chhans · February 16, 2023 08:30
diff --git a/deploy-vm.sh b/deploy-vm.sh
 #!/bin/bash

 if [ $# -ne 3 ]; then
 	echo "No argument supplied. Usage: $0 <name_to_take_over> <zone> <subscription>"
 	exit
 fi


 if [ -f "$HOME/.ssh/id_rsa.pub" ]; then
 	SSH_KEY="$HOME/.ssh/id_rsa.pub"
 else
 	echo "RSA SSH key not found in $HOME/.ssh"
 	exit -1
 fi

 # Create a resource group
 az group create --name $1 --location $2 --subscription $3

 # # Create a small VM
 az vm create \
 	--resource-group $1 \
 	--name $1 \
 	--subscription $3 \
 	--image UbuntuLTS \
 	--size Standard_B1ls \
 	--admin-username binsec \
 	--ssh-key-value $SSH_KEY

 # # Update DNS 
 az network public-ip update -g $1 -n "$1PublicIP" --dns-name $1 --subscription $3

 # # Open up firewall for 80 and 443 from anywhere
 az network nsg rule create -g "$1" --nsg-name "$1NSG" -n AllowAllInternetTraffic \
 	--priority 500 --source-address-prefixes Internet --destination-port-ranges "*" \
 	--access Allow --protocol "*" --description "Allow Internet Traffic" --subscription $3

 # Do various post-deploy setup
 # Install and start Nginx server
 az vm run-command invoke --command-id RunShellScript -g $1 -n $1 --script @post-deploy.sh --parameters "$1 $2"
diff --git a/post-deploy.sh b/post-deploy.sh
 #!/bin/bash

 # Install Nginx
 apt update -y -q && apt install nginx -y -q

 # Nginx Config
 cat << 'EOF' > /etc/nginx/nginx.conf
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;

 events {
 	worker_connections 768;
 }

 http {
 	##
 	# Basic Settings
 	##

 	# Rate limit 5 request per minute
 	limit_req_zone $server_name zone=perserver:1m rate=5r/m;

 	# Needed for certbot to work
 	server_names_hash_bucket_size 128;

 	# Block requests that does not have a Host header with letters
 	server {
 		listen 80;
 		server_name "(!?[a-zA-Z])"
 					"*.ipip.net"
 					"*.sogou.com";
 		return 444;
 	}

 	server {

 		listen       80 default_server;

 		location = /robots.txt {
 			add_header Content-Type text/plain;
 			return 200 "User-agent: *\nDisallow: /\n";
 		}

 		location / {
 			if ($host !~ "[a-zA-Z]+" ) {
 				return 444;
 			}

 			if ($server_protocol ~* "HTTP/1.0") {
 				return 444;
 			}

 			if ($http_user_agent ~* "Azure Traffic Manager Endpoint Monitor") {
 				return 200;
 			}

 			set $allow_origin '*';

 			if ($http_origin) {
 				set $allow_origin $http_origin;
 			}

 			if ($request_method = 'OPTIONS') {
 				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
 				add_header 'Access-Control-Max-Age' 1728000;
 				add_header 'Content-Type' 'text/plain; charset=utf-8';
 				add_header 'Content-Length' 0;
 				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, PATCH, DELETE';
 				add_header 'Access-Control-Allow-Credentials' 'true';
 				add_header 'Access-Control-Allow-Origin' $allow_origin;
 				return 204;
 			}

 			limit_req zone=perserver;

 			rewrite /(.*) /ping?id=$1  break;
 			proxy_pass https://<your-callback-server>;
 			proxy_set_header Host <your-callback-server>;
 			proxy_ssl_server_name on;
 			proxy_ssl_name <your-callback-server>;
 			proxy_set_header X-Real-IP $remote_addr;
 			proxy_set_header X-Original-Request $request;
 			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 			proxy_set_header X-Original-Host $host;
 		}
 	}

 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
 	keepalive_timeout 65;
 	types_hash_max_size 2048;
 	server_tokens off;

 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;

 	##
 	# SSL Settings
 	##

 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
 	ssl_prefer_server_ciphers on;

 	##
 	# Logging Settings
 	##
 	access_log /var/log/nginx/access.log;
 	error_log /var/log/nginx/error.log;

 	##
 	# Gzip Settings
 	##
 	gzip on;

 	##
 	# Virtual Host Configs
 	##
 	include /etc/nginx/conf.d/*.conf;
 }
 EOF

 # Reload configuration
 /etc/init.d/nginx reload

 # Redirect all ports to our webserver
 # iptables -t nat -A PREROUTING -p tcp --dport 10000:65535 -j REDIRECT --to-ports 80
 iptables -t nat -A PREROUTING -p tcp --dport 500:65535 -j REDIRECT --to-ports 80
 iptables -t nat -A PREROUTING -p tcp --dport 81:442 -j REDIRECT --to-ports 80

 # Block Internet scanners
 # 1. Censys.io
 iptables -A INPUT -s 192.35.168.0/23,162.142.125.0/24,74.120.14.0/24,167.248.133.0/24 -j DROP

 # Annoying scanners
 iptables -A INPUT -s 23.98.148.135 -j DROP

 # Let's encrypt
 snap install core
 snap refresh core
 snap install --classic certbot
 ln -s /snap/bin/certbot /usr/bin/certbot
 certbot --nginx --no-redirect --non-interactive --agree-tos --register-unsafely-without-email -d "$1.$2.cloudapp.azure.com"
	#!/bin/bash

	if [ $# -ne 3 ]; then
	echo "No argument supplied. Usage: $0 <name_to_take_over> <zone> <subscription>"
	exit
	fi


	if [ -f "$HOME/.ssh/id_rsa.pub" ]; then
	SSH_KEY="$HOME/.ssh/id_rsa.pub"
	else
	echo "RSA SSH key not found in $HOME/.ssh"
	exit -1
	fi

	# Create a resource group
	az group create --name $1 --location $2 --subscription $3

	# # Create a small VM
	az vm create \
	--resource-group $1 \
	--name $1 \
	--subscription $3 \
	--image UbuntuLTS \
	--size Standard_B1ls \
	--admin-username binsec \
	--ssh-key-value $SSH_KEY

	# # Update DNS
	az network public-ip update -g $1 -n "$1PublicIP" --dns-name $1 --subscription $3

	# # Open up firewall for 80 and 443 from anywhere
	az network nsg rule create -g "$1" --nsg-name "$1NSG" -n AllowAllInternetTraffic \
	--priority 500 --source-address-prefixes Internet --destination-port-ranges "*" \
	--access Allow --protocol "*" --description "Allow Internet Traffic" --subscription $3

	# Do various post-deploy setup
	# Install and start Nginx server
	az vm run-command invoke --command-id RunShellScript -g $1 -n $1 --script @post-deploy.sh --parameters "$1 $2"
	#!/bin/bash

	# Install Nginx
	apt update -y -q && apt install nginx -y -q

	# Nginx Config
	cat << 'EOF' > /etc/nginx/nginx.conf
	user www-data;
	worker_processes auto;
	pid /run/nginx.pid;
	include /etc/nginx/modules-enabled/*.conf;

	events {
	worker_connections 768;
	}

	http {
	##
	# Basic Settings
	##

	# Rate limit 5 request per minute
	limit_req_zone $server_name zone=perserver:1m rate=5r/m;

	# Needed for certbot to work
	server_names_hash_bucket_size 128;

	# Block requests that does not have a Host header with letters
	server {
	listen 80;
	server_name "(!?[a-zA-Z])"
	"*.ipip.net"
	"*.sogou.com";
	return 444;
	}

	server {

	listen 80 default_server;

	location = /robots.txt {
	add_header Content-Type text/plain;
	return 200 "User-agent: *\nDisallow: /\n";
	}

	location / {
	if ($host !~ "[a-zA-Z]+" ) {
	return 444;
	}

	if ($server_protocol ~* "HTTP/1.0") {
	return 444;
	}

	if ($http_user_agent ~* "Azure Traffic Manager Endpoint Monitor") {
	return 200;
	}

	set $allow_origin '*';

	if ($http_origin) {
	set $allow_origin $http_origin;
	}

	if ($request_method = 'OPTIONS') {
	add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
	add_header 'Access-Control-Max-Age' 1728000;
	add_header 'Content-Type' 'text/plain; charset=utf-8';
	add_header 'Content-Length' 0;
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, PATCH, DELETE';
	add_header 'Access-Control-Allow-Credentials' 'true';
	add_header 'Access-Control-Allow-Origin' $allow_origin;
	return 204;
	}

	limit_req zone=perserver;

	rewrite /(.*) /ping?id=$1 break;
	proxy_pass https://<your-callback-server>;
	proxy_set_header Host <your-callback-server>;
	proxy_ssl_server_name on;
	proxy_ssl_name <your-callback-server>;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Original-Request $request;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Original-Host $host;
	}
	}

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	server_tokens off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##
	gzip on;

	##
	# Virtual Host Configs
	##
	include /etc/nginx/conf.d/*.conf;
	}
	EOF

	# Reload configuration
	/etc/init.d/nginx reload

	# Redirect all ports to our webserver
	# iptables -t nat -A PREROUTING -p tcp --dport 10000:65535 -j REDIRECT --to-ports 80
	iptables -t nat -A PREROUTING -p tcp --dport 500:65535 -j REDIRECT --to-ports 80
	iptables -t nat -A PREROUTING -p tcp --dport 81:442 -j REDIRECT --to-ports 80

	# Block Internet scanners
	# 1. Censys.io
	iptables -A INPUT -s 192.35.168.0/23,162.142.125.0/24,74.120.14.0/24,167.248.133.0/24 -j DROP

	# Annoying scanners
	iptables -A INPUT -s 23.98.148.135 -j DROP

	# Let's encrypt
	snap install core
	snap refresh core
	snap install --classic certbot
	ln -s /snap/bin/certbot /usr/bin/certbot
	certbot --nginx --no-redirect --non-interactive --agree-tos --register-unsafely-without-email -d "$1.$2.cloudapp.azure.com"