Compare commits
6 Commits
5717f0ad85
...
snow-scann
Author | SHA1 | Date | |
---|---|---|---|
605c4d3256
|
|||
3461c11ede
|
|||
36efcf03ac
|
|||
b331b598aa
|
|||
3d0f58dd07
|
|||
ef19081638
|
@ -153,3 +153,11 @@
|
||||
185.242.226.41
|
||||
162.216.18.113
|
||||
59.110.115.16
|
||||
87.120.120.31
|
||||
87.120.120.39
|
||||
87.120.120.50
|
||||
87.120.120.57
|
||||
45.143.95.76
|
||||
185.28.39.97
|
||||
202.131.82.140
|
||||
78.153.140.123
|
||||
|
@ -15,3 +15,4 @@
|
||||
217.169.88.0/21
|
||||
205.210.31.0/24
|
||||
94.102.61.0/24
|
||||
87.120.120.0/23
|
||||
|
@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "snow-scanner"
|
||||
version = "0.1.0"
|
||||
version = "1.0.0"
|
||||
authors = ["William Desportes <williamdes@wdes.fr>"]
|
||||
edition = "2021"
|
||||
rust-version = "1.81.0" # MSRV
|
||||
@ -76,3 +76,31 @@ cidr = "0.3.0"
|
||||
serde = { version = "1.0.210", features = ["derive"] }
|
||||
serde_json = "1.0.128"
|
||||
weighted-rs = "0.1.3"
|
||||
|
||||
[package.metadata.deb]
|
||||
maintainer = "William Desportes <williamdes@wdes.fr>"
|
||||
copyright = "2022-2025, William Desportes <williamdes@wdes.fr>"
|
||||
license-file = ["../LICENSE"]
|
||||
extended-description = """\
|
||||
Find hidden IPs in the internet snow."""
|
||||
depends = "$auto"
|
||||
section = "rust"
|
||||
priority = "optional"
|
||||
assets = [
|
||||
{ source = "README.md", dest = "usr/share/doc/snow-scanner/README", mode = "644"},
|
||||
{ source = "../data/collections/*/*", dest = "usr/share/snow-scanner/data/collections", mode = "644"},
|
||||
{ source = "../data/scanners/*", dest = "usr/share/snow-scanner/data/scanners", mode = "644"},
|
||||
{ source = "target/release/snow-scanner", dest = "usr/bin/snow-scanner", mode = "777"},
|
||||
{ source = "target/release/snow-scanner-worker", dest = "usr/bin/snow-scanner-worker", mode = "777"},
|
||||
]
|
||||
|
||||
maintainer-scripts = "debian/"
|
||||
systemd-units = [
|
||||
{ unit-name = "snow-scanner", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true },
|
||||
{ unit-name = "snow-scanner-worker", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true }
|
||||
]
|
||||
|
||||
conf-files = [
|
||||
"/etc/snow-scanner/.env",
|
||||
"/etc/snow-scanner/worker.env"
|
||||
]
|
||||
|
77
snow-scanner/debian/snow-scanner-worker.service
Normal file
77
snow-scanner/debian/snow-scanner-worker.service
Normal file
@ -0,0 +1,77 @@
|
||||
[Unit]
|
||||
Description=Snow scanner worker
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=snow-scanner
|
||||
Group=snow-scanner
|
||||
EnvironmentFile=/etc/snow-scanner/worker.env
|
||||
|
||||
RemoveIPC=true
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
|
||||
PrivateTmp=false
|
||||
ProtectSystem=strict
|
||||
ProtectControlGroups=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
RestrictAddressFamilies=AF_INET AF_INET6
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
MemoryDenyWriteExecute=true
|
||||
LockPersonality=true
|
||||
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||
# This is useful to turn off physical device access by the executed process
|
||||
PrivateDevices=true
|
||||
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||
DevicePolicy=closed
|
||||
ProtectProc=invisible
|
||||
ProtectClock=true
|
||||
ProcSubset=pid
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
# This will fail icmp pingers if set to true
|
||||
PrivateUsers=false
|
||||
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
|
||||
SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
|
||||
SystemCallFilter=~@pkey @ipc
|
||||
|
||||
# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
|
||||
SystemCallErrorNumber=EPERM
|
||||
|
||||
# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
|
||||
# Run: systemd-analyze security snow-scanner
|
||||
# Add this one for ports < 1024
|
||||
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
#CapabilityBoundingSet=CAP_NET_RAW
|
||||
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# Allow icmp
|
||||
#AmbientCapabilities=CAP_NET_RAW
|
||||
|
||||
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||
# This is useful to turn off physical device access by the executed process
|
||||
PrivateDevices=true
|
||||
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||
DevicePolicy=closed
|
||||
|
||||
# No devices (except clock: ProtectClock)
|
||||
# See: https://github.com/systemd/systemd/issues/23185
|
||||
DeviceAllow=
|
||||
|
||||
BindReadOnlyPaths=/usr/share/snow-scanner
|
||||
|
||||
ExecStart=/usr/bin/snow-scanner-worker
|
||||
Restart=on-failure
|
||||
|
||||
LimitNOFILE=infinity
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
77
snow-scanner/debian/snow-scanner.service
Normal file
77
snow-scanner/debian/snow-scanner.service
Normal file
@ -0,0 +1,77 @@
|
||||
[Unit]
|
||||
Description=Snow scanner server
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=snow-scanner
|
||||
Group=snow-scanner
|
||||
EnvironmentFile=/etc/snow-scanner/.env
|
||||
|
||||
RemoveIPC=true
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
|
||||
PrivateTmp=false
|
||||
ProtectSystem=strict
|
||||
ProtectControlGroups=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
RestrictAddressFamilies=AF_INET AF_INET6
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
MemoryDenyWriteExecute=true
|
||||
LockPersonality=true
|
||||
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||
# This is useful to turn off physical device access by the executed process
|
||||
PrivateDevices=true
|
||||
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||
DevicePolicy=closed
|
||||
ProtectProc=invisible
|
||||
ProtectClock=true
|
||||
ProcSubset=pid
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
# This will fail icmp pingers if set to true
|
||||
PrivateUsers=false
|
||||
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
|
||||
SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
|
||||
SystemCallFilter=~@pkey @ipc
|
||||
|
||||
# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
|
||||
SystemCallErrorNumber=EPERM
|
||||
|
||||
# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
|
||||
# Run: systemd-analyze security snow-scanner
|
||||
# Add this one for ports < 1024
|
||||
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
#CapabilityBoundingSet=CAP_NET_RAW
|
||||
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# Allow icmp
|
||||
#AmbientCapabilities=CAP_NET_RAW
|
||||
|
||||
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||
# This is useful to turn off physical device access by the executed process
|
||||
PrivateDevices=true
|
||||
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||
DevicePolicy=closed
|
||||
|
||||
# No devices (except clock: ProtectClock)
|
||||
# See: https://github.com/systemd/systemd/issues/23185
|
||||
DeviceAllow=
|
||||
|
||||
BindReadOnlyPaths=/usr/share/snow-scanner
|
||||
|
||||
ExecStart=/usr/bin/snow-scanner
|
||||
Restart=on-failure
|
||||
|
||||
LimitNOFILE=infinity
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
26
snow-scanner/debian/upload.sh
Executable file
26
snow-scanner/debian/upload.sh
Executable file
@ -0,0 +1,26 @@
|
||||
#!/bin/sh
|
||||
|
||||
user=$(git config github.user)
|
||||
token=$(git config github.token)
|
||||
|
||||
|
||||
if [ -z "$token" ]; then
|
||||
echo 'Token is empty. Please run git config --add github.token "ChangeMe"';
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
if [ -z "$user" ]; then
|
||||
echo 'User is empty. Please run git config --add github.user "ChangeMe"';
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
if [ -z "$1" ]; then
|
||||
echo 'Package file is missing, please provide a .deb file';
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
curl --user $user:$token \
|
||||
--upload-file "$1" \
|
||||
-v \
|
||||
-# \
|
||||
https://git.wdes.eu/api/packages/wdes/debian/pool/bookworm/main/upload
|
Reference in New Issue
Block a user