Securing Public Shadowsocks Server - renfufei/shadowsocks GitHub Wiki
If you share your server with strangers, you need to be careful. The numbers used below are just examples.
-
Limit bandwidth
apt-get install wondershaper # limit bandwidth to 10Mb/10Mb on eth0 wondershaper eth0 10000 10000
-
Limit connections
iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset
-
Prevent ssh password cracking
apt-get install denyhosts
-
Run Shadowsocks server as nonroot user
sudo useradd ssuser sudo ssserver [other options] --user ssuser
-
Block traffic to non-HTTP port
iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j ACCEPT iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 443 -j ACCEPT iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-
Block BitTorrent trackers
apt-get install nginx
Edit nginx configuration:
server { listen 0.0.0.0:3128; resolver 8.8.8.8; location / { set $upstream_host $host; if ($request_uri ~ "^/announce.*") { return 403; } if ($request_uri ~ "^.*torrent.*") { return 403; } proxy_set_header Host $upstream_host; proxy_pass http://$upstream_host; proxy_buffering off; } }
Redirect 80 port to nginx:
iptables -t nat -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128