
一、系统更新与基础安装

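# Refresh package lists and upgrade the base system.
# apt-get is used instead of apt: apt's command line is meant for interactive
# use and warns when it is driven from a script.
apt-get update && apt-get upgrade -y

# Everything the rest of this guide needs, in one transaction:
#   shadowsocks-libev  - ss-manager / ss-server
#   netcat-openbsd     - `nc -Uu` is how the scripts talk to the manager socket
#   socat, bc          - as in the original list (the ssm script itself uses awk)
#   ethtool            - NIC tuning
apt-get install -y shadowsocks-libev netcat-openbsd socat bc ethtool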

二、配置 ss-manager(Unix Socket 方式)

2.1 创建配置文件

# Configuration directory (manager.json now, users.conf later).
mkdir -p -- /etc/shadowsocks-libev

# ss-manager configuration. The control channel is a Unix socket path
# (manager_address), so commands never traverse the network; note that the
# add/remove commands sent to it later carry no credential, so whatever can
# write to that socket path can reconfigure the servers.
cat <<'EOF' >/etc/shadowsocks-libev/manager.json
{
    "server": ["0.0.0.0", "::0"],
    "manager_address": "/var/run/shadowsocks-manager.sock",
    "method": "chacha20-ietf-poly1305",
    "timeout": 300,
    "fast_open": true,
    "reuse_port": true,
    "no_delay": true,
    "mode": "tcp_and_udp"
}
EOF

2.2 创建服务脚本和 systemd 服务

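# Wrapper that systemd runs: starts ss-manager, then replays the saved users
# (port:password lines in users.conf) through the manager's control socket.
cat > /usr/local/bin/ss-manager-with-users << 'EOF'
#!/bin/bash

MANAGER_CONF=/etc/shadowsocks-libev/manager.json
USERS_CONF=/etc/shadowsocks-libev/users.conf
SOCKET=/var/run/shadowsocks-manager.sock

# Start ss-manager in the background and remember its PID so that the `wait`
# at the end returns its exit status (a bare `wait` always returns 0).
/usr/bin/ss-manager -c "$MANAGER_CONF" --executable /usr/bin/ss-server &
manager_pid=$!

# Poll for the control socket (up to ~5 s) instead of a fixed sleep: a slow
# start would otherwise lose the restored users, a fast one wastes time.
for (( i = 0; i < 50; i++ )); do
    [ -S "$SOCKET" ] && break
    sleep 0.1
done

# Escape the two characters that would break or alter the JSON command built
# below: backslash and double quote.
json_escape() {
    local s=$1
    s=${s//\\/\\\\}
    s=${s//\"/\\\"}
    printf '%s' "$s"
}

# Restore saved users. IFS=: splits on the first colon only, so a password
# containing ':' is kept whole; `|| [ -n "$port" ]` also handles a last line
# that has no trailing newline.
if [ -f "$USERS_CONF" ]; then
    while IFS=: read -r port password || [ -n "$port" ]; do
        [[ "$port" =~ ^#.*$ ]] && continue
        [[ -z "$port" ]] && continue
        # The port is spliced into the command unquoted: numeric only.
        [[ "$port" =~ ^[0-9]+$ ]] || continue
        printf 'add: {"server_port": %s, "password": "%s"}\n' \
            "$port" "$(json_escape "$password")" | nc -Uu -w 2 "$SOCKET"
    done < "$USERS_CONF"
fi

# Stay in the foreground until ss-manager exits and propagate its status so
# that systemd's Restart=on-failure sees a crash.
wait "$manager_pid"
EOF

chmod +x /usr/local/bin/ss-manager-with-users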

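# systemd unit. systemd does not support trailing comments on a directive
# line, so the note about SS_LOG_LEVEL goes on its own line: appended after
# the Environment= value it is parsed as a second, malformed assignment.
cat > /etc/systemd/system/ss-manager.service << 'EOF'
[Unit]
Description=Shadowsocks-libev Manager with Auto Restore
After=network.target

[Service]
Type=simple
# ss-manager, and the ss-server processes it spawns, run as root here.
User=root
Group=root
ExecStart=/usr/local/bin/ss-manager-with-users
Restart=on-failure
RestartSec=5
LimitNOFILE=65535
# Lower the log level to reduce journal output.
Environment="SS_LOG_LEVEL=error"

[Install]
WantedBy=multi-user.target
EOF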

2.3 启动服务

# Pick up the new unit file.
systemctl daemon-reload

# Enable at boot and start now, in a single call.
systemctl enable --now ss-manager

# Service state.
systemctl status ss-manager

# The control socket should exist once ss-manager is up.
ls -la -- /var/run/shadowsocks-manager.sock

三、创建管理脚本

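# Management CLI: sends control commands to ss-manager's Unix socket and
# mirrors every add/remove into users.conf so the wrapper script can restore
# them after a restart.

cat > /usr/local/bin/ssm << 'EOF'
#!/bin/bash

# Control socket created by ss-manager (manager_address in manager.json).
readonly SOCKET="/var/run/shadowsocks-manager.sock"
# One port:password line per user; holds cleartext passwords.
readonly CONFIG_FILE="/etc/shadowsocks-libev/users.conf"

# Bytes -> human-readable size (awk only, no bc dependency).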
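# Format a byte count as B/K/M/G with two decimals.
# Arguments: $1 - non-negative integer byte count
# Outputs:   e.g. "512B", "1.50K", "2.00M", "3.00G" on stdout
# Returns:   0, or 1 when $1 is not a decimal integer (value is echoed with "B")
human_readable() {
    local bytes=$1
    # The original spliced $1 into the awk program text; refuse anything that
    # is not a plain number so nothing but a value ever reaches awk.
    if [[ ! "$bytes" =~ ^[0-9]+$ ]]; then
        printf '%sB\n' "$bytes"
        return 1
    fi
    local unit divisor
    # 10# forces decimal so a leading zero is not read as octal.
    if (( 10#$bytes >= 1073741824 )); then
        unit=G divisor=1073741824
    elif (( 10#$bytes >= 1048576 )); then
        unit=M divisor=1048576
    elif (( 10#$bytes >= 1024 )); then
        unit=K divisor=1024
    else
        printf '%sB\n' "$bytes"
        return 0
    fi
    # LC_ALL=C pins the decimal separator to '.'; -v passes values as data.
    LC_ALL=C awk -v b="$bytes" -v d="$divisor" -v u="$unit" \
        'BEGIN { printf "%.2f%s\n", b / d, u }'
}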

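# Make sure the config directory and the user file exist. The file holds
# cleartext passwords, so it is readable by root only.
mkdir -p -- /etc/shadowsocks-libev
touch -- "$CONFIG_FILE"
chmod 600 -- "$CONFIG_FILE"

# True if $1 is a decimal port number 1-65535. The port is spliced into the
# JSON command unquoted and into a grep pattern, so anything else is refused.
is_port() {
    [[ "$1" =~ ^[0-9]+$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

# Escape backslash and double quote so a password cannot break out of the
# JSON string in the manager command.
json_escape() {
    local s=$1
    s=${s//\\/\\\\}
    s=${s//\"/\\\"}
    printf '%s' "$s"
}

# Send one command line to ss-manager and print whatever it answers.
send_cmd() {
    printf '%s\n' "$1" | nc -Uu -w 2 "$SOCKET"
}

# Rewrite CONFIG_FILE without the line for port $1. A temp file in the same
# directory is renamed over the original so the 0600 mode is preserved.
drop_saved() {
    local port=$1 tmp
    tmp=$(mktemp "${CONFIG_FILE}.XXXXXX") || return 1
    grep -v -- "^${port}:" "$CONFIG_FILE" > "$tmp"
    chmod 600 -- "$tmp" && mv -f -- "$tmp" "$CONFIG_FILE"
}

# Save port $1 with password $2, replacing any earlier entry for that port.
save_user() {
    local port=$1 pass=$2
    drop_saved "$port" || return 1
    printf '%s:%s\n' "$port" "$pass" >> "$CONFIG_FILE"
}

case "$1" in
    add)
        if [ -z "$2" ] || [ -z "$3" ]; then
            echo "Usage: ssm add <port> <password>"
            exit 1
        fi
        if ! is_port "$2"; then
            echo "Invalid port: $2" >&2
            exit 1
        fi
        # users.conf is line-based; a newline in the password would corrupt it.
        if [[ "$3" == *$'\n'* ]]; then
            echo "Password must not contain a newline" >&2
            exit 1
        fi
        send_cmd "add: {\"server_port\": $2, \"password\": \"$(json_escape "$3")\"}"
        save_user "$2" "$3"
        echo "✓ User $2 added"
        ;;
    remove)
        if [ -z "$2" ]; then
            echo "Usage: ssm remove <port>"
            exit 1
        fi
        if ! is_port "$2"; then
            echo "Invalid port: $2" >&2
            exit 1
        fi
        send_cmd "remove: {\"server_port\": $2}"
        drop_saved "$2"
        echo "✓ User $2 removed"
        ;;
    list)
        echo "=== Active Users & Traffic ==="
        RESPONSE=$(send_cmd "ping" 2>/dev/null)

        if [ -z "$RESPONSE" ]; then
            echo "  No response from manager"
            echo "  Make sure ss-manager is running"
            exit 1
        fi

        # The reply has the form `stat: {"<port>":<bytes>, ...}`; keep the JSON.
        if [[ $RESPONSE =~ stat:\ (.+) ]]; then
            JSON_DATA="${BASH_REMATCH[1]}"

            if [ "$JSON_DATA" = "{}" ]; then
                echo "  No users configured"
            else
                # One "port":bytes pair per line; split with parameter
                # expansion instead of two cut/tr pipelines per entry.
                grep -oE '"[0-9]+":[0-9]+' <<<"$JSON_DATA" | while read -r item; do
                    port=${item%%:*}
                    port=${port//\"/}
                    bytes=${item##*:}
                    human=$(human_readable "$bytes")
                    # Right-aligned columns; %'d groups thousands.
                    printf "  Port %-6s %12s (%'d bytes)\n" "$port" "$human" "$bytes"
                done
            fi
        else
            echo "  Unexpected response: $RESPONSE"
        fi
        ;;
    list-raw)
        send_cmd "ping"
        ;;
    show-config)
        echo "=== Saved Config ($CONFIG_FILE) ==="
        if [ -s "$CONFIG_FILE" ]; then
            cat -- "$CONFIG_FILE"
        else
            echo "(empty)"
        fi
        ;;
    *)
        echo "Shadowsocks Manager Tool"
        echo ""
        echo "Usage:"
        echo "  ssm add <port> <password>       - Add user"
        echo "  ssm remove <port>               - Remove user"
        echo "  ssm list                        - List users with human-readable traffic"
        echo "  ssm list-raw                    - List users with raw bytes"
        echo "  ssm show-config                 - Show saved config"
        echo ""
        echo "Examples:"
        echo "  ssm add 65531 Tian@2026_"
        echo "  ssm list"
        echo "  ssm remove 65531"
        ;;
esac
EOF

chmod +x /usr/local/bin/ssm

echo "✓ Enhanced ssm installed with auto-save feature"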

四、添加用户

4.1 添加单个用户

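# First user (port 8388). The password is given on the command line, so it
# lands in the shell history and is visible to `ps` while ssm runs.
ssm add 8388 "YourPassword1"

# Second user (port 8389)
ssm add 8389 "YourPassword2"

# Any further user (port xxxx) - replace both placeholders
ssm add xxxx "xxxxxxxxx"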

4.2 批量添加用户

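# Batch-add script. It is written to a private temp file (mktemp) rather than
# a fixed name under /tmp: a predictable path in a world-writable directory
# can be pre-created by any local user before root writes and runs it.
batch_script=$(mktemp) || exit 1
cat > "$batch_script" << 'EOF'
#!/bin/bash
# Format: port:password (passwords sit in cleartext in this file)
users=(
    "8388:password123"
    "8389:password456"
    "8390:password789"
)

for user in "${users[@]}"; do
    # Split on the first ':' only, so a password containing ':' stays intact
    # (`cut -d: -f2` would have truncated it at the next colon).
    port=${user%%:*}
    pass=${user#*:}
    echo "Adding user: $port"
    ssm add "$port" "$pass"
    sleep 1
done
EOF

# Run through bash explicitly: no chmod needed, and it works on a noexec /tmp.
bash "$batch_script"
rm -f -- "$batch_script"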

4.3 查看所有用户

#查看所有用户和流量统计
ssm list

五、网络优化

5.1 内核参数优化

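cat > /etc/sysctl.d/99-shadowsocks.conf << 'EOF'
# TCP BBR congestion control (throughput)
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

# TCP Fast Open, client and server side (lower handshake latency)
net.ipv4.tcp_fastopen = 3

# Port reuse. tcp_tw_recycle was removed from the kernel; on such kernels
# `sysctl -p` reports an error for the missing key. 0 was its default, so the
# line is left commented out rather than applied.
net.ipv4.tcp_tw_reuse = 1
# net.ipv4.tcp_tw_recycle = 0

# Larger accept/SYN queues for high connection rates
net.core.somaxconn = 4096
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 50000

# File-descriptor limit
fs.file-max = 655350

# Socket buffers (throughput)
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728

# Latency
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_slow_start_after_idle = 0

# UDP defaults
net.core.rmem_default = 87380
net.core.wmem_default = 65536
EOF

# Apply now; the file is also read at boot from /etc/sysctl.d.
sysctl -p /etc/sysctl.d/99-shadowsocks.conf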

5.2 验证 BBR 是否启用

# Current congestion-control algorithm (should report bbr after the step above)
sysctl net.ipv4.tcp_congestion_control

# Is the BBR module loaded?
lsmod | grep -- bbr

5.3 系统限制优化

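# Raise the open-file limits through drop-in files instead of appending to
# the shipped limits.conf / system.conf / user.conf: `cat >>` adds duplicate
# lines every time this section is re-run, while `cat >` on a drop-in is
# idempotent.
mkdir -p -- /etc/security/limits.d
cat > /etc/security/limits.d/99-shadowsocks.conf << 'EOF'
* soft nofile 65535
* hard nofile 65535
root soft nofile 65535
root hard nofile 65535
EOF

# systemd-wide defaults; drop-ins under *.conf.d need the [Manager] header.
mkdir -p -- /etc/systemd/system.conf.d /etc/systemd/user.conf.d
cat > /etc/systemd/system.conf.d/99-shadowsocks.conf << 'EOF'
[Manager]
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535
EOF

cat > /etc/systemd/user.conf.d/99-shadowsocks.conf << 'EOF'
[Manager]
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535
EOF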

六、防火墙配置

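# Install UFW
apt-get install -y ufw

# Allow SSH *before* enabling the firewall: on a remote host, enabling it with
# only the default deny-incoming policy would cut off the session in use.
ufw allow ssh

# Shadowsocks port range (adjust to the ports you hand out)
ufw allow 8388:8400/tcp
ufw allow 8388:8400/udp

# ...or individual ports - replace xxxxx and uncomment
# ufw allow xxxxx/tcp
# ufw allow xxxxx/udp

# Enable once the rules are in place
ufw enable

# Resulting rule set
ufw status verbose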

七、验证服务

7.1 检查服务状态

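# Manager service state
systemctl status ss-manager

# Every ss-server process spawned by the manager (pgrep does not match its
# own command line, unlike `ps aux | grep`)
pgrep -a ss-server

# Listening sockets. -u is added because manager.json uses tcp_and_udp mode;
# this single command replaces both the ss and the deprecated netstat call.
ss -tulnp | grep -E '838[0-9]|65535'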

7.2 测试连接

# Local test client (if ss-local is available). The key is passed on the
# command line here, the same way the ssm examples do.
ss-local -s 127.0.0.1 -p 8388 -k "YourPassword1" -m chacha20-ietf-poly1305 -v

# Follow the manager's journal
journalctl --unit=ss-manager --follow

八、日常管理命令

8.1 用户管理

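# Add a user
ssm add 8388 "newpassword"

# List users (per-port traffic is part of this listing)
ssm list

# Remove a user
ssm remove 8388

# Traffic statistics. ssm has no `stats` subcommand (it would only print the
# usage text); `list` shows readable sizes and `list-raw` the manager's raw
# byte counts.
ssm list-raw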

8.2 服务管理

# Restart the manager
systemctl restart ss-manager

# Last 50 journal lines, without a pager
journalctl --unit=ss-manager --lines=50 --no-pager

# Follow the journal live
journalctl --unit=ss-manager --follow

# Stop the service
systemctl stop ss-manager

# Start the service
systemctl start ss-manager

8.3 查看是否有暴力破解尝试

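# Connection records for one address. -F makes the dots literal (in a regex
# "." matches any character, so 147x185x132x250 would also match). The
# address is the one from the original note; substitute the IP under review.
ip=147.185.132.250
grep -F -- "$ip" /var/log/syslog | grep -i -- "auth"

# Number of failed authentications (grep -c replaces grep | wc -l). The exact
# message text depends on ss-server's logging; adjust the pattern if your
# version words it differently.
journalctl -u ss-manager | grep -c -- "authentication error"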
