代理服务器

                         ./+o+-
                 yyyyy- -yyyyyy+      OS: Ubuntu 24.04 noble
              ://+//////-yyyyyyo      Kernel: x86_64 Linux 6.8.0-90-generic
          .++ .:/++++++/-.+sss/`
        .:++o:  /++++++++/:--:/-
       o:+o+:++.`..```.-/oo+++++/     Shell: zsh 5.9
      .:+o:+o/.          `+sssoo+/    Resolution: No X Server
 .++/+:+oo+o:`             /sssooo.   WM: Not Found
/+++//+:`oo+o               /::--:.   GTK Theme:  [GTK3]
\+/+o+++`o++o               ++////.
 .++.o+++oo+:`             /dddhhh.   CPU: AMD EPYC 7K62 48-Core @ 2x 2.595GHz
      .+.o+oo:.          `oddhhhh+    GPU: Cirrus Logic GD 5446
       \+.++o+o ``-````.: ohdhhhhh+   RAM: 3915MiB
        `:o+++ ` ohhhhhhhhyo++os:
          .o: `.syhhhhhhh/.oo++o`
              /osyyyyyyo++ooo+++/
                  ````` +oo+++o\:
                         `oo++.

代理服务器

进行下面配置前需提前选购 合适地区 的服务器

首先配置防火墙，这里选择用 ufw

sudo apt update
sudo apt install ufw -y
sudo ufw allow ssh
sudo ufw allow 8388/tcp  # 8388 是 Shadowsocks 的默认端口，可选，建议更换
sudo ufw allow 8388/udp
sudo ufw enable

然后安装代理软件 Shadowsocks

1	sudo apt install shadowsocks-libev -y

配置文件位于 /etc/shadowsocks-libev/config.json

{
    "server":["0.0.0.0"],
    "server_port":8388,
    "local_port":1080,
    "mode":"tcp_and_udp",
    "password":"",
    "timeout":300,
    "method":"aes-256-gcm",
    "fast_open": true,
    "no_delay": true
}

参数名	参数值	备注
server	0.0.0.0	监听所有 IP 地址
server_port	自定义端口号	监听端口
local_port	自定义端口号	本地端口
mode	tcp_and_udp	同时支持 TCP 和 UDP
password	随机密码	连接口令
timeout	300s	连接超时时间
method	aes-256-gcm	加密方式
fast_open	true	TCP 快速打开
no_delay	true	禁用 Nagle 算法，减少延迟

为了后续监控方便，下面修改默认的服务配置文件 /usr/lib/systemd/system/shadowsocks-libev.service

#  This file is part of shadowsocks-libev.
#
#  Shadowsocks-libev is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 3 of the License, or
#  (at your option) any later version.
#
#  This file is default for Debian packaging. See also
#  /etc/default/shadowsocks-libev for environment variables.

[Unit]
Description=Shadowsocks-libev Default Server Service
Documentation=man:shadowsocks-libev(8)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
DynamicUser=true
EnvironmentFile=/etc/default/shadowsocks-libev
LimitNOFILE=32768
ExecStart=/usr/bin/ss-server -c $CONFFILE $DAEMON_ARGS -v
StandardOutput=append:/var/log/shadowsocks.log
StandardError=append:/var/log/shadowsocks.log

[Install]
WantedBy=multi-user.target

配置完成后启动服务

1 2	sudo systemctl start shadowsocks-libev sudo systemctl enable shadowsocks-libev

服务端配置完成后，需下载客户端软件

操作系统	客户端
Windows	shadowsocks-windows
Android	shadowsocks-android

填写配置信息，与服务端对应即可。然后启动 System Proxy.

另外，在 Arch Linux 系统中配置客户端，由于 Shadowsocks 跑在 socket5 上面，需要使用 privoxy 把流量导向 http/https，具体操作如下：

sudo pacman -S privoxy
sudo nvim /etc/privoxy/config
# 取消注释以下两行
# listen-address 127.0.0.1:8118 
# forward-socks5t / 127.0.0.1:1080 .

sudo systemctl enable privoxy
sudo systemctl start privoxy
sudo systemctl status privoxy
sudo nvim ~/.zshrc
# 添加下面两行
# export http_proxy = http://127.0.0.1:8118
# export https_proxy = http://127.0.0.1:8118

然后配置 /etc/shadowsocks/config.json，

{
    "server":"<server_ip>",
    "server_port":<server_port>,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"<your_password>",
    "method":"aes-256-gcm",
    "mode":"tcp_and_udp",
    "timeout": 300,
    "fast_open": true,
    "no_delay": true
}

然后启动 shadowsocks-libev@config

1	sudo systemctl start shadowsocks-libev@config

入侵防御

通过监控与匹配恶意行为，如暴力破解、漏洞扫描等，自动调用系统防火墙封禁相应的 IP 地址。这里选用 Fail2ban

1 2	sudo apt update sudo apt install fail2ban -y

然后为 Shaowsocks 添加过滤器文件，位于 /etc/fail2ban/filter.d/shadowsocks.conf

# Fail2Ban filter for shadowsocks
[Definition]

failregex = ^.*ERROR.*can.t decrypt.*from\s+<HOST>.*$
            ^.*ERROR.*invalid password.*from\s+<HOST>.*$
            ^.*ERROR.*authentication failed.*<HOST>.*$
            ^.*WARNING.*wrong password.*<HOST>.*$
             ^\s*\S+ \S+\s+ERROR:\s+failed to handshake with <HOST>:\d+
            ^\s*\S+ \S+\s+ERROR:\s+tcp_recv_decrypt:\s+invalid password or cipher from <HOST>:\d+
            ^\s*\S+ \S+\s+ERROR:\s+repeating salt detected from <HOST>:\d+
            ^\s*\S+ \S+\s+ERROR:\s+unable to parse header when handling connection from <HOST>:\d+

ignoreregex = ^.*INFO.*connected.*$

然后配置 Fail2ban，配置文件位于 /etc/fail2ban/jail.local，

# Fail2ban Configuration

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 1d
findtime = 1m
maxretry = 5
action = %(action_)s
banaction = ufw

# =================================================================================
# Jails
# =================================================================================
# Recidive - fail2ban.log
[recidive]
enabled  = true
logpath  = /var/log/fail2ban.log
action   = %(banaction_allports)s
findtime = 1d
maxretry = 3
bantime  = 2w

[sshd]
enabled  = true
port     = 22
maxretry = 3
bantime  = 1w

[shadowsocks]
enabled  = true
port     = 8388
protocol = tcp,udp
logpath  = /var/log/shadowsocks.log
filter   = shadowsocks
maxretry = 10
findtime = 5m
bantime  = 3d

配置完成后启动服务

1 2	sudo systemctl start fail2ban sudo systemctl enable fail2ban

解封 IP 地址

1	sudo fail2ban-client set sshd unbanip <ip_addr>

检查 fail2ban 状态

❯ sudo fail2ban-client status
Status
|- Number of jail:      3
`- Jail list:   recidive, shadowsocks, sshd

❯ sudo fail2ban-client status | grep "Jail list:" | sed -e 's/.*Jail list:[ \t]*//' -e 's/,//g' | xargs -n1 sudo fail2ban-client status
Status for the jail: recidive
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
Status for the jail: shadowsocks
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list: