The server used here (screenfetch output, distribution logo omitted):

OS: Ubuntu 24.04 noble
Kernel: x86_64 Linux 6.8.0-90-generic
Shell: zsh 5.9
Resolution: No X Server
WM: Not Found
GTK Theme: [GTK3]
CPU: AMD EPYC 7K62 48-Core @ 2x 2.595GHz
GPU: Cirrus Logic GD 5446
RAM: 3915MiB

Proxy server

Before starting the configuration below, you need a server already purchased in a suitable region.

First configure the firewall; ufw is used here. Allow SSH before running ufw enable, otherwise the default deny-incoming policy cuts off your own session.

sudo apt update
sudo apt install ufw -y
sudo ufw allow ssh          # allow SSH first so that enabling the firewall does not lock you out
sudo ufw allow 8388/tcp     # 8388 is the Shadowsocks default port; change it to the port you put in config.json
sudo ufw allow 8388/udp
sudo ufw enable

Then install the proxy software, Shadowsocks (the shadowsocks-libev implementation):

sudo apt install shadowsocks-libev -y

The configuration file is /etc/shadowsocks-libev/config.json:

{
    "server": ["0.0.0.0"],
    "server_port": 8388,
    "local_port": 1080,
    "mode": "tcp_and_udp",
    "password": "",
    "timeout": 300,
    "method": "aes-256-gcm",
    "fast_open": true,
    "no_delay": true
}
Parameter     Value                Notes
server        0.0.0.0              listen on all IPv4 addresses
server_port   port of your choice  listening port; pick something other than the default 8388 and open the same port in ufw
local_port    port of your choice  local SOCKS port; only meaningful for the ss-local client, ss-server ignores it
mode          tcp_and_udp          serve both TCP and UDP
password      random password      pre-shared key; generate it randomly (for example with openssl rand -base64 24) and never leave it empty
timeout       300                  idle timeout in seconds
method        aes-256-gcm          cipher; use an AEAD method (aes-*-gcm or chacha20-ietf-poly1305), not one of the legacy stream ciphers
fast_open     true                 TCP Fast Open; only takes effect when the kernel allows it (net.ipv4.tcp_fastopen=3 via sysctl)
no_delay      true                 disable Nagle's algorithm to reduce latency

To make monitoring easier later, the service is changed to write its log to /var/log/shadowsocks.log; this is the file the fail2ban jail below reads. Editing the packaged unit /usr/lib/systemd/system/shadowsocks-libev.service directly works, but a package upgrade overwrites that file, so the durable way is a drop-in created with sudo systemctl edit shadowsocks-libev that contains only the [Service] section with the two StandardOutput/StandardError lines. Either way, run sudo systemctl daemon-reload afterwards. The full unit with the logging lines added (the -v on ss-server turns on verbose logging):

#  This file is part of shadowsocks-libev.
#
# Shadowsocks-libev is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This file is default for Debian packaging. See also
# /etc/default/shadowsocks-libev for environment variables.

[Unit]
Description=Shadowsocks-libev Default Server Service
Documentation=man:shadowsocks-libev(8)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
DynamicUser=true
EnvironmentFile=/etc/default/shadowsocks-libev
LimitNOFILE=32768
ExecStart=/usr/bin/ss-server -c $CONFFILE $DAEMON_ARGS -v
StandardOutput=append:/var/log/shadowsocks.log
StandardError=append:/var/log/shadowsocks.log

[Install]
WantedBy=multi-user.target

Once the unit is edited and systemd has reloaded it (sudo systemctl daemon-reload), start the service and enable it at boot:

sudo systemctl start shadowsocks-libev
sudo systemctl enable shadowsocks-libev
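The template above leaves password empty and keeps the default port, which is exactly what a copy-and-paste deployment tends to ship with. As an added example that is not part of this page or of shadowsocks-libev, the following Python script generates a hardened config.json (random high port, 24 random bytes of key, AEAD cipher) and audits any config for the weak settings that survive copy-and-paste: empty or short password, port 8388, a non-AEAD cipher. The port range 20000-59999, the key length and the audit rules are this script's own choices.

```python
import json
import secrets
from pathlib import Path

# AEAD ciphers offered by shadowsocks-libev. Anything else (aes-256-cfb, rc4-md5,
# chacha20, ...) is an unauthenticated stream cipher and must not be used.
AEAD_METHODS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}
DEFAULT_PORT = 8388        # the well-known default that scanners probe first
MIN_PASSWORD_LEN = 16      # this script's own threshold

# The server template from this page: password left blank, default port kept.
TEMPLATE_FROM_PAGE = {
    "server": ["0.0.0.0"], "server_port": 8388, "local_port": 1080,
    "mode": "tcp_and_udp", "password": "", "timeout": 300,
    "method": "aes-256-gcm", "fast_open": True, "no_delay": True,
}


def build_server_config(port=None, method="aes-256-gcm", listen="0.0.0.0"):
    """Return a server config with a random high port and a 32-character random key."""
    if method not in AEAD_METHODS:
        raise ValueError(f"{method} is not an AEAD cipher")
    if port is None:
        port = secrets.choice(range(20000, 60000))   # anywhere but 8388
    return {
        "server": [listen],
        "server_port": port,
        "mode": "tcp_and_udp",
        "password": secrets.token_urlsafe(24),   # 24 random bytes -> 32 URL-safe chars
        "timeout": 300,
        "method": method,
        "fast_open": True,   # only effective with net.ipv4.tcp_fastopen=3 in sysctl
        "no_delay": True,
    }


def audit_server_config(cfg):
    """Return the list of weak settings found; an empty list means the config passes."""
    findings = []
    pw = cfg.get("password") or ""
    if not pw:
        findings.append("password is empty")
    elif len(pw) < MIN_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    if cfg.get("server_port") == DEFAULT_PORT:
        findings.append("server_port is the default 8388")
    if cfg.get("method") not in AEAD_METHODS:
        findings.append(f"method {cfg.get('method')!r} is not an AEAD cipher")
    return findings


def write_config(cfg, path="/etc/shadowsocks-libev/config.json"):
    """Write cfg as JSON. The packaged unit runs ss-server with DynamicUser=true, i.e. as an
    unprivileged transient user, so the file must stay readable to it (the package's
    default 0644); do not chmod it to 0600."""
    p = Path(path)
    p.write_text(json.dumps(cfg, indent=4) + "\n")
    return p


def read_config(path):
    """Load a config.json back into a dict (round-trip check)."""
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    print("page template:", audit_server_config(TEMPLATE_FROM_PAGE))
    cfg = build_server_config()
    print("generated    :", audit_server_config(cfg) or "ok")
    out = write_config(cfg, "/tmp/ss-config.json")   # use the /etc path on the real server
    print(f"wrote {out}; open port {cfg['server_port']} in ufw and use it in the clients")
```

Whatever port the script picks has to replace 8388 in the ufw rules above and in every client, and the generated password is the only secret in the system, so copy it to clients over a channel you trust (SSH, a password manager), not through chat.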

After the server is configured, download a client:

Operating system   Client
Windows            shadowsocks-windows
Android            shadowsocks-android

Enter the server address, port, password and method exactly as in the server config, then turn on System Proxy.

On Arch Linux the client is ss-local, which exposes a SOCKS5 listener. Programs that only understand an HTTP proxy (the http_proxy/https_proxy variables) need privoxy in front of it to forward their HTTP and HTTPS requests into that SOCKS5 port:

sudo pacman -S privoxy
sudo nvim /etc/privoxy/config
# make sure these two lines are present and not commented out
# (listen-address is on by default; the forward-socks5t line ships commented out,
#  and the trailing " ." is part of its syntax)
# listen-address 127.0.0.1:8118
# forward-socks5t / 127.0.0.1:1080 .

sudo systemctl enable privoxy
sudo systemctl start privoxy
sudo systemctl status privoxy
sudo nvim ~/.zshrc
# add the following two lines (no spaces around "=", otherwise the variables are not set)
# export http_proxy=http://127.0.0.1:8118
# export https_proxy=http://127.0.0.1:8118

Then, with the shadowsocks-libev package installed from pacman, configure /etc/shadowsocks/config.json. The package ships the template unit shadowsocks-libev@.service, which runs ss-local with /etc/shadowsocks/<instance>.json, so the file name decides the instance name:

{
    "server": "<server_ip>",
    "server_port": <server_port>,
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "password": "<your_password>",
    "method": "aes-256-gcm",
    "mode": "tcp_and_udp",
    "timeout": 300,
    "fast_open": true,
    "no_delay": true
}

Then start the shadowsocks-libev@config instance (enable it as well if it should come up at boot). To check the whole chain, point curl at http://127.0.0.1:8118 with its -x option and fetch a page:

sudo systemctl start shadowsocks-libev@config

Intrusion prevention

Fail2ban watches log files for patterns of malicious behaviour such as brute-force attempts and vulnerability scans and calls the system firewall to block the offending IP addresses automatically. It is used here:

sudo apt update
sudo apt install fail2ban -y

Then add a filter for Shadowsocks at /etc/fail2ban/filter.d/shadowsocks.conf. One thing to keep in mind when writing failregex lines: fail2ban locates the timestamp with its datepattern and cuts it out of the line before failregex is applied, so a pattern must anchor on what remains ("  ERROR: ..."), not on the date tokens. Check the filter against the real log with fail2ban-regex /var/log/shadowsocks.log /etc/fail2ban/filter.d/shadowsocks.conf before relying on it:

# Fail2Ban filter for shadowsocks-libev (ss-server)
#
# The timestamp is removed by fail2ban before these patterns run, so the
# ss-server lines " 2025-01-01 12:00:00 ERROR: ..." arrive here as "  ERROR: ...".
# Continuation lines of failregex must be indented.
# Verify with: fail2ban-regex /var/log/shadowsocks.log /etc/fail2ban/filter.d/shadowsocks.conf
[Definition]

failregex = ^.*ERROR.*can.t decrypt.*from\s+<HOST>.*$
            ^.*ERROR.*invalid password.*from\s+<HOST>.*$
            ^.*ERROR.*authentication failed.*<HOST>.*$
            ^.*WARNING.*wrong password.*<HOST>.*$
            ^\s*ERROR:\s+failed to handshake with <HOST>
            ^\s*ERROR:\s+tcp_recv_decrypt:\s+invalid password or cipher from <HOST>
            ^\s*ERROR:\s+repeating salt detected from <HOST>
            ^\s*ERROR:\s+unable to parse header when handling connection from <HOST>

ignoreregex = ^.*INFO.*connected.*$

Then configure Fail2ban in /etc/fail2ban/jail.local (this file overrides jail.conf and survives package upgrades; do not edit jail.conf itself):

# Fail2ban configuration (jail.local overrides jail.conf)

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 1d
findtime = 1m
maxretry = 5
action = %(action_)s
# the ufw action inserts "deny from <ip>" ahead of the allow rules, so a ban blocks every port
banaction = ufw
# recidive bans through banaction_allports; point it at ufw as well, otherwise it
# falls back to the iptables-allports default and bypasses ufw
banaction_allports = ufw

# =================================================================================
# Jails
# =================================================================================
# Recidive: re-ban addresses that keep getting banned, read from fail2ban's own log
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
action = %(banaction_allports)s
findtime = 1d
maxretry = 3
bantime = 2w

[sshd]
enabled = true
port = 22
maxretry = 3
bantime = 1w

[shadowsocks]
enabled = true
# port/protocol document the service; with banaction = ufw the address is blocked on all ports anyway
port = 8388
protocol = tcp,udp
logpath = /var/log/shadowsocks.log
filter = shadowsocks
maxretry = 10
findtime = 5m
bantime = 3d
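The filter and the jail above are easiest to reason about when you can see which log lines they would act on. The following Python script, an added example rather than fail2ban's own code, replays constructed ss-server log lines through a simplified model of fail2ban: it cuts the timestamp out of each line the way fail2ban does before applying failregex, expands <HOST> to an IPv4 group (fail2ban's real expansion also accepts IPv6 and host names), and applies the shadowsocks jail's maxretry=10 / findtime=5m sliding window. It shows that a pattern written to match the date tokens in front of ERROR: never fires once the timestamp is removed, that the same message anchored at ERROR: does, and that ten failures spread two minutes apart never reach the threshold. The sample log lines are constructed here, not captured from a server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion: IPv4 only.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# ss-server logs " <date> ERROR: message"; fail2ban matches the date with its
# datepattern and removes it from the line before failregex is applied.
DATE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Patterns that expect the two date tokens still in front of "ERROR:".
FAILREGEX_WITH_DATE = [
    r"^\s*\S+ \S+\s+ERROR:\s+failed to handshake with <HOST>:\d+",
    r"^\s*\S+ \S+\s+ERROR:\s+repeating salt detected from <HOST>:\d+",
]
# The same messages anchored at what is left once the date is gone ("  ERROR: ...").
FAILREGEX_FIXED = [
    r"^\s*ERROR:\s+failed to handshake with <HOST>",
    r"^\s*ERROR:\s+repeating salt detected from <HOST>",
    r"^.*ERROR.*invalid password.*from\s+<HOST>.*$",   # the "^.*" form works either way
]
IGNOREREGEX = [r"^.*INFO.*connected.*$"]


def compile_filter(patterns):
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def split_date(line):
    """Mimic fail2ban: return (timestamp, line with the timestamp cut out)."""
    m = DATE.search(line)
    if not m:
        return None, line             # fail2ban would then use "now" as the time
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, line[:m.start(1)] + line[m.end(1):]


def match_line(line, failregex, ignoreregex):
    """Return (timestamp, host) when the line counts as a failure, else None."""
    ts, rest = split_date(line)
    for r in failregex:
        m = r.search(rest)
        if m and not any(i.search(rest) for i in ignoreregex):
            return ts or datetime.now(), m.group("host")
    return None


def count_failures(lines, failregex, ignoreregex=()):
    """Failures per host, the totals fail2ban-regex would report."""
    fr, ir = compile_filter(failregex), compile_filter(ignoreregex)
    counts = defaultdict(int)
    for line in lines:
        hit = match_line(line, fr, ir)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


def simulate_jail(lines, failregex, ignoreregex=(), maxretry=10,
                  findtime=timedelta(minutes=5)):
    """Sliding-window ban decision of a jail: a host is banned as soon as it has
    maxretry failures inside findtime. Returns {host: time of the ban}."""
    fr, ir = compile_filter(failregex), compile_filter(ignoreregex)
    window, banned = defaultdict(deque), {}
    for line in lines:
        hit = match_line(line, fr, ir)
        if hit is None or hit[1] in banned:
            continue
        ts, host = hit
        q = window[host]
        q.append(ts)
        while ts - q[0] > findtime:       # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


def _ts(minute, second=0):
    return f" 2025-01-01 12:{minute:02d}:{second:02d}"


# Constructed sample log in ss-server's layout; not a real capture.
SAMPLE_LOG = (
    # ten handshake failures from one address inside 45 seconds -> banned
    [f"{_ts(0, 5 * i)} ERROR: failed to handshake with 203.0.113.5:4{i:04d}" for i in range(10)]
    # ten failures two minutes apart -> never ten inside a 5-minute window
    + [f"{_ts(2 * i)} ERROR: repeating salt detected from 192.0.2.9:51000" for i in range(10)]
    # three failures, below maxretry
    + [f"{_ts(3, 10 * i)} ERROR: invalid password from 198.51.100.7" for i in range(3)]
    # a normal connection; covered by ignoreregex and matched by no failregex anyway
    + [f"{_ts(4)} INFO: connected from 203.0.113.77:50000"]
)

if __name__ == "__main__":
    print("with date tokens :", simulate_jail(SAMPLE_LOG, FAILREGEX_WITH_DATE, IGNOREREGEX))
    print("anchored at ERROR:", simulate_jail(SAMPLE_LOG, FAILREGEX_FIXED, IGNOREREGEX))
    print("failures per host:", count_failures(SAMPLE_LOG, FAILREGEX_FIXED, IGNOREREGEX))
```

Running it prints an empty ban list for the date-token patterns and a ban of 203.0.113.5 at 12:00:45 for the anchored ones; 192.0.2.9 accumulates ten failures in total but at most three within any five-minute window, which is exactly the case recidive (findtime = 1d) exists for. On the real server, fail2ban-regex /var/log/shadowsocks.log /etc/fail2ban/filter.d/shadowsocks.conf performs the same line-by-line check against fail2ban's actual HOST and date handling.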

Once configured, start the service and enable it at boot (after later edits to the filter or jail, fail2ban-client reload applies them without restarting):

sudo systemctl start fail2ban
sudo systemctl enable fail2ban
  • Unban an IP address (name the jail that banned it; fail2ban-client unban <ip_addr> lifts the ban from every jail at once)
sudo fail2ban-client set sshd unbanip <ip_addr>
  • Check fail2ban status

❯ sudo fail2ban-client status
Status
|- Number of jail:  3
`- Jail list:       recidive, shadowsocks, sshd

❯ sudo fail2ban-client status | grep "Jail list:" | sed -e 's/.*Jail list:[ \t]*//' -e 's/,//g' | xargs -n1 sudo fail2ban-client status
Status for the jail: recidive
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
Status for the jail: shadowsocks
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Journal matches is empty for the shadowsocks jail because it reads /var/log/shadowsocks.log rather than the systemd journal; the recidive and sshd jails use the journal backend, so their Total failed counters grow without any log file being written.

References

shadowsocks
Shadowsocks node configuration complete guide: building a high-performance proxy service from scratch (2025 edition)
fail2ban/fail2ban
Fail2ban installation and usage: the ultimate notes
Shadowsocks client on archlinux