Oracle Linux/Obfuscation

From r00tedvw.com wiki
Jump to: navigation, search

Obfuscation

OpenVPN with ProtonVPN

Go to https://protonvpn.com, create an account, select the free plan, goto downloads and select linux, tcp, and the free server configs.
Download one of the configuration files and share it with your server (scp).
Create a file with the username and password on first two lines.

~$ printf "$USERNAME\n$PASSWORD" > ~/login.conf

Connect to the VPN

~$ openvpn --auth-user-pass login.conf --config ./nl-free-01.protonvpn.com.tcp.ovpn

Create VPN Service

Since this is a long running application, we should create a service to manage it.

~$ sudo mkdir /opt/vpn
~$ sudo touch /opt/vpn/vpn.sh
~$ sudo chown root:root /opt/vpn/vpn.sh
~$ sudo chmod 750 /opt/vpn/vpn.sh
~$ sudo vim /opt/vpn/vpn.sh
#!/bin/bash
vpnauth=/opt/vpn/login.conf
vpnconfig=/opt/vpn/nl-free-01.protonvpn.com.tcp.ovpn

openvpn --config $vpnconfig --auth-user-pass $vpnauth 
~$ sudo touch /etc/systemd/system/vpn.service
~$ sudo chown root:root /etc/systemd/system/vpn.service
~$ sudo chmod 750 /etc/systemd/system/vpn.service 
~$ sudo vim /etc/systemd/system/vpn.service
[Unit]
Description=VPN

[Service]
Type=simple
ExecStart=/opt/vpn/vpn.sh
User=root

[Install]
WantedBy=multi-user.target
~$ sudo systemctl daemon-reload
~$ sudo systemctl start vpn.service

Create VPN Management Service

We also want a management service to make sure the VPN is always connected and if not, stop any reliant services.
The OpenVPN service may not die when the connection is terminated from the host end, as such I cant depend on the service state so I've opted to rely on the exposed IP address and compare it to a dynamic dns entry.

~$ sudo touch /opt/vpn/vpnmanager.sh
~$ sudo chown root:root /opt/vpn/vpnmanager.sh
~$ sudo chmod 750 /opt/vpn/vpnmanager.sh
~$ sudo vim /opt/vpn/vpnmanager.sh
#!/bin/bash

dyndns="dyndns.tld"
logfile="/var/log/vpnmanager/vpnmanager.log"
enableslack=true
slackwebhookurl="https://hooks.slack.com/services/<UUID>"
limit=10

if [ ! -d $(dirname $logfile) ]; then
    mkdir $(dirname $logfile)
fi
if (( $? != 0 )); then
    echo "ERROR:: Unable to create log directory"
    exit 1
fi
if ( ! touch $logfile ); then
    echo "ERROR:: Unable to write log file"
    exit 1
else
    touch $logfile
fi

#exec 3>&1 4>&2
#trap 'exec 2>&4 1>&3' 0 1 2 3
#exec 1>>$logfile 2>&1
# Everything below will go to the file $logfile :

printf "\n\n$(date)\n----------------------------\n" >> $logfile

dyndnsip=$(dig -t a +short $dyndns)

function slacksend {
        if [ "$enableslack" = true ]; then
                curl -X POST -H 'Content-type: application/json' --data '{"text":"'"$1"'"}' $slackwebhookurl
        fi
}

function checkip {
    if [[ $(curl --max-time 10 --max-filesize 1000 --no-buffer --silent checkip.amazonaws.com) =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        ipaddr=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent checkip.amazonaws.com)
    else
        if [[ $(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ifconfig.me) =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            ipaddr=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ifconfig.me)
        else
            if [[ $(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ipinfo.io/ip) =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
                ipaddr=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ipinfo.io/ip)
            else
                if [[ $(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ident.me)  =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
                    ipaddr=$(curl --max-time 10 --max-filesize 1000 --no-buffer --silent ident.me)
                else
                    msg="$(date +%F"|"%R:%S) -- ERROR:: Unable to determine internet IP address."
                    echo "$msg" >> $logfile
                    if [[ $health -ge 3 ]]; then 
                        slacksend "$msg"
                    fi
                fi
            fi
        fi
    fi
}

function compareip {
    checkip
    if [ -z $ipaddr ] || [ $dyndnsip = $ipaddr ]; then
        msg="$(date +%F"|"%R:%S) -- ERROR:: VPN is down!!"
        echo "$msg" >> $logfile
        if [[ $health -ge 3 ]]; then
                slacksend "$msg"
        fi
        trap exit 1 SIGINT
        sleep 2
        msg="$(date +%F"|"%R:%S) -- Restarting VPN..."
        echo "$msg" >> $logfile
        if [[ $health -ge 3 ]]; then
                slacksend "$msg"
        fi
        systemctl restart vpn.service
        sleep 10
        limit=10
        ((health++))
        compareip
    else
        if [[ $limit -eq 10 ]]; then
                msg="$(date +%F"|"%R:%S) -- VPN appears up.  VPN IP: $ipaddr is not equal to dyndns IP: $dyndnsip"
                echo "$msg" >> $logfile
                unset limit
                if [[ $health -ge 3 ]]; then
                        slacksend "$msg"
                fi
        else
                ((limit++))
        fi
        trap exit 1 SIGINT
        sleep 10
        unset ipaddr health
        compareip
    fi
}

compareip
~$ sudo touch /etc/systemd/system/vpnmanager.service
~$ sudo chown root:root /etc/systemd/system/vpnmanager.service
~$ sudo chmod 750 /etc/systemd/system/vpnmanager.service
~$ sudo vim /etc/systemd/system/vpnmanager.service
[Unit]
Description=VPN Manager

[Service]
Type=simple
ExecStart=/opt/vpn/vpnmanager.sh
User=root

[Install]
WantedBy=multi-user.target 
~$ sudo systemctl daemon-reload
~$ sudo systemctl start vpnmanager.service
Personal tools
Namespaces

Variants
Actions
Navigation
Mediawiki
Confluence
DevOps Tools
Ubuntu
Oracle Linux
AWS
Windows
OpenVPN
Grafana
OwnCloud
Pivotal
osTicket
OTRS
phpBB
WordPress
VmWare ESXI 5.1
Crypto currencies
HTML
CSS
Python
Java Script
PHP
Raspberry Pi
Canvas LMS
Kaltura Media Server
Plex Media Server
MetaSploit
Zoneminder
Photoshop CS2
Fortinet
Uploaded
Certifications
General Info
Games
Meal Plans
NC Statutes
2020 Election
Volkswagen
Toolbox