feat: [v3.5.2] 终极安全与逻辑闭环补丁

1. 升级军工级 HMAC 签名:将数据负载 (Base64) 卷入哈希,封死中间人篡改路径。
2. 引入高熵复合密钥:结合 CHAT_ID 与 TG_TOKEN,大幅提升抗暴力破解强度。
3. 实现全自动改名闭环:Master 确认 Agent 修改成功后自动同步数据库,彻底告别手动复制。
This commit is contained in:
hotyue
2026-04-16 03:14:12 +00:00
parent 9768bed637
commit dc7d1c0f40
2 changed files with 38 additions and 33 deletions

View File

@@ -83,15 +83,19 @@ import time
PORT = int(sys.argv[1])
# 🛡️ 提取全局鉴权 Token (利用 CHAT_ID 作为 PSK 预共享密钥)
# 🛡️ [军工级升级] 提取全局复合鉴权 Token
AUTH_TOKEN = ""
TG_TOKEN = ""
if os.path.exists('/opt/ip_sentinel/config.conf'):
with open('/opt/ip_sentinel/config.conf', 'r') as f:
for line in f:
line = line.strip()
if line.startswith('CHAT_ID='):
AUTH_TOKEN = line.split('=', 1)[1].strip('"\'')
break
elif line.startswith('TG_TOKEN='):
TG_TOKEN = line.split('=', 1)[1].strip('"\'')
# 构建高熵密钥
SECRET_KEY = f"{AUTH_TOKEN}:{TG_TOKEN}"
class AgentHandler(http.server.BaseHTTPRequestHandler):
def do_GET(self):
@@ -123,9 +127,14 @@ class AgentHandler(http.server.BaseHTTPRequestHandler):
self.end_headers()
return
# 校验 3HMAC 数据完整性与身份合法性校验
msg = f"{req_path}:{req_t}".encode('utf-8')
expected_sign = hmac.new(AUTH_TOKEN.encode('utf-8'), msg, hashlib.sha256).hexdigest()
# 校验 3HMAC 数据完整性与身份合法性校验 (全参数卷入)
msg_str = f"{req_path}:{req_t}"
b64_alias = query.get('b64', [''])[0]
if b64_alias:
msg_str += f":{b64_alias}"
msg = msg_str.encode('utf-8')
expected_sign = hmac.new(SECRET_KEY.encode('utf-8'), msg, hashlib.sha256).hexdigest()
# 使用 compare_digest 防御时序攻击
if not hmac.compare_digest(expected_sign, req_sign):
@@ -276,23 +285,7 @@ class AgentHandler(http.server.BaseHTTPRequestHandler):
with open(config_path, 'w', encoding='utf-8') as f:
f.writelines(lines)
# 4. 绕过 WAF交由系统底层 curl 异步发包
region = config_dict.get('REGION_CODE', 'UNKNOWN')
node_name = config_dict.get('NODE_NAME', 'UNKNOWN')
agent_ip = config_dict.get('PUBLIC_IP', '127.0.0.1')
agent_port = config_dict.get('AGENT_PORT', '9527')
chat_id = config_dict.get('CHAT_ID', '')
tg_url = config_dict.get('TG_API_URL', '')
if tg_url and chat_id:
reg_msg = f"#REGISTER#|{region}|{node_name}|{agent_ip}|{agent_port}|{safe_alias}"
subprocess.Popen([
'curl', '-s', '-m', '10', '-X', 'POST', tg_url,
'-d', f'chat_id={chat_id}',
'-d', f'text={reg_msg}'
])
self.send_response(200)
self.send_header("Content-type", "text/plain")
self.end_headers()