From 4ca781ca745341431400a8beb81589d809da0d82 Mon Sep 17 00:00:00 2001
From: clowwindy
Date: Mon, 2 Feb 2015 17:06:43 +0800
Subject: [PATCH] Created Secure Public Shadowsocks Server (markdown)
---
 Secure-Public-Shadowsocks-Server.md | 54 +++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 Secure-Public-Shadowsocks-Server.md
diff --git a/Secure-Public-Shadowsocks-Server.md b/Secure-Public-Shadowsocks-Server.md
new file mode 100644
index 0000000..a306ac3
--- /dev/null
+++ b/Secure-Public-Shadowsocks-Server.md
@@ -0,0 +1,54 @@
+If you share your server with strangers, you need to be careful.
+
+1. Limit bandwidth
+
+ apt-get install wondershaper
+ # limit bandwidth to 10Mb/10Mb on eth0
+ wondershaper eth0 10000 10000
+
+2. Prevent ssh password cracking
+
+ apt-get install denyhosts
+
+3. [Prevent Shadowsocks password cracking](https://github.com/shadowsocks/shadowsocks/wiki/Ban-Brute-Force-Crackers)
+
+4. [Block connection to localhost](https://github.com/shadowsocks/shadowsocks/wiki/Block-Connection-to-localhost)
+
+5. Run Shadowsocks server as nonroot user
+
+ sudo useradd ssuser
+ sudo ssserver [other options] --user ssuser
+
+6. Block traffic to non-HTTP port
+
+ iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j ACCEPT
+ iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 443 -j ACCEPT
+ iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
+
+7. Block BitTorrent trackers
+
+ apt-get install nginx
+
+ Edit nginx configuration:
+
+ server {
+ listen 127.0.0.1:3128;
+ resolver 8.8.8.8;
+ location / {
+ set $upstream_host $host;
+ if ($request_uri ~ "^/announce.*") {
+ return 403;
+ }
+ if ($request_uri ~ "^.*torrent.*") {
+ return 403;
+ }
+ proxy_set_header Host $upstream_host;
+ proxy_pass http://$upstream_host;
+ proxy_buffering off;
+ }
+ }
+
+ Redirect 80 port to nginx:
+
+ iptables -t nat -m owner --uid-owner http-ss -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
+