|
|
@@ -9,90 +9,121 @@ import itertools
|
|
|
import os
|
|
|
import ssl
|
|
|
|
|
|
-# ==============================================================================
|
|
|
-# CONFIGURACIÓN MAESTRA
|
|
|
-# ==============================================================================
|
|
|
+# --- CONFIGURACIÓN BASE ---
|
|
|
LISTENING_PORT = int(sys.argv[1]) if len(sys.argv) > 1 else 443
|
|
|
SSH_HOST = '127.0.0.1'
|
|
|
-SSH_PORT = 22 # Puerto de Dropbear u OpenSSH
|
|
|
+SSH_PORT = 22
|
|
|
+LOG_FILE = "/root/proxy-ssl.log"
|
|
|
+MAX_LOG_SIZE = 10 * 1024 * 1024
|
|
|
+
|
|
|
+# --- CONFIGURACIÓN SSL/TLS ---
|
|
|
CERT_FILE = "/root/cert.pem"
|
|
|
KEY_FILE = "/root/key.pem"
|
|
|
-LOG_FILE = "/root/proxy-ssl.log"
|
|
|
|
|
|
-# SEGURIDAD
|
|
|
-MAX_CONNECTIONS = 150
|
|
|
+# --- SEGURIDAD ---
|
|
|
+MAX_CONNECTIONS = 200 # Aumentado para mayor capacidad
|
|
|
CONNECTION_COOLDOWN = 0.5
|
|
|
-AUTO_BAN_STRIKES = 3
|
|
|
-BAN_TIME = 3600 # 1 hora
|
|
|
BUFLEN = 16384
|
|
|
-
|
|
|
-# ESTADO GLOBAL
|
|
|
-banned_ips = {}
|
|
|
+AUTO_BAN_STRIKES = 3
|
|
|
+BAN_TIME = 3600
|
|
|
+banned_ips_memory = {}
|
|
|
ip_strikes = {}
|
|
|
-active_connections = 0
|
|
|
-conn_lock = threading.Lock()
|
|
|
|
|
|
-# FAKE WEB (Para evadir detección de ISP/Firewalls)
|
|
|
-FAKE_WEB = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Type: text/html\r\n"
|
|
|
- b"Connection: close\r\n\r\n"
|
|
|
- b"<html><head><title>Welcome</title></head><body>"
|
|
|
- b"<h1>404 Not Found</h1><hr><address>nginx/1.24.0</address></body></html>")
|
|
|
-
|
|
|
-# MENSAJES ROTATIVOS
|
|
|
-MENSAJES = ["🚀 TLS ESTABLECIDO", "🛡️ CIFRADO ACTIVO", "🌐 ACCESO SEGURO"]
|
|
|
+# --- RESPUESTA FAKE WEB (Tus cambios aplicados) ---
|
|
|
+# Usar "400 OK" como técnica de evasión personalizada
|
|
|
+FAKE_WEB_RESPONSE = (
|
|
|
+ b"HTTP/1.1 400 OK\r\n"
|
|
|
+ b"Server: nginx/1.21.0\r\n"
|
|
|
+ b"Content-Type: text/html; charset=UTF-8\r\n"
|
|
|
+ b"Connection: close\r\n\r\n"
|
|
|
+ b"<html><head><title>Error</title></head>"
|
|
|
+ b"<body><center><h1>400 Bad Request</h1></center></body></html>"
|
|
|
+)
|
|
|
+
|
|
|
+# --- CUSTOM HEADERS ---
|
|
|
+CUSTOM_HEADERS = {
|
|
|
+ "Server": "nginx/1.21.0",
|
|
|
+ "X-Proxy-Agent": "Gemini-Ultra-Robust-v6-TLS",
|
|
|
+ "Proxy-Connection": "keep-alive"
|
|
|
+}
|
|
|
+
|
|
|
+MENSAJES = [
|
|
|
+ "🚀 CONEXION TLS ESTABLECIDA",
|
|
|
+ "🛡️ CIFRADO MILITAR ACTIVO",
|
|
|
+ "🔋 MODO SIGILO SSL OK",
|
|
|
+ "Pfsense",
|
|
|
+ "OPNsense",
|
|
|
+ "VyOS",
|
|
|
+ "Claro",
|
|
|
+ "Windows Server",
|
|
|
+ "BSD Free",
|
|
|
+ "VyOS",
|
|
|
+ "Altice",
|
|
|
+ "Viva",
|
|
|
+ "Google",
|
|
|
+ "VyOS",
|
|
|
+ "TNSR",
|
|
|
+ "🌐 BYPASS DE FIREWALL OK"
|
|
|
+]
|
|
|
mensaje_cycle = itertools.cycle(MENSAJES)
|
|
|
cycle_lock = threading.Lock()
|
|
|
|
|
|
-def write_log(msg, addr=None):
|
|
|
+def log(msg, addr=None):
|
|
|
try:
|
|
|
+ if os.path.exists(LOG_FILE) and os.path.getsize(LOG_FILE) > MAX_LOG_SIZE:
|
|
|
+ with open(LOG_FILE, 'w') as f: f.write("--- LOG REINICIADO ---\n")
|
|
|
ts = time.strftime("%Y-%m-%d %H:%M:%S")
|
|
|
ip = f" [{addr[0]}]" if addr else ""
|
|
|
- with open(LOG_FILE, 'a') as f:
|
|
|
- f.write(f"[{ts}]{ip} {msg}\n")
|
|
|
+ entry = f"[{ts}]{ip} {msg}\n"
|
|
|
+ with open(LOG_FILE, 'a') as f: f.write(entry)
|
|
|
+ print(entry.strip())
|
|
|
except: pass
|
|
|
|
|
|
-class TunnelHandler(threading.Thread):
|
|
|
+active_connections = 0
|
|
|
+conn_lock = threading.Lock()
|
|
|
+
|
|
|
+class ConnectionHandler(threading.Thread):
|
|
|
def __init__(self, client, addr):
|
|
|
super().__init__(daemon=True)
|
|
|
self.client = client
|
|
|
self.addr = addr
|
|
|
self.target = None
|
|
|
- self.tx = 0
|
|
|
- self.rx = 0
|
|
|
|
|
|
def run(self):
|
|
|
global active_connections
|
|
|
client_ip = self.addr[0]
|
|
|
|
|
|
try:
|
|
|
- # 1. Verificar si está baneado
|
|
|
- if client_ip in banned_ips:
|
|
|
- if time.time() < banned_ips[client_ip]: return
|
|
|
- else: del banned_ips[client_ip]
|
|
|
+ # Control de baneo
|
|
|
+ if client_ip in banned_ips_memory:
|
|
|
+ if time.time() < banned_ips_memory[client_ip]: return
|
|
|
+ else: del banned_ips_memory[client_ip]
|
|
|
|
|
|
- # 2. Leer petición inicial
|
|
|
- self.client.settimeout(2.5)
|
|
|
+ # Recibir payload
|
|
|
+ self.client.settimeout(3.0)
|
|
|
try:
|
|
|
payload = self.client.recv(BUFLEN)
|
|
|
except: payload = b""
|
|
|
|
|
|
- # 3. Análisis de tráfico
|
|
|
- if b"HTTP/" in payload and b"Upgrade" not in payload:
|
|
|
- self.client.sendall(FAKE_WEB)
|
|
|
+ # Detección de Probing / Escáneres
|
|
|
+ if payload and b"HTTP/" in payload and b"Upgrade" not in payload:
|
|
|
+ self.client.sendall(FAKE_WEB_RESPONSE)
|
|
|
return
|
|
|
|
|
|
- # 4. Conectar a SSH
|
|
|
+ # Conexión al destino
|
|
|
self.target = socket.create_connection((SSH_HOST, SSH_PORT), timeout=5)
|
|
|
|
|
|
if payload:
|
|
|
if payload.startswith(b"SSH-"):
|
|
|
self.target.sendall(payload)
|
|
|
else:
|
|
|
- with cycle_lock: msg = next(mensaje_cycle)
|
|
|
- resp = f"HTTP/1.1 101 {msg}\r\nServer: nginx\r\nUpgrade: websocket\r\n\r\n"
|
|
|
+ with cycle_lock: status = next(mensaje_cycle)
|
|
|
+ resp = f"HTTP/1.1 101 {status}\r\n"
|
|
|
+ for k,v in CUSTOM_HEADERS.items(): resp += f"{k}: {v}\r\n"
|
|
|
+ resp += "Connection: Upgrade\r\nUpgrade: websocket\r\n\r\n"
|
|
|
self.client.sendall(resp.encode())
|
|
|
|
|
|
- # 5. Túnel bidireccional
|
|
|
+ # Túnel
|
|
|
self.client.settimeout(None)
|
|
|
self.target.settimeout(None)
|
|
|
sockets = [self.client, self.target]
|
|
|
@@ -102,21 +133,14 @@ class TunnelHandler(threading.Thread):
|
|
|
for s in r:
|
|
|
data = s.recv(BUFLEN)
|
|
|
if not data: return
|
|
|
- if s is self.client:
|
|
|
- self.target.sendall(data)
|
|
|
- self.tx += len(data)
|
|
|
- else:
|
|
|
- self.client.sendall(data)
|
|
|
- self.rx += len(data)
|
|
|
+ (self.target if s is self.client else self.client).sendall(data)
|
|
|
+
|
|
|
except: pass
|
|
|
finally:
|
|
|
with conn_lock: active_connections -= 1
|
|
|
self.cleanup()
|
|
|
|
|
|
def cleanup(self):
|
|
|
- total = (self.tx + self.rx) / (1024*1024)
|
|
|
- if total > 0.1:
|
|
|
- write_log(f"Cierre de sesión. Tráfico: {total:.2f} MB", self.addr)
|
|
|
for s in [self.client, self.target]:
|
|
|
if s:
|
|
|
try: s.close()
|
|
|
@@ -124,45 +148,42 @@ class TunnelHandler(threading.Thread):
|
|
|
|
|
|
def main():
|
|
|
global active_connections
|
|
|
- context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
|
|
|
+
|
|
|
+ # Preparar SSL
|
|
|
+ context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
|
|
context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE)
|
|
|
|
|
|
- server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
|
+ # Socket Dual-Stack
|
|
|
+ server = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
|
|
|
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
|
|
+ try:
|
|
|
+ server.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
|
|
|
+ except: pass
|
|
|
+
|
|
|
server.bind(('', LISTENING_PORT))
|
|
|
- server.listen(500)
|
|
|
+ server.listen(500) # Tu cambio aplicado: mayor cola de espera
|
|
|
|
|
|
- print(f"🔥 Proxy Ultimate v8 Activo en puerto {LISTENING_PORT}")
|
|
|
+ log(f"=====================================================")
|
|
|
+ log(f"🛡️ VERSION 6 TLS PERSONALIZADA - PUERTO {LISTENING_PORT}")
|
|
|
+ log(f"🔥 BACKLOG: 500 | FAKE-WEB: 400 OK")
|
|
|
+ log(f"=====================================================")
|
|
|
|
|
|
while True:
|
|
|
try:
|
|
|
raw_c, addr = server.accept()
|
|
|
-
|
|
|
- # Control de inundación (Anti-Flood)
|
|
|
- now = time.time()
|
|
|
- last_t = ip_strikes.get(addr[0], {}).get('t', 0)
|
|
|
- if (now - last_t) < CONNECTION_COOLDOWN:
|
|
|
- strikes = ip_strikes.get(addr[0], {}).get('s', 0) + 1
|
|
|
- ip_strikes[addr[0]] = {'t': now, 's': strikes}
|
|
|
- if strikes >= AUTO_BAN_STRIKES:
|
|
|
- banned_ips[addr[0]] = now + BAN_TIME
|
|
|
- write_log("IP Baneada por abuso", addr)
|
|
|
- raw_c.close()
|
|
|
- continue
|
|
|
- ip_strikes[addr[0]] = {'t': now, 's': 0}
|
|
|
-
|
|
|
try:
|
|
|
- client = context.wrap_socket(raw_c, server_side=True)
|
|
|
+ # Envolver en SSL inmediatamente
|
|
|
+ c = context.wrap_socket(raw_c, server_side=True)
|
|
|
with conn_lock:
|
|
|
if active_connections >= MAX_CONNECTIONS:
|
|
|
- client.close()
|
|
|
+ c.close()
|
|
|
continue
|
|
|
active_connections += 1
|
|
|
- TunnelHandler(client, addr).start()
|
|
|
+ ConnectionHandler(c, addr).start()
|
|
|
except:
|
|
|
raw_c.close()
|
|
|
except:
|
|
|
- time.sleep(0.05)
|
|
|
+ time.sleep(0.1)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
main()
|
