问题: 有 3 个节点 A: 英国 B: 美国 C: 德国。要通过节点转发 DNS 请求,以避免 DNS 请求被“墙”或者被劫持。如何利用 MosDNS 配合 Passwall 完成操作?
解决方案:
1: Passwall 开 3 个 SOCKS5 端口,分别对应 3 个节点。A: socks5: 1083 B: socks5: 1084 C: socks5: 1085,并且修改配置文件 /etc/config/passwall:
# Passwall ACL rule for the LAN segment labelled 'L1' (192.168.101.0/24).
# DNS for this rule is handed to the local MosDNS instance on port 5135.
config acl_rule
	option enabled '1'
	option remarks 'L1'
	option interface 'L1'
	# Client addresses this rule applies to.
	option sources '192.168.101.0/24'
	option tcp_no_redir_ports 'disable'
	option udp_no_redir_ports 'disable'
	# NOTE(review): '0' presumably means "use the settings in this rule, not the global ones" - confirm in the Passwall UI.
	option use_global_config '0'
	# Node ID generated by the local Passwall install; replace it with your own.
	# NOTE(review): this should be the same node that serves the SOCKS5 port used by the
	# MosDNS instance on 5135, otherwise DNS and traffic leave from different regions - verify.
	option tcp_node 'oCQMCVBg'
	# NOTE(review): 'tcp' presumably means "reuse tcp_node for UDP" - confirm.
	option udp_node 'tcp'
	option tcp_proxy_drop_ports 'disable'
	option udp_proxy_drop_ports 'disable'
	# Every TCP and UDP port is handed to the proxy.
	option tcp_redir_ports '1:65535'
	option udp_redir_ports '1:65535'
	# All rule lists are switched off for this segment.
	option use_direct_list '0'
	option use_proxy_list '0'
	option use_block_list '0'
	option use_gfw_list '0'
	option chn_list '0'
	option tcp_proxy_mode 'proxy'
	option udp_proxy_mode 'proxy'
	option dns_shunt 'dnsmasq'
	option dns_mode 'tcp'
	# NOTE(review): with '0', client DNS is presumably not force-redirected to dnsmasq, so a client
	# with a hard-coded resolver would bypass the MosDNS path below - confirm.
	option dnsmasq_dns_redirect '0'
	# Loopback address of the MosDNS instance that forwards through this segment's node.
	option remote_dns '127.0.0.1:5135'
# Passwall ACL rule for the LAN segment labelled 'L2' (192.168.102.0/24).
# DNS for this rule is handed to the local MosDNS instance on port 5136.
config acl_rule
	option enabled '1'
	option remarks 'L2'
	option interface 'L2'
	# Client addresses this rule applies to.
	option sources '192.168.102.0/24'
	option tcp_no_redir_ports 'disable'
	option udp_no_redir_ports 'disable'
	# NOTE(review): '0' presumably means "use the settings in this rule, not the global ones" - confirm in the Passwall UI.
	option use_global_config '0'
	# Node ID generated by the local Passwall install; replace it with your own.
	# NOTE(review): this should be the same node that serves the SOCKS5 port used by the
	# MosDNS instance on 5136, otherwise DNS and traffic leave from different regions - verify.
	option tcp_node 'XxxWUfAC'
	# NOTE(review): 'tcp' presumably means "reuse tcp_node for UDP" - confirm.
	option udp_node 'tcp'
	option tcp_proxy_drop_ports 'disable'
	option udp_proxy_drop_ports 'disable'
	# Every TCP and UDP port is handed to the proxy.
	option tcp_redir_ports '1:65535'
	option udp_redir_ports '1:65535'
	# All rule lists are switched off for this segment.
	option use_direct_list '0'
	option use_proxy_list '0'
	option use_block_list '0'
	option use_gfw_list '0'
	option chn_list '0'
	option tcp_proxy_mode 'proxy'
	option udp_proxy_mode 'proxy'
	# NOTE(review): the other two rules on this page set dns_shunt to 'dnsmasq'; 'tcp' here looks
	# like a copy of the dns_mode value below. Check which value was intended before deploying.
	option dns_shunt 'tcp'
	option dns_mode 'tcp'
	# NOTE(review): with '0', client DNS is presumably not force-redirected to dnsmasq, so a client
	# with a hard-coded resolver would bypass the MosDNS path below - confirm.
	option dnsmasq_dns_redirect '0'
	# Loopback address of the MosDNS instance that forwards through this segment's node.
	option remote_dns '127.0.0.1:5136'
# Passwall ACL rule for the LAN segment labelled 'L3' (192.168.103.0/24).
# DNS for this rule is handed to the local MosDNS instance on port 5137.
config acl_rule
	option enabled '1'
	option remarks 'L3'
	option interface 'L3'
	# Client addresses this rule applies to.
	option sources '192.168.103.0/24'
	option tcp_no_redir_ports 'disable'
	option udp_no_redir_ports 'disable'
	# NOTE(review): '0' presumably means "use the settings in this rule, not the global ones" - confirm in the Passwall UI.
	option use_global_config '0'
	# Node ID generated by the local Passwall install; replace it with your own.
	# NOTE(review): this should be the same node that serves the SOCKS5 port used by the
	# MosDNS instance on 5137, otherwise DNS and traffic leave from different regions - verify.
	option tcp_node 'AI7uCLje'
	# NOTE(review): 'tcp' presumably means "reuse tcp_node for UDP" - confirm.
	option udp_node 'tcp'
	option tcp_proxy_drop_ports 'disable'
	option udp_proxy_drop_ports 'disable'
	# Every TCP and UDP port is handed to the proxy.
	option tcp_redir_ports '1:65535'
	option udp_redir_ports '1:65535'
	# All rule lists are switched off for this segment.
	option use_direct_list '0'
	option use_proxy_list '0'
	option use_block_list '0'
	option use_gfw_list '0'
	option chn_list '0'
	option tcp_proxy_mode 'proxy'
	option udp_proxy_mode 'proxy'
	option dns_shunt 'dnsmasq'
	option dns_mode 'tcp'
	# NOTE(review): with '0', client DNS is presumably not force-redirected to dnsmasq, so a client
	# with a hard-coded resolver would bypass the MosDNS path below - confirm.
	option dnsmasq_dns_redirect '0'
	# Loopback address of the MosDNS instance that forwards through this segment's node.
	option remote_dns '127.0.0.1:5137'
2: MosDNS 开3个实例, 每个实例监听不同端口 A: 5135 B: 5136 C: 5137
A 实例配置(监听端口 5135,SOCKS5 代理 127.0.0.1:1083)
文件名示例:config_A.yaml
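# MosDNS instance A: answers on port 5135 and forwards every query to Google DNS
# through the local SOCKS5 proxy on 127.0.0.1:1083.
log:
  level: info
  # /tmp on OpenWrt is RAM-backed and nothing in this config rotates the file;
  # watch its size on small routers.
  file: "/tmp/mosdns_a.log"

plugins:
  - tag: forward_remote
    type: forward
    args:
      # NOTE(review): with concurrent: 1 each query presumably goes to a single upstream chosen
      # by mosdns, so some queries may use the plain-TCP upstream below - confirm.
      concurrent: 1
      upstreams:
        - tag: google_doh
          addr: "https://dns.google/dns-query"
          # dial_addr pins the server IP so the DoH hostname itself is never resolved locally.
          # NOTE(review): bootstrap is presumably unused while dial_addr is set - confirm.
          dial_addr: "8.8.8.8"
          bootstrap: "8.8.8.8"
          idle_timeout: 30
          socks5: "127.0.0.1:1083"
        # Plain DNS over TCP: the SOCKS5 hop hides it on the local path, but between the exit
        # node and 8.8.8.8 it is unencrypted and can be read or altered. Keep only the DoH
        # upstream, or use an encrypted transport here, if that matters.
        - addr: "tcp://8.8.8.8"
          idle_timeout: 30
          socks5: "127.0.0.1:1083"
          enable_pipeline: true

  - tag: main_sequence
    type: sequence
    args:
      - exec: $forward_remote

  # Bind to loopback only. The original ":5135" listened on every interface, which turns the
  # router into an open DNS forwarder for anyone who can reach the port. Passwall reaches this
  # instance through remote_dns '127.0.0.1:5135', so loopback is sufficient. If LAN clients
  # must query it directly, bind the LAN address instead and block the port on WAN.
  - tag: udp_server
    type: udp_server
    args:
      entry: main_sequence
      listen: "127.0.0.1:5135"

  - tag: tcp_server
    type: tcp_server
    args:
      entry: main_sequence
      listen: "127.0.0.1:5135"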
B 实例配置(监听端口 5136,SOCKS5 代理 127.0.0.1:1084)
文件名示例:config_B.yaml
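# MosDNS instance B: answers on port 5136 and forwards every query to Google DNS
# through the local SOCKS5 proxy on 127.0.0.1:1084.
log:
  level: info
  # /tmp on OpenWrt is RAM-backed and nothing in this config rotates the file;
  # watch its size on small routers.
  file: "/tmp/mosdns_b.log"

plugins:
  - tag: forward_remote
    type: forward
    args:
      # NOTE(review): with concurrent: 1 each query presumably goes to a single upstream chosen
      # by mosdns, so some queries may use the plain-TCP upstream below - confirm.
      concurrent: 1
      upstreams:
        - tag: google_doh
          addr: "https://dns.google/dns-query"
          # dial_addr pins the server IP so the DoH hostname itself is never resolved locally.
          # NOTE(review): bootstrap is presumably unused while dial_addr is set - confirm.
          dial_addr: "8.8.8.8"
          bootstrap: "8.8.8.8"
          idle_timeout: 30
          socks5: "127.0.0.1:1084"
        # Plain DNS over TCP: the SOCKS5 hop hides it on the local path, but between the exit
        # node and 8.8.8.8 it is unencrypted and can be read or altered. Keep only the DoH
        # upstream, or use an encrypted transport here, if that matters.
        - addr: "tcp://8.8.8.8"
          idle_timeout: 30
          socks5: "127.0.0.1:1084"
          enable_pipeline: true

  - tag: main_sequence
    type: sequence
    args:
      - exec: $forward_remote

  # Bind to loopback only. The original ":5136" listened on every interface, which turns the
  # router into an open DNS forwarder for anyone who can reach the port. Passwall reaches this
  # instance through remote_dns '127.0.0.1:5136', so loopback is sufficient. If LAN clients
  # must query it directly, bind the LAN address instead and block the port on WAN.
  - tag: udp_server
    type: udp_server
    args:
      entry: main_sequence
      listen: "127.0.0.1:5136"

  - tag: tcp_server
    type: tcp_server
    args:
      entry: main_sequence
      listen: "127.0.0.1:5136"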
C 实例配置(监听端口 5137,SOCKS5 代理 127.0.0.1:1085)
文件名示例:config_C.yaml
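# MosDNS instance C: answers on port 5137 and forwards every query to Google DNS
# through the local SOCKS5 proxy on 127.0.0.1:1085.
log:
  level: info
  # /tmp on OpenWrt is RAM-backed and nothing in this config rotates the file;
  # watch its size on small routers.
  file: "/tmp/mosdns_c.log"

plugins:
  - tag: forward_remote
    type: forward
    args:
      # NOTE(review): with concurrent: 1 each query presumably goes to a single upstream chosen
      # by mosdns, so some queries may use the plain-TCP upstream below - confirm.
      concurrent: 1
      upstreams:
        - tag: google_doh
          addr: "https://dns.google/dns-query"
          # dial_addr pins the server IP so the DoH hostname itself is never resolved locally.
          # NOTE(review): bootstrap is presumably unused while dial_addr is set - confirm.
          dial_addr: "8.8.8.8"
          bootstrap: "8.8.8.8"
          idle_timeout: 30
          socks5: "127.0.0.1:1085"
        # Plain DNS over TCP: the SOCKS5 hop hides it on the local path, but between the exit
        # node and 8.8.8.8 it is unencrypted and can be read or altered. Keep only the DoH
        # upstream, or use an encrypted transport here, if that matters.
        - addr: "tcp://8.8.8.8"
          idle_timeout: 30
          socks5: "127.0.0.1:1085"
          enable_pipeline: true

  - tag: main_sequence
    type: sequence
    args:
      - exec: $forward_remote

  # Bind to loopback only. The original ":5137" listened on every interface, which turns the
  # router into an open DNS forwarder for anyone who can reach the port. Passwall reaches this
  # instance through remote_dns '127.0.0.1:5137', so loopback is sufficient. If LAN clients
  # must query it directly, bind the LAN address instead and block the port on WAN.
  - tag: udp_server
    type: udp_server
    args:
      entry: main_sequence
      listen: "127.0.0.1:5137"

  - tag: tcp_server
    type: tcp_server
    args:
      entry: main_sequence
      listen: "127.0.0.1:5137"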
MosDNS 三实例 init 脚本合集,适用于 OpenWRT,分别控制 A/B/C 实例。
1. /etc/init.d/mosdns_a
#!/bin/sh /etc/rc.common
#
# Copyright (C) 2020-2022, IrineSistiana
#
# This file is part of mosdns.
#
# mosdns is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# mosdns is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# rc.common start priority: 99 places this service late in the boot sequence.
START=99
# Run the daemon under procd supervision; start_service below is the procd hook.
USE_PROCD=1
##### ONLY CHANGE THIS BLOCK ######
PROG=/usr/bin/mosdns # where is mosdns
# The service below is started as root, so keep this directory and the config writable by root only.
RES_DIR=/etc/mosdns/ # resource dir / working dir / the dir where you store ip/domain lists
CONF=./config_A.yaml # where is the config file, it can be a relative path to $RES_DIR
##### ONLY CHANGE THIS BLOCK ######
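# procd hook: registers one supervised mosdns instance.
# Globals: PROG, RES_DIR, CONF (read); respawn_threshold, respawn_timeout,
#          respawn_retry (read, optional overrides of the respawn defaults).
# Outputs: prints a status line to stdout.
start_service() {
	procd_open_instance
	# Quoted so a path containing spaces or glob characters stays a single argument.
	procd_set_param command "$PROG" start -d "$RES_DIR" -c "$CONF"
	# NOTE(review): the resolver runs as root although it only needs an unprivileged port,
	# read access to RES_DIR and write access to its log file. Consider a dedicated user.
	procd_set_param user root
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_set_param respawn "${respawn_threshold:-3600}" "${respawn_timeout:-5}" "${respawn_retry:-5}"
	procd_close_instance
	# Printed once the instance is registered; it does not confirm that mosdns is answering.
	echo "mosdns is started!"
}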
# Reload is implemented as a full stop, a two-second pause, then a start.
# Outputs: prints a status line to stdout before the start is issued.
reload_service() {
	stop
	sleep 2s
	printf '%s\n' "mosdns is restarted!"
	start
}
2. /etc/init.d/mosdns_b
#!/bin/sh /etc/rc.common
#
# Copyright (C) 2020-2022, IrineSistiana
#
# This file is part of mosdns.
#
# mosdns is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# mosdns is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# rc.common start priority: 99 places this service late in the boot sequence.
START=99
# Run the daemon under procd supervision; start_service below is the procd hook.
USE_PROCD=1
##### ONLY CHANGE THIS BLOCK ######
PROG=/usr/bin/mosdns # where is mosdns
# The service below is started as root, so keep this directory and the config writable by root only.
RES_DIR=/etc/mosdns/ # resource dir / working dir / the dir where you store ip/domain lists
CONF=./config_B.yaml # where is the config file, it can be a relative path to $RES_DIR
##### ONLY CHANGE THIS BLOCK ######
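# procd hook: registers one supervised mosdns instance.
# Globals: PROG, RES_DIR, CONF (read); respawn_threshold, respawn_timeout,
#          respawn_retry (read, optional overrides of the respawn defaults).
# Outputs: prints a status line to stdout.
start_service() {
	procd_open_instance
	# Quoted so a path containing spaces or glob characters stays a single argument.
	procd_set_param command "$PROG" start -d "$RES_DIR" -c "$CONF"
	# NOTE(review): the resolver runs as root although it only needs an unprivileged port,
	# read access to RES_DIR and write access to its log file. Consider a dedicated user.
	procd_set_param user root
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_set_param respawn "${respawn_threshold:-3600}" "${respawn_timeout:-5}" "${respawn_retry:-5}"
	procd_close_instance
	# Printed once the instance is registered; it does not confirm that mosdns is answering.
	echo "mosdns is started!"
}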
# Reload is implemented as a full stop, a two-second pause, then a start.
# Outputs: prints a status line to stdout before the start is issued.
reload_service() {
	stop
	sleep 2s
	printf '%s\n' "mosdns is restarted!"
	start
}
3. /etc/init.d/mosdns_c
#!/bin/sh /etc/rc.common
#
# Copyright (C) 2020-2022, IrineSistiana
#
# This file is part of mosdns.
#
# mosdns is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# mosdns is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# rc.common start priority: 99 places this service late in the boot sequence.
START=99
# Run the daemon under procd supervision; start_service below is the procd hook.
USE_PROCD=1
##### ONLY CHANGE THIS BLOCK ######
PROG=/usr/bin/mosdns # where is mosdns
# The service below is started as root, so keep this directory and the config writable by root only.
RES_DIR=/etc/mosdns/ # resource dir / working dir / the dir where you store ip/domain lists
CONF=./config_C.yaml # where is the config file, it can be a relative path to $RES_DIR
##### ONLY CHANGE THIS BLOCK ######
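# procd hook: registers one supervised mosdns instance.
# Globals: PROG, RES_DIR, CONF (read); respawn_threshold, respawn_timeout,
#          respawn_retry (read, optional overrides of the respawn defaults).
# Outputs: prints a status line to stdout.
start_service() {
	procd_open_instance
	# Quoted so a path containing spaces or glob characters stays a single argument.
	procd_set_param command "$PROG" start -d "$RES_DIR" -c "$CONF"
	# NOTE(review): the resolver runs as root although it only needs an unprivileged port,
	# read access to RES_DIR and write access to its log file. Consider a dedicated user.
	procd_set_param user root
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_set_param respawn "${respawn_threshold:-3600}" "${respawn_timeout:-5}" "${respawn_retry:-5}"
	procd_close_instance
	# Printed once the instance is registered; it does not confirm that mosdns is answering.
	echo "mosdns is started!"
}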
# Reload is implemented as a full stop, a two-second pause, then a start.
# Outputs: prints a status line to stdout before the start is issued.
reload_service() {
	stop
	sleep 2s
	printf '%s\n' "mosdns is restarted!"
	start
}
统一控制脚本 /etc/init.d/mosdns_all,可以用来同时启动、停止、重启 MosDNS 的 A、B、C 三个实例。
/etc/init.d/mosdns_all
#!/bin/sh /etc/rc.common
# Unified control for MosDNS A, B, C instances
# rc.common start priority for the wrapper. It is lower than the 99 used by the per-instance
# scripts, so the wrapper runs first when both are enabled.
# NOTE(review): if mosdns_a/b/c are also enabled, each instance is started a second time at 99 - confirm that is intended.
START=96
# rc.common stop priority used at shutdown.
STOP=9
# Starts the A, B and C instances in order through their own init scripts.
# Returns: the exit status of the last per-instance script.
start() {
	local unit
	echo "Starting all MosDNS instances..."
	for unit in a b c; do
		"/etc/init.d/mosdns_${unit}" start
	done
}
# Stops the A, B and C instances in order through their own init scripts.
# Returns: the exit status of the last per-instance script.
stop() {
	local unit
	echo "Stopping all MosDNS instances..."
	for unit in a b c; do
		"/etc/init.d/mosdns_${unit}" stop
	done
}
# Restarts the A, B and C instances in order through their own init scripts.
# Returns: the exit status of the last per-instance script.
restart() {
	local unit
	echo "Restarting all MosDNS instances..."
	for unit in a b c; do
		"/etc/init.d/mosdns_${unit}" restart
	done
}
使用方式:
# The wrapper calls mosdns_a, mosdns_b and mosdns_c by path, so those three scripts must be
# executable as well. This line only covers the wrapper itself.
chmod +x /etc/init.d/mosdns_all
# Register the wrapper so it runs at boot.
/etc/init.d/mosdns_all enable
/etc/init.d/mosdns_all start # start all instances
/etc/init.d/mosdns_all stop # stop all instances
/etc/init.d/mosdns_all restart # restart all instances