My Vultr VPS setup
I used to use US VPSes; this time I switched to Vultr, which is comparatively good value, and tried out the low latency of its Japan datacenter. There was a discussion on V2 about 锐速 (ServerSpeeder); from the standpoint of fairness and safety I decided to drop it after all.
PS: if any of you are also planning to get a Vultr VPS, feel free to use my referral link; both you and I get the corresponding credit.
My new-user $20 credit seems to be valid for one month. I created the lowest-spec CentOS 6 i686 instance; here is a brief record of what I did after the initial setup:
Shadowsocks-libev
Not much to say about this one, the most popular circumvention tool at the moment. Install the build environment and Git (on CentOS the build tools are the make and automake packages; build-essential is a Debian package name):
yum install make automake autoconf libtool openssl-devel gcc git -y
Pull the latest Shadowsocks-libev source with Git, compile and install it, then create a startup script for Shadowsocks:
git clone https://github.com/madeye/shadowsocks-libev.git
cd shadowsocks-libev
./configure
make && make install
mkdir -p ~/soft
echo '#!/bin/sh' > ~/soft/ss
echo "nohup /usr/local/bin/ss-server -s 0.0.0.0 -p 80 -k yourpassword -m rc4-md5 --fast-open > /var/log/ss 2>&1 &" >> ~/soft/ss
chmod u+x ~/soft/ss
echo "/root/soft/ss" >> /etc/rc.local
Replace yourpassword with your own password. The --fast-open option needs a newer kernel (the stock 2.x kernel does not support it); I have already upgraded my kernel, and the client has to be configured for it as well or it has no effect. SS tuning comes later.
Nginx
This is mainly for reverse proxying. Since I need the third-party module ngx_http_substitutions_filter_module, it has to be compiled and installed by hand:
yum install make perl perl-devel perl-ExtUtils-Embed apr* autoconf automake curl-devel gcc gcc-c++ zlib-devel openssl openssl-devel pcre-devel gd kernel keyutils patch perl kernel-headers compat* mpfr cpp glibc libgomp libstdc++-devel ppl cloog-ppl keyutils-libs-devel libcom_err-devel libsepol-devel libselinux-devel krb5-devel zlib-devel libXpm* freetype libjpeg* libpng* php-common php-gd ncurses* libtool* libxml2 libxml2-devel patch
cd ~/soft
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module.git
wget http://nginx.org/download/nginx-1.6.2.tar.gz
tar xvf nginx-1.6.2.tar.gz
cd nginx-1.6.2
./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables' --with-ld-opt=-Wl,-E --add-module=/root/soft/ngx_http_substitutions_filter_module/ --with-http_spdy_module
make && make install
Next, configure nginx; I'll just paste the config files.
/etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;
events {
    use epoll;
    worker_connections 10240;
    multi_accept on;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 256;
    client_header_buffer_size 16k;
    client_body_buffer_size 2M;
    large_client_header_buffers 2 16k;
    client_max_body_size 8M;
    server_tokens off;
    ## Start: Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 15;
    send_timeout 30;
    ## End: Timeouts ##
    server_name_in_redirect off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    gzip on;
    gzip_disable "msie6";
    gzip_proxied any;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_comp_level 4;
    gzip_vary on;
    gzip_http_version 1.1;
    # Load config files from the /etc/nginx/conf.d directory
    # The default server is in conf.d/default.conf
    include /etc/nginx/conf.d/*.conf;
}
/etc/nginx/conf.d/default.conf
proxy_cache_path /data/nginx/ levels=1:2 keys_zone=cache_one:64m inactive=12h max_size=8m;
server {
    listen 443 ssl spdy;
    server_name id.holmesian.org;
    ssl on;
    ssl_certificate /root/key/id.holmesian.crt;
    ssl_certificate_key /root/key/id.holmesian.key;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols SSLv3 TLSv1; #Not safe!!
    #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PSK;
    #ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:2m;
    ssl_session_timeout 30m;
    location /robots.txt {
        alias /data/www/robots.txt;
        access_log off;
        error_log off;
    }
    location / {
        auth_basic "secret";
        auth_basic_user_file /data/passwd.db; #The password is test
        proxy_cache cache_one;
        proxy_cache_valid 200 304 12h;
        proxy_cache_key $host$uri$is_args$args;
        proxy_redirect https://www.google.com/ /;
        proxy_cookie_domain google.com id.holmesian.org;
        proxy_pass https://www.google.com;
        proxy_set_header Host "www.google.com";
        proxy_set_header Accept-Encoding "";
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Accept-Language "zh-CN";
        proxy_set_header Cookie "PREF=ID=798233ca25b8f3e7:FF=2:LD=zh-CN:NW=1:TM=1414228652:LM=1414228652:GM=1:SG=2:S=Pyy5DHOfFDgN3Lh_;NID=67=MDk4wPqtURIfBEaTNu3xt5kAsvNJjFJox_uz9CgTKAtcEdkN_722KynIAQKnuPymBmiEmssCBGGOc1QfntwwrVqSvODVxL3oW0Dz3zIbHDJykfG_cnr510o9Y3FN71hz";
        subs_filter www.google.com id.holmesian.org;
        subs_filter //ssl.gstatic.com "/gstatic";
        subs_filter id.google.com id.holmesian.org;
        subs_filter "google.timers.load.t.xjsls" "#";
        expires 1d;
    }
    location /www/ {
        alias /data/www/;
        index index.html index.htm;
        # access_log off;
        error_log off;
    }
}
The above is an example for id.holmesian.org; you need to create the /data directory and supply your own SSL certificate first. I won't paste the other reverse-proxy configs. Once nginx -t reports no errors, add nginx to the startup services.
PPTP
There are plenty of ready-made guides online; I'll just paste my config.
# cat /etc/pptpd.conf |grep -v ^#
option /etc/ppp/options.pptpd
logwtmp
connections 10
localip 10.168.0.1
remoteip 10.168.0.234-238,10.168.0.245
# cat /etc/ppp/options.pptpd |grep -v ^#
name holmesianjp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
Set the password in /etc/ppp/chap-secrets yourself.
iptables
Straight to the result. Under #Open for service, 8.8.8.8 is the DNS address.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 47 -j ACCEPT  # GRE is IP protocol 47, not a TCP port; the "-p gre" rule below is what PPTP needs
iptables -A INPUT -s 8.8.8.8/32 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#Default rules
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# For PPTP NAT and MTU faster
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
service iptables save
80 is for ss, 443 for nginx, 1723 and GRE for PPTP, 3389 for sshd.
Of the last two rules, one does the NAT so PPTP clients can reach the internet, the other clamps the MSS to the path MTU, which speeds things up in some situations.
service iptables save saves the rules; service iptables restart applies them.
Fail2ban
Install it from the yum repository, then adjust a few settings.
yum -y install fail2ban
# cat /etc/fail2ban/fail2ban.conf |grep -v ^#
[Definition]
loglevel = 2
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
There are several key points in /etc/fail2ban/jail.conf; the explanatory comments are on their own lines here, since fail2ban's ini parser does not strip a trailing # comment from a value:
# Global settings
[DEFAULT]
# IPs to ignore, exempt from all rules (whitelist)
ignoreip = 127.0.0.1
# Ban duration, in seconds
bantime = 600
# Exceeding maxretry within this window gets the host banned
findtime = 600
# Maximum number of attempts
maxretry = 3
# Log change detection mechanism (gamin, polling or auto)
backend = auto
# Per-service check configuration; bantime, findtime and maxretry set here take precedence over the global values
[ssh-iptables]
# Whether this jail is active (true/false)
enabled = true
# Name of the filter, corresponding to sshd.conf in the filter.d directory
filter = sshd
# Action parameters; port here is the SSH port number, so change it if you moved SSH to another port.
# The indented second line is a second action: sendmail-whois sends the alert to the given recipient.
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
# The system login log to watch
logpath = /var/log/secure
[ssh-ddos]
enabled = true
filter = sshd-ddos
action = iptables[name=SSHDDOS, port=3389, protocol=tcp]
logpath = /var/log/secure
[nginx-http-40x]
enabled = true
# This is a custom filter, corresponding to nginx-401.conf in the filter.d directory; the ones below work the same way
filter = nginx-401
action = iptables-multiport[name=nginx-401,port="443"]
logpath = /var/log/nginx/access.log
[ss-fail]
enabled = true
filter = ss-fail
action = iptables-multiport[name=ss-fail,port="80,443,4869"]
logpath = /var/log/messages
[anyconnect-fail]
enabled = true
filter = anyconnect-fail
action = iptables-multiport[name=anyconnect-fail,port="80,443,4869"]
logpath = /var/log/messages
Edit /etc/fail2ban/filter.d/sshd.conf and add the rule ^%(__prefix_line)sBad protocol version identification '.*' from <HOST>\s*$ to failregex. Because I moved SSH to port 3389, scanners probe it speaking the wrong protocol, and this log message lets fail2ban ban the scanners as well.
#cat nginx-401.conf
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* 401 .*$
            <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =
# cat anyconnect-fail.conf
[Definition]
# <HOST> is required in every failregex so fail2ban knows which address to ban
failregex = worker: <HOST>(:\d+)? tlslib.c:372: error verifying client certificate: No certificate was found.
ignoreregex =
#cat ss-fail.conf
[Definition]
failregex = failed to handshake with <HOST>$
ignoreregex =
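To check these filters before enabling their jails, here is an added example (not from the original post) that dry-runs each failregex against constructed sample log lines with grep; it substitutes an IPv4 pattern for <HOST> and ".*" for %(__prefix_line)s, and the sample lines are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: dry-run the failregex lines above
# against constructed sample log lines with grep, to confirm each filter matches
# what you expect before enabling its jail. <HOST> is swapped for an IPv4
# pattern and %(__prefix_line)s for ".*"; fail2ban-regex remains the real tool.
# Turn a fail2ban failregex into a POSIX extended regex for grep -E.
f2b_to_ere() {
    printf '%s\n' "$1" | sed -e 's/%(__prefix_line)s/.*/' \
        -e 's/<HOST>/([0-9]{1,3}\\.){3}[0-9]{1,3}/g' \
        -e 's/\\s/[[:space:]]/g'
}

# Count the lines on stdin that a failregex would flag.
f2b_match_count() {
    grep -cE "$(f2b_to_ere "$1")"
}

# Constructed sample logs in the formats consumed by the filters above.
sample_nginx() {
cat <<'EOF'
198.51.100.7 - - [26/Oct/2014:10:00:01 +0000] "GET / HTTP/1.1" 401 188 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Oct/2014:10:00:05 +0000] "GET /admin HTTP/1.1" 404 162 "-" "curl/7.29"
203.0.113.9 - - [26/Oct/2014:10:00:09 +0000] "GET /www/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}
sample_secure() {
cat <<'EOF'
Oct 26 10:01:02 vps sshd[1234]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.7
Oct 26 10:01:10 vps sshd[1240]: Accepted publickey for admin from 203.0.113.9 port 50000 ssh2
EOF
}
sample_messages() {
cat <<'EOF'
Oct 26 10:02:00 vps ss-server[1300]: failed to handshake with 198.51.100.7
Oct 26 10:02:03 vps ss-server[1300]: accept a connection
EOF
}

# Hits per filter on the samples; a 0 means the regex and log format disagree.
nginx_401_hits()     { sample_nginx    | f2b_match_count '<HOST> -.*- .*HTTP/1.* 401 .*$'; }
nginx_404_hits()     { sample_nginx    | f2b_match_count '<HOST> -.*- .*HTTP/1.* 404 .*$'; }
sshd_badproto_hits() { sample_secure   | f2b_match_count "^%(__prefix_line)sBad protocol version identification '.*' from <HOST>\\s*\$"; }
ss_fail_hits()       { sample_messages | f2b_match_count 'failed to handshake with <HOST>$'; }

for check in nginx_401_hits nginx_404_hits sshd_badproto_hits ss_fail_hits; do
    printf '%s: %s\n' "$check" "$($check)"
done
```

Each check should report 1 on the samples; pipe a slice of the real log into f2b_match_count with the same regex to see what a jail would ban.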
Once everything is done, service fail2ban restart, then check with iptables -L -n -v that the rules took effect.
Other settings
Whether you use sshd or dropbear, changing the port and disabling root login are a must; creating an ordinary account and adding it to sudo is good practice. If the devices you connect from are fixed, consider key-based login and disabling PAM; UseDNS no speeds up SSH login.
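The sshd changes just listed, as an added example that is not from the original post: a small script that edits an sshd_config idempotently. Port 3389, the setting list and the demo file path are assumptions; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: apply the sshd settings listed
# above (new port, no root login, key-only login, no PAM, UseDNS no) to an
# sshd_config file idempotently. Port 3389 and the demo file path are
# assumptions; on a real host run it on /etc/ssh/sshd_config, then "sshd -t"
# and verify a fresh login on the new port before closing your session.
# Set KEY to VALUE in FILE: all active or commented lines for KEY are dropped and
# one "KEY VALUE" line takes the first one's place (appended if none existed).
# Lines inside Match blocks are not treated specially.
sshd_set() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[# \t]*" k "[ \t]") { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Effective value of KEY in FILE (first active line), empty if not set.
sshd_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# The hardening steps recommended above, applied in one go.
harden_sshd_config() {
    cfg=$1 port=${2:-3389}
    sshd_set "$cfg" Port "$port"
    sshd_set "$cfg" PermitRootLogin no
    sshd_set "$cfg" PubkeyAuthentication yes
    sshd_set "$cfg" PasswordAuthentication no
    sshd_set "$cfg" UsePAM no
    sshd_set "$cfg" UseDNS no
}

# Constructed stock-like config for the demo (not any real server's file).
write_sample_config() {
cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
#UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}
demo=${TMPDIR:-/tmp}/sshd_config.demo
write_sample_config "$demo"
harden_sshd_config "$demo" 3389
cat "$demo"
```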
Kernel tuning
/etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Controls the default maximum size of a message queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456
#This is for shadowsocks
fs.file-max = 51200
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 10240
net.ipv4.tcp_max_tw_buckets = 5000
# increase TCP max buffer size settable using setsockopt()
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
# increase Linux autotuning TCP buffer limit
#net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
# increase the length of the processor input queue
net.core.netdev_max_backlog = 30000
# recommended for hosts with jumbo frames enabled
net.ipv4.tcp_mtu_probing=1
net.ipv4.tcp_fastopen=3
net.ipv4.tcp_congestion_control=htcp
#net.ipv4.tcp_congestion_control = hybla
sysctl -p applies the settings immediately. You can make one hybla config file and one htcp config file and switch between them from crontab according to the time of day; remember to restart SS after switching.
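The cron-driven switch described above, as an added example that is not from the original post. The schedule (hybla by day, htcp at night), the ss start script path /root/soft/ss and the crontab line are assumptions; the algorithm is checked against the kernel's available list before it is applied.

```shell
#!/bin/sh
# Added example, not from the original post: an hourly cron job that switches
# the TCP congestion control algorithm by time of day, as suggested above, and
# restarts ss-server afterwards. The schedule (hybla by day, htcp at night),
# the ss start script path and the crontab line are assumptions.
#   crontab entry: 0 * * * * /root/soft/switch_cc.sh run

# Algorithm for a given hour (00-23).
pick_cc() {
    hour=${1#0}; hour=${hour:-0}
    if [ "$hour" -ge 8 ] && [ "$hour" -lt 23 ]; then echo hybla; else echo htcp; fi
}

# True if NAME is in the space-separated LIST the kernel exposes in
# /proc/sys/net/ipv4/tcp_available_congestion_control.
cc_available() {
    for a in $2; do [ "$a" = "$1" ] && return 0; done
    return 1
}

# Apply the algorithm for the current hour, loading its module if needed, then
# restart ss-server: sockets keep the algorithm they were created with.
apply_cc() {
    cc=$(pick_cc "$(date +%H)")
    avail=$(cat /proc/sys/net/ipv4/tcp_available_congestion_control)
    if ! cc_available "$cc" "$avail"; then
        modprobe "tcp_$cc" || { echo "tcp_$cc is not available on this kernel" >&2; return 1; }
    fi
    sysctl -w net.ipv4.tcp_congestion_control="$cc"
    pkill -x ss-server
    /root/soft/ss
}

[ "${1:-}" = run ] && apply_cc
```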
Disabling mail
Since Vultr does not allow outgoing mail by default, sending mail would require relaying through another SMTP server that supports SSL. I have no need for it at the moment, so I simply turned it off.
service postfix stop
chkconfig postfix off
Additional security settings
For those who want to keep tinkering: for safety's sake, Shadowsocks should not run as root, but an unprivileged user cannot bind ports below 1024 by default, which is where setcap comes in. First create a user with no password that cannot log in, then grant the permission specifically and start ss as that user:
adduser --no-create-home shadowsocks
# let the binary bind port 80 without running as root
setcap cap_net_bind_service=+ep /usr/local/bin/ss-server
nohup su - shadowsocks -c "/usr/local/bin/ss-server -s 0.0.0.0 -p 80 -k yourpassword -m rc4-md5 &" > /var/log/ss
Then configure iptables, adding a SHADOWSOCKS chain that matches and controls the shadowsocks user's traffic:
iptables -N SHADOWSOCKS
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -d 127.0.0.0/8 -j REJECT
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -d 169.254.0.0/16 -j REJECT
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -d 172.16.0.0/12 -j REJECT
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -d 192.168.0.0/16 -j REJECT
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -d 10.168.0.0/24 -j REJECT
iptables -A SHADOWSOCKS -m owner --uid-owner shadowsocks -d 0.0.0.0/0 -j ACCEPT
iptables -A OUTPUT -j SHADOWSOCKS
Here I block shadowsocks from reaching local and internal addresses; you can also redirect its traffic, for example through a back-end nginx/squid cache, which is very useful when you share the shadowsocks server with others.