From 1204730924436ef9e1c7c49c9557837f9a5ed0e8 Mon Sep 17 00:00:00 2001 From: clarkzjw Date: Wed, 8 Feb 2023 00:40:09 -0800 Subject: fork https://github.com/mattsta/mailweb --- ansible/roles/common/files/ffdhe2048.pem | 8 + ansible/roles/common/files/ffdhe3072.pem | 11 + ansible/roles/common/files/ffdhe4096.pem | 13 + ansible/roles/common/files/inputrc | 61 +++++ ansible/roles/common/files/net-listeners.py | 334 ++++++++++++++++++++++++ ansible/roles/common/files/ssh-transfer-only.sh | 11 + ansible/roles/common/files/vimrc.local | 25 ++ 7 files changed, 463 insertions(+) create mode 100644 ansible/roles/common/files/ffdhe2048.pem create mode 100644 ansible/roles/common/files/ffdhe3072.pem create mode 100644 ansible/roles/common/files/ffdhe4096.pem create mode 100644 ansible/roles/common/files/inputrc create mode 100755 ansible/roles/common/files/net-listeners.py create mode 100755 ansible/roles/common/files/ssh-transfer-only.sh create mode 100644 ansible/roles/common/files/vimrc.local (limited to 'ansible/roles/common/files') diff --git a/ansible/roles/common/files/ffdhe2048.pem b/ansible/roles/common/files/ffdhe2048.pem new file mode 100644 index 0000000..9b182b7 --- /dev/null +++ b/ansible/roles/common/files/ffdhe2048.pem @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/ansible/roles/common/files/ffdhe3072.pem b/ansible/roles/common/files/ffdhe3072.pem new file mode 100644 index 0000000..fb31ccd --- /dev/null +++ b/ansible/roles/common/files/ffdhe3072.pem @@ -0,0 +1,11 @@ +-----BEGIN DH PARAMETERS----- +MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu +N///////////AgEC +-----END DH PARAMETERS----- diff --git a/ansible/roles/common/files/ffdhe4096.pem b/ansible/roles/common/files/ffdhe4096.pem new file mode 100644 index 0000000..3cf0fcb --- /dev/null +++ b/ansible/roles/common/files/ffdhe4096.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- diff --git a/ansible/roles/common/files/inputrc b/ansible/roles/common/files/inputrc new file mode 100644 index 0000000..47e7275 --- /dev/null +++ b/ansible/roles/common/files/inputrc @@ -0,0 +1,61 @@ +# do not bell on tab-completion +#set bell-style none + +set meta-flag on +set input-meta on +set convert-meta off +set output-meta on + +# Completed names which are symbolic links to +# directories have a slash appended. +set mark-symlinked-directories on + +$if mode=emacs + +# for linux console and RH/Debian xterm +"\e[1~": beginning-of-line +"\e[4~": end-of-line +# commented out keymappings for pgup/pgdown to reach begin/end of history +#"\e[5~": beginning-of-history +#"\e[6~": end-of-history +"\e[5~": history-search-backward +"\e[6~": history-search-forward +"\e[3~": delete-char +"\e[2~": quoted-insert +"\e[5C": forward-word +"\e[5D": backward-word +"\e[1;5C": forward-word +"\e[1;5D": backward-word + +# for rxvt +"\e[8~": end-of-line +"\eOc": forward-word +"\eOd": backward-word + +# for non RH/Debian xterm, can't hurt for RH/DEbian xterm +"\eOH": beginning-of-line +"\eOF": end-of-line + +# for freebsd console +"\e[H": beginning-of-line +"\e[F": end-of-line +$endif + +# cd d will match documents or Documents +set completion-ignore-case on + +# front-of-command up and down completion +"\e[A":history-search-backward +"\e[B":history-search-forward + +# This is the magic command. +# Enables sane tcsh-like ctrl-d completion showing. +Control-d:delete-char-or-list + +# oddly, menu-complete makes the menu *not* appear +# just cycle through each option +Tab:menu-complete + +# stop asking if I "Really want to see 102 completions" +set completion-query-items 350 +set page-completions off diff --git a/ansible/roles/common/files/net-listeners.py b/ansible/roles/common/files/net-listeners.py new file mode 100755 index 0000000..f8b39cd --- /dev/null +++ b/ansible/roles/common/files/net-listeners.py @@ -0,0 +1,334 @@ +#!/usr/bin/env python3 + +""" Output a colorized list of listening addresses with owners. + +This tool parses files in /proc directly to obtain the list +of IPv4 and IPv6 addresses listening on tcp, tcp6, udp, and udp6 ports +also with pids of processes responsible for the listening. + +Due to permission restrictions on Linux, script must be run as root +to determine which pids match which listening sockets. + +This is also something like: + osqueryi "select po.pid, rtrim(p.cmdline), po.family, po.local_address, po.local_port from process_open_sockets as po JOIN processes as p ON po.pid=p.pid WHERE po.state='LISTEN';" + +""" + +import collections +import subprocess +import codecs +import socket +import struct +import glob +import sys +import re +import os + +TERMINAL_WIDTH = "/usr/bin/tput cols" # could also be "stty size" + +ONLY_LOWEST_PID = False + +# oooh, look, a big dirty global dict collecting all our data without being +# passed around! call the programming police! +inodes = {} + + +class Color: + HEADER = '\033[95m' + OKBLUE = '\033[94m' + OKGREEN = '\033[92m' + WARNING = '\033[93m' + FAIL = '\033[91m' + BOLD = '\033[1m' + UNDERLINE = '\033[4m' + END = '\033[0m' + + +COLOR_HEADER = Color.HEADER +COLOR_OKAY = Color.OKBLUE +COLOR_WARNING = Color.FAIL +COLOR_END = Color.END + +# This should capture: +# 127.0.0.0/8 +# 192.168.0.0/16 +# 10.0.0.0/8 +# 169.254.0.0/16 +# 172.16.0.0/12 +# ::1 +# fe80::/10 +# fc00::/7 +# fd00::/8 +NON_ROUTABLE_REGEX = r"""^((127\.) | + (192\.168\.) | + (10\.) | + (169\.254\.) | + (172\.1[6-9]\.) | + (172\.2[0-9]\.) | + (172\.3[0-1]\.) | + (::1) | + ([fF][eE]80) + ([fF][cCdD]))""" +likelyLocalOnly = re.compile(NON_ROUTABLE_REGEX, re.VERBOSE) + + +def run(thing): + """ Run any string as an async command invocation. """ + # We don't use subprocess.check_output because we want to run all + # processes async + return subprocess.Popen(thing.split(), stdout=subprocess.PIPE) + + +def readOutput(ranCommand): + """ Return array of rows split by newline from previous invocation. """ + stdout, stderr = ranCommand.communicate() + return stdout.decode('utf-8').strip().splitlines() + + +def procListeners(): + """ Wrapper to parse all IPv4 tcp udp, and, IPv6 tcp6 udp6 listeners. """ + + def processProc(name): + """ Process IPv4 and IPv6 versions of listeners based on ``name``. + + ``name`` is either 'udp' or 'tcp' so we parse, for each ``name``: + - /proc/net/[name] + - /proc/net/[name]6 + + As in: + - /proc/net/tcp + - /proc/net/tcp6 + - /proc/net/udp + - /proc/net/udp6 + """ + + def ipv6(addr): + """ Convert /proc IPv6 hex address into standard IPv6 notation. """ + # turn ASCII hex address into binary + addr = codecs.decode(addr, "hex") + + # unpack into 4 32-bit integers in big endian / network byte order + addr = struct.unpack('!LLLL', addr) + + # re-pack as 4 32-bit integers in system native byte order + addr = struct.pack('@IIII', *addr) + + # now we can use standard network APIs to format the address + addr = socket.inet_ntop(socket.AF_INET6, addr) + return addr + + def ipv4(addr): + """ Convert /proc IPv4 hex address into standard IPv4 notation. """ + # Instead of codecs.decode(), we can just convert a 4 byte hex + # string to an integer directly using python radix conversion. + # Basically, int(addr, 16) EQUALS: + # aOrig = addr + # addr = codecs.decode(addr, "hex") + # addr = struct.unpack(">L", addr) + # assert(addr == (int(aOrig, 16),)) + addr = int(addr, 16) + + # system native byte order, 4-byte integer + addr = struct.pack("=L", addr) + addr = socket.inet_ntop(socket.AF_INET, addr) + return addr + + isUDP = name == "udp" + + # Iterate four files: /proc/net/{tcp,udp}{,6} + # ipv4 has no prefix, while ipv6 has 6 appended. + for ver in ["", "6"]: + with open(f"/proc/net/{name}{ver}", 'r') as proto: + proto = proto.read().splitlines() + proto = proto[1:] # drop header row + + for cxn in proto: + cxn = cxn.split() + + # /proc/net/udp{,6} uses different constants for LISTENING + if isUDP: + # These constants are based on enum offsets inside + # the Linux kernel itself. They aren't likely to ever + # change since they are hardcoded in utilities. + isListening = cxn[3] == "07" + else: + isListening = cxn[3] == "0A" + + # Right now this is a single-purpose tool so if process is + # not listening, we avoid further processing of this row. + if not isListening: + continue + + ip, port = cxn[1].split(':') + if ver: + ip = ipv6(ip) + else: + ip = ipv4(ip) + + port = int(port, 16) + inode = cxn[9] + + # We just use a list here because creating a new sub-dict + # for each entry was noticably slower than just indexing + # into lists. + inodes[int(inode)] = [ip, port, f"{name}{ver}"] + + processProc("tcp") + processProc("udp") + + +def appendToInodePidMap(fd, inodePidMap): + """ Take a full path to /proc/[pid]/fd/[fd] for reading. + + Populates both pid and full command line of pid owning an inode we + are interested in. + + Basically finds if any inodes on this pid is a listener we previously + recorded into our ``inodes`` dict. """ + _, _, pid, _, _ = fd.split('/') + try: + target = os.readlink(fd) + except FileNotFoundError: + # file vanished, can't do anything else + return + + if target.startswith("socket"): + ostype, inode = target.split(':') + # strip brackets from fd string (it looks like: [fd]) + inode = int(inode[1:-1]) + inodePidMap[inode].append(int(pid)) + + +def addProcessNamesToInodes(): + """ Loop over every fd in every process in /proc. + + The only way to map an fd back to a process is by looking + at *every* processes fd and extracting backing inodes. + + It's basically like a big awkward database join where you don't + have an index on the field you want. + + Also, due to Linux permissions (and Linux security concerns), + only the root user can read fd listing of processes not owned + by the current user. """ + + # glob glob glob it all + allFDs = glob.iglob("/proc/*/fd/*") + inodePidMap = collections.defaultdict(list) + + for fd in allFDs: + appendToInodePidMap(fd, inodePidMap) + + for inode in inodes: + if inode in inodePidMap: + for pid in inodePidMap[inode]: + try: + with open(f"/proc/{pid}/cmdline", 'r') as cmd: + # /proc command line arguments are delimited by + # null bytes, so undo that here... + cmdline = cmd.read().split('\0') + inodes[inode].append((pid, cmdline)) + except BaseException: + # files can vanish on us at any time (and that's okay!) + # But, since the file is gone, we want the entire fd + # entry gone too: + pass # del inodes[inode] + + +def checkListenersProc(): + terminalWidth = run(TERMINAL_WIDTH) + + procListeners() + addProcessNamesToInodes() + tried = inodes + + try: + cols = readOutput(terminalWidth)[0] + cols = int(cols) + except BaseException: + cols = 80 + + # Print our own custom output header... + proto = "Proto" + addr = "Listening" + pid = "PID" + process = "Process" + print(f"{COLOR_HEADER}{proto:^5} {addr:^25} {pid:>5} {process:^30}") + + # Could sort by anything: ip, port, proto, pid, command name + # (or even the fd integer if that provided any insight whatsoever) + def compareByPidOrPort(what): + k, v = what + # v = [ip, port, proto, pid, cmd] + # - OR - + # v = [ip, port, proto] + + # If we're not running as root we can't pid and command mappings for + # the processes of other users, so sort the pids we did find at end + # of list and show UNKNOWN entries first + # (because the lines will be shorter most likely so the bigger visual + # weight should be lower in the display table) + try: + # Pid available! Sort by first pid, subsort by IP then port. + return (1, v[3], v[0], v[1]) + except BaseException: + # No pid available! Sort by port number then IP then... port again. + return (0, v[1], v[0], v[1]) + + # Sort results by pid... + for name, vals in sorted(tried.items(), key=compareByPidOrPort): + attachedPids = vals[3:] + if attachedPids: + desc = [f"{pid:5} {' '.join(cmd)}" for pid, cmd in vals[3:]] + else: + # If not running as root, we won't have pid or process, so use + # defaults + desc = ["UNKNOWN (must be root for global pid mappings)"] + + port = vals[1] + try: + # Convert port integer to service name if possible + port = socket.getservbyport(port) + except BaseException: + # If no match, just use port number directly. + pass + + addr = f"{vals[0]}:{port}" + proto = vals[2] + + # If IP address looks like it could be visible to the world, + # throw up a color. + # Note: due to port forwarding and NAT and other issues, + # this clearly isn't exhaustive. + if re.match(likelyLocalOnly, addr): + colorNotice = COLOR_OKAY + else: + colorNotice = COLOR_WARNING + + isFirstLine = True + for line in desc: + if isFirstLine: + output = f"{colorNotice}{proto:5} {addr:25} {line}" + isFirstLine = False + else: + output = f"{' ':31} {line}" + + # Be a polite terminal citizen by limiting our width to user's width + # (colors take up non-visible space, so add it to our col count) + print(output[:cols + (len(colorNotice) if isFirstLine else 0)]) + + if ONLY_LOWEST_PID: + break + + print(COLOR_END) + + +if __name__ == "__main__": + # cheap hack garbage way of setting one option + # if we need more options, obviously pull in argparse + if len(sys.argv) > 1: + ONLY_LOWEST_PID = True + else: + ONLY_LOWEST_PID = False + + checkListenersProc() diff --git a/ansible/roles/common/files/ssh-transfer-only.sh b/ansible/roles/common/files/ssh-transfer-only.sh new file mode 100755 index 0000000..c1f0624 --- /dev/null +++ b/ansible/roles/common/files/ssh-transfer-only.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +# Only allow ssh commands starting with 'scp' or 'rsync' +case $SSH_ORIGINAL_COMMAND in + scp*) + $SSH_ORIGINAL_COMMAND ;; + rsync*) + $SSH_ORIGINAL_COMMAND ;; + *) + echo "Not allowed with this key: $SSH_ORIGINAL_COMMAND" ;; +esac diff --git a/ansible/roles/common/files/vimrc.local b/ansible/roles/common/files/vimrc.local new file mode 100644 index 0000000..378d91e --- /dev/null +++ b/ansible/roles/common/files/vimrc.local @@ -0,0 +1,25 @@ +set encoding=utf-8 + +set ignorecase +set smartcase + +set title + +set backupdir=~/.vim-tmp,/tmp +set directory=~/.vim-tmp,/tmp + +set ruler + +filetype plugin indent on + +set ai +set expandtab +set tabstop=4 +set shiftwidth=4 + +autocmd BufEnter * :syntax sync fromstart + +set hlsearch +colorscheme peachpuff + +set wildignore+=*/tmp/*,*.so,*.swp,*.zip,*.o,*.dSYM,tags -- cgit v1.2.3