Securing Public Shadowsocks Server

clowwindy edited this page Aug 16, 2015 · 5 revisions

If you share your server with strangers, you need to be careful. The numbers used below are just examples.

  1. Optimize your server

  2. Limit bandwidth

     apt-get install wondershaper
     # limit bandwidth to 10Mb/10Mb on eth0 (wondershaper takes downlink then uplink, both in kbit/s)
     wondershaper eth0 10000 10000
    
  3. Limit connections

     # reset new connections from a source address that already holds 32 on the Shadowsocks port (connlimit counts per source IP by default)
     iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset
    
  4. Prevent ssh password cracking

     apt-get install denyhosts
    
  5. Prevent Shadowsocks password cracking

  6. Block connection to localhost

  7. Run Shadowsocks server as nonroot user

     # dedicated unprivileged account; ssserver switches to it after binding its port,
     # and the owner-based iptables rules in the next steps key on this uid
     sudo useradd ssuser
     sudo ssserver [other options] --user ssuser
    
  8. Block traffic to non-HTTP port

     # -A appends, so order matters: the two ACCEPTs must come before the final REJECT.
     # Only TCP is restricted here; UDP (e.g. the server's own DNS lookups) is untouched.
     iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j ACCEPT
     iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 443 -j ACCEPT
     iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
    
  9. Block BitTorrent trackers

     apt-get install nginx
    
     Edit the nginx configuration (this proxy only sees plain HTTP; HTTPS traffic still leaves directly under step 8):

     server {
         # Only the local REDIRECT below should reach this proxy. Listening on
         # 0.0.0.0 would expose an open HTTP proxy to the whole internet.
         listen 127.0.0.1:3128;
         resolver 8.8.8.8;
         location / {
             set $upstream_host $host;
             # refuse tracker announces and .torrent downloads
             if ($request_uri ~ "^/announce.*") {
                 return 403;
             }
             if ($request_uri ~ "^.*torrent.*") {
                 return 403;
             }
             proxy_set_header Host $upstream_host;
             proxy_pass http://$upstream_host;
             proxy_buffering off;
         }
     }
    
     Redirect port 80 to nginx:

     iptables -t nat -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

     Note: if you also applied the rules from step 8, the filter OUTPUT chain sees this packet after the redirect, i.e. with destination 127.0.0.1:3128, so add an ACCEPT for that destination ahead of the final REJECT or the redirected HTTP traffic will be reset.
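The rules from steps 3 and 6 to 9 interact: `-A` order decides what matches first, and the nat redirect in step 9 changes the destination that the filter rules of step 8 see. The script below is an added example for this page, not code from the shadowsocks project, that generates the rules in a working order and applies them on request. It assumes the `ssuser` account from step 7, a listening port of 8388 (override with `SHADOWSOCKS_PORT`), nginx on 127.0.0.1:3128, and it extends step 6 beyond loopback to the link-local (cloud metadata) and RFC1918 ranges; the `IPTABLES` and `SS_APPLY` variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example for this page; not part of the shadowsocks project.
# Generates (and optionally applies) the iptables rules from steps 3 and 6-9
# in an order that works when they are combined.
set -eu

SS_USER="${SS_USER:-ssuser}"                # user ssserver runs as (step 7)
SS_PORT="${SHADOWSOCKS_PORT:-8388}"         # assumed listening port of ssserver
PROXY_PORT="${PROXY_PORT:-3128}"            # local nginx listener from step 9
MAX_CONN="${MAX_CONN:-32}"                  # per-source connection cap (step 3)
IPTABLES="${IPTABLES:-iptables}"            # set to "echo iptables" to dry-run
# Destinations the relay must never reach on a client's behalf: loopback
# (step 6), extended here to the link-local/metadata and RFC1918 ranges.
LOCAL_NETS="127.0.0.0/8 169.254.0.0/16 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the iptables arguments, one rule per line, in the order they must be
# appended. -A appends, so the order printed is the order matched.
ss_rules() {
  # Step 3: cap concurrent connections per source address on the ss port.
  echo "-A INPUT -p tcp --syn --dport $SS_PORT -m connlimit --connlimit-above $MAX_CONN --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
  # Step 9: divert the relay's plain-HTTP traffic into the local nginx filter.
  echo "-t nat -A OUTPUT -m owner --uid-owner $SS_USER -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
  # The filter OUTPUT chain runs after nat OUTPUT and sees the rewritten
  # destination 127.0.0.1:$PROXY_PORT, so that single loopback hop is allowed
  # before loopback is blocked below.
  echo "-A OUTPUT -m owner --uid-owner $SS_USER -p tcp -d 127.0.0.1 --dport $PROXY_PORT -j ACCEPT"
  # Step 6 (extended): no other traffic from the relay to local/private ranges.
  for net in $LOCAL_NETS; do
    echo "-A OUTPUT -m owner --uid-owner $SS_USER -d $net -j REJECT"
  done
  # Step 8: only HTTPS leaves directly (HTTP went through nginx); all other
  # TCP from the relay is reset. UDP (e.g. DNS lookups) is not restricted.
  echo "-A OUTPUT -m owner --uid-owner $SS_USER -p tcp --dport 443 -j ACCEPT"
  echo "-A OUTPUT -m owner --uid-owner $SS_USER -p tcp -j REJECT --reject-with tcp-reset"
}

# Feed each printed rule to iptables (word splitting of $rule is intended).
apply_rules() {
  ss_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2086
    $IPTABLES $rule
  done
}

if [ "${SS_APPLY:-0}" = 1 ]; then
  apply_rules
else
  echo "# dry run: run with SS_APPLY=1 to apply via '$IPTABLES'" >&2
  ss_rules
fi
```

Run it once without arguments to review the generated rules, then `SS_APPLY=1 sh ss-firewall.sh` as root to apply them. These are IPv4 rules only; if the server has IPv6 connectivity, repeat the OUTPUT rules with `ip6tables` against `::1`, `fe80::/10` and `fc00::/7`, otherwise the relay can still reach local services over IPv6.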