一、系统更新与基础安装
# Refresh the package index; upgrade only if the refresh succeeded.
apt update \
  && apt upgrade -y
# Install shadowsocks-libev and the helper tools
# (the scripts in this guide talk to the manager socket with `nc -U`).
apt install -y \
  shadowsocks-libev \
  netcat-openbsd \
  socat \
  bc
# Install the network tuning utility.
apt install -y ethtool
二、配置 ss-manager(Unix Socket 方式)
2.1 创建配置文件
# Create the configuration directory.
mkdir -p /etc/shadowsocks-libev
# Write the ss-manager configuration. "manager_address" is a filesystem path
# rather than host:port, matching this section's Unix-socket setup, while
# "server" makes the data ports listen on all IPv4 and IPv6 addresses.
cat > /etc/shadowsocks-libev/manager.json << 'EOF'
{
"server": ["0.0.0.0", "::0"],
"manager_address": "/var/run/shadowsocks-manager.sock",
"method": "chacha20-ietf-poly1305",
"timeout": 300,
"fast_open": true,
"reuse_port": true,
"no_delay": true,
"mode": "tcp_and_udp"
}
EOF
2.2 创建服务脚本和 systemd 服务
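# Create the launcher script: it starts ss-manager, then replays the saved users.
cat > /usr/local/bin/ss-manager-with-users << 'EOF'
#!/bin/bash
SOCKET="/var/run/shadowsocks-manager.sock"
USERS_FILE="/etc/shadowsocks-libev/users.conf"

# Start ss-manager in the background so the saved users can be replayed below.
/usr/bin/ss-manager -c /etc/shadowsocks-libev/manager.json --executable /usr/bin/ss-server &

# Give the manager time to create its socket.
sleep 2

# Replay saved users; the file holds one "port:password" record per line.
if [ -f "$USERS_FILE" ]; then
  while IFS=: read -r port password || [[ -n "$port" ]]; do
    # Skip comments and blank lines.
    [[ "$port" =~ ^#.*$ ]] && continue
    [[ -z "$port" ]] && continue
    # The port is written unquoted into the JSON request, so accept nothing
    # but a plain number in 1-65535; a malformed line is skipped, not sent.
    if ! [[ "$port" =~ ^[1-9][0-9]{0,4}$ ]] || (( port > 65535 )); then
      echo "ss-manager-with-users: skipping invalid entry in $USERS_FILE" >&2
      continue
    fi
    # Escape backslashes and double quotes so a password containing them
    # cannot break out of the JSON string.
    password=${password//\\/\\\\}
    password=${password//\"/\\\"}
    printf 'add: {"server_port": %s, "password": "%s"}\n' "$port" "$password" \
      | nc -Uu -w 2 "$SOCKET"
  done < "$USERS_FILE"
fi

# Block until the background ss-manager exits.
wait
EOF
chmod +x /usr/local/bin/ss-manager-with-users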
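# Create the systemd unit.
cat > /etc/systemd/system/ss-manager.service << 'EOF'
[Unit]
Description=Shadowsocks-libev Manager with Auto Restore
After=network.target
[Service]
Type=simple
# NOTE(review): the launcher and everything it starts run as root. A dedicated
# unprivileged account would limit the impact of a compromise, but the socket
# path and the ownership of /etc/shadowsocks-libev would have to change with it.
User=root
Group=root
ExecStart=/usr/local/bin/ss-manager-with-users
Restart=on-failure
RestartSec=5
LimitNOFILE=65535
# Lower the log level to reduce output. systemd only recognises "#" comments at
# the start of a line, so this note must not trail the Environment= value.
# NOTE(review): confirm that ss-manager actually reads SS_LOG_LEVEL.
Environment="SS_LOG_LEVEL=error"
[Install]
WantedBy=multi-user.target
EOF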
2.3 启动服务
# Make systemd pick up the new unit file.
systemctl daemon-reload
# Start the manager now and enable it at boot, in one step.
systemctl enable --now ss-manager
# Show the service state.
systemctl status ss-manager
# Confirm that the manager socket was created.
ls -la /var/run/shadowsocks-manager.sock
三、创建管理脚本
# Install the management script (it saves users to users.conf automatically).
cat > /usr/local/bin/ssm << 'EOF'
#!/bin/bash
# Path of the ss-manager control socket, and the file in which ssm keeps its
# "port:password" records.
SOCKET="/var/run/shadowsocks-manager.sock"
CONFIG_FILE="/etc/shadowsocks-libev/users.conf"
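# Convert a byte count to a human-readable size (awk does the division, so bc
# is not needed).
# Arguments: $1 - non-negative decimal byte count
# Outputs:   the size on stdout, e.g. "512B", "1.50K", "2.00M", "3.25G"
# Returns:   0 on success, 1 if $1 is not a plain decimal integer
human_readable() {
  local bytes=$1
  local unit divisor
  # Reject non-numeric input explicitly instead of relying on `[` failing.
  if ! [[ "$bytes" =~ ^[0-9]+$ ]]; then
    return 1
  fi
  if [ "$bytes" -ge 1073741824 ]; then
    unit=G
    divisor=1073741824
  elif [ "$bytes" -ge 1048576 ]; then
    unit=M
    divisor=1048576
  elif [ "$bytes" -ge 1024 ]; then
    unit=K
    divisor=1024
  else
    echo "${bytes}B"
    return 0
  fi
  # Hand the values to awk with -v rather than splicing them into the program text.
  awk -v n="$bytes" -v d="$divisor" -v u="$unit" 'BEGIN { printf "%.2f%s\n", n / d, u }'
}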
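# Make sure the configuration directory and the user database exist.
mkdir -p /etc/shadowsocks-libev
touch "$CONFIG_FILE"
# users.conf stores every password in clear text; restrict it to its owner.
chmod 600 "$CONFIG_FILE"

# Succeed only for a decimal port number in 1-65535 (no sign, no leading zero).
# The port is written unquoted into JSON and into grep/sed patterns below, so
# nothing but digits may get through.
is_valid_port() {
  [[ "$1" =~ ^[1-9][0-9]{0,4}$ ]] && (( $1 <= 65535 ))
}

# Print $1 with backslashes and double quotes escaped for use in a JSON string.
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

case "$1" in
  add)
    if [ -z "$2" ] || [ -z "$3" ]; then
      echo "Usage: ssm add <port> <password>"
      exit 1
    fi
    if ! is_valid_port "$2"; then
      echo "Error: port must be a number between 1 and 65535" >&2
      exit 1
    fi
    # users.conf holds one record per line, so a newline cannot be stored.
    if [[ "$3" == *$'\n'* ]]; then
      echo "Error: password must not contain a newline" >&2
      exit 1
    fi
    printf 'add: {"server_port": %s, "password": "%s"}\n' "$2" "$(json_escape "$3")" \
      | nc -Uu -w 2 "$SOCKET"
    # Replace any existing record without passing the password through sed,
    # where "/", "&" or "\" in it would corrupt the substitution. mktemp
    # creates the file with mode 0600, so the result stays private. The
    # updated record moves to the end of the file.
    tmp_file=$(mktemp "${CONFIG_FILE}.XXXXXX") || exit 1
    grep -v "^$2:" "$CONFIG_FILE" > "$tmp_file"
    printf '%s:%s\n' "$2" "$3" >> "$tmp_file"
    mv -f "$tmp_file" "$CONFIG_FILE"
    echo "✓ User $2 added"
    ;;
  remove)
    if [ -z "$2" ]; then
      echo "Usage: ssm remove <port>"
      exit 1
    fi
    if ! is_valid_port "$2"; then
      echo "Error: port must be a number between 1 and 65535" >&2
      exit 1
    fi
    printf 'remove: {"server_port": %s}\n' "$2" | nc -Uu -w 2 "$SOCKET"
    # The sed pattern is safe here because the port is digits only.
    sed -i "/^$2:/d" "$CONFIG_FILE"
    echo "✓ User $2 removed"
    ;;
  list)
    echo "=== Active Users & Traffic ==="
    RESPONSE=$(echo "ping" | nc -Uu -w 2 "$SOCKET" 2>/dev/null)
    if [ -z "$RESPONSE" ]; then
      echo " No response from manager"
      echo " Make sure ss-manager is running"
      exit 1
    fi
    # Extract the JSON part of the "stat: {...}" reply.
    if [[ $RESPONSE =~ stat:\ (.+) ]]; then
      JSON_DATA="${BASH_REMATCH[1]}"
      # An empty object means no ports are configured.
      if [ "$JSON_DATA" = "{}" ]; then
        echo " No users configured"
      else
        # Walk the "port":bytes pairs.
        printf '%s\n' "$JSON_DATA" | grep -oE '"[0-9]+":[0-9]+' | while IFS=: read -r port bytes; do
          port=${port//\"/}
          human=$(human_readable "$bytes")
          # Column-aligned output.
          printf " Port %-6s %12s (%'d bytes)\n" "$port" "$human" "$bytes"
        done
      fi
    else
      echo " Unexpected response: $RESPONSE"
    fi
    ;;
  list-raw)
    echo "ping" | nc -Uu -w 2 "$SOCKET"
    ;;
  show-config)
    # Prints the saved records, passwords included.
    echo "=== Saved Config ($CONFIG_FILE) ==="
    if [ -s "$CONFIG_FILE" ]; then
      cat "$CONFIG_FILE"
    else
      echo "(empty)"
    fi
    ;;
  *)
    echo "Shadowsocks Manager Tool"
    echo ""
    echo "Usage:"
    echo " ssm add <port> <password> - Add user"
    echo " ssm remove <port> - Remove user"
    echo " ssm list - List users with human-readable traffic"
    echo " ssm list-raw - List users with raw bytes"
    echo " ssm show-config - Show saved config"
    echo ""
    echo "Examples:"
    echo " ssm add 65531 Tian@2026_"
    echo " ssm list"
    echo " ssm remove 65531"
    ;;
esac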
EOF
# Make the installed management tool executable and report success.
chmod +x /usr/local/bin/ssm
echo "✓ Enhanced ssm installed with auto-save feature"
四、添加用户
4.1 添加单个用户
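# Add the first user (port 8388). Replace the sample password with a long,
# random one. The password is a command-line argument, so it is recorded in
# the shell history and visible in the process list while the command runs.
ssm add 8388 "YourPassword1"
# Add the second user (port 8389).
ssm add 8389 "YourPassword2"
# Add further users as needed: replace xxxx with the port and the x's with
# the password.
ssm add xxxx "xxxxxxxxx"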
4.2 批量添加用户
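# Create the batch-add script. It contains passwords, so it goes into a private
# mktemp file (mode 0600, unpredictable name) instead of a fixed path in /tmp,
# and it is deleted once it has run.
batch_script=$(mktemp)
cat > "$batch_script" << 'EOF'
#!/bin/bash
# Format: port:password
users=(
  "8388:password123"
  "8389:password456"
  "8390:password789"
)
for user in "${users[@]}"; do
  # Split on the first colon only, so a password may itself contain ":".
  port=${user%%:*}
  pass=${user#*:}
  echo "Adding user: $port"
  ssm add "$port" "$pass"
  sleep 1
done
EOF
bash "$batch_script"
rm -f -- "$batch_script"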
4.3 查看所有用户
# Show all users together with their traffic counters.
ssm list
五、网络优化
5.1 内核参数优化
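cat > /etc/sysctl.d/99-shadowsocks.conf << 'EOF'
# TCP BBR congestion control (throughput)
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
# TCP Fast Open (lower latency)
net.ipv4.tcp_fastopen = 3
# Reuse of TIME_WAIT sockets.
# net.ipv4.tcp_tw_recycle is left out on purpose: the key was removed in
# Linux 4.12, so listing it makes `sysctl -p` report an error on current
# kernels, and 0 (off) was its default anyway.
net.ipv4.tcp_tw_reuse = 1
# Larger connection queues (high concurrency)
net.core.somaxconn = 4096
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 50000
# System-wide file descriptor limit
fs.file-max = 655350
# Socket buffer sizes (throughput)
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728
# Lower latency
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_slow_start_after_idle = 0
# Default socket buffer sizes (UDP tuning)
net.core.rmem_default = 87380
net.core.wmem_default = 65536
EOF
# Apply the settings.
sysctl -p /etc/sysctl.d/99-shadowsocks.conf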
5.2 验证 BBR 是否启用
# Show the congestion control algorithm currently in use.
sysctl net.ipv4.tcp_congestion_control
# Check whether a BBR kernel module is loaded.
# NOTE(review): presumably prints nothing when BBR is built into the kernel
# rather than loaded as a module; rely on the sysctl value above in that case.
lsmod | grep bbr
5.3 系统限制优化
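# Raise the file descriptor limit for login sessions. A drop-in file can be
# re-run safely, whereas appending to limits.conf adds duplicate lines on
# every run. The "*" wildcard does not apply to root, hence the explicit
# root entries.
cat > /etc/security/limits.d/99-shadowsocks.conf << 'EOF'
* soft nofile 65535
* hard nofile 65535
root soft nofile 65535
root hard nofile 65535
EOF
# Raise the systemd default limits, again through drop-ins instead of
# appending to the distribution's system.conf and user.conf.
mkdir -p /etc/systemd/system.conf.d /etc/systemd/user.conf.d
cat > /etc/systemd/system.conf.d/99-shadowsocks.conf << 'EOF'
[Manager]
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535
EOF
cat > /etc/systemd/user.conf.d/99-shadowsocks.conf << 'EOF'
[Manager]
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535
EOF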
六、防火墙配置
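# Install UFW.
apt install -y ufw
# Allow SSH before the firewall goes live: UFW drops inbound connections by
# default, so enabling it first can cut off the session you are working in.
# Adjust this rule if sshd listens on a non-default port.
ufw allow ssh
# Open the Shadowsocks port range (adjust to the ports actually assigned).
ufw allow 8388:8400/tcp
ufw allow 8388:8400/udp
# Or open individual ports instead (replace xxxxx with the real port).
ufw allow xxxxx/tcp
ufw allow xxxxx/udp
# Enable the firewall only once the rules are in place.
ufw enable
# Show the resulting rule set.
ufw status verbose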
七、验证服务
7.1 检查服务状态
# Show the manager service state.
systemctl status ss-manager
# List the running ss-server processes (the grep process itself also matches).
ps aux | grep ss-server
# Show listening ports.
# NOTE(review): the pattern matches 8380-8389 and 65535 only; adjust it to the
# ports actually configured.
ss -tlnp | grep -E '838[0-9]|65535'
# NOTE(review): netstat comes from net-tools, which this guide does not install.
netstat -tulnp | grep ss-server
7.2 测试连接
# Local test (only if ss-local is installed). -k passes the password on the
# command line, so use a test account here.
ss-local -s 127.0.0.1 -p 8388 -k "YourPassword1" -m chacha20-ietf-poly1305 -v
# Follow the service log in real time.
journalctl -u ss-manager -f
八、日常管理命令
8.1 用户管理
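# Add a user.
ssm add 8388 "newpassword"
# List all users (with human-readable traffic).
ssm list
# Remove a user.
ssm remove 8388
# Show the raw traffic counters. ssm defines no "stats" subcommand (it would
# only print the usage text); the counters come from `list` and `list-raw`.
ssm list-raw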
8.2 服务管理
# Restart the manager.
systemctl restart ss-manager
# Show the last 50 log lines.
journalctl -u ss-manager -n 50 --no-pager
# Follow the log in real time.
journalctl -u ss-manager -f
# Stop the service.
systemctl stop ss-manager
# Start the service.
systemctl start ss-manager
8.3 查看是否有暴力破解尝试
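# Look for auth-related syslog entries from one source address. -F matches the
# address literally; read as a regex, each "." would match any character.
# NOTE(review): /var/log/syslog exists only where a syslog daemon writes it.
grep -F "147.185.132.250" /var/log/syslog | grep -i "auth"
# Count the failed-authentication log lines.
journalctl -u ss-manager | grep -c "authentication error"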