2026 Q1 self-check for potential violations & one-click block/whitelist script

Overview

This is a "protocol self-check" script for server operators. It first looks at the ports the host is listening on, then combines Nmap, HTTP/HTTPS/TLS probing and OpenGFW replay analysis, and finally organises the results into an easy-to-read port risk overview so you can decide which ports to block and which to whitelist.

The theory behind it is described in Overview of Aodun VPN Detection (傲盾特徵消息簡要), on which this tool is based.

Usage

One-click script:

wget http://files.leikwanhost.com/self-detect.sh && chmod +x self-detect.sh && ./self-detect.sh

The download is over plain HTTP, so review the script contents before executing it on a production host.

Functions

  1. Simple Scan
    Quickly lists ports, processes, judgement type and risk level.
    Good for a first look at the whole picture.
    The faster mode.

  2. Complete Scan
    Runs fuller Nmap probing and HTTP/HTTPS/TLS probing, then goes on to OpenGFW replay analysis.
    Best when you want to confirm actual traffic characteristics.
    If you are running speed tests, a proxy, or real client traffic during the scan, this mode is the most informative.

  3. systemd Service Management
    Installs the script as a resident service.
    Suited to long-running passive monitoring: the system keeps accumulating results without you running the script by hand each time.

  4. Set Trusted Ports/Ranges
    If you already know that certain port ranges belong to your own legitimate services, mark them as trusted here to avoid a flood of meaningless alerts.

  5. Review Results and Block
    This is the main action page.
    It reads the latest result file directly and shows port, service, process, judgement type, risk, and OpenGFW hit information.
    From here you can:
      Block selected ports
      One-click block HIGH
      One-click block HIGH + MEDIUM
      Whitelist selected ports
      Whitelist HIGH ports
      Whitelist HIGH + MEDIUM ports
      Remove whitelist
    Both blocking and whitelisting can be applied to IPv4 only, IPv6 only, or IPv4 + IPv6 together.

Information

If you only want a quick, human-readable summary, open latest-port-risk-overview.md.
If you want to automate handling, blocking or whitelisting, note that the script itself mainly reads latest-port-judgement.tsv.

Common review and reporting patterns today
Reporting and traffic control in mainland China today usually do not look at a single protocol name alone; they look at whether the traffic matches certain high-risk patterns.

The first and most common is FET.
FET can be understood as "no obvious plaintext content, but the flow as a whole looks like fully encrypted proxy traffic".
In many scenarios FET is treated directly as Shadowsocks-like traffic.

The second category is Trojan.
Trojan is a typical high-risk non-standard proxy pattern.
If it is detected, the risk is usually high.

The third category is SOCKS4 / SOCKS5.
Their proxy handshakes are distinctive, so they are easily flagged as non-standard traffic.

The fourth category is SNI mismatch.
This usually means the domain name, certificate and destination IP do not fit together naturally.
It is common in domain-fronting ("borrowed shell"), Reality, and similar setups.
If it is hit, it also counts as high risk.

The fifth category is HTTP / HTTPS / TLS / SSL.
If these protocols run on odd ports, or do not look like a normal public website service, they may also be treated as non-standard traffic.

The sixth category is VPN or obvious tunnel protocols such as WireGuard, OpenVPN, PPTP and L2TP.
If detected, they usually deserve attention as well.

Simple summary
FET is often treated as Shadowsocks
Trojan is high risk
SOCKS4/SOCKS5 is an obvious proxy signature
SNI mismatch usually means the domain, certificate and real destination do not align
HTTP/HTTPS/TLS/SSL on non-standard ports is also easily reported
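The following is an added example, not code from self-detect.sh, showing how the one-click HIGH / HIGH+MEDIUM block with a whitelist and an IPv4/IPv6 choice can be derived from a latest-port-judgement.tsv-style file. The column order (port, service, process, judgement, risk, opengfw_hit), the DROP action and the INPUT chain are assumptions; the page does not document the file format, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not part of the project's self-detect.sh. It shows how the
# one-click HIGH / HIGH+MEDIUM block with a whitelist and an IPv4/IPv6 choice
# can be derived from a latest-port-judgement.tsv-style file. The column order
# (port, service, process, judgement, risk, opengfw_hit), the DROP action and
# the INPUT chain are assumptions; the page does not document the file format.

# Constructed sample rows in the assumed layout (tab-separated, header first).
SAMPLE_TSV=$(mktemp)
{
    printf 'port\tservice\tprocess\tjudgement\trisk\topengfw_hit\n'
    printf '22\tssh\tsshd\tSSH\tLOW\t-\n'
    printf '443\thttps\tnginx\tHTTPS\tLOW\t-\n'
    printf '8388\tunknown\tss-server\tFET\tHIGH\tfet\n'
    printf '10443\tunknown\txray\tSNI mismatch\tHIGH\tsni-mismatch\n'
    printf '8080\thttp\tpython3\tHTTP on non-standard port\tMEDIUM\thttp\n'
    printf '51820\tunknown\twg\tWireGuard\tMEDIUM\twireguard\n'
} > "$SAMPLE_TSV"

# ports_at_or_above LEVEL FILE [WHITELIST]
# Prints the ports whose risk is HIGH (LEVEL=HIGH) or HIGH/MEDIUM (LEVEL=MEDIUM),
# skipping the header and any port in the space-separated WHITELIST.
ports_at_or_above() {
    level=$1; file=$2; wl=" ${3:-} "
    awk -F'\t' -v level="$level" -v wl="$wl" '
        NR == 1 { next }                       # header line
        index(wl, " " $1 " ") > 0 { next }     # whitelisted port, never block
        $5 == "HIGH" || (level == "MEDIUM" && $5 == "MEDIUM") { print $1 }
    ' "$file"
}

# block_rules FAMILY PORT...
# Prints the firewall commands for review instead of running them (dry run).
# FAMILY is 4 (IPv4 only), 6 (IPv6 only) or 46 (both), mirroring the menu choice.
block_rules() {
    family=$1; shift
    for port in "$@"; do
        for proto in tcp udp; do
            case $family in 4|46) echo "iptables -I INPUT -p $proto --dport $port -j DROP" ;; esac
            case $family in 6|46) echo "ip6tables -I INPUT -p $proto --dport $port -j DROP" ;; esac
        done
    done
}

# One-click block HIGH on IPv4 + IPv6, with 443 kept on the whitelist.
block_rules 46 $(ports_at_or_above HIGH "$SAMPLE_TSV" "443")
```

The rules are only printed; pass them to a shell after reviewing them, and keep your trusted ports in the whitelist argument so they are never touched.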

Advice

If you only want a first look at the host's status, run Simple Scan.
If you want a more accurate judgement, run Complete Scan.
If you already have results, go directly to 8 Review results and block.
If the server provides services long-term, run it under systemd so the tool monitors continuously and the results are more stable.
