|
|
@@ -1,9 +1,9 @@
|
|
|
/*
|
|
|
* =====================================================================================
|
|
|
- * PROXY VPN DUAL (TCP + TLS) - ULTIMATE BARE-METAL EDITION V9
|
|
|
- * Correcciones:
|
|
|
- * 1. Bugfix de OpenSSL Internal Buffer (SSL_pending) para NetMod.
|
|
|
- * 2. Anti-Flood calibrado para evitar auto-baneos por hilos múltiples de VPN.
|
|
|
+ * PROXY VPN DUAL (TCP + TLS) - ULTIMATE BARE-METAL EDITION V10
|
|
|
+ * Correcciones Finales:
|
|
|
+ * 1. Anti-Flood reprogramado: Reseteo por segundo para permitir Navegadores/VPNs.
|
|
|
+ * 2. SSL_pending afinado para conexiones SSH directas.
|
|
|
* Compilación: gcc -O3 -o proxy_dual proxy_dual.c -lssl -lcrypto -lpthread
|
|
|
* =====================================================================================
|
|
|
*/
|
|
|
@@ -32,11 +32,10 @@
|
|
|
#define CERT_FILE "/root/cert.pem"
|
|
|
#define KEY_FILE "/root/key.pem"
|
|
|
|
|
|
-// --- CONFIGURACIÓN DE SEGURIDAD (ANTI-FLOOD & BAN) ---
|
|
|
+// --- SEGURIDAD ANTI-FLOOD (Afiliado a la perfección) ---
|
|
|
#define MAX_TRACKED_IPS 200
|
|
|
-#define AUTO_BAN_STRIKES 15 // Aumentado a 15 para soportar los hilos de NetMod
|
|
|
-#define BAN_TIME 3600 // 1 Hora
|
|
|
-#define COOLDOWN_SEC 1 // Ventana de 1 segundo
|
|
|
+#define AUTO_BAN_STRIKES 20 // 20 conexiones permitidas POR SEGUNDO
|
|
|
+#define BAN_TIME 3600 // Castigo de 1 hora
|
|
|
|
|
|
typedef struct {
|
|
|
char ip[INET6_ADDRSTRLEN];
|
|
|
@@ -52,7 +51,6 @@ pthread_mutex_t ip_db_mutex = PTHREAD_MUTEX_INITIALIZER;
|
|
|
const char *FAKE_WEB_TCP = "HTTP/1.1 400 Bad Request\r\nServer: nginx/1.24.0\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<html><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.24.0</center></body></html>\r\n";
|
|
|
const char *FAKE_WEB_TLS = "HTTP/1.1 400 OK\r\nServer: nginx/1.21.0\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<html><body><center><h1>400 Bad Request</h1></center></body></html>\r\n";
|
|
|
|
|
|
-// --- MENSAJES ROTATIVOS ---
|
|
|
const char *MENSAJES[] = {"🚀 CONEXION ESTABLECIDA", "🛡️ CIFRADO MILITAR ACTIVO", "🔋 MODO SIGILO SSL OK", "Pfsense", "OPNsense", "VyOS", "Claro", "Google", "TNSR", "🌐 BYPASS OK"};
|
|
|
#define NUM_MENSAJES (sizeof(MENSAJES) / sizeof(MENSAJES[0]))
|
|
|
int mensaje_idx = 0;
|
|
|
@@ -69,7 +67,7 @@ typedef struct {
|
|
|
SSL_CTX *ssl_ctx;
|
|
|
} client_data_t;
|
|
|
|
|
|
-// --- FUNCIONES DE SOPORTE ---
|
|
|
+// --- REGISTRO LOG ---
|
|
|
void write_log(const char *ip, const char *proto, const char *msg) {
|
|
|
pthread_mutex_lock(&log_mutex);
|
|
|
FILE *f = fopen(LOG_FILE, "a");
|
|
|
@@ -85,7 +83,7 @@ void write_log(const char *ip, const char *proto, const char *msg) {
|
|
|
pthread_mutex_unlock(&log_mutex);
|
|
|
}
|
|
|
|
|
|
-// --- MOTOR DE SEGURIDAD ---
|
|
|
+// --- NUEVO MOTOR ANTI-FLOOD (Tolerante a Navegadores) ---
|
|
|
int check_and_update_ip(const char *ip) {
|
|
|
pthread_mutex_lock(&ip_db_mutex);
|
|
|
time_t now = time(NULL);
|
|
|
@@ -98,18 +96,17 @@ int check_and_update_ip(const char *ip) {
|
|
|
found = 1;
|
|
|
if (ip_database[i].ban_until > now) {
|
|
|
pthread_mutex_unlock(&ip_db_mutex);
|
|
|
- return 0; // Sigue baneado
|
|
|
+ return 0; // Baneado
|
|
|
}
|
|
|
- if (now - ip_database[i].last_connect <= COOLDOWN_SEC) {
|
|
|
+ if (now == ip_database[i].last_connect) {
|
|
|
ip_database[i].strikes++;
|
|
|
- ip_database[i].last_connect = now;
|
|
|
- if (ip_database[i].strikes >= AUTO_BAN_STRIKES) {
|
|
|
+ if (ip_database[i].strikes > AUTO_BAN_STRIKES) {
|
|
|
ip_database[i].ban_until = now + BAN_TIME;
|
|
|
pthread_mutex_unlock(&ip_db_mutex);
|
|
|
- return -1; // Acaba de ser baneado
|
|
|
+ return -1; // Nuevo Ban
|
|
|
}
|
|
|
} else {
|
|
|
- ip_database[i].strikes = 1;
|
|
|
+ ip_database[i].strikes = 1; // Un segundo nuevo, reseteamos el contador
|
|
|
ip_database[i].last_connect = now;
|
|
|
}
|
|
|
break;
|
|
|
@@ -170,17 +167,12 @@ void *connection_handler(void *arg) {
|
|
|
|
|
|
const char *proto_name = is_tls ? "TLS" : "TCP";
|
|
|
|
|
|
- // --- FILTRO DE SEGURIDAD ---
|
|
|
int sec_status = check_and_update_ip(client_ip);
|
|
|
if (sec_status == 0) {
|
|
|
- close(client_sock);
|
|
|
- pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex);
|
|
|
- pthread_exit(NULL);
|
|
|
+ close(client_sock); pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex); pthread_exit(NULL);
|
|
|
} else if (sec_status == -1) {
|
|
|
- write_log(client_ip, proto_name, "⛔ IP Baneada (Flood/Spam detectado)");
|
|
|
- close(client_sock);
|
|
|
- pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex);
|
|
|
- pthread_exit(NULL);
|
|
|
+ write_log(client_ip, proto_name, "⛔ IP Baneada (Flood de >20 req/s)");
|
|
|
+ close(client_sock); pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex); pthread_exit(NULL);
|
|
|
}
|
|
|
|
|
|
SSL *ssl = NULL;
|
|
|
@@ -194,17 +186,12 @@ void *connection_handler(void *arg) {
|
|
|
}
|
|
|
}
|
|
|
|
|
|
- // =========================================================================
|
|
|
- // BUGFIX: REVISAR LA MEMORIA INTERNA DE OPENSSL ANTES DE ESPERAR EN EL CABLE
|
|
|
- // =========================================================================
|
|
|
fd_set init_fds; FD_ZERO(&init_fds); FD_SET(client_sock, &init_fds);
|
|
|
struct timeval init_tv = {3, 0};
|
|
|
char buffer[BUFLEN];
|
|
|
int bytes_read = 0;
|
|
|
|
|
|
int ssl_has_data = is_tls ? SSL_pending(ssl) : 0;
|
|
|
-
|
|
|
- // Si SSL ya secuestró el paquete, lo leemos de inmediato. Si no, esperamos 3 seg.
|
|
|
if (ssl_has_data > 0 || select(client_sock + 1, &init_fds, NULL, NULL, &init_tv) > 0) {
|
|
|
if (is_tls) bytes_read = SSL_read(ssl, buffer, sizeof(buffer)-1);
|
|
|
else bytes_read = recv(client_sock, buffer, sizeof(buffer)-1, 0);
|
|
|
@@ -226,12 +213,11 @@ void *connection_handler(void *arg) {
|
|
|
if (strncmp(buffer, "SSH-", 4) == 0) {
|
|
|
send(target_sock, buffer, bytes_read, 0);
|
|
|
} else if (strstr(buffer, "HTTP/") != NULL && strstr(buffer, "Upgrade: websocket") == NULL) {
|
|
|
- write_log(client_ip, proto_name, "🕵️ Escáner detectado. Fake Web (400 OK).");
|
|
|
+ write_log(client_ip, proto_name, "🕵️ Escáner detectado. Fake Web OK.");
|
|
|
if (is_tls) SSL_write(ssl, FAKE_WEB_TLS, strlen(FAKE_WEB_TLS));
|
|
|
else send(client_sock, FAKE_WEB_TCP, strlen(FAKE_WEB_TCP), 0);
|
|
|
goto cleanup;
|
|
|
} else {
|
|
|
- // --- ENCABEZADOS EXTENDIDOS RECUPERADOS ---
|
|
|
pthread_mutex_lock(&msg_mutex);
|
|
|
const char *status_msg = MENSAJES[mensaje_idx];
|
|
|
mensaje_idx = (mensaje_idx + 1) % NUM_MENSAJES;
|
|
|
@@ -251,8 +237,6 @@ void *connection_handler(void *arg) {
|
|
|
|
|
|
if (is_tls) SSL_write(ssl, response, strlen(response));
|
|
|
else send(client_sock, response, strlen(response), 0);
|
|
|
-
|
|
|
- write_log(client_ip, proto_name, "✅ Túnel Inyectado OK");
|
|
|
}
|
|
|
} else {
|
|
|
struct sockaddr_in t_addr;
|
|
|
@@ -261,7 +245,6 @@ void *connection_handler(void *arg) {
|
|
|
t_addr.sin_port = htons(SSH_PORT);
|
|
|
inet_pton(AF_INET, SSH_HOST, &t_addr.sin_addr);
|
|
|
if (connect(target_sock, (struct sockaddr *)&t_addr, sizeof(t_addr)) != 0) goto cleanup;
|
|
|
- write_log(client_ip, proto_name, "✅ Túnel Modo Silencioso");
|
|
|
}
|
|
|
|
|
|
int max_fd = (client_sock > target_sock) ? client_sock : target_sock;
|
|
|
@@ -302,18 +285,17 @@ int main(int argc, char **argv) {
|
|
|
int port_tcp = DEFAULT_PORT_TCP, port_tls = DEFAULT_PORT_TLS;
|
|
|
if (argc >= 3) { port_tcp = atoi(argv[1]); port_tls = atoi(argv[2]); }
|
|
|
|
|
|
- // Limpiar base de datos de IPs al inicio
|
|
|
memset(ip_database, 0, sizeof(ip_database));
|
|
|
-
|
|
|
signal(SIGPIPE, SIG_IGN);
|
|
|
+
|
|
|
SSL_CTX *ctx = create_ssl_context();
|
|
|
int server_tcp = create_server_socket(port_tcp);
|
|
|
int server_tls = create_server_socket(port_tls);
|
|
|
|
|
|
if (server_tcp < 0 || server_tls < 0) exit(1);
|
|
|
|
|
|
- write_log(NULL, "SISTEMA", "🚀 PROXY DUAL BARE-METAL INICIADO (Ultimate Edition V9)");
|
|
|
- write_log(NULL, "SISTEMA", "🛡️ Módulos cargados: Anti-Flood (15/s), Auto-Ban, SSL_pending Fix, Full Headers");
|
|
|
+ write_log(NULL, "SISTEMA", "🚀 PROXY DUAL BARE-METAL INICIADO (Ultimate V10)");
|
|
|
+ write_log(NULL, "SISTEMA", "🛡️ Módulos: Anti-Flood Tolerante, IPv4/IPv6, Multi-hilo, Headers OK");
|
|
|
|
|
|
int max_server_fd = (server_tcp > server_tls) ? server_tcp : server_tls;
|
|
|
|
