feat: 添加 VShell 攻击防御模块，支持 WebSocket 升级请求、版本握手和命令模式检测，更新配置文件示例

Author: Randark-JMT

config.go

@@ -17,11 +17,26 @@ type Config struct {
 
 // GlobalConfig 全局配置
 type GlobalConfig struct {
-	BufferSize   int              `toml:"buffer_size"`
-	LogLevel     string           `toml:"log_level"`
-	LogFile      string           `toml:"log_file"` // 日志文件路径，为空则只输出到控制台
-	GeoIP        GeoIPConfig      `toml:"geoip"`
-	TimeWindow   TimeWindowConfig `toml:"time_window"`
+	BufferSize    int                 `toml:"buffer_size"`
+	LogLevel      string              `toml:"log_level"`
+	LogFile       string              `toml:"log_file"` // 日志文件路径，为空则只输出到控制台
+	GeoIP         GeoIPConfig         `toml:"geoip"`
+	TimeWindow    TimeWindowConfig    `toml:"time_window"`
+	VShellDefense VShellDefenseConfig `toml:"vshell_defense"` // VShell 攻击防御配置
+}
+
+// VShellDefenseConfig VShell 防御配置
+type VShellDefenseConfig struct {
+	Enabled                bool     `toml:"enabled"`                  // 是否启用 VShell 防御
+	BlockWebSocketUpgrade  bool     `toml:"block_websocket_upgrade"`  // 拦截可疑的 WebSocket 升级请求
+	BlockVersionHandshake  bool     `toml:"block_version_handshake"`  // 拦截 VShell 版本握手
+	BlockCommandPatterns   bool     `toml:"block_command_patterns"`   // 拦截 VShell 命令模式
+	BlockEncryptedPayloads bool     `toml:"block_encrypted_payloads"` // 拦截可疑的加密载荷
+	BlockVkeyPatterns      bool     `toml:"block_vkey_patterns"`      // 拦截 Vkey 哈希模式
+	BlockSuspiciousPaths   bool     `toml:"block_suspicious_paths"`   // 拦截可疑路径
+	CustomBlockPaths       []string `toml:"custom_block_paths"`       // 自定义拦截路径
+	BlockedVkeys           []string `toml:"blocked_vkeys"`            // 已知恶意 Vkey 黑名单
+	LogAttempts            bool     `toml:"log_attempts"`             // 记录攻击尝试
 }
 
 // GeoIPConfig GeoIP 配置
@@ -70,13 +85,13 @@ type TCPProcessorConfig struct {
 
 // Processor 处理器规则
 type Processor struct {
-	Path       interface{} `toml:"path"`      // string 或 []string
-	MatchMode  string      `toml:"match_mode"` // prefix (前缀), exact (精确), regex (正则)
-	Action     string      `toml:"action"`     // allow, drop, rewrite, file, proxy
-	Response   string      `toml:"response"`   // 404, 403, 502, close (用于 drop)
-	RewriteTo  string      `toml:"rewrite_to"` // 路径重写目标 (用于 rewrite)
-	File       string      `toml:"file"`       // 文件路径 (用于 file)
-	ProxyTo    string      `toml:"proxy_to"`   // 代理目标 (用于 proxy)
+	Path      interface{} `toml:"path"`       // string 或 []string
+	MatchMode string      `toml:"match_mode"` // prefix (前缀), exact (精确), regex (正则)
+	Action    string      `toml:"action"`     // allow, drop, rewrite, file, proxy
+	Response  string      `toml:"response"`   // 404, 403, 502, close (用于 drop)
+	RewriteTo string      `toml:"rewrite_to"` // 路径重写目标 (用于 rewrite)
+	File      string      `toml:"file"`       // 文件路径 (用于 file)
+	ProxyTo   string      `toml:"proxy_to"`   // 代理目标 (用于 proxy)
 }
 
 // RouteRule 路由规则（兼容旧配置）
@@ -173,11 +188,11 @@ func (c *Config) Validate() error {
 			return fmt.Errorf("listener[%d]: backend_addr is required", i)
 		}
 
-	// 检查协议类型
-	validProtocols := map[string]bool{"tcp": true}
-	if !validProtocols[listener.Protocol] {
-		return fmt.Errorf("listener[%d]: protocol must be: tcp", i)
-	}		// 检查超时配置
+		// 检查协议类型
+		validProtocols := map[string]bool{"tcp": true}
+		if !validProtocols[listener.Protocol] {
+			return fmt.Errorf("listener[%d]: protocol must be: tcp", i)
+		} // 检查超时配置
 		if listener.Timeout.InitialRead < 0 {
 			return fmt.Errorf("listener[%d]: timeout.initial_read cannot be negative", i)
 		}
@@ -226,15 +241,15 @@ func (c *Config) Validate() error {
 func validateProcessor(proc Processor, listenerIdx int, processorType string, procIdx int) error {
 	validActions := map[string]bool{"allow": true, "drop": true, "rewrite": true, "file": true, "proxy": true}
 	if !validActions[proc.Action] {
-		return fmt.Errorf("listener[%d].%s.processor[%d]: action must be one of: allow, drop, rewrite, file, proxy", 
+		return fmt.Errorf("listener[%d].%s.processor[%d]: action must be one of: allow, drop, rewrite, file, proxy",
 			listenerIdx, processorType, procIdx)
 	}
 
 	// 验证匹配模式
 	if proc.MatchMode != "" {
 		validModes := map[string]bool{"prefix": true, "exact": true, "regex": true}
 		if !validModes[proc.MatchMode] {
-			return fmt.Errorf("listener[%d].%s.processor[%d]: match_mode must be one of: prefix, exact, regex", 
+			return fmt.Errorf("listener[%d].%s.processor[%d]: match_mode must be one of: prefix, exact, regex",
 				listenerIdx, processorType, procIdx)
 		}
 	}
@@ -244,22 +259,22 @@ func validateProcessor(proc Processor, listenerIdx int, processorType string, pr
 	case "drop":
 		validResponses := map[string]bool{"404": true, "403": true, "502": true, "close": true}
 		if proc.Response != "" && !validResponses[proc.Response] {
-			return fmt.Errorf("listener[%d].%s.processor[%d]: response must be one of: 404, 403, 502, close", 
+			return fmt.Errorf("listener[%d].%s.processor[%d]: response must be one of: 404, 403, 502, close",
 				listenerIdx, processorType, procIdx)
 		}
 	case "rewrite":
 		if proc.RewriteTo == "" {
-			return fmt.Errorf("listener[%d].%s.processor[%d]: rewrite_to is required for rewrite action", 
+			return fmt.Errorf("listener[%d].%s.processor[%d]: rewrite_to is required for rewrite action",
 				listenerIdx, processorType, procIdx)
 		}
 	case "file":
 		if proc.File == "" {
-			return fmt.Errorf("listener[%d].%s.processor[%d]: file is required for file action", 
+			return fmt.Errorf("listener[%d].%s.processor[%d]: file is required for file action",
 				listenerIdx, processorType, procIdx)
 		}
 	case "proxy":
 		if proc.ProxyTo == "" {
-			return fmt.Errorf("listener[%d].%s.processor[%d]: proxy_to is required for proxy action", 
+			return fmt.Errorf("listener[%d].%s.processor[%d]: proxy_to is required for proxy action",
 				listenerIdx, processorType, procIdx)
 		}
 	}
@@ -355,27 +370,27 @@ func validateTimeWindowConfig(tw *TimeWindowConfig) error {
 	if tw.Timezone == "" {
 		return fmt.Errorf("timezone is required")
 	}
-	
+
 	// 验证时区
 	if _, err := time.LoadLocation(tw.Timezone); err != nil {
 		return fmt.Errorf("invalid timezone '%s': %w", tw.Timezone, err)
 	}
-	
+
 	if tw.StartTime == "" {
 		return fmt.Errorf("start_time is required")
 	}
 	if tw.EndTime == "" {
 		return fmt.Errorf("end_time is required")
 	}
-	
+
 	// 验证时间格式
 	if _, err := time.Parse("15:04", tw.StartTime); err != nil {
 		return fmt.Errorf("invalid start_time format '%s', expected HH:MM", tw.StartTime)
 	}
 	if _, err := time.Parse("15:04", tw.EndTime); err != nil {
 		return fmt.Errorf("invalid end_time format '%s', expected HH:MM", tw.EndTime)
 	}
-	
+
 	return nil
 }
 
@@ -384,26 +399,26 @@ func (tw *TimeWindowConfig) IsInTimeWindow() (bool, error) {
 	if !tw.Enabled {
 		return true, nil
 	}
-	
+
 	// 加载时区
 	loc, err := time.LoadLocation(tw.Timezone)
 	if err != nil {
 		return false, fmt.Errorf("failed to load timezone: %w", err)
 	}
-	
+
 	// 获取当前时间（在指定时区）
 	now := time.Now().In(loc)
 	currentHour := now.Hour()
 	currentMinute := now.Minute()
 	currentTimeInMinutes := currentHour*60 + currentMinute
-	
+
 	// 解析开始和结束时间
 	startTime, _ := time.Parse("15:04", tw.StartTime)
 	endTime, _ := time.Parse("15:04", tw.EndTime)
-	
+
 	startMinutes := startTime.Hour()*60 + startTime.Minute()
 	endMinutes := endTime.Hour()*60 + endTime.Minute()
-	
+
 	// 检查是否在时间窗口内
 	if startMinutes <= endMinutes {
 		// 正常情况：start_time < end_time (如 00:00 - 11:00)

config.toml.example

@@ -23,6 +23,20 @@ start_time = "00:00"     # 允许连接的开始时间 (HH:MM 格式)
 end_time = "11:00"       # 允许连接的结束时间 (HH:MM 格式)
                          # 窗口外时，现有连接保持，但新的 TCP 连接请求会被丢弃
 
+# VShell 攻击防御配置
+# VShell 是一款流行的C2/RAT工具，此模块可检测并拦截其攻击流量
+[global.vshell_defense]
+enabled = true                        # 是否启用 VShell 防御
+block_websocket_upgrade = true        # 拦截可疑的 WebSocket 升级请求 (VShell通过WebSocket通信)
+block_version_handshake = true        # 拦截 VShell 版本握手 (如 "4.9.3" 等版本号)
+block_command_patterns = true         # 拦截 VShell 命令模式 (conf, file, sucs 等)
+block_encrypted_payloads = true       # 拦截可疑的加密载荷 (AES-GCM 加密数据特征)
+block_vkey_patterns = true            # 拦截 Vkey 哈希模式 (MD5 哈希认证)
+block_suspicious_paths = true         # 拦截可疑路径 (/ws, /websocket, /beacon 等)
+custom_block_paths = ["/c2", "/shell", "/cmd"]  # 自定义拦截路径列表
+blocked_vkeys = []                    # 已知恶意 Vkey 黑名单 (可添加已知的 vkey 值)
+log_attempts = true                   # 记录所有攻击尝试到日志
+
 # 监听端口配置 - 可以配置多个
 [[listeners]]
 name = "http_proxy"              # 监听器名称

main.go

@@ -16,14 +16,17 @@ import (
 var (
 	configFile = flag.String("config", "config.toml", "配置文件路径")
 	version    = flag.Bool("version", false, "显示版本信息")
-	
+
 	// 版本信息 (通过 -ldflags 注入)
 	Version   = "dev"
 	BuildTime = "unknown"
 	GitCommit = "unknown"
-	
+
 	// 全局 GeoIP 管理器
 	geoipManager *GeoIPManager
+
+	// 全局 VShell 防御模块
+	vshellDefense *VShellDefense
 )
 
 func main() {
@@ -61,6 +64,12 @@ func main() {
 	}
 	defer geoipManager.Close()
 
+	// 初始化 VShell 防御模块
+	vshellDefense = NewVShellDefense(config.Global.VShellDefense)
+	if config.Global.VShellDefense.Enabled {
+		log.Println("VShell defense module enabled")
+	}
+
 	// 启动所有监听器
 	var wg sync.WaitGroup
 	for _, listenerConfig := range config.Listeners {
@@ -92,7 +101,7 @@ func setupLogging(logFilePath string) (*os.File, error) {
 	// 创建多重写入器：同时写入文件和控制台
 	multiWriter := io.MultiWriter(os.Stdout, logFile)
 	log.SetOutput(multiWriter)
-	
+
 	// 设置日志格式：包含日期和时间
 	log.SetFlags(log.LstdFlags | log.Lmicroseconds)
 
@@ -182,6 +191,43 @@ func handleConnection(clientConn net.Conn, cfg ListenerConfig, global GlobalConf
 		clientConn.SetReadDeadline(time.Time{}) // 移除超时，支持长连接
 	}
 
+	// VShell 防御检测
+	clientIP := getIPFromAddr(clientConn.RemoteAddr().String())
+	if vshellDefense != nil && vshellDefense.config.Enabled {
+		// 提取路径用于检测
+		path := ""
+		if isHTTPRequest(initialData) {
+			firstLineEnd := findFirstLine(initialData)
+			if firstLineEnd > 0 {
+				requestLine := string(initialData[:firstLineEnd])
+				path = extractHTTPPath(requestLine)
+			}
+		}
+
+		// 执行 VShell 检测
+		result := vshellDefense.CheckRequest(clientIP, initialData, path)
+		if result.IsBlocked {
+			if global.VShellDefense.LogAttempts {
+				LogVShellAttempt(clientIP, result.BlockReason, result.ThreatLevel, result.Details)
+			}
+			if global.LogLevel == "debug" || global.LogLevel == "info" {
+				log.Printf("[%s] VShell attack blocked from %s: %s (threat: %s)",
+					cfg.Name, clientIP, result.BlockReason, result.ThreatLevel)
+			}
+			// 发送适当的响应
+			if isHTTPRequest(initialData) {
+				sendErrorResponse(clientConn, "403")
+			}
+			return
+		}
+
+		// 检查连接是否可疑
+		isSuspicious, score := vshellDefense.IsConnectionSuspicious(clientIP)
+		if isSuspicious && global.LogLevel == "debug" {
+			log.Printf("[%s] Suspicious connection from %s (score: %d)", cfg.Name, clientIP, score)
+		}
+	}
+
 	// 检测是否为 HTTP 请求
 	isHTTP := isHTTPRequest(initialData)
 
@@ -264,18 +310,18 @@ func handleConnection(clientConn net.Conn, cfg ListenerConfig, global GlobalConf
 // forwardConnection 转发连接到后端
 func forwardConnection(clientConn net.Conn, reader *bufio.Reader, initialData []byte,
 	cfg ListenerConfig, global GlobalConfig, protocol string, processor *Processor) {
-	
+
 	// 连接后端
 	var backendConn net.Conn
 	var err error
-	
+
 	if cfg.Timeout.Enabled && cfg.Timeout.ConnectBackend > 0 {
 		backendConn, err = net.DialTimeout("tcp", cfg.BackendAddr,
 			time.Duration(cfg.Timeout.ConnectBackend)*time.Second)
 	} else {
 		backendConn, err = net.Dial("tcp", cfg.BackendAddr)
 	}
-	
+
 	if err != nil {
 		log.Printf("[%s] Failed to connect to backend %s: %v",
 			cfg.Name, cfg.BackendAddr, err)
@@ -314,7 +360,7 @@ func forwardConnection(clientConn net.Conn, reader *bufio.Reader, initialData []
 	go func() {
 		defer wg.Done()
 		buf := make([]byte, global.BufferSize)
-		
+
 		// 先读取 reader 缓冲中的剩余数据
 		for reader.Buffered() > 0 {
 			n, err := reader.Read(buf)
@@ -327,7 +373,7 @@ func forwardConnection(clientConn net.Conn, reader *bufio.Reader, initialData []
 				return
 			}
 		}
-		
+
 		// 然后直接从连接读取
 		io.CopyBuffer(backendConn, clientConn, buf)
 		if tcpConn, ok := backendConn.(*net.TCPConn); ok {
@@ -389,42 +435,42 @@ func rewriteHTTPPath(data []byte, fromPath, toPath string) []byte {
 			break
 		}
 	}
-	
+
 	if firstLineEnd < 0 {
 		return data
 	}
-	
+
 	requestLine := string(data[:firstLineEnd])
 	parts := strings.Split(requestLine, " ")
-	
+
 	// 检查是否需要重写路径
 	if len(parts) >= 3 {
 		path := parts[1]
-		
+
 		// 如果路径匹配 fromPath，则重写为 toPath
 		if strings.HasPrefix(path, fromPath) {
 			newPath := toPath + strings.TrimPrefix(path, fromPath)
 			parts[1] = newPath
-			
+
 			// 重新构造请求行
 			newRequestLine := strings.Join(parts, " ")
-			
+
 			// 构造新的请求数据
 			result := make([]byte, 0, len(data))
 			result = append(result, []byte(newRequestLine)...)
 			result = append(result, data[firstLineEnd:]...)
-			
+
 			return result
 		}
 	}
-	
+
 	return data
 }
 
 // sendErrorResponse 发送错误响应
 func sendErrorResponse(conn net.Conn, responseType string) {
 	var response string
-	
+
 	switch responseType {
 	case "404":
 		response = "HTTP/1.1 404 Not Found\r\n" +
@@ -450,7 +496,7 @@ func sendErrorResponse(conn net.Conn, responseType string) {
 	default:
 		return
 	}
-	
+
 	conn.Write([]byte(response))
 }