fix anti honeypot detector

hugefiver · Dec 7, 2021 · dd156ba · dd156ba
1 parent 3a2e504
commit dd156ba
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 14 deletions.
diff --git a/third/crypto/ssh/server.go b/third/crypto/ssh/server.go
@@ -249,29 +249,40 @@ func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error)
 	} else {
 		s.clientVersion, err = exchangeVersions(s.sshConn.conn, s.serverVersion)
 	}
-	if err != nil {
-		return nil, err
-	}
-
-	// precheck version string
-	var major, minor int
-	n, err := fmt.Sscanf(string(s.clientVersion), "SSH-%d.%d", &major, &minor)
-	if err != nil || n != 2 {
+	// if unexpect character in version string
+	if err == errInvalidChar {
 		s.sshConn.conn.Write([]byte("Invalid SSH identification string.\r\n"))
 		err := s.sshConn.Close()
 		if err == nil {
 			err = errors.New("client version format invalid")
 		}
 		return nil, err
-	} else if major != 2 && minor != 0 {
-		s.sshConn.conn.Write([]byte("Protocol major versions differ.\r\n"))
-		err := s.sshConn.Close()
-		if err == nil {
-			err = errors.New("client major version don't match")
-		}
+	}
+	if err != nil {
 		return nil, err
 	}
 
+	// openssh: precheck version string
+	if config.AsOpenSSH {
+		var major, minor int
+		n, err := fmt.Sscanf(string(s.clientVersion), "SSH-%d.%d", &major, &minor)
+		if err != nil || n != 2 {
+			s.sshConn.conn.Write([]byte("Invalid SSH identification string.\r\n"))
+			err := s.sshConn.Close()
+			if err == nil {
+				err = errors.New("client version format invalid")
+			}
+			return nil, err
+		} else if major != 2 && minor != 0 {
+			s.sshConn.conn.Write([]byte("Protocol major versions differ.\r\n"))
+			err := s.sshConn.Close()
+			if err == nil {
+				err = errors.New("client major version don't match")
+			}
+			return nil, err
+		}
+	}
+
 	if config.CheckClientVersion != nil && !config.CheckClientVersion(s.clientVersion) {
 		// s.sshConn.conn.Write([]byte("Invalid SSH identification string.\r\n"))
 		s.sshConn.conn.Write([]byte("Protocol mismatch.\r\n"))

diff --git a/third/crypto/ssh/transport.go b/third/crypto/ssh/transport.go
@@ -371,6 +371,8 @@ func readVersion(r io.Reader) ([]byte, error) {
 	return versionString, nil
 }
 
+var errInvalidChar = errors.New("invalid character in version string")
+
 func readVersionOpenSSH(rw io.ReadWriter) ([]byte, error) {
 	versionString := make([]byte, 0, 64)
 	var ok bool
@@ -402,6 +404,10 @@ func readVersionOpenSSH(rw io.ReadWriter) ([]byte, error) {
 				break loop
 			}
 
+			if buf[0] < 32 {
+				return nil, errInvalidChar
+			}
+
 			// if last char is '\r', it's not allowed
 			if lastCR {
 				rw.Write([]byte("Protocol mismatch.\r\n"))