vbatts
/
shadowsocks
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Page: Securing Public Shadowsocks Server
Pages
Ban Brute Force Crackers Block Connection to localhost Change Server on the Fly Configuration via Config File Configure Multiple Users Configure Shadowsocks with Supervisor Connect to OpenVPN over Shadowsocks Convert Shadowsocks into an HTTP proxy Encryption Feature Comparison across Different Versions Forcing Chrome to Use Socks5 Proxy Generate QR Code for Android or iOS Clients Gentoo overlay Graceful shutdown and restart Home Install Shadowsocks Server on Windows Manage Multiple Users Objective Optimizing Shadowsocks Ports and Clients Salsa20 Securing Public Shadowsocks Server Setting Up Shadowsocks on Linode Setup a Shadowsocks relay Shadowsocks 使用说明 TCP Fast Open Troubleshooting Using Shadowsocks with Command Line Tools Workers 优化 Shadowsocks 回复模版 在 Linode 上快速搭建 Shadowsocks 用 Supervisor 运行 Shadowsocks
5 Securing Public Shadowsocks Server
clowwindy edited this page 2015-08-16 22:11:46 +08:00

If you share your server with strangers, you need to be careful. The numbers used below are just examples.

  1. Optimize your server

  2. Limit bandwidth

     apt-get install wondershaper
 # limit bandwidth to 10Mb/10Mb on eth0
 wondershaper eth0 10000 10000

  3. Limit connections

     iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset

  4. Prevent ssh password cracking

     apt-get install denyhosts

  5. Prevent Shadowsocks password cracking

  6. Block connection to localhost

  7. Run Shadowsocks server as nonroot user

     sudo useradd ssuser
 sudo ssserver [other options] --user ssuser

  8. Block traffic to non-HTTP port

     iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j ACCEPT
 iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 443 -j ACCEPT
 iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset

  9. Block BitTorrent trackers

     apt-get install nginx

    Edit nginx configuration:

     server {
     listen 0.0.0.0:3128;
     resolver 8.8.8.8;
     location / {
         set $upstream_host $host;
     if ($request_uri ~ "^/announce.*") {
             return 403;
         }
         if ($request_uri ~ "^.*torrent.*") {
             return 403;
         }
         proxy_set_header Host $upstream_host;
         proxy_pass http://$upstream_host;
         proxy_buffering off;
     }
 }

Redirect 80 port to nginx:

    iptables -t nat -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
Download Tutorial Wiki Troubleshooting