v1.2.0 — Enterprise Commercial & Shield Suite, Next-Gen Anti-DPI & DevOps Clustering

SamNet-dev released this 01 Jul 01:11

✨ What's New in MTProxyMax v1.2.0

MTProxyMax v1.2.0 represents the most extensive feature expansion in the project's history. This release transforms the core script into a full-scale Enterprise Proxy Management Platform featuring commercial voucher automation, role-based Telegram governance, automated hostile threat blacklisting, proactive Anti-DPI forensics, kernel-level bandwidth shaping, load balancer clustering, daily briefing dispatches, smart user onboarding, and hardware-aware performance auto-tuners.


🏢 Enterprise Commercial Suite

  • Commercial Voucher & Gift Code System (mtproxymax voucher)

    • Batch Generation: Generate secure batches of gift codes (mtproxymax voucher create <count> <quota> <days>) formatted as MTP-XXXX-XXXX with custom data ceilings (e.g., 10G, 50G, or unlimited) and validity durations stored cleanly in ${INSTALL_DIR}/vouchers.conf.
    • Self-Service & Bot Redemption: Users or distributors can redeem voucher codes locally (mtproxymax voucher redeem <code> [label]) or remotely via Telegram bot (/redeem <code>), instantly provisioning a dedicated proxy secret with exact quota and connection limits enforced.
    • Full Audit Trail: Track every voucher's status (ACTIVE, REDEEMED, REVOKED), creation timestamp, and associated account label.
  • Role-Based Access Control (RBAC) & Telegram Admin Tiers (mtproxymax admin)

    • Multi-Tier Authorization Governed in admins.conf:
      • superadmin: Unrestricted access to all 21 remote Telegram bot commands, including destructive engine restarts (/mp_restart), emergency panic lockdowns (/mp_lockdown), script self-updates (/mp_update), and bot removals (/mp_remove).
      • reseller: Delegated operational access restricted strictly to voucher batch creation (/mp_voucher create), voucher auditing (/mp_voucher list), voucher redemption (/redeem), and user statistics queries (/mp_status, /mp_secrets). Destructive server commands are automatically blocked with security violation logging.
  • Decoupled Self-Service Web Status Portal (mtproxymax portal)

    • Zero-Dependency Static HTML Dashboard: Generates a responsive, dark-mode glassmorphism HTML interface (index.html) stored in /opt/mtproxymax/portal/.
    • Automated Background JSON Metrics: During periodic engine sweeps (sweep()), MTProxyMax automatically exports real-time server health (status.json) and anonymized user quota leaderboards (users.json).
    • Client Self-Service: Users can check live proxy uptime, server bandwidth consumption, active connection counts, and individual data consumption directly from any browser without exposing internal administrative interfaces or running backend scripts.
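
The two-tier command policy described under Role-Based Access Control above, sketched as a deny-by-default check. This is an added example, not MTProxyMax code: the `<telegram_user_id>:<role>` layout standing in for admins.conf, the sample IDs, and the function names `role_of` and `authorize` are assumptions.

```shell
# Added example, not MTProxyMax code. ADMINS stands in for admins.conf; its
# "<telegram_user_id>:<role>" layout and both IDs are constructed.
ADMINS='1001:superadmin
2002:reseller'

# role_of ID: print the role bound to a numeric sender ID, or "none".
# The ID is checked to be digits-only before it is used in the sed pattern.
role_of() {
  case $1 in ''|*[!0-9]*) echo none; return ;; esac
  r=$(printf '%s\n' "$ADMINS" | sed -n "s/^$1:\([a-z]*\)\$/\1/p" | head -n 1)
  echo "${r:-none}"
}

# authorize ID "MESSAGE": return 0 to run the command, 1 to refuse it.
# Deny by default: unknown senders, unknown roles and unlisted commands fail.
authorize() {
  role=$(role_of "$1")
  # read splits the first line into words without glob expansion.
  read -r cmd sub _rest <<EOF
$2
EOF
  cmd=${cmd%%@*}   # Telegram group chats send /command@botname
  verdict=deny
  case $role in
    superadmin) verdict=allow ;;
    reseller)
      # Only the reseller commands listed in the release notes.
      case "$cmd $sub" in
        "/mp_voucher create"|"/mp_voucher list") verdict=allow ;;
        "/redeem "*|"/mp_status "*|"/mp_secrets "*) verdict=allow ;;
      esac ;;
  esac
  [ "$verdict" = allow ] && return 0
  # Refusals are logged, mirroring the "security violation logging" bullet.
  printf 'SECURITY role=%s id=%s denied=%s\n' "$role" "$1" "$cmd" >&2
  return 1
}
```

Binding roles to the numeric sender ID rather than a username matters because Telegram usernames can be changed or released, while the ID stays fixed.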

🛡️ Automated Hostile Threat Scanner Shield

  • Proactive Shodan & Censys Threat Blocking (mtproxymax scanner-shield)
    • High-Speed Kernel Memory Hash Sets: Initializes high-performance Linux kernel memory sets (ipset table mtproxymax-scanners) with capacity for up to 65,536 network CIDRs.
    • Automated Threat Feed Import: Automatically imports and blacklists well-known hostile mass scanning subnets (including Shodan, Censys, and Shadowserver probe networks such as 162.142.125.0/24, 167.94.138.0/24, 71.6.135.0/24).
    • Pre-Application Drop: Incoming packets from hostile scanner subnets are silently dropped at the Netfilter kernel boundary before reaching Docker container sockets or triggering SYN cookie thresholds, keeping your proxy invisible to Internet-wide discovery feeds.
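
How a feed like the one above can be validated before it is loaded into the set, as an added example that is not MTProxyMax code. Assumptions: the one-CIDR-per-line feed format, the /8 minimum prefix guard, the function names, and the raw/PREROUTING rule placement shown in the closing comment.

```shell
# Added example, not MTProxyMax code. Set name and capacity come from the notes.
SET_NAME="mtproxymax-scanners"
MAXELEM=65536

# valid_cidr CIDR: succeed only for a strict IPv4 CIDR with prefix /8../32.
# The /8 floor is this example's guard against a bad feed line like 0.0.0.0/0.
valid_cidr() (
  addr=${1%%/*}; len=${1#*/}
  [ "$addr/$len" = "$1" ] || exit 1
  case $addr in *[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) exit 1 ;; esac
  case $len in ''|*[!0-9]*) exit 1 ;; esac
  IFS=.; set -- $addr
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
  done
  [ ${#len} -le 2 ] && [ "$len" -ge 8 ] && [ "$len" -le 32 ]
)

# build_restore: feed on stdin (one CIDR per line, '#' comments allowed);
# prints `ipset restore` input on stdout and rejected entries on stderr.
build_restore() {
  printf 'create %s hash:net family inet maxelem %s\n' "$SET_NAME" "$MAXELEM"
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
    [ -n "$line" ] || continue
    if valid_cidr "$line"; then
      printf 'add %s %s\n' "$SET_NAME" "$line"
    else
      printf 'rejected feed entry: %s\n' "$line" >&2
    fi
  done
  return 0
}

# Constructed feed: the three subnets named in the notes plus two bad lines.
sample_feed() {
  cat <<'EOF'
162.142.125.0/24
167.94.138.0/24
71.6.135.0/24   # trailing comment
0.0.0.0/0
10.0.0.300/24
EOF
}
# Applying needs root, so it is shown, not run. raw/PREROUTING is this example's
# choice: it is evaluated before conntrack and before Docker's DNAT.
#   sample_feed | build_restore | ipset -exist restore
#   iptables -t raw -I PREROUTING -m set --match-set "$SET_NAME" src -j DROP
```

Traffic to a published port of a bridged container is DNAT'd and traverses FORWARD, so a drop rule placed only in filter/INPUT would not match it.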

🔬 Advanced Anti-DPI & Emergency Defenses

  • Active DPI Forensics Inspector (mtproxymax dpi-inspect)
    • Performs a 5-step heuristic scan evaluating SYN cookie state, TLS fingerprint parity, SNI routing reachability, conntrack replay cache depth, and MSS clamping to compute an interactive Anti-DPI Hardening Score out of 100.
  • Self-Healing Cover Watchdog (mtproxymax cover-watchdog)
    • Background watchdog probing primary cover domain health every 60 seconds. Automatically rotates to backup SNI pool candidates upon censorship interception or consecutive HTTP 5xx failures.
  • Emergency Panic Lockdown Switch (mtproxymax lockdown [on|off])
    • Instant posture hardening switch enabling kernel SYN tarpits, Ultra-Stealth conntrack replay protection, and TCP MSS clamping via CLI or remote Telegram bot command (/mp_lockdown).
  • Multi-Port Listener Pool (mtproxymax port-pool [add|remove|list])
    • Listens on multiple fallback TCP ports simultaneously (e.g., 443, 8443, 2053) via automated kernel iptables NAT redirection without extra container runtime overhead.
  • Dynamic FakeTLS Padding & Jitter (mtproxymax tls-pad [auto|off|rotate])
    • Randomizes FakeTLS certificate payload lengths dynamically (fake_cert_len) to prevent active DPI packet sizing heuristics from identifying MTProto handshake packets.
  • Active Probe Decoy Redirection (mtproxymax honeypot [on|off|status])
    • Intercepts unauthorized active scanners and redirects unauthenticated probes to realistic decoy web endpoints.

🏎️ Bandwidth Shaping & Quota Intelligence

  • Linux Kernel QoS Traffic Shaping (mtproxymax qos [set <mbps>|off|status])
    • Enforces per-IP upload and download rate ceilings using Linux tc (Traffic Control) hierarchical token buckets and iptables hashlimit rules to prevent aggressive clients from saturating server links.
  • Happy Hours Quota Exclusions (mtproxymax happy-hours [set <win>|off])
    • Configures unmetered schedule windows (e.g., 02:00-08:00) where client traffic bypasses monthly quota accounting.
  • Proactive Telegram Expiry Reminders (mtproxymax notify-expiry)
    • Scans user accounts and dispatches automated direct Telegram reminders 7 days, 3 days, and 24 hours prior to account expiration.
  • Multi-IP Subscription Anomaly Scanner (mtproxymax leak-scan [thresh])
    • Inspects real-time connection logs to detect credential leaks and abnormal simultaneous IP sharing across proxy secrets.

📡 Operations, Briefings & Onboarding Suite

  • Telegram Backup Push (mtproxymax backup send-tg [file])
    • Compresses the server configuration and secrets database into an encrypted .tar.gz archive and pushes it directly as a document attachment to the superadmin Telegram bot chat.
  • Scheduled Executive Morning Briefings (mtproxymax daily-report [on|off|run])
    • Configures automated daily cron summaries sent directly to Telegram detailing 24-hour traffic volume, peak connection counts, and upcoming account expirations.
  • SSH Brute-Force Intrusion Shield (mtproxymax ssh-shield [on|off|status])
    • Automatically configures fail2ban rules and kernel firewall jails protecting host SSH ports against automated dictionary attack bots.
  • International Network Grade Benchmarker (mtproxymax net-grade)
    • Performs comprehensive TCP ping and routing stability evaluations against global transit nodes, scoring server network quality with an A+/A/B/C letter grade.
  • Interactive Smart Onboarding Wizard (mtproxymax onboard [label])
    • Step-by-step interactive administrative wizard guiding operators through creating accounts with custom bandwidth limits, connection caps, expiration dates, and immediate QR code outputs.
  • SSL/TLS Cover Domain Inspector (mtproxymax cert-check [domain])
    • Audits cover domains via OpenSSL to verify certificate issuer chains, cipher suites, and days until TLS expiration.

🌐 DevOps Clustering & Automation Suite

  • Layer-4 Load Balancer Exporter (mtproxymax export-lb [haproxy|nginx])
    • Generates production-ready HAProxy (haproxy.cfg) and Nginx Stream (nginx.conf) configuration snippets configured for Layer-4 TCP proxying and PROXY Protocol v2.
  • Cloudflare Dynamic DNS Updater (mtproxymax ddns [set|run|status|off])
    • Automatically queries Cloudflare API v4 and updates domain A records whenever public IP changes are detected.
  • Point-in-Time Snapshots (mtproxymax snapshot [create|restore]) & Forensics Bundle (mtproxymax diag-dump)
    • Creates self-contained .tar.gz configuration backups with one-click restoration and packages comprehensive system diagnostics for auditing.
  • Instant Server Replication & Bootstrapping (mtproxymax clone-link & bootstrap <base64>)
    • Generates a one-line Base64 export bundle containing server configuration parameters that can be instantly bootstrapped onto a fresh secondary node.

🚀 Performance & Self-Healing Suite

  • TCP BBR & Fast Open Booster (mtproxymax tcp-boost [on|off|status])
    • Activates Google's BBR congestion control algorithm and TCP Fast Open (TFO) to drastically reduce latency over high-packet-loss networks.
  • Aggressive Mobile Socket Reaper (mtproxymax tcp-clean [on|off|status])
    • Tunes kernel fin_timeout and keepalive_probes to rapidly purge orphaned mobile client sockets caused by sudden cellular drops.
  • Ultra-Low Latency Socket Queue Booster (mtproxymax socket-boost [on|off])
    • Expands somaxconn and network device backlog limits to handle thousands of concurrent connection bursts without packet drops.
  • Automated Memory & Socket Self-Healer (mtproxymax heal & auto-heal [on|off|status])
    • Background self-healer that automatically flushes kernel buffer caches and reaps zombie connections when available RAM drops below critical thresholds.
  • TCP Fast-Path Window Scaling & MTU Probing (mtproxymax tcp-fastpath [on|off])
    • Optimizes RFC-compliant TCP window scaling (tcp_window_scaling=1), Selective Acknowledgments (tcp_sack=1), and Path MTU discovery (tcp_mtu_probing=1).
  • Dynamic RAM Auto-Tuning (mtproxymax ram-tune [auto|off])
    • Hardware-aware scaling of TCP memory buffers (rmem_max/wmem_max) across Small (≤1GB), Medium (1-4GB), and Large (>4GB) server tiers.
  • Dynamic Port Range Shadowing (mtproxymax port-hop [add|remove|list])
    • Redirects multi-port NAT blocks (<start>:<end>) to the primary listen port via iptables or nftables. Includes overlap shielding against the proxy port.
  • Multi-Core IRQ Packet Spreading (mtproxymax cpu-tune [on|off|status])
    • Spreads encrypted packet processing across available CPU cores via Receive Packet Steering (RPS/RFS) with container read-only sandbox detection.
  • Interactive TUI Control Centers
    • Dedicated ASCII menus (show_enterprise_menu under option [e] and show_performance_menu under option [p]) enabling real-time configuration and live status verification.

🏁 Upgrade

mtproxymax update

Pinned Engine: telemt v3.4.19 (987c53c)