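Differences between the pages "Debian利用shadowsocks和polipo终端代理翻墙" (Debian: terminal proxying with shadowsocks and polipo) and "Debian服务器初始化" (Debian server initialization)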

From the linux中国网 wiki
(Differences between pages)
 
 
第1行: 第1行:
= shadowsocks和polipo=
 
  
终端翻墙的方法,通过shadowsocks和polipo来实现
+
[[Salt-ssh批量初始化机器]]
 +
= os init=
 +
== change sources ==
 +
===10源===
 +
<pre>
  
==安装shadowsocks==
+
deb http://mirrors.aliyun.com/debian/ buster main non-free contrib
安装python包管理工具:
+
deb-src http://mirrors.aliyun.com/debian/ buster main non-free contrib
sudo apt-get install python-pip
+
deb http://mirrors.aliyun.com/debian-security buster/updates main
 +
deb-src http://mirrors.aliyun.com/debian-security buster/updates main
 +
deb http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
 +
deb http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
  
===apt===
+
</pre>
<pre>#apt
+
===9 源===
sudo apt install software-properties-common -y
+
<pre>
sudo add-apt-repository ppa:max-c-lv/shadowsocks-libev -y
 
sudo apt update
 
sudo apt install shadowsocks-libev
 
 
 
vi /etc/shadowsocks-libev/config.json
 
{
 
"server":"127.0.0.1",
 
"server_port":8388,
 
"local_port":1080,
 
"password":"focobguph",
 
"timeout":60,
 
"method":"chacha20-ietf-poly1305"
 
}
 
 
 
sudo systemctl enable shadowsocks-libev.service
 
  
 +
echo 'deb http://mirrors.aliyun.com/debian/ stretch main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ stretch main non-free contrib
 +
deb http://mirrors.aliyun.com/debian-security stretch/updates main
 +
deb-src http://mirrors.aliyun.com/debian-security stretch/updates main
 +
deb http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
 +
deb http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib ' >sources.list
 
</pre>
 
</pre>
  
===pip===
+
== ssh config==
 
<pre>
 
<pre>
pip install shadowsocks
+
echo "ssh-rsa AAAAB3NzaC you_prk_key root@ops
#sudo pip install shadowsocks #格式有时不对,要小心
+
" >> /root/.ssh/authorized_keys
vi shadowsocks.json#新建shadowsocks配置文件shadowsocks.json
 
{
 
"server": "xxx.xxx.xxx.xxx",
 
"server_port": xxxx,
 
"local_port": 1080,
 
"password": "xxxxxxx",
 
"timeout": 600,
 
"method": "aes-256-cfb"
 
}
 
  
eg
+
sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
  
echo '{
+
sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
    "server":"linuxsh.org",
 
    "server_port":443,
 
    "local_port":1080,
 
    "password":"laepassword",
 
    "timeout":600,
 
    "method":"aes-256-cfb"
 
}' >shadowsocks.json </pre>
 
  
[https://www.linuxbabe.com/ubuntu/shadowsocks-libev-proxy-server-ubuntu-16-04-17-10 How to Set up Shadowsocks-libev Proxy Server on Ubuntu 16.04]
+
systemctl restart sshd
 +
#service  sshd restart
  
==安装polipo:==
+
</pre>
<pre>sudo apt-get install polipo -y
+
==常用软件==
 
 
#修改polipo配置文件
 
echo 'logSyslog = true
 
logFile = /var/log/polipo/polipo.log
 
proxyAddress = "0.0.0.0"
 
socksParentProxy = "127.0.0.1:1080"
 
socksProxyType = socks5
 
chunkHighMark = 50331648
 
objectHighMark = 16384
 
serverMaxSlots = 64
 
serverSlots = 16
 
serverSlots1 = 32' >/etc/polipo/config </pre>
 
 
 
==启动服务==
 
 
<pre>
 
<pre>
#启动shadowsocks服务: 如果是pip inst
+
useradd -d /data/evan -s /bin/bash -m evan
sudo sslocal -c /root/shadowsocks.json -d start
+
数m表示如果该目录不存在,则创建该目录
#重启polipo服务:
 
  /etc/init.d/polipo restart
 
设置http和https代理:
 
export http_proxy="http://127.0.0.1:8123/"
 
export https_proxy=$http_proxy
 
 
 
如果想长期 加到 /etc/profile
 
 
 
  
cat >> /etc/profile <<EOF
 
export http_proxy=http://127.0.0.1:8123
 
export https_proxy=http://127.0.0.1:8123
 
export ftp_proxy=http://127.0.0.1:8123
 
EOF
 
  
  source /etc/profile
+
apt install net-tools procps rsync wget  w3m    vim  build-essential dnsutils screen  curl sudo lsb-release  iotop software-properties-common  -y  #dig dnsutils  firewalld
  
#不要代理的 也要加进去
+
#全面的开发工具
export NO_PROXY='localhost,127.0.0.1,192.168.88.30,192.168.88.31,192.168.88.32,10.96.0.0,10.224.0.0,10.96.0.0/12,10.224.0.0/16'
+
sudo apt  install git golang build-essential gcc g++ gdb libboost-dev make automake autogen autoconf cscope global cmake cmake-gui astyle clang-format clang llvm lldb libsqlite3-dev sqlite3 bison flex ruby-dev linux-headers-`uname -r`
  
  
 +
#ps
 +
apt install procps
  
  
这里最好是gnome3 手工设置代理呢 如果你是有桌面的话
+
安装Fail2Ban
 +
</pre>
  
127.0.0.1 8123
+
[https://www.debian.cn/archives/2880 Debian 安装 fail2ban 方式SSH爆破攻击]
测试
 
访问谷歌,若有反应则成功:
 
w3m google.com
 
curl www.google.com #但是502 很容易让人误会会不成功我一开始也是这样
 
  
这个在ubbuntu16.04 server 中是成功的 centos的要再看一下
 
  
</pre>
+
[[Debian配置iptables]]
  
=浏览器=
+
=时间同步=
 
<pre>
 
<pre>
 +
UTC时区切换到CST 时区
  
#本地apt shadowsock and then ok 20190728 因为我本地的端口是7070
+
#用这个啦
chromium --proxy-server="http=socks5://127.0.0.1:1080"
+
# 设置亚洲时区 tzselect 有时不准
/opt/google/chrome/chrome --proxy-server="https=socks5://127.0.0.1:7070"
+
timedatectl set-timezone Asia/Shanghai
 +
# 启用NTP同步 #关闭是 false
 +
timedatectl set-ntp yes
  
  
chromium --proxy-server="http=socks5://127.0.0.1:1080"
+
echo "export TZ='Asia/Shanghai'" >> /etc/profile 
chromium --proxy-server="https=socks5://127.0.0.1:1080"
+
cat /etc/profile |grep TZ 
/opt/google/chrome/chrome --proxy-server="https=socks5://127.0.0.1:1080"
+
source /etc/profile
  
chrominum-browser --proxy-server="https=socks5://127.0.0.1:1080"
+
date -R  #时区查看
 +
date
 +
Sat Aug 19 17:03:17 CST 2017
 
</pre>
 
</pre>
https://www.linuxdashen.com/%E5%9C%A8%E5%91%BD%E4%BB%A4%E8%A1%8C%E4%B8%8B%E4%B8%BAchromium%E5%92%8Cgoogle-chrome%E6%B5%8F%E8%A7%88%E5%99%A8%E8%AE%BE%E7%BD%AE%E4%BB%A3%E7%90%86
 
  
=gnome 全局=
+
=security=
 +
==ufw==
  
network proxy
+
==firewalld==
HTTP 127.0.0.1  8123
+
这个放弃了
HTTPS 127.0.0.1 8123
 
这样就可以全局翻墙 然后 安装上chrome 扩展
 
  
=SS+PAC=
+
详情可见 [[Centos7 firewalld防火墙基础]]
[https://www.jianshu.com/p/11a3f84b6782 Manjaro17.0.1(xfce)+SS+PAC模式配置笔记]
 
  
= xfce=
+
[https://computingforgeeks.com/how-to-install-and-configure-firewalld-on-debian/ How To Install and Configure Firewalld on Debian 10]
  
要看一下这个 上次就是终端可以 ss 但是浏览器不行
+
[https://ywnz.com/linuxaq/5495.html 在Debian 10(Buster)上安装和配置Firewalld]
[https://scalpel.vip/2017/03/06/xfceautoproxy/ Xfce桌面环境下通过pac实现自动代理]
 
  
[https://github.com/yueyoum/myblogposts/blob/master/2013-01/%E4%B8%BAXfce4%E6%A1%8C%E9%9D%A2%E7%8E%AF%E5%A2%83%E8%AE%BE%E7%BD%AE%E5%85%A8%E5%B1%80%E4%BB%A3%E7%90%86.md 为Xfce4桌面环境设置全局代理]
+
=参考=
 
 
[https://my.oschina.net/u/1444992/blog/600517 Xfce设置代理Proxy]
 
 
 
=trouble shooting=
 
 
 
"timeout": 600,  这个记得不能设置太短 我一开始也是不可以的,后来改了几处,加上重启什么的 竟然就好了  可能是一开始就是好的呢
 
 
 
==Kali2.0 update到最新版本后安装shadowsocks服务报错问题 用于解决openssl升级到1.1.0以上版本,导致shadowsocks2.8.2启动报undefined symbol: EVP_CIPHER_CTX_cleanup错误==
 
<pre>
 
最近将kali升级到了最新版本,编译之后shadowsocks无法启动,报错如下:
 
 
 
INFO: loading config from ss.json
 
2016-12-14 22:47:50 INFO loading libcrypto from libcrypto.so.1.1
 
Traceback (most recent call last):
 
File “/usr/local/bin/sslocal”, line 11, in
 
sys.exit(main())
 
File “/usr/local/lib/python2.7/dist-packages/shadowsocks/local.py”, line 39, in main
 
config = shell.get_config(True)
 
File “/usr/local/lib/python2.7/dist-packages/shadowsocks/shell.py”, line 262, in get_config
 
check_config(config, is_local)
 
File “/usr/local/lib/python2.7/dist-packages/shadowsocks/shell.py”, line 124, in check_config
 
encrypt.try_cipher(config[‘password’], config[‘method’])
 
File “/usr/local/lib/python2.7/dist-packages/shadowsocks/encrypt.py”, line 44, in try_cipher
 
Encryptor(key, method)
 
File “/usr/local/lib/python2.7/dist-packages/shadowsocks/encrypt.py”, line 83, in init
 
random_string(self._method_info[1]))
 
File “/usr/local/lib/python2.7/dist-packages/shadowsocks/encrypt.py”, line 109, in get_cipher
 
return m[2](method, key, iv, op)
 
File “/usr/local/lib/python2.7/dist-packages/shadowsocks/crypto/openssl.py”, line 76, in init
 
load_openssl()
 
File “/usr/local/lib/python2.7/dist-packages/shadowsocks/crypto/openssl.py”, line 52, in load_openssl
 
libcrypto.EVP_CIPHER_CTX_cleanup.argtypes = (c_void_p,)
 
File “/usr/lib/python2.7/ctypes/init.py”, line 375, in getattr
 
func = self.getitem(name)
 
File “/usr/lib/python2.7/ctypes/init.py”, line 380, in getitem
 
func = self._FuncPtr((name_or_ordinal, self))
 
AttributeError: /usr/lib/x86_64-Linux-gnu/libcrypto.so.1.1: undefined symbol: EVP_CIPHER_CTX_cleanup
 
 
 
这个问题是由于在openssl1.1.0版本中,废弃了EVP_CIPHER_CTX_cleanup函数,如官网中所说:
 
 
 
EVP_CIPHER_CTX was made opaque in OpenSSL 1.1.0. As a result, EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup() disappeared.
 
EVP_CIPHER_CTX_init() remains as an alias for EVP_CIPHER_CTX_reset().
 
 
 
修改方法:
 
 
 
# pip install
 
用vim打开文件:vim /usr/local/lib/python2.7/dist-packages/shadowsocks/crypto/openssl.py (该路径请根据自己的系统情况自行修改,如果不知道该文件在哪里的话,可以使用find命令查找文件位置)
 
跳转到52行(shadowsocks2.8.2版本,其他版本搜索一下cleanup)
 
进入编辑模式
 
将第52行libcrypto.EVP_CIPHER_CTX_cleanup.argtypes = (c_void_p,)
 
改为libcrypto.EVP_CIPHER_CTX_reset.argtypes = (c_void_p,)
 
再次搜索cleanup(全文件共2处,此处位于111行),将libcrypto.EVP_CIPHER_CTX_cleanup(self._ctx)
 
改为libcrypto.EVP_CIPHER_CTX_reset(self._ctx)
 
保存并退出
 
启动shadowsocks服务:service shadowsocks start 或 sslocal -c ss配置文件目录
 
 
 
</pre>
 
  
=see also=
+
[https://blog.51cto.com/wzlinux/2043586 Ubuntu 新装服务器部署流程]
  
[https://www.jianshu.com/p/c30c1e7b90cf Ubuntu16.04 终端翻墙]
+
[https://www.howtoing.com/install-java-in-debian-and-ubuntu 如何在Debian和Ubuntu系统中安装Java 9]
  
[https://blog.itnmg.net/2016/04/30/shadowsocks/ CentOS 7 安装 Shadowsocks 科学上网]
+
[http://www.ruanyifeng.com/blog/2014/03/server_setup.html Linux服务器的初步配置流程]
  
[http://forum.ubuntu.org.cn/viewtopic.php?t=291484 在xfce下的chrome浏览器如何设置代理服务器?(已解决,换浏览器)]
+
[http://spenserj.com/blog/2013/07/15/securing-a-linux-server/ Securing a Linux Server]
  
 +
[http://blog.51cto.com/feihan21/1060365 Linux服务器初始化配置脚本]
  
[https://blog.fazero.me/2015/09/15/%E8%AE%A9%E7%BB%88%E7%AB%AF%E8%B5%B0%E4%BB%A3%E7%90%86%E7%9A%84%E5%87%A0%E7%A7%8D%E6%96%B9%E6%B3%95/ 让终端走代理的几种方法]
+
[https://blog.imdst.com/linux-fu-wu-qi-chu-shi-hua-an-quan-jia-gu/ Linux服务器初始化调优及安全加固]
  
[http://adagio-cantabile.github.io/2016/12/06/install-shadowsocks-in-ubuntu.html 如何在ubuntu16通过终端设置shadowsocks实现科学上网]
+
[https://linux.cn/article-5067-1.html 如何使用 fail2ban 防御 SSH 服务器的暴力破解攻击]
  
 +
[https://blog.csdn.net/developerinit/article/details/73065229?utm_source=blogxgwz7 Debian的一些常用命令]
  
[https://www.digitalocean.com/community/tutorials/how-to-route-web-traffic-securely-without-a-vpn-using-a-socks-tunnel How To Route Web Traffic Securely Without a VPN Using a SOCKS Tunnel]
 
  
[[category:linux]] [[category:ops]]
+
[https://www.cnblogs.com/yoyotl/p/8151409.html Debian 8 设置时区和时间配置]
 +
[[category:ops]] [[category:debian]]
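
Review bot: in the added "ssh config" block, `sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g"` only matches an active line. If sshd_config carries the directive commented out, which is what the preceding `#PubkeyAuthentication yes` substitution assumes for its own directive, the command changes nothing and password logins stay enabled. Match an optional leading `#` in the pattern, and run `sshd -t` before `systemctl restart sshd` so a broken config does not lock out the only login path. Two smaller points in the same revision: the key line uses the placeholder `you_prk_key` where a public key is needed, and the `>sources.list` redirect in the "9 源" block writes to the current directory without saying which directory that should be.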

Revision as of 03:52, 29 February 2020 (Sat)

Batch-initializing machines with Salt-ssh

os init

change sources

Debian 10 sources


deb http://mirrors.aliyun.com/debian/ buster main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster main non-free contrib
deb http://mirrors.aliyun.com/debian-security buster/updates main
deb-src http://mirrors.aliyun.com/debian-security buster/updates main
deb http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib

Debian 9 sources


echo 'deb http://mirrors.aliyun.com/debian/ stretch main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch main non-free contrib
deb http://mirrors.aliyun.com/debian-security stretch/updates main
deb-src http://mirrors.aliyun.com/debian-security stretch/updates main
deb http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib ' >sources.list

ssh config

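# append the operator's public key (placeholder, replace with the real key)
echo "ssh-rsa AAAAB3NzaC your_pub_key root@ops" >> /root/.ssh/authorized_keys

sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config

# also match the commented-out default line, otherwise password logins stay enabled
sed -i -E "s/^#?PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config

# check the configuration before restarting
sshd -t && systemctl restart sshd
#service  sshd restart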
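
Added example (not part of the original page): a substitution anchored only on an active `PasswordAuthentication yes` line changes nothing when the directive is commented out, and sshd then keeps its default of allowing passwords. The helpers `set_directive`, `effective_value` and `make_sample` are hypothetical names, GNU sed is assumed, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page. Helper names are hypothetical.

# Print the value of the first active KEY line in the global section
# (before any Match block). Empty output means sshd's default applies.
effective_value() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Force "KEY VALUE" for a yes/no directive: rewrite every active or
# commented-out "KEY yes|no" line, or prepend the setting if none exists
# (sshd keeps the first value it reads for a keyword).
set_directive() {
    file=$1 key=$2 value=$3
    pat="^[[:space:]]*#?[[:space:]]*${key}[[:space:]]+(yes|no)[[:space:]]*\$"
    if grep -Eiq "$pat" "$file"; then
        sed -E -i "s/${pat}/${key} ${value}/I" "$file"
    else
        tmp=$(mktemp)
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
        cat "$tmp" > "$file"; rm -f "$tmp"
    fi
}

# Constructed sample: both directives are commented out.
make_sample() {
    cat > "$1" <<'EOF'
#PubkeyAuthentication yes
#PasswordAuthentication yes
UsePAM yes
EOF
}

cfg=$(mktemp)
make_sample "$cfg"
# Substitution anchored on the active line only: no match, no change.
sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" "$cfg"
echo "anchored sed: '$(effective_value "$cfg" PasswordAuthentication)' (empty = default)"
set_directive "$cfg" PasswordAuthentication no
set_directive "$cfg" PubkeyAuthentication yes
echo "set_directive: $(effective_value "$cfg" PasswordAuthentication)"
rm -f "$cfg"
```

On a real host, point the helpers at a copy of /etc/ssh/sshd_config and validate the result with `sshd -t` before restarting the service.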

Common software

useradd -d /data/evan  -s /bin/bash -m  evan
# the -m option creates the home directory if it does not exist


apt install net-tools procps  rsync wget   w3m    vim  build-essential dnsutils screen  curl sudo lsb-release  iotop software-properties-common  -y  #dig dnsutils   firewalld

# full set of development tools
sudo apt  install git golang build-essential gcc g++ gdb libboost-dev make automake autogen autoconf cscope global cmake cmake-gui astyle clang-format clang llvm lldb libsqlite3-dev sqlite3 bison flex ruby-dev linux-headers-`uname -r`


#ps 
apt install procps


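Install Fail2Ban

Installing fail2ban on Debian against SSH brute-force attacks


Configuring iptables on Debian

Time synchronization

Switch the time zone from UTC to CST

# use this method
# set the Asia time zone; tzselect is sometimes inaccurate
timedatectl set-timezone Asia/Shanghai
# enable NTP synchronization (false disables it)
timedatectl set-ntp yes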


 echo "export TZ='Asia/Shanghai'"  >> /etc/profile  
 cat /etc/profile |grep TZ  
source /etc/profile

date -R  # check the time zone
 date 
Sat Aug 19 17:03:17 CST 2017

security

ufw

firewalld

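This one has been abandoned.

For details see: Centos7 firewalld firewall basics

How To Install and Configure Firewalld on Debian 10

Installing and configuring Firewalld on Debian 10 (Buster)

References

Deployment procedure for a freshly installed Ubuntu server

How to install Java 9 on Debian and Ubuntu

Initial configuration procedure for a Linux server

Securing a Linux Server

Linux server initialization script

Linux server initialization tuning and security hardening

How to use fail2ban to defend an SSH server against brute-force attacks

Some commonly used Debian commands


Setting the time zone and time on Debian 8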