Compare commits
7 Commits
5717f0ad85
...
4d13491415
Author | SHA1 | Date | |
---|---|---|---|
4d13491415
|
|||
605c4d3256
|
|||
3461c11ede
|
|||
36efcf03ac
|
|||
b331b598aa
|
|||
3d0f58dd07
|
|||
ef19081638
|
@ -153,3 +153,11 @@
|
|||||||
185.242.226.41
|
185.242.226.41
|
||||||
162.216.18.113
|
162.216.18.113
|
||||||
59.110.115.16
|
59.110.115.16
|
||||||
|
87.120.120.31
|
||||||
|
87.120.120.39
|
||||||
|
87.120.120.50
|
||||||
|
87.120.120.57
|
||||||
|
45.143.95.76
|
||||||
|
185.28.39.97
|
||||||
|
202.131.82.140
|
||||||
|
78.153.140.123
|
||||||
|
@ -15,3 +15,4 @@
|
|||||||
217.169.88.0/21
|
217.169.88.0/21
|
||||||
205.210.31.0/24
|
205.210.31.0/24
|
||||||
94.102.61.0/24
|
94.102.61.0/24
|
||||||
|
87.120.120.0/23
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
[package]
|
[package]
|
||||||
name = "snow-scanner"
|
name = "snow-scanner"
|
||||||
version = "0.1.0"
|
version = "1.0.0"
|
||||||
authors = ["William Desportes <williamdes@wdes.fr>"]
|
authors = ["William Desportes <williamdes@wdes.fr>"]
|
||||||
edition = "2021"
|
edition = "2021"
|
||||||
rust-version = "1.81.0" # MSRV
|
rust-version = "1.81.0" # MSRV
|
||||||
@ -76,3 +76,31 @@ cidr = "0.3.0"
|
|||||||
serde = { version = "1.0.210", features = ["derive"] }
|
serde = { version = "1.0.210", features = ["derive"] }
|
||||||
serde_json = "1.0.128"
|
serde_json = "1.0.128"
|
||||||
weighted-rs = "0.1.3"
|
weighted-rs = "0.1.3"
|
||||||
|
|
||||||
|
[package.metadata.deb]
|
||||||
|
maintainer = "William Desportes <williamdes@wdes.fr>"
|
||||||
|
copyright = "2022-2025, William Desportes <williamdes@wdes.fr>"
|
||||||
|
license-file = ["../LICENSE"]
|
||||||
|
extended-description = """\
|
||||||
|
Find hidden IPs in the internet snow."""
|
||||||
|
depends = "$auto"
|
||||||
|
section = "rust"
|
||||||
|
priority = "optional"
|
||||||
|
assets = [
|
||||||
|
{ source = "README.md", dest = "usr/share/doc/snow-scanner/README", mode = "644"},
|
||||||
|
{ source = "../data/collections/*/*", dest = "usr/share/snow-scanner/data/collections", mode = "644"},
|
||||||
|
{ source = "../data/scanners/*", dest = "usr/share/snow-scanner/data/scanners", mode = "644"},
|
||||||
|
{ source = "target/release/snow-scanner", dest = "usr/bin/snow-scanner", mode = "777"},
|
||||||
|
{ source = "target/release/snow-scanner-worker", dest = "usr/bin/snow-scanner-worker", mode = "777"},
|
||||||
|
]
|
||||||
|
|
||||||
|
maintainer-scripts = "debian/"
|
||||||
|
systemd-units = [
|
||||||
|
{ unit-name = "snow-scanner", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true },
|
||||||
|
{ unit-name = "snow-scanner-worker", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true }
|
||||||
|
]
|
||||||
|
|
||||||
|
conf-files = [
|
||||||
|
"/etc/snow-scanner/.env",
|
||||||
|
"/etc/snow-scanner/worker.env"
|
||||||
|
]
|
||||||
|
80
snow-scanner/debian/snow-scanner-worker.service
Normal file
80
snow-scanner/debian/snow-scanner-worker.service
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Snow scanner worker
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
User=snow-scanner
|
||||||
|
Group=snow-scanner
|
||||||
|
EnvironmentFile=/etc/snow-scanner/worker.env
|
||||||
|
|
||||||
|
RemoveIPC=true
|
||||||
|
ProtectHome=true
|
||||||
|
NoNewPrivileges=true
|
||||||
|
|
||||||
|
PrivateTmp=false
|
||||||
|
ProtectSystem=strict
|
||||||
|
ProtectControlGroups=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
RestrictAddressFamilies=AF_INET AF_INET6
|
||||||
|
RestrictNamespaces=true
|
||||||
|
RestrictRealtime=true
|
||||||
|
RestrictSUIDSGID=true
|
||||||
|
MemoryDenyWriteExecute=true
|
||||||
|
LockPersonality=true
|
||||||
|
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||||
|
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||||
|
# This is useful to turn off physical device access by the executed process
|
||||||
|
PrivateDevices=true
|
||||||
|
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||||
|
DevicePolicy=closed
|
||||||
|
ProtectProc=invisible
|
||||||
|
ProtectClock=true
|
||||||
|
ProcSubset=pid
|
||||||
|
ProtectHostname=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
# This will fail icmp pingers if set to true
|
||||||
|
PrivateUsers=false
|
||||||
|
|
||||||
|
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
|
||||||
|
SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
|
||||||
|
SystemCallFilter=~@pkey @ipc
|
||||||
|
|
||||||
|
# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
|
||||||
|
SystemCallErrorNumber=EPERM
|
||||||
|
|
||||||
|
# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
|
||||||
|
# Run: systemd-analyze security snow-scanner
|
||||||
|
# Add this one for ports < 1024
|
||||||
|
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||||
|
#CapabilityBoundingSet=CAP_NET_RAW
|
||||||
|
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
|
# Allow icmp
|
||||||
|
#AmbientCapabilities=CAP_NET_RAW
|
||||||
|
|
||||||
|
# Add this one for ports < 1024
|
||||||
|
#AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||||
|
|
||||||
|
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||||
|
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||||
|
# This is useful to turn off physical device access by the executed process
|
||||||
|
PrivateDevices=true
|
||||||
|
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||||
|
DevicePolicy=closed
|
||||||
|
|
||||||
|
# No devices (except clock: ProtectClock)
|
||||||
|
# See: https://github.com/systemd/systemd/issues/23185
|
||||||
|
DeviceAllow=
|
||||||
|
|
||||||
|
BindReadOnlyPaths=/usr/share/snow-scanner
|
||||||
|
|
||||||
|
ExecStart=/usr/bin/snow-scanner-worker
|
||||||
|
Restart=on-failure
|
||||||
|
|
||||||
|
LimitNOFILE=infinity
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
80
snow-scanner/debian/snow-scanner.service
Normal file
80
snow-scanner/debian/snow-scanner.service
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Snow scanner server
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
User=snow-scanner
|
||||||
|
Group=snow-scanner
|
||||||
|
EnvironmentFile=/etc/snow-scanner/.env
|
||||||
|
|
||||||
|
RemoveIPC=true
|
||||||
|
ProtectHome=true
|
||||||
|
NoNewPrivileges=true
|
||||||
|
|
||||||
|
PrivateTmp=false
|
||||||
|
ProtectSystem=strict
|
||||||
|
ProtectControlGroups=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
RestrictAddressFamilies=AF_INET AF_INET6
|
||||||
|
RestrictNamespaces=true
|
||||||
|
RestrictRealtime=true
|
||||||
|
RestrictSUIDSGID=true
|
||||||
|
MemoryDenyWriteExecute=true
|
||||||
|
LockPersonality=true
|
||||||
|
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||||
|
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||||
|
# This is useful to turn off physical device access by the executed process
|
||||||
|
PrivateDevices=true
|
||||||
|
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||||
|
DevicePolicy=closed
|
||||||
|
ProtectProc=invisible
|
||||||
|
ProtectClock=true
|
||||||
|
ProcSubset=pid
|
||||||
|
ProtectHostname=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
# This will fail icmp pingers if set to true
|
||||||
|
PrivateUsers=false
|
||||||
|
|
||||||
|
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
|
||||||
|
SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
|
||||||
|
SystemCallFilter=~@pkey @ipc
|
||||||
|
|
||||||
|
# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
|
||||||
|
SystemCallErrorNumber=EPERM
|
||||||
|
|
||||||
|
# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
|
||||||
|
# Run: systemd-analyze security snow-scanner
|
||||||
|
# Add this one for ports < 1024
|
||||||
|
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||||
|
#CapabilityBoundingSet=CAP_NET_RAW
|
||||||
|
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
|
# Allow icmp
|
||||||
|
#AmbientCapabilities=CAP_NET_RAW
|
||||||
|
|
||||||
|
# Add this one for ports < 1024
|
||||||
|
#AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||||
|
|
||||||
|
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||||
|
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||||
|
# This is useful to turn off physical device access by the executed process
|
||||||
|
PrivateDevices=true
|
||||||
|
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||||
|
DevicePolicy=closed
|
||||||
|
|
||||||
|
# No devices (except clock: ProtectClock)
|
||||||
|
# See: https://github.com/systemd/systemd/issues/23185
|
||||||
|
DeviceAllow=
|
||||||
|
|
||||||
|
BindReadOnlyPaths=/usr/share/snow-scanner
|
||||||
|
|
||||||
|
ExecStart=/usr/bin/snow-scanner
|
||||||
|
Restart=on-failure
|
||||||
|
|
||||||
|
LimitNOFILE=infinity
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
26
snow-scanner/debian/upload.sh
Executable file
26
snow-scanner/debian/upload.sh
Executable file
@ -0,0 +1,26 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
user=$(git config github.user)
|
||||||
|
token=$(git config github.token)
|
||||||
|
|
||||||
|
|
||||||
|
if [ -z "$token" ]; then
|
||||||
|
echo 'Token is empty. Please run git config --add github.token "ChangeMe"';
|
||||||
|
exit 1;
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$user" ]; then
|
||||||
|
echo 'User is empty. Please run git config --add github.user "ChangeMe"';
|
||||||
|
exit 1;
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$1" ]; then
|
||||||
|
echo 'Package file is missing, please provide a .deb file';
|
||||||
|
exit 1;
|
||||||
|
fi
|
||||||
|
|
||||||
|
curl --user $user:$token \
|
||||||
|
--upload-file "$1" \
|
||||||
|
-v \
|
||||||
|
-# \
|
||||||
|
https://git.wdes.eu/api/packages/wdes/debian/pool/bookworm/main/upload
|
Reference in New Issue
Block a user