6 Commits

6 changed files with 218 additions and 1 deletions

View File

@ -153,3 +153,11 @@
185.242.226.41 185.242.226.41
162.216.18.113 162.216.18.113
59.110.115.16 59.110.115.16
87.120.120.31
87.120.120.39
87.120.120.50
87.120.120.57
45.143.95.76
185.28.39.97
202.131.82.140
78.153.140.123

View File

@ -15,3 +15,4 @@
217.169.88.0/21 217.169.88.0/21
205.210.31.0/24 205.210.31.0/24
94.102.61.0/24 94.102.61.0/24
87.120.120.0/23

View File

@ -1,6 +1,6 @@
[package] [package]
name = "snow-scanner" name = "snow-scanner"
version = "0.1.0" version = "1.0.0"
authors = ["William Desportes <williamdes@wdes.fr>"] authors = ["William Desportes <williamdes@wdes.fr>"]
edition = "2021" edition = "2021"
rust-version = "1.81.0" # MSRV rust-version = "1.81.0" # MSRV
@ -76,3 +76,31 @@ cidr = "0.3.0"
serde = { version = "1.0.210", features = ["derive"] } serde = { version = "1.0.210", features = ["derive"] }
serde_json = "1.0.128" serde_json = "1.0.128"
weighted-rs = "0.1.3" weighted-rs = "0.1.3"
[package.metadata.deb]
maintainer = "William Desportes <williamdes@wdes.fr>"
copyright = "2022-2025, William Desportes <williamdes@wdes.fr>"
license-file = ["../LICENSE"]
extended-description = """\
Find hidden IPs in the internet snow."""
depends = "$auto"
section = "rust"
priority = "optional"
assets = [
{ source = "README.md", dest = "usr/share/doc/snow-scanner/README", mode = "644"},
{ source = "../data/collections/*/*", dest = "usr/share/snow-scanner/data/collections", mode = "644"},
{ source = "../data/scanners/*", dest = "usr/share/snow-scanner/data/scanners", mode = "644"},
{ source = "target/release/snow-scanner", dest = "usr/bin/snow-scanner", mode = "777"},
{ source = "target/release/snow-scanner-worker", dest = "usr/bin/snow-scanner-worker", mode = "777"},
]
maintainer-scripts = "debian/"
systemd-units = [
{ unit-name = "snow-scanner", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true },
{ unit-name = "snow-scanner-worker", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true }
]
conf-files = [
"/etc/snow-scanner/.env",
"/etc/snow-scanner/worker.env"
]

View File

@ -0,0 +1,77 @@
[Unit]
Description=Snow scanner worker
After=network.target
[Service]
Type=simple
User=snow-scanner
Group=snow-scanner
EnvironmentFile=/etc/snow-scanner/worker.env
RemoveIPC=true
ProtectHome=true
NoNewPrivileges=true
PrivateTmp=false
ProtectSystem=strict
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
MemoryDenyWriteExecute=true
LockPersonality=true
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
# This is useful to turn off physical device access by the executed process
PrivateDevices=true
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
DevicePolicy=closed
ProtectProc=invisible
ProtectClock=true
ProcSubset=pid
ProtectHostname=true
ProtectKernelLogs=true
# This will fail icmp pingers if set to true
PrivateUsers=false
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
SystemCallFilter=~@pkey @ipc
# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
SystemCallErrorNumber=EPERM
# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
# Run: systemd-analyze security snow-scanner
# Add this one for ports < 1024
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#CapabilityBoundingSet=CAP_NET_RAW
SystemCallArchitectures=native
# Allow icmp
#AmbientCapabilities=CAP_NET_RAW
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
# This is useful to turn off physical device access by the executed process
PrivateDevices=true
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
DevicePolicy=closed
# No devices (except clock: ProtectClock)
# See: https://github.com/systemd/systemd/issues/23185
DeviceAllow=
BindReadOnlyPaths=/usr/share/snow-scanner
ExecStart=/usr/bin/snow-scanner-worker
Restart=on-failure
LimitNOFILE=infinity
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,77 @@
[Unit]
Description=Snow scanner server
After=network.target
[Service]
Type=simple
User=snow-scanner
Group=snow-scanner
EnvironmentFile=/etc/snow-scanner/.env
RemoveIPC=true
ProtectHome=true
NoNewPrivileges=true
PrivateTmp=false
ProtectSystem=strict
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
MemoryDenyWriteExecute=true
LockPersonality=true
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
# This is useful to turn off physical device access by the executed process
PrivateDevices=true
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
DevicePolicy=closed
ProtectProc=invisible
ProtectClock=true
ProcSubset=pid
ProtectHostname=true
ProtectKernelLogs=true
# This will fail icmp pingers if set to true
PrivateUsers=false
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
SystemCallFilter=~@pkey @ipc
# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
SystemCallErrorNumber=EPERM
# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
# Run: systemd-analyze security snow-scanner
# Add this one for ports < 1024
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#CapabilityBoundingSet=CAP_NET_RAW
SystemCallArchitectures=native
# Allow icmp
#AmbientCapabilities=CAP_NET_RAW
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
# This is useful to turn off physical device access by the executed process
PrivateDevices=true
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
DevicePolicy=closed
# No devices (except clock: ProtectClock)
# See: https://github.com/systemd/systemd/issues/23185
DeviceAllow=
BindReadOnlyPaths=/usr/share/snow-scanner
ExecStart=/usr/bin/snow-scanner
Restart=on-failure
LimitNOFILE=infinity
[Install]
WantedBy=multi-user.target

26
snow-scanner/debian/upload.sh Executable file
View File

@ -0,0 +1,26 @@
#!/bin/sh
user=$(git config github.user)
token=$(git config github.token)
if [ -z "$token" ]; then
echo 'Token is empty. Please run git config --add github.token "ChangeMe"';
exit 1;
fi
if [ -z "$user" ]; then
echo 'User is empty. Please run git config --add github.user "ChangeMe"';
exit 1;
fi
if [ -z "$1" ]; then
echo 'Package file is missing, please provide a .deb file';
exit 1;
fi
curl --user $user:$token \
--upload-file "$1" \
-v \
-# \
https://git.wdes.eu/api/packages/wdes/debian/pool/bookworm/main/upload