shadowsocks的优化和安全设置总结

last modified : 2017-06-04 | published: 2016-11-21 | category:

环境

Debian “testing” Vultr

ChangeLog

# 2017.04
* 升级到debian 9+ (stretch/testing)

# 2017.06
* squid 不再劫持流量,改用 ss-tunnel 转发。
+ 使用gfwlist生成proxy.pac
+ 使用privoxy将socks5转化成http

1. 安装

版本的选择

根据官方文档:Feature Comparison across Different Versions

通过源安装Shadowsocks-libev

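# Install shadowsocks-libev from the distribution repositories (the page targets Debian 9/testing).
# Do not go on to the install step when refreshing the package lists failed.
apt update || exit 1
apt install shadowsocks-libev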

2. 安全配置

以非root运行shadowsocks

开源程序,不怕后门怕漏洞。新建低权限系统用户 shadowsocks:

# Dedicated unprivileged system account for ss-server: no password, no login, no home directory.
# Creating the account is not enough on its own; the service unit must also be told to run as it (next step).
adduser --system --disabled-password --disabled-login --no-create-home shadowsocks

修改 /lib/systemd/system/shadowsocks-libev.service

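# Goes in the [Service] section. systemd directive names are case-sensitive: "USER=" / "GROUP="
# are reported as unknown lvalues and ignored, so the daemon would keep running as whatever user
# the unit already specifies. The correct directives are User= and Group=.
User=shadowsocks
Group=nogroup
# Editing /lib/systemd/system/... directly is lost on the next package upgrade; a drop-in created
# with `systemctl edit shadowsocks-libev` holding these two lines survives upgrades.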

输入 systemctl daemon-reload 和 service shadowsocks-libev restart 生效。

允许shadowsocks运行在1024以下端口

机房的网络往往有QOS,低位端口的优先级往往比高位端口的优先级高。

# Grant ss-server only CAP_NET_BIND_SERVICE (bind to ports < 1024) instead of running it as root.
# Caveat: file capabilities vanish when a package upgrade replaces the binary, so this has to be
# re-applied after upgrades (check with `getcap /usr/bin/ss-server`). An alternative that survives
# upgrades is AmbientCapabilities=CAP_NET_BIND_SERVICE in the service unit (supported by the
# systemd shipped with Debian 9).
apt install libcap2-bin
setcap 'cap_net_bind_service=+ep' /usr/bin/ss-server

禁止shadowsocks访问本地网络

禁止shadowsocks访问vps本地服务,避免shadowsocks成为防火墙的后门。缘起:v2ex的一个帖子

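# Create a chain named SHADOWSOCKS and send into it only packets generated locally by uid
# "shadowsocks" ("-m owner" is valid in OUTPUT, which is where it is used here).
# Putting the owner match on the jump means the rules inside the chain need not repeat it.
iptables -t filter -N SHADOWSOCKS
iptables -t filter -A OUTPUT -m owner --uid-owner shadowsocks -j SHADOWSOCKS
# Replies on connections the clients opened to us
iptables -t filter -A SHADOWSOCKS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Forbid connecting to this host itself.
# The original used "-j RETURN" for this and the following "forbid" rules. RETURN only leaves
# the SHADOWSOCKS chain and continues in OUTPUT; with the usual ACCEPT policy on OUTPUT that
# traffic is therefore NOT blocked at all. A terminating target (REJECT, or DROP) is needed for
# these rules to forbid anything.
iptables -t filter -A SHADOWSOCKS -d 127.0.0.0/8 -j REJECT
# Forbid the private / link-local / multicast / reserved ranges
for dst in 0.0.0.0/8 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
  iptables -t filter -A SHADOWSOCKS -d "$dst" -j REJECT
done
# Forbid SMTP so the box cannot be used to send spam
iptables -t filter -A SHADOWSOCKS -p tcp --dport 25 -j REJECT --reject-with tcp-reset
# Allow DNS, HTTP, HTTPS
iptables -t filter -A SHADOWSOCKS -p udp --dport 53 -j ACCEPT
iptables -t filter -A SHADOWSOCKS -p tcp --dport 53 -j ACCEPT
iptables -t filter -A SHADOWSOCKS -p tcp --dport 80 -j ACCEPT
iptables -t filter -A SHADOWSOCKS -p tcp --dport 443 -j ACCEPT
## Allow everything else
iptables -t filter -A SHADOWSOCKS -j ACCEPT
# OR forbid everything else. Pick one of the two endings, not both: after the ACCEPT above the
# two REJECT rules would never be reached.
iptables -t filter -A SHADOWSOCKS -p tcp -j REJECT --reject-with tcp-reset
iptables -t filter -A SHADOWSOCKS -p udp -j REJECT
# Only IPv4 is covered. On a host with IPv6 the same has to be done with ip6tables
# (::1, fe80::/10, fc00::/7, ff00::/8).
# These rules do not survive a reboot; save them with iptables-persistent or equivalent.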

3. 速度优化

使用Squid

注意:

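apt install squid || exit 1
# If the directory is missing (install failed, different packaging) do not run mv somewhere else.
cd /etc/squid || exit 1
# Keep the packaged configuration for reference; the new one is written from scratch.
mv -- squid.conf squid.conf.old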

编辑配置文件 /etc/squid/squid.conf

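# Listen on 127.0.0.1:3128 only; nothing outside the host can reach the proxy directly.
http_port 127.0.0.1:3128

# Access control.
# The original had a single "http_access allow all". Squid makes its outbound connections as its
# own service user, not as uid shadowsocks, so the uid-based SHADOWSOCKS iptables chain from the
# previous section does not apply to it: an unrestricted squid would let a shadowsocks client reach
# the VPS's loopback and internal services through the proxy, undoing that firewall. Mirror the
# chain here: deny local/reserved destinations and SMTP first, then allow the rest. "dst" ACLs are
# matched against the resolved address of the requested host, so names that resolve to these
# ranges are caught as well.
acl to_localnet dst 127.0.0.0/8 0.0.0.0/8 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
acl to_localnet dst ::1 fe80::/10 fc00::/7
acl to_smtp port 25
http_access deny to_localnet
http_access deny to_smtp
# Everything else is allowed; "all" here is only what can reach the loopback listener.
http_access allow all

# 64 MB memory cache and a 2 GB disk cache; tune to the machine.
cache_mem 64 MB
cache_dir ufs /var/spool/squid 2000 16 256
# Keep no logs. The original only redirected cache_log; the per-request access log is a separate
# directive and would otherwise still be written to the packaged access.log path.
cache_log /dev/null
access_log none
# Tuning parameters
maximum_object_size 4096 KB
maximum_object_size_in_memory 64 KB
# NOTE(review): hierarchy_stoplist is obsolete in recent squid releases and may be rejected at
# startup - confirm against the installed version and drop the line if squid complains.
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \.(jpg|png|gif|mp3|xml|html|htm|css|js) 1440 50% 2880 ignore-reload
refresh_pattern . 0 20% 4320


# Do not advertise the proxy: no Via header, and X-Forwarded-For is sent as "unknown"
# ("forwarded_for delete" removes the header entirely if preferred).
via off
forwarded_for off

request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all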

配置iptables

# Let the shadowsocks uid reach the local squid on 3128. Inserted at position 2, i.e. right after
# the ESTABLISHED,RELATED rule and ahead of the loopback rule, so it wins for 127.0.0.0/8:3128.
# Squid then connects onward as its own service user, which this uid-based chain does not cover;
# destination restrictions for that second leg belong in squid.conf.
iptables -I SHADOWSOCKS 2 -t filter -p tcp -d 127.0.0.0/8 --dport 3128 -m owner --uid-owner shadowsocks -j ACCEPT

本地配置:

修改 /lib/systemd/system/shadowsocks-libev.service,将 ExecStart=/usr/bin/ss-server -c $CONFFILE $DAEMON_ARGS 替换为 ExecStart=/usr/bin/ss-tunnel -c $CONFFILE $DAEMON_ARGS

使用单边TCP优化工具

使用Google BBR

编辑/etc/sysctl.d/local.conf

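# /etc/sysctl.d/local.conf - applied with `sysctl --system`.
# Values are unchanged from the original; formatting is normalised to "key = value"
# (the two BBR lines had different spacing and trailing whitespace).

# max open files
fs.file-max = 51200
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096
# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling.
# NOTE(review): tcp_tw_recycle no longer exists on kernels 4.12 and later; there `sysctl --system`
# logs an error for this line (the remaining keys still apply). 0 is the default, so the line can
# simply be dropped on such kernels.
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# turn on TCP Fast Open on both client and server side (bitmask: 1 = client, 2 = server, 3 = both)
net.ipv4.tcp_fastopen = 3
# TCP receive buffer (min default max)
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer (min default max)
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1
# BBR needs a kernel that ships tcp_bbr (4.9+); fq is the qdisc BBR is meant to be paired with.
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr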

编辑完成后执行 sysctl --system 生效,并用 sysctl net.ipv4.tcp_available_congestion_control 和 lsmod | grep bbr 命令测试:

# sysctl net.ipv4.tcp_available_congestion_control
net.ipv4.tcp_available_congestion_control = bbr hybla cubic reno
# lsmod | grep bbr
tcp_bbr                20480  45

4. 加强混淆

注意,这些方法未必真的有效,毕竟gfw也不是开源的。

使用随机端口

注意:

监听在23,将4000-4999端口的流量转发到23端口。

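# Redirect incoming TCP/UDP on 4000-4999 to the port ss-server really listens on (23).
# The tcp/udp match already accepts a port range in --dport, so "-m multiport" is not needed.
# ss-server must actually be listening on 23 - a port below 1024, hence the setcap step earlier.
# IPv4 only, and not persistent across reboots (see the filter rules above).
iptables -t nat -A PREROUTING -p tcp --dport 4000:4999 -j REDIRECT --to-ports 23
iptables -t nat -A PREROUTING -p udp --dport 4000:4999 -j REDIRECT --to-ports 23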

在基于openwrt的路由器上

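# Run on the OpenWrt router (busybox ash: no bashisms below).
# Replace the placeholder with the real VPS address; it is expanded inside the heredoc.
vps_ip="<VPS_IP>"
# Append the two rules once. The original appended on every run (duplicating the rules) and its
# second line was missing the space before the --to-destination address.
if ! grep -qF -e "--to-destination ${vps_ip}:4000-4999" /etc/firewall.user; then
  cat >>/etc/firewall.user <<EOF
iptables -t nat -I OUTPUT 1 -d ${vps_ip} -p tcp --dport 23 -j DNAT --to-destination ${vps_ip}:4000-4999 --random
iptables -t nat -I OUTPUT 1 -d ${vps_ip} -p udp --dport 23 -j DNAT --to-destination ${vps_ip}:4000-4999 --random
EOF
fi
# Reloading the firewall re-reads /etc/firewall.user (it is included from /etc/config/firewall by
# default), so the full reboot the original did is not required.
/etc/init.d/firewall restart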

5. 客户端本地

使用privoxy将socks转化为http代理

安装privoxy

# Privoxy acts as the local HTTP proxy that forwards to the shadowsocks SOCKS5 listener (client side).
apt install privoxy

修改配置文件

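# Do not rename/create files in the wrong place if the directory does not exist.
cd /etc/privoxy/ || exit 1
# Keep the packaged config for reference; a minimal one is written from scratch.
mv -- config config.bak
touch config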

编辑/etc/privoxy/config

# Loopback only: the HTTP proxy is reachable just from this machine.
listen-address 127.0.0.1:8118
confdir /etc/privoxy
logdir /var/log/privoxy
actionsfile default.action
actionsfile user.action
filterfile default.filter
logfile logfile
# Every request ("/") is forwarded to the local shadowsocks SOCKS5 listener;
# the trailing "." means there is no parent HTTP proxy behind it.
forward-socks5 / 127.0.0.1:1080 .
# Log only the startup banner/warnings (4096) and non-fatal errors (8192);
# per-request logging (debug 1) stays off.
debug   4096
debug   8192
toggle  1
# Remote toggling and the web-based action editor stay disabled so that a page fetched through
# the proxy cannot change the proxy's own configuration.
enable-remote-toggle 0
enable-edit-actions 0
enable-remote-http-toggle 0
buffer-limit 4096

重启privoxy

# Apply the new config. On a systemd host `systemctl restart privoxy` is the equivalent.
/etc/init.d/privoxy restart

使用gfwlist

安装genpac

# genpac is a third-party package fetched from PyPI into a Python 2 virtualenv;
# treat it like any other supply-chain dependency (pin a version you have looked at).
(venv) $ pip2 install genpac

生成socks5 proxy的pac:

# PAC built from gfwlist; matching hosts go to the local SOCKS5 listener (the same 127.0.0.1:1080
# that privoxy forwards to), everything else goes direct.
genpac  --pac-proxy="SOCKS5 127.0.0.1:1080"  --pac-compress -o proxy.pac

生成http proxy的pac:

# Same PAC, but pointing at the local privoxy HTTP listener (127.0.0.1:8118) for clients
# that only support an HTTP proxy.
genpac --pac-proxy="PROXY 127.0.0.1:8118"  --pac-compress -o proxy.pac