IRCNow: Of the User, By the User, For the User. Rules: no profanity, no porn, no illegal drugs, no gambling, no slander, no warez, no promoting violence, no spam, illegal cracking, or DDoS. Only one account per person. Don't share passwords. Full terms: https://ircnow.org/terms.php";;
+$conf{terms} = $conf{terms} || "IRCNow: Of the User, By the User, For the User. Rules: no porn, no illegal drugs, no gambling, no slander, no warez, no promoting violence, no spam, illegal cracking, or DDoS. Only one account per person. Don't share passwords. Full terms: https://ircnow.org/terms.php";;
 
 $conf{ipv6path} = "ipv6s"; # ipv6 file path
 $conf{netpath} = "networks"; # networks file path
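Review bot: The replaced `$conf{terms}` line keeps the `";;` ending from the old one; the second semicolon is an empty statement and reads as a typo, so it is worth dropping while the line is being touched anyway. The earlier hunk drops the `$conf{key}`/`$conf{hash}` checks; whether DNS.pm still reads those keys is not visible here and would be worth confirming, since botnow.conf.example no longer documents them either.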
diff -ru botnow/makefile botnow-jrmu/makefile
--- botnow/makefile	Wed Jul 21 07:15:33 2021
+++ botnow-jrmu/makefile	Tue Jul 20 23:17:56 2021
@@ -30,7 +30,7 @@
 	chmod g+rw ${HTTPDCONF} ${ACMECONF}
 	echo "permit nopass ${USERNAME} as _nsd cmd nsd-control" >> /etc/doas.conf
 	cp captcha.png register.php ${HTDOCS}/
-	cp LICENSE README botnow.pl botnow.conf.example BNC.pm DNS.pm Mail.pm SQLite.pm Shell.pm table.sql Hash.pm Help.pm makefile networks captcha.png register.php words shell ${HOMEDIR}/
+	cp LICENSE README botnow.pl botnow.conf.example BNC.pm DNS.pm Mail.pm SQLite.pm Shell.pm table.sql Hash.pm Help.pm makefile networks captcha.png register.php words ${HOMEDIR}/
 	chown -R ${USERNAME}:${USERNAME} ${HOMEDIR}
 	chmod u+x ${HOMEDIR}/botnow.pl
 	chown -R ${ZNCUSER}:daemon ${ZNCDIR}
@@ -41,8 +41,8 @@
 	pkg_add figlet-2.2.5
 
 php: 
-	pkg_add php-7.4.12
-	pkg_add php-sqlite3-7.4.12
+	pkg_add php-8.0.8
+	pkg_add php-sqlite
 
 sqlite:
 	pkg_add p5-DBI
Only in botnow: shell

Attachment: 20210721botnow.tgz
Description: application/tar-gz

Attachment: signature.asc
Description: PGP signature