From e110354524568f4365078ca0a37d9b44d57596a6 Mon Sep 17 00:00:00 2001 From: Felix Richter Date: Thu, 19 May 2011 21:04:56 +0200 Subject: cleaned up the script mess README: added README files for the whole directory as well as the subdirs adv_graphgen/* : contains the graphgen files tinc_setup/* : contains the build script and the bootstrap script tinc_multicast/* : contains the multicast script --- .scripts/README | 31 +-- .scripts/adv_graphgen/README | 28 +++ .scripts/adv_graphgen/parse.py | 85 +++++++++ .scripts/adv_graphgen/sanitize.sh | 13 ++ .scripts/bootstrap.sh | 11 -- .scripts/build_arch.sh | 14 -- .scripts/build_debian.sh | 30 --- .scripts/build_debian_clean.sh | 31 --- .scripts/build_ec2.sh | 16 -- .scripts/build_no.de.sh | 1 - .scripts/install.sh | 68 ------- .scripts/parse.py | 85 --------- .scripts/retiolum.py | 300 ------------------------------ .scripts/sanitize.sh | 13 -- .scripts/tinc_multicast/retiolum.py | 300 ++++++++++++++++++++++++++++++ .scripts/tinc_setup/README | 18 ++ .scripts/tinc_setup/bootstrap.sh | 11 ++ .scripts/tinc_setup/build_arch.sh | 14 ++ .scripts/tinc_setup/build_debian.sh | 30 +++ .scripts/tinc_setup/build_debian_clean.sh | 31 +++ .scripts/tinc_setup/build_ec2.sh | 16 ++ .scripts/tinc_setup/build_no.de.sh | 1 + .scripts/tinc_setup/install.sh | 68 +++++++ 23 files changed, 631 insertions(+), 584 deletions(-) create mode 100644 .scripts/adv_graphgen/README create mode 100755 .scripts/adv_graphgen/parse.py create mode 100755 .scripts/adv_graphgen/sanitize.sh delete mode 100644 .scripts/bootstrap.sh delete mode 100755 .scripts/build_arch.sh delete mode 100755 .scripts/build_debian.sh delete mode 100755 .scripts/build_debian_clean.sh delete mode 100755 .scripts/build_ec2.sh delete mode 100644 .scripts/build_no.de.sh delete mode 100755 .scripts/install.sh delete mode 100755 .scripts/parse.py delete mode 100755 .scripts/retiolum.py delete mode 100755 .scripts/sanitize.sh create mode 100755 .scripts/tinc_multicast/retiolum.py create mode 100644 .scripts/tinc_setup/README create mode 100644 .scripts/tinc_setup/bootstrap.sh create mode 100755 .scripts/tinc_setup/build_arch.sh create mode 100755 .scripts/tinc_setup/build_debian.sh create mode 100755 .scripts/tinc_setup/build_debian_clean.sh create mode 100755 .scripts/tinc_setup/build_ec2.sh create mode 100644 .scripts/tinc_setup/build_no.de.sh create mode 100755 .scripts/tinc_setup/install.sh (limited to '.scripts') diff --git a/.scripts/README b/.scripts/README index 8d104179..4dbb42af 100644 --- a/.scripts/README +++ b/.scripts/README @@ -1,15 +1,16 @@ -This directory contains the build and install scripts for shack-retiolum - -1. build_arch - arch linux build script -2. build_debian - debian build script -3. build_debian_clean - debian script which builds a clean tinc daemon -4. build_ec2 - Amazon ec2 base instance build script -5. install.sh - configures the tinc daemon - $1 is the nickname - $2 is the ip-address -hosts.tar contains the currently available hosts +This Folder contains all the cool scripts created for tinc_retiolum + +currently the following functions are deployed: + +adv_graphgen/ - makefu + this folder contains a script suite which parses the interesting + parameters from the syslog file by sending SIGUSR2 to the tinc process + +tinc_multicast/ - Miefda,Lassulus + A tinc multicast script suite which provides automagic-discovery in a + local network by utilizing multicast + +tinc_setup/ - makefu (i am so sorry...) + A number of scripts which build and configure tinc on a local machine. + Core is the install.sh script which actually writes the configuration + and creates users as well as private/public keys diff --git a/.scripts/adv_graphgen/README b/.scripts/adv_graphgen/README new file mode 100644 index 00000000..082e0f2b --- /dev/null +++ b/.scripts/adv_graphgen/README @@ -0,0 +1,28 @@ +The folder contains a number of scripts which provide a convenient way to +generate advanced graphs from the SIGUSR2 output of tinc. + +it currently contains the following files: + +sanitize.sh: + wrapper arond parse.py which filters the syslog file for all tinc + related lines and removes the status informations: + this means that + + May 19 20:40:44 servarch dnsmasq[5382]: reading /etc/resolv.conf + May 19 20:41:38 servarch tinc.retiolum[4780]: Error looking up pa-sharepoint.informatik.ba-stuttgart.de port 655: Name or service not known + + becomes + + Error looking up pa-sharepoint.informatik.ba-stuttgart.de port 655: Name or service not known + + and so on. + It also provides a wrapper around graphviz which automagically + generates graphs from the produced graph file + +parse.py: + reads from stdin the sanitized syslog file and prints a valid dot file + from the given output. + The parser module may also produce any other output (e.g. for dns + entries and so on) you will need to actually read and modify the source + in order to be able to do this. ~May the source be with you~ + diff --git a/.scripts/adv_graphgen/parse.py b/.scripts/adv_graphgen/parse.py new file mode 100755 index 00000000..27fe3a99 --- /dev/null +++ b/.scripts/adv_graphgen/parse.py @@ -0,0 +1,85 @@ +#!/usr/bin/python2 + +import sys +""" TODO: Refactoring needed to pull the edges out of the node structures again, +it should be easier to handle both structures""" + +def write_digraph(nodes): + """ + writes the complete digraph in dot format + """ + print ('digraph retiolum {') + print (' node[shape=box,style=filled,fillcolor=grey]') + generate_stats(nodes) + merge_edges(nodes) + for k,v in nodes.iteritems(): + write_node(k,v) + print ('}') +def generate_stats(nodes): + """ Generates some statistics of the network and nodes + """ + for k,v in nodes.iteritems(): + v['num_conns'] = len(v.get('to',[])) + +def merge_edges(nodes): + """ merge back and forth edges into one + DESTRUCTS the current structure by deleting "connections" in the nodes + + """ + for k,v in nodes.iteritems(): + for con in v.get('to',[]): + for i,secon in enumerate(nodes[con['name']].get('to',[])): + if k == secon['name']: + del (nodes[con['name']]['to'][i]) + con['bidirectional'] = True + + +def write_node(k,v): + """ writes a single node and its edges """ + node = " "+k+"[label=\"" + node += k+"\\l" + node += "external:"+v['external-ip']+":"+v['external-port']+"\\l" + if v.has_key('num_conns'): + node += "Num Connects:"+str(v['num_conns'])+"\\l" + node += "internal:"+v['internal-ip']+"\\l\"" + if v['external-ip'] == "MYSELF": + node += ",fillcolor=steelblue1" + node += "]" + print (node) + for con in v.get('to',[]): + edge = " "+k+ " -> " +con['name'] + "[weight="+str(10/float(con['weight'])) + if con.get('bidirectional',False): + edge += ",dir=both" + edge += "]" + print edge +def parse_input(): + nodes={} + for line in sys.stdin: + line = line.replace('\n','') + if line == 'Nodes:': + nodes={} + for line in sys.stdin: + if line == 'End of nodes.\n': + break + l = line.replace('\n','').split() #TODO unhack me + nodes[l[0]]= { 'external-ip': l[2], 'external-port' : l[4] } + if line == 'Subnet list:': + for line in sys.stdin: + if line == 'End of subnet list.\n': + break + l = line.replace('\n','').split() + nodes[l[2]]['internal-ip'] = l[0].split('#')[0] + if line == 'Edges:': + edges = {} + for line in sys.stdin: + if line == 'End of edges.\n': + break + l = line.replace('\n','').split() + + if not nodes[l[0]].has_key('to') : + nodes[l[0]]['to'] = [] + nodes[l[0]]['to'].append( + {'name':l[2],'addr':l[4],'port':l[6],'weight' : l[10] }) + return nodes +nodes = parse_input() +write_digraph(nodes) diff --git a/.scripts/adv_graphgen/sanitize.sh b/.scripts/adv_graphgen/sanitize.sh new file mode 100755 index 00000000..88591b67 --- /dev/null +++ b/.scripts/adv_graphgen/sanitize.sh @@ -0,0 +1,13 @@ +GRAPH_SETTER1=dot +GRAPH_SETTER2=circo +LOG_FILE=/var/log/everything.log +OPENER=/bin/true + +sudo pkill -USR2 tincd +sudo sed -n '/tinc.retiolum/{s/.*tinc.retiolum\[[0-9]*\]: //gp}' $LOG_FILE |\ + ./parse.py > retiolum.dot + +$GRAPH_SETTER1 -Tpng -o $1retiolum_1.png retiolum.dot +$GRAPH_SETTER2 -Tpng -o $1retiolum_2.png retiolum.dot +$OPENER retiolum_1.png &>/dev/null +rm retiolum.dot diff --git a/.scripts/bootstrap.sh b/.scripts/bootstrap.sh deleted file mode 100644 index 32919e7d..00000000 --- a/.scripts/bootstrap.sh +++ /dev/null @@ -1,11 +0,0 @@ -if [ ! `id -u` -eq "0" ] -then - echo "not root, trying sudo" - exec sudo "$0" "$@" -fi - -mkdir -p /etc/tinc/retiolum/ -git clone git://github.com/miefda/retiolum.git /etc/tinc/retiolum/hosts -cd /etc/tinc/retiolum/hosts/.scripts - -echo "use the build script of your choice from /etc/tinc/retiolum/hosts/.scripts" diff --git a/.scripts/build_arch.sh b/.scripts/build_arch.sh deleted file mode 100755 index 5ef5d765..00000000 --- a/.scripts/build_arch.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh -set -e -sudo pacman -S openssl gcc lzo -curl http://www.tinc-vpn.org/packages/tinc-1.0.13.tar.gz | tar xz -cd tinc-1.0.13 -./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var -make -sudo make install -cd .. - -echo "overwriting python to python2" -sed 's/\/usr\/bin\/python/\/usr\/bin\/python2/g' install.sh >install2.sh -mv install2.sh install.sh - diff --git a/.scripts/build_debian.sh b/.scripts/build_debian.sh deleted file mode 100755 index ddc63aed..00000000 --- a/.scripts/build_debian.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -set -x -if [ ! "$MYIP" ] -then - MYIP=10.0.7.7.55 -fi -if [ ! "$MYHOSTNAME" ] -then - MYHOSTNAME="penis" -fi - -if [ "$MYHOSTNAME" = "penis" ]; -then - read -n1 -p "name is penis, are u sure? [yN]" - if [[ "$REPLY" != [yY] ]] - then - echo "then better RTFC" - echo "bailing out" - exit 0 - fi -fi -apt-get install tinc git curl python - -./install.sh "$MYHOSTNAME" "$MYIP" - -# for autostart -sed -i '/retiolum/d' /etc/tinc/nets.boot -echo "retiolum" >> /etc/tinc/nets.boot -sed -i '/EXTRA/d' /etc/tinc/nets.boot -echo "EXTRA=\"\"" >> /etc/default/tinc diff --git a/.scripts/build_debian_clean.sh b/.scripts/build_debian_clean.sh deleted file mode 100755 index a7332f4e..00000000 --- a/.scripts/build_debian_clean.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash -set -xe -MYIP=10.0.7.7.55 - -apt-get install tinc git curl gcc gcc-dev build-essential libssl-dev python - -git clone https://github.com/makefu/shack-retiolum.git - -mkdir build -cd build -curl http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz | tar -xz -cd lzo-2.04 -./configure --prefix=/usr -make -sudo make install -cd .. -curl http://www.tinc-vpn.org/packages/tinc-1.0.13.tar.gz | tar xz -cd tinc-1.0.13 -./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var -make -sudo make install -cd ../.. - -cd shack-retiolum -./install.sh `hostname` $MYIP - -rm shack-retiolum -# for autostart -echo "retiolum" >> /etc/tinc/nets.boot -echo "EXTRA=\"--user=tincd --chroot\"" >> /etc/default/tinc diff --git a/.scripts/build_ec2.sh b/.scripts/build_ec2.sh deleted file mode 100755 index 79f2af28..00000000 --- a/.scripts/build_ec2.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh -set -e -sudo yum install -y gcc openssl-devel -mkdir build -cd build -curl http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz | tar xz -cd lzo-2.04 -./configure --prefix=/usr -make -sudo make install -cd .. -curl http://www.tinc-vpn.org/packages/tinc-1.0.13.tar.gz | tar xz -cd tinc-1.0.13 -./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var -make -sudo make install diff --git a/.scripts/build_no.de.sh b/.scripts/build_no.de.sh deleted file mode 100644 index 2976d3a2..00000000 --- a/.scripts/build_no.de.sh +++ /dev/null @@ -1 +0,0 @@ -pkgin in lzo gcc-tools gcc-compiler gcc34 diff --git a/.scripts/install.sh b/.scripts/install.sh deleted file mode 100755 index 4b21bcd4..00000000 --- a/.scripts/install.sh +++ /dev/null @@ -1,68 +0,0 @@ -#! /bin/sh -# USE WITH GREAT CAUTION - -set -e -myname="${1:-dummy}" -rel_hostsfile=`dirname $0`/.. -hostsfile=`readlink -f $rel_hostsfile` -netname=retiolum -myipv4="${2:-10.7.7.56}" -mynet4=10.7.7.0 -CURR=`pwd` -# create configuration directory for $netname -mkdir -p /etc/tinc/$netname -cd /etc/tinc/$netname - -# get currently known hosts -cp -r $hostsfile hosts -echo "added known hosts:" -ls -1 | LC_ALL=C sort -echo "delete the nodes you do not trust!" - - -cat>tinc-up<tinc.conf< hosts/$myname -tincd -n $netname -K - -echo Writing Public Key to irc channel -cat>write_channel.py< " +con['name'] + "[weight="+str(10/float(con['weight'])) - if con.get('bidirectional',False): - edge += ",dir=both" - edge += "]" - print edge -def parse_input(): - nodes={} - for line in sys.stdin: - line = line.replace('\n','') - if line == 'Nodes:': - nodes={} - for line in sys.stdin: - if line == 'End of nodes.\n': - break - l = line.replace('\n','').split() #TODO unhack me - nodes[l[0]]= { 'external-ip': l[2], 'external-port' : l[4] } - if line == 'Subnet list:': - for line in sys.stdin: - if line == 'End of subnet list.\n': - break - l = line.replace('\n','').split() - nodes[l[2]]['internal-ip'] = l[0].split('#')[0] - if line == 'Edges:': - edges = {} - for line in sys.stdin: - if line == 'End of edges.\n': - break - l = line.replace('\n','').split() - - if not nodes[l[0]].has_key('to') : - nodes[l[0]]['to'] = [] - nodes[l[0]]['to'].append( - {'name':l[2],'addr':l[4],'port':l[6],'weight' : l[10] }) - return nodes -nodes = parse_input() -write_digraph(nodes) diff --git a/.scripts/retiolum.py b/.scripts/retiolum.py deleted file mode 100755 index 6f1064e2..00000000 --- a/.scripts/retiolum.py +++ /dev/null @@ -1,300 +0,0 @@ -#!/usr/bin/python2 -import sys, os, time, socket, subprocess, thread, random, Queue, binascii, logging, hashlib, urllib2 #these should all be in the stdlib -from optparse import OptionParser - -def pub_encrypt(netname, hostname_t, text): #encrypt data with public key - logging.debug("encrypt: " + text) - try: - enc_text = subprocess.os.popen("echo '" + text + "' | openssl rsautl -pubin -inkey /etc/tinc/" + netname + "/hosts/.pubkeys/" + hostname_t + " -encrypt | base64") - return(enc_text.read()) - except: - return(-1) - -def priv_decrypt(netname, enc_data): #decrypt data with private key - dec_text = subprocess.os.popen("echo '" + enc_data + "' | base64 -d | openssl rsautl -inkey /etc/tinc/" + netname + "/rsa_key.priv -decrypt") - return(dec_text.read()) - -def address2hostfile(netname, hostname, address): #adds address to hostsfile or restores it if address is empty - hostfile = "/etc/tinc/" + netname + "/hosts/" + hostname - addr_file = open(hostfile, "r") - addr_cache = addr_file.readlines() - addr_file.close() - if address != "": - addr_cache.insert(0, "Address = " + address + "\n") - addr_file = open(hostfile, "w") - addr_file.writelines(addr_cache) - addr_file.close - logging.info("sending ALRM to tinc deamon!") - tincd_ALRM = subprocess.call(["tincd -n " + netname + " --kill=HUP" ],shell=True) - else: - recover = subprocess.os.popen("tar xzf /etc/tinc/" + netname + "/hosts/hosts.tar.gz -C /etc/tinc/" + netname + "/hosts/ " + hostname) - -def findhostinlist(hostslist, hostname, ip): #finds host + ip in list - for line in xrange(len(hostslist)): - if hostname == hostslist[line][0] and ip == hostslist[line][1]: - return line - return -1 #nothing found - -def getHostname(netname): - tconf = open("/etc/tinc/" + netname + "/tinc.conf", "r") - feld = tconf.readlines() - tconf.close() - for x in feld: - if x.startswith("Name"): - return str(x.partition("=")[2].lstrip().rstrip("\n")) - - print("hostname not found!") - return -1 #nothing found - -def get_hostfiles(netname, url_files, url_md5sum): - try: - get_hosts_tar = urllib2.urlopen(url_files) - get_hosts_md5 = urllib2.urlopen(url_md5sum) - hosts_tar = get_hosts_tar.read() - hosts_md5 = get_hosts_md5.read() - - if str(hosts_md5) == str(hashlib.md5(hosts_tar).hexdigest() + " hosts.tar.gz\n"): - hosts = open("/etc/tinc/" + netname + "/hosts/hosts.tar.gz", "w") - hosts.write(hosts_tar) - hosts.close() - else: - logging.error("hosts.tar.gz md5sum check failed!") - except: - logging.error("hosts file download failed!") - - -####Thread functions - - -def sendthread(netname, hostname, sendfifo, ghostmode): #send to multicast, sends keep alive packets - while True: - try: - #{socket init start - ANY = "0.0.0.0" - SENDPORT = 23542 - MCAST_ADDR = "224.168.2.9" - MCAST_PORT = 1600 - - sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) #initalize socket with udp - sock.bind((ANY,SENDPORT)) #now bound to Interface and Port - sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255) #activate multicast - #}socket init end - - if ghostmode == 0: - - i = 9 - - while True: - i += 1 - if not sendfifo.empty(): - sock.sendto(sendfifo.get(), (MCAST_ADDR,MCAST_PORT) ) - logging.info("send: sending sendfifo") - else: - time.sleep(1) - if i == 10: - sock.sendto("#Stage1#" + netname + "#" + hostname + "#", (MCAST_ADDR,MCAST_PORT) ) - logging.debug("send: sending keep alive") - i = 0 - else: - while True: - if not sendfifo.empty(): - sock.sendto(sendfifo.get(), (MCAST_ADDR,MCAST_PORT) ) - logging.info("send: sending sendfifo") - else: - time.sleep(1) - - except: - logging.error("send: socket init failed") - time.sleep(10) - - - -def recvthread(netname, hostname, timeoutfifo, authfifo): #recieves input from multicast, send them to timeout or auth - while True: - try: - ANY = "0.0.0.0" - MCAST_ADDR = "224.168.2.9" - MCAST_PORT = 1600 - - sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) #create a UDP socket - sock.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1) #allow multiple sockets to use the same PORT number - sock.bind((ANY,MCAST_PORT)) #Bind to the port that we know will receive multicast data - sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255) #tell the kernel that we are a multicast socket - - - status = sock.setsockopt(socket.IPPROTO_IP, - socket.IP_ADD_MEMBERSHIP, #Tell the kernel that we want to add ourselves to a multicast group - socket.inet_aton(MCAST_ADDR) + socket.inet_aton(ANY)); #The address for the multicast group is the third param - - while True: - while True: - - try: - data, addr = sock.recvfrom(1024) - ip, port = addr - break - except socket.error, e: - pass - - logging.debug("recv: got data") - dataval = data.split("#") - if dataval[0] == "": - if dataval[2] == netname: - if dataval[1] == "Stage1": - if dataval[3] != hostname: - timeoutfifo.put(["tst", dataval[3], ip]) - logging.info("recv: got Stage1: writing data to timeout") - logging.debug("recv: ;tst;" + dataval[3] + ";" + ip) - if dataval[1] == "Stage2": - if dataval[3] == hostname: - authfifo.put([dataval[1], dataval[3], ip, dataval[4]]) - logging.info("recv: got Stage2: writing data to auth") - logging.debug("recv: ;" + dataval[1] + ";" + dataval[3] + ";" + ip + ";" + dataval[4]) - if dataval[1] == "Stage3": - if dataval[3] != hostname: - authfifo.put([dataval[1], dataval[3], ip, dataval[4]]) - logging.info("recv: got Stage3: writing data to auth") - logging.debug("recv: ;" + dataval[1] + ";" + dataval[3] + ";" + ip + ";" + dataval[4]) - except: - logging.error("recv: socket init failed") - time.sleep(10) - -def timeoutthread(netname, timeoutfifo, authfifo): #checks if the hostname is already in the list, deletes timeouted nodes - hostslist = [] #hostname, ip, timestamp - - while True: - if not timeoutfifo.empty(): - curhost = timeoutfifo.get() - if curhost[0] == "add": - hostslist.append([curhost[1], curhost[2], time.time()]) - address2hostfile(netname, curhost[1], curhost[2]) - logging.info("adding host to hostslist") - elif curhost[0] == "tst": - line = findhostinlist(hostslist, curhost[1], curhost[2]) - if line != -1: - hostslist[line][2] = time.time() - logging.debug("timeout: refreshing timestamp of " + hostslist[line][0]) - else: - authfifo.put(["Stage1", curhost[1], curhost[2]]) - logging.info("timeout: writing to auth") - - else: - i = 0 - while i < len(hostslist): - if time.time() - hostslist[i][2] > 60: - address2hostfile(netname, hostslist[i][0], "") - del hostslist[i] - logging.info("timeout: deleting dead host") - else: - i += 1 - time.sleep(2) - -def auththread(netname, hostname, authfifo, sendfifo, timeoutfifo): #manages authentication with clients (bruteforce sensitve, should be fixed) - authlist = [] #hostname, ip, Challenge, timestamp - - - while True: - try: - if not authfifo.empty(): - logging.debug("auth: authfifo is not empty") - curauth = authfifo.get() - if curauth[0] == "Stage1": - line = findhostinlist(authlist, curauth[1], curauth[2]) - if line == -1: - challengenum = random.randint(0,65536) - encrypted_message = pub_encrypt(netname, curauth[1], "#" + hostname + "#" + str(challengenum) + "#") - authlist.append([curauth[1], curauth[2], challengenum, time.time()]) - else: - encrypted_message = pub_encrypt(netname, authlist[line][0], "#" + hostname + "#" + str(authlist[line][2]) + "#") - if encrypted_message == -1: - logging.info("auth: RSA Encryption Error") - else: - sendtext = "#Stage2#" + netname + "#" + curauth[1] + "#" + encrypted_message + "#" - sendfifo.put(sendtext) - logging.info("auth: got Stage1 sending now Stage2") - logging.debug("auth: " + sendtext) - - if curauth[0] == "Stage2": - dec_message = priv_decrypt(netname, curauth[3]) - splitmes = dec_message.split("#") - if splitmes[0] == "": - encrypted_message = pub_encrypt(netname, splitmes[1], "#" + splitmes[2] + "#") - if encrypted_message == -1: - logging.error("auth: RSA Encryption Error") - else: - sendtext = "#Stage3#" + netname + "#" + curauth[1] + "#" + encrypted_message + "#" - sendfifo.put(sendtext) - logging.info("auth: got Stage2 sending now Stage3") - logging.debug("auth: " + sendtext) - - if curauth[0] == "Stage3": - line = findhostinlist(authlist, curauth[1], curauth[2]) - if line != -1: - dec_message = priv_decrypt(netname, curauth[3]) - splitmes = dec_message.split("#") - logging.info("auth: checking challenge") - if splitmes[0] == "": - if splitmes[1] == str(authlist[line][2]): - timeoutfifo.put(["add", curauth[1], curauth[2]]) - del authlist[line] - logging.info("auth: Stage3 checked, sending now to timeout") - else: logging.error("auth: challenge checking failed") - else: logging.error("auth: decryption failed") - - else: - i = 0 - while i < len(authlist): - if time.time() - authlist[i][3] > 120: - del authlist[i] - logging.info("auth: deleting timeoutet auth") - else: - i += 1 - time.sleep(1) - except: - logging.error("auth: thread crashed") - -#Program starts here! - -parser = OptionParser() -parser.add_option("-n", "--netname", dest="netname", help="the netname of the tinc network") -parser.add_option("-H", "--hostname", dest="hostname", default="default" , help="your nodename, if not given, it will try too read it from tinc.conf") -parser.add_option("-d", "--debug", dest="debug", default="0", help="debug level: 0,1,2,3 if empty debug level=0") -parser.add_option("-g", "--ghost", action="store_true", dest="ghost", default=False, help="deactivates active sending, keeps you anonymous in the public network") -(option, args) = parser.parse_args() - -if option.netname == None: - parser.error("Netname is required, use -h for help!") -if option.hostname == "default": - option.hostname = getHostname(option.netname) - -hostname = option.hostname -netname = option.netname - - -#Logging stuff -LEVELS = {'3' : logging.DEBUG, - '2' : logging.INFO, - '1' : logging.ERROR, - '0' : logging.CRITICAL} - -level_name = option.debug -level = LEVELS.get(level_name, logging.NOTSET) -logging.basicConfig(level=level) - -get_hostfiles(netname, "http://vpn.miefda.org/hosts.tar.gz", "http://vpn.miefda.org/hosts.md5") - -tar = subprocess.call(["tar -xzf /etc/tinc/" + netname + "/hosts/hosts.tar.gz -C /etc/tinc/" + netname + "/hosts/"], shell=True) -start_tincd = subprocess.call(["tincd -n " + netname ],shell=True) - -sendfifo = Queue.Queue() #sendtext -authfifo = Queue.Queue() #Stage{1, 2, 3} hostname ip enc_data -timeoutfifo = Queue.Queue() #State{tst, add} hostname ip - -thread_recv = thread.start_new_thread(recvthread, (netname, hostname, timeoutfifo, authfifo)) -thread_send = thread.start_new_thread(sendthread, (netname, hostname, sendfifo, option.ghost)) -thread_timeout = thread.start_new_thread(timeoutthread, (netname, timeoutfifo, authfifo)) -thread_auth = thread.start_new_thread(auththread, (netname, hostname, authfifo, sendfifo, timeoutfifo)) - -##dirty while function, SHOULD BE IMPROVED -while True: - time.sleep(10) diff --git a/.scripts/sanitize.sh b/.scripts/sanitize.sh deleted file mode 100755 index 88591b67..00000000 --- a/.scripts/sanitize.sh +++ /dev/null @@ -1,13 +0,0 @@ -GRAPH_SETTER1=dot -GRAPH_SETTER2=circo -LOG_FILE=/var/log/everything.log -OPENER=/bin/true - -sudo pkill -USR2 tincd -sudo sed -n '/tinc.retiolum/{s/.*tinc.retiolum\[[0-9]*\]: //gp}' $LOG_FILE |\ - ./parse.py > retiolum.dot - -$GRAPH_SETTER1 -Tpng -o $1retiolum_1.png retiolum.dot -$GRAPH_SETTER2 -Tpng -o $1retiolum_2.png retiolum.dot -$OPENER retiolum_1.png &>/dev/null -rm retiolum.dot diff --git a/.scripts/tinc_multicast/retiolum.py b/.scripts/tinc_multicast/retiolum.py new file mode 100755 index 00000000..6f1064e2 --- /dev/null +++ b/.scripts/tinc_multicast/retiolum.py @@ -0,0 +1,300 @@ +#!/usr/bin/python2 +import sys, os, time, socket, subprocess, thread, random, Queue, binascii, logging, hashlib, urllib2 #these should all be in the stdlib +from optparse import OptionParser + +def pub_encrypt(netname, hostname_t, text): #encrypt data with public key + logging.debug("encrypt: " + text) + try: + enc_text = subprocess.os.popen("echo '" + text + "' | openssl rsautl -pubin -inkey /etc/tinc/" + netname + "/hosts/.pubkeys/" + hostname_t + " -encrypt | base64") + return(enc_text.read()) + except: + return(-1) + +def priv_decrypt(netname, enc_data): #decrypt data with private key + dec_text = subprocess.os.popen("echo '" + enc_data + "' | base64 -d | openssl rsautl -inkey /etc/tinc/" + netname + "/rsa_key.priv -decrypt") + return(dec_text.read()) + +def address2hostfile(netname, hostname, address): #adds address to hostsfile or restores it if address is empty + hostfile = "/etc/tinc/" + netname + "/hosts/" + hostname + addr_file = open(hostfile, "r") + addr_cache = addr_file.readlines() + addr_file.close() + if address != "": + addr_cache.insert(0, "Address = " + address + "\n") + addr_file = open(hostfile, "w") + addr_file.writelines(addr_cache) + addr_file.close + logging.info("sending ALRM to tinc deamon!") + tincd_ALRM = subprocess.call(["tincd -n " + netname + " --kill=HUP" ],shell=True) + else: + recover = subprocess.os.popen("tar xzf /etc/tinc/" + netname + "/hosts/hosts.tar.gz -C /etc/tinc/" + netname + "/hosts/ " + hostname) + +def findhostinlist(hostslist, hostname, ip): #finds host + ip in list + for line in xrange(len(hostslist)): + if hostname == hostslist[line][0] and ip == hostslist[line][1]: + return line + return -1 #nothing found + +def getHostname(netname): + tconf = open("/etc/tinc/" + netname + "/tinc.conf", "r") + feld = tconf.readlines() + tconf.close() + for x in feld: + if x.startswith("Name"): + return str(x.partition("=")[2].lstrip().rstrip("\n")) + + print("hostname not found!") + return -1 #nothing found + +def get_hostfiles(netname, url_files, url_md5sum): + try: + get_hosts_tar = urllib2.urlopen(url_files) + get_hosts_md5 = urllib2.urlopen(url_md5sum) + hosts_tar = get_hosts_tar.read() + hosts_md5 = get_hosts_md5.read() + + if str(hosts_md5) == str(hashlib.md5(hosts_tar).hexdigest() + " hosts.tar.gz\n"): + hosts = open("/etc/tinc/" + netname + "/hosts/hosts.tar.gz", "w") + hosts.write(hosts_tar) + hosts.close() + else: + logging.error("hosts.tar.gz md5sum check failed!") + except: + logging.error("hosts file download failed!") + + +####Thread functions + + +def sendthread(netname, hostname, sendfifo, ghostmode): #send to multicast, sends keep alive packets + while True: + try: + #{socket init start + ANY = "0.0.0.0" + SENDPORT = 23542 + MCAST_ADDR = "224.168.2.9" + MCAST_PORT = 1600 + + sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) #initalize socket with udp + sock.bind((ANY,SENDPORT)) #now bound to Interface and Port + sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255) #activate multicast + #}socket init end + + if ghostmode == 0: + + i = 9 + + while True: + i += 1 + if not sendfifo.empty(): + sock.sendto(sendfifo.get(), (MCAST_ADDR,MCAST_PORT) ) + logging.info("send: sending sendfifo") + else: + time.sleep(1) + if i == 10: + sock.sendto("#Stage1#" + netname + "#" + hostname + "#", (MCAST_ADDR,MCAST_PORT) ) + logging.debug("send: sending keep alive") + i = 0 + else: + while True: + if not sendfifo.empty(): + sock.sendto(sendfifo.get(), (MCAST_ADDR,MCAST_PORT) ) + logging.info("send: sending sendfifo") + else: + time.sleep(1) + + except: + logging.error("send: socket init failed") + time.sleep(10) + + + +def recvthread(netname, hostname, timeoutfifo, authfifo): #recieves input from multicast, send them to timeout or auth + while True: + try: + ANY = "0.0.0.0" + MCAST_ADDR = "224.168.2.9" + MCAST_PORT = 1600 + + sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) #create a UDP socket + sock.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1) #allow multiple sockets to use the same PORT number + sock.bind((ANY,MCAST_PORT)) #Bind to the port that we know will receive multicast data + sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255) #tell the kernel that we are a multicast socket + + + status = sock.setsockopt(socket.IPPROTO_IP, + socket.IP_ADD_MEMBERSHIP, #Tell the kernel that we want to add ourselves to a multicast group + socket.inet_aton(MCAST_ADDR) + socket.inet_aton(ANY)); #The address for the multicast group is the third param + + while True: + while True: + + try: + data, addr = sock.recvfrom(1024) + ip, port = addr + break + except socket.error, e: + pass + + logging.debug("recv: got data") + dataval = data.split("#") + if dataval[0] == "": + if dataval[2] == netname: + if dataval[1] == "Stage1": + if dataval[3] != hostname: + timeoutfifo.put(["tst", dataval[3], ip]) + logging.info("recv: got Stage1: writing data to timeout") + logging.debug("recv: ;tst;" + dataval[3] + ";" + ip) + if dataval[1] == "Stage2": + if dataval[3] == hostname: + authfifo.put([dataval[1], dataval[3], ip, dataval[4]]) + logging.info("recv: got Stage2: writing data to auth") + logging.debug("recv: ;" + dataval[1] + ";" + dataval[3] + ";" + ip + ";" + dataval[4]) + if dataval[1] == "Stage3": + if dataval[3] != hostname: + authfifo.put([dataval[1], dataval[3], ip, dataval[4]]) + logging.info("recv: got Stage3: writing data to auth") + logging.debug("recv: ;" + dataval[1] + ";" + dataval[3] + ";" + ip + ";" + dataval[4]) + except: + logging.error("recv: socket init failed") + time.sleep(10) + +def timeoutthread(netname, timeoutfifo, authfifo): #checks if the hostname is already in the list, deletes timeouted nodes + hostslist = [] #hostname, ip, timestamp + + while True: + if not timeoutfifo.empty(): + curhost = timeoutfifo.get() + if curhost[0] == "add": + hostslist.append([curhost[1], curhost[2], time.time()]) + address2hostfile(netname, curhost[1], curhost[2]) + logging.info("adding host to hostslist") + elif curhost[0] == "tst": + line = findhostinlist(hostslist, curhost[1], curhost[2]) + if line != -1: + hostslist[line][2] = time.time() + logging.debug("timeout: refreshing timestamp of " + hostslist[line][0]) + else: + authfifo.put(["Stage1", curhost[1], curhost[2]]) + logging.info("timeout: writing to auth") + + else: + i = 0 + while i < len(hostslist): + if time.time() - hostslist[i][2] > 60: + address2hostfile(netname, hostslist[i][0], "") + del hostslist[i] + logging.info("timeout: deleting dead host") + else: + i += 1 + time.sleep(2) + +def auththread(netname, hostname, authfifo, sendfifo, timeoutfifo): #manages authentication with clients (bruteforce sensitve, should be fixed) + authlist = [] #hostname, ip, Challenge, timestamp + + + while True: + try: + if not authfifo.empty(): + logging.debug("auth: authfifo is not empty") + curauth = authfifo.get() + if curauth[0] == "Stage1": + line = findhostinlist(authlist, curauth[1], curauth[2]) + if line == -1: + challengenum = random.randint(0,65536) + encrypted_message = pub_encrypt(netname, curauth[1], "#" + hostname + "#" + str(challengenum) + "#") + authlist.append([curauth[1], curauth[2], challengenum, time.time()]) + else: + encrypted_message = pub_encrypt(netname, authlist[line][0], "#" + hostname + "#" + str(authlist[line][2]) + "#") + if encrypted_message == -1: + logging.info("auth: RSA Encryption Error") + else: + sendtext = "#Stage2#" + netname + "#" + curauth[1] + "#" + encrypted_message + "#" + sendfifo.put(sendtext) + logging.info("auth: got Stage1 sending now Stage2") + logging.debug("auth: " + sendtext) + + if curauth[0] == "Stage2": + dec_message = priv_decrypt(netname, curauth[3]) + splitmes = dec_message.split("#") + if splitmes[0] == "": + encrypted_message = pub_encrypt(netname, splitmes[1], "#" + splitmes[2] + "#") + if encrypted_message == -1: + logging.error("auth: RSA Encryption Error") + else: + sendtext = "#Stage3#" + netname + "#" + curauth[1] + "#" + encrypted_message + "#" + sendfifo.put(sendtext) + logging.info("auth: got Stage2 sending now Stage3") + logging.debug("auth: " + sendtext) + + if curauth[0] == "Stage3": + line = findhostinlist(authlist, curauth[1], curauth[2]) + if line != -1: + dec_message = priv_decrypt(netname, curauth[3]) + splitmes = dec_message.split("#") + logging.info("auth: checking challenge") + if splitmes[0] == "": + if splitmes[1] == str(authlist[line][2]): + timeoutfifo.put(["add", curauth[1], curauth[2]]) + del authlist[line] + logging.info("auth: Stage3 checked, sending now to timeout") + else: logging.error("auth: challenge checking failed") + else: logging.error("auth: decryption failed") + + else: + i = 0 + while i < len(authlist): + if time.time() - authlist[i][3] > 120: + del authlist[i] + logging.info("auth: deleting timeoutet auth") + else: + i += 1 + time.sleep(1) + except: + logging.error("auth: thread crashed") + +#Program starts here! + +parser = OptionParser() +parser.add_option("-n", "--netname", dest="netname", help="the netname of the tinc network") +parser.add_option("-H", "--hostname", dest="hostname", default="default" , help="your nodename, if not given, it will try too read it from tinc.conf") +parser.add_option("-d", "--debug", dest="debug", default="0", help="debug level: 0,1,2,3 if empty debug level=0") +parser.add_option("-g", "--ghost", action="store_true", dest="ghost", default=False, help="deactivates active sending, keeps you anonymous in the public network") +(option, args) = parser.parse_args() + +if option.netname == None: + parser.error("Netname is required, use -h for help!") +if option.hostname == "default": + option.hostname = getHostname(option.netname) + +hostname = option.hostname +netname = option.netname + + +#Logging stuff +LEVELS = {'3' : logging.DEBUG, + '2' : logging.INFO, + '1' : logging.ERROR, + '0' : logging.CRITICAL} + +level_name = option.debug +level = LEVELS.get(level_name, logging.NOTSET) +logging.basicConfig(level=level) + +get_hostfiles(netname, "http://vpn.miefda.org/hosts.tar.gz", "http://vpn.miefda.org/hosts.md5") + +tar = subprocess.call(["tar -xzf /etc/tinc/" + netname + "/hosts/hosts.tar.gz -C /etc/tinc/" + netname + "/hosts/"], shell=True) +start_tincd = subprocess.call(["tincd -n " + netname ],shell=True) + +sendfifo = Queue.Queue() #sendtext +authfifo = Queue.Queue() #Stage{1, 2, 3} hostname ip enc_data +timeoutfifo = Queue.Queue() #State{tst, add} hostname ip + +thread_recv = thread.start_new_thread(recvthread, (netname, hostname, timeoutfifo, authfifo)) +thread_send = thread.start_new_thread(sendthread, (netname, hostname, sendfifo, option.ghost)) +thread_timeout = thread.start_new_thread(timeoutthread, (netname, timeoutfifo, authfifo)) +thread_auth = thread.start_new_thread(auththread, (netname, hostname, authfifo, sendfifo, timeoutfifo)) + +##dirty while function, SHOULD BE IMPROVED +while True: + time.sleep(10) diff --git a/.scripts/tinc_setup/README b/.scripts/tinc_setup/README new file mode 100644 index 00000000..11d6f6e9 --- /dev/null +++ b/.scripts/tinc_setup/README @@ -0,0 +1,18 @@ +This directory contains the build and install scripts for shack-retiolum + +1. build_arch + arch linux build script +2. build_debian + debian build script +3. build_debian_clean + debian script which builds a clean tinc daemon +4. build_ec2 + Amazon ec2 base instance build script +5. install.sh + configures the tinc daemon + $1 is the nickname + $2 is the ip-address + also writes a python file inside the tinc/retiolum folder which posts + the public key into the IRC:freenode/#tincspasm +6. build_no.de + nonfunct no.de smartmachine build script diff --git a/.scripts/tinc_setup/bootstrap.sh b/.scripts/tinc_setup/bootstrap.sh new file mode 100644 index 00000000..32919e7d --- /dev/null +++ b/.scripts/tinc_setup/bootstrap.sh @@ -0,0 +1,11 @@ +if [ ! `id -u` -eq "0" ] +then + echo "not root, trying sudo" + exec sudo "$0" "$@" +fi + +mkdir -p /etc/tinc/retiolum/ +git clone git://github.com/miefda/retiolum.git /etc/tinc/retiolum/hosts +cd /etc/tinc/retiolum/hosts/.scripts + +echo "use the build script of your choice from /etc/tinc/retiolum/hosts/.scripts" diff --git a/.scripts/tinc_setup/build_arch.sh b/.scripts/tinc_setup/build_arch.sh new file mode 100755 index 00000000..5ef5d765 --- /dev/null +++ b/.scripts/tinc_setup/build_arch.sh @@ -0,0 +1,14 @@ +#!/bin/sh +set -e +sudo pacman -S openssl gcc lzo +curl http://www.tinc-vpn.org/packages/tinc-1.0.13.tar.gz | tar xz +cd tinc-1.0.13 +./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var +make +sudo make install +cd .. + +echo "overwriting python to python2" +sed 's/\/usr\/bin\/python/\/usr\/bin\/python2/g' install.sh >install2.sh +mv install2.sh install.sh + diff --git a/.scripts/tinc_setup/build_debian.sh b/.scripts/tinc_setup/build_debian.sh new file mode 100755 index 00000000..ddc63aed --- /dev/null +++ b/.scripts/tinc_setup/build_debian.sh @@ -0,0 +1,30 @@ +#!/bin/bash +set -x +if [ ! "$MYIP" ] +then + MYIP=10.0.7.7.55 +fi +if [ ! "$MYHOSTNAME" ] +then + MYHOSTNAME="penis" +fi + +if [ "$MYHOSTNAME" = "penis" ]; +then + read -n1 -p "name is penis, are u sure? [yN]" + if [[ "$REPLY" != [yY] ]] + then + echo "then better RTFC" + echo "bailing out" + exit 0 + fi +fi +apt-get install tinc git curl python + +./install.sh "$MYHOSTNAME" "$MYIP" + +# for autostart +sed -i '/retiolum/d' /etc/tinc/nets.boot +echo "retiolum" >> /etc/tinc/nets.boot +sed -i '/EXTRA/d' /etc/tinc/nets.boot +echo "EXTRA=\"\"" >> /etc/default/tinc diff --git a/.scripts/tinc_setup/build_debian_clean.sh b/.scripts/tinc_setup/build_debian_clean.sh new file mode 100755 index 00000000..a7332f4e --- /dev/null +++ b/.scripts/tinc_setup/build_debian_clean.sh @@ -0,0 +1,31 @@ +#!/bin/bash +set -xe +MYIP=10.0.7.7.55 + +apt-get install tinc git curl gcc gcc-dev build-essential libssl-dev python + +git clone https://github.com/makefu/shack-retiolum.git + +mkdir build +cd build +curl http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz | tar +xz +cd lzo-2.04 +./configure --prefix=/usr +make +sudo make install +cd .. +curl http://www.tinc-vpn.org/packages/tinc-1.0.13.tar.gz | tar xz +cd tinc-1.0.13 +./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var +make +sudo make install +cd ../.. + +cd shack-retiolum +./install.sh `hostname` $MYIP + +rm shack-retiolum +# for autostart +echo "retiolum" >> /etc/tinc/nets.boot +echo "EXTRA=\"--user=tincd --chroot\"" >> /etc/default/tinc diff --git a/.scripts/tinc_setup/build_ec2.sh b/.scripts/tinc_setup/build_ec2.sh new file mode 100755 index 00000000..79f2af28 --- /dev/null +++ b/.scripts/tinc_setup/build_ec2.sh @@ -0,0 +1,16 @@ +#!/bin/sh +set -e +sudo yum install -y gcc openssl-devel +mkdir build +cd build +curl http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz | tar xz +cd lzo-2.04 +./configure --prefix=/usr +make +sudo make install +cd .. +curl http://www.tinc-vpn.org/packages/tinc-1.0.13.tar.gz | tar xz +cd tinc-1.0.13 +./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var +make +sudo make install diff --git a/.scripts/tinc_setup/build_no.de.sh b/.scripts/tinc_setup/build_no.de.sh new file mode 100644 index 00000000..2976d3a2 --- /dev/null +++ b/.scripts/tinc_setup/build_no.de.sh @@ -0,0 +1 @@ +pkgin in lzo gcc-tools gcc-compiler gcc34 diff --git a/.scripts/tinc_setup/install.sh b/.scripts/tinc_setup/install.sh new file mode 100755 index 00000000..4b21bcd4 --- /dev/null +++ b/.scripts/tinc_setup/install.sh @@ -0,0 +1,68 @@ +#! /bin/sh +# USE WITH GREAT CAUTION + +set -e +myname="${1:-dummy}" +rel_hostsfile=`dirname $0`/.. +hostsfile=`readlink -f $rel_hostsfile` +netname=retiolum +myipv4="${2:-10.7.7.56}" +mynet4=10.7.7.0 +CURR=`pwd` +# create configuration directory for $netname +mkdir -p /etc/tinc/$netname +cd /etc/tinc/$netname + +# get currently known hosts +cp -r $hostsfile hosts +echo "added known hosts:" +ls -1 | LC_ALL=C sort +echo "delete the nodes you do not trust!" + + +cat>tinc-up<tinc.conf< hosts/$myname +tincd -n $netname -K + +echo Writing Public Key to irc channel +cat>write_channel.py<