I noticed that the SSH proxy provider I use has started deploying and testing an Obfuscation feature on its servers, to withstand a certain monster's (the censorship system's) interference with users' normal use of the SSH proxy.
1. Principle
Below is the explanation the ISP provided:
So what is Obfuscation?
I looked it up on Wikipedia:
In cryptography, obfuscation refers to encoding the input data before it is sent to
a hash function or other encryption scheme. This technique helps to make brute force
attacks unfeasible, as it is difficult to determine the correct cleartext.
That definition is a mouthful, and it really describes a different use of the word (pre-encoding the input to a hash). What the patch does is simpler: it disguises the SSH handshake so that the monster cannot tell from the traffic that the connection is SSH.
2. Solution
Bruce Leidl wrote a very useful patch for OpenSSH. It obfuscates the handshake when an encrypted SSH connection is set up, so the obfuscated handshake gets past the deep packet inspection equipment the monster uses and the connection can be established and stay up. Note that the obfuscation only hides the protocol's fingerprint; the confidentiality of the session still comes from SSH's own encryption.
(1) Preparation
You need a Linux server located outside the country, with the Obfuscated-openssh patch set up on it.
Download Obfuscated-openssh from http://socks.nihilex.com/brl-obfuscated-openssh-7288432890c63dc228afe6c61e6343b72ef30962.tar.gz, then build and install it with:
./configure
make
make install
It is recommended to install it separately from the regular SSH daemon.
(2) Configuration
For an SSH proxy there is no need to let users log into the server over ssh, so that ability should be taken away and users limited to the SOCKS proxy. To do that, create a dedicated user account.
The following command adds a user named "golengssh" who cannot log into the server remotely:
useradd -s /usr/sbin/nologin golengssh
Below is a reference sshd_config; with it, only the user "golengssh" is allowed to connect to the server.
On a Linux desktop, the command to connect to the server is:
ssh -Nfx -D 7070 -z -Z yuanjin golengssh@ur-host.com -p 443
Here -z turns on handshake obfuscation and -Z yuanjin supplies the ObfuscateKeyword from the config file; the server's ssh port is 443. Finally, set the browser's SOCKS proxy to 127.0.0.1:7070.
sshd_config:
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
#
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
# This ssh daemon is meant to be run separately from the regular
# non-obfuscated sshd. A single user account is enough for this purpose.
# You should make sure this user does not have shell access, by changing
# the shell to /usr/sbin/nologin.
# sudo useradd -s /usr/sbin/nologin golengssh
#
AllowUsers golengssh
# To set up a SOCKS proxy, execute an obfuscated-openssh client like so:
# ssh -Nfx -D 7070 -z -Z yuanjin golengssh@ur-host.com -p 443
# The client will now be running a SOCKS proxy on localhost:7070 and forwarding
# all traffic to the ssh server port 443. Users will need to configure web browsers and
# such to use the SOCKS proxy.
#
Protocol 2
ObfuscatedPort 443
ObfuscateKeyword yuanjin
#Port 22
SyslogFacility AUTH
LogLevel ERROR
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 10
PermitEmptyPasswords no
AllowAgentForwarding no
AllowTcpForwarding yes
PrintLastLog no
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3
PidFile /var/run/obf_sshd.pid
#MaxStartups 10
#PermitTunnel no
# The chroot directory must exist, be owned by root and not be writable by group
# or others, otherwise sshd refuses the login ("bad ownership or modes for chroot directory").
ChrootDirectory /home/golengssh
# no default banner path
#Banner none
References:
[1]Secret Handshake for Iran http://nihilex.com/obfuscated-openssh
[2]Obfuscation http://en.wikipedia.org/wiki/Obfuscation
------------------------------------------------
China's Great Firewall tests mysterious scans on encrypted connections
In the cat-and-mouse game between China's censorship machine and its internet users, the government appears to be testing a new "mousetrap": one designed to let the Great Firewall detect and block encrypted tunnels, even when the tunnel leads to an obscure computer and is already encrypted.
In recent months, administrators of services designed to let users connect securely to remote computers over encrypted connections have observed strange network activity from mainland China: when a domestic user tries to log into a foreign server, a string of seemingly random data arrives at the destination before the user's own connection does, and sometimes the user's connection is then mysteriously cut off.
For example, Tor, the anti-censorship and anonymity provider, found that many of its "bridge" nodes, private servers around the world that help users reroute their traffic, stopped working for Chinese users within hours or even minutes. Andrew Lewman, executive director of the Tor Project, said users told him that other circumvention tools such as Ultrasurf and Freegate had similar problems. "Someone tries to connect, then a strange scan appears, and the node goes dead," Lewman said. "We often see strange things, but this one is a lopsided oddity, and it comes only from China."
Lewman believes Chinese internet service companies may be testing a new system that does not merely block IP addresses or certain web pages, but uses something like a probe to confirm what service a user is about to connect to before the user connects to the encrypted network. "It's as if I told my wife I was going bowling with friends, and she called the bowling alley ahead of time to check what I was really doing," Lewman said. "It verifies whether what you are about to visit really is the address you asked for."
But Lewman said Tor's developers still cannot determine how the probe distinguishes a user logging into a Tor server over encryption from one logging into a bank or e-commerce site over encryption, since in theory both scramble network traffic into unreadable ciphertext. Lewman noted that the Chinese government cannot block all encrypted connections in any case, such as large corporations' VPNs: "If Foxconn and Apple lost their connection, that would be a big problem."
Meanwhile, only a small fraction of Tor's Chinese users have encountered the problem, which Lewman said suggests that only some Chinese broadband providers may be trialling the tool.
The Chinese government is not only sniffing encrypted connections to the United States. According to Leif Nixon, IT security manager at Sweden's National Supercomputer Centre at Linköping University, he independently discovered the same phenomenon on his own servers a year ago: when Chinese students or researchers tried to log into the centre's systems through an encrypted SSH tunnel, strange network scans followed. He posted his findings on his blog earlier this month.
"I don't know what this (data) probe is trying to achieve," he wrote. "I can only guess that the government is looking for services it does not approve of, such as open proxies or Tor relays. If precise fingerprinting is too expensive, they may be taking a fuzzing-like approach: throw a chunk of random data at the server and see how it responds."
"This is also consistent with the well-known censorship regime the Chinese government imposes on its citizens," he added. "I find it extremely distasteful that what appears to be the Chinese government is probing our systems."
Another American computer security engineer, who asked not to be named, said he had observed this abnormal behaviour on 20% of connections from Chinese users. "At first we thought it was an attack. But now it looks more like it is probing whether this is traffic it wants to filter," the engineer said. "I have never seen anything like it."
Since the 60th anniversary of the founding of the People's Republic and the public falling-out with Google, the Chinese authorities have been hunting down circumvention tools. But Lewman noted that China's earlier filtering systems were based on blocking IP addresses, while new servers with new IP addresses keep appearing around the world to help Chinese citizens get around the Great Firewall.
In 2009 the Iranian government also tried to identify connections to Tor bridge nodes among encrypted traffic, Lewman said, and Tor found ways to make its encrypted connections look more like other network services, for example by adjusting how often Tor's SSL certificates change.
Lewman does not think the Chinese government will roll out this probing system nationwide against hundreds of millions of netizens, but said Tor staff hope to always stay one step ahead of Chinese network surveillance. "We're working on it," he said. "It's very curious."
------------------------------------------
Avoiding unstable ssh connections with Obfuscated ssh
It quickly turned out that Obfuscated ssh is a ready-made, mature solution. First log into the Linux server outside the country and download it:
wget -O ofcssh.tar.gz https://github.com/brl/obfuscated-openssh/tarball/master
Unpack it:
tar zxvf ofcssh.tar.gz
Enter the directory:
cd brl-obfuscated-openssh-ca93a2c
Configure:
./configure
Build and install:
make
make install
When the installation finishes, the last lines of the output look like this:
......
/usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config
That means the install succeeded. The line above is a command you can run directly, and it also tells you where Obfuscated ssh was installed and where its configuration file lives.
Of course, the default config file is unusable as is: almost everything in it is commented out. To keep things simple, we can just adapt the standard sshd configuration.
We copy the obfuscation-capable sshd into the standard sshd's directory, and copy the standard sshd configuration for the obfuscation-capable sshd to use.
cp /usr/local/sbin/sshd /usr/sbin/sshd_ofc
This simply reuses the standard sshd configuration, but with the Port and UsePAM lines commented out in the copy, and the obfuscated sshd's port (2201) and obfuscation keyword (yourkeyword) added. Of course, this port must not be the same as the port the standard sshd is already running on.
cp /etc/ssh/sshd_config /etc/ssh/sshd_ofc_config
sed -i "s/^Port /#Port /" /etc/ssh/sshd_ofc_config
sed -i "s/^UsePAM /#UsePAM /" /etc/ssh/sshd_ofc_config
echo "ObfuscatedPort 2201" >> /etc/ssh/sshd_ofc_config
echo "ObfuscateKeyword yourkeyword" >> /etc/ssh/sshd_ofc_config
Then run it to test:
/usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config
Next, on the local Windows machine, I tried to set up an ssh tunnel with putty, only to find that putty does not support Obfuscated ssh. So we also need a putty build that supports Obfuscated ssh, potty, which can be downloaded here:
http://www.mrhinkydink.com/potty.htm
(http://mrhinkydink.blogspot.com/p/about-potty.html)
After downloading, unpack it into the putty directory and run a command like this:
c:\tools\putty\potty -N -ssh UserName@Server -P 2201 -pw password -C -z -Z yourkeyword -D 127.0.0.1:6060
This gives us a SOCKS5 proxy on 127.0.0.1:6060 to browse through.
Once everything works, simply add the sshd_ofc start command to rc.local on the server so that it starts at boot.
After several hours of testing, with Obfuscated ssh my local experience is back to what it was before the interference started.
---------------------------------------------------------------------------------------------------
Obfuscated ssh
Since the performance of Great LAN is so frustrating, I have to use some new approaches to evade censorship.
Although ssh lets me circumvent most of the censorship, the DPI equipment interferes with my ssh connection all day long. This is terribly annoying.
Rather than reconnecting ssh endlessly, I finally deployed an obfuscated ssh and am enjoying it now.
Here are the obfuscated ssh deployment instructions for Debian/Ubuntu.
#update the system, install the compiler and other dependencies.
apt-get update
apt-get -y upgrade
apt-get -y install gcc build-essential zlib1g-dev libssl-dev
#compile.
wget -O ofcssh.tar.gz https://github.com/brl/obfuscated-openssh/tarball/master
tar zxvf ofcssh.tar.gz
cd brl-obfuscated-openssh-ca93a2c
./configure
make
make install
#If no error occurred, you now have
#the ssh daemon in /usr/local/sbin/sshd
#the ssh client in /usr/local/bin/ssh
#the config files in /usr/local/etc/
#configuration.
#I assume that you are using port 22 as the normal ssh port.
#The new obfuscated ssh daemon is installed separately from the regular ssh daemon
#and gets port 1234.
mv /usr/local/sbin/sshd /usr/sbin/sshd_ofc
cp /etc/ssh/sshd_config /etc/ssh/sshd_ofc_config
#Port 22 is handled by the regular ssh daemon, so the Port option is not wanted here.
#The pattern is anchored to the start of the line so that only the Port directive is touched.
sed -i "s/^Port /#Port /" /etc/ssh/sshd_ofc_config
#This build was configured without PAM support, so UsePAM is an unsupported option here.
sed -i "s/^UsePAM /#UsePAM /" /etc/ssh/sshd_ofc_config
#Give the second daemon its own pid file. The compiled-in default is /var/run/sshd.pid,
#which the regular sshd already uses; sharing it can make "service ssh stop" kill the wrong daemon.
sed -i "s/^PidFile /#PidFile /" /etc/ssh/sshd_ofc_config
echo "PidFile /var/run/sshd_ofc.pid" >> /etc/ssh/sshd_ofc_config
#Add the two obfuscation options.
echo "ObfuscatedPort 1234" >> /etc/ssh/sshd_ofc_config
echo "ObfuscateKeyword yourkeyword" >> /etc/ssh/sshd_ofc_config
#Note that "ObfuscatedPort 1234" listens on all IPs of the VPS.
#If you want sshd_ofc to listen on one IP only, add this
#echo "ListenAddress x.x.x.x" >> /etc/ssh/sshd_ofc_config
#(replace x.x.x.x with your IP)
#finally, run it and set it to start at boot
/usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config
#If no error occurred, run "netstat -an" and you should see
#sshd_ofc bound to port 1234
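The sed and echo lines above derive the second daemon's configuration by hand. The following is an added example (mine, not the blog's script) that does the same derivation as a function and adds the checks a second sshd on the same host needs: Port, UsePAM and PidFile are matched only at the start of a line and case-insensitively (sshd keywords are case-insensitive, and for single-value directives such as PidFile and UsePAM sshd keeps the first occurrence, so an inherited line would silently win over an appended one); the obfuscated port is refused if the regular daemon already listens on it; and the daemon gets its own pid file instead of the compiled-in default /var/run/sshd.pid that the regular sshd already uses. The function name derive_ofc_config and the sample sshd_config text are this example's own.

```python
"""Derive an sshd_ofc_config from a stock sshd_config (added example, not the blog's script)."""
import re

# Directives the obfuscated daemon must not inherit from the regular sshd's config.
# sshd keywords are case-insensitive and may be indented, so anchor loosely.
_DROP = re.compile(r"^\s*(Port|UsePAM|PidFile)\b", re.IGNORECASE)
_PORT = re.compile(r"^\s*Port\s+(\d+)", re.IGNORECASE)
_HAS_OBF = re.compile(r"^\s*Obfuscated?Port\b", re.IGNORECASE | re.MULTILINE)

# Constructed sample of a stock Debian sshd_config (abridged); not a real file from the page.
SAMPLE_BASE = """\
# constructed sample of a stock sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
UsePAM yes
#PidFile /var/run/sshd.pid
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def derive_ofc_config(base, obf_port, keyword, listen_address=None,
                      pidfile="/var/run/sshd_ofc.pid"):
    """Return the text of a config for a separate obfuscated sshd.

    base:      text of the regular daemon's sshd_config
    obf_port:  the ObfuscatedPort to add
    keyword:   the ObfuscateKeyword shared with the client's -Z option
    """
    if not 1 <= obf_port <= 65535:
        raise ValueError("port out of range")
    if not keyword or re.search(r"\s", keyword):
        raise ValueError("keyword must be non-empty and contain no whitespace")
    if _HAS_OBF.search(base):
        raise ValueError("base config already contains obfuscation directives")

    out = []
    regular_ports = set()
    for line in base.splitlines():
        m = _PORT.match(line)
        if m:
            regular_ports.add(int(m.group(1)))
        # Comment the inherited directive out rather than deleting it, so the
        # derived file still documents what the regular daemon uses.
        out.append("#" + line if _DROP.match(line) else line)

    if not regular_ports:
        regular_ports = {22}          # sshd's default when no Port line is present
    if obf_port in regular_ports:
        raise ValueError("port %d is already used by the regular sshd" % obf_port)

    out += [
        "",
        "# obfuscated daemon (SSH-2 only); own pid file so the regular sshd's is untouched",
        "PidFile " + pidfile,
        "ObfuscatedPort %d" % obf_port,
        "ObfuscateKeyword " + keyword,
    ]
    if listen_address:
        out.append("ListenAddress " + listen_address)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(derive_ofc_config(SAMPLE_BASE, 1234, "yourkeyword"))
```

Write the returned text to /etc/ssh/sshd_ofc_config and start the daemon with -f as above; the commented-out lines make it obvious later which directives were inherited and deliberately disabled.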
If you are using Debian, here is the self-starting method for Debian.
echo '#! /bin/sh
### BEGIN INIT INFO
# Provides: sshd_ofc
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: OpenBSD Secure Shell server (ofc)
### END INIT INFO
case "$1" in
start)
/usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config
;;
stop)
killall /usr/sbin/sshd_ofc
;;
restart|force-reload)
$0 stop
sleep 1
$0 start
;;
*)
echo "Usage: $0 start|stop|restart"
exit 1
esac
exit 0
' > /etc/init.d/ssh_ofc
chmod +x /etc/init.d/ssh_ofc
insserv -v -d /etc/init.d/ssh_ofc
If you are using Ubuntu, here is the self-starting method for Ubuntu.
printf '#!/bin/sh\n/usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config\n' > /etc/init.d/ssh_ofc
chmod +x /etc/init.d/ssh_ofc
ln -s /etc/init.d/ssh_ofc /etc/rcS.d/S42ssh_ofc
Some notable security information:
1. Vulnerability Summary for CVE-2012-2110
2. OpenSSL ASN.1 vulnerability: sshd not affected
The following are the client settings (for Windows).
You can simply download the PoTTY client for Windows and use the following command to connect to your obfuscated ssh server.
PoTTY.exe -N -ssh User@Server -P Port -pw Pass -C -z -Z yourkeyword -D 127.0.0.1:1080
Usually the above command works.
Since the obfuscated ssh client PoTTY does not yet have an auto-reconnect feature,
I can only implement it with batch files.
Place the following 4 batch files (Config.bat, Connect.bat, Reconnect.bat and CheckConn.bat) in the PoTTY directory.
(Of course you need to fill in the highlighted lines, i.e. the set ServerIP/Port/User/Pass/ObfuscatedKeyword lines in Config.bat.)
Config.bat:
@echo off
rem Pick the profile to use by changing the label after "goto".
goto profile1
:profile1
set ServerIP=1.2.3.4
set Port=1234
set User=
set Pass=
set ObfuscatedKeyword=yourkeyword
goto end
:profile2
set ServerIP=
set Port=
set User=
set Pass=
set ObfuscatedKeyword=
goto end
:end
|
1
2
3
4
|
@echo off
call Config.bat
start PoTTY.exe -N -ssh %User%@%ServerIP% -P %Port% -pw %Pass% -C -z -Z %ObfuscatedKeyword% -D 127.0.0.1:1080
exit
|
1
2
|
taskkill /f /im "PoTTY.exe"
Connect.bat
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
@echo off
setlocal enabledelayedexpansion
call Config.bat
set Conn=%ServerIP%:%Port%
:Repeat
set ReConn=1
rem netstat -ano columns are Proto, Local Address, Foreign Address, State, PID; token 4 is the state
for /f "tokens=4 delims= " %%a in ('netstat -ano^|find "%Conn%"') do (
    echo %%a %time%
    if "%%a" equ "ESTABLISHED" (
        set ReConn=0
        goto Break
    )
)
:Break
if %ReConn% == 1 start /b Reconnect.bat
rem wait about 5 seconds before checking again
ping -n 6 127.0.0.1>nul
goto Repeat
CheckConn.bat keeps checking the TCP connection state to confirm whether the ssh connection has dropped.
So run CheckConn.bat, and PoTTY will reconnect on connection failure.
Finally, compared with a regular ssh handshake, the obfuscated ssh handshake looks clearly different.
regular ssh handshake: [packet capture not reproduced in this copy]
obfuscated ssh handshake: [packet capture not reproduced in this copy]
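The two captures are not reproduced here, so the following added example (mine, not the patch's code and not from either post) models what they would show, both for the "disguise the handshake" explanation at the top of the page and for this comparison: the client turns the first bytes of a normal SSH-2 handshake into bytes that carry no SSH signature, using a key derived from a random per-connection seed and the shared keyword, and the server recovers them only if it knows the keyword; anything else, including a random-data probe of the kind described in the news article above, is rejected without an SSH reply. The wire layout, the SHA-256 counter-mode keystream, the magic value and the 6000-round key stretching are this model's own choices and are not claims about the patch's actual format or cipher.

```python
"""Toy model of keyword-keyed SSH handshake obfuscation (added example, not the patch's code)."""
import hashlib
import os
import re

SEED_LEN = 16                  # random per-connection seed, sent in the clear
MAGIC = b"\x0b\xf5\xca\x7e"    # marker the server checks to detect a wrong keyword (assumed value)
ITERATIONS = 6000              # key-stretching rounds; slows offline keyword guessing

# Constructed sample: the first bytes a normal SSH-2 client sends
# (version banner, then the start of a KEXINIT packet).
PLAIN_HANDSHAKE = (b"SSH-2.0-OpenSSH_5.9p1 Debian-5\r\n"
                   + b"\x00\x00\x04\x2c\x06\x14" + bytes(range(16)))

# What a DPI box matches to classify a flow as SSH.
SSH_SIGNATURE = re.compile(rb"^SSH-\d\.\d-")


def dpi_flags_ssh(first_bytes):
    """True if the first bytes of a flow carry the SSH banner signature."""
    return SSH_SIGNATURE.match(first_bytes) is not None


def derive_key(seed, keyword, direction):
    """Stream key = iterated SHA-1 over seed || keyword || direction label (model only)."""
    h = hashlib.sha1(seed + keyword.encode() + direction).digest()
    for _ in range(ITERATIONS):
        h = hashlib.sha1(h).digest()
    return h[:16]


def keystream(key, n):
    """Stand-in stream cipher: SHA-256 in counter mode (model only, not what the patch uses)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def client_obfuscate(plain_handshake, keyword, seed=None):
    """Client side: send seed || E_k(MAGIC || handshake), k derived from seed and keyword."""
    seed = seed if seed is not None else os.urandom(SEED_LEN)
    key = derive_key(seed, keyword, b"client_to_server")
    body = MAGIC + plain_handshake
    return seed + xor(body, keystream(key, len(body)))


def server_deobfuscate(wire, keyword):
    """Server side: recover the handshake, or raise if the keyword does not match.

    A probe that sends arbitrary data lands here with a wrong MAGIC and gets the
    connection dropped without any SSH banner being sent back.
    """
    if len(wire) < SEED_LEN + len(MAGIC):
        raise ValueError("short read")
    seed, ct = wire[:SEED_LEN], wire[SEED_LEN:]
    key = derive_key(seed, keyword, b"client_to_server")
    body = xor(ct, keystream(key, len(ct)))
    if body[:len(MAGIC)] != MAGIC:
        raise ValueError("obfuscation keyword mismatch")
    return body[len(MAGIC):]


if __name__ == "__main__":
    wire = client_obfuscate(PLAIN_HANDSHAKE, "yuanjin")
    print("plain handshake flagged as SSH:", dpi_flags_ssh(PLAIN_HANDSHAKE))
    print("obfuscated handshake flagged:  ", dpi_flags_ssh(wire))
    print("server recovers:", server_deobfuscate(wire, "yuanjin")[:8])
```

Two properties of this model carry over to any keyword-based scheme. The first message reveals the seed, so whoever captures it can test keyword guesses offline against the magic check, at whatever rate the key stretching allows; that is why a long random keyword matters and why a keyword shared with many users is a single point of failure. And only the byte pattern changes, not packet sizes or timing, so a classifier that looks at those is unaffected.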
# /usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config
I get the following error:
PEM_read_PrivateKey: mismatch or unknown EVP_PKEY save_type 408
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
What is going on?
I am sure the build and install went fine, and the configuration follows your sample. The system is Ubuntu 12.10.
You need to create a new ecdsa key with the following command
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
then restart the sshd service
service ssh restart
However, if you get 'unknown key type ecdsa' when using ssh-keygen, then your ssh probably does not support the ecdsa algorithm...
Try using the rsa algorithm instead.
For CentOS, install the build dependencies with yum and build the same way:
yum update
yum -y install gcc
yum -y install make
#yum -y install zlib-devel #CentOS x86
yum -y install zlib-devel.x86_64 #CentOS x64
#yum -y install openssl-devel #CentOS x86
yum -y install openssl-devel.x86_64 #CentOS x64
wget -O ofcssh.tar.gz https://github.com/brl/obfuscated-openssh/tarball/master
tar zxvf ofcssh.tar.gz
cd brl-obfuscated-openssh-ca93a2c
./configure
make
make install
Configuration is the same as Debian/Ubuntu.
Step # 1: Delete old ssh host keys
Log in as root and type the following command:
# /bin/rm /etc/ssh/ssh_host_*
Step # 2: Reconfigure OpenSSH Server
Now create a new set of keys, enter:
# dpkg-reconfigure openssh-server
Sample output:
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd
---------------
Did you install some service on the same IP that is very easy for GoGoFireWork to identify? Like pptp vpn.
Obfuscated SSH is theoretically a private protocol, as long as the ObfuscateKeyword is not compromised.
"overcome this" ...... change your VPS IP?
Or... change your port to an SSL service port, like 563, 636 ...
Details: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
I've fixed it by switching my node's IP. Say goodbye to Japan and hello to the world.
By the way, there is another version of ofc-ssh on github at "https://github.com/aligo/obfuscated-openssh", does this version work?
The aligo version of ofc-ssh is based on OpenSSH 6.1p1, which is newer than brl's.
And as mentioned in his blog
http://aligo.me/2013/01/13/obfuscate-six-stucked-hogs/
and his post
http://www.v2ex.com/t/52105
, that version supports Mac.
But I have not tested that version.
Fight for freedom, and thank you DZF & aligo, bravo!
I don't have a Mac, so I don't know how to use SSH on a Mac.
But on Linux there are many ways to run an SSH proxy. You can install proxychains, obfuscated ssh, autossh, etc.
sudo apt-get update
sudo apt-get install proxychains
sudo sed -i '/^socks4/d' /etc/proxychains.conf
sudo sed -i '/^socks5/d' /etc/proxychains.conf
sudo sed -i '$a socks5 127.0.0.1 1080' /etc/proxychains.conf
ssh -N $User@$ServerIP -p $Port -v -i id_rsa -C -D 1080 -z -Z yourkeyword
proxychains firefox
Hope it helps more people.
Thanks for your great blog first.
But I am facing one problem: when I try to connect using PoTTY,
I get a "server unexpectedly closed connection" message.
What should I do?
Thanks in advance
If not yet, the following link may help you:
http://winscp.net/eng/docs/message_unexpected_close
ssh -p 1234 -vvv ip
OpenSSH_5.9p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 1234.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
ssh_exchange_identification: Connection closed by remote host
Please note that my /etc/hosts.allow has the following entry: sshd: ALL
and /etc/hosts.deny has nothing but the default values.
We don't want the public key thing; we just want to log in with username and password as you explained in this blog.
My system is Debian 6-64bit.
Please suggest me what should I do to make the server working.
Thanks in advance.
Regards
Aaviskaar
aaviskaar, you are probably still using the system's ssh client, which does not support obfuscation. And obviously you have not added the -z parameter, so the ssh handshake fails. You need to use a new ssh client that supports obfuscation.
Again I am adding some new information; please look at it and help us resolve the issue.
We used PoTTY with the following command.
PoTTY.exe -N -ssh user@ip -P 1234 -pw password -C -z -Z keyword -D 127.0.0.1:9998
We changed the port number to 9998 (also tried with 1080).
Now the problems are:
Sometimes the server works, I mean a connection is established, but very rarely; I have been able to do so only once. During that time the SOCKS proxy at 127.0.0.1:9998 worked fine.
Most of the time, the PoTTY window opens with nothing and after a few minutes an error message is shown saying "Server unexpectedly closed network connection".
The problem should not be an ISP or firewall issue, because using the same ISP and firewall we were able to set up tunneling once from the same PC.
We have also tried with different ISPs and from different countries, but again we failed and got the same error message.
The 1234 port is open on the server for outside access.
What could the problem be and what should we do to fix it?
Again thanks in advance for your kind help.
Regards
Aaviskaar
Can you get a reply using the ping command? If so, telnet to your server by running "telnet ServerIP 1234". If telnet succeeds, then the obfuscated ssh server may be working properly.
Otherwise, something is wrong with your obfuscated ssh server or with the network between server and client.
Thank you for your reply. We have fixed the issue. Though there is no valid reason for it, it worked with plonk.exe without any issues and we are currently using it. Thank you for your kind help.
We are using the following command now
plonk -P 1234 -l user -D 1080 -N -z -Z keyword xx.xx.xx.xx
It asks for the user's password, we type it and it works fine. Though I want to ask whether there is any way to embed the password in the plonk command, as you did with PoTTY? I have searched for a plonk manual but didn't find one anywhere.
Secondly, I want to create the tunnel from a LAN gateway (maybe Windows or Linux) so that the gateway accepts requests on all ports and sends them through the tunnel. Is it possible? Linux or Windows, both solutions are OK.
If possible, please help us do it.
Thanks for your great blog again; this is the only blog available with step-by-step obfuscated ssh support.
Regards
Neelim
C:\>plonk
PoTTY Link: command-line connection utility
Mr. Hinky Dink's build, Aug 26 2011 23:23:10
Usage: plonk [options] [user@]host [command]
("host" can also be a PuTTY saved session name)
Options:
-V print version information and exit
-pgpfp print PGP key fingerprints and exit
-v show verbose messages
-load sessname Load settings from saved session
-ssh -telnet -rlogin -raw -serial
force use of a particular protocol
-P port connect to specified port
-l user connect with specified username
-batch disable all interactive prompts
The following options only apply to SSH connections:
-pw passw login with specified password
-D [listen-IP:]listen-port
Dynamic SOCKS-based port forwarding
-L [listen-IP:]listen-port:host:port
Forward local port to remote address
-R [listen-IP:]listen-port:host:port
Forward remote port to local address
-X -x enable / disable X11 forwarding
-A -a enable / disable agent forwarding
-t -T enable / disable pty allocation
-1 -2 force use of particular protocol version
-4 -6 force use of IPv4 or IPv6
-C enable compression
-i key private key file for authentication
-noagent disable use of Pogeant
-agent enable use of Pogeant
-m file read remote command(s) from file
-s remote command is an SSH subsystem (SSH-2 only)
-N don't start a shell/command (SSH-2 only)
-nc host:port
open tunnel in place of session (SSH-2 only)
-z obfuscate key exchange (SSH-2 only)
-Z keywd obfuscate with keyword (SSH-2 only)
-sercfg configuration-string (e.g. 19200,8,n,1,X)
Specify the serial configuration (serial only)
------------------------------------------------------------------------
So, the -pw parameter will meet your demand.
2.
Do you mean that you want to use SSH like a VPN?
If so, there are some ways to do it.
In Windows, you can use Proxifier to proxy any ports and any applications you want, even as a global proxy.
In Linux, ProxyChains is usually used.
sudo apt-get install proxychains
sudo sed -i '/^socks4/d' /etc/proxychains.conf
sudo sed -i '/^socks5/d' /etc/proxychains.conf
sudo sed -i '$a socks5 127.0.0.1 1080' /etc/proxychains.conf
ssh -N $User@$ServerIP -p $Port -v -i id_rsa -C -D 1080 -z -Z yourkeyword
proxychains firefox
Thanks for your great reply.
The first one worked for us. Thanks again.
Secondly, we don't need a VPN exactly. Actually what we want is this: for our LAN, it is not a good idea to allow the users to connect from their PCs, as they are not technically that good.
What we want to do is that we will have a local gateway with an internet connection. On one interface it will listen to requests on all ports, and on the other interface it will create an obfuscated SSH tunnel, and using that tunnel it will send all network traffic received from the other hosts.
We can use Windows or Linux.
Will proxychains work in this configuration, or do I have to use something else? Please answer this question.
Thanks
Aaviskaar
Do you mean that all LAN users use that local gateway to connect to your local server first, and then the local server runs an obfuscated ssh client and sets up a NAT service?
I have never done that before.
But an alternative method is running an obfuscated ssh client (-D 0.0.0.0:1080) on your local server, so that all LAN users connect to the server's SOCKS proxy. LAN users can use Proxifier (Windows) or Proxychains (Linux) to proxy applications that have no proxy settings of their own.
Yes, all LAN users use that local gateway to connect to my local server first, and then the local server runs an obfuscated ssh client and sets up a NAT service. This is exactly what I want.
Theoretically it is possible with iptables, but I do not know whether it will work. However, with the -D 0.0.0.0:1080 option I will try to set up a local proxy and then use NAT to redirect all traffic to that server.
I will let you know whether it works.
I have some VoIP devices that cannot use a proxy, so I have to set up a gateway.
However, if you have any suggestions, please let me know.
You have helped us very much.
Thanks Again
We have successfully installed SSH+ using your guide on Debian 6.07 and are using it now. But when we tried to install it on Debian 6.05 and Ubuntu 12.04 we got some issues. We installed all dependencies and configured it as you said. But when we try to start the server using the command
/usr/local/sbin/sshd -f /usr/local/etc/sshd_config
it works perfectly on Debian 6.07; it does not show any output, but the port starts listening and we can do SSH+ tunneling.
But when we use the same command on Debian 6.07 and Ubuntu 12.04 we do not get any output like the above, but the SSH+ service is not started. We have also done port scanning, but the port for SSH+ is not open.
What should we do to solve this issue?
Thanks Again
Amir
Run "netstat -an"; can you see sshd_ofc bound to port 1234?
If so, then the SSH+ service is working properly. You need to check whether the firewall and iptables settings block port 1234.
The SSH+ server works with ports from 1025 to 1234, but when we try to use any port above 1234 it does not work. netstat -an and nmap do not show any open port for SSH+.
When we start the server with any port above 1234 as the obfuscated port, the server starts without any error but the port is not opened. Though it is not a firewall issue as far as I know; I have tried opening the port on the firewall and then starting the server. The port shows as open in the nmap scan result, but the server did not listen on the port.
Please help us fix the issue.
I have deployed many obfuscated SSH services on several VPSes and routers, using ports from 9xx to 3xxxx, and they are working properly so far.
I have another question for you: suppose I have an SSH+ and an SSH server running on the same system. How can I find the active SSH+ users at a particular moment?
I also want to know the failed login attempts on SSH+, the IP details of logged-in users, etc.
Thanks in advance
Regards
Amir
netstat -an|grep :22
w
who
Failed login attempts of SSH(SSH+):
Redhat/Fedora:
cat /var/log/secure|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"="$1;}'
Debian/Ubuntu/other:
cat /var/log/auth.log|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"="$1;}'
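The one-liners above count failures for both daemons together, since sshd and sshd_ofc write to the same auth.log and differ only in the process tag; and w/who will not list SOCKS-only users at all, because a -N session allocates no tty and therefore writes no utmp entry. The following added example (mine, not from the thread) splits the failure counts by daemon and lists accepted logins per daemon instead. The log lines are constructed samples in the format that appears in this thread (sshd_ofc[11002]: Failed publickey for user from ... port ... ssh2); the function names are this example's own.

```python
"""Per-IP failed and accepted logins, split by daemon (added example, not from the thread)."""
import re
from collections import Counter

# Matches both the regular daemon ("sshd[123]") and the obfuscated one ("sshd_ofc[123]"),
# for the Accepted/Failed lines sshd writes, including "invalid user" variants.
AUTH_RE = re.compile(
    r"(?P<proc>sshd(?:_ofc)?)\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample auth.log excerpt; the addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Sep 16 16:30:53 vps sshd_ofc[11002]: Failed publickey for user from 203.0.113.7 port 6287 ssh2
Sep 16 16:30:55 vps sshd_ofc[11002]: Failed password for user from 203.0.113.7 port 6287 ssh2
Sep 16 16:31:02 vps sshd[11010]: Failed password for invalid user admin from 198.51.100.9 port 40122 ssh2
Sep 16 16:31:40 vps sshd_ofc[11020]: Accepted password for golengssh from 203.0.113.8 port 50111 ssh2
Sep 16 16:32:01 vps sshd_ofc[11031]: Failed password for invalid user root from 198.51.100.9 port 40130 ssh2
Sep 16 16:32:15 vps sshd[11040]: Accepted publickey for admin from 192.0.2.4 port 51000 ssh2
"""


def parse_auth(lines, proc="sshd_ofc"):
    """Yield regex matches for login results logged by the given daemon only."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m.group("proc") == proc:
            yield m


def failed_by_ip(lines, proc="sshd_ofc"):
    """{ip: failed-attempt count} for one daemon; the awk one-liner, but per daemon."""
    return dict(Counter(m.group("ip") for m in parse_auth(lines, proc)
                        if m.group("result") == "Failed"))


def accepted_logins(lines, proc="sshd_ofc"):
    """[(user, ip)] of successful logins. For -N SOCKS clients this log line is the
    only record of who connected, since such sessions never appear in w/who."""
    return [(m.group("user"), m.group("ip")) for m in parse_auth(lines, proc)
            if m.group("result") == "Accepted"]


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print("sshd_ofc failures:", failed_by_ip(lines))
    print("sshd_ofc accepted:", accepted_logins(lines))
    print("sshd failures:    ", failed_by_ip(lines, "sshd"))
```

For a live system, feed it open("/var/log/auth.log") (or /var/log/secure on Red Hat) instead of the sample; pair the accepted logins with netstat output on the obfuscated port to see which of them are still connected.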
I was able to set up some SSH+ servers for my friend, who lives in a country where everything is blocked; the credit goes to your blog.
But unfortunately for the last few days we have been facing connection drop issues on SSH+. After a 2-5 minute session the ssh+ connection drops, saying FATAL ERROR: NETWORK ERROR: SOFTWARE CLOSED CONNECTION ABORT.
However, we are able to use ssh+ from my country without any problem or connection drops. I think the government has found some way to detect ssh+ packets. At the same time Psiphon 3 is also not working. We have played with ports but that didn't work. We even changed ssh+ to 22 and ssh to something else. It works from my country but not from his. I think the firewall inspects the packet pattern, not the port.
What should our next step be to fool the new inspection technique?
Your help will be greatly appreciated.
Thanks in Advance
John
Psiphon is blocked in many countries because too many people use Psiphon.
SSH+ is theoretically a private protocol, as long as the ObfuscateKeyword is not compromised.
You can change your port to a SSL service port, such as 443,563,636 ...
Details: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Or you could consider using obfsproxy, ShadowSocks, etc.
Of course, no matter what technology you use, if your proxy service has too many users or too much traffic, it will be blocked. It's just a matter of time.
I have added SELinux support and set 'UsePAM yes' for my obfuscated openssh, because I think it should provide as much security as the official openssh-server.
But I get errors like "Sep 16 16:30:53 xxx sshd_ofc[11002]: Failed publickey for user from xxx.xx.xxx.xx port 6287 ssh2" and the SELinux error "Sep 16 17:03:47 xxx sshd_ofc[11188]: fatal: ssh_selinux_getctxbyname: Failed to get default SELinux security context for user (in enforcing mode)" in /var/log/secure.
I want to secure my obfuscated ssh server as much as possible, rather than giving up most security features (selinux, pam, etc.) just for the obfuscated ssh connection.
Do you have any idea how to achieve that? I'm looking forward to any hints on how to do it.
Thank you!
I have been quite busy over the past few months.
When running ./configure, some pam options are disabled.
./configure | grep pam
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
PAM support: no
Then I read some source code and found this
/* Define to 1 if you have the header file. */
#undef HAVE_SECURITY_PAM_APPL_H
/* Define to 1 if you have the header file. */
#define HAVE_PAM_PAM_APPL_H 1
in "config.h.in" file.
And pam_appl.h is missing.
To get pam_appl.h, just run "apt-get install libpam0g-dev" on Debian or "yum install pam-devel" on CentOS; then you will find it at /usr/include/security/pam_appl.h
Then add pam_appl.h to brl-obfuscated-openssh-ca93a2c/security/pam_appl.h
and
brl-obfuscated-openssh-ca93a2c/pam/pam_appl.h
and
#define HAVE_SECURITY_PAM_APPL_H 1
#define HAVE_PAM_PAM_APPL_H 1
Hope this may help you.
# /usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config
PEM_read_PrivateKey: mismatch or unknown EVP_PKEY save_type 408
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
Comment these lines in your sshd_config.
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
First I would like to thank you for your great blog; the instructions are clear and very helpful.
I have tried to make an ssh+ connection on two different ISPs.
The first one: Potty gives a black screen for 1 minute, then it says: Software caused connection abort
Plonk is the same: FATAL ERROR: Network error: Software caused connection abort
When trying to ping on that ISP we get an IP address but no received packages, so I guess that the DNS is working fine.
The second ISP: Potty connects successfully, then after a while a message pops up:
“server sent disconnect message
type 2 (protocole error):
received oclose for nonexistent channel 3145224”
When I checked the auth.log that time I get:
“channel_by_id: 0: bad id: channel free
Disconnecting: Received oclose for nonexistent channel 0.”
Could you please tell me what to do to solve these problems?
Thanks in advance
For the first case, when you run "netstat -an" on your first VPS, can you see
sshd_ofc binding to port 1234 (or the port you specified)?
If not, your configuration on the server side may have some errors.
If so, since you got "Software caused connection abort" and "no received packages", I think the network between your client and VPS may be unstable.
(Or the network is interfered with by your Internet Service Provider?)
The second case is somewhat weird. I think you have to check your configurations, on both the server side and the client side.
How can I improve the speed?
After changing the port to a regular one and enabling compression explicitly, the speed improved.
FROM http://blog.slpo.net/?p=1234
---------------------------------
obfuscate six stucked hogs
This is the openssh I modified during last year's "18th Party Congress" to get over "the thing that cannot be named", because "that unspeakable thing" had upgraded certain features that let it fuzzily identify protocol contents and block them, and that includes the S(ix) S(tucked) H(ogs) protocol. six stucked hogs was not originally meant for -D-ing out a socket to get over "the thing that gets you harmonized if you mention it"; that is only an extra feature, but once it gets X'd a lot of my normal work cannot be done. That is how the obfuscate six stucked hogs protocol came about: to confuse "the thing that, once I find it, I am going to smash to pieces with a baseball bat".
The obfuscate six stucked hogs protocol originally came from brl (https://github.com/brl/obfuscated-openssh), but it was based on openssh version 5.2. Since that version can no longer be compiled on the latest ML (it probably stopped working from Lion onward), I took the latest 6.1p1 and ported the changes over by comparison. The protocol format is the same as the original, so the two can connect to each other.
It includes both the client and the server.
On the server side you can set ObfuscatedPort and ObfuscateKeyword in sshd_config, which are the obfuscated port number and the obfuscation string respectively. The obfuscated port defaults to the same port ssh was given, or it can be configured separately. The obfuscation string must match the client's setting. Then configure the rest of ssh as usual.
The client connects by passing the obfuscation string after the -Z parameter. It can also be set in the config file with
ObfuscateHandshake yes
ObfuscateKeyword 混淆用的字符串
For the exact protocol format, see brl's README. Besides obfuscating the message contents, it also adds misleading random padding to the TCP packets to defeat traffic-analysis identification, which should make it a fairly sustainable approach.
I like to log in directly with the openssh client. On Mac, another client option is secret-socks, which supports the same obfuscation protocol; on Windows there is x-wall.
Lots of people have asked about this before, but I still did not dare to talk about it in too much detail. Recently I got fed up with "that thing that obstructs my normal work like a lunatic", so this once I am going against the wind. If you want to harmonize me, come on. Fuck.
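Two properties come up on this page: the earlier reply's point that ssh+ stays a private protocol only while the ObfuscateKeyword is secret, and the post's note that random padding defeats length-based traffic analysis. The following is an added, simplified Python model of such a keyword-keyed handshake; it is not code from this post, from brl's obfuscated-openssh or from the ssh+ service, and the seed length, SHA-256 counter keystream, magic value and padding bound are this model's own assumptions rather than the real implementation's constants.

```python
"""Simplified model of a keyword-obfuscated handshake (added example; not
code from the post, from brl's obfuscated-openssh or from the ssh+ service).
Assumed shape: a 16-byte seed sent in clear, a keystream derived from
SHA-256(seed || keyword || direction), a 4-byte magic value the server
checks, and 0..MAX_PADDING bytes of random padding. Constants are constructed.
"""
import hashlib
import os
import struct

SEED_LEN = 16
MAGIC = 0x0BF5CA7E      # constructed check value for this model
MAX_PADDING = 8192      # constructed upper bound on padding length


def _keystream(seed: bytes, keyword: bytes, direction: bytes, n: int) -> bytes:
    """Counter-mode SHA-256 keystream bound to seed, keyword and direction."""
    base = hashlib.sha256(seed + keyword + direction).digest()
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(base + struct.pack(">I", counter)).digest()
    return bytes(out[:n])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def client_hello(keyword: bytes, rng=os.urandom) -> bytes:
    """Seed in clear, then obfuscated (magic || pad_len || padding).
    The random pad_len gives the first message no fixed length, and
    without the keyword no recognisable content for a DPI box to match."""
    seed = rng(SEED_LEN)
    pad_len = int.from_bytes(rng(2), "big") % (MAX_PADDING + 1)
    body = struct.pack(">II", MAGIC, pad_len) + rng(pad_len)
    return seed + _xor(body, _keystream(seed, keyword, b"client_to_server", len(body)))


def server_accept(keyword: bytes, wire: bytes) -> bool:
    """Server side: derive the same keystream from seed + keyword and reject
    unless the magic value decrypts correctly and the padding length fits."""
    if len(wire) < SEED_LEN + 8:
        return False
    seed, body = wire[:SEED_LEN], wire[SEED_LEN:]
    magic, pad_len = struct.unpack(
        ">II", _xor(body[:8], _keystream(seed, keyword, b"client_to_server", 8)))
    return magic == MAGIC and pad_len <= MAX_PADDING and len(body) == 8 + pad_len
```

A client using a wrong keyword fails the magic check, which is the sense in which the protocol is "private" only while the keyword is secret; anyone who learns the keyword can recover the handshake just as the server does.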
10 Comments
Thanks for this, but I have a problem on login. After install, when I want to login I get this error: “Server’s host key did not match the signature supplied”. I use Potty for login. Can you please explain what I should do exactly!? Quickly, I did:
#./configure
#make
#make install
#echo "ObfuscatedPort 2222" >> /usr/local/etc/sshd_config
#echo "ObfuscateKeyword keyword" >> /usr/local/etc/sshd_config
#/usr/local/sbin/sshd -f /usr/local/etc/sshd_config
Everything went ok and sshd ran without problem
Thanks
I can’t try potty to login because I don't have a Windows machine now.
Could you try the patched openssh client to login? If you compiled it from my code, `/usr/local/bin/ssh -Z keyword …` should work. Also you can pass `-v` to get more debug info.
Thx for your comment, waiting for your message.
Ok. I installed the obf ssh on another server and did as you told:
# /usr/local/bin/ssh -Z mykeyword root@xx.xx.xxx.xxx -p 6200
The authenticity of host ‘[xx.xx.xxx.xxx]:6200 ([xx.xx.xxx.xxx]:6200)’ can’t be established.
ECDSA key fingerprint is e7:15:14:51:b9:8f:fa:89:08:41:c3:b2:83:f8:d8:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘[xx.xx.xxx.xxx]:6200′ (ECDSA) to the list of known hosts.
key_verify failed for server_host_key
#
This error looks like the same error that happened in Potty.
# /usr/local/bin/ssh -v -Z mykeyword root@xx.xx.xxx.xxx -p 6200
OpenSSH_6.1p1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to xx.xx.xxx.xxx [xx.xx.xxx.xxx] port 6200.
debug1: Connection established.
debug1: Obfuscation enabled
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA e7:15:14:51:b9:8f:fa:89:08:41:c3:b2:83:f8:d8:68
debug1: checking without port identifier
The authenticity of host ‘[xx.xx.xxx.xxx]:6200 ([xx.xx.xxx.xxx]:6200)’ can’t be established.
ECDSA key fingerprint is e7:15:14:51:b9:8f:fa:89:08:41:c3:b2:83:f8:d8:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘[xx.xx.xxx.xxx]:6200′ (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature incorrect
key_verify failed for server_host_key
Sorry for the silly mistake i made, it is fixed now, please repull it from github, and let me know the result.
I tested with PoTTY and it ran too
Thanks for fixing the problem
Whats up man
I saw that openssh is updated to 6.2. You don’t want to update this package to the new version?
Thank you
I have been busy and snafu'd these last few months, sorry for replying to you so late.
No chance to follow up the new version yet, and now 6.3 is out; I will just bump it directly to 6.3 soon. T_T
And if you use obfuscated ssh for setting up a tunnel proxy, there is shadowsocks (www.shadowsocks.org).
FROM http://aligo.me/2013/01/13/obfuscate-six-stucked-hogs/