This tutorial is for those who want to reach sites outside the Great Firewall.
Shadowsocks is a secure SOCKS proxy designed to protect network traffic from interference. It is an open-source project; many thanks to its author @clowwindy. Its main features are:
Fast (asynchronous I/O and event-driven).
Secure (all traffic is encrypted; custom ciphers are supported).
Mobile client support (optimized for mobile devices and wireless networks).
Cross-platform (runs on PCs, Macs, phones (Android and iOS) and routers (OpenWrt)).
Uses the SOCKS5 protocol with industrial-strength encryption under a password you choose, so traffic is not easily read by others in transit.
Open source.
Easy to maintain.
This article describes how to set up a Shadowsocks server on an overseas VPS. The server side (Shadowsocks, abbreviated SS below) is the Python version, and the OS is CentOS 6. Once the server is configured, running the local client gives unobstructed access to blocked sites. The principle is shown in the figure below.
I currently use a 搬瓦工 (Bandwagon Host) VPS at 4 USD per year: 200 GB of traffic per month, 2 GB of disk, 96 MB of RAM and one Xeon core. That is more than enough for an SS server, though rather weak for hosting a website; overall the price/performance is good. Purchase guides are easy to find on Baidu, so I will not repeat them here.
How to set up a Shadowsocks server
If you bought a Bandwagon Host VPS, log in to the Bandwagon Host Client Area, go to Services > My Services, find the VPS you bought and open the KiwiVM control panel. The right-hand side shows your VPS information, from top to bottom: physical location, IP address, SSH port, running state, actions (power on/off, reboot), RAM usage, swap usage, disk usage, traffic usage (reset every month) and the Linux distribution version.
Note: the SS server setup differs between operating systems; this article is based on CentOS 6. If you installed another Linux distribution (Debian, Ubuntu, etc.), search for the matching SS installation guide, or click Install New OS on the left of the KiwiVM panel to reinstall CentOS.
1. Connect to the VPS with PuTTY. PuTTY is a free SSH client for Windows, shown below.
Enter the VPS IP address under Host Name, the SSH port under Port, select SSH as the connection type and click Open.
Username: root. Password: on the left of the KiwiVM panel, open Root password modification and click Generate New password; a random password is generated.
2. Change the root password: after logging in as root, run passwd root to set a new root password; use that password for future root logins.
3. Install the SS server:
Run the following commands:
yum update
yum install python-setuptools && easy_install pip
pip install shadowsocks
4. Configure the SS server:
Create a configuration file by running vi /etc/shadowsocks.json
with the following contents:
{
    "server": "your_server_ip",
    "server_port": 8388,
    "password": "yourpassword",
    "timeout": 300,
    "method": "aes-256-cfb",
    "fast_open": false,
    "workers": 1
}
Meaning of each field:
server: server IP address (IPv4/IPv6)
server_port: the port the server listens on, commonly 80, 443, etc.; do not pick a port that is already in use
password: the password, chosen by you
timeout: timeout in seconds
method: encryption method, e.g. "aes-256-cfb", "rc4-md5", etc. "rc4-md5" is recommended
fast_open: true or false. If the server's Linux kernel is 3.7 or later, you can enable fast_open to reduce latency.
workers: number of worker processes, default 1.
Note: if you want to share the SS server with friends or family, you can configure several accounts, as in the following example:
{
    "server": "your_server_ip",
    "port_password": {
        "8381": "pass1",
        "8382": "pass2",
        "8383": "pass3",
        "8384": "pass4"
    },
    "timeout": 60,
    "method": "rc4-md5",
    "fast_open": false,
    "workers": 1
}
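Both layouts above are easy to copy with placeholders left in, and the fields are loosely typed, so a small validator run before ssserver starts catches the common mistakes. The following is an added example, not code from the tutorial or from the Shadowsocks project: it accepts the single-user ("server_port"/"password") and multi-user ("port_password") forms and lists the problems it finds. The weak-cipher list, the 12-character password minimum and the placeholder list are this example's own assumptions; in particular it flags rc4-md5, which the guide suggests, because RC4 is a broken cipher.

```python
"""Sanity-check /etc/shadowsocks.json before starting ssserver.

Added example, not code from the original tutorial or from the Shadowsocks
project. It accepts both layouts shown above (single "server_port"/"password"
and multi-user "port_password") and reports the mistakes that most often leave
a server unreachable or easy to attack. The weak-cipher list, the 12-character
password minimum and the placeholder list are this example's own assumptions.
"""
import ipaddress
import json

# Assumption: RC4-based ciphers and the legacy "table" cipher are broken and
# should not be deployed, even though older guides (including the one above)
# suggest rc4-md5.
WEAK_METHODS = {"rc4-md5", "rc4", "table"}
# Assumption: values copied straight from a tutorial are not real passwords.
PLACEHOLDER_PASSWORDS = {"yourpassword", "password", "pass1", "pass2", "pass3", "pass4"}
MIN_PASSWORD_LEN = 12


def _positive_int(value):
    """True for 1, 2, 3 ...; False for bools, floats, strings and non-positives."""
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def check_config(text):
    """Return a list of human-readable problems; an empty list means the file is OK."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    problems = []

    # "server" must be an IP literal, not the "your_server_ip" placeholder.
    server = cfg.get("server", "")
    try:
        ipaddress.ip_address(server)
    except ValueError:
        problems.append(f"server must be an IPv4/IPv6 address, got {server!r}")

    # Gather (port, password) pairs from whichever layout is in use.
    if "port_password" in cfg:
        pairs = [(str(p), pw) for p, pw in cfg["port_password"].items()]
    elif "server_port" in cfg:
        pairs = [(str(cfg["server_port"]), cfg.get("password", ""))]
    else:
        pairs = []
        problems.append("neither server_port nor port_password is set")

    for port, pw in pairs:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"port {port!r} is not a number in 1-65535")
        if not isinstance(pw, str) or pw.lower() in PLACEHOLDER_PASSWORDS or len(pw) < MIN_PASSWORD_LEN:
            problems.append(f"password for port {port} is a placeholder or shorter than {MIN_PASSWORD_LEN} characters")

    method = cfg.get("method", "")
    if method in WEAK_METHODS:
        problems.append(f"method {method!r} is a broken cipher; use an AES-based method")
    if not _positive_int(cfg.get("timeout", 300)):
        problems.append("timeout must be a positive integer number of seconds")
    if not isinstance(cfg.get("fast_open", False), bool):
        problems.append("fast_open must be true or false")
    if not _positive_int(cfg.get("workers", 1)):
        problems.append("workers must be an integer >= 1")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/shadowsocks.json"
    with open(path) as fh:
        found = check_config(fh.read())
    print("\n".join(found) or f"{path}: no problems found")
```

Run it as python check_ss.py /etc/shadowsocks.json on the server; the two sample files from the guide are rejected as written (placeholder IP and passwords), which is the point: the file has to be edited before it is any use.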
5. Start Shadowsocks at boot.
Edit rc.local by running vi /etc/rc.local
with the following contents:
#!/bin/sh
ssserver -c /etc/shadowsocks.json -d start
Run reboot to restart the VPS.
6. Client configuration
Windows users: download Shadowsocks-csharp
Mac OS users: download Shadowsocksgui
Android users: download 影梭 (Shadowsocks for Android)
Taking the Windows client as an example, go to Servers > Edit Servers > Add and fill in the parameters as shown below.
Enter the values matching the server configuration and confirm, then right-click the tray icon and choose Enable System Proxy.
The other clients are configured in essentially the same way as the Windows client.
Once all the steps above are complete, open a browser and blocked sites such as YouTube and Google are reachable.
The wget tool is required; wget is a free utility for downloading files from the network automatically. If your system does not have it, install it with the command appropriate for your distribution:
Download the script with wget.
Following the previous step, run the script and fill in the details as prompted to complete the installation; enter a number to choose an option, or press Enter to accept the default.
When the installation finishes, the node configuration is printed; keep it confidential and save it.
After installation, check the running status.
Tip: once the script has finished, ShadowsocksR has already been added to start automatically at boot.
Uninstall, restart and related commands:
Related file paths:
Multi-user configuration example:
I use a Vultr server in New Jersey, connected from iOS with Shadowrocket (小飞机); YouTube at 1080p plays fine. Of course this server is not as fast as the Japan, Korea or Singapore ones; it is a $2.5 leftover, so I make do with it.
The default protocol is origin (the original SS protocol) and the default obfuscation is plain (none); these settings stay compatible with plain SS. If compatibility with the original is not a concern, the recommended protocols are auth_sha1_v4, auth_aes128_md5 and auth_aes128_sha1, and the recommended obfuscation methods are plain, http_simple, http_post and tls1.2_ticket_auth.
Do not use this on a domestic provider with an overseas node (Alibaba/Tencent Cloud + a Hong Kong/US server, and the like); you will be monitored and warned, with unexpectedly serious consequences.
1. Fetch the one-click installation script
[root@VPS ~]# wget -N --no-check-certificate https://raw.githubusercontent.com/wn789/serverspeeder/master/serverspeeder.sh
Note: 锐速 (ServerSpeeder) only supports KVM, not OpenVZ
2. Run the script
[root@California_VPS ~]# chmod +x serverspeeder.sh
[root@California_VPS ~]# bash serverspeeder.sh
Note: if the kernel is not supported, go to step 3
3. Replace the kernel manually
(1) The CentOS 7.3 kernel 3.10.0-514.16.1.el7.x86_64 does not yet support ServerSpeeder, so replace it with 3.10.0-229.1.2.el7.x86_64
rpm -ivh http://soft.91yun.org/ISO/Linux/CentOS/kernel/kernel-3.10.0-229.1.2.el7.x86_64.rpm --force  ## replace the kernel
rpm -qa | grep kernel
If you see the line indicated by the arrow above, the kernel was installed successfully.
(2) Reboot and check the kernel version
reboot
uname -r
(3) Reinstall ServerSpeeder
wget -N --no-check-certificate https://github.com/91yun/serverspeeder/raw/master/serverspeeder.sh && bash serverspeeder.sh
(4)
yum install proftpd proftpd-mysql -y
groupadd -g 2001 ftpgroup
useradd -u 2001 -s /bin/false -d /bin/null -c "proftpd user" -g ftpgroup ftpuser
Create the database
mysql -u root -p
create database ftp;
GRANT SELECT, INSERT, UPDATE, DELETE ON ftp.* TO 'proftpd'@'localhost' IDENTIFIED BY 'password';
GRANT SELECT, INSERT, UPDATE, DELETE ON ftp.* TO 'proftpd'@'localhost.localdomain' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
USE ftp;
CREATE TABLE ftpgroup (
groupname varchar(16) NOT NULL default '',
gid smallint(6) NOT NULL default '5500',
members varchar(16) NOT NULL default '',
KEY groupname (groupname),
PRIMARY KEY (gid)
) ENGINE=MyISAM COMMENT='ProFTP group table';
CREATE TABLE ftpquotalimits (
name varchar(30) default NULL,
quota_type enum('user','group','class','all') NOT NULL default 'user',
per_session enum('false','true') NOT NULL default 'false',
limit_type enum('soft','hard') NOT NULL default 'soft',
bytes_in_avail int(10) unsigned NOT NULL default '0',
bytes_out_avail int(10) unsigned NOT NULL default '0',
bytes_xfer_avail int(10) unsigned NOT NULL default '0',
files_in_avail int(10) unsigned NOT NULL default '0',
files_out_avail int(10) unsigned NOT NULL default '0',
files_xfer_avail int(10) unsigned NOT NULL default '0',
PRIMARY KEY (name)
) ENGINE=MyISAM;
CREATE TABLE ftpquotatallies (
name varchar(30) NOT NULL default '',
quota_type enum('user','group','class','all') NOT NULL default 'user',
bytes_in_used int(10) unsigned NOT NULL default '0',
bytes_out_used int(10) unsigned NOT NULL default '0',
bytes_xfer_used int(10) unsigned NOT NULL default '0',
files_in_used int(10) unsigned NOT NULL default '0',
files_out_used int(10) unsigned NOT NULL default '0',
files_xfer_used int(10) unsigned NOT NULL default '0',
PRIMARY KEY (name)
) ENGINE=MyISAM;
CREATE TABLE ftpuser (
id int(10) unsigned NOT NULL auto_increment,
userid varchar(32) NOT NULL default '',
passwd varchar(32) NOT NULL default '',
uid smallint(6) NOT NULL default '5500',
gid smallint(6) NOT NULL default '5500',
homedir varchar(255) NOT NULL default '',
shell varchar(16) NOT NULL default '/sbin/nologin',
count int(11) NOT NULL default '0',
accessed datetime NOT NULL default '0000-00-00 00:00:00',
modified datetime NOT NULL default '0000-00-00 00:00:00',
PRIMARY KEY (id),
UNIQUE KEY userid (userid)
) ENGINE=MyISAM COMMENT='ProFTP user table';
quit;
Edit the configuration
vi /etc/proftpd.conf
The following two lines should be commented out:
#AuthPAMConfig proftpd
#AuthOrder mod_auth_pam.c* mod_auth_unix.c
Append the following at the end:
LoadModule mod_sql.c
LoadModule mod_sql_mysql.c
LoadModule mod_quotatab.c
LoadModule mod_quotatab_sql.c
# The passwords in MySQL are encrypted using CRYPT
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users groups
# used to connect to the database
# databasename@host database_user user_password
SQLConnectInfo ftp@localhost proftpd password
# Here we tell ProFTPd the names of the database columns in the "usertable"
# we want it to interact with. Match the names with those in the db
SQLUserInfo ftpuser userid passwd uid gid homedir shell
# Here we tell ProFTPd the names of the database columns in the "grouptable"
# we want it to interact with. Again the names match with those in the db
SQLGroupInfo ftpgroup groupname gid members
# set min UID and GID - otherwise these are 999 each
SQLMinID 500
# create a user's home directory on demand if it doesn't exist
SQLHomedirOnDemand on
# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser
# Update modified every time user uploads or deletes a file
SQLLog STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser
# User quotas
# ===========
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas on
SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
RootLogin off
RequireValidShell off
Note: change the database username and password in SQLConnectInfo to your own
systemctl enable proftpd
systemctl restart proftpd
Insert data
mysql -u root -p
USE ftp;
INSERT INTO `ftpgroup` (`groupname`, `gid`, `members`) VALUES ('ftpgroup', 2001, 'ftpuser');
INSERT INTO `ftpquotalimits` (`name`, `quota_type`, `per_session`, `limit_type`, `bytes_in_avail`, `bytes_out_avail`, `bytes_xfer_avail`, `files_in_avail`, `files_out_avail`, `files_xfer_avail`) VALUES ('exampleuser', 'user', 'true', 'hard', 15728640, 0, 0, 0, 0, 0);
INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES (1, 'exampleuser', 'secret', 2001, 2001, '/home/www.example.com', '/sbin/nologin', 0, '', '');
quit;
After restarting the service,
try connecting with an FTP client.
Database table explanation
ftpuser Table:
The important columns are these (the others are handled by MySQL or Proftpd automatically, so do not fill these manually!):
userid: The name of the virtual Proftpd user (e.g. exampleuser).
passwd: The unencrypted (i.e., clear-text) password of the user.
uid: The userid of the ftp user you created at the end of step two (e.g. 2001).
gid: The groupid of the ftp group you created at the end of step two (e.g. 2001).
homedir: The home directory of the virtual Proftpd user (e.g. /home/www.example.com). If it does not exist, it will be created when the new user logs in the first time via FTP. The virtual user will be jailed into this home directory, i.e., he cannot access other directories outside his home directory.
shell: It is ok if you fill in /sbin/nologin here by default.
ftpquotalimits Table:
The important columns are these (the others are handled by MySQL or Proftpd automatically, so do not fill these manually!):
name: The name of the virtual Proftpd user (e.g. exampleuser).
quota_type: user or group. Normally, we use user here.
per_session: true or false. true means the quota limits are valid only for a session. For example, if the user has a quota of 15 MB, and he has uploaded 15 MB during the current session, then he cannot upload anything more. But if he logs out and in again, he again has 15 MB available. false means, that the user has 15 MB, no matter if he logs out and in again.
limit_type: hard or soft. A hard quota limit is a never-to-exceed limit, while a soft quota can be temporarily exceeded. Normally you use hard here.
bytes_in_avail: Upload limit in bytes (e.g. 15728640 for 15 MB). 0 means unlimited.
bytes_out_avail: Download limit in bytes. 0 means unlimited.
bytes_xfer_avail: Transfer limit in bytes. The sum of uploads and downloads a user is allowed to do. 0 means unlimited.
files_in_avail: Upload limit in files. 0 means unlimited.
files_out_avail: Download limit in files. 0 means unlimited.
files_xfer_avail: Transfer limit in files. 0 means unlimited.
The ftpquotatallies table is used by Proftpd internally to manage quotas so you do not have to make entries there!
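The interaction of per_session, limit_type and the "0 means unlimited" rule is easier to see when the tally arithmetic is run on sample data than from the column descriptions alone. Below is an added example, not the tutorial's text and not ProFTPD's code: it recreates the two quota tables in an in-memory SQLite database with the same column names and applies the same additions the update-quota-tally named query performs. The hard/soft handling is a simplified model (a hard limit refuses the transfer that would cross it, a soft limit lets it through and records the overrun), the table types are SQLite rather than MySQL, and the seeded limit row is constructed from the 15 MB INSERT above.

```python
"""Simplified model of ProFTPD's SQL quota bookkeeping.

Added example, not the tutorial's or ProFTPD's own code. It recreates the
ftpquotalimits and ftpquotatallies tables (same column names, SQLite types) in
memory and applies the arithmetic of the update-quota-tally named query above,
so the effect of per_session, limit_type and "0 means unlimited" can be seen
without touching the live MySQL tables. Hard/soft handling is a simplified
model: hard refuses a transfer that would cross the limit, soft lets it through
and records the overrun. The sample limit row is constructed for this example.
"""
import sqlite3

SCHEMA = """
CREATE TABLE ftpquotalimits (
  name TEXT PRIMARY KEY,
  quota_type TEXT NOT NULL DEFAULT 'user',
  per_session TEXT NOT NULL DEFAULT 'false',
  limit_type TEXT NOT NULL DEFAULT 'soft',
  bytes_in_avail INTEGER NOT NULL DEFAULT 0,
  bytes_out_avail INTEGER NOT NULL DEFAULT 0,
  bytes_xfer_avail INTEGER NOT NULL DEFAULT 0,
  files_in_avail INTEGER NOT NULL DEFAULT 0,
  files_out_avail INTEGER NOT NULL DEFAULT 0,
  files_xfer_avail INTEGER NOT NULL DEFAULT 0);
CREATE TABLE ftpquotatallies (
  name TEXT PRIMARY KEY,
  quota_type TEXT NOT NULL DEFAULT 'user',
  bytes_in_used INTEGER NOT NULL DEFAULT 0,
  bytes_out_used INTEGER NOT NULL DEFAULT 0,
  bytes_xfer_used INTEGER NOT NULL DEFAULT 0,
  files_in_used INTEGER NOT NULL DEFAULT 0,
  files_out_used INTEGER NOT NULL DEFAULT 0,
  files_xfer_used INTEGER NOT NULL DEFAULT 0);
"""

MB = 1024 * 1024


def new_db():
    """In-memory database seeded with the 15 MB hard upload quota from the INSERT above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute(
        "INSERT INTO ftpquotalimits (name, quota_type, per_session, limit_type, bytes_in_avail)"
        " VALUES (?, ?, ?, ?, ?)",
        ("exampleuser", "user", "false", "hard", 15 * MB),
    )
    return db


def start_session(db, name, quota_type="user"):
    """Login: with per_session = 'true' the tally restarts from zero, otherwise it persists."""
    row = db.execute(
        "SELECT per_session FROM ftpquotalimits WHERE name = ? AND quota_type = ?",
        (name, quota_type),
    ).fetchone()
    if row and row[0] == "true":
        db.execute("DELETE FROM ftpquotatallies WHERE name = ? AND quota_type = ?", (name, quota_type))


def record_upload(db, name, nbytes, quota_type="user"):
    """STOR of one file: mirrors insert-quota-tally / update-quota-tally.

    Returns True if the upload is accepted and counted, False if a hard limit refuses it.
    """
    limit = db.execute(
        "SELECT bytes_in_avail, bytes_xfer_avail, files_in_avail, files_xfer_avail, limit_type"
        " FROM ftpquotalimits WHERE name = ? AND quota_type = ?",
        (name, quota_type),
    ).fetchone()
    if limit is None:
        return True  # no limit row for this name: unrestricted
    tally = db.execute(
        "SELECT bytes_in_used, bytes_xfer_used, files_in_used, files_xfer_used"
        " FROM ftpquotatallies WHERE name = ? AND quota_type = ?",
        (name, quota_type),
    ).fetchone()
    if tally is None:  # first transfer: insert-quota-tally
        db.execute("INSERT INTO ftpquotatallies (name, quota_type) VALUES (?, ?)", (name, quota_type))
        tally = (0, 0, 0, 0)
    *avail, limit_type = limit
    # An upload adds to the "in" and "xfer" counters, for bytes and for files.
    after = (tally[0] + nbytes, tally[1] + nbytes, tally[2] + 1, tally[3] + 1)
    # 0 in an *_avail column means unlimited.
    over = any(a and used > a for a, used in zip(avail, after))
    if over and limit_type == "hard":
        return False
    db.execute(
        "UPDATE ftpquotatallies SET bytes_in_used = bytes_in_used + ?, bytes_xfer_used = bytes_xfer_used + ?,"
        " files_in_used = files_in_used + 1, files_xfer_used = files_xfer_used + 1"
        " WHERE name = ? AND quota_type = ?",
        (nbytes, nbytes, name, quota_type),
    )
    return True


def bytes_in_used(db, name, quota_type="user"):
    """Current upload tally, 0 when no tally row exists yet."""
    row = db.execute(
        "SELECT bytes_in_used FROM ftpquotatallies WHERE name = ? AND quota_type = ?", (name, quota_type)
    ).fetchone()
    return row[0] if row else 0
```

With the seeded row, a 10 MB upload is accepted, a second 10 MB upload is refused (20 MB would exceed the 15 MB hard limit), and because per_session is 'false' the tally survives a new login; flipping per_session to 'true' makes start_session discard the tally, which is exactly the behaviour described for that column above.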
If you want anonymous access
Anonymous FTP
groupadd -g 2002 anonymous_ftp
useradd -u 2002 -s /bin/false -d /home/anonymous_ftp -m -c "Anonymous FTP User" -g anonymous_ftp anonymous_ftp
cd /home/anonymous_ftp
rm -fr *
mkdir /home/anonymous_ftp/incoming
chown anonymous_ftp:nobody /home/anonymous_ftp/incoming
vi /etc/proftpd.conf
Change it to:
<Anonymous ~anonymous_ftp>
User anonymous_ftp
Group nobody
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous anonymous_ftp
# Cosmetic changes, all files belongs to ftp user
DirFakeUser on anonymous_ftp
DirFakeGroup on anonymous_ftp
RequireValidShell off
# Limit the maximum number of anonymous logins
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
<Directory incoming>
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
<Limit READ WRITE>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
</Anonymous>
Done!
1. Overview of Active Directory operations master roles
Active Directory defines five operations master roles (also called FSMO roles):
Schema master
Domain naming master
Relative identifier (RID) master
PDC emulator (PDCE)
Infrastructure master
2. Environment
There is a primary domain controller, DC-01.test.com, and an additional domain controller, DC-02.test.com (both running Windows Server 2003). The primary domain controller (DC-01.test.com) has suddenly failed because of a hardware fault, and there is no system state backup of DC-01.test.com, so it cannot be repaired from a backup. How do we make the additional domain controller (DC-02.test.com) take over from the primary so that Active Directory keeps running, and how do we recover the failed primary domain controller once its hardware has been repaired?
If your first DC has failed and an additional domain controller is still healthy, you need to seize the five FSMO roles on one additional domain controller and make that additional domain controller a global catalog (GC).
3. Remove the DC-01.test.com object from AD
3.1 On the additional domain controller (DC-02.test.com), use ntdsutil.exe to remove the primary domain controller (DC-01.test.com) from AD:
c:>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: select operation target
select operation target: connections
server connections: connect to server DC-02
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com
select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com
No current domain
No current server
No current Naming Context
select operation target: List domains in site
Found 1 domain(s)
0 - DC=test,DC=com
select operation target: select domain 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com
Domain - DC=test,DC=com
No current server
No current Naming Context
select operation target: List servers for domain in site
Found 2 server(s)
0 - CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com
1 - CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com
select operation target: select server 0
select operation target: quit
metadata cleanup:Remove selected server
A dialog appears; click OK to delete the DC-01 server.
metadata cleanup:quit
ntdsutil: quit
3.2 Delete the DC-01 server object under Domain Controllers in Active Directory Users and Computers:
Open the ADSI Edit tool, expand Domain NC [DC-02.test.com], expand OU=Domain Controllers, right-click CN=DC-01 and choose Delete to remove the DC-01 server object.
3.3 Delete the DC-01 server object in Active Directory Sites and Services:
Open Active Directory Sites and Services from Administrative Tools, expand Sites, expand Default-First-Site-Name, expand Servers, right-click DC-01, choose Delete and click Yes.
4. Seize the five FSMO roles on the additional domain controller with ntdsutil.exe
c:>ntdsutil
ntdsutil: roles
fsmo maintenance: Select operation target
select operation target: connections
server connections: connect to server DC-02
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com
select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com
No current domain
No current server
No current Naming Context
select operation target: List domains in site
Found 1 domain(s)
0 - DC=test,DC=com
select operation target: select domain 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com
Domain - DC=test,DC=com
No current server
No current Naming Context
select operation target: List servers for domain in site
Found 1 server(s)
0 - CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=com
select operation target: select server 0
select operation target: quit
fsmo maintenance: Seize domain naming master
A dialog appears; click OK
fsmo maintenance: Seize infrastructure master
A dialog appears; click OK
fsmo maintenance: Seize PDC
A dialog appears; click OK
fsmo maintenance: Seize RID master
A dialog appears; click OK
fsmo maintenance: Seize schema master
A dialog appears; click OK
fsmo maintenance: quit
ntdsutil: quit