在成功安装配置了shadowsocks-libev之后,我又重新修改了设置,比如端口和加密方式
配置端口转发:在新的生产环境需要新的端口,所以对应的,也需要在新的路由器上配置端口转发规则,比如 公网IP地址:25 #转发到内网IP#192.168.1.***:2525
修改加密方式:之前的加密方式选的是aes-256-gcm,可是尴尬的是手机的终端app上只有aes-256-cfb的选项(不知道升级app后会不会有gcm的支持,但是服务的宗旨是稳定和可靠,所以不必要的升级,不要)
接下来才是重点:
- 配置开机启动shadowsocks-libev(多余,所以证明了一下它的多余)
- 更新shadowsocks版本
- 安装FAIL2BAN防攻击软件
- 开启xxx(cgf什么鬼的)
- 优化吞吐量(负载)
- 开启BBR加速
配置shadowsocks-libev开机启动: (其实事后发现我的shadowsocks-libev本来就是开机启动的,因为我重启服务器后,服务也自然地就上来了)
sudo vim /etc/rc.local  //编辑rc.local,在最底端添加如下内容,根据自己的安装目录修改(我的都是cd进去看过的)
/usr/local/bin/sslocal -c /etc/init.d/shadowsocks-libev start
pi@raspberrypi:~ $ /etc/init.d/shadowsocks-libev status  //查看重启后shadowsocks-libev的运行状态
Shadowsocks-libev (pid 458) is running...  //本来就启动了,服务就自然地上来了
pi@raspberrypi:~ $
对于有些文档里面写的是/usr/local/bin/sslocal -c /etc/shadowsocks.json -d start,显然在我的安装地址中,没有shadowsocks.json,因为本次是一键安装的,所以配置文件是/etc/shadowsocks-libev/config.json。所以有时这些文章的适用性很低,需要自己仔细检查和区别。
再想想,可能也就是因为是一键安装的,在脚本里面可能本来就配置了开机启动shadowsocks-libev,所以呢回去找找秋水逸冰的脚本(等我一下,马上回来)
在附录中是秋水逸冰的源脚本,在下面我截选的在代码的228行,确实针对不同的系统,设定了开机启动:
if [ -f /usr/bin/ssserver ] || [ -f /usr/local/bin/ssserver ]; then
chmod +x /etc/init.d/shadowsocks
# Add run on system start up 看到没?这里设定为开机启动
if [ "$OS" == 'CentOS' ]; then
chkconfig --add shadowsocks
chkconfig shadowsocks on
else
update-rc.d -f shadowsocks defaults
fi
更新shadowsocks-libev版本:
pip install -U shadowsocks  //安装一段时间之后还能通过这个指令无害升级
reboot -h now  //升级完后,重启一下
附录(秋水逸冰的一键四版安装的脚本原件):
#! /bin/bash
# Fixed, minimal search path so the installer resolves system tools the same
# way regardless of the invoking user's environment.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
#=================================================================#
# System Required: CentOS 6+, Debian 7+, Ubuntu 12+ #
# Description: One click Install Shadowsocks-Python server #
# Author: Teddysun <i@teddysun.com> #
# Thanks: @clowwindy <https://twitter.com/clowwindy> #
# Intro: https://teddysun.com/342.html #
#=================================================================#
# Banner printed before any prompt; clear wipes whatever is on the terminal.
clear
printf '%s\n' \
  '' \
  '#############################################################' \
  '# One click Install Shadowsocks-Python server #' \
  '# Intro: https://teddysun.com/342.html #' \
  '# Author: Teddysun <i@teddysun.com> #' \
  '# Thanks: @clowwindy <https://twitter.com/clowwindy> #' \
  '#############################################################' \
  ''
# Make sure only root can run our script
#######################################
# Abort unless the effective UID is 0: the installer writes under /etc,
# installs packages and edits firewall rules, all of which need root.
# Outputs: error text on stderr when not root
# Returns: 0 as root; otherwise exits the script with status 1
#######################################
rootness() {
  (( EUID == 0 )) && return 0
  printf '%s\n' "Error:This script must be run as root!" >&2
  exit 1
}
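# Check OS
#######################################
# Detect the distribution family and store it in the global OS.
# Globals:  OS (written) - one of CentOS, Debian, Ubuntu
# Outputs:  error text on stdout when the distribution is unrecognised
# Returns:  0 when detected; otherwise exits the script with status 1
# Note: `grep -qs` replaces the original `[ ! -z "$(cat … | grep …)" ]`
# pipelines; -s also silences the error when /etc/issue is absent.
#######################################
checkos() {
  if [[ -f /etc/redhat-release ]]; then
    OS=CentOS
  elif grep -qs bian /etc/issue; then
    OS=Debian
  elif grep -qs Ubuntu /etc/issue; then
    OS=Ubuntu
  else
    echo "Not support OS, Please reinstall OS and retry!"
    exit 1
  fi
}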
# Get version
#######################################
# Print the numeric tokens ([0-9.]+) found in /etc/redhat-release when that
# file is non-empty, otherwise those found in /etc/issue.
# Outputs: one match per line on stdout
# Returns: grep's status (1 when nothing matches)
#######################################
getversion() {
  local release_file=/etc/issue
  [[ -s /etc/redhat-release ]] && release_file=/etc/redhat-release
  grep -oE "[0-9.]+" "$release_file"
}
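# CentOS version
#######################################
# Test whether the detected major release number equals $1.
# Arguments: $1 - major version to compare against (e.g. 6 or 7)
# Returns:   0 on match, 1 otherwise
# Only the text before the first '.' of getversion's output is compared.
# The comparison is quoted so an empty or multi-line version string gives a
# clean non-match instead of a `[: unary operator expected` error.
# NOTE(review): the function does not itself check that the host is CentOS
# (a Debian 7 /etc/issue also satisfies `centosversion 7`); callers gate on
# "$OS" where that matters.
#######################################
centosversion() {
  local code=$1
  local version
  version=$(getversion)
  [[ "${version%%.*}" == "$code" ]]
}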
# Disable selinux
#######################################
# Switch SELinux to disabled (persistently in /etc/selinux/config and
# immediately via setenforce) when it is currently set to enforcing.
# Returns: 0 when nothing needed changing; otherwise setenforce's status
# The grep is deliberately not -q: the original prints the matching
# SELINUX=enforcing line, and this restyle keeps that output.
# NOTE(review): disabling SELinux host-wide is a broad hardening regression
# for the sake of one service; a port label / targeted policy would be the
# narrower fix (out of scope for this restyle).
#######################################
disable_selinux() {
  [[ -s /etc/selinux/config ]] || return 0
  grep 'SELINUX=enforcing' /etc/selinux/config || return 0
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
  setenforce 0
}
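# Pre-installation settings
#######################################
# Interactive pre-flight: reject CentOS 5, ask for the password and port,
# wait for a keypress, install build/runtime dependencies for the detected
# OS and look up the public IP.
# Globals:  OS (read); shadowsockspwd, shadowsocksport, IP, cur_dir (written)
# Returns:  0; exits with status 1 on CentOS 5
# Changes relative to the original: `read -r` (a backslash typed into the
# password is now kept literally), digits-only port validation (see
# _ss_ask_port), `echo -e` replaced by printf, the stty/dd keypress helper
# replaced by `read -s -n 1`, and the unused `char` variable and the no-op
# `cd $cur_dir` dropped.
#######################################
pre_install() {
  # Not support CentOS 5
  if centosversion 5; then
    echo "Not support CentOS 5, please change to CentOS 6+ or Debian 7+ or Ubuntu 12+ and try again."
    exit 1
  fi
  _ss_ask_password
  _ss_ask_port
  echo
  echo "Press any key to start...or Press Ctrl+C to cancel"
  get_char >/dev/null
  _ss_install_deps
  _ss_detect_public_ip
  # Current folder, kept as a global for later steps
  cur_dir=$(pwd)
}

# Prompt for the shadowsocks password into the global shadowsockspwd.
# The fallback "teddysun.com" is a publicly known default that anyone can
# guess; the chosen password is echoed back, as in the original script.
_ss_ask_password() {
  echo "Please input password for shadowsocks-python:"
  read -r -p "(Default password: teddysun.com):" shadowsockspwd
  [[ -n "$shadowsockspwd" ]] || shadowsockspwd="teddysun.com"
  echo
  echo "---------------------------"
  echo "password = $shadowsockspwd"
  echo "---------------------------"
  echo
}

# Prompt until a port in 1-65535 is entered; stores it in shadowsocksport.
# Only decimal digits are accepted (the original `expr $port + 0` check also
# let a sign through, e.g. "+5", which then produced invalid JSON); at most
# five significant digits are allowed so the arithmetic cannot overflow, and
# leading zeros are normalised so the value is written as a plain JSON number.
_ss_ask_port() {
  while true; do
    echo "Please input port for shadowsocks-python [1-65535]:"
    read -r -p "(Default port: 8989):" shadowsocksport
    [[ -n "$shadowsocksport" ]] || shadowsocksport="8989"
    if [[ "$shadowsocksport" =~ ^0*[0-9]{1,5}$ ]] \
      && (( 10#$shadowsocksport >= 1 && 10#$shadowsocksport <= 65535 )); then
      shadowsocksport=$(( 10#$shadowsocksport ))
      echo
      echo "---------------------------"
      echo "port = $shadowsocksport"
      echo "---------------------------"
      echo
      break
    fi
    echo "Input error! Please input correct numbers."
  done
}

# Read one keystroke from the terminal and print it ("press any key").
# If no tty is attached the read fails quietly and the installer continues,
# matching the original's `dd … 2>/dev/null` behaviour.
get_char() {
  local key
  IFS= read -r -s -n 1 key </dev/tty 2>/dev/null
  printf '%s' "$key"
}

# Install build/runtime dependencies with the package manager for $OS.
_ss_install_deps() {
  if [[ "$OS" == 'CentOS' ]]; then
    yum install -y wget unzip openssl-devel gcc swig python python-devel python-setuptools autoconf libtool libevent
    yum install -y automake make curl curl-devel zlib-devel perl perl-devel cpio expat-devel gettext-devel which
  else
    apt-get -y update
    apt-get -y install python python-dev python-pip python-setuptools curl wget unzip gcc swig automake make perl cpio
  fi
}

# Look up the public IPv4 address into the global IP (display only).
# Both lookups are plain-HTTP requests to third-party services, so the
# value is informational and must not be relied on for anything else.
_ss_detect_public_ip() {
  echo "Getting Public IP address, Please wait a moment..."
  IP=$(curl -s -4 icanhazip.com)
  [[ -n "$IP" ]] || IP=$(curl -s -4 ipinfo.io/ip)
  printf 'Your main public IP is\t\033[32m%s\033[0m\n' "$IP"
  echo
}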
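# Download files
#######################################
# Fetch the init script for the detected OS into /etc/init.d/shadowsocks.
# Globals:  OS (read)
# Returns:  0 on success; exits with status 1 when the download fails
# Security: the original passed --no-check-certificate, which disables TLS
# verification for a file that is later executed as root, so anyone able to
# interpose on the connection could substitute their own script. Verification
# is now enforced; on a host whose CA bundle cannot validate the server the
# download fails loudly and the installer stops, instead of proceeding with
# an unverified file.
#######################################
download_files() {
  local base=https://raw.githubusercontent.com/teddysun/shadowsocks_install/master
  local name=shadowsocks-debian
  [[ "$OS" == 'CentOS' ]] && name=shadowsocks
  if ! wget "${base}/${name}" -O /etc/init.d/shadowsocks; then
    echo "Failed to download shadowsocks chkconfig file!"
    exit 1
  fi
}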
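# Config shadowsocks
#######################################
# Write the server configuration as JSON.
# Arguments: $1 - output path (optional; default /etc/shadowsocks.json)
# Globals:   shadowsocksport, shadowsockspwd (read)
# Returns:   status of the final chmod
# Fixes relative to the original: the password is JSON-escaped (a '"' or
# '\' in it used to produce an unparseable file), and the file is set to
# mode 600 because it holds the shared secret (the original left it at the
# default umask, typically world-readable). Assumes ssserver runs as root,
# as started by the init script — adjust ownership if that changes.
# "aes-256-cfb" is an unauthenticated stream cipher kept for client
# compatibility; clients that support an AEAD method should use one.
#######################################
config_shadowsocks() {
  local config_file=${1:-/etc/shadowsocks.json}
  local pwd_json=${shadowsockspwd//\\/\\\\}   # escape backslashes first
  pwd_json=${pwd_json//\"/\\\"}               # then double quotes
  cat > "$config_file" <<EOF
{
  "server":"0.0.0.0",
  "server_port":${shadowsocksport},
  "local_address":"127.0.0.1",
  "local_port":1080,
  "password":"${pwd_json}",
  "timeout":300,
  "method":"aes-256-cfb",
  "fast_open":false
}
EOF
  chmod 600 "$config_file"
}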
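# firewall set
#######################################
# Open shadowsocksport for TCP and UDP in the host firewall: iptables on
# CentOS 6, firewalld on CentOS 7. Other releases are left untouched.
# Globals:  shadowsocksport (read)
# Outputs:  progress and warnings on stdout
# Returns:  0 (firewall tool failures are reported, not propagated)
# Fix: the original grep used single quotes around ${shadowsocksport}, so it
# searched for that literal text, never matched, and re-inserted the rules
# on every run. The check now looks for the `dpt:PORT` token as a whole word
# so e.g. port 8989 is not mistaken for 18989.
#######################################
firewall_set() {
  echo "firewall set start..."
  if centosversion 6; then
    _ss_iptables_open
  elif centosversion 7; then
    _ss_firewalld_open
  fi
  echo "firewall set completed..."
}

# CentOS 6: add iptables ACCEPT rules for the port unless already present.
_ss_iptables_open() {
  if ! /etc/init.d/iptables status >/dev/null 2>&1; then
    echo "WARNING: iptables looks like shutdown or not installed, please manually set it if necessary."
    return 0
  fi
  if iptables -L -n | grep 'ACCEPT' | grep -qw "dpt:${shadowsocksport}"; then
    echo "port ${shadowsocksport} has been set up."
    return 0
  fi
  iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport "${shadowsocksport}" -j ACCEPT
  iptables -I INPUT -m state --state NEW -m udp -p udp --dport "${shadowsocksport}" -j ACCEPT
  /etc/init.d/iptables save
  /etc/init.d/iptables restart
}

# CentOS 7: open the port permanently in firewalld's public zone, starting
# the service first if it is not running.
_ss_firewalld_open() {
  if ! systemctl status firewalld >/dev/null 2>&1; then
    echo "Firewalld looks like not running, try to start..."
    if ! systemctl start firewalld; then
      echo "WARNING: Try to start firewalld failed. please enable port ${shadowsocksport} manually if necessary."
      return 0
    fi
  fi
  firewall-cmd --permanent --zone=public --add-port="${shadowsocksport}/tcp"
  firewall-cmd --permanent --zone=public --add-port="${shadowsocksport}/udp"
  firewall-cmd --reload
}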
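# Install Shadowsocks
#######################################
# Install pip if missing (CentOS, via easy_install), then the shadowsocks
# Python package and its crypto dependencies; register the init script to
# start on boot, start the service and print the connection summary.
# Globals:  OS, IP, shadowsocksport, shadowsockspwd (read)
# Returns:  exits 0 on success, 1 on any failure
# Changes relative to the original: `which` → `command -v` (which is not
# guaranteed to exist); pip is looked up on PATH instead of assumed at
# /usr/bin/pip (easy_install may place it elsewhere); `$?` checks folded
# into `if`; `echo -e` → printf.
# NOTE(review): packages are installed unpinned from PyPI at run time; the
# M2Crypto==0.22.3 pin on CentOS 6 is the only version constraint.
#######################################
install_ss() {
  if ! command -v pip >/dev/null 2>&1 && [[ "$OS" == 'CentOS' ]]; then
    if command -v easy_install >/dev/null 2>&1; then
      easy_install pip
    else
      echo "easy_install command not found. please check it and try again."
      exit 1
    fi
  fi
  if ! command -v pip >/dev/null 2>&1; then
    echo
    echo "pip install failed! Please visit https://teddysun.com/342.html and contact."
    exit 1
  fi
  if centosversion 6; then
    # Fix swig failed error by install old version
    pip install M2Crypto==0.22.3
  else
    pip install M2Crypto
  fi
  pip install greenlet
  pip install gevent
  pip install shadowsocks
  if [[ ! -f /usr/bin/ssserver && ! -f /usr/local/bin/ssserver ]]; then
    echo
    echo "Shadowsocks install failed! Please visit https://teddysun.com/342.html and contact."
    exit 1
  fi
  chmod +x /etc/init.d/shadowsocks
  # Add run on system start up
  if [[ "$OS" == 'CentOS' ]]; then
    chkconfig --add shadowsocks
    chkconfig shadowsocks on
  else
    update-rc.d -f shadowsocks defaults
  fi
  # Run shadowsocks in the background
  /etc/init.d/shadowsocks start
  clear
  echo
  echo "Congratulations, shadowsocks install completed!"
  # The password is shown on the terminal here, as in the original, and so
  # ends up in the scrollback.
  printf 'Your Server IP: \033[41;37m %s \033[0m\n' "${IP}"
  printf 'Your Server Port: \033[41;37m %s \033[0m\n' "${shadowsocksport}"
  printf 'Your Password: \033[41;37m %s \033[0m\n' "${shadowsockspwd}"
  printf 'Your Local IP: \033[41;37m 127.0.0.1 \033[0m\n'
  printf 'Your Local Port: \033[41;37m 1080 \033[0m\n'
  printf 'Your Encryption Method: \033[41;37m aes-256-cfb \033[0m\n'
  echo
  echo "Welcome to visit:https://teddysun.com/342.html"
  echo "Enjoy it!"
  echo
  exit 0
}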
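# Uninstall Shadowsocks
#######################################
# Interactively remove shadowsocks: stop a running ssserver, deregister the
# init script, delete config/pid/init files and pip-uninstall the package.
# Globals:  answer (written); OS (written via checkos, then read)
# Outputs:  prompt and result text on stdout
# Returns:  0
# Fixes: `[ -z $answer ]` was unquoted (an answer containing spaces made the
# test error out); the `ps -ef | grep -v grep | grep -v ps | grep -i ssserver`
# chain is replaced by a self-excluding pattern — the old `grep -v ps` also
# dropped any process line that merely contained the letters "ps".
#######################################
uninstall_shadowsocks() {
  printf 'Are you sure uninstall Shadowsocks? (y/n) \n'
  read -r -p "(Default: n):" answer
  [[ -n "$answer" ]] || answer="n"
  if [[ "$answer" != "y" ]]; then
    echo "uninstall cancelled, Nothing to do"
    return 0
  fi
  # '[s]sserver' matches ssserver but not the grep command line itself
  if ps -ef | grep -qi '[s]sserver'; then
    /etc/init.d/shadowsocks stop
  fi
  checkos
  if [[ "$OS" == 'CentOS' ]]; then
    chkconfig --del shadowsocks
  else
    update-rc.d -f shadowsocks remove
  fi
  # delete config file
  rm -f /etc/shadowsocks.json
  rm -f /var/run/shadowsocks.pid
  rm -f /etc/init.d/shadowsocks
  if pip uninstall -y shadowsocks; then
    echo "Shadowsocks uninstall success!"
  else
    echo "Shadowsocks uninstall failed!"
  fi
}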
# Install Shadowsocks-python
#######################################
# Full install sequence. The order matters: checkos sets $OS, which later
# steps read, and rootness must run before anything writes under /etc.
# firewall_set is CentOS-only (iptables / firewalld).
# Globals: OS (read, after checkos sets it)
#######################################
install_shadowsocks() {
  local step
  for step in checkos rootness disable_selinux pre_install download_files config_shadowsocks; do
    "$step"
  done
  if [[ "$OS" == 'CentOS' ]]; then
    firewall_set
  fi
  install_ss
}
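# Initialization step
# Dispatch on the first argument; no argument means install.
# `${1:-install}` replaces the unquoted `[ -z $1 ]` test, which errored on
# an argument containing spaces.
action=${1:-install}
case "$action" in
  install)
    install_shadowsocks
    ;;
  uninstall)
    uninstall_shadowsocks
    ;;
  *)
    echo "Arguments error! [${action} ]"
    echo "Usage: $(basename "$0") {install|uninstall}"
    ;;
esac
安装一个防止被攻击的,主要是设置ssh登录错5次,就冻结10分钟,这个程序叫做FAIL2BAN,很直白的名字: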
i@raspberrypi:~ $ sudo apt install fail2ban Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: python3-systemd whois Suggested packages: mailx monit sqlite3 The following NEW packages will be installed: fail2ban python3-systemd whois 0 upgraded, 3 newly installed, 0 to remove and 15 not upgraded. Need to get 487 kB of archives. After this operation, 2,276 kB of additional disk space will be used. Do you want to continue? [Y/n] //这里我选择y Get:1 http://mirror.nus.edu.sg/raspbian/raspbian buster/main armhf whois armhf 5.4.3 [68.6 kB] Get:2 http://mirror.nus.edu.sg/raspbian/raspbian buster/main armhf fail2ban all 0.10.2-2.1 [385 kB] Get:3 http://mirror.rise.ph/raspbian/raspbian buster/main armhf python3-systemd armhf 234-2+b1 [34.1 kB] Fetched 487 kB in 3s (181 kB/s) Selecting previously unselected package whois. (Reading database ... 97726 files and directories currently installed.) Preparing to unpack .../archives/whois_5.4.3_armhf.deb ... Unpacking whois (5.4.3) ... Selecting previously unselected package fail2ban. Preparing to unpack .../fail2ban_0.10.2-2.1_all.deb ... Unpacking fail2ban (0.10.2-2.1) ... Selecting previously unselected package python3-systemd. Preparing to unpack .../python3-systemd_234-2+b1_armhf.deb ... Unpacking python3-systemd (234-2+b1) ... Setting up whois (5.4.3) ... Setting up fail2ban (0.10.2-2.1) ... Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /lib/systemd/system/fail2ban.service. [fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly. Setting up python3-systemd (234-2+b1) ... Processing triggers for man-db (2.8.5-2) ... Processing triggers for systemd (241-7~deb10u4+rpi1) ... pi@raspberrypi:~ $ //完成
在 /etc/fail2ban/jail.conf这里我们来调整FAIL2BAN的设置
sudo vim /etc/fail2ban/jail.conf
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 1h
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
[INCLUDES]
#before = paths-distro.conf
before = paths-debian.conf
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
ignorself = true
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 47.88.49.91/8 ::1
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 10m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#