Compiling and installing Shadowsocks-libev on CentOS 7 with obfs obfuscation enabled

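This article uses a CentOS 7 host purchased from Vultr as an example and describes in detail how to compile and deploy Shadowsocks-libev. We recommend binding a key to the host and logging in with it; take care to protect your key.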

Preparation

First, update the system:

yum update

To prevent the login password from being cracked by brute-force scanning, we first reset the password that Vultr generated automatically:

passwd root

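Here I personally used a 256-character random password that includes special characters.

You can also install fail2ban to ban IP addresses that repeatedly attempt to log in: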

yum install fail2ban

Enable fail2ban:

systemctl enable fail2ban

Edit the configuration file:

vi /etc/fail2ban/jail.local

This is a new file; add the following content:

[DEFAULT]
# Ban hosts for 12 hours (43200 seconds):
bantime = 43200
findtime = 600
maxretry = 1

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true

Restart fail2ban:

systemctl restart fail2ban

The following two commands show the status of fail2ban:

fail2ban-client status
fail2ban-client status sshd

Installation

Install the required software:

yum install git vim -y
yum install epel-release -y
yum install gcc gettext autoconf libtool automake make pcre-devel asciidoc xmlto udns-devel libev-devel mbedtls-devel -y

Download the Shadowsocks-libev source code:

git clone https://github.com/shadowsocks/shadowsocks-libev.git
cd shadowsocks-libev
git submodule update --init --recursive

Start compiling:

# Install libsodium
export LIBSODIUM_VER=1.0.13
wget https://download.libsodium.org/libsodium/releases/libsodium-$LIBSODIUM_VER.tar.gz
tar xvf libsodium-$LIBSODIUM_VER.tar.gz
pushd libsodium-$LIBSODIUM_VER
./configure --prefix=/usr && make
make install
popd
ldconfig

# Compile shadowsocks-libev
./autogen.sh && ./configure --prefix=/usr && make
make install 

Edit the configuration file:

mkdir -p /etc/shadowsocks-libev
vim /etc/shadowsocks-libev/config.json

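Enable both IPv4 and IPv6 (replace SERVER_PORT and YOUR_PASSWORD with a port number and password of your own choosing):

config.json
{
    "server":["[::0]","0.0.0.0"],
    "server_port":SERVER_PORT,
    "local_port":1080,
    "password":"YOUR_PASSWORD",
    "timeout":60,
    "method":"aes-256-gcm"
}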

Enable start on boot:

vi /etc/systemd/system/shadowsocks.service

shadowsocks.service
[Unit]
Description=Shadowsocks Server
After=network.target
[Service]
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -u
Restart=on-abort
[Install]
WantedBy=multi-user.target

systemctl enable shadowsocks
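
A hardened variant of the unit above, added here as an example and not part of the original article: it runs ss-server under a dedicated unprivileged account instead of root and uses sandboxing directives supported by the systemd 219 shipped with CentOS 7. The account name shadowsocks is an assumption, and the unit assumes server_port is above 1023 so that no capability is needed to bind it.

```ini
# /etc/systemd/system/shadowsocks.service (hardened variant, added example)
#
# One-time setup as root; the account name "shadowsocks" is an assumption:
#   useradd --system --no-create-home --shell /sbin/nologin shadowsocks
#   chown root:shadowsocks /etc/shadowsocks-libev/config.json
#   chmod 640 /etc/shadowsocks-libev/config.json

[Unit]
Description=Shadowsocks Server
After=network.target

[Service]
# Run as the unprivileged account instead of root.
User=shadowsocks
Group=shadowsocks
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -u
Restart=on-abort

# Assumes server_port > 1023, so no capability is needed to bind it.
CapabilityBoundingSet=
# Block privilege gain through setuid binaries.
NoNewPrivileges=true
# Mount /usr, /boot and /etc read-only for this service.
ProtectSystem=full
# Hide /home, /root and /run/user from this service.
ProtectHome=true
# Give the service a private /tmp and a minimal /dev.
PrivateTmp=true
PrivateDevices=true

[Install]
WantedBy=multi-user.target
```

After changing a unit file that is already installed, run systemctl daemon-reload and restart the service for the new settings to apply.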

Running

Start the Shadowsocks service:

systemctl start shadowsocks

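At this point the server is still not reachable from the outside, because the firewall has not opened the corresponding port. Edit the firewall's list of open ports and services: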

vi /etc/firewalld/zones/public.xml

Add the following lines (replace SERVER_PORT with the server port):

<port protocol="tcp" port="SERVER_PORT"/>
<port protocol="udp" port="SERVER_PORT"/>

Apply the new rules:

firewall-cmd --complete-reload

At this point Shadowsocks is ready to use. You can check the service status:

systemctl status shadowsocks

Updating

systemctl stop shadowsocks

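In the shadowsocks-libev directory:

git pull
git submodule update --init --recursive
# Use the same prefix as the original build so that /usr/bin/ss-server is replaced
./configure --prefix=/usr
make
make install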

systemctl start shadowsocks

Enable obfs obfuscation (optional)

Install the required software:

yum install zlib-devel openssl-devel -y

Install simple-obfs:

git clone https://github.com/shadowsocks/simple-obfs.git
cd simple-obfs
git submodule update --init --recursive
./autogen.sh
./configure && make
make install

Edit the configuration file:

vim /etc/shadowsocks-libev/config.json

config.json
{
    "server":["[::0]","0.0.0.0"],
    "server_port":SERVER_PORT,
    "local_port":1080,
    "password":"YOUR_PASSWORD",
    "timeout":60,
    "method":"aes-256-gcm",
    "plugin":"obfs-server",
    "plugin_opts":"obfs=http"
}

Restart shadowsocks-libev:

systemctl restart shadowsocks

Client configuration with obfs obfuscation

Add the following to the configuration file:

"plugin":"obfs-local",
"plugin_opts":"obfs=http;obfs-host=baidu.com",

Troubleshooting

The following message appears:

This system doesn't provide enough entropy to quickly generate high-quality random numbers
Installing the rng-utils/rng-tools or haveged packages may help.
On virtualized Linux environments, also consider using virtio-rng.
The service will not start until enough entropy has been collected.

Install rng-tools:

yum install rng-tools
rngd -r /dev/urandom