Create Azure VM rerouting traffic
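#!/bin/bash
# Provision a small Azure VM, give its public IP the DNS label <name>
# (<name>.<zone>.cloudapp.azure.com), open it to the Internet and run
# post-deploy.sh on it through `az vm run-command`.
#
# Usage: $0 <name_to_take_over> <zone> <subscription>
#   $1  used as resource group name, VM name and public-IP DNS label
#   $2  Azure location (the <zone> part of the cloudapp hostname)
#   $3  Azure subscription id or name
# Requires an authenticated Azure CLI (`az`) and $HOME/.ssh/id_rsa.pub.
# Exit status: 2 on bad usage, 1 when the SSH public key is missing,
# otherwise the status of the first failing `az` command (set -e), so a
# failed resource-group or VM creation no longer lets the later steps run.
set -euo pipefail

if [[ $# -ne 3 ]]; then
  printf 'Expected 3 arguments. Usage: %s <name_to_take_over> <zone> <subscription>\n' "$0" >&2
  exit 2
fi

readonly name=$1
readonly location=$2
readonly subscription=$3

# Only the public half of the key is uploaded. Checking it first turns a
# missing key into a clear message instead of an opaque `az vm create` error.
ssh_key="$HOME/.ssh/id_rsa.pub"
if [[ ! -f "$ssh_key" ]]; then
  printf 'RSA SSH key not found in %s/.ssh\n' "$HOME" >&2
  exit 1
fi
readonly ssh_key

# One resource group per label, so everything below is torn down together.
az group create --name "$name" --location "$location" --subscription "$subscription"

# Smallest B-series size; the admin user is the one ssh/run-command use later.
az vm create \
  --resource-group "$name" \
  --name "$name" \
  --subscription "$subscription" \
  --image UbuntuLTS \
  --size Standard_B1ls \
  --admin-username binsec \
  --ssh-key-value "$ssh_key"

# Attach the DNS label to the public IP that `az vm create` named <vm>PublicIP.
# This is the step that re-registers a released <label>.<region>.cloudapp.azure.com
# name; a CNAME still pointing at such a label is the exposure defenders should
# remove together with the resource.
az network public-ip update -g "$name" -n "${name}PublicIP" --dns-name "$name" \
  --subscription "$subscription"

# NSG rule: every destination port and protocol from the Internet, not only
# 80/443 — post-deploy.sh's iptables redirects rely on the wider range.
az network nsg rule create -g "$name" --nsg-name "${name}NSG" -n AllowAllInternetTraffic \
  --priority 500 --source-address-prefixes Internet --destination-port-ranges "*" \
  --access Allow --protocol "*" --description "Allow Internet Traffic" \
  --subscription "$subscription"

# Run post-deploy.sh on the VM (nginx, iptables, certbot). Both values are
# handed over as one space-separated parameter, as in the original; whether
# run-command splits it into $1/$2 on the VM is not verified here — TODO confirm.
az vm run-command invoke --command-id RunShellScript -g "$name" -n "$name" \
  --script @post-deploy.sh --parameters "$name $location"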
#!/bin/bash
# post-deploy.sh — executed on the VM as root via `az vm run-command`.
#   $1  DNS label of the VM, $2  Azure zone/location; they are only used to
#   build the certbot hostname "$1.$2.cloudapp.azure.com" at the end.
# There is no `set -e`: a failing step does not stop the following ones.
# Install Nginx
apt update -y -q && apt install nginx -y -q
# Nginx Config
# The whole /etc/nginx/nginx.conf is overwritten. The delimiter is quoted
# ('EOF'), so $host, $http_origin, $1 etc. below are nginx variables, not
# shell expansions. The config proxies every request to <your-callback-server>
# (a placeholder to fill in before running), rate-limited to 5 r/m per
# server_name, and answers 444 (connection closed) to hosts without letters,
# HTTP/1.0 clients and the listed server_name patterns. ssl_protocols still
# lists TLSv1 and TLSv1.1, which are deprecated; kept byte-identical here.
cat << 'EOF' > /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
##
# Basic Settings
##
# Rate limit 5 request per minute
limit_req_zone $server_name zone=perserver:1m rate=5r/m;
# Needed for certbot to work
server_names_hash_bucket_size 128;
# Block requests that does not have a Host header with letters
server {
listen 80;
server_name "(!?[a-zA-Z])"
"*.ipip.net"
"*.sogou.com";
return 444;
}
server {
listen 80 default_server;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
location / {
if ($host !~ "[a-zA-Z]+" ) {
return 444;
}
if ($server_protocol ~* "HTTP/1.0") {
return 444;
}
if ($http_user_agent ~* "Azure Traffic Manager Endpoint Monitor") {
return 200;
}
set $allow_origin '*';
if ($http_origin) {
set $allow_origin $http_origin;
}
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, PATCH, DELETE';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Origin' $allow_origin;
return 204;
}
limit_req zone=perserver;
rewrite /(.*) /ping?id=$1 break;
proxy_pass https://<your-callback-server>;
proxy_set_header Host <your-callback-server>;
proxy_ssl_server_name on;
proxy_ssl_name <your-callback-server>;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-Request $request;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Original-Host $host;
}
}
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
}
EOF
# Reload configuration
# reload, not restart: presumably nginx is already running after the package
# install — confirm on the image in use.
/etc/init.d/nginx reload
# Redirect all ports to our webserver
# NAT redirect of tcp 81-442 and 500-65535 to nginx on port 80, so any port
# probe reaches the same vhost; 1-80 and 443-499 are left untouched (443 is
# what certbot/TLS use). Nothing here persists these rules across a reboot.
# iptables -t nat -A PREROUTING -p tcp --dport 10000:65535 -j REDIRECT --to-ports 80
iptables -t nat -A PREROUTING -p tcp --dport 500:65535 -j REDIRECT --to-ports 80
iptables -t nat -A PREROUTING -p tcp --dport 81:442 -j REDIRECT --to-ports 80
# Block Internet scanners
# Inbound from the listed source ranges is dropped before it reaches nginx,
# so those probes never show up in the access log either.
# 1. Censys.io
iptables -A INPUT -s 192.35.168.0/23,162.142.125.0/24,74.120.14.0/24,167.248.133.0/24 -j DROP
# Annoying scanners
iptables -A INPUT -s 23.98.148.135 -j DROP
# Let's encrypt
# certbot via snap; `ln -s` has no -f, so a re-run errors on this line (and
# continues, since the script has no set -e).
snap install core
snap refresh core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
# Non-interactive certificate for the cloudapp hostname, no contact e-mail
# registered, and --no-redirect keeps plain HTTP (the iptables targets) working.
certbot --nginx --no-redirect --non-interactive --agree-tos --register-unsafely-without-email -d "$1.$2.cloudapp.azure.com"