VPS roles

What a VPS can do is, honestly, beyond my imagination.

I got a really cheap and stable KVM VPS on hosteons.com, and run ShadowsocksR as its main job.

1 Basic

Log in over SSH on Ubuntu 16; the VNC console runs into a template error with the GUI.

# First login is by password; the host-key prompt is answered with "yes".
ssh root@your_vps_ip
# Presumably set to silence locale warnings in the session — confirm.
export LC_ALL="en_US.UTF-8"
### Type yes and password to login vps
# This generates a key pair on the VPS itself; the key that grants you access
# is your laptop's public key, pasted into authorized_keys on the next line.
ssh-keygen
# One public key per line.
vi ~/.ssh/authorized_keys
# Set "PasswordAuthentication no" here, but only after a key-based login has
# been verified from a second terminal — otherwise the sshd restart that
# follows locks you out of the box.
vi /etc/ssh/sshd_config
PasswordAuthentication no
# Applies the sshd_config change. Keep this session open and test a fresh
# key-based login before closing it, so a typo cannot lock you out.
sudo service sshd restart
### Add your laptop's rsa public key to it
# Presumably run on the laptop: defines the "eula.cf" alias used by the
# ssh/scp commands that follow — verify it is not edited on the VPS.
vi .ssh/config
Host eula.cf
HostName your_vps_ip
Port your_ssh_port
User your_user_name
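# Connect through the alias defined in ~/.ssh/config.
ssh eula.cf
## Download from vps
# The remote side needs "host:path". Without the colon scp treats "eula.cf"
# as a local file name and the transfer never touches the VPS.
scp eula.cf:file.gz file.gz
## Upload to vps
# A bare "host:" puts the file in the remote user's home directory.
scp blog.tar.gz eula.cf: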

2 SSR server

2.1 speed benchmark

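# Save the benchmark script and read it before running it: "wget | bash"
# executes whatever the remote host serves, with no chance to inspect it,
# and in these notes the shell is root's.
wget -qO superbench.sh https://raw.githubusercontent.com/oooldking/script/master/superbench.sh
less superbench.sh
bash superbench.sh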

2.2 bbr

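## for ubuntu 18
# --no-check-certificate is dropped: it disables TLS verification, so anyone
# on the network path could hand you a different script to run as root.
wget https://github.com/teddysun/across/raw/master/bbr.sh
chmod +x bbr.sh
# Read the script before running it.
./bbr.sh
# Confirm the module is loaded and BBR is offered by the kernel.
lsmod | grep 'bbr'
sysctl net.ipv4.tcp_available_congestion_control

## for ubuntu 16
# Same TLS-verification fix as above; the chaining is otherwise unchanged.
wget -qO 'BBR.sh' 'https://moeclub.org/attachment/LinuxShell/BBR.sh' && chmod a+x BBR.sh && bash BBR.sh -f
wget -qO 'BBR_POWERED.sh' 'https://moeclub.org/attachment/LinuxShell/BBR_POWERED.sh' && chmod a+x BBR_POWERED.sh && bash BBR_POWERED.sh
lsmod | grep 'bbr'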

2.3 ssr

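mkdir -p ssr && cd ssr
# Keep TLS verification on: --no-check-certificate would let anyone on the
# path substitute the installer, which is then executed with root privileges.
wget https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocksR.sh
chmod +x shadowsocksR.sh
# Read the script before running it; the tee'd log keeps the installer output.
./shadowsocksR.sh 2>&1 | tee shadowsocksR.log
reboot
# ./shadowsocksR.sh uninstall
/etc/init.d/shadowsocks restart
## Check configuration
# The file holds the client passwords; keep it readable by root only.
vi /etc/shadowsocks.json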
## Check configuration
{
"server":"0.0.0.0",
"server_ipv6":"[::]",
"port_password":{
"8089":"your_pass",
"8090":"your_passwd",
"8091":"your_password"
},
"local_address":"127.0.0.1",
"local_port":1080,
"password":"your_pass",
"timeout":120,
"method":"encryption_method",
"protocol":"choose_proto",
"protocol_param":"",
"obfs":"plain",
"obfs_param":"",
"redirect":"",
"dns_ipv6":false,
"fast_open":false,
"workers":1
}

2.4 Other options

ss

# Two install sources are listed; one is enough — TODO confirm which is meant.
pip install shadowsocks
apt install shadowsocks
## Start service
# The config holds the client passwords; keep it readable by root only.
ssserver -c /etc/shadowsocks.json

local to vps

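apt-get install build-essential libtool libpcre3 libpcre3-dev zlib1g-dev openssl
### Auto install nginx
apt install nginx
ls /var/www/html
### Manual install newest nginx server
# Fetch over HTTPS and verify the detached signature nginx.org publishes next
# to each tarball (import the nginx signing key first), so a tampered archive
# is not built and installed.
wget https://nginx.org/download/nginx-1.15.5.tar.gz
wget https://nginx.org/download/nginx-1.15.5.tar.gz.asc
gpg --verify nginx-1.15.5.tar.gz.asc nginx-1.15.5.tar.gz
tar -zxvf nginx-1.15.5.tar.gz && cd nginx-1.15.5
./configure --prefix=/usr/local/nginx
make
make install
sudo /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# pgrep does not match its own grep process the way "ps | grep" does.
pgrep -a nginx
/usr/local/nginx/sbin/nginx -V
vi /usr/local/nginx/conf/nginx.conf
/usr/local/nginx/sbin/nginx -s reload
### Stop nginx
/usr/local/nginx/sbin/nginx -s stop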

streisand

apt install python
apt install git
# apt install python-pip python-pycurl python-dev build-essential python-paramiko
apt install python-pip
# Installed system-wide even though a venv is created and activated a few
# lines later; the global install may be redundant — verify.
pip install ansible markupsafe
git clone https://github.com/StreisandEffect/streisand.git && cd streisand
export LC_ALL="en_US.UTF-8"
./util/venv-dependencies.sh ./venv
source ./venv/bin/activate
./streisand
### Linode and other famous vps should install another package or skip this
### I choose 7. localhost and default setting, and 8. Existing Server also is ok
### Then streisand will deploy successfully on Ubuntu 16 with root as default user
### Then default 5 accounts will be created.
# Per the notes above, the generated docs presumably carry the new accounts'
# access details, so treat the archive as a secret: move it over ssh only and
# remove the copy left on the VPS afterwards.
tar -czf streisand.tar.gz /root/streisand/generated-docs
scp root@your_vps_ip:/root/streisand.tar.gz streisand.tar.gz
### Visit https://your_vps_ip with CA and password for user streisand.

3 Web server

3.1 http

nginx

apt install nginx
# The Debian/Ubuntu default site serves /var/www/html, so anything moved
# there is reachable by anyone who can reach the VPS.
ls /var/www/html
nginx -v
mv ~/test.pkg /var/www/html/

frp

  • installation
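    # Makefile-style "$(NAME)" is command substitution in the shell — it tries
    # to run a command called PKG_VER — so every variable reference is "${NAME}".
    PKG_VER=0.21.0
    PKG_ARCH=linux_amd64
    PKG_NAME="frp_${PKG_VER}_${PKG_ARCH}"
    wget "https://github.com/fatedier/frp/releases/download/v${PKG_VER}/${PKG_NAME}.tar.gz"
    tar -xzf "${PKG_NAME}.tar.gz"
    cd "${PKG_NAME}"
    # $PWD is a shell variable, not a command.
    PKG_PATH="${PWD}/frps"
    ./frps -c ./frps.ini --reload
    # Append the start-up line to rc.local. The original line backgrounded "cat"
    # and redirected nothing into the file; tee runs under sudo so the append
    # is not attempted by the unprivileged shell.
    printf '%s -c %s.ini &\n' "${PKG_PATH}" "${PKG_PATH}" | sudo tee -a /etc/rc.local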
  • frps startup
    # Create the unit file with the contents below. Locally written units
    # normally go in /etc/systemd/system; /lib/systemd/system is for packaged ones.
    sudo vi /lib/systemd/system/frps.service

    [Unit]
    Description=frps service
    After=network.target syslog.target
    Wants=network.target

    [Service]
    Type=simple
    # No User= line, so frps runs as root. frps.ini in these notes binds ports
    # 80 and 443 (vhost_http_port / vhost_https_port), so a dedicated user would
    # also need AmbientCapabilities=CAP_NET_BIND_SERVICE — worth it for a
    # service exposed to the internet.
    ExecStart=/root/frp/frps -c /root/frp/frps.ini

    [Install]
    WantedBy=multi-user.target

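    # The ssh alias is "eula.cf" (the ~/.ssh/config entry above); "eula.fc" is a
    # typo that most likely fails on name resolution.
    scp 0x99-frps.service eula.cf:/lib/systemd/system/frps.service
    # systemd only picks up a new or changed unit file after a daemon-reload.
    sudo systemctl daemon-reload
    sudo systemctl start frps
    sudo systemctl enable frps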
  • frps screen1
    # Run frps inside a screen session named "frp" using the full path ...
    screen -S frp /root/frp/frps -c /root/frp/frps.ini
    # ... or put it on PATH once and use the short name (same effect).
    ln -s /root/frp/frps /usr/bin/frps
    screen -S frp frps -c /root/frp/frps.ini

    The config file

    [common]
    # Shared secret every frpc must present; use a long random value, not a word.
    token = your_passwd
    bind_port = 7000
    kcp_bind_port = 7000
    vhost_http_port = 80
    vhost_https_port = 443
    subdomain_host = your_domain

    # The dashboard is reachable on port 8000 from anywhere unless the firewall
    # or dashboard_addr restricts it (frps default — confirm); give it a strong
    # password rather than "passwd".
    dashboard_port = 8000
    dashboard_user = username
    dashboard_pwd = passwd
    [ssh]
    type = tcp
    listen_port = 9000
    auth_token = passwd1

    [ssh_1]
    type = tcp
    listen_port = 9001
    auth_token = passwd2
  • https2, 3

    ssl – let's encrypt

  • frp on openwrt

    Add to /etc/init.d/frpc

    #!/bin/sh /etc/rc.common
    # procd init script for the frp client (frpc) on OpenWrt.
    # NOTE(review): the binary is run from /tmp, which on OpenWrt is normally a
    # tmpfs that is emptied on reboot and writable by local users, so the
    # service will not survive a reboot and the file could be replaced before
    # start — confirm this is deliberate (e.g. limited flash space).

    START=99
    USE_PROCD=1

    start_service() {
    # One procd-managed instance, stdout/stderr forwarded to the log, run as root.
    procd_open_instance "frpc"
    procd_set_param command /tmp/frpc -c /root/frp/frpc.ini
    procd_set_param stdout 1
    procd_set_param stderr 1
    procd_set_param user root
    procd_close_instance
    }
    • original
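      # Absolute path: "./tmp/frpc" means <cwd>/tmp/frpc and only resolves when
      # run from /, whereas the init script above starts /tmp/frpc.
      /tmp/frpc -c /root/frp/frpc.ini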
      [common]
      server_addr = your_vps_ip
      server_port = 7000
      token = your_passwd
      login_fail_exit = false
      admin_port = 7400

      [lede]
      type = http
      local_ip = 192.168.1.1
      local_port = 80
      subdomain = lede

      [aria2]
      type = http
      local_ip = 192.168.1.1
      local_port = 6800
      subdomain = aria2
    • xfrp4

      For the Netgear 43005; xfrpc only works with xfrps.

      # Locate the libevent build the router ships with.
      find / -name "*libevent*"
      # Points the 2.1 soname at the 2.0 library so xfrpc can load. A different
      # soname means the ABI is not guaranteed compatible, so this may fail at
      # runtime — a build against the installed libevent is the safer fix.
      ln -s /usr/lib/libevent-2.0.so.5 /usr/lib/libevent-2.1.so.6

npm

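# Save the NodeSource setup script and read it before running it:
# "curl | sudo bash" runs unreviewed remote content as root.
curl -fsSL -o nodesource_setup.sh https://deb.nodesource.com/setup_10.x
less nodesource_setup.sh
sudo bash nodesource_setup.sh
sudo apt install nodejs
npm -v
# Root is only required for a port below 1024; otherwise run the server as an
# unprivileged user on a high port (or behind nginx, see above).
sudo node http_server.js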

docker6

  • docker usage
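    sudo apt install apt-transport-https ca-certificates curl gnupg software-properties-common
    # apt-key is deprecated: keep Docker's key in its own keyring and bind the
    # repository to it with signed-by, so that key cannot vouch for other repos.
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
    sudo add-apt-repository "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu bionic stable"
    sudo apt update
    # Confirm the candidate comes from download.docker.com, not the Ubuntu archive.
    apt-cache policy docker-ce
    sudo apt install docker-ce
    sudo systemctl status docker
    sudo apt install net-tools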
    # Start a container from an image (foreground).
    docker run image_name
    # Running containers only, then every container including stopped ones.
    docker ps
    docker ps --all
    # Kill everything that is running; the substitution is left unquoted on
    # purpose so each ID becomes its own argument.
    docker kill $(docker ps --quiet)
    docker stop ID
    docker start ID
    # Remove every container (stopped ones included).
    docker rm $(docker ps --quiet --all)

3.2 domain name

Register a free domain name on freenom and use China's DNSPod as the nameserver, according to this.

freenom

You can register a free name for a long period.

dnspod7

4 Mail server

Most VPS providers block inbound and outbound traffic on port 25, so check with `telnet IP port`. Outbound traffic on port 25 can be redirected to other ports8.

4.1 maildev9

An SMTP test server available via Docker or npm; it catches and sends mail and has a password-protected web client.

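npm install -g maildev
# Without --web-user/--web-pass the web client on 8080 (and the SMTP
# catch-all on 25) is open to anyone who can reach the VPS.
screen -S mail maildev -s 25 -w 8080
# Placeholder only: never keep the real web password in notes that get
# published, and rotate any value that already was.
screen -S mail maildev -s 25 -w 8080 --web-user adnil --web-pass your_web_pass
### Or run with docker
docker run --name maildev -d -p 8080:80 -p 25:25 djfarrelly/maildev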

https://danfarrelly.nyc/MailDev/

Check with this site

forsaken10

  # Detached container exposing SMTP on 25 and the web UI on 3000.
  docker run --name fmail --detach --publish 25:25 --publish 3000:3000 denghongcai/forsaken-mail
  # Or like this
  # Same image, SMTP mapped to host port 1025 instead (presumably for hosts
  # where 25 is blocked, as noted above).
  docker run --name fomail --detach --publish 1025:25 --publish 3000:3000 denghongcai/forsaken-mail

iRedMail11

Open-source, serious server.

Modoboa12

Multi-function

mailinabox13

Multi-function

Mailu14

Serious server; needs more than 2 GB of total memory and 1 GB of free memory.

mailslurper15

Compiled Go binary.

5 Issues

5.1 iptables

clear all

# Open every built-in policy, then flush all tables and delete user chains;
# the verbose listing at the end should show only empty built-in chains.
# Docker's chains go too — the listing further down shows
# "Chain DOCKER (0 references)" afterwards — so restarting the docker
# service is presumably needed to get them back (confirm).
for chain in INPUT FORWARD OUTPUT; do
  iptables -P "$chain" ACCEPT
done
for table in nat mangle raw; do
  iptables -t "$table" -F
done
iptables -F
iptables -X
iptables -nvL
### Maybe ip6tables needs clear
for chain in INPUT FORWARD OUTPUT; do
  ip6tables -P "$chain" ACCEPT
done
for table in nat mangle; do
  ip6tables -t "$table" -F
done
ip6tables -F
ip6tables -X
# Reset every table by rewriting the iptables-save dump: keep the table
# headers, force each built-in chain's policy to ACCEPT, drop user chains
# (their policy field is "-") and every rule, and keep the COMMIT lines.
iptables-save \
  | awk '/^[*]/ { print $1 }
         /^:[A-Z]+ [^-]/ { print $1, "ACCEPT" }
         /COMMIT/ { print }' \
  | iptables-restore

[2018-11-15 Thu]

root@eula:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 138 packets, 11707 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
131 943K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
131 943K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
95 941K ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
36 2116 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7 packets, 700 bytes)
pkts bytes target prot opt in out source destination

Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:3000
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:25

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
36 2116 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
131 943K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
36 2116 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
131 943K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
root@eula:~# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 255/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 440/sshd
tcp 0 0 your_vps_ip:55313 172.217.14.78:443 ESTABLISHED 499/python
tcp 0 376 your_vps_ip:22 14.16.103.178:61552 ESTABLISHED 707/sshd: root@pts/
tcp 0 0 your_vps_ip:45507 74.125.197.188:443 ESTABLISHED 499/python
tcp6 0 0 :::22 :::* LISTEN 440/sshd
tcp6 0 0 :::3000 :::* LISTEN 806/docker-proxy
tcp6 0 0 :::25 :::* LISTEN 818/docker-proxy
tcp6 0 0 :::8089 :::* LISTEN 499/python
tcp6 0 0 your_vps_ip:8089 14.16.103.178:61655 ESTABLISHED 499/python
tcp6 0 0 your_vps_ip:8089 14.16.103.178:61596 ESTABLISHED 499/python
root@eula:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 2444 packets, 579K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 165 packets, 9880 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1050 packets, 495K bytes)
pkts bytes target prot opt in out source destination

Chain DOCKER (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:3000
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:25

Chain DOCKER-ISOLATION-STAGE-1 (0 references)
pkts bytes target prot opt in out source destination

Chain DOCKER-ISOLATION-STAGE-2 (0 references)
pkts bytes target prot opt in out source destination

Chain DOCKER-USER (0 references)
pkts bytes target prot opt in out source destination
root@eula:~# iptables-
iptables-apply iptables-restore iptables-save iptables-xml
root@eula:~# iptables-
iptables-apply iptables-restore iptables-save iptables-xml
root@eula:~# iptables-
iptables-apply iptables-restore iptables-save iptables-xml
root@eula:~# iptables-save
# Generated by iptables-save v1.6.1 on Thu Nov 15 06:30:12 2018
*nat
:PREROUTING ACCEPT [1712:142062]
:INPUT ACCEPT [115:20353]
:OUTPUT ACCEPT [32:7256]
:POSTROUTING ACCEPT [32:7256]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 25 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.17.0.2:3000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.17.0.2:25
COMMIT
# Completed on Thu Nov 15 06:30:12 2018
# Generated by iptables-save v1.6.1 on Thu Nov 15 06:30:12 2018
*filter
:INPUT ACCEPT [2754:615656]
:FORWARD DROP [175:10504]
:OUTPUT ACCEPT [1141:520115]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
# Completed on Thu Nov 15 06:30:12 2018



root@eula:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:3000
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:25

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
root@eula:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 1714 packets, 385K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
205 955K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
205 955K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
133 949K ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4 256 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
68 6427 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 885 packets, 326K bytes)
pkts bytes target prot opt in out source destination

Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
4 256 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:3000
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:25

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
68 6427 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
205 955K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
68 6427 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
205 955K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

5.2 startup

Ubuntu 18.04 LTS uses systemctl, and rc.local cannot be edited directly to configure startup.

# Give the stock rc-local unit an [Install] section so "systemctl enable" has
# a target to hook it into.
sudo vim /etc/systemd/system/rc-local.service
### Add this section in rc-local.service
[Install]
WantedBy=multi-user.target
# The startup script itself; its contents follow.
sudo vim /etc/rc.local
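#!/bin/sh -e
#
# rc.local
# The working directory at boot is not the frp directory, so a relative
# "./frps" is not found; use the absolute paths from the frps unit file.
/root/frp/frps -c /root/frp/frps.ini &
# maildev was installed with "npm -g"; confirm its directory is on PATH for
# this non-login shell, or use the full path here.
maildev -s 25 -w 8080 &
exit 0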
# rc.local must be executable for the unit to run it; "enable --now" both
# enables and starts rc-local.service in one step.
sudo chmod +x /etc/rc.local
sudo systemctl enable --now rc-local.service