If you share your server with strangers, you need to be careful. The numbers used below are just examples.

Optimize your server

Limit bandwidth

 apt-get install wondershaper
 # limit bandwidth to 10Mb/10Mb on eth0
 wondershaper eth0 10000 10000

Limit connections

 iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset

Prevent ssh password cracking
```
 apt-get install denyhosts
```
Prevent Shadowsocks password cracking
Block connection to localhost

Run Shadowsocks server as nonroot user

 sudo useradd ssuser
 sudo ssserver [other options] --user ssuser

Block traffic to non-HTTP port

 iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j ACCEPT
 iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 443 -j ACCEPT
 iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset

Block BitTorrent trackers

 apt-get install nginx

Edit nginx configuration:

 server {
     listen 0.0.0.0:3128;
     resolver 8.8.8.8;
     location / {
         set $upstream_host $host;
     if ($request_uri ~ "^/announce.*") {
             return 403;
         }
         if ($request_uri ~ "^.*torrent.*") {
             return 403;
         }
         proxy_set_header Host $upstream_host;
         proxy_pass http://$upstream_host;
         proxy_buffering off;
     }
 }

Redirect 80 port to nginx:

    iptables -t nat -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Securing-Public-Shadowsocks-Server.md

Securing-Public-Shadowsocks-Server.md

Files

Securing-Public-Shadowsocks-Server.md

Latest commit

History

Securing-Public-Shadowsocks-Server.md

File metadata and controls