Building your own VPN, part 2: protecting your machine

After you have chosen a VM provider, a machine size, an operating system and so on, the first thing to do once the machine is up is to secure it and reduce its attack surface as far as possible. I only give the most basic advice here, mainly about firewall configuration. The commands below assume you are running Debian 7 or 8. If you use Ubuntu, they can essentially be used as-is. The CentOS/Red Hat/Fedora commands are similar; please look them up yourself. If there is demand, I will write a dedicated CentOS/Red Hat/Fedora guide when I have time.

All commands below are run as root. I assume you are already connected to the server over the command line. Prefix the commands with sudo or switch to root as needed.

  1. Update the server's software and apply patches:
    apt-get update
    apt-get upgrade
    (yum update)
  2. Change the ssh port to guard against ssh attacks:
    The default ssh port on a Linux server is 22. Many network attacks hammer this port, using programs that automatically open countless connection attempts: the so-called dictionary attack and brute-force attack. Changing the default port to something else, such as 50683, is an effective way to fend off this kind of attack.
    Open /etc/ssh/sshd_config in your favourite editor, find "Port 22", change 22 to 50683 and save the file.
    Then restart the ssh service:
    service ssh restart
    Note that from now on you must add -p 50683 to your remote connections.
  3. Set up the firewall
    apt-get install iptables
    apt-get install iptables-persistent (when you run this command the system asks whether to save the current rules; answer yes)
  4. Basic firewall rules, IPv4
    Open /etc/iptables/rules.v4 in your favourite editor, delete everything in it and add the following rules:

    *filter
    #  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT -d 127.0.0.0/8 -j REJECT

    #  Accept all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #  Allow all outbound traffic - you can modify this to only allow certain traffic
    -A OUTPUT -j ACCEPT

    #  VPN port and forwarding.
    -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    #  Allow SSH connections
    #
    #  The --dport number should be the same port number you set in sshd_config
    #
    -A INPUT -p tcp -m state --state NEW --dport 50683 -j ACCEPT

    #  Allow ping
    -A INPUT -p icmp -j ACCEPT

    #  Log iptables denied calls
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

    #  Drop all other inbound - default deny unless explicitly allowed policy
    -A INPUT -j DROP
    -A FORWARD -j DROP

    COMMIT

  5. Basic firewall rules, IPv6
    Open /etc/iptables/rules.v6 in your favourite editor, delete everything in it and add the following rules:

    *filter

    # Allow all loopback (lo0) traffic and reject traffic
    # to localhost that does not originate from lo0.
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -s ::1/128 -j REJECT

    # Allow ICMP
    -A INPUT  -p icmpv6 -j ACCEPT

    #  Allow SSH connections
    #
    #  The --dport number should be the same port number you set in sshd_config
    #
    -A INPUT -p tcp -m state --state NEW --dport 50683 -j ACCEPT

    # Accept inbound traffic from established connections.
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log what was incoming but denied (optional but useful).
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7

    # Reject all other inbound.
    -A INPUT -j REJECT

    # Log any traffic which was sent to you
    # for forwarding (optional but useful).
    -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7

    # Reject all traffic forwarding.
    -A FORWARD -j REJECT

    COMMIT

  6. Activate the firewall
    iptables-restore < /etc/iptables/rules.v4
    ip6tables-restore < /etc/iptables/rules.v6
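Before you load the rules it is worth checking that the TCP port they accept for SSH is the one sshd actually listens on, because a mismatch locks you out the moment iptables-restore runs. The script below is an added example, not part of the original post: it takes the file paths as arguments (the real ones are /etc/ssh/sshd_config, /etc/iptables/rules.v4 and /etc/iptables/rules.v6), and its demo function runs the check on constructed copies in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the TCP port the rules
# ACCEPT for SSH matches every "Port" line in sshd_config, so loading the rules
# cannot lock you out. Paths are arguments, so it works on the real files too.

# Print every uncommented "Port N" value in an sshd_config; 22 if there is none.
sshd_ports() {
    ports=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{print $2}')
    echo "${ports:-22}"
}

# Print every TCP --dport that an INPUT rule in an iptables-restore file ACCEPTs.
accepted_tcp_ports() {
    grep -E '^-A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT' "$1" \
        | sed -E 's/.*--dport ([0-9]+).*/\1/'
}

# check_ssh_port_consistency SSHD_CONFIG RULES_FILE...
# Returns 0 when every rules file accepts every sshd port, 1 otherwise.
check_ssh_port_consistency() {
    cfg=$1; shift
    status=0
    for port in $(sshd_ports "$cfg"); do
        for rules in "$@"; do
            if accepted_tcp_ports "$rules" | grep -qx "$port"; then
                echo "OK: $rules accepts TCP port $port"
            else
                echo "MISMATCH: $rules has no ACCEPT for sshd port $port" >&2
                status=1
            fi
        done
    done
    return "$status"
}

# Demo on constructed files, not the real /etc paths: sshd moved to 50683, the
# IPv4 rules updated to match, the IPv6 rules still allowing only port 22.
demo() {
    dir=$(mktemp -d)
    printf '#Port 22\nPort 50683\n' > "$dir/sshd_config"
    printf '%s\n' '*filter' '-A INPUT -p tcp -m state --state NEW --dport 50683 -j ACCEPT' \
        'COMMIT' > "$dir/rules.v4"
    printf '%s\n' '*filter' '-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT' \
        'COMMIT' > "$dir/rules.v6"
    check_ssh_port_consistency "$dir/sshd_config" "$dir/rules.v4" "$dir/rules.v6" && rc=0 || rc=1
    rm -rf "$dir"; return "$rc"
}
```

Source the file and call check_ssh_port_consistency with the real paths before step 6; the demo reports a MISMATCH for the IPv6 file, which is exactly the state you are in if you edit only rules.v4 after moving the port.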

Those are some very basic protections. To make the server more secure, I recommend that you later install Fail2Ban, use ssh key authentication instead of plain username/password authentication, and so on. Next we can set up the vpn server.

PS. Other posts in this series
Building your own VPN, part 1: choosing a provider
Building your own VPN, part 3: setting up the openvpn service and generating client profiles
Building your own VPN, part 4: installing and starting the client

Building your own VPN, part 1: choosing a provider

To build your own vpn you need a vpn server. Such a server is usually a virtual machine rented from a cloud provider, a VPS (Virtual Private Server).

  1. You need a way to pay abroad, such as a credit card or PayPal;
  2. Well-known providers in the industry include Amazon EC2, Microsoft Azure, Linode, DigitalOcean and so on. Any of these should work;
  3. If the vpn is just for getting past the firewall for yourself or a small team, the provider's smallest configuration is enough. I currently use a small VM with one CPU, 128MB of memory and a 10G disk, and it is enough for several of our devices at once;
  4. When choosing a data centre, I do not recommend those in English-speaking countries, especially the US. First, there are security and privacy concerns; I am sure everyone has read the related news. Second, at least the US data centres I tried were painfully slow at reaching some Chinese sites such as Youku. Western European data centres such as Germany, the Netherlands and Sweden, on the other hand, do not have this problem. I do not know why.
  5. The operating system should of course be Linux. I recommend Debian. The how-tos that follow assume your operating system is Debian 7 or 8. If you use another operating system, they will still help.

That is all for now. Dear reader, go and look into which service suits you best, then come back to my guide. The next post will give some advice on how to improve the security of your virtual machine. After that we will talk about building the vpn.

PS. Other posts in this series
Building your own VPN, part 2: protecting your machine
Building your own VPN, part 3: setting up the openvpn service and generating client profiles
Building your own VPN, part 4: installing and starting the client

Yanking and sorting lines matching a pattern

One of the best investments I've ever made is becoming proficient with a good cross-platform editor, in my case Vim. It took me a good few months before I really became comfortable with it, but those few months' struggle have yielded huge dividends ever since!

So after years of Vim usage, I consider myself a power user. Yet from time to time I come across some nifty tips that remind me why I fell in love with it in the first place: the sense of wonder, awe, beauty, and intelligence of its creators!

Here are two things I learned recently:

  • Sort based on a pattern
    I use :sort and :sort u all the time. :sort does what the word implies, sorting all lines in the buffer. :sort u (unique) does the sort but, in addition, removes duplicate lines. Those two commands are extremely useful.

    Yesterday I was doing some email log analysis, and had a bunch of email addresses in my file. And I thought, wouldn’t it be nice if I could sort those addresses based on domain names? So I searched the web, then looked through :help sort. Sure enough, I can absolutely do that.

    Say you’ve got the following lines:

    person1@b.com
    person2@a.com
    person3@a.com
    person4@c.com
    person5@a.com

    To sort them by domain name, type :sort /.\+@/ in normal mode. With a pattern, :sort orders lines by what follows the match, so everything up to and including the @ is skipped and only the domain is compared.

  • Yank all matching lines into a register
    I use :g/pattern/d fairly often. That command deletes every line in the document that matches the pattern. Since the pattern is a regex, this can be pretty powerful.

    However, before deleting them, sometimes it is a good idea to save them away. To do that, run
    :g/pattern/yank CapitalLetter

    This command puts the matching lines into a register; the capital letter makes each yank append to the register instead of overwriting it, which is why all the lines end up there. Let's use X as an example. In a different buffer, you can run

    "Xp

    And it’ll paste those lines!

Updating Ubuntu, installing Python and R packages, and a Firefox download add-on: a video demo

Video demo:
1. How to update Ubuntu Linux;
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential
2. How to install Python packages;
sudo apt-get install python-pip
sudo apt-get install python-dev
sudo pip install numpy
sudo pip install ggplot…
3. How to install R and R packages;
sudo apt-get install r-base
sudo apt-get install openjdk-7-jdk
sudo R
install.packages("xlsx")
4. How to download videos quickly and conveniently:
Firefox, with the DownThemAll add-on

Setting up a Chinese-language Linux virtual machine

Recently, while chatting in several QQ and WeChat IT groups, I noticed that quite a few people had never touched Linux at university or at work. Many IT projects such as big data, machine learning and servers need Linux skills, so many people want to start learning Linux. So I made the following videos for beginners and hope they help. This is my first screencast, and I would very much like to hear your criticism and suggestions.

Update: after uploading the video to Youku the result was not ideal. I also tried other video-sharing sites such as LeTV, QQ Video, Sina Video and Tudou. LeTV's upload page offered no way to upload, perhaps because my IP address is abroad? I hit the same problem on Sina Video's page. QQ Video did allow the upload, but in the end told me: "Your video may contain content that the relevant authorities have explicitly prohibited, so it cannot pass review. Please modify it and upload it again." Truly baffling.

In the end I uploaded it to Tudou, and the result is acceptable. I merged several short videos into one file, but due to a mistake on my part I did not include the opening segment introducing the VirtualBox software. Just remember that VirtualBox runs free of charge on Windows, Linux and Mac; download and install it and you are all set.