我的Vultr VPS设置

2015-01-25T16:46:00

之前都是用美国的VPS,这次换了相对物美价廉的Vultr,体验了一番日本数据中心的低延迟。V2上关于锐速展开了一番讨论,站在相对公平和相对安全的角度,还是弃用锐速了。

PS:如果有TX也准备用vultrl的VPS,不妨用我的优惠连接,你和我都会得到相应的优惠~

我新用户$20的优惠貌似是一个月有效,我开了个最低配的CentOS6 i686的,简单记录一下初始化完成之后做的工作:

Shadowsocks-libev

这个不多说,时下最流行的科学上网工具,安装编译环境和Git

    yum install build-essential autoconf libtool openssl-devel gcc git -y

Git拉取最新Shadowsocks-libev源码,编译安装,再创建一个Shadowsocks的开机启动脚本


    git clone https://github.com/madeye/shadowsocks-libev.git
    cd shadowsocks-libev
    ./configure
    make && make install
    echo "nohup /usr/local/bin/ss-server -s 0.0.0.0 -p 80 -k yourpassword -m rc4-md5 --fast-open > /var/log/ss & " > ~/soft/ss
    chmod u+x ~/soft/ss
    echo "/root/soft/ss" >> /etc/rc.local

其中yourpassword请改成自己的密码,选项--fast-open要新内核才支持,默认2.x不支持,我已经自己升级了内核,客户端也要配置的才有效。如何优化SS,放在后面吧~

Nginx

这个主要用来反代的,由于要用到几个第三方module-ngx_http_substitutions_filter_module,所以需要自己编译安装

    yum install make perl perl-devel perl-ExtUtils-Embed apr* autoconf automake curl-devel gcc gcc-c++ zlib-devel openssl openssl-devel pcre-devel gd kernel keyutils patch perl kernel-headers compat* mpfr cpp glibc libgomp libstdc++-devel ppl cloog-ppl keyutils-libs-devel libcom_err-devel libsepol-devel  libselinux-devel krb5-devel zlib-devel libXpm* freetype libjpeg* libpng* php-common php-gd ncurses* libtool* libxml2 libxml2-devel patch
    cd ~/soft
    git clone git://github.com/yaoweibin/ngx_http_substitutions_filter_module.git
    wget http://nginx.org/download/nginx-1.6.2.tar.gz
    tar xvf nginx-1.6.2.tar.gz
    cd nginx-1.6.2
    
    ./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-http_addition_module  --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables' --with-ld-opt=-Wl,-E --add-module=/root/soft/ngx_http_substitutions_filter_module/  --with-http_spdy_module
    
    make && make install

接下来开始配置nginx,直接贴配置文件了

/etc/nginx.conf

    user              nginx;
    worker_processes  1;
    
    error_log  /var/log/nginx/error.log crit;
    
    pid        /var/run/nginx.pid;
    
    events {
        use epoll;
        worker_connections  10240;
        multi_accept on;
    }
    
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
        server_names_hash_bucket_size 256;
        client_header_buffer_size 16k;
        client_body_buffer_size  2M;
        large_client_header_buffers 2 16k;
        client_max_body_size 8M;
        server_tokens off;
    
    ## Start: Timeouts ##
      client_body_timeout   10;
      client_header_timeout 10;
      keepalive_timeout     15;
      send_timeout          30;
    ## End: Timeouts ##
        server_name_in_redirect off;
        sendfile        on;
        tcp_nopush     on;
        tcp_nodelay on;
    
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
    gzip              on;
    gzip_disable "msie6";
    gzip_proxied any;
    gzip_min_length   1k;
    gzip_buffers      4 16k;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_comp_level   4;
    gzip_vary         on;
    gzip_http_version 1.1;
    
        # Load config files from the /etc/nginx/conf.d directory
        # The default server is in conf.d/default.conf
        include /etc/nginx/conf.d/*.conf;
    
    }

/etc/nginx/conf.d/default.conf

proxy_cache_path /data/nginx/ levels=1:2 keys_zone=cache_one:64m inactive=12h max_size=8m ;
server {
        listen      443 ssl spdy;
        server_name  id.holmesian.org;
        ssl on;
        ssl_certificate /root/key/id.holmesian.crt;
        ssl_certificate_key /root/key/id.holmesian.key;
        #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_protocols SSLv3 TLSv1; #Not safe!!
        #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
        #ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:2m;
        ssl_session_timeout 30m;

location /robots.txt {
alias    /data/www/robots.txt;
        access_log off;
        error_log off;
}

location / {
                auth_basic "secret";
                auth_basic_user_file /data/passwd.db;   #The password is test
                proxy_cache cache_one;
                proxy_cache_valid  200 304 12h;
                proxy_cache_key $host$uri$is_args$args;
                proxy_redirect https://www.google.com/ /;
                proxy_cookie_domain google.com id.holmesian.org;
                proxy_pass              https://www.google.com;
                proxy_set_header Host "www.google.com";
                proxy_set_header Accept-Encoding "";
                proxy_set_header User-Agent $http_user_agent;
                proxy_set_header Accept-Language "zh-CN";
                proxy_set_header Cookie "PREF=ID=798233ca25b8f3e7:FF=2:LD=zh-CN:NW=1:TM=1414228652:LM=1414228652:GM=1:SG=2:S=Pyy5DHOfFDgN3Lh_;NID=67=MDk4wPqtURIfBEaTNu3xt5kAsvNJjFJox_uz9CgTKAtcEdkN_722KynIAQKnuPymBmiEmssCBGGOc1QfntwwrVqSvODVxL3oW0Dz3zIbHDJykfG_cnr510o9Y3FN71hz";
                subs_filter www.google.com id.holmesian.org;
                subs_filter //ssl.gstatic.com "/gstatic";
                subs_filter id.google.com  id.holmesian.org;
                subs_filter "google.timers.load.t.xjsls" "#"
                expires      1d;

}
location  /www/ {
              alias    /data/www/;
              index index.html index.htm;
#        access_log off;
        error_log off;
                }
        }

上面是一个id.holmesian.org的例子,需要自己先创建一个/data目录,自备SSL证书,其他的反代配置就不贴了,nginx -t无误后就把nignx加入自启动了。

PPTP

网上现成的很多,随便贴一下


    # cat /etc/pptpd.conf |grep -v ^#
    option /etc/ppp/options.pptpd
    logwtmp
    connections 10
    localip 10.168.0.1
    remoteip 10.168.0.234-238,10.168.0.245
    # cat /etc/ppp/options.pptpd |grep -v ^#
    name holmesianjp
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    ms-dns 8.8.8.8
    ms-dns 8.8.4.4
    proxyarp
    lock
    nobsdcomp
    novj
    novjccomp
    nologfd

/etc/ppp/chap-secrets的密码就自己设置了~

iptables

直接上结果,#Open for service,其中8.8.8.8为DNS地址


    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
    iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
    iptables -A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT 
    iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
    iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT 
    iptables -A INPUT -p tcp -m tcp --dport 47 -j ACCEPT
    iptables -A INPUT -s 8.8.8.8/32 -j ACCEPT
    iptables -A INPUT -p gre -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    #Default rules
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    # For PPTP NAT and MTU faster
    iptables -t nat -A POSTROUTING -j MASQUERADE
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    service iptables save

80给ss,443给nginx,1723和gre给pptp,3389给sshd。

最后两条一条是给PPTPNAT上网用的,一条是统一MTU在一些情况下加速用的。

service iptables save保存,service iptables restart生效。

Fail2ban

从yum源安装好,然后修改一些配置

    yum -y install fail2ban

    # cat /etc/fail2ban/fail2ban.conf |grep -v ^#
    
    [Definition]
    
    loglevel = 2
    
    logtarget = /var/log/fail2ban.log
    
    socket = /var/run/fail2ban/fail2ban.sock
    
    pidfile = /var/run/fail2ban/fail2ban.pid

/etc/fail2ban/jail.conf里面有几个重点


    [DEFAULT]                                 #全局设置 
    ignoreip = 127.0.0.1                      #忽略的IP列表,不受设置限制(白名单) 
    bantime  = 600                            #屏蔽时间,单位:秒 
    findtime  = 600                           #这个时间段内超过规定次数会被ban掉 
    maxretry = 3                              #最大尝试次数 
    backend = auto                            #日志修改检测机制(gamin、polling和auto这三种) 
     
    [ssh-iptables]                            #针对各服务的检查配置,如设置bantime、findtime、maxretry和全局冲突,服务优先级大于全局设置 
    enabled  = true                           #是否激活此项(true/false) 
    filter   = sshd                           #过滤规则filter的名字,对应filter.d目录下的sshd.conf 
    action   = iptables[name=SSH, port=ssh, protocol=tcp]                                                                        #动作的相关参数,这里port的值等于ssh的端口号,如改过ssh端口要相应修改。
               sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]   #触发报警的收件人 
    logpath  = /var/log/secure                #检测的系统的登陆日志文件 
    
    [ssh-ddos]
    
    enabled  = true
    filter   = sshd-ddos
    action   = iptables[name=SSHDDOS, port=3389, protocol=tcp]
    logpath  = /var/log/secure
    
    
    [nginx-http-40x]
    enabled = true
    filter  = nginx-401  #这个是自定义的filter,对应filter.d目录下的nginx-401.conf,下面类似
    action  = iptables-multiport[name=nginx-401,port="443"]
    logpath = /var/log/nginx/access.log
    
    [ss-fail]
    enabled = true
    filter  = ss-fail
    action  = iptables-multiport[name=ss-fail,port="80,443,4869"]
    logpath = /var/log/messages
    
    
    [anyconnect-fail]
    enabled = true
    filter  = anyconnect-fail
    action  = iptables-multiport[name=anyconnect-fail,port="80,443,4869"]
    logpath = /var/log/messages

修改/etc/fail2ban/filter.d/sshd.conf,在规则里添加一项^%(__prefix_line)sBad protocol version identification . from <HOST>s$,因为我把ssh端口改成了3389,扫描器会用错误的协议尝试访问,通过这个提示也ban掉扫描器。


    #cat nginx-401.conf
    
    [Definition]
    
    failregex = <HOST> -.*- .*HTTP/1.* 401 .*$
     <HOST> -.*- .*HTTP/1.* 404 .*$
    
    ignoreregex =
    
    
    # cat anyconnect-fail.conf
    
    [Definition]
    
    failregex = worker: (:\d+)? tlslib.c:372: error verifying client certificate: No certificate was found.
    
    ignoreregex =
    
    
    
    #cat ss-fail.conf
    
    [Definition]
    
    failregex =  failed to handshake with $
    ignoreregex =

全部搞定之后,service fail2ban restart,然后iptables -L -n -v看看是否生效。 6、其他配置 无论用sshd还是dropbear,改端口和禁止root登陆是必须的,新建一个普通帐号然后加入sudo里是良好的习惯。如果上网设备固定可以考虑证书登陆和禁用PAM,UseDNS no可以加快ssh登陆

内核调优

/etc/sysctl.conf


    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1
    
    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1
    
    # Do not accept source routing
    net.ipv4.conf.default.accept_source_route = 0
    
    # Controls the System Request debugging functionality of the kernel
    kernel.sysrq = 0
    
    # Controls whether core dumps will append the PID to the core filename.
    # Useful for debugging multi-threaded applications.
    kernel.core_uses_pid = 1
    
    # Controls the use of TCP syncookies
    net.ipv4.tcp_syncookies = 1
    
    # Disable netfilter on bridges.
    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0
    
    # Controls the default maxmimum size of a mesage queue
    kernel.msgmnb = 65536
    
    # Controls the maximum size of a message, in bytes
    kernel.msgmax = 65536
    
    # Controls the maximum shared segment size, in bytes
    kernel.shmmax = 4294967295
    
    # Controls the maximum number of shared memory segments, in pages
    kernel.shmall = 268435456
    
    #This is for shadowsocks
    fs.file-max = 51200
    
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_tw_recycle = 0
    net.ipv4.tcp_fin_timeout = 15
    net.ipv4.tcp_keepalive_time = 1200
    net.ipv4.ip_local_port_range = 10000 65000
    net.ipv4.tcp_max_syn_backlog = 10240
    net.ipv4.tcp_max_tw_buckets = 5000
    
    
    # increase TCP max buffer size settable using setsockopt()
    net.core.rmem_max = 67108864
    net.core.wmem_max = 67108864
    # increase Linux autotuning TCP buffer limit
    #net.ipv4.tcp_mem = 25600 51200 102400
    net.ipv4.tcp_rmem = 4096 87380 67108864
    net.ipv4.tcp_wmem = 4096 65536 67108864
    # increase the length of the processor input queue
    net.core.netdev_max_backlog = 30000
    # recommended for hosts with jumbo frames enabled
    net.ipv4.tcp_mtu_probing=1
    
    net.ipv4.tcp_fastopen=3
    net.ipv4.tcp_congestion_control=htcp
    #net.ipv4.tcp_congestion_control = hybla

sysctl -p立即生效,这里可以分别做一个hybla和一个htcp的配置文件,放在crontab里根据时间来切换,记得切换之后重启一下SS。

关闭邮件

由于vultrl默认是不让发邮件的,要发邮件的话要自己转发到其他支持SSL的SMTP上去发,我暂时用不到,就干脆关掉了


    service postfix stop
    chkconfig postfix off

额外的安全设置

想继续折腾的TX为了安全期间,Shadowsocks还是不要用root账户运行,但是非root权限默认不能启用1024以下的端口,这里就要用到setcap了。先创建一个无密码不能登陆的用户,用它启动ss再专门赋予权限:


    adduser --no-create-home shadowsocks
    nohup su - shadowsocks -c "/usr/local/bin/ss-server -s 0.0.0.0 -p 80 -k yourpassword -m rc4-md5 &" > /var/log/ss 

然后配置iptables,添加一个SHADOWSOCKS的表,用来匹配控制SHADOWSOCKS规则,


    iptables -N SHADOWSOCKS
    iptables -t filter -m owner --uid-owner shadowsocks  -A SHADOWSOCKS -d 127.0.0.0/8 -j REJECT
    iptables -t filter -m owner --uid-owner shadowsocks  -A SHADOWSOCKS -d 169.254.0.0/16 -j REJECT
    iptables -t filter -m owner --uid-owner shadowsocks  -A SHADOWSOCKS -d 172.16.0.0/12 -j REJECT
    iptables -t filter -m owner --uid-owner shadowsocks  -A SHADOWSOCKS -d 192.168.0.0/16 -j REJECT
    iptables -t filter -m owner --uid-owner shadowsocks  -A SHADOWSOCKS -d 10.168.0.0/24 -j REJECT
    iptables -t filter -m owner --uid-owner shadowsocks  -A SHADOWSOCKS -d 0.0.0.0/0 -j ACCEPT
    iptables -A OUTPUT -j SHADOWSOCKS

我这里是禁止shadowsocks访问本地有关的地址,还可以做重定向啦,后端nginx/squid缓存之类的,这在要把shadowsocks共享出去的情况下非常有用。

当前页面是本站的「Baidu MIP」版。发表评论请点击:完整版 »