Diffstat (limited to 'retiolum/scripts')
17 files changed, 596 insertions, 447 deletions
diff --git a/retiolum/scripts/adv_graphgen/all_the_graphs.sh b/retiolum/scripts/adv_graphgen/all_the_graphs.sh index 5533c722..d3ce8f86 100755 --- a/retiolum/scripts/adv_graphgen/all_the_graphs.sh +++ b/retiolum/scripts/adv_graphgen/all_the_graphs.sh @@ -4,11 +4,14 @@ echo "`date` begin all graphs" >> /tmp/build_graph cd $(dirname $(readlink -f $0)) PATH=$PATH:../../../util/bin/ - export LOG_FILE=/var/log/retiolum.log + export LOG_FILE=/var/log/syslog + export TINC_LEGACY=true + EXTERNAL_FOLDER=/var/www/euer.krebsco.de/graphs/retiolum + INTERNAL_FOLDER=/var/www/euer/graphs/retiolum begin=`timer` export GRAPHITE_HOST="no_omo" - (./anonytize.sh /srv/http/pub/graphs/retiolum/ && echo "`date` anonytize done" >> /tmp/build_graph)& - (./sanitize.sh /srv/http/priv/graphs/retiolum/ && echo "`date` sanitize done" >> /tmp/build_graph)& + (./anonytize.sh $EXTERNAL_FOLDER && echo "`date` anonytize done" >> /tmp/build_graph)& + (./sanitize.sh $INTERNAL_FOLDER && echo "`date` sanitize done" >> /tmp/build_graph)& # wait graphitec "retiolum.graph.buildtime" "$(timer $begin)" >> /tmp/build_graph echo "`date` end all graphs" >> /tmp/build_graph diff --git a/retiolum/scripts/adv_graphgen/anonytize.sh b/retiolum/scripts/adv_graphgen/anonytize.sh index d49793cb..b31f4dbb 100755 --- a/retiolum/scripts/adv_graphgen/anonytize.sh +++ b/retiolum/scripts/adv_graphgen/anonytize.sh @@ -11,7 +11,7 @@ TYPE2=png OPENER=/bin/true DOTFILE=`mktemp` trap 'rm $DOTFILE' INT TERM -sudo LOG_FILE=$LOG_FILE python tinc_stats.py |\ +sudo -E python tinc_stats2json |\ python parse_tinc_anon.py> $DOTFILE diff --git a/retiolum/scripts/adv_graphgen/find_super.py b/retiolum/scripts/adv_graphgen/find_super.py new file mode 100644 index 00000000..df01734e --- /dev/null +++ b/retiolum/scripts/adv_graphgen/find_super.py 
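Review bot: The new `sudo -E python tinc_stats2json |\` forwards the caller's whole environment into the root process, although tinc_stats2json only reads `LOG_FILE`, `TINC_NETWORK` and `TINC_LEGACY`; the caller (all_the_graphs.sh in this same commit) has just appended a relative `../../../util/bin/` to PATH, so, unless sudoers pins `secure_path`, command resolution for the privileged `python` is governed by a user-controlled, relative PATH entry. Keep the old explicit form and name only what is needed: `sudo LOG_FILE="$LOG_FILE" TINC_NETWORK="${TINC_NETWORK:-retiolum}" TINC_LEGACY="${TINC_LEGACY:-}" python tinc_stats2json |\`. The identical `sudo -E` line is added to sanitize.sh and should get the same treatment.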
@@ -0,0 +1,50 @@ +#!/usr/bin/python + +def find_super(path="/etc/tinc/retiolum/hosts"): + import os + import re + + needle_addr = re.compile("Address\s*=\s*(.*)") + needle_port = re.compile("Port\s*=\s*(.*)") + for f in os.listdir(path): + with open(path+"/"+f) as of: + addrs = [] + port = "655" + + for line in of.readlines(): + + addr_found = needle_addr.match(line) + if addr_found: + addrs.append(addr_found.group(1)) + + port_found = needle_port.match(line) + if port_found: + port = port_found.group(1) + + if addrs : yield (f ,[(addr ,int(port)) for addr in addrs]) + +def check_super(path="/etc/tinc/retiolum/hosts"): + from socket import socket,AF_INET,SOCK_STREAM + for host,addrs in find_super(path): + valid_addrs = [] + for addr in addrs: + try: + s = socket(AF_INET,SOCK_STREAM) + s.settimeout(3) + s.connect(addr) + #print("success connecting %s:%d"%(addr)) + s.settimeout(None) + s.close() + valid_addrs.append(addr) + except Exception as e: + pass + #print("cannot connect to %s:%d"%(addr)) + if valid_addrs: yield (host,valid_addrs) + + +if __name__ == "__main__": + """ + usage + """ + for host,addrs in check_super(): + print host,addrs diff --git a/retiolum/scripts/adv_graphgen/parse_tinc_anon.py b/retiolum/scripts/adv_graphgen/parse_tinc_anon.py index e0bea913..21c36e0f 100755 --- a/retiolum/scripts/adv_graphgen/parse_tinc_anon.py +++ b/retiolum/scripts/adv_graphgen/parse_tinc_anon.py @@ -15,7 +15,7 @@ try: sys.stderr.write("connecting to %s:%d"%(host,port)) s.connect((host,port)) except Exception as e: - print >>sys.stderr, "Cannot connect to graphite: " + str(e) + sys.stderr.write( "Cannot connect to graphite: " + str(e)) """ TODO: Refactoring needed to pull the edges out of the node structures again, it should be easier to handle both structures""" DUMP_FILE = "/krebs/db/availability" 
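Review bot: In `check_super` the socket created right before `s.connect(addr)` is never closed when the connect raises, so every unreachable or filtered supernode address leaks one file descriptor for the rest of the scan, and the `except Exception as e: pass` that follows hides it; the close belongs in a `finally`. `find_super` also feeds `int(port)` and `connect` with `(.*)` captures, so a `Port = 655 # comment`-style line (if any hosts file carries trailing text) or a non-regular entry in the hosts directory (`os.listdir` returns everything, and `open` on a subdirectory raises) will abort the whole generator — hedged, since the hosts files are not in this diff. Restructuring the inner loop as below closes the descriptor on both paths and keeps the silent-skip behaviour for unreachable hosts.
```python
def check_super(path="/etc/tinc/retiolum/hosts"):
    # … unchanged: socket import, outer loop over find_super(path), valid_addrs = [] …
        for addr in addrs:
            s = socket(AF_INET,SOCK_STREAM)
            s.settimeout(3)
            try:
                s.connect(addr)
            except Exception:
                continue            # unreachable; the finally still closes the fd
            finally:
                s.close()
            valid_addrs.append(addr)
    # … unchanged: if valid_addrs: yield (host,valid_addrs) …
```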
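Review bot: The rewritten `sys.stderr.write( "Cannot connect to graphite: " + str(e))` drops the newline that `print >>sys.stderr` used to emit, so the message runs into whatever is written to stderr next (the preceding `sys.stderr.write("connecting to %s:%d"%(host,port))` context line has the same defect); the equivalent line in parse_tinc_stats.py in this diff ends with `\n`. Make the two scripts agree: `sys.stderr.write("Cannot connect to graphite: %s\n" % e)`. The enclosing try block continues past the hunk.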
@@ -151,4 +151,4 @@ try: msg = '%s.graph.anon_build_time %d %d\r\n' % (g_path,((end-begin)*1000),end) s.send(msg) s.close() -except Exception as e: print >>sys.stderr, e +except Exception as e: pass diff --git a/retiolum/scripts/adv_graphgen/parse_tinc_stats.py b/retiolum/scripts/adv_graphgen/parse_tinc_stats.py index 16f4f795..76a3ffcd 100755 --- a/retiolum/scripts/adv_graphgen/parse_tinc_stats.py +++ b/retiolum/scripts/adv_graphgen/parse_tinc_stats.py @@ -2,6 +2,7 @@ # -*- coding: utf8 -*- from BackwardsReader import BackwardsReader import sys,json +from find_super import check_super try: from time import time import socket @@ -16,10 +17,13 @@ try: except Exception as e: sys.stderr.write("Cannot connect to graphite: %s\n" % str(e)) -supernodes= [ "kaah","supernode","euer","pa_sharepoint","oxberg" ] +supernodes= [ ] +for supernode,addr in check_super(): + supernodes.append(supernode) """ TODO: Refactoring needed to pull the edges out of the node structures again, it should be easier to handle both structures""" DUMP_FILE = "/krebs/db/availability" + def write_digraph(nodes): """ writes the complete digraph in dot format @@ -53,8 +57,7 @@ def write_stat_node(nodes): try: msg = '%s.num_nodes %d %d\r\n' %(g_path,num_nodes,begin) s.send(msg) - #print >>sys.stderr, msg - except Exception as e: print sys.stderr,e + except Exception as e: pass #except: pass for k,v in nodes.iteritems(): num_conns+= len(v['to']) @@ -82,8 +85,7 @@ def generate_stats(nodes): jlines.append(jline) lines_to_use -=1 - except Exception,e: - sys.stderr.write(str(e)) + except Exception,e: sys.stderr.write(str(e)) for k,v in nodes.iteritems(): conns = v.get('to',[]) for c in conns: #sanitize weights 
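Review bot: Replacing `print >>sys.stderr, e` with `pass` turns the failing graphite send at the end of parse_tinc_anon.py into a silent no-op, so a wrong or unreachable `GRAPHITE_HOST` (all_the_graphs.sh exports `no_omo` in this commit) leaves no trace at all. The Python-3-incompatible print can be kept as a diagnostic with `except Exception as e: sys.stderr.write("graphite send failed: %s\n" % e)`, the same `sys.stderr.write` form this commit uses earlier in the file. The try block starts outside the hunk.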
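Review bot: `for supernode,addr in check_super(): supernodes.append(supernode)` runs at module import and, via find_super.py in this diff, makes a sequential blocking TCP connect with a 3 s timeout to every `Address` under /etc/tinc/retiolum/hosts, so the graph build now stalls in proportion to the number of unreachable supernodes and fails at import if the hosts directory is unreadable — where the replaced static list could not fail. Guard it and keep the old names as a fallback: `try: supernodes = [name for name, _ in check_super()]` / `except (IOError, OSError): supernodes = ["kaah","supernode","euer","pa_sharepoint","oxberg"]`, or compute the list lazily inside `write_node`. The comprehension also drops the unused `addr`.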
@@ -169,7 +171,11 @@ def write_node(k,v): for addr in v.get('internal-ip',['¯\\\\(°_o)/¯']): node += "internal:"+addr+"\\l" node +="\"" - if k in supernodes: + + # warning if node only has one connection + if v['num_conns'] == 1: + node += ",fillcolor=red" + elif k in supernodes: node += ",fillcolor=steelblue1" #node +=",group=\""+v['external-ip'].replace(".","")+"\"" node += "]" diff --git a/retiolum/scripts/adv_graphgen/sanitize.sh b/retiolum/scripts/adv_graphgen/sanitize.sh index c46662f3..45d29a22 100755 --- a/retiolum/scripts/adv_graphgen/sanitize.sh +++ b/retiolum/scripts/adv_graphgen/sanitize.sh @@ -11,7 +11,7 @@ TYPE2=png OPENER=/bin/true DOTFILE=`mktemp` trap 'rm $DOTFILE' INT TERM -sudo LOG_FILE=$LOG_FILE python tinc_stats.py |\ +sudo -E python tinc_stats2json |\ python parse_tinc_stats.py > $DOTFILE diff --git a/retiolum/scripts/adv_graphgen/tinc_stats.py b/retiolum/scripts/adv_graphgen/tinc_stats2json index d0d47aff..ede19b26 100755 --- a/retiolum/scripts/adv_graphgen/tinc_stats.py +++ b/retiolum/scripts/adv_graphgen/tinc_stats2json @@ -1,13 +1,17 @@ #!/usr/bin/python -from BackwardsReader import BackwardsReader +import subprocess import os import re import sys import json -TINC_NETWORK = os.environ.get("TINC_NETWORK","retiolum") -os.environ["LOG_FILE"] + +TINC_NETWORK =os.environ.get("TINC_NETWORK","retiolum") + +# is_legacy is the parameter which defines if the tinc config files are handled old fashioned (parse from syslog), +# or if the new and hip tincctl should be used +is_legacy= os.environ.get("TINC_LEGACY",False) SYSLOG_FILE = os.environ.get("LOG_FILE","/var/log/everything.log") 
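Review bot: `is_legacy= os.environ.get("TINC_LEGACY",False)` stores the raw environment string, so any value at all — including `TINC_LEGACY=false` or `0` — is truthy and selects the legacy syslog path; only an unset variable reaches tincctl, which contradicts what the comment above it promises. Parse the flag explicitly, `is_legacy = os.environ.get("TINC_LEGACY", "").lower() in ("1", "true", "yes")`, which still honours the `export TINC_LEGACY=true` that all_the_graphs.sh sets in this commit. The comment on the two lines above could then simply read `# TINC_LEGACY=true: parse the tinc dump from syslog; otherwise query tincctl`.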
@@ -21,11 +25,14 @@ BEGIN_EDGES = "Edges:" END_EDGES = "End of edges." def get_tinc_block(log_file): - """ returns an iterateable block from the given log file (syslog) """ + """ returns an iterateable block from the given log file (syslog) + This function became obsolete with the introduction of tincctl + """ + from BackwardsReader import BackwardsReader tinc_block = [] in_block = False bf = BackwardsReader(log_file) - BOL = re.compile(".*tinc.retiolum\[[0-9]+\]: ") + BOL = re.compile(".*tinc.%s\[[0-9]+\]: " % TINC_NETWORK) while True: line = bf.readline() if not line: @@ -44,6 +51,37 @@ def get_tinc_block(log_file): break return reversed(tinc_block) +def parse_new_input(): + nodes = {} + pnodes = subprocess.Popen(["tincctl","-n",TINC_NETWORK,"dump","reachable","nodes"], stdout=subprocess.PIPE).communicate()[0] + #pnodes = subprocess.check_output(["tincctl","-n",TINC_NETWORK,"dump","reachable","nodes"]) + for line in pnodes.split('\n'): + if not line: continue + l = line.split() + nodes[l[0]]= { 'external-ip': l[2], 'external-port' : l[4] } + psubnets = subprocess.check_output(["tincctl","-n",TINC_NETWORK,"dump","subnets"]) + for line in psubnets.split('\n'): + if not line: continue + l = line.split() + try: + if not nodes[l[2]].get('internal-ip',False): + nodes[l[2]]['internal-ip'] = [] + nodes[l[2]]['internal-ip'].append(l[0].split('#')[0]) + except KeyError: + pass # node does not exist (presumably) + pedges = subprocess.check_output(["tincctl","-n",TINC_NETWORK,"dump","edges"]) + for line in pedges.split('\n'): + if not line: continue + l = line.split() + try: + if not nodes[l[0]].has_key('to') : + nodes[l[0]]['to'] = [] + nodes[l[0]]['to'].append( + {'name':l[2],'addr':l[4],'port':l[6],'weight' : l[10] }) + except KeyError: + pass #node does not exist + return nodes + def parse_input(log_data): nodes={} for line in log_data: 
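Review bot: In `parse_new_input` the first `tincctl ... dump reachable nodes` call goes through `Popen(...).communicate()[0]` and never inspects the exit status, so a failing tincctl (daemon down, wrong `TINC_NETWORK`, missing control socket) yields an empty `nodes` dict and the script prints `{}` as if it were a valid result, whereas the two following calls use `check_output` and raise. Use `pnodes = subprocess.check_output(["tincctl","-n",TINC_NETWORK,"dump","reachable","nodes"])` for the first call too — the commented-out line already says so — and delete the dead comment. The positional `l[2]`, `l[4]`, `l[10]` accesses raise IndexError, not the caught KeyError, when a tincctl line has fewer fields than assumed (the format varies across tinc 1.1 pre-releases, hedged since no sample output is in the diff); catching `(KeyError, IndexError)` keeps one odd line from aborting the whole dump.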
@@ -68,7 +106,6 @@ def parse_input(log_data): if END_EDGES in line : break l = line.replace('\n','').split() - if not nodes[l[0]].has_key('to') : nodes[l[0]]['to'] = [] nodes[l[0]]['to'].append( @@ -78,6 +115,10 @@ def parse_input(log_data): if __name__ == '__main__': import subprocess,time - subprocess.call(["pkill","-SIGUSR2", "tincd"]) - time.sleep(1) - print json.dumps(parse_input((get_tinc_block(SYSLOG_FILE)))) + if is_legacy: + subprocess.call(["pkill","-SIGUSR2", "tincd"]) + time.sleep(1) + print json.dumps(parse_input((get_tinc_block(SYSLOG_FILE)))) + else: + print json.dumps(parse_new_input()) + diff --git a/retiolum/scripts/github_listener/INSTALL b/retiolum/scripts/github_listener/INSTALL new file mode 100644 index 00000000..20c0845c --- /dev/null +++ b/retiolum/scripts/github_listener/INSTALL @@ -0,0 +1,13 @@ +# HowTo + + useradd -r tinc + mkdir -p /opt/ + git init github_listener + git remote add -f origin https://github.com/krebscode/painload.git + git config core.sparsecheckout true + echo retiolum/hosts/ >> .git/info/sparse-checkout + git pull origin master + ln -s $static_painload/retiolum/{scripts,bin} retiolum/ + cp scripts/github_listener/github_listener.conf /etc/supervisor/conf.d/ + cd .. + chown tinc:tinc -R github_listener diff --git a/retiolum/scripts/github_listener/README b/retiolum/scripts/github_listener/README new file mode 100644 index 00000000..57c30896 --- /dev/null +++ b/retiolum/scripts/github_listener/README 
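Review bot: The legacy branch's `subprocess.call(["pkill","-SIGUSR2", "tincd"])` signals every tincd on the host regardless of `TINC_NETWORK`, and the fixed `time.sleep(1)` races the syslog write that `get_tinc_block` then parses. `subprocess.call(["tincd", "-n", TINC_NETWORK, "--kill=USR2"])` addresses only the configured network (the same form the removed retiolum.py used for HUP). Both lines are pre-existing, but the commit re-indents them into the new branch, which is a natural moment to fix them; the string-valued `is_legacy` that selects this branch is a separate issue in the header hunk.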
@@ -0,0 +1,22 @@ +GITHUB_LISTENER +=============== + +The github listener is an application which listens for github post-receive +hook calls and runs a script each time currently the github listener is +used to create a tarball of all nodes in the retiolum darknet. the current +tarball can be retrieved at http://euer.krebsco.de/retiolum/hosts.tar + +listen script +============= + +the listen script is a quick hack which runs netcat in an e-loop together +with a "logger" command to signalise successful tarball generation. + + +github_listener.conf +=================== +the supervisor config file + +References +========== +also see //retiolum/doc/git_checkout_only_hosts diff --git a/retiolum/scripts/github_listener/github_listener.conf b/retiolum/scripts/github_listener/github_listener.conf new file mode 100644 index 00000000..c4f0a8b6 --- /dev/null +++ b/retiolum/scripts/github_listener/github_listener.conf @@ -0,0 +1,5 @@ +[program:github_listener] +command=nc -lvv -p 5432 -c "./handle_request /opt/github_listener/retiolum/hosts /var/www/euer.krebsco.de/retiolum/" +user=tinc +directory=/krebs/retiolum/scripts/github_listener/ +autorestart=true diff --git a/retiolum/scripts/github_listener/handle_request b/retiolum/scripts/github_listener/handle_request new file mode 100755 index 00000000..5b42524a --- /dev/null +++ b/retiolum/scripts/github_listener/handle_request @@ -0,0 +1,23 @@ +#!/bin/sh +# Possible Shell Vars +# WEBDIR +# HOSTFOLDER +set -euf +if [ "x${2:-}" = x ];then + echo "usage: $0 HOSTDIRECTORY WEBDIRECTORY" + exit 1 +fi +export HOSTDIR=${1:-../../hosts} +WEBDIR=${2:-/var/www/euer.krebsco.de/retiolum/} +echo "sorry for keeping you waiting, please be patient" + +cd $(dirname $(readlink -f $0)) + +cd "$HOSTDIR" +git pull origin master >&2 +echo "First step done" +cd - >&2 +../../bin/create-supernode-tar $WEBDIR +echo "almost done..." +../../bin/create-host-tar $WEBDIR +echo "Thank you for your patience!" 
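Review bot: `command=nc -lvv -p 5432 -c "./handle_request ..."` runs the handler for every TCP connection to port 5432, on all interfaces, without checking that the request is a GitHub hook at all: nothing reads or validates the payload, there is no shared secret or signature check, and `-c` wires the peer's input to the handler's stdin and its output back to an unauthenticated client. Anyone who can reach the port can therefore trigger `git pull` plus tarball regeneration at will. Terminate the webhook behind a reverse proxy that verifies the GitHub signature and bind netcat to loopback (traditional netcat: `nc -l -s 127.0.0.1 -p 5432 ...`), or at least firewall the port to GitHub's hook ranges. netcat also exits after a single connection, so `autorestart=true` is what keeps the listener alive; a comment such as `; nc serves one connection and exits, supervisor restarts it` would save the next reader a surprise.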
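Review bot: `git pull origin master >&2` runs on every (unauthenticated) listener hit with no verification of what was fetched, and the result is immediately published through `create-host-tar` to the web root, so whoever controls upstream master — or a history rewrite on it — rewrites the hosts files that new nodes install. Pin the trust: `git fetch origin master && git merge --ff-only FETCH_HEAD` so rewrites fail loudly, and `git verify-commit FETCH_HEAD` before the merge if upstream commits are signed (not visible here). `cd $(dirname $(readlink -f $0))` and `$WEBDIR` are also unquoted while `"$HOSTDIR"` is quoted; `set -f` disables globbing but not word splitting, so quote them as `cd "$(dirname "$(readlink -f "$0")")"` and `"$WEBDIR"`.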
diff --git a/retiolum/scripts/tinc_multicast/retiolum b/retiolum/scripts/tinc_multicast/retiolum deleted file mode 100755 index 1d6b775f..00000000 --- a/retiolum/scripts/tinc_multicast/retiolum +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/bash - -. /etc/rc.conf -. /etc/rc.d/functions - -TINCNAME='retiolum' -case "$1" in - start) - stat_busy "Starting retiolum Daemon" - success=0 - /home/death/git/retiolum/.scripts/tinc_multicast/retiolum.py -n retiolum -T & - sleep 2 - if [ $success -eq 0 ]; then - add_daemon retiolum - stat_done - else - stat_fail - fi - ;; - stop) - stat_busy "Stopping retiolum Daemon" - kill `cat /var/lock/retiolum.retiolum` - rm_daemon retiolum - stat_done - ;; - restart) - $0 stop - sleep 4 - $0 start - ;; - *) - echo "usage $0 {start¦stop¦restart}" -esac -exit 0 diff --git a/retiolum/scripts/tinc_multicast/retiolum.py b/retiolum/scripts/tinc_multicast/retiolum.py deleted file mode 100755 index 8cf57471..00000000 --- a/retiolum/scripts/tinc_multicast/retiolum.py +++ /dev/null 
@@ -1,349 +0,0 @@ -#!/usr/bin/python2 -import sys, os, time, signal, socket, subprocess, thread, random, Queue, binascii, logging, hashlib, urllib2 #these should all be in the stdlib -from optparse import OptionParser - -def pub_encrypt(hostname_t, text): #encrypt data with public key - logging.debug("encrypt: " + text) - if hostname_t.find("`") != -1: return(-1) - try: - enc_text = subprocess.os.popen("echo '" + text + "' | openssl rsautl -pubin -inkey /etc/tinc/" + netname + "/hosts/.pubkeys/" + hostname_t + " -encrypt | base64 -w0") - return(enc_text.read()) - except: - return(-1) - -def priv_decrypt(enc_data): #decrypt data with private key - if enc_data.find("`") != -1: return(-1) - dec_text = subprocess.os.popen("echo '" + enc_data + "' | base64 -d | openssl rsautl -inkey /etc/tinc/" + netname + "/rsa_key.priv -decrypt") - return(dec_text.read()) - -def address2hostfile(hostname, address): #adds address to hostsfile or restores it if address is empty - hostfile = "/etc/tinc/" + netname + "/hosts/" + hostname - addr_file = open(hostfile, "r") - addr_cache = addr_file.readlines() - addr_file.close() - if address != "": - addr_cache.insert(0, "Address = " + address + "\n") - addr_file = open(hostfile, "w") - addr_file.writelines(addr_cache) - addr_file.close - logging.info("sending SIGHUP to tinc deamon!") - tincd_ALRM = subprocess.call(["tincd -n " + netname + " --kill=HUP" ],shell=True) - else: - recover = subprocess.os.popen("tar xzf /etc/tinc/" + netname + "/hosts/hosts.tar.gz -C /etc/tinc/" + netname + "/hosts/ " + hostname) - -def findhostinlist(hostslist, hostname, ip): #finds host + ip in list - for line in xrange(len(hostslist)): - if hostname == hostslist[line][0] and ip == hostslist[line][1]: - return line - return -1 #nothing found - -def getHostname(netname): - tconf = open("/etc/tinc/" + netname + "/tinc.conf", "r") - feld = tconf.readlines() - tconf.close() - for x in feld: - if x.startswith("Name"): - return 
str(x.partition("=")[2].lstrip().rstrip("\n")) - - print("hostname not found!") - return -1 #nothing found - -def get_hostfiles(url_files, url_md5sum): - try: - get_hosts_tar = urllib2.urlopen(url_files) - get_hosts_md5 = urllib2.urlopen(url_md5sum) - hosts_tar = get_hosts_tar.read() - hosts_md5 = get_hosts_md5.read() - - if str(hosts_md5) == str(hashlib.md5(hosts_tar).hexdigest() + " hosts.tar.gz\n"): - hosts = open("/etc/tinc/" + netname + "/hosts/hosts.tar.gz", "w") - hosts.write(hosts_tar) - hosts.close() - else: - logging.error("hosts.tar.gz md5sum check failed!") - except: - logging.error("hosts file download failed!") - - -####Thread functions - - -def sendthread(sendfifo, ghostmode): #send to multicast, sends keep alive packets - while True: - try: - #{socket init start - ANY = "0.0.0.0" - SENDPORT = 23542 - MCAST_ADDR = "224.168.2.9" - MCAST_PORT = 1600 - - sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) #initalize socket with udp - sock.bind((ANY,SENDPORT)) #now bound to Interface and Port - sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255) #activate multicast - #}socket init end - - if ghostmode == 0: - - i = 9 - - while True: - i += 1 - if not sendfifo.empty(): - sock.sendto(sendfifo.get(), (MCAST_ADDR,MCAST_PORT) ) - logging.info("send: sending sendfifo") - else: - time.sleep(1) - if i == 10: - sock.sendto("#Stage1#" + netname + "#" + hostname + "#", (MCAST_ADDR,MCAST_PORT) ) - logging.debug("send: sending keep alive") - i = 0 - else: - while True: - if not sendfifo.empty(): - sock.sendto(sendfifo.get(), (MCAST_ADDR,MCAST_PORT) ) - logging.info("send: sending sendfifo") - else: - time.sleep(1) - - except: - logging.error("send: socket init failed") - time.sleep(10) - - - -def recvthread(timeoutfifo, authfifo): #recieves input from multicast, send them to timeout or auth - while True: - try: - ANY = "0.0.0.0" - MCAST_ADDR = "224.168.2.9" - MCAST_PORT = 1600 - - sock = socket.socket(socket.AF_INET, 
socket.SOCK_DGRAM, socket.IPPROTO_UDP) #create a UDP socket - sock.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1) #allow multiple sockets to use the same PORT number - sock.bind((ANY,MCAST_PORT)) #Bind to the port that we know will receive multicast data - sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255) #tell the kernel that we are a multicast socket - - - status = sock.setsockopt(socket.IPPROTO_IP, - socket.IP_ADD_MEMBERSHIP, #Tell the kernel that we want to add ourselves to a multicast group - socket.inet_aton(MCAST_ADDR) + socket.inet_aton(ANY)); #The address for the multicast group is the third param - - while True: - while True: - - try: - data, addr = sock.recvfrom(1024) - ip, port = addr - break - except socket.error, e: - pass - - logging.debug("recv: got data") - dataval = data.split("#") - if dataval[0] == "": - if dataval[2] == netname: - if dataval[1] == "Stage1": - if dataval[3] != hostname: - timeoutfifo.put(["tst", dataval[3], ip]) - logging.info("recv: got Stage1: writing data to timeout") - logging.debug("recv: ;tst;" + dataval[3] + ";" + ip) - if dataval[1] == "Stage2": - if dataval[3] == hostname: - authfifo.put([dataval[1], dataval[3], ip, dataval[4]]) - logging.info("recv: got Stage2: writing data to auth") - logging.debug("recv: ;" + dataval[1] + ";" + dataval[3] + ";" + ip + ";" + dataval[4]) - if dataval[1] == "Stage3": - if dataval[3] != hostname: - authfifo.put([dataval[1], dataval[3], ip, dataval[4]]) - logging.info("recv: got Stage3: writing data to auth") - logging.debug("recv: ;" + dataval[1] + ";" + dataval[3] + ";" + ip + ";" + dataval[4]) - except: - logging.error("recv: socket init failed") - time.sleep(10) - -def timeoutthread(timeoutfifo, authfifo): #checks if the hostname is already in the list, deletes timeouted nodes -# hostslist = [] #hostname, ip, timestamp - - while True: - if not timeoutfifo.empty(): - curhost = timeoutfifo.get() - if curhost[0] == "add": - with hostslock: - 
hostslist.append([curhost[1], curhost[2], time.time()]) - address2hostfile(curhost[1], curhost[2]) - logging.info("adding host to hostslist") - elif curhost[0] == "tst": - with hostslock: - line = findhostinlist(hostslist, curhost[1], curhost[2]) - if line != -1: - hostslist[line][2] = time.time() - logging.debug("timeout: refreshing timestamp of " + hostslist[line][0]) - else: - authfifo.put(["Stage1", curhost[1], curhost[2]]) - logging.info("timeout: writing to auth") - - else: - i = 0 - with hostslock: - while i < len(hostslist): - if time.time() - hostslist[i][2] > 60: - address2hostfile(hostslist[i][0], "") - hostslist.remove(hostslist[i]) - logging.info("timeout: deleting dead host") - else: - i += 1 - time.sleep(2) - -def auththread(authfifo, sendfifo, timeoutfifo): #manages authentication with clients (bruteforce sensitve, should be fixed) - authlist = [] #hostname, ip, Challenge, timestamp - - - while True: - try: - if not authfifo.empty(): - logging.debug("auth: authfifo is not empty") - curauth = authfifo.get() - if curauth[0] == "Stage1": - line = findhostinlist(authlist, curauth[1], curauth[2]) - if line == -1: - challengenum = random.randint(0,65536) - encrypted_message = pub_encrypt(curauth[1], "#" + hostname + "#" + str(challengenum) + "#") - authlist.append([curauth[1], curauth[2], challengenum, time.time()]) - else: - encrypted_message = pub_encrypt(authlist[line][0], "#" + hostname + "#" + str(authlist[line][2]) + "#") - if encrypted_message == -1: - logging.info("auth: RSA Encryption Error") - else: - sendtext = "#Stage2#" + netname + "#" + curauth[1] + "#" + encrypted_message + "#" - sendfifo.put(sendtext) - logging.info("auth: got Stage1 sending now Stage2") - logging.debug("auth: " + sendtext) - - if curauth[0] == "Stage2": - dec_message = priv_decrypt(curauth[3]) - splitmes = dec_message.split("#") - if splitmes[0] == "": - encrypted_message = pub_encrypt(splitmes[1], "#" + splitmes[2] + "#") - if encrypted_message == -1: - 
logging.error("auth: RSA Encryption Error") - else: - sendtext = "#Stage3#" + netname + "#" + curauth[1] + "#" + encrypted_message + "#" - sendfifo.put(sendtext) - logging.info("auth: got Stage2 sending now Stage3") - logging.debug("auth: " + sendtext) - - if curauth[0] == "Stage3": - line = findhostinlist(authlist, curauth[1], curauth[2]) - if line != -1: - dec_message = priv_decrypt(curauth[3]) - splitmes = dec_message.split("#") - logging.info("auth: checking challenge") - if splitmes[0] == "": - if splitmes[1] == str(authlist[line][2]): - timeoutfifo.put(["add", curauth[1], curauth[2]]) - del authlist[line] - logging.info("auth: Stage3 checked, sending now to timeout") - else: logging.error("auth: challenge checking failed") - else: logging.error("auth: decryption failed") - - else: - i = 0 - while i < len(authlist): - if time.time() - authlist[i][3] > 120: - del authlist[i] - logging.info("auth: deleting timeoutet auth") - else: - i += 1 - time.sleep(1) - except: - logging.error("auth: thread crashed") - -def process_start(): #starting of the process - #download and untar hostfile - logging.info("downloading hostfiles") - get_hostfiles("http://vpn.miefda.org/hosts.tar.gz", "http://vpn.miefda.org/hosts.md5") #Currently Hardcoded, should be editable by config or parameter - tar = subprocess.call(["tar -xzf /etc/tinc/" + netname + "/hosts/hosts.tar.gz -C /etc/tinc/" + netname + "/hosts/"], shell=True) - - #initialize fifos - sendfifo = Queue.Queue() #sendtext - authfifo = Queue.Queue() #Stage{1, 2, 3} hostname ip enc_data - timeoutfifo = Queue.Queue() #State{tst, add} hostname ip - - #start threads - thread_recv = thread.start_new_thread(recvthread, (timeoutfifo, authfifo)) - thread_send = thread.start_new_thread(sendthread, (sendfifo, option.ghost)) - thread_timeout = thread.start_new_thread(timeoutthread, (timeoutfifo, authfifo)) - thread_auth = thread.start_new_thread(auththread, (authfifo, sendfifo, timeoutfifo)) - -def process_restart(signum, frame): - 
logging.error("root: restarting process") - with hostslock: - del hostslist[:] - #download and untar hostfile - logging.info("downloading hostfiles") - get_hostfiles("http://vpn.miefda.org/hosts.tar.gz", "http://vpn.miefda.org/hosts.md5") #Currently Hardcoded, should be editable by config or parameter - tar = subprocess.call(["tar -xzf /etc/tinc/" + netname + "/hosts/hosts.tar.gz -C /etc/tinc/" + netname + "/hosts/"], shell=True) - - logging.info("sending SIGHUP") - tincd_ALRM = subprocess.call(["tincd -n " + netname + " --kill=HUP" ],shell=True) - -def kill_process(signum, frame): - logging.error("got SIGINT/SIGTERM exiting now") - os.remove("/var/lock/retiolum." + netname) - if option.tinc != False: - stop_tincd = subprocess.call(["tincd -n " + netname + " -k"],shell=True) - sys.exit(0) - -#Program starts here! - -parser = OptionParser() -parser.add_option("-n", "--netname", dest="netname", help="the netname of the tinc network") -parser.add_option("-H", "--hostname", dest="hostname", default="default", help="your nodename, if not given, it will try too read it from tinc.conf") -parser.add_option("-t", "--timeout", dest="timeout", default=65536, help="timeout after retiolum gets restartet, default is 65536") -parser.add_option("-d", "--debug", dest="debug", default="0", help="debug level: 0,1,2,3 if empty debug level=0") -parser.add_option("-g", "--ghost", action="store_true", dest="ghost", default=False, help="deactivates active sending, keeps you anonymous in the public network") -parser.add_option("-T", "--Tinc", action="store_true", dest="tinc", default=False, help="starts tinc with this script") -(option, args) = parser.parse_args() - -if option.netname == None: - parser.error("Netname is required, use -h for help!") -if option.hostname == "default": - option.hostname = getHostname(option.netname) - -hostname = option.hostname -netname = option.netname -hostslist = [] -hostslock = thread.allocate_lock() - -#set process name -if not 
os.path.exists("/var/lock/retiolum." + netname): - pidfile = open("/var/lock/retiolum." + netname, "w") - pidfile.write(str(os.getpid())) - pidfile.close() -else: - logging.error("pidfile already exists") - sys.exit(0) - -#Logging stuff -LEVELS = {'3' : logging.DEBUG, - '2' : logging.INFO, - '1' : logging.ERROR, - '0' : logging.CRITICAL} - -level_name = option.debug -level = LEVELS.get(level_name, logging.NOTSET) -logging.basicConfig(level=level) - -#normally tinc doesnt start with retiolum -if option.tinc != False: - start_tincd = subprocess.call(["tincd -n " + netname ],shell=True) - -process_start() - -signal.signal(signal.SIGTERM, kill_process) -signal.signal(signal.SIGINT, kill_process) -signal.signal(signal.SIGUSR1, process_restart) - -while True: - time.sleep(float(option.timeout)) - process_restart(0, 0) diff --git a/retiolum/scripts/tinc_setup/bootstrap.sh b/retiolum/scripts/tinc_setup/bootstrap.sh deleted file mode 100644 index 32919e7d..00000000 --- a/retiolum/scripts/tinc_setup/bootstrap.sh +++ /dev/null @@ -1,11 +0,0 @@ -if [ ! `id -u` -eq "0" ] -then - echo "not root, trying sudo" - exec sudo "$0" "$@" -fi - -mkdir -p /etc/tinc/retiolum/ -git clone git://github.com/miefda/retiolum.git /etc/tinc/retiolum/hosts -cd /etc/tinc/retiolum/hosts/.scripts - -echo "use the build script of your choice from /etc/tinc/retiolum/hosts/.scripts" diff --git a/retiolum/scripts/tinc_setup/install.sh b/retiolum/scripts/tinc_setup/install.sh index a6b50b8a..a72d2b8b 100755 --- a/retiolum/scripts/tinc_setup/install.sh +++ b/retiolum/scripts/tinc_setup/install.sh @@ -45,7 +45,7 @@ then then printf 'select v4 subnet ip (1-255): ' read v4num - until $MYBIN/check-free-retiolum-v4 $v4num; do + until $MYBIN/check-free-retiolum-v4 10.243.0.$v4num; do echo "your're an idiot!" printf 'select unused v4 subnet ip (1-255): ' read v4num @@ -63,8 +63,8 @@ fi cat>tinc.conf<<EOF Name = $myname ConnectTo = euer -ConnectTo = oxb |
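Review bot: `$v4num` comes straight from `read` and is spliced into `10.243.0.$v4num` with no check that it is a number in 1–255, so an empty line, text or a value with spaces is handed to check-free-retiolum-v4 (outside this diff) and the loop's exit depends on how that helper treats garbage. Validate before calling it: `until [ "$v4num" -ge 1 ] 2>/dev/null && [ "$v4num" -le 255 ] && $MYBIN/check-free-retiolum-v4 "10.243.0.$v4num"; do`. The following `@@ -63,8 +63,8 @@` hunk is cut off at the edge of the page.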