Passless¶
Introduction¶
Passless is a toolkit for setting up a security layer that protects private services. It is based on Yingbo Gu's Shadowproxy project and comes with two components: a plugin for the Slowdown server and a client.
For example, in most cases you have to run at least an ssh service. If you run a Slowdown server, you can force users to reach that ssh service only through the Slowdown server, by refusing non-local connections to ssh (for instance, binding sshd to 127.0.0.1 or firewalling its port from the outside). Every private service can be protected this way behind the Slowdown server, which then acts as a bastion host.
Installation¶
Passless is published on the Python Package Index and can be installed with the following command.
$ pip install -U passless
You can also install Passless directly from a clone of the Git repository.
$ git clone https://github.com/wilhelmshen/passless
$ cd passless
$ pip install .
or
$ pip install git+https://github.com/wilhelmshen/passless
Server¶
Server creation¶
First, you need to create a Slowdown server.
$ virtualenv --python=/usr/bin/python3 myserver
$ myserver/bin/pip3 install passless
$ myserver/bin/slowdown --init
Initialize a project in /PATH/TO/myserver? [Y/n]: Y
Creating myserver/bin ... exists
Creating myserver/etc ... exists
Creating myserver/var ... done
Creating myserver/pkgs ... done
Creating myserver/var/log ... done
Creating myserver/bin/slowdown ... exists
Creating myserver/etc/slowdown.conf ... done
DONE! Completed all initialization steps.
Configuration¶
Next, edit the configuration. The config file of the Slowdown server, slowdown.conf, is placed in the etc folder. Here's an example:
# URL Routing based on regular expression.
<routers>
<router ALL>
# A regular expression to match hosts
# Group name must be uppercased
#
pattern ^(?P<EXAMPLE>example\.com)$$
<host EXAMPLE>
# A regular expression to match PATH_INFO
#
pattern ^/passless(?P<PASSLESS>/.*)$$
<path PASSLESS>
handler passless
cipher aes-128-cfb
password PASSWORD
# The forwarding server (optional)
#
#via passless://CIPHER:PASSWD@BRIDGE.SERVER/HOST/PATH/
# Ad block list (optional)
#
#adblk /PATH/TO/AD/BLOCK.conf
# If the direct connection fails, use the forwarding
# server instead. The default is "no".
#
#autoswitch no
# Deny access to local IP addresses; the default is "no".
# If you want a Bastion Host, this option must be
# set to "no".
#
#globalonly no
#accesslog $LOGS/access-%Y%m.log
#errorlog $LOGS/error-%Y%m.log
</path>
</host>
# More hosts ..
#
#<host HOSTNAME>...</host>
</router>
</routers>
<servers>
<http MY_HTTP_SERVER>
address 0.0.0.0:8080
router ALL
</http>
</servers>
Start the server:
$ myserver/bin/slowdown -vv
2020-09-14 17:45:49 INFO slowdown/{__version__}
2020-09-14 17:45:49 INFO Serving HTTP on 0.0.0.0 port 8080 ...
In this case, the Passless service is available at
pass://aes-128-cfb:PASSWORD@example.com:8080/example.com/passless/
(the address and port are those of the <http> server above; the host and path that follow are the <host> and <path> entries a request has to match). The cipher and password are the only credentials gating access to the services behind the bastion, so use a long random password rather than a dictionary word.
More details are documented in the Slowdown project.
Client¶
passless¶
The passless command starts the Passless client-side server, which supports the socks5 and http protocols.
usage: bin/passless [-h] [-u USER] [-v | -vv | -q] SERVERS
Examples:
$ sudo bin/passless -vv -u nobody "socks://127.0.0.1:1080/?via=passless://aes-128-cfb:PASSWORD@example.com:8080/example.com:8080/passless/&autoswitch=no&globalonly=no" "http://127.0.0.1:8118/?via=passless://aes-128-cfb:PASSWORD@example.com:8080/example.com:8080/passless/&adblk=my_ad_block.conf"
$ bin/passless "127.0.0.1:1080?via=aes-128-cfb:PASSWORD@example.com/example.com/passless/"
Through this socks/http server you can access the private services of the remote machine that runs the Slowdown server with the Passless plugin.
Note
The default scheme is socks://; the default via scheme is passless://.
proxychains¶
This script is based on Adam Hamsik's proxychains project. It automatically starts a temporary local socks server configured for the remote Bastion Host and bridges the network traffic of the specified program through it, just as the original proxychains does.
Example:
$ bin/proxychains "pass://aes-128-cfb:PASSWORD@example.com:8080/example.com:8080/passless/&autoswitch=no" ssh user@example.com
$ bin/proxychains "aes-128-cfb:PASSWORD@example.com/example.com/passless/" bash
Detect that you have entered bash in proxy mode, use "exit" to leave later.
$ exit
exit
Note
The default socks port is 1080; the default passless port is 80.
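The client and proxychains examples above all take the same URL shape, and the two notes supply the defaults that may be omitted from it. The following parser, written for this page as an added example and not part of the Passless project, shows how such a URL decomposes and how the documented defaults (scheme socks://, via scheme passless://, socks port 1080, passless port 80) fill the gaps. Everything beyond what the page states is an assumption of this example: that the via path is always /HTTP_HOST/PATH/, that autoswitch and globalonly take "yes" or "no", that only autoswitch, globalonly and adblk are valid options, and the names ClientSpec, Via, parse_via and parse_client themselves.

```python
"""Parse Passless client URLs and fill in the documented defaults.

Added example, not the Passless project's own URL parser. Assumed grammar:

    [socks://|http://]LISTEN_HOST[:PORT]/?via=VIA_URL[&autoswitch=yes|no][&globalonly=yes|no][&adblk=FILE]
    VIA_URL = [passless://]CIPHER:PASSWORD@SERVER[:PORT]/HTTP_HOST/PATH/
"""
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import parse_qs, unquote, urlsplit

DEFAULT_SCHEME = "socks"
DEFAULT_VIA_SCHEME = "passless"
VIA_SCHEMES = {"passless", "pass"}      # the page writes both spellings
DEFAULT_LISTEN_PORT = {"socks": 1080}   # no default for http:// is documented
DEFAULT_PASSLESS_PORT = 80
BOOL_OPTIONS = {"autoswitch", "globalonly"}   # assumed: values are yes/no
KNOWN_OPTIONS = BOOL_OPTIONS | {"adblk"}       # assumed: the options the page shows


@dataclass
class Via:
    cipher: str
    password: str
    server: str        # host the client actually connects to
    server_port: int
    http_host: str     # <host> entry the request must match on the Slowdown server
    path: str          # <path> entry under that host, e.g. "/passless/"


@dataclass
class ClientSpec:
    scheme: str
    listen_host: str
    listen_port: int
    via: Via
    options: Dict[str, str] = field(default_factory=dict)


def _with_scheme(url: str, default: str) -> str:
    """Prepend the default scheme when the URL has none."""
    return url if "://" in url else f"{default}://{url}"


def parse_via(url: str) -> Via:
    parts = urlsplit(_with_scheme(url, DEFAULT_VIA_SCHEME))
    if parts.scheme not in VIA_SCHEMES:
        raise ValueError(f"unsupported via scheme {parts.scheme!r}")
    if parts.username is None or parts.password is None or not parts.hostname:
        raise ValueError("via URL must be CIPHER:PASSWORD@SERVER/HOST/PATH/")
    # The path carries two things: the virtual host, then the path below it.
    _, http_host, rest = (parts.path.split("/", 2) + ["", ""])[:3]
    if not http_host:
        raise ValueError("via URL must name the HTTP host after the server")
    return Via(
        cipher=unquote(parts.username),
        # Passwords containing ':' '@' '/' '&' '=' or '+' must be percent-encoded in the URL.
        password=unquote(parts.password),
        server=parts.hostname,
        server_port=parts.port or DEFAULT_PASSLESS_PORT,
        http_host=http_host,
        path="/" + rest,
    )


def parse_client(url: str) -> ClientSpec:
    parts = urlsplit(_with_scheme(url, DEFAULT_SCHEME))
    if parts.scheme not in ("socks", "http"):
        raise ValueError(f"unsupported listen scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("listen URL must name a host")
    port = parts.port or DEFAULT_LISTEN_PORT.get(parts.scheme)
    if port is None:
        raise ValueError(f"{parts.scheme}:// needs an explicit port; only socks has a documented default")
    query = parse_qs(parts.query, keep_blank_values=True)
    vias = query.pop("via", [])
    if len(vias) != 1:
        raise ValueError("exactly one via= parameter is required")
    options: Dict[str, str] = {}
    for name, values in query.items():
        if name not in KNOWN_OPTIONS:
            raise ValueError(f"unknown option {name!r}")
        value = values[-1]
        if name in BOOL_OPTIONS and value not in ("yes", "no"):
            raise ValueError(f"{name} must be yes or no, got {value!r}")
        options[name] = value
    return ClientSpec(parts.scheme, parts.hostname, port, parse_via(vias[0]), options)


if __name__ == "__main__":
    # The shortest form from the examples above, relying on every default.
    print(parse_client("127.0.0.1:1080?via=aes-128-cfb:PASSWORD@example.com/example.com/passless/"))
```

Rejecting unknown options and non yes/no values is a deliberate choice: a typo such as globalonly=np silently becoming the permissive default is exactly the kind of misconfiguration that opens a bastion to the local network.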
Ad block¶
You can specify an ad block list for servers and clients (see the examples above). The file format is very simple: one entry per line, a domain followed by the action to take, as shown below:
domain1 REJECT
domain2 REJECT
...
domain1 PROXY
domain2 PROXY
...
Example (domains are written with their labels in reverse order, so com.baidu.adscdn denotes adscdn.baidu.com):
com.baidu.adscdn REJECT
com.my-server PROXY
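To make the reversed-label notation concrete, here is a small matcher for lists in this format. It is an added example written for this page, not the Passless project's own implementation. The page only shows the file format; the matching rules below are assumptions of this example: an entry covers that domain and all of its subdomains, the most specific matching entry wins, and a host with no entry gets the hypothetical fallback action DIRECT. The sample list is constructed for the example, and the names AdBlockList, lookup and reverse_domain are its own.

```python
"""Match hostnames against a Passless-style ad block list.

Added example, not the Passless project's own matcher. The file format is
"<reversed-domain> <ACTION>" per line; subdomain coverage, longest-match
precedence and the DIRECT fallback are assumptions of this example.
"""
from typing import Dict, Tuple

ACTIONS = ("REJECT", "PROXY")
DEFAULT_ACTION = "DIRECT"  # assumed fallback; the page does not name one

# Constructed sample list in the page's format.
SAMPLE_LIST = """\
com.baidu.adscdn REJECT
com.my-server PROXY
net.tracking REJECT
"""


def reverse_domain(hostname: str) -> str:
    """adscdn.baidu.com -> com.baidu.adscdn (the notation used in list files)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(reversed(labels))


class AdBlockList:
    def __init__(self) -> None:
        # Keys are label tuples in most-significant-first order, e.g. ("com", "baidu", "adscdn").
        self._rules: Dict[Tuple[str, ...], str] = {}

    @classmethod
    def parse(cls, text: str) -> "AdBlockList":
        lst = cls()
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line:
                continue
            fields = line.split()
            if len(fields) != 2:
                raise ValueError(f"line {lineno}: expected '<domain> <ACTION>', got {raw!r}")
            domain, action = fields
            if action not in ACTIONS:
                raise ValueError(f"line {lineno}: unknown action {action!r}")
            key = tuple(domain.lower().strip(".").split("."))
            if lst._rules.get(key, action) != action:
                raise ValueError(f"line {lineno}: conflicting action for {domain}")
            lst._rules[key] = action
        return lst

    def lookup(self, hostname: str) -> str:
        """Return the action for hostname; the longest (most specific) entry wins."""
        key = tuple(reverse_domain(hostname).split("."))
        for n in range(len(key), 0, -1):
            action = self._rules.get(key[:n])
            if action is not None:
                return action
        return DEFAULT_ACTION

    def __len__(self) -> int:
        return len(self._rules)


if __name__ == "__main__":
    rules = AdBlockList.parse(SAMPLE_LIST)
    for host in ("adscdn.baidu.com", "img.adscdn.baidu.com", "www.baidu.com", "api.my-server.com"):
        print(f"{host:24} -> {rules.lookup(host)}")
```

Storing keys in reversed-label order is what makes the subdomain check a prefix walk: "img.adscdn.baidu.com" becomes ("com", "baidu", "adscdn", "img"), and shortening that tuple from the right reaches the "com.baidu.adscdn" entry before any broader one.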