put ssh detection on full auto

This commit is contained in:
AJ ONeal 2018-06-01 02:45:38 -06:00
parent e85bd78905
commit 33063d3efe
2 changed files with 39 additions and 17 deletions

View File

@ -1,6 +1,7 @@
agree_tos: true # agree to the Telebit, Greenlock, and Let's Encrypt TOSes agree_tos: true # agree to the Telebit, Greenlock, and Let's Encrypt TOSes
community_member: true # receive infrequent relevant updates community_member: true # receive infrequent relevant updates
telemetry: true # contribute to project telemetric data telemetry: true # contribute to project telemetric data
ssh_auto: 22 # forward ssh-looking packets, from any connection, to port 22
remote_options: remote_options:
https_redirect: true # redirect http to https remotely (default) https_redirect: true # redirect http to https remotely (default)
local_ports: # ports to forward local_ports: # ports to forward

View File

@ -56,6 +56,16 @@ module.exports.assign = function (state, tun, cb) {
console.log('first message from', tun); console.log('first message from', tun);
var net = state.net || require('net'); var net = state.net || require('net');
function trySsh(tun, cb) {
// https://security.stackexchange.com/questions/43231/plausibly-deniable-ssh-does-it-make-sense?rq=1
// https://tools.ietf.org/html/rfc4253#section-4.2
if (false === state.config.ssh_auto || 'SSH-2.0-' !== tun.data.slice(0, 8).toString()) {
cb(null, false);
return;
}
cb(null, getNetConn(state.config.sshPort || 22));
}
var handlers = {}; var handlers = {};
handlers.http = function (socket) { handlers.http = function (socket) {
if (!state.greenlock) { if (!state.greenlock) {
@ -201,12 +211,31 @@ module.exports.assign = function (state, tun, cb) {
//console.log('[hit tls server]', tlsSocket.remoteFamily, tlsSocket.remoteAddress, tlsSocket.remotePort, tlsSocket.localPort); //console.log('[hit tls server]', tlsSocket.remoteFamily, tlsSocket.remoteAddress, tlsSocket.remotePort, tlsSocket.localPort);
//console.log(addr); //console.log(addr);
var conf = state.config.servernames[tlsSocket.servername]; var conf = state.config.servernames[tlsSocket.servername];
tlsSocket.once('data', function (firstChunk) {
tlsSocket.pause();
//tlsSocket.unshift(firstChunk);
tlsSocket._handle.onread(firstChunk.length, firstChunk);
trySsh({ data: firstChunk }, function (err, conn) {
process.nextTick(function () { tlsSocket.resume(); });
if (conn) {
conn.pipe(tlsSocket);
tlsSocket.pipe(conn);
return;
}
if (!conf || !conf.handler) { if (!conf || !conf.handler) {
console.log('https default handler');
handlers.https(tlsSocket); handlers.https(tlsSocket);
return; return;
} }
console.log('https invokeHandler');
invokeHandler(conf, tlsSocket, tun, id); invokeHandler(conf, tlsSocket, tun, id);
}); });
});
});
} }
//console.log('[hit tcp connection]', other.remoteFamily, other.remoteAddress, other.remotePort, other.localPort); //console.log('[hit tcp connection]', other.remoteFamily, other.remoteAddress, other.remotePort, other.localPort);
@ -284,19 +313,11 @@ module.exports.assign = function (state, tun, cb) {
return; return;
} }
function trySsh(tun) {
// https://security.stackexchange.com/questions/43231/plausibly-deniable-ssh-does-it-make-sense?rq=1
// https://tools.ietf.org/html/rfc4253#section-4.2
if ('SSH-2.0-' !== tun.data.slice(0, 8).toString()) {
return false;
}
cb(null, getNetConn(state.config.sshPort || 22));
return true;
}
if ('tcp' === tun.service) { if ('tcp' === tun.service) {
if (trySsh(tun)) { return; } trySsh(tun, function (err, conn) {
if (conn) { cb(null, conn); return; }
cb(new Error("No TCP handler")); cb(new Error("No TCP handler"));
});
} }
console.warn("Unknown service '" + tun.service + "'"); console.warn("Unknown service '" + tun.service + "'");