Securing Public Shadowsocks Server
clowwindy edited this page 2015-08-16 22:11:46 +08:00
If you share your server with strangers, you need to be careful. The numbers used below are just examples.
- Limit bandwidth

  ```sh
  apt-get install wondershaper
  # limit bandwidth to 10Mb/10Mb on eth0
  wondershaper eth0 10000 10000
  ```

- Limit connections

  ```sh
  iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset
  ```

- Prevent ssh password cracking

  ```sh
  apt-get install denyhosts
  ```

- Run Shadowsocks server as a non-root user

  ```sh
  sudo useradd ssuser
  sudo ssserver [other options] --user ssuser
  ```

- Block traffic to non-HTTP ports

  ```sh
  iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 443 -j ACCEPT
  iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  ```

- Block BitTorrent trackers

  ```sh
  apt-get install nginx
  ```

  Edit nginx configuration:

  ```nginx
  server {
      listen 0.0.0.0:3128;
      resolver 8.8.8.8;
      location / {
          set $upstream_host $host;
          if ($request_uri ~ "^/announce.*") {
              return 403;
          }
          if ($request_uri ~ "^.*torrent.*") {
              return 403;
          }
          proxy_set_header Host $upstream_host;
          proxy_pass http://$upstream_host;
          proxy_buffering off;
      }
  }
  ```

  Redirect port 80 to nginx:

  ```sh
  iptables -t nat -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
  ```
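The iptables rules above (connection limit, per-user egress restriction, port 80 redirect) only work if they are all loaded and the catch-all REJECT sits after the two ACCEPTs, since iptables is first-match. The following added checker (not part of this wiki) parses `iptables-save` output and reports what is missing or misordered; it assumes placeholder values of uid 1001 for `ssuser` and tcp/8388 for the Shadowsocks port, and the sample dump is constructed.

```python
"""Added example, not the shadowsocks wiki's own code: parse `iptables-save` output
and verify the rules above are loaded AND ordered correctly (iptables is first-match,
so the catch-all REJECT must come after the ACCEPTs). Placeholders: uid 1001, tcp/8388."""
import shlex
def parse_iptables_save(text):
    """Yield (table, chain, args) for each '-A ...' rule line of the dump."""
    table = None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            parts = shlex.split(line)
            yield table, parts[1], parts[2:]

def _has(args, *needles):
    """True if every needle occurs as whole tokens (so '--dport 80' != '--dport 8080')."""
    s = " " + " ".join(args) + " "
    return all(" " + n + " " in s for n in needles)

def check_hardening(dump, ss_uid="1001", ss_port="8388"):
    """Return a list of problems (empty = pass). iptables-save prints numeric uids."""
    rules = list(parse_iptables_save(dump))
    owner, problems = "--uid-owner " + ss_uid, []
    out = [a for t, c, a in rules if (t, c) == ("filter", "OUTPUT") and _has(a, owner)]
    rej = [i for i, a in enumerate(out) if _has(a, "-p tcp", "-j REJECT") and "--dport" not in a]
    if not rej:
        problems.append("no catch-all TCP REJECT for the proxy user in filter/OUTPUT")
    for port in ("80", "443"):
        acc = [i for i, a in enumerate(out) if _has(a, "--dport " + port, "-j ACCEPT")]
        if not acc:
            problems.append("no ACCEPT for tcp/" + port + " for the proxy user")
        elif rej and acc[0] > rej[0]:
            problems.append("ACCEPT tcp/" + port + " sits after the REJECT, so it never matches")
    if not any((t, c) == ("filter", "INPUT") and _has(a, "--dport " + ss_port, "connlimit") for t, c, a in rules):
        problems.append("no connlimit rule on tcp/" + ss_port)
    if not any((t, c) == ("nat", "OUTPUT") and _has(a, owner, "--dport 80", "-j REDIRECT") for t, c, a in rules):
        problems.append("tcp/80 from the proxy user is not redirected to the filtering nginx")
    return problems
# Constructed dump in iptables-save syntax (not captured from a real host).
REJECT_RULE = "-A OUTPUT -p tcp -m owner --uid-owner 1001 -j REJECT --reject-with tcp-reset\n"
GOOD_DUMP = """*nat
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 8388 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 32 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 443 -j ACCEPT
""" + REJECT_RULE + "COMMIT\n"
# Same rules, but the REJECT was added with -I (inserted first): the ACCEPTs are dead.
BAD_DUMP = GOOD_DUMP.replace(REJECT_RULE, "").replace("*filter\n", "*filter\n" + REJECT_RULE)
```

On a real host, run `iptables-save | python3 -c 'import sys, check; print(check.check_hardening(sys.stdin.read(), ss_uid=..., ss_port=...))'` with the module saved as `check.py` and your own uid and port substituted.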