Quick VPS tinkering

Setting up the ladder (proxy) again

Posted by Tivility on November 1, 2018

First, the reference posts:
Adding a superuser
Configuring ssh
Changing the ssh port
Firewall, ss & bbr & fastopen configuration

My previous VPS seems to have been popped by someone; it was such a mess that I just deleted it. It was finally retired these past few days, so I'm starting to tinker with this thing again.

1. Remote login

1.1 Add a login user

root@ubuntu:~$ useradd username
root@ubuntu:~$ passwd username
Enter new Unix password:
Retype new Unix password:
passwd: passwd update successfully
root@ubuntu:~$ usermod -s /bin/bash username
root@ubuntu:~$ usermod -d /home/username username

1.2 Grant the user privileges

root@ubuntu:~$ visudo

Below the line root ALL=(ALL:ALL) ALL add one line:

username ALL=(ALL:ALL) ALL

Save and exit.

1.3 ssh

  • Install

    root@ubuntu:~$ apt-get install openssh-server
    root@ubuntu:~$ apt-get install openssh-client

  • Disable root login

    root@ubuntu:~$ vim /etc/ssh/sshd_config

    PermitRootLogin yes

    change to

    PermitRootLogin prohibit-password

  • Common commands:

    root@ubuntu:~$ service ssh start
    root@ubuntu:~$ service ssh stop
    root@ubuntu:~$ service ssh restart

  • Change the ssh port

    root@ubuntu:~$ vim /etc/ssh/sshd_config

    Change the Port 22 field to Port {myport}
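Before restarting sshd after these edits, run sshd -t so that sshd itself validates the file: a mistyped PermitRootLogin value is rejected and the service will not come back up, and prohibit-password still lets root in with a key (only password login for root is refused). The checker below is an added example, not part of the original post or of OpenSSH; it mirrors that validation for the two directives edited here, honouring the first PermitRootLogin in the file as sshd does, and assumes the file has no Match blocks.

```python
# Added example (not from the post or OpenSSH): lint the sshd_config
# directives edited above. Assumes no Match blocks in the file.

# Values sshd accepts for PermitRootLogin (OpenSSH 7.x).
PERMIT_ROOT_VALUES = {"yes", "no", "prohibit-password",
                      "without-password", "forced-commands-only"}

# Constructed sample: the post's edits, with the value mistyped.
SAMPLE_SSHD_CONFIG = """\
# What ports, IPs and protocols we listen for
Port 2222
PermitRootLogin preohibit-password
PasswordAuthentication yes
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword: [values in file order]} with comments stripped."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        # Keywords are case-insensitive in sshd_config; values are not.
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        directives.setdefault(key, []).append(value)
    return directives


def check_sshd_config(text):
    """Return [(keyword, problem), ...]; empty means the file looks sane."""
    d = parse_sshd_config(text)
    findings = []
    # sshd applies the FIRST PermitRootLogin it reads; the default is yes.
    prl = d.get("permitrootlogin", ["yes"])[0]
    if prl not in PERMIT_ROOT_VALUES:
        findings.append(("PermitRootLogin", f"{prl!r} is not a value sshd "
                         "accepts; sshd -t rejects it and sshd will not start"))
    elif prl == "yes":
        findings.append(("PermitRootLogin", "root may still log in with a password"))
    # Every Port line adds a listener, so check each one.
    for port in d.get("port", ["22"]):
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(("Port", f"{port!r} is not a valid TCP port"))
    return findings
```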

1.4 Firewall

root@ubuntu:~$ sudo apt-get install ufw
root@ubuntu:~$ sudo ufw enable
root@ubuntu:~$ sudo ufw default deny

Allow the ssh port you chose first (sudo ufw allow {myport}); with the default-deny policy in place, enabling ufw otherwise cuts off your own session.

Common commands:

sudo ufw enable
sudo ufw default deny
sudo ufw disable
sudo ufw status
sudo ufw allow 80
sudo ufw delete allow 80
sudo ufw allow from 192.168.1.1
sudo ufw deny smtp
sudo ufw delete allow smtp
sudo ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 22

2. SS & bbr

2.1 Install

root@ubuntu:~$ sudo apt install python3-pip
root@ubuntu:~$ pip3 install https://github.com/shadowsocks/shadowsocks/archive/master.zip
root@ubuntu:~$ sudo mkdir /etc/shadowsocks

2.2 Set up

root@ubuntu:~$ sudo nano /etc/shadowsocks/config.json

Write:

{
    "server":"serverip",
    "server_port":{myport},
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"mypassword",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": false
}

Test that it runs:

ssserver -c /etc/shadowsocks/config.json
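The config above uses aes-256-cfb, a stream cipher: it encrypts but does not authenticate traffic, and the Shadowsocks project has deprecated stream ciphers in favour of AEAD methods such as chacha20-ietf-poly1305, which authenticate every packet. As an added example (not from the post or the Shadowsocks project), the linter below loads a config.json in the shape written above, with constructed values standing in for the placeholders, and reports the settings a reviewer would question before handing the file to ssserver.

```python
# Added example (not from the post or the Shadowsocks project): lint the
# server config.json written above before handing it to ssserver.
import json

# AEAD ciphers authenticate every packet as well as encrypting it.
AEAD_METHODS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
                "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}
# Stream ciphers carry no integrity check and are deprecated by the project.
STREAM_METHODS = {"aes-128-cfb", "aes-192-cfb", "aes-256-cfb", "aes-128-ctr",
                  "aes-192-ctr", "aes-256-ctr", "rc4-md5", "chacha20", "chacha20-ietf"}
# Placeholder-like passwords that should never reach a server (constructed list).
PLACEHOLDER_PASSWORDS = {"mypassword", "password", "123456", "changeme"}

# Constructed sample in the shape the post writes, placeholders filled in.
SAMPLE_CONFIG = """{
    "server": "0.0.0.0",
    "server_port": 8388,
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "password": "mypassword",
    "timeout": 300,
    "method": "aes-256-cfb",
    "fast_open": false
}"""


def lint_ss_config(text):
    """Return [(key, problem), ...] for a config.json document; [] means clean."""
    cfg = json.loads(text)          # raises ValueError on malformed JSON
    findings = []
    method = cfg.get("method", "")
    if method in STREAM_METHODS:
        findings.append(("method", f"{method} is a stream cipher with no integrity "
                         "protection; prefer an AEAD method such as chacha20-ietf-poly1305"))
    elif method not in AEAD_METHODS:
        findings.append(("method", f"{method!r} is not a recognised cipher name"))
    port = cfg.get("server_port")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append(("server_port", f"{port!r} is not a valid TCP port"))
    pw = cfg.get("password", "")
    # The length threshold is this example's own heuristic, not a project rule.
    if len(pw) < 16 or pw.lower() in PLACEHOLDER_PASSWORDS:
        findings.append(("password", "short or placeholder; use a long random secret"))
    if not isinstance(cfg.get("fast_open", False), bool):
        findings.append(("fast_open", "must be JSON true/false, not a string"))
    return findings
```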

2.3 Configuration

root@ubuntu:~$ sudo nano /etc/systemd/system/shadowsocks-server.service

Write:

[Unit]
Description=Shadowsocks Server
After=network.target

[Service]
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks/config.json
Restart=on-abort

[Install]
WantedBy=multi-user.target

Start:

root@ubuntu:~$ sudo systemctl start shadowsocks-server

Enable at boot:

root@ubuntu:~$ sudo systemctl enable shadowsocks-server
2.4 bbr

  • Check the Linux kernel

    root@ubuntu:~$ uname -r

    If the kernel version is below 4.9.0, upgrade the kernel:

    root@ubuntu:~$ sudo apt-cache showpkg linux-image
    root@ubuntu:~$ sudo apt install linux-image-4.10.0-22-generic
    root@ubuntu:~$ sudo reboot
    root@ubuntu:~$ sudo purge-old-kernels

  • Enable BBR

    root@ubuntu:~$ modprobe tcp_bbr
    root@ubuntu:~$ echo "tcp_bbr" >> /etc/modules-load.d/modules.conf
    root@ubuntu:~$ echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
    root@ubuntu:~$ echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
    root@ubuntu:~$ sysctl -p

    Once saved and applied, run

    root@ubuntu:~$ sysctl net.ipv4.tcp_available_congestion_control
    root@ubuntu:~$ sysctl net.ipv4.tcp_congestion_control

    If both show bbr, BBR is enabled.
  • Optimise throughput. Create a file named local.conf under /etc/sysctl.d/ with the following content:

    # max open files
    fs.file-max = 51200
    # max read buffer
    net.core.rmem_max = 67108864
    # max write buffer
    net.core.wmem_max = 67108864
    # default read buffer
    net.core.rmem_default = 65536
    # default write buffer
    net.core.wmem_default = 65536
    # max processor input queue
    net.core.netdev_max_backlog = 4096
    # max backlog
    net.core.somaxconn = 4096

    # resist SYN flood attacks
    net.ipv4.tcp_syncookies = 1
    # reuse timewait sockets when safe
    net.ipv4.tcp_tw_reuse = 1
    # turn off fast timewait sockets recycling
    net.ipv4.tcp_tw_recycle = 0
    # short FIN timeout
    net.ipv4.tcp_fin_timeout = 30
    # short keepalive time
    net.ipv4.tcp_keepalive_time = 1200
    # outbound port range
    net.ipv4.ip_local_port_range = 10000 65000
    # max SYN backlog
    net.ipv4.tcp_max_syn_backlog = 4096
    # max timewait sockets held by system simultaneously
    net.ipv4.tcp_max_tw_buckets = 5000
    # turn on TCP Fast Open on both client and server side
    net.ipv4.tcp_fastopen = 3
    # TCP receive buffer
    net.ipv4.tcp_rmem = 4096 87380 67108864
    # TCP write buffer
    net.ipv4.tcp_wmem = 4096 65536 67108864
    # turn on path MTU discovery
    net.ipv4.tcp_mtu_probing = 1

    net.ipv4.tcp_congestion_control = bbr

    Run

    root@ubuntu:~$ sysctl --system

    Edit the file /etc/systemd/system/shadowsocks-server.service and add one line to the [Service] section, before ExecStart..., so the fs.file-max limit above also applies to the ssserver process (an ExecStartPre=/bin/sh -c 'ulimit -n 51200' line, as seen in many guides, raises the limit only inside that throwaway shell; systemd's LimitNOFILE= is what sets it for the service):

    LimitNOFILE=51200

    The modified file is:

    [Unit]
    Description=Shadowsocks Server
    After=network.target

    [Service]
    LimitNOFILE=51200
    ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks/config.json
    Restart=on-abort

    [Install]
    WantedBy=multi-user.target

    Restart ss:

    root@ubuntu:~$ sudo systemctl daemon-reload
    root@ubuntu:~$ sudo systemctl restart shadowsocks-server
  • Enable TCP Fast Open. In /etc/shadowsocks/config.json change the value of fast_open from false to true and save. Restart ss:

    root@ubuntu:~$ sudo systemctl daemon-reload
    root@ubuntu:~$ sudo systemctl restart shadowsocks-server

    Note: TCP Fast Open also needs support on the client side, i.e. a client Linux kernel of 3.7.1 or later; you can enable TCP Fast Open in the Shadowsocks client.
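The BBR and throughput steps above put net.ipv4.tcp_congestion_control into both /etc/sysctl.conf and /etc/sysctl.d/local.conf, and local.conf also sets net.ipv4.tcp_tw_recycle, a key that was removed in Linux 4.12 (sysctl --system then reports it as unknown and carries on). The script below is an added example, not from the post: it merges constructed, abridged copies of the two fragments in the order sysctl --system reads them (/etc/sysctl.d/*.conf first, /etc/sysctl.conf last, later files winning for the same key) and checks the BBR prerequisites against a kernel version.

```python
# Added example (not from the post): compute the values sysctl --system ends up
# applying from the two fragments this post writes, then check the BBR setup.
# sysctl --system reads /etc/sysctl.d/*.conf before /etc/sysctl.conf; later wins.

# Constructed fragments: the lines appended to /etc/sysctl.conf in 2.4 ...
ETC_SYSCTL_CONF = "net.core.default_qdisc=fq\nnet.ipv4.tcp_congestion_control=bbr\n"
# ... and an abridged /etc/sysctl.d/local.conf from the throughput step.
LOCAL_CONF = """\
# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_congestion_control = bbr
"""
# Keys dropped from the kernel, with the (major, minor) release that removed them.
REMOVED_KEYS = {"net.ipv4.tcp_tw_recycle": (4, 12)}

def parse_sysctl(text):
    """Parse 'key = value' lines into a dict, ignoring blanks and #/; comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values[key] = value
    return values

def effective_sysctl(*fragments_in_load_order):
    """Merge fragments the way sysctl --system does: later files win."""
    merged = {}
    for text in fragments_in_load_order:
        merged.update(parse_sysctl(text))
    return merged

def check_bbr(values, kernel):
    """Return findings for the BBR setup given a kernel (major, minor) tuple."""
    findings = []
    if kernel < (4, 9):
        findings.append("kernels before 4.9 have no tcp_bbr module")
    if values.get("net.ipv4.tcp_congestion_control") != "bbr":
        findings.append("tcp_congestion_control is not bbr")
    # Before 4.13 TCP had no internal pacing, so BBR relies on the fq qdisc.
    if kernel < (4, 13) and values.get("net.core.default_qdisc") != "fq":
        findings.append("kernels before 4.13 need default_qdisc=fq for BBR")
    for key, removed_in in REMOVED_KEYS.items():
        if key in values and kernel >= removed_in:
            findings.append(f"{key} was removed in {removed_in[0]}.{removed_in[1]}")
    return findings
```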