VPS rental and security maintenance

This site provides several tutorials for friends who are interested in creating their own VPN and SOCKS5 proxy:

Self-built VPN: the classic SoftEther VPN and the newer WireGuard
Self-built SOCKS5 proxy: the simplest SSH proxy and the powerful V2Ray proxy
Each tutorial has detailed descriptions and screenshots for both the server and the client, and can be selected from the main and secondary menus.

The first step in building your own proxy is to rent a VPS (Virtual Private Server). A VPS costing a few dollars a month is enough for personal use. You can search for VPS providers with the keyword "VPS" on a search engine, or pick one through a site that reviews VPS providers. Use a strong password when registering your VPS account.

Recommended: Vultr VPS rental illustrated tutorial

The operating system of a VPS is usually Linux. Debian is recommended here because it uses relatively few resources. This article uses Debian and Ubuntu (Ubuntu is a Debian-based system) as examples. You normally choose the operating system yourself when deploying the server. After deployment you will receive a domain name or IP address, and you need to set a strong password. We first need to log in to the remote VPS system; for this we recommend Bitvise SSH Client.

On the Login tab of Bitvise SSH Client, fill in the Host (domain name or IP), Username (usually root), Port (default 22) and Password (set earlier); you can then log in remotely and open the terminal (the Terminal is shown in the figure below). All of the server-side steps for our self-built VPN are carried out in this terminal.

Before building a proxy, you need to do some necessary security maintenance on the remote host. First of all, it is recommended to install Fail2Ban to defend against SSH password brute-forcing.

Update the system first:

apt-get update
apt-get upgrade -y

You can use the "clear" command to clear the screen.

Install fail2ban:

apt install -y fail2ban

View fail2ban service status:

systemctl status fail2ban.service

As you can see, the green "active (running)" indicates that the fail2ban service is already running. If this is not the case, you need to start the fail2ban service:

systemctl start fail2ban

Set the fail2ban service to start automatically after booting:

systemctl enable fail2ban

The most critical step is to configure jail.local:

nano /etc/fail2ban/jail.local

Because it is a newly created file, it is blank. Copy and paste the following content into it:

[DEFAULT]

bantime = 604800
findtime = 6000

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Use "Ctrl+X" to save and exit.

When you press "Ctrl+X", "Save modified buffer?" will pop up:

At this time, enter "Y" and press Enter:

You will see that "File Name to Write: /etc/fail2ban/jail.local" pops up again:

Press Enter again to save it.

Finally, restart the fail2ban service:

systemctl restart fail2ban

In the above configuration, maxretry = 3 means that after three incorrect password attempts (within the findtime window of 6000 seconds), fail2ban bans the offending IP from further login attempts for bantime, here 604800 seconds (7 days). You can simulate and test this yourself: after three failed attempts you will no longer be able to log in, and you will see a record like this (in the red box):

Tip: after the test, your own computer will be banned from logging in; you will have to change your public IP address to log in to the remote host again.
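To see what the [sshd] jail's per-IP threshold does, here is an added shell example (not from the original tutorial) that applies the same "failed passwords per source IP" count to a few constructed auth.log lines; the log lines and IP addresses are made up.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (made up, not a real capture).
SAMPLE_AUTH_LOG='Mar  3 10:01:02 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar  3 10:01:05 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar  3 10:01:09 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2
Mar  3 10:02:00 vps sshd[1210]: Accepted publickey for debian from 198.51.100.20 port 40012 ssh2
Mar  3 10:02:30 vps sshd[1215]: Failed password for root from 198.51.100.20 port 40020 ssh2'

# offenders LOG MAXRETRY
# Print (sorted) every source IP whose "Failed password" lines reach
# MAXRETRY, the same per-IP threshold the [sshd] jail applies with
# maxretry = 3. findtime is not modelled here: all sample lines fall
# within a single window.
offenders() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' | sort
}

# Stand-alone usage: lists 203.0.113.7 (3 failures) but not 198.51.100.20 (1).
offenders "$SAMPLE_AUTH_LOG" 3
```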

Preparation 2: Set up the firewall

Use this command to view the current firewall rules:

iptables -L

Install iptables-persistent:

apt-get install iptables-persistent

Dialog windows will pop up during the installation; answer Yes to all of them.
After installation, the current rules are stored automatically in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
Save the prepared firewall rules in /etc/iptables/rules.v4 (the following command removes the original rules.v4 and opens a fresh copy for editing):

rm /etc/iptables/rules.v4 && nano /etc/iptables/rules.v4

Copy and paste the following settings into it (click the right mouse button to paste, do not use ctrl+v to paste) :

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

### Flush all rules
-F
### Trusted IP Access

-A INPUT -i lo -j ACCEPT
# Allow the whole private network (uncomment if needed)
#-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Stealth-scan protection: drop packets with invalid TCP flag combinations
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
COMMIT

Ctrl+X to save changes and exit.

Execute the following command to load the rules:

/etc/init.d/netfilter-persistent reload

Running iptables -L again shows that the firewall rules written above have been loaded successfully:
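Because a mistake in rules.v4 on a host with an INPUT DROP policy can lock you out of your only SSH session, here is an added shell example (not part of the original tutorial) that checks a rules file for the lines a remote SSH session depends on before you reload it; the sample ruleset is a shortened constructed copy of the one above.

```shell
#!/bin/sh
# check_rules FILE: lockout sanity check for an iptables-restore file
# before it is reloaded on a remote host. Returns 0 when every line a
# remote SSH session depends on is present, 1 otherwise (reasons printed).
check_rules() {
    f="$1"; rc=0
    grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP"; rc=1; }
    grep -q '^-A INPUT -i lo -j ACCEPT' "$f" || { echo "loopback not allowed"; rc=1; }
    grep -Eq '^-A INPUT -p tcp .*--dport 22 -j ACCEPT' "$f" \
        || { echo "SSH port 22 not allowed: reload would lock you out"; rc=1; }
    grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' "$f" \
        || { echo "established connections not allowed"; rc=1; }
    grep -q '^COMMIT' "$f" || { echo "missing COMMIT"; rc=1; }
    return $rc
}

# sample_rules: shortened constructed copy of the tutorial's rules.v4.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
COMMIT
EOF
}

# Stand-alone usage: the full file passes; a copy without the port 22
# rule is rejected with "SSH port 22 not allowed".
good=$(mktemp) && sample_rules > "$good"
bad=$(mktemp) && grep -v 'dport 22' "$good" > "$bad"
check_rules "$good" && echo "ok: $good"
check_rules "$bad" || echo "rejected: $bad"
rm -f "$good" "$bad"
```

Note that both the -F line and iptables-restore itself flush the INPUT chain, which removes the jump to fail2ban's own f2b-sshd chain; restart fail2ban after loading the rules so its bans are re-inserted.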