Document binding port 80

data/collections/wdes/bad-ips.txt

@@ -153,3 +153,11 @@
 185.242.226.41
 162.216.18.113
 59.110.115.16
+87.120.120.31
+87.120.120.39
+87.120.120.50
+87.120.120.57
+45.143.95.76
+185.28.39.97
+202.131.82.140
+78.153.140.123

data/collections/wdes/bad-networks.txt

@@ -15,3 +15,4 @@
 217.169.88.0/21
 205.210.31.0/24
 94.102.61.0/24
+87.120.120.0/23

snow-scanner/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "snow-scanner"
-version = "0.1.0"
+version = "1.0.0"
 authors = ["William Desportes <williamdes@wdes.fr>"]
 edition = "2021"
 rust-version = "1.81.0"  # MSRV
@@ -76,3 +76,31 @@ cidr = "0.3.0"
 serde = { version = "1.0.210", features = ["derive"] }
 serde_json = "1.0.128"
 weighted-rs = "0.1.3"
+
+[package.metadata.deb]
+maintainer = "William Desportes <williamdes@wdes.fr>"
+copyright = "2022-2025, William Desportes <williamdes@wdes.fr>"
+license-file = ["../LICENSE"]
+extended-description = """\
+Find hidden IPs in the internet snow."""
+depends = "$auto"
+section = "rust"
+priority = "optional"
+assets = [
+    { source = "README.md", dest = "usr/share/doc/snow-scanner/README", mode = "644"},
+    { source = "../data/collections/*/*", dest = "usr/share/snow-scanner/data/collections", mode = "644"},
+    { source = "../data/scanners/*", dest = "usr/share/snow-scanner/data/scanners", mode = "644"},
+    { source = "target/release/snow-scanner", dest = "usr/bin/snow-scanner", mode = "777"},
+    { source = "target/release/snow-scanner-worker", dest = "usr/bin/snow-scanner-worker", mode = "777"},
+]
+
+maintainer-scripts = "debian/"
+systemd-units = [
+    { unit-name = "snow-scanner", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true },
+    { unit-name = "snow-scanner-worker", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true }
+]
+
+conf-files = [
+    "/etc/snow-scanner/.env",
+    "/etc/snow-scanner/worker.env"
+]

snow-scanner/debian/snow-scanner-worker.service

@@ -0,0 +1,80 @@
+[Unit]
+Description=Snow scanner worker
+After=network.target
+
+[Service]
+Type=simple
+User=snow-scanner
+Group=snow-scanner
+EnvironmentFile=/etc/snow-scanner/worker.env
+
+RemoveIPC=true
+ProtectHome=true
+NoNewPrivileges=true
+
+PrivateTmp=false
+ProtectSystem=strict
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
+# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
+# This is useful to turn off physical device access by the executed process
+PrivateDevices=true
+# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
+DevicePolicy=closed
+ProtectProc=invisible
+ProtectClock=true
+ProcSubset=pid
+ProtectHostname=true
+ProtectKernelLogs=true
+# This will fail icmp pingers if set to true
+PrivateUsers=false
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
+SystemCallFilter=~@pkey @ipc
+
+# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
+SystemCallErrorNumber=EPERM
+
+# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
+# Run: systemd-analyze security snow-scanner
+# Add this one for ports < 1024
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#CapabilityBoundingSet=CAP_NET_RAW
+
+SystemCallArchitectures=native
+
+# Allow icmp
+#AmbientCapabilities=CAP_NET_RAW
+
+# Add this one for ports < 1024
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
+# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
+# This is useful to turn off physical device access by the executed process
+PrivateDevices=true
+# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
+DevicePolicy=closed
+
+# No devices (except clock: ProtectClock)
+# See: https://github.com/systemd/systemd/issues/23185
+DeviceAllow=
+
+BindReadOnlyPaths=/usr/share/snow-scanner
+
+ExecStart=/usr/bin/snow-scanner-worker
+Restart=on-failure
+
+LimitNOFILE=infinity
+
+[Install]
+WantedBy=multi-user.target

snow-scanner/debian/snow-scanner.service

@@ -0,0 +1,80 @@
+[Unit]
+Description=Snow scanner server
+After=network.target
+
+[Service]
+Type=simple
+User=snow-scanner
+Group=snow-scanner
+EnvironmentFile=/etc/snow-scanner/.env
+
+RemoveIPC=true
+ProtectHome=true
+NoNewPrivileges=true
+
+PrivateTmp=false
+ProtectSystem=strict
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
+# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
+# This is useful to turn off physical device access by the executed process
+PrivateDevices=true
+# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
+DevicePolicy=closed
+ProtectProc=invisible
+ProtectClock=true
+ProcSubset=pid
+ProtectHostname=true
+ProtectKernelLogs=true
+# This will fail icmp pingers if set to true
+PrivateUsers=false
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
+SystemCallFilter=~@pkey @ipc
+
+# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
+SystemCallErrorNumber=EPERM
+
+# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
+# Run: systemd-analyze security snow-scanner
+# Add this one for ports < 1024
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#CapabilityBoundingSet=CAP_NET_RAW
+
+SystemCallArchitectures=native
+
+# Allow icmp
+#AmbientCapabilities=CAP_NET_RAW
+
+# Add this one for ports < 1024
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
+# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
+# This is useful to turn off physical device access by the executed process
+PrivateDevices=true
+# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
+DevicePolicy=closed
+
+# No devices (except clock: ProtectClock)
+# See: https://github.com/systemd/systemd/issues/23185
+DeviceAllow=
+
+BindReadOnlyPaths=/usr/share/snow-scanner
+
+ExecStart=/usr/bin/snow-scanner
+Restart=on-failure
+
+LimitNOFILE=infinity
+
+[Install]
+WantedBy=multi-user.target

snow-scanner/debian/upload.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+user=$(git config github.user)
+token=$(git config github.token)
+
+
+if [ -z "$token" ]; then
+    echo 'Token is empty. Please run git config --add github.token "ChangeMe"';
+    exit 1;
+fi
+
+if [ -z "$user" ]; then
+    echo 'User is empty. Please run git config --add github.user "ChangeMe"';
+    exit 1;
+fi
+
+if [ -z "$1" ]; then
+    echo 'Package file is missing, please provide a .deb file';
+    exit 1;
+fi
+
+curl --user $user:$token \
+     --upload-file "$1" \
+     -v \
+     -# \
+     https://git.wdes.eu/api/packages/wdes/debian/pool/bookworm/main/upload