
VPN, Tor setup, manuals (all topics)

Umm, what? You don't get abuse reports for a web scan, because a web scanner simply fetches the content via HTTP requests and examines it locally; from the outside that is no different from an ordinary user browsing the site.
 
Well, Acunetix at least stuffs parameters with SQL queries, and you do seem to get reports for that; on OVH I got one by e-mail.
 
Or here is an example from Azure:
Reported Source: 4.233.90.105
· Date/Time of Activity: 11/27/2023 9:06:52 AM

· Description: External reports of Brute Force traffic from your resource were received

· Evidence Gathered: Traffic analysis confirmed Brute Force traffic was present
 
No idea, never ran into that. Find another VPS/dedicated server, or set up any VPN.
 
Well, almost all VPS providers seem to dislike scans and the like, and as for a VPN, I already wrote about it in the opening post; maybe it somehow doesn't hide the real IP from the site well enough, or Acunetix somehow bypasses it.
 
It doesn't bypass it in any way if the main adapter is disabled and the traffic goes through the VPN's virtual adapter. And I don't understand how anyone can see SQL queries in, say, POST requests inside encrypted SSL traffic.
 
I'm not that deeply familiar with how VPNs work, which is why I even specified which client and protocol I used, in case someone knowledgeable can tell me what I did wrong.
 
Xray Configuration

Configuration of Wireguard obfuscated with Xray, Tor and an SSH tunnel chain. This setup assumes the reader has basic knowledge and is running multiple public servers, preferably more than five.

Three physical devices are in this setup: a flashed modem with an IMEI modification option via AT commands, a Mikrotik router acting as firewall, and a device running the QEMU hypervisor.

Xray is a platform that implements tunneling protocols and traffic obfuscation techniques.

A local virtual machine under the QEMU hypervisor acts as a gateway for the other virtual machines and is composed of strict firewall rules, Xray, Wireguard and a Tor process. Since the setup involves running Wireguard within Xray within Wireguard, the user must take care of the MTU for each transport layer, otherwise network disruptions will occur, most likely in the form of packet loss once more data is sent.

The Mikrotik router has a Wireguard connection to a public VPN to prevent traffic isolation by destination IP address; this is the outer Wireguard layer. The traffic within uses the Xray VMess protocol over WebSocket transport with TLS, which is the outbound security layer of the Xray client, and inside we have the private Wireguard. The traffic arrives at the nginx web server, which offers the TLS certificate to Xray and forwards the traffic to the inbound Xray port. It is recommended to have various other traffic on the nginx web server. The inner Wireguard is not decrypted; only the encapsulating protocol is changed to Trojan with a new TLS certificate to make traffic correlation harder. The traffic is sent to the next server, where, once decrypted, it is sent to a self-hosted Tor entry node or Tor bridge, then to a self-hosted Tor middle relay, then to a Tor exit node, either self-hosted or public, from where we connect to a chain of SSH tunnels with a rotating proxy handled by 3proxy.

All servers are Tor nodes and I2P peers, and run web servers, mail servers, open resolvers and other services. The firewall rules on the virtual machine should drop all traffic except the specific IP, port and protocol, to prevent leaking. Add the IP address and domain used in Xray to `/etc/hosts` instead of letting Xray resolve the domain. The domain should be used for TLS certificate verification inside the Xray configuration, with the certificate issued by a CA. The Xray routing rules define the inbound and outbound protocol by tagging. Implement hard-coded TLS key verification for the Trojan encapsulation, or use a different encapsulation protocol.

If running an open resolver: if I recall correctly, Shadowsocks traffic looks like mDNS but the checksum is incorrect. Trojan looks like HTTP. Shadowsocks uses a specific password format for the different encryption methods; refer to the official documentation. Investigate other encapsulation protocols and encryption layers, and read the official documentation: https://xtls.github.io/en/

Another variant is to use a CDN instead of a public VPN, which is possible with Xray; this depends on whom the user trusts less. However, I had no success in making Wireguard over WSS work through a CDN, only WSS over a CDN. The Xray Wireguard implementation can be used instead of dokodemo-door. I2P can be used instead of Tor, due to its scheme where each peer is also a routing relay, but the speeds were not good for I2P tunnels.

# Client configuration

Code:
bash-5.2# cat /etc/xray/config.json
{
  "inbounds": [
    {
      "tag": "wireguard",
      "port": 51820,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "127.0.0.1",
        "port": 51820,
        "network": "udp"
      }
    }
  ],
  "outbounds": [
    {
      "tag":"wss",
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "example.net",
            "port": 443,
            "users": [
              {
                "id": "03f404d9-e742-4f55-a455-494f9e15d49b",
                "encryption": "ChaCha20-Poly1305",
                "alterId": 64
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "wsSettings": {
          "path": "/wss/"
        }
      }
    },
    {
      "tag": "trojan",
      "protocol": "trojan",
      "settings": {
        "servers": [
          {
            "address": "example.net",
            "port": 443,
            "email": "5f5b88d4d605dc988d64703c@0f0f9587",
            "password": "gn3XK7Dl1urCAH3MNlopN4BUrBbiPyQ",
            "level": 0
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "example.net",
          "allowInsecure": false
        }
      }
    },
    {
      "tag": "vmess",
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "example.net",
            "port": 443,
            "users": [
              {
                "id": "128af692-0a58-4d3b-9336-4c1c44d48d90",
                "alterId": 0,
                "security": "chacha20-poly1305",
                "level": 0
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "example.net",
          "allowInsecure": false
        }
      }
    }
  ],
  "routing":{
    "rules":[
      {
        "type":"field",
        "inboundTag":[
          "wireguard"
        ],
        "outboundTag":"wss"
      }
    ]
  }
}

Bash:
bash-5.2# cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey =
Address = 10.0.80.1/32
MTU = xxxx

[Peer]
PublicKey =
AllowedIPs = 10.0.80.2/32, tor entry/bridge
Endpoint = 127.0.0.1:51820
PersistentKeepalive = 45

# Server 1 configuration
Code:
{
  "inbounds": [
    {
      "tag": "wss",
      "port": 10000,
      "listen":"127.0.0.1",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "03f404d9-e742-4f55-a455-494f9e15d49b",
            "encryption": "ChaCha20-Poly1305",
            "alterId": 64
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
        "path": "/wss/"
        }
      }
    }
  ],
  "outbounds": [
    {
      "tag": "shadowsocks",
      "protocol": "shadowsocks",
      "settings": {
        "servers": [
          {
            "address": "ip.ip.ip.ip",
            "port": 53,
            "method": "2022-blake3-chacha20-poly1305",
            "password": "1m3/6upxi/AIcWe47bBF6P8zfpiHrPF2kcY36yUFxGA="
          }
        ]
      }
    },
    {
      "tag": "trojan",
      "protocol": "trojan",
      "settings": {
        "servers": [
          {
            "address": "ip.ip.ip.ip",
            "port": 8080,
            "email": "5f5b88d4d605dc988d64703c@0f0f9587",
            "password": "1f4ac9f4-ed94-4dce-b4bf-a0cf3e45b530",
            "level": 0
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "ip.ip.ip.ip",
          "allowInsecure": true
        }
      }
    }
  ],
  "routing":{
    "rules":[
      {
        "type":"field",
        "inboundTag":[
          "wss"
        ],
        "outboundTag":"trojan"
      }
    ]
  }
}

NGINX:
server {
  listen 80;
  server_name example.net www.example.net;
  return 301 https://example.net$request_uri;
}

server {
  listen 443 ssl;
  server_name example.net www.example.net;

  location /wss {
    if ($http_upgrade != "websocket") {
      return 404;
    }

    proxy_redirect off;
    proxy_pass http://127.0.0.1:10000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  ssl_certificate /etc/nginx/certs/example.net/fullchain.pem;
  ssl_certificate_key /etc/nginx/certs/example.net/key.pem;
  ssl_trusted_certificate /etc/nginx/certs/example.net/fullchain.pem;
}

# Server 2 configuration

Code:
bash-5.2# cat /etc/xray/config.json
{
  "inbounds": [
    {
      "port": 53,
      "protocol": "shadowsocks",
      "settings": {
        "method": "2022-blake3-chacha20-poly1305",
        "password": "1m3/6upxi/AIcWe47bBF6P8zfpiHrPF2kcY36yUFxGA=",
        "network": "tcp,udp"
      }
    },
    {
      "port": 8080,
      "listen": "0.0.0.0",
      "protocol": "trojan",
      "settings": {
        "clients": [
          {
            "email": "5f5b88d4d605dc988d64703c@0f0f9587",
            "password": "1f4ac9f4-ed94-4dce-b4bf-a0cf3e45b530"
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "certificates": [
            {
              "certificate": [
                "-----BEGIN CERTIFICATE-----",
                "",
                "",
                "",
                "",
                "",
                "",
                "",
                "",
                "-----END CERTIFICATE-----"
              ],
              "key": [
                "-----BEGIN RSA PRIVATE KEY-----",
                "",
                "",
                "",
                "-----END RSA PRIVATE KEY-----"
              ]
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    }
  ]
}

Bash:
bash-5.2# cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey =
Address = 10.0.80.2/32
ListenPort = 51820

[Peer]
PublicKey =
AllowedIPs = 10.0.80.1/32

The SNAT rule routes traffic to the outside world. The source IP is the public IP of the server that is initiating the connection to the internet.

Bash:
iptables -t nat -A POSTROUTING -s 10.0.80.0/24 -j SNAT --to-source ip.ip.ip.ip

DNAT can be used to forward traffic from a specific IP to a specific port on to a different internal port. The security downside is the hardcoded IP or subnet.
Bash:
iptables -t nat -A PREROUTING -p tcp -s ip.ip.ip.ip --dport 9001 -j DNAT --to-destination :8080

If you encounter Xray connection problems, enable debug logging:
Code:
"log": {
    "access": "/tmp/a",
    "error": "/tmp/e",
    "loglevel": "debug"
}

The SSH tunneling chain is implemented with a simple shell script. The chain length has no limit, and the connection speed is the speed of the slowest tunnel. It works well with a chain of nine tunnels. Make sure to have all dependencies.

Bash:
#!/bin/bash
# Builds a chain of SSH SOCKS tunnels inside a tmux session: hop 0 goes out through Tor
# (torsocks), every later hop is reached through the previous hop's local SOCKS port.
# Needs: tmux, sshpass, torsocks, curl and an nc that supports -x/-X (OpenBSD netcat).

TUNNEL=("ip1.ip1.ip1.ip1:port1:user1:pass1:country1" "ip2.ip2.ip2.ip2:port2:user2:pass2:country2" "ip3.ip3.ip3.ip3:port3:user3:pass3:country3")

OPTS="-o PreferredAuthentications=password -o StrictHostKeyChecking=no -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa -o ServerAliveInterval=30 -o ServerAliveCountMax=30 -o PermitLocalCommand=no -o ExitOnForwardFailure=yes"

LPORT=6200   # hop N listens on 127.0.0.1:$((LPORT+N))

! tmux has-session -t "tunnel" 2>/dev/null && tmux new-session -s "tunnel" -d

for i in "${!TUNNEL[@]}"; do
  read -r HOST PORT USER PASS CC < <(awk -F':' '{print $1, $2, $3, $4, $5}' <<< "${TUNNEL[$i]}")
  printf "[+] %s -> %s [%s]\n" "${i}" "${HOST}" "${CC^^}"

  if [ "$i" -eq 0 ]; then
    tmux send-keys -t "tunnel:${i}" "torsocks -i sshpass -p ${PASS} ssh -v -p ${PORT} ${USER}@${HOST} -N -D 127.0.0.1:${LPORT} ${OPTS}; exit" C-m 2>/dev/null
  else
    tmux new-window -t "tunnel:${i}" -n "${CC^^}" \; send-keys -t "tunnel:${i}" "sshpass -p ${PASS} ssh -v -p ${PORT} ${USER}@${HOST} -N -D 127.0.0.1:$((LPORT+i)) -o ProxyCommand=\"nc -x 127.0.0.1:$((LPORT+i-1)) -X 5 %h %p\" ${OPTS}; exit" C-m 2>/dev/null
  fi

  # Wait up to 60 s for ssh -v to report its SOCKS listener before starting the next hop.
  START=$(date +%s)
  while ! tmux capture-pane -p -t "tunnel:${i}" | grep -q "Local forwarding listening" && [ $(( $(date +%s) - START )) -lt 60 ]; do
    sleep 1
  done
done

# Exit IP as seen through the last hop; it equals the last SSH host only if nothing sits behind it.
IP=$(curl -s -m 20 -x "socks5h://127.0.0.1:$((LPORT+i))" http://api.ipify.org/)
[ -z "${IP}" ] && echo '[-] False' || { [ "${IP}" = "${HOST}" ] && echo "[+] True -> ${IP} (OK)" || echo "[+] True -> ${IP} (WARN)"; }

Unlike proxychains4, 3proxy supports local binding. The first proxy cannot be used for resolving DNS requests in a chain; the last proxy must be used for that, by defining 'socks5+'. In this case the last proxy is a rotating proxy. Some rotating proxies block outgoing port 22, so simply change the SSH daemon port to 443.

Code:
$ cat /etc/3proxy/3proxy.cfg
nscache 65536
stacksize 655360
daemon
timeouts 90 90 120 120 180 1800 60 120
auth iponly
fakeresolve
allow * * *
parent 1000 socks5 127.0.0.1 9208
parent 1000 socks5+ ip.ip.ip.ip port user password
socks -i127.0.0.1 -p9300

The other virtual machines connect to the gateway virtual machine's Tor SOCKSPort or to the local tunnel; they do not use it as their default routing gateway.
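As an added example (not part of the post above and not Xray's own tooling), the following Python script cross-checks a client → server 1 → server 2 chain of Xray configs the way the tag-based routing described above requires: every routing rule must name an existing inbound/outbound tag, outbounds that no rule selects are dead weight (Xray only falls back to the first outbound when no rule matches), the credentials an outbound presents must match the inbound it reaches on the next hop, and `allowInsecure: true` or a non-zero VMess `alterId` are flagged. The embedded CLIENT/SERVER1/SERVER2 dicts are a constructed, abridged copy of the configs shown above, placeholder addresses included; with real files, replace them with `json.load()` of each hop's config.json. Matching an outbound to a next-hop inbound by tag and then by protocol is this script's own convention, not something Xray does.

```python
"""Added example (not the post's code): cross-check a chain of Xray configs,
client -> server 1 -> server 2, for the mistakes that make it fail silently.
CLIENT/SERVER1/SERVER2 are a constructed, abridged copy of the post's configs."""
VMESS_ID = "03f404d9-e742-4f55-a455-494f9e15d49b"
TROJAN_PW = "1f4ac9f4-ed94-4dce-b4bf-a0cf3e45b530"
SS = {"method": "2022-blake3-chacha20-poly1305", "password": "1m3/6upxi/AIcWe47bBF6P8zfpiHrPF2kcY36yUFxGA="}

CLIENT = {
    "inbounds": [{"tag": "wireguard", "port": 51820, "protocol": "dokodemo-door",
                  "settings": {"address": "127.0.0.1", "port": 51820, "network": "udp"}}],
    "outbounds": [
        {"tag": "wss", "protocol": "vmess",
         "settings": {"vnext": [{"address": "example.net", "port": 443,
                                 "users": [{"id": VMESS_ID, "encryption": "ChaCha20-Poly1305", "alterId": 64}]}]},
         "streamSettings": {"network": "ws", "security": "tls", "wsSettings": {"path": "/wss/"}}},
        {"tag": "trojan", "protocol": "trojan",  # present in the post, but no rule routes to it
         "settings": {"servers": [{"address": "example.net", "port": 443, "password": "gn3XK7Dl1urCAH3MNlopN4BUrBbiPyQ"}]},
         "streamSettings": {"network": "tcp", "security": "tls", "tlsSettings": {"serverName": "example.net", "allowInsecure": False}}},
    ],
    "routing": {"rules": [{"type": "field", "inboundTag": ["wireguard"], "outboundTag": "wss"}]},
}
SERVER1 = {
    "inbounds": [{"tag": "wss", "port": 10000, "listen": "127.0.0.1", "protocol": "vmess",
                  "settings": {"clients": [{"id": VMESS_ID, "encryption": "ChaCha20-Poly1305", "alterId": 64}]},
                  "streamSettings": {"network": "ws", "wsSettings": {"path": "/wss/"}}}],
    "outbounds": [
        {"tag": "shadowsocks", "protocol": "shadowsocks", "settings": {"servers": [{"address": "ip.ip.ip.ip", "port": 53, **SS}]}},
        {"tag": "trojan", "protocol": "trojan",
         "settings": {"servers": [{"address": "ip.ip.ip.ip", "port": 8080, "password": TROJAN_PW}]},
         "streamSettings": {"network": "tcp", "security": "tls", "tlsSettings": {"serverName": "ip.ip.ip.ip", "allowInsecure": True}}},
    ],
    "routing": {"rules": [{"type": "field", "inboundTag": ["wss"], "outboundTag": "trojan"}]},
}
SERVER2 = {
    "inbounds": [
        {"port": 53, "protocol": "shadowsocks", "settings": {**SS, "network": "tcp,udp"}},
        {"port": 8080, "listen": "0.0.0.0", "protocol": "trojan", "settings": {"clients": [{"password": TROJAN_PW}]},
         "streamSettings": {"network": "tcp", "security": "tls"}},
    ],
    "outbounds": [{"protocol": "freedom"}],
}
HOPS = [("client", CLIENT), ("server1", SERVER1), ("server2", SERVER2)]


def vmess_users(part: dict) -> list:
    """VMess users of an outbound (settings.vnext[].users) or an inbound (settings.clients)."""
    s = part.get("settings", {})
    return [u for v in s.get("vnext", []) for u in v["users"]] + s.get("clients", [])


def creds(part: dict) -> list:
    """Credentials of an inbound or outbound, per protocol, in one comparable shape."""
    s, p = part.get("settings", {}), part["protocol"]
    if p == "vmess":
        return [{"id": u["id"]} for u in vmess_users(part)]
    if p == "trojan":
        return [{"password": x["password"]} for x in s.get("clients", []) + s.get("servers", [])]
    if p == "shadowsocks":  # a Shadowsocks inbound keeps method/password directly in settings
        return [{"password": x["password"], "method": x["method"]} for x in s.get("servers") or [s]]
    return []


def lint_hop(name: str, cfg: dict, nxt: "dict | None") -> list:
    """Findings for one hop; its reachable outbounds are matched against the next hop's inbounds."""
    out = []
    inb = {i.get("tag") for i in cfg.get("inbounds", [])}
    outb = [o.get("tag") for o in cfg.get("outbounds", [])]
    used = set(outb[:1])  # the first outbound is Xray's default when no rule matches
    for rule in cfg.get("routing", {}).get("rules", []):
        out += [f"{name}: rule references unknown inboundTag {t!r}" for t in rule.get("inboundTag", []) if t not in inb]
        t = rule.get("outboundTag")
        if t not in outb:
            out.append(f"{name}: rule references unknown outboundTag {t!r}")
        used.add(t)
    out += [f"{name}: outbound {t!r} is defined but never selected by a rule" for t in outb if t not in used]
    for part in cfg.get("inbounds", []) + cfg.get("outbounds", []):
        for u in vmess_users(part) if part.get("protocol") == "vmess" else []:
            if u.get("alterId", 0):  # non-zero alterId selects the legacy non-AEAD VMess handshake
                out.append(f"{name}: vmess {part.get('tag')!r} alterId={u['alterId']}; Xray-core speaks AEAD VMess only, use 0")
            if "encryption" in u:
                out.append(f"{name}: vmess {part.get('tag')!r} user key 'encryption' is not an Xray field; the cipher key is 'security'")
    for ob in cfg.get("outbounds", []):
        if ob.get("streamSettings", {}).get("tlsSettings", {}).get("allowInsecure"):
            out.append(f"{name}: outbound {ob.get('tag')!r} has allowInsecure=true, the peer certificate is never verified")
        if nxt is None or ob.get("tag") not in used:
            continue
        nxt_in = nxt.get("inbounds", [])  # prefer an inbound with the same tag, else the same protocol
        peers = [i for i in nxt_in if ob.get("tag") and i.get("tag") == ob["tag"]] or [i for i in nxt_in if i.get("protocol") == ob["protocol"]]
        if not peers:
            out.append(f"{name}: outbound {ob.get('tag')!r} ({ob['protocol']}) has no matching inbound on the next hop")
            continue
        accepted = [c for i in peers for c in creds(i)]
        out += [f"{name}: outbound {ob.get('tag')!r} credentials are not accepted by the next hop's {ob['protocol']} inbound"
                for c in creds(ob) if c not in accepted]
    return out


def lint_chain(hops: list) -> list:
    """Lint every hop; hop k is checked against hop k+1, the last hop against nothing."""
    return [f for k, (name, cfg) in enumerate(hops)
            for f in lint_hop(name, cfg, hops[k + 1][1] if k + 1 < len(hops) else None)]


if __name__ == "__main__":
    print("\n".join(lint_chain(HOPS)))
```

Run against the post's own configs it reports six findings: the client's unused `trojan` outbound, `alterId: 64` and the `encryption` key on both ends of the VMess hop, and `allowInsecure: true` on server 1's Trojan outbound; the shared secrets between the hops are consistent. Changing a password on one side only, or removing an inbound the previous hop still points at, produces a "not accepted" or "no matching inbound" line for that hop.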
 
Guys, I ran into this problem: resources that allow browsing them over IPv6 have captchas on login/authentication that don't let IPv6 through. How do I fix this mess?


The work is done from containers in the browser, which are proxied through IPv6; accordingly, it is not practical to jump to a different IP protocol while passing the captcha, to avoid being flagged as fraud by the resource.
 
Guys, recommend some cheap shared socks, geo: European countries, South America/North America.

Preferably ones that can be rented for 3-7 days.

Dirty pool? I don't give a f*ck, fraud can f*ck off, I only need it for testing resources.

There is a good service, vandash (those who know, know), it has shared ones, but only for Germany and the UK; I need something similar for worldwide/other European countries.
 
Is there a manual for setting up Wireguard on Windows Server as a VPN server and on Windows as a client?
I don't understand Linux, I'm afraid to get involved, I've tried thousands of instructions: there is a connection, but the internet on the client doesn't work. What am I doing wrong? Has anyone set it up yet? Has anyone had this happen? How is this solved?
 
And the locals will come visiting very quickly, I think, and not just for cybercrime but, damn, for some crooked query on YouTube.
:D :D :D Yeah, yeah, so sit there and be afraid. Don't do anything.
 
Yes, I'm such a pervert. :D Well, I don't understand Linux.
Please!
I did everything, and it even connects, but the internet doesn't work. Pleeease. I need help.
 
Can anyone tell me how to set up routing on a VPS: client → VPN → SOCKS5, so that the VPN process's traffic on the VPS is tunneled into SOCKS5 and the client gets the proxy's external IP rather than the VPN's? It's needed for use on Android. I've already worn myself out trying to configure iptables: either there's no traffic at all, or the IP stays the server's.
 
Thank you for the great job done! Maybe you can help configure a VPS where I created an Amnezia VPN and now I want to tunnel all that traffic through a SOCKS5 proxy with auth, so client-VPN-proxy.
 
There is an auto-install script for openvpn-socks5 (TCP) and openvpn-tor, paid, via PM.
 
How can I leave the host machine completely without internet? I need the internet to go from the router straight into a virtual machine while the host stays without internet. A firewall won't do. I need to restrict the internet not programmatically, by writing rules, but to leave the host with no network access at all. OS: Linux, hypervisor: QEMU (this is 100% possible, I just don't know how yet). I need to set up one VM as a router, so that the internet goes directly from the router into that VM and the network in the other VMs works through the first one, which acts as the host's stand-in. But how do I do that on Linux? I haven't found any adequate guides.
 
Remove the host's default gateway.
 

