.github/workflows/build.yml

@@ -1,4 +1,5 @@
-name: Build go-socks5-ssh-proxy 
+name: GitHub Actions Demo
+run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
 
 on:
   pull_request:
@@ -12,91 +13,28 @@ env:
   # The go version to use for builds. We set check-latest to true when
   # installing, so we get the latest patch version that matches the
   # expression.
-  GO_VERSION: "~1.22.5"
+  GO_VERSION: "~1.22.3"
 
 jobs:
-  release:
-    name: Build release
-    environment: prod
+  Explore-GitHub-Actions:
     runs-on: ubuntu-latest
     steps:
+      - run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
+      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by GitHub!"
+      - run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
       - name: Check out repository code
         uses: actions/checkout@v4
-
       - uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
           check-latest: true
-
-      - name: Use config_release.go from action secrets
-        uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe...
-        with:
-          base64-encoded-secret: ${{ secrets.CONFIG_RELEASE_GO_FILE }}
-          filename: "config_release.go"
-
-      - name: Use resources/ssh_private_key from action secrets
-        uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe...
-        with:
-          base64-encoded-secret: ${{ secrets.RESOURCES_SSH_PRIVATE_KEY }}
-          filename: "ssh_private_key"
-          working-directory: "./resources"
-
-      - run: make release
-
-      - name: Store release artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: dist-release
-          path: |
-            dist
-
-  release-dll:
-    name: Build release DLL
-    environment: prod
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository code
-        uses: actions/checkout@v4
-
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: true
-          check-latest: true
-
-      - name: Set up MinGW
-        uses: egor-tensin/setup-mingw@v2
-        with:
-          platform: x64
-
-      - name: Use config_release.go from action secrets
-        uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe...
-        with:
-          base64-encoded-secret: ${{ secrets.CONFIG_RELEASE_GO_FILE }}
-          filename: "config_release.go"
-
-      - name: Use resources/ssh_private_key from action secrets
-        uses: mobiledevops/secret-to-file-action@v1 # TODO native in Makefile, can be unsafe...
-        with:
-          base64-encoded-secret: ${{ secrets.RESOURCES_SSH_PRIVATE_KEY }}
-          filename: "ssh_private_key"
-          working-directory: "./resources"
-
-      - name: Run GoReleaser to build release DLL
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          # either 'goreleaser' (default) or 'goreleaser-pro'
-          distribution: goreleaser
-          # 'latest', 'nightly', or a semver
-          version: '~> v2'
-          args: release --clean --snapshot
+      - run: echo "💡 The ${{ github.repository }} repository has been cloned to the runner."
+      - run: echo "🖥️ The workflow is now ready to test your code on the runner."
+      - name: List files in the repository
+        run: |
+          ls ${{ github.workspace }}
+      - run: echo "🍏 This job's status is ${{ job.status }}."
+      - run: make ci
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Store release artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: dist-release-dll
-          path: |
-            dist
+          CONFIG_RELEASE_GO_FILE: ${{ secrets.CONFIG_RELEASE_GO_FILE }}

.github/workflows/obfuscate.yaml.snippet

@@ -1,58 +0,0 @@
-  release-obfuscate:
-    name: Build release obfuscated
-    runs-on: windows-latest
-    needs:
-      - release
-      - release-dll 
-    steps:
-      - name: Check out Alcatraz
-        uses: actions/checkout@v4
-        with:
-          repository: 'weak1337/Alcatraz'
-
-      - name: Download release artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: dist-release
-
-      - name: Download release-dll artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: dist-release-dll
-
-      - name: Dir
-        run: "Get-ChildItem -Path . -Force -Recurse"
-
-      - name: Run Alcatraz-con.exe on release EXE
-        run: "./x64/Release/Alcatraz-con.exe socks5-ssh-proxy.exe"
-      
-      - name: Run Alcatraz-con.exe on release DLL
-        run: "./x64/Release/Alcatraz-con.exe dll_windows_amd64_v1/go-socks5-ssh-proxy.dll"
-
-      - name: Create dist directory and move obfuscated artifacts
-        run: |
-          # Define source files and destination directory
-          $sourceFiles = @("socks5-ssh-proxy.exe", "dll_windows_amd64_v1/go-socks5-ssh-proxy.dll")
-          $destinationDir = "dist"
-
-          # Create the destination directory if it doesn't exist
-          if (-not (Test-Path -Path $destinationDir)) {
-              New-Item -ItemType Directory -Path $destinationDir
-          }
-
-          # Move each file to the destination directory
-          foreach ($file in $sourceFiles) {
-              if (Test-Path -Path $file) {
-                  Move-Item -Path $file -Destination $destinationDir
-                  Write-Output "Moved $file to $destinationDir"
-              } else {
-                  Write-Output "File $file does not exist"
-              }
-          }
-
-      - name: Store release artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: dist-release-obfuscated
-          path: |
-            dist

.gitignore

@@ -1,11 +1,7 @@
 .DS_Store
 socks5-ssh-proxy
 resources/ssh_*
-config_release*.go
-config_template_*.go
+config_release.go
 socks5-ssh-proxy.release
-*.base64
 *.exe
 *.zip
-
-dist/

.goreleaser.yaml

@@ -1,55 +0,0 @@
-# This is an example .goreleaser.yml file with some sensible defaults.
-# Make sure to check the documentation at https://goreleaser.com
-
-# The lines below are called `modelines`. See `:help modeline`
-# Feel free to remove those if you don't want/need to use them.
-# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
-# vim: set ts=2 sw=2 tw=0 fo=cnqoj
-
-version: 2
-
-before:
-  hooks:
-    # You may remove this if you don't use go modules.
-    - go mod tidy
-    # you may remove this if you don't need go generate
-    - go generate ./...
-
-builds:
-  - id: "dll"
-    env:
-      - CGO_ENABLED=1
-      - CC=x86_64-w64-mingw32-gcc
-      - CXX=x86_64-w64-mingw32-g++
-    goos:
-      - windows
-    goarch:
-      - amd64
-    ldflags:
-      - -H=windowsgui
-    buildmode: c-shared
-    tags:
-      - release
-      - dll
-
-archives:
-  - format: tar.gz
-    # this name template makes the OS and Arch compatible with the results of `uname`.
-    name_template: >-
-      {{ .ProjectName }}_
-      {{- title .Os }}_
-      {{- if eq .Arch "amd64" }}x86_64
-      {{- else if eq .Arch "386" }}i386
-      {{- else }}{{ .Arch }}{{ end }}
-      {{- if .Arm }}v{{ .Arm }}{{ end }}
-    # use zip for windows archives
-    format_overrides:
-      - goos: windows
-        format: zip
-
-changelog:
-  sort: asc
-  filters:
-    exclude:
-      - "^docs:"
-      - "^test:"

Makefile

@@ -1,12 +1,13 @@
 SOURCES=Makefile main.go main_release.go main_debug.go config.go config_release.go config_template.go 
 GARBLE_BIN = $(shell go env GOPATH)/bin/garble
+GO_ENV_VARS = CGO_ENABLED=0
 
 all: socks5-ssh-proxy
 
-ci: release
+ci: secrets release
+secrets:
+	cat $(CONFIG_RELEASE_GO_FILE) > config_release.go
 release: socks5-ssh-proxy.release socks5-ssh-proxy.exe
-	mkdir -v -p dist
-	cp -v $^ dist
 
 test: socks5-ssh-proxy
 	cp socks5-ssh-proxy ~/.ssh; cd ~/.ssh; ~/.ssh/socks5-ssh-proxy
@@ -15,16 +16,10 @@ test-release: socks5-ssh-proxy.release
 socks5-ssh-proxy: $(SOURCES) 
 	go build -o $@
 socks5-ssh-proxy.release: resources $(SOURCES)
-	GOOS=darwin GOARCH=amd64 $(GO_ENV_VARS) go build -tags release -o $@
-	upx $@
+	$(GO_ENV_VARS) go build -tags release -o $@
 win: socks5-ssh-proxy.exe
-#socks5-ssh-proxy.exe: resources $(GARBLE_BIN) $(SOURCES)
-#	GOOS=windows GOARCH=amd64 $(GARBLE_BIN) build -ldflags -H=windowsgui -tags release -o $@
-socks5-ssh-proxy.exe: resources $(SOURCES)
-	GOOS=windows GOARCH=amd64 go build -ldflags -H=windowsgui -tags release -o $@
-dll: resources
-	rm -Rf dist
-	goreleaser build --snapshot
+socks5-ssh-proxy.exe: resources $(GARBLE_BIN) $(SOURCES)
+	GOOS=windows GOARCH=amd64 $(GARBLE_BIN) build -ldflags -H=windowsgui -tags release -o $@
 win-package: ChromeProxyHelperPlugin.zip
 ChromeProxyHelperPlugin.zip: socks5-ssh-proxy.exe
 	cp socks5-ssh-proxy.exe chrome_proxy.exe
@@ -46,8 +41,6 @@ clean-key:
 config_release.go:
 	cp config_template.go $@
 	sed -i '' 's/!release/release/g' $@
-config_release.go.base64: config_release.go
-	base64 -i $< -o $@
 
 resources: resources/ssh_private_key
 resources/ssh_private_key:
@@ -56,9 +49,5 @@ resources/ssh_private_key:
 	@echo "====================================="
 	@cat $@.pub
 	@echo "====================================="
-resources/ssh_private_key.base64: resources/ssh_private_key
-	base64 -i $< -o $@
-
-secrets: config_release.go.base64 resources/ssh_private_key.base64
 
 .phony: clean test win

README.md

@@ -1,42 +1,13 @@
 # socks5-ssh-proxy
 
-If HTTP(s) is filtered and outbound SSH is allowed, just create a SOCKS5 proxy over SSH using a [Jump server](https://en.wikipedia.org/wiki/Jump_server). Beat the (corporate) sensorship, and be free!
-
-## Background information
-
-The proxy can use [SSHFP DNS record](https://en.wikipedia.org/wiki/SSHFP_record) verification for extra protection so the SSH host public key is side-channel checked.
-
-The `release` build target is fully silent as `os.stdout` and `os.stderr` is written to `/dev/null`. Also it embeds the configuration to the SSH jump host (see `config_template.go` copied to `config_release.go`).
+If HTTP(s) is filtered and outbound SSH is allowed, just create a SOCKS5 proxy. Beat the sensorship, and be free!
 
 ## Server installation
 
-When using OpenSSH server a special `tunnel` user should be created. It must configured no PTY could be created (interactive mode). So the client is unable to execute commands on the SSH jump host.
+For SSHFP check:
 
-### `/etc/ssh/sshd_config`
-
-The following OpenSSH daemon options could be set. This by default doesn't allow anyone to login except from users from the system group `ssh`. It immediate drops the connection instead of sending a response. The system `tunnel` user needs to set `PermitTTY no` so no shell is possible, only TCP forwarding.
-
-```
-PermitRootLogin no
-PasswordAuthentication no
-MaxAuthTries 0
-ChallengeResponseAuthentication no
-
-Match Group ssh
-	MaxAuthTries 3 # Only key-based may be tried
-
-Match User tunnel
-	MaxAuthTries 1 # Only key-based may be tried
-	GatewayPorts yes
-	AllowTcpForwarding yes
-	PermitTTY no
-	PasswordAuthentication no
-```
-
-### SSHFP verification
-
-- Create SSHFP DNS records use `ssh-keygen -r` on the SSH jumphost server
-- Configure (public) DNS server with those records
+- Create SSHFP DNS records use `ssh-keygen -r` on the server
+- Configure DNS server with those records
 - Check if records are active with `dig SSHFP <hostname> +short`
 
 ## Browsing with chrome over the proxy
@@ -47,31 +18,12 @@ E.g:
 
 ## Detection
 
-It is highly likely this proxy will be detected by virus or malware scanners. This can be a false-positive see <https://go.dev/doc/faq#virus>.
+See <https://go.dev/doc/faq#virus>
 
-Following detections have been tested:
+* Microsoft Defender: Trojan:Win32/Gracing.I - Severe
 
-* Microsoft Defender: [Trojan](https://en.wikipedia.org/wiki/Trojan_horse_(computing)):Win32/Gracing.I - Severe. Probably fixed because of packing with UPX
-* Palo Alto Networks, Inc. - Cortex [XDR](https://en.wikipedia.org/wiki/Extended_detection_and_response): detected as Suspicious (no fix yet)
 
-## Build time dependencies
+## Related blog posts
 
-## macOS
-
-* go
-* upx
-* goreleaser
-* mingw-w64 (for building the windows dll)
-
-## Related information
-
-* <https://www.yourcts.com/2024/01/19/beware-of-new-go-based-malware/>
-* <https://posts.specterops.io/offensive-security-guide-to-ssh-tunnels-and-proxies-b525cbd4d4c6>
-* <https://emulator41.medium.com/golang-malware-used-by-cybercriminals-408276a276c8>
-
-* <https://synzack.github.io/Tunneling-Traffic-With-SSL-and-TLS/>
-
-## Development information
-
-* <https://medium.com/analytics-vidhya/running-go-code-from-python-a65b3ae34a2d>
-* <https://github.com/weak1337/Alcatraz>
+* https://blog.projectdiscovery.io/proxify-portable-cli-based-proxy/
+* https://synzack.github.io/Tunneling-Traffic-With-SSL-and-TLS/

docs/release-management.md

@@ -1,8 +0,0 @@
-# release management with github actions
-
-* Generate `resources/ssh_private_key` with `make resources/ssh_private_key`
-* Base64 encode `resources/ssh_private_key` with base64
-
-## See also
-
-* <https://github.com/marketplace/actions/secret-to-file>

main.py

@@ -1,5 +0,0 @@
-import ctypes
-
-lib = ctypes.cdll.LoadLibrary('library.dll')
-main = library.executeMain
-main()

main_dll.go

@@ -1,13 +0,0 @@
-//go:build dll
-// +build dll
-
-package main
-
-import (
-	"C"
-)
-
-//export executeMain
-func executeMain() {
-	main()
-}