From d4970cdeae054a4059681f31f683a0cb7abf3d93 Mon Sep 17 00:00:00 2001 From: Tobias Dam Date: Thu, 25 Oct 2018 15:17:37 +0200 Subject: [PATCH 1/9] set Router flag, for preserving router functions --- roles/arp/files/apate/lib/daemon_app.py | 4 ++-- roles/arp/files/apate/lib/daemon_process.py | 19 +++++++------------ roles/arp/files/apate/lib/misc_thread.py | 1 + roles/arp/files/apate/lib/sniff_thread.py | 6 +++--- 4 files changed, 13 insertions(+), 17 deletions(-) diff --git a/roles/arp/files/apate/lib/daemon_app.py b/roles/arp/files/apate/lib/daemon_app.py index 80898d51..2e9dc283 100644 --- a/roles/arp/files/apate/lib/daemon_app.py +++ b/roles/arp/files/apate/lib/daemon_app.py @@ -255,7 +255,7 @@ def __init__(self, logger, interface, pidfile, stdout, stderr, dns_file): def exit(self, signal_number, stack_frame): """This method is called from the python-daemon when the daemon is stopping. - Threads are stopped and clients are despoofed via _return_to_normal(). + Processes are stopped and clients are despoofed via the processes _return_to_normal(). """ if self.processv4: self.processv4.shutdown() @@ -282,7 +282,7 @@ def run(self): # a child-process object has to be created in the same parent process as the process that wants to start the child # __init__ is called inside the initial process, whereas run() is called inside the newly created deamon process - # therefore create the process here + # therefore create the processes here if self.ipv4: self.processv4 = SelectiveIPv4Process(self.logger, self.interface, self.ipv4) self.processv4.start() diff --git a/roles/arp/files/apate/lib/daemon_process.py b/roles/arp/files/apate/lib/daemon_process.py index ef2a69c0..211c4cd6 100644 --- a/roles/arp/files/apate/lib/daemon_process.py +++ b/roles/arp/files/apate/lib/daemon_process.py 
@@ -148,10 +148,7 @@ def __init__(self, logger, interface, ipv6): Args: logger (logging.Logger): Used for logging messages. interface (str): The network interface which should be used. (e.g. eth0) - pidfile (str): Path of the pidfile, used by the daemon. - stdout (str): Path of stdout, used by the daemon. - stderr (str): Path of stderr, used by the daemon. - dns_file (str): Path of file containing the nameservers. + ipv6 (collection.namedtuple): collection of network information Raises: DaemonError: Signalises the failure of the daemon. @@ -182,18 +179,16 @@ def __init__(self, logger, interface, ipv6): def _return_to_normal(self): """This method is called when the daemon is stopping. - First, sends a GARP broadcast request to all clients to tell them the real gateway. - Then ARP replies for existing clients are sent to the gateway. - If IPv6 is enabled, Apate tells the clients the real gateway via neighbor advertisements. + Apate tells the clients the real gateway via neighbor advertisements. """ - # spoof clients with GARP broadcast request + # spoof clients with nd advertisements with self.sleeper: # check if the impersonation of the DNS server is necessary tgt = (self.ipv6.gateway, self.ipv6.dns_servers[0]) if util.is_spoof_dns(self.ipv6) else (self.ipv6.gateway,) for source in tgt: sendp(Ether(dst=ETHER_BROADCAST) / IPv6(src=source, dst=MulticastPingDiscoveryThread._MULTICAST_DEST) / - ICMPv6ND_NA(tgt=source, R=0, S=0) / ICMPv6NDOptDstLLAddr(lladdr=self.ipv6.gate_mac)) + ICMPv6ND_NA(tgt=source, R=1, S=0, O=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ipv6.gate_mac)) def shutdown(self): self.exit.set() @@ -228,7 +223,7 @@ def run(self): for source in tgt: packets.extend([Ether(dst=dev[1]) / IPv6(src=source, dst=dev[0]) / - ICMPv6ND_NA(tgt=source, R=0, S=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ipv6.mac) + ICMPv6ND_NA(tgt=source, R=1, S=1, O=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ipv6.mac) for dev in self.ipv6.redis.get_devices_values(filter_values=True)]) sendp(packets) 
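Review bot: The comment `# spoof clients with nd advertisements` above the `with self.sleeper:` block in `_return_to_normal` now says the opposite of what the block does — this is the despoofing path, and the newly added `O=1` is what makes a client replace its spoofed neighbor-cache entry with `gate_mac`; suggest `# despoof: advertise the real gateway (and DNS server) link-layer address with Override set so clients replace the cached entry`. The same `R=0` → `R=1` change is made in the `run()` hunk below, in `spoof_devices` on the next line and in both `_icmpv6_handler` hunks of sniff_thread.py, but `O=1` is spelled out only in the first two; as far as I recall scapy's `ICMPv6ND_NA` already defaults `O` to 1, so behaviour should be identical, yet writing the flag explicitly in every `ICMPv6ND_NA(...)` call (or in none) keeps the flag sets consistent and stops the behaviour depending on a library default that a later patch in this series bumps. The updated docstring could also record why the Router flag matters, e.g. `R=1 keeps the gateway in the hosts' default-router list; an advertisement with R=0 removes it (RFC 4861 §7.2.5).`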
@@ -257,7 +252,7 @@ def spoof_devices(ip, devs, logger): for source in tgt: if not ip.redis.check_device_disabled(util.get_device_mac(entry)): sendp([Ether(dst=dev_hw) / IPv6(src=source, dst=dev_ip) / - ICMPv6ND_NA(tgt=source, R=0, S=1) / ICMPv6NDOptDstLLAddr(lladdr=ip.mac)]) + ICMPv6ND_NA(tgt=source, R=1, S=1) / ICMPv6NDOptDstLLAddr(lladdr=ip.mac)]) else: sendp([Ether(dst=dev_hw) / IPv6(src=source, dst=dev_ip) / - ICMPv6ND_NA(tgt=source, R=0, S=1) / ICMPv6NDOptDstLLAddr(lladdr=ip.gate_mac)]) + ICMPv6ND_NA(tgt=source, R=1, S=1) / ICMPv6NDOptDstLLAddr(lladdr=ip.gate_mac)]) diff --git a/roles/arp/files/apate/lib/misc_thread.py b/roles/arp/files/apate/lib/misc_thread.py index e433d5dd..bfb0ab8a 100644 --- a/roles/arp/files/apate/lib/misc_thread.py +++ b/roles/arp/files/apate/lib/misc_thread.py @@ -122,6 +122,7 @@ class PubSubThread(threading.Thread): __SUBSCRIBE_TO = "__keyevent@{}__:expired" """Used to subscribe to the keyspace event expired.""" __SUBSCRIBE_TOO = "__keyspace@{}__:{}" + """Used to subscribe to the keyspace event creation for a specific key.""" def __init__(self, ip, logger, handler): """Initialises the thread. diff --git a/roles/arp/files/apate/lib/sniff_thread.py b/roles/arp/files/apate/lib/sniff_thread.py index a0aea33b..6462acb6 100644 --- a/roles/arp/files/apate/lib/sniff_thread.py +++ b/roles/arp/files/apate/lib/sniff_thread.py @@ -280,7 +280,7 @@ def _packet_handler(self, pkt): self.logger.exception(e) def _icmpv6_handler(self, pkt): - """"This method is called for each ICMPv6 echo reply packet or multicast listener report packet + """This method is called for each ICMPv6 echo reply packet or multicast listener report packet received through scapy's sniff function. Incoming packets are used to spoof involved devices and add new devices to the redis db. 
@@ -293,7 +293,7 @@ def _icmpv6_handler(self, pkt): # impersonate gateway if not self.ip.redis.check_device_disabled(pkt[Ether].src): sendp( - Ether(dst=pkt[Ether].src) / IPv6(src=self.ip.gateway, dst=pkt[IPv6].src) / ICMPv6ND_NA(tgt=self.ip.gateway, R=0, S=1) / + Ether(dst=pkt[Ether].src) / IPv6(src=self.ip.gateway, dst=pkt[IPv6].src) / ICMPv6ND_NA(tgt=self.ip.gateway, R=1, S=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ip.mac) ) @@ -302,5 +302,5 @@ def _icmpv6_handler(self, pkt): if not self.ip.redis.check_device_disabled(pkt[Ether].src): sendp( Ether(dst=pkt[Ether].src) / IPv6(src=self.ip.dns_servers[0], dst=pkt[IPv6].src) / - ICMPv6ND_NA(tgt=self.ip.dns_servers[0], R=0, S=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ip.mac) + ICMPv6ND_NA(tgt=self.ip.dns_servers[0], R=1, S=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ip.mac) ) From cef725be646196bedfc8d45ce7067bf11c0793f3 Mon Sep 17 00:00:00 2001 From: Markus Donko-Huber Date: Sat, 3 Aug 2019 13:49:07 +0200 Subject: [PATCH 2/9] VPN server certificate renewal fixes #139 --- roles/vpn/tasks/main.yml | 3 +++ roles/vpn/templates/server-cert-renewal.sh | 12 ++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 roles/vpn/templates/server-cert-renewal.sh diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 3be1c08c..ca31d9fc 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -136,6 +136,9 @@ - restart openvpn - restart openvpn-su +- name: deploy Server Certificate renewal cronjob + template: src=server-cert-renewal.sh dest=/etc/cron.weekly/openvpn-server-cert owner=root group=root mode=0755 + - name: deleting unused files file: path={{item}} state=absent with_items: diff --git a/roles/vpn/templates/server-cert-renewal.sh b/roles/vpn/templates/server-cert-renewal.sh new file mode 100644 index 00000000..02977608 --- /dev/null +++ b/roles/vpn/templates/server-cert-renewal.sh 
@@ -0,0 +1,12 @@ +#!/bin/bash + +days=60 + +#Test if certificate expires in the next 60 days +/usr/bin/openssl x509 -checkend $(($days * 24 * 3600)) -in /etc/openvpn/ca/serverCert.pem + +if [ $? -eq 1 ] +then + openssl ca -in /etc/openvpn/ca/serverReq.pem -days 730 -batch -out /etc/openvpn/ca/serverCert.pem -notext -cert /etc/openvpn/ca/caCert.pem -keyfile /etc/openvpn/ca/caKey.pem + service openvpn-su restart +fi From 5a96eb866f1acb7d432dd814ccc74e8dc1ce2eb3 Mon Sep 17 00:00:00 2001 From: Markus Donko-Huber Date: Sun, 11 Aug 2019 20:53:22 +0200 Subject: [PATCH 3/9] Reduce squid cache to improve mem usage --- roles/squid/templates/conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/squid/templates/conf b/roles/squid/templates/conf index 04374f89..718b3931 100644 --- a/roles/squid/templates/conf +++ b/roles/squid/templates/conf @@ -53,7 +53,7 @@ http_port 3128 intercept # cache_peer 127.0.0.1 parent 8118 0 no-query default no-digest no-netdb-exchange cache_peer ::1 parent 8119 0 no-query default no-digest no-netdb-exchange -cache_mem 128 MB +cache_mem 64 MB logformat useragent_short %>eui;|;%>a;|;%"{User-Agent}>h;|;%ts.%tu access_log daemon:{{ default_settings.log.general.path }}/{{ default_settings.log.squid.subdir }}/{{ default_settings.log.squid.logfiles.logname }} useragent_short From b65536f1440be9f06ed651b0cdc32561c09a8ac8 Mon Sep 17 00:00:00 2001 From: Markus Donko-Huber Date: Tue, 27 Aug 2019 21:03:39 +0200 Subject: [PATCH 4/9] logrotate privoxy log file --- roles/privoxy/tasks/main.yml | 4 ++-- roles/privoxy/templates/privoxy-logrotate.j2 | 13 +++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 roles/privoxy/templates/privoxy-logrotate.j2 diff --git a/roles/privoxy/tasks/main.yml b/roles/privoxy/tasks/main.yml index 4f37718d..b6e57a28 100644 --- a/roles/privoxy/tasks/main.yml +++ b/roles/privoxy/tasks/main.yml 
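Review bot: `service openvpn-su restart` in the new `server-cert-renewal.sh` runs whether or not the preceding `openssl ca` succeeded, and the renewal branch is also entered when the `-checkend` call exits 1 for a reason other than imminent expiry (an unreadable or corrupt `serverCert.pem` does that too), so a rejected signing — for instance the CA database refusing the request — can leave an empty or unchanged certificate in place and still bounce the VPN. Signing into a temporary file, replacing the live certificate only on success and restarting only then keeps the service on the old, still valid certificate when renewal fails, and `-noout` on the check stops cron mailing the whole certificate every week. Whether the CA database accepts re-signing the same subject (`unique_subject`) depends on the CA configuration, which is not part of the patch and is worth confirming before the first renewal is due.
```shell
#!/bin/bash
set -u

days=60
ca_dir=/etc/openvpn/ca
cert="$ca_dir/serverCert.pem"

# x509 -checkend exits 0 while the certificate stays valid for the period and
# non-zero when it expires within it or cannot be loaded at all.
if /usr/bin/openssl x509 -checkend $((days * 24 * 3600)) -in "$cert" -noout; then
    exit 0
fi

# Sign into a temporary file so a failed signing never truncates the live
# certificate; restart only once a new certificate is actually in place.
tmp="$(mktemp "$ca_dir/serverCert.XXXXXX")" || exit 1
if openssl ca -in "$ca_dir/serverReq.pem" -days 730 -batch -out "$tmp" -notext \
        -cert "$ca_dir/caCert.pem" -keyfile "$ca_dir/caKey.pem"; then
    chmod --reference="$cert" "$tmp"
    mv -f "$tmp" "$cert"
    service openvpn-su restart
else
    rm -f "$tmp"
    exit 1
fi
```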
@@ -58,5 +58,5 @@ file: path={{other_env.default_settings.log.general.path}}/{{other_env.default_settings.log.privoxy.subdir}} state=absent when: res|changed -- name: modify logrotate.d entry - file: path=/etc/logrotate.d/privoxy state=absent +- name: create logrotate.d entry + template: src=privoxy-logrotate.j2 dest=/etc/logrotate.d/privoxy diff --git a/roles/privoxy/templates/privoxy-logrotate.j2 b/roles/privoxy/templates/privoxy-logrotate.j2 new file mode 100644 index 00000000..3e555568 --- /dev/null +++ b/roles/privoxy/templates/privoxy-logrotate.j2 @@ -0,0 +1,13 @@ +{{default_settings.log.general.path}}/{{default_settings.log.privoxy.subdir}}/{{ default_settings.log.privoxy.logfiles.logname }} +{ + su root tmp-logger + rotate 0 + daily + missingok + notifempty + maxsize 10M + sharedscripts + postrotate + /etc/init.d/privoxy restart > /dev/null + endscript +} \ No newline at end of file From 4eabe4b71f717546cb614d198e1b8420ef00f765 Mon Sep 17 00:00:00 2001 From: Markus Donko-Huber Date: Tue, 27 Aug 2019 21:04:30 +0200 Subject: [PATCH 5/9] Disable swap file --- roles/common/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 5e27b0aa..c74bcd1e 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -21,6 +21,10 @@ file: path=/var/log/log state=directory owner=root group=tmp-logger mode=0771 when: env == "development" +- name: try to disable swapfile + service: name=dphys-swapfile state=stopped enabled=no + ignore_errors: yes + - name: create tmpfs for logging lineinfile: dest: /etc/fstab From d24ea0bb5a0e7ef7a41f43f909118db665ee4da7 Mon Sep 17 00:00:00 2001 From: Markus Donko-Huber Date: Wed, 28 Aug 2019 14:32:29 +0200 Subject: [PATCH 6/9] improvements for rsyslog rotation --- roles/common/templates/logrotate_rsyslog | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
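Review bot: The new `template:` task that writes `/etc/logrotate.d/privoxy` sets no `owner`, `group` or `mode`, unlike the cron-job task in the VPN patch of this series, so the resulting permissions depend on the umask in effect; recent logrotate versions skip configuration files that are group- or world-writable or not owned by root, which would silently leave the privoxy log unrotated. Suggest `template: src=privoxy-logrotate.j2 dest=/etc/logrotate.d/privoxy owner=root group=root mode=0644`. The template in the following hunk also ends without a trailing newline (`\ No newline at end of file`); harmless here, but worth fixing while touching it.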
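Review bot: `ignore_errors: yes` on the new `try to disable swapfile` task swallows every failure of the `service` module, not only the "no such service" case the task name suggests it is meant for, so a genuine failure to stop or disable `dphys-swapfile` on a system that has it never shows up in the play. A narrower form is to guard on the unit's presence — a preceding `stat: path=/etc/init.d/dphys-swapfile` with `register: swapfile_init` and `when: swapfile_init.stat.exists` on this task — or, if `ignore_errors` is kept, to add `register:` and a short `debug:` message so the skipped case is at least visible in the output.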
diff --git a/roles/common/templates/logrotate_rsyslog b/roles/common/templates/logrotate_rsyslog index 42cc35be..9a40e89a 100644 --- a/roles/common/templates/logrotate_rsyslog +++ b/roles/common/templates/logrotate_rsyslog @@ -3,11 +3,12 @@ su root tmp-logger rotate 0 daily - maxsize 10M + maxsize 5M missingok notifempty postrotate - invoke-rc.d rsyslog rotate > /dev/null + service rsyslog rotate > /dev/null + service rsyslog restart > /dev/null endscript } @@ -32,6 +33,7 @@ maxsize 10M sharedscripts postrotate - invoke-rc.d rsyslog rotate > /dev/null + service rsyslog rotate > /dev/null + service rsyslog restart > /dev/null endscript } From 7bfbd680859f9d0480ac193cfe9700e6132ffac5 Mon Sep 17 00:00:00 2001 From: Markus Donko-Huber Date: Wed, 28 Aug 2019 14:49:45 +0200 Subject: [PATCH 7/9] Upgrade scapy due to CVE-2019-1010142 --- roles/arp/files/apate/requirements.txt | 2 +- roles/fingerprinting/files/registrar/requirements.txt | 2 +- roles/upri_config/files/upri-config/requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/arp/files/apate/requirements.txt b/roles/arp/files/apate/requirements.txt index e27c1f78..12f75655 100644 --- a/roles/arp/files/apate/requirements.txt +++ b/roles/arp/files/apate/requirements.txt @@ -3,5 +3,5 @@ netaddr==0.7.19 netifaces==0.10.5 python-daemon==2.1.2 redis==2.10.5 -scapy==2.3.3 +scapy==2.4.3 dnspython==1.15.0 diff --git a/roles/fingerprinting/files/registrar/requirements.txt b/roles/fingerprinting/files/registrar/requirements.txt index 779bfde4..70364564 100644 --- a/roles/fingerprinting/files/registrar/requirements.txt +++ b/roles/fingerprinting/files/registrar/requirements.txt @@ -1,5 +1,5 @@ python-daemon==2.1.2 -scapy==2.3.3 +scapy==2.4.3 netaddr==0.7.19 http-parser==0.8.3 xmltodict==0.11.0 diff --git a/roles/upri_config/files/upri-config/requirements.txt b/roles/upri_config/files/upri-config/requirements.txt index 1b6bc25d..a3a1ae98 100644 
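Review bot: In both hunks `service rsyslog rotate` is now immediately followed by `service rsyslog restart`, which makes the `rotate` call redundant and turns every rotation into a full daemon restart, during which messages logged by the kernel and other services may be lost. In the first stanza (`@@ -3`) no `sharedscripts` directive is visible, so if its file list (outside the hunk) matches more than one log the restart runs once per rotated file. If the restart is really required because `rotate` alone does not reopen the files on this platform, keep only the `restart` line and add `sharedscripts` to the first stanza; otherwise keep only the `rotate` line, and in either case a one-line comment above `postrotate` saying which of the two is the intended behaviour would save the next reader the guess.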
--- a/roles/upri_config/files/upri-config/requirements.txt +++ b/roles/upri_config/files/upri-config/requirements.txt @@ -4,6 +4,6 @@ redis==2.10.5 netifaces==0.10.5 netaddr==0.7.19 argcomplete==1.8.2 -scapy==2.3.3 +scapy==2.4.3 requests[security]==2.20.0 miniupnpc==1.9 From 92fb59357c67460a9de99bcb155edf4435196379 Mon Sep 17 00:00:00 2001 From: Markus Donko-Huber Date: Thu, 29 Aug 2019 08:21:56 +0200 Subject: [PATCH 8/9] Improved Web UI load time --- roles/nginx/templates/sites-available/upri_interface | 9 +++++++-- upribox_interface/www/templates/base.html | 4 ++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/roles/nginx/templates/sites-available/upri_interface b/roles/nginx/templates/sites-available/upri_interface index e0234ec4..05c602a8 100644 --- a/roles/nginx/templates/sites-available/upri_interface +++ b/roles/nginx/templates/sites-available/upri_interface @@ -14,8 +14,8 @@ server { # the port your site will be served on listen 80; listen [::]:80; - listen 4300 ssl; - listen [::]:4300 ssl; + listen 4300 ssl http2; + listen [::]:4300 ssl http2; ssl_certificate /etc/ssl/certs/interfaceCert.pem; ssl_certificate_key /etc/ssl/private/interfaceKey.pem; ssl_protocols TLSv1.2; @@ -33,6 +33,11 @@ server { error_log {{default_settings.log.general.path}}/{{default_settings.log.nginx.logfiles.interface_error}} error; location /static { + gzip on; + gzip_vary on; + gzip_min_length 10240; + gzip_types text/plain text/css text/javascript application/javascript; + gzip_disable "MSIE [1-6]\."; alias /usr/local/static/upribox_interface/; # your Django project's static files - amend as required } diff --git a/upribox_interface/www/templates/base.html b/upribox_interface/www/templates/base.html index b55db409..e4595d0f 100644 --- a/upribox_interface/www/templates/base.html +++ b/upribox_interface/www/templates/base.html @@ -99,7 +99,7 @@
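Review bot: The new `gzip` directives inside `location /static` deserve a one-line comment recording that compression is deliberately limited to static assets, so nobody later hoists the block to the `server` level: dynamic HTML served on the TLS listener carries session-specific content and CSRF tokens, and compressing such responses together with request-influenced input is the precondition for compression-oracle attacks on TLS (BREACH). Suggest `# gzip only for static assets; keep compression off for dynamic, TLS-served responses (BREACH)`. The `listen ... ssl http2` change in the first hunk also requires an nginx build with the http_v2 module (1.9.5 or later), which the patch cannot show for the target distribution; worth confirming on the deployed package.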

- +