By EbraSha

Author: ebrasha

Critical configuration files/users.json

@@ -5,7 +5,9 @@
     "role": "admin",
     "blocked_domains": [],
     "blocked_ips": [],
-    "log": "no"
+    "log": "no",
+    "max_sessions": 1,
+    "session_ttl_seconds": 300
   },
   {
     "username": "user1",
@@ -24,7 +26,9 @@
       "10.0.0.*",
       "172.16.*.*"
     ],
-    "log": "yes"
+    "log": "yes",
+    "max_sessions": 2,
+    "session_ttl_seconds": 300
   },
   {
     "username": "user2",
@@ -40,6 +44,8 @@
       "192.168.10.1",
       "10.10.10.10"
     ],
-    "log": "yes"
+    "log": "yes",
+    "max_sessions": 5,
+    "session_ttl_seconds": 300
   }
 ]

README.fa.md

@@ -45,6 +45,14 @@
 - **مدیریت تنظیمات**: تنظیمات سرور مبتنی بر JSON
 - **سیستم ثبت**: ثبت جامع اتصالات و حملات
 
+## 🧾 قابلیت های اکانتینگ
+- **کنترل داخلی سشن‌ها**: مدیر می‌تواند حداکثر تعداد سشن‌های فعال همزمان برای هر حساب را تنظیم کند تا میزان اتصال کاربران کنترل شود.
+- **انقضای خودکار سشن‌ها**: برای هر سشن مدت زمان اعتبار (TTL) تعریف می‌شود تا پس از پایان آن، سشن منقضی شده و منابع آزاد شوند.
+- **مدیریت پویا در زمان محدودیت**: وقتی تعداد سشن‌ها به حد مجاز برسد، اتصال‌های جدید می‌توانند رد شوند یا در صف انتظار قرار گیرند (قابل تنظیم توسط مدیر).
+- **نظارت لحظه‌ای بر سشن‌ها**: سیستم وضعیت سشن‌های فعال را به‌صورت زنده ثبت کرده و برای حسابرسی و تحلیل ذخیره می‌کند.
+
+
+
 ## 📋 نیازمندی‌ها
 
 - Go 1.19 یا بالاتر
@@ -92,7 +100,9 @@
     "role": "admin",
     "blocked_domains": [],
     "blocked_ips": [],
-    "log": "no"
+    "log": "no",
+    "max_sessions": 1,
+    "session_ttl_seconds": 300
   },
   {
     "username": "user1",
@@ -111,7 +121,9 @@
       "10.0.0.*",
       "172.16.*.*"
     ],
-    "log": "yes"
+    "log": "yes",
+    "max_sessions": 2,
+    "session_ttl_seconds": 300
   },
   {
     "username": "user2",
@@ -127,7 +139,9 @@
       "192.168.10.1",
       "10.10.10.10"
     ],
-    "log": "yes"
+    "log": "yes",
+    "max_sessions": 5,
+    "session_ttl_seconds": 300
   }
 ]
 

README.md

@@ -41,6 +41,13 @@ A high-performance SSH-based tunneling server designed for secure internet acces
 - **Configuration Management**: JSON-based server configuration
 - **Logging System**: Comprehensive logging of connections and attacks
 
+### 🧾 Accounting Features
+- **Built-in Session Control**: Administrators can define how many concurrent sessions each account can open at the same time.
+- **Automatic Session Expiration**: Each session has a defined Time To Live (TTL). Expired sessions are automatically terminated to free resources.
+- **Dynamic Connection Handling**: When the session limit is reached, new connections can be rejected or queued — fully configurable.
+- **Real-time Session Monitoring**: Tracks and logs all active sessions in real time for auditing and analytics.
+
+
 ## 📋 Requirements
 
 - Go 1.19 or higher
@@ -89,7 +96,9 @@ A high-performance SSH-based tunneling server designed for secure internet acces
     "role": "admin",
     "blocked_domains": [],
     "blocked_ips": [],
-    "log": "no"
+    "log": "no",
+    "max_sessions": 1,
+    "session_ttl_seconds": 300
   },
   {
     "username": "user1",
@@ -108,7 +117,9 @@ A high-performance SSH-based tunneling server designed for secure internet acces
       "10.0.0.*",
       "172.16.*.*"
     ],
-    "log": "yes"
+    "log": "yes",
+    "max_sessions": 2,
+    "session_ttl_seconds": 300
   },
   {
     "username": "user2",
@@ -124,7 +135,9 @@ A high-performance SSH-based tunneling server designed for secure internet acces
       "192.168.10.1",
       "10.10.10.10"
     ],
-    "log": "yes"
+    "log": "yes",
+    "max_sessions": 5,
+    "session_ttl_seconds": 300
   }
 ]
 

go.mod

@@ -4,11 +4,8 @@ go 1.24
 
 require (
 	github.com/UserExistsError/conpty v0.1.4
+	github.com/creack/pty v1.1.24
+	go.etcd.io/bbolt v1.3.10
 	golang.org/x/crypto v0.39.0
-)
-
-require (
-	github.com/creack/pty v1.1.24 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/sys v0.33.0
 )

go.sum

@@ -2,10 +2,22 @@ github.com/UserExistsError/conpty v0.1.4 h1:+3FhJhiqhyEJa+K5qaK3/w6w+sN3Nh9O9VbJ
 github.com/UserExistsError/conpty v0.1.4/go.mod h1:PDglKIkX3O/2xVk0MV9a6bCWxRmPVfxqZoTG/5sSd9I=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+go.etcd.io/bbolt v1.3.10 h1:+BqfJTcCzTItrop8mq/lbzL8wSGtj94UO/3U31shqG0=
+go.etcd.io/bbolt v1.3.10/go.mod h1:bK3UQLPJZly7IlNmV7uVHJDxfe5aK9Ll93e/74Y9oEQ=
 golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
 golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
 golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

main.go

@@ -36,6 +36,9 @@ import (
 var trafficMap sync.Map // key: username, value: *TrafficStats
 var activeConnections sync.Map // key: connection ID, value: connection info
 
+// Session metadata storage: sessionID -> connection metadata for session management
+var sessionMetadata sync.Map // key: sessionID, value: sessionInfo (username, ip, etc.)
+
 // SetExecutableDir changes current working directory to exe dir and returns it.
 func SetExecutableDir() (string, error) {
 	exePath, err := os.Executable()
@@ -94,12 +97,14 @@ type TrafficStats struct {
 
 // User structure with role-based access control, domain/IP blocking, and logging
 type User struct {
-	Username       string   `json:"username"`
-	Password       string   `json:"password"`
-	Role           string   `json:"role"`            // "user" or "admin"
-	BlockedDomains []string `json:"blocked_domains"` // List of blocked domains/IPs with wildcard support
-	BlockedIPs     []string `json:"blocked_ips"`     // List of blocked IPs with wildcard support
-	Log            string   `json:"log"`             // "yes" or "no" - enable/disable user access logging
+	Username          string   `json:"username"`
+	Password          string   `json:"password"`
+	Role              string   `json:"role"`                   // "user" or "admin"
+	BlockedDomains    []string `json:"blocked_domains"`        // List of blocked domains/IPs with wildcard support
+	BlockedIPs        []string `json:"blocked_ips"`             // List of blocked IPs with wildcard support
+	Log               string   `json:"log"`                    // "yes" or "no" - enable/disable user access logging
+	MaxSessions       int      `json:"max_sessions"`           // Maximum number of concurrent sessions (default: 2)
+	SessionTTLSeconds int      `json:"session_ttl_seconds"`     // Session TTL in seconds (default: 300)
 }
 
 var users map[string]User
@@ -139,6 +144,13 @@ func loadUsers(path string) {
 		// New format: array of User objects
 		users = make(map[string]User)
 		for _, user := range userList {
+			// Set default values if not specified
+			if user.MaxSessions <= 0 {
+				user.MaxSessions = 2 // Default max sessions
+			}
+			if user.SessionTTLSeconds <= 0 {
+				user.SessionTTLSeconds = 300 // Default TTL: 5 minutes (300 seconds)
+			}
 			users[user.Username] = user
 		}
 		log.Printf("✅ Loaded %d users with role-based access control", len(users))
@@ -155,9 +167,11 @@ func loadUsers(path string) {
 	users = make(map[string]User)
 	for username, password := range oldUserPass {
 		users[username] = User{
-			Username: username,
-			Password: password,
-			Role:     "user", // Default role for backward compatibility
+			Username:          username,
+			Password:          password,
+			Role:              "user",     // Default role for backward compatibility
+			MaxSessions:       2,           // Default max sessions
+			SessionTTLSeconds: 300,         // Default TTL: 5 minutes
 		}
 	}
 	log.Printf("✅ Loaded %d users from legacy format (all set to 'user' role)", len(users))
@@ -371,8 +385,33 @@ func createSSHConfig() *ssh.ServerConfig {
 
 			if user, ok := users[c.User()]; ok && user.Password == string(pass) {
 				delete(failedAttempts, ip) // reset count
-				log.Printf("✅ User %s (%s) authenticated from %s", c.User(), user.Role, ip)
-				return nil, nil
+				
+				// Get session manager
+				sm := GetSessionManager()
+				
+				// Get client version (before handshake, we don't have full metadata yet)
+				// We'll use IP and username for now, and update with client version in handleConnection
+				clientVersion := "SSH-2.0-Unknown" // Will be updated in handleConnection
+				
+				// Create session
+				sessionID, err := sm.CreateSession(c.User(), ip, clientVersion)
+				if err != nil {
+					log.Printf("⚠️ Failed to create session for %s: %v", c.User(), err)
+					return nil, fmt.Errorf("session creation failed")
+				}
+				
+				// Store sessionID in memory for later use in handleConnection
+				sessionMetadata.Store(c.User()+"|"+ip, sessionID)
+				
+				log.Printf("✅ User %s (%s) authenticated from %s [Session: %s]", c.User(), user.Role, ip, sessionID[:16]+"...")
+				
+				// Return sessionID in permissions for later retrieval
+				perms := &ssh.Permissions{
+					Extensions: map[string]string{
+						"session_id": sessionID,
+					},
+				}
+				return perms, nil
 			}
 
 			logInvalidLogin(c.User(), string(pass), ip, clientPort, serverPort)
@@ -482,7 +521,7 @@ func handleSession(channel ssh.Channel, requests <-chan *ssh.Request, username s
 ██████╔╝███████╗██║░░██║░░╚██╔╝░░███████╗██║░░██║
 ╚═════╝░╚══════╝╚═╝░░╚═╝░░░╚═╝░░░╚══════╝╚═╝░░╚═╝
 
-🛡️  Welcome to Abdal 4iProto Server ver 5.10
+🛡️  Welcome to Abdal 4iProto Server ver 6.2
 🧠  Developed by: Ebrahim Shafiei (EbraSha)
 ✉️ Prof.Shafiei@Gmail.com
 
@@ -515,14 +554,89 @@ func handleConnection(conn net.Conn, config *ssh.ServerConfig) {
 	}
 	defer sshConn.Close()
 
+	// Get session manager
+	sm := GetSessionManager()
+	
+	// Extract sessionID from permissions (set during PasswordCallback)
+	username := sshConn.User()
+	userIP, _, _ := net.SplitHostPort(sshConn.RemoteAddr().String())
+	clientVersionBytes := sshConn.ClientVersion()
+	clientVersion := string(clientVersionBytes)
+	
+	var sessionID string
+	// Try to get sessionID from permissions first
+	perms := sshConn.Permissions
+	if perms != nil && perms.Extensions != nil {
+		if sid, ok := perms.Extensions["session_id"]; ok {
+			sessionID = sid
+		}
+	}
+	
+	// If not found in permissions, try to get from memory (fallback)
+	if sessionID == "" {
+		if sid, ok := sessionMetadata.Load(username + "|" + userIP); ok {
+			sessionID = sid.(string)
+		}
+	}
+	
+	// Validate session if sessionID exists
+	if sessionID != "" {
+		// Check if session is valid
+		if !sm.IsSessionValid(sessionID) {
+			log.Printf("🔒 Invalid or expired session for user %s from %s, closing connection", username, userIP)
+			return // Connection will be closed by defer
+		}
+		
+		// Register connection with session manager
+		sm.RegisterConnection(sessionID, sshConn)
+		
+		// Update client version (was unknown during PasswordCallback)
+		if err := sm.UpdateSessionClientVersion(sessionID, clientVersion); err != nil {
+			log.Printf("⚠️ Failed to update session client version: %v", err)
+		}
+		
+		// Update last seen
+		if err := sm.UpdateSessionLastSeen(sessionID); err != nil {
+			log.Printf("⚠️ Failed to update session last seen: %v", err)
+		}
+		
+		// Unregister on connection close
+		defer func() {
+			sm.UnregisterConnection(sessionID)
+			sm.CloseSession(sessionID)
+		}()
+		
+		log.Printf("🔐 Session validated: %s for user %s from %s", sessionID[:16]+"...", username, userIP)
+	} else {
+		log.Printf("⚠️ No sessionID found for user %s from %s, connection may not be tracked", username, userIP)
+	}
+
 	// Track active connection
 	connID := fmt.Sprintf("%s-%d", sshConn.RemoteAddr().String(), time.Now().UnixNano())
 	activeConnections.Store(connID, sshConn.RemoteAddr().String())
 	defer activeConnections.Delete(connID)
 
-	log.Printf("New SSH connection from %s (%s)", sshConn.RemoteAddr(), sshConn.ClientVersion())
+	log.Printf("New SSH connection from %s (%s)", sshConn.RemoteAddr(), clientVersion)
 	go ssh.DiscardRequests(reqs)
 
+	// Start periodic session last seen update if session exists
+	if sessionID != "" {
+		go func() {
+			ticker := time.NewTicker(30 * time.Second) // Update every 30 seconds
+			defer ticker.Stop()
+			for range ticker.C {
+				if !sm.IsSessionValid(sessionID) {
+					log.Printf("🔒 Session expired for user %s, stopping updates", username)
+					return
+				}
+				if err := sm.UpdateSessionLastSeen(sessionID); err != nil {
+					log.Printf("⚠️ Failed to update session last seen: %v", err)
+					return
+				}
+			}
+		}()
+	}
+
 	for newChannel := range chans {
 
 		// Accessing username and IP address
@@ -962,6 +1076,10 @@ func startServer() {
 
 	// Load existing traffic files to preserve traffic statistics across restarts
 	loadExistingTrafficFiles()
+	
+	// Initialize session manager and start cleanup routine
+	sm := GetSessionManager()
+	sm.StartCleanupRoutine()
 
 	for _, port := range serverConfig.Ports {
 		go func(p int) {