Shadowsocks-libev: ss-server block all requests from IP

Created on 6 Aug 2017  ·  9 Comments  ·  Source: shadowsocks/shadowsocks-libev

What version of shadowsocks-libev are you using?

Server: libev-3.0.6
Client: mac-ShadowsocksX-NG-1.5.1(1); win7/10: Shadowsocks-windows-4.0.4
Panel: Shadowsocks-manager (node-js)

What operating system are you using?

CentOS 7, 4.11.5-1.el7.elrepo.x86_64, VPS in the US.

What did you do?

The system seems to have no errors after using ssmgr-panel (webgui) to create an account; ss-server starts listening on the account port (50018).

What did you expect to see?

But the Mac/Win clients can't connect to the server and display a 500 error; sometimes it is "ERR_CONNECTION_CLOSED".

What did you see instead?

If the client connects to the server through port 8388 using the config.json file, it runs well.

What is your config in detail (with all sensitive info masked)?

config.json:
{
  "server": "0.0.0.0",
  "server_port": 8388,
  "local_address": "127.0.0.1",
  "local_port": 1080,
  "password": "XXXXXXXX",
  "timeout": 300,
  "method": "aes-256-cfb"
}

not a bug question

All 9 comments

Aug 6 18:18:55 US ss-server[22766]: block all requests from 125.210.xxx.xxx
Aug 6 18:18:55 US ss-server[22766]: block all requests from 125.210.xxx.xxx
Aug 6 18:19:50 US ss-server[24298]: UDP relay enabled
Aug 6 18:19:50 US ss-server[24298]: initializing ciphers... aes-256-cfb
Aug 6 18:19:50 US ss-server[24298]: tcp port reuse enabled
Aug 6 18:19:50 US ss-server[24298]: tcp server listening at 0.0.0.0:50018
Aug 6 18:19:50 US ss-server[24298]: udp port reuse enabled
Aug 6 18:19:50 US ss-server[24298]: udp server listening at 0.0.0.0:50018
Aug 6 18:19:50 US ss-server[24298]: running from root user
Aug 6 18:20:00 US ss-server[24332]: UDP relay enabled
Aug 6 18:20:00 US ss-server[24332]: initializing ciphers... aes-256-cfb
Aug 6 18:20:00 US ss-server[24332]: tcp port reuse enabled
Aug 6 18:20:00 US ss-server[24332]: tcp server listening at 0.0.0.0:50018
Aug 6 18:20:00 US ss-server[24332]: udp port reuse enabled
Aug 6 18:20:00 US ss-server[24332]: udp server listening at 0.0.0.0:50018
Aug 6 18:20:00 US ss-server[24332]: running from root user
Aug 6 18:21:12 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:13 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:13 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:14 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:14 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:14 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:14 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:14 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:14 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:15 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:15 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:16 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:16 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid host name
Aug 6 18:21:16 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:16 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:17 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:17 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:17 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:17 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:17 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type

Aug 6 18:21:25 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:26 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid host name
Aug 6 18:21:26 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:26 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:27 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:27 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:27 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:27 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:27 US ss-server[24332]: connect: Network is unreachable
Aug 6 18:21:27 US ss-server[24332]: connect error
Aug 6 18:21:28 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:28 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:28 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:28 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:29 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:29 US ss-server[24332]: getpeername: Transport endpoint is not connected
Aug 6 18:21:29 US ss-server[24332]: getpeername: Transport endpoint is not connected
Aug 6 18:21:29 US ss-server[24332]: getpeername: Transport endpoint is not connected
Aug 6 18:21:29 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:29 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:29 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:30 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:30 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:30 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:30 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:30 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:31 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:31 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:31 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:31 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid host name
Aug 6 18:21:31 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:31 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:32 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:32 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:32 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:32 US ss-server[24332]: getpeername: Transport endpoint is not connected
Aug 6 18:21:32 US ss-server[24332]: getpeername: Transport endpoint is not connected
Aug 6 18:21:32 US ss-server[24332]: getpeername: Transport endpoint is not connected
Aug 6 18:21:33 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:33 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:33 US ss-server[24332]: failed to handshake with 125.210.xxx.xxx: invalid address type
Aug 6 18:21:33 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:33 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:33 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:33 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:33 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:33 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:33 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:33 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:34 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:34 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:34 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:34 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:34 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:34 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:34 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:34 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:35 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:35 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:35 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:35 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:35 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:35 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:35 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:35 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:35 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:35 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:35 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:36 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:36 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:36 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:36 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:36 US ss-server[24332]: block all requests from 125.210.xxx.xxx
Aug 6 18:21:36 US ss-server[24332]: block all requests from 125.210.xxx.xxx

client log:

[2017-08-06 19:51:32] connect to securepubads.g.doubleclick.net:443
[2017-08-06 19:51:32] connect to googleads.g.doubleclick.net:443
[2017-08-06 19:51:32] connect to s.youtube.com:443
[2017-08-06 19:51:32] connect to yt3.ggpht.com:443
[2017-08-06 19:51:32] connect to static.doubleclick.net:443
[2017-08-06 19:51:32] Socket connected to ss server: XXX.CC:50018
[2017-08-06 19:51:32] Socket connected to ss server: XXX.CC:50018
[2017-08-06 19:51:32] Socket connected to ss server: XXX.CC:50018
[2017-08-06 19:51:32] Socket connected to ss server: XXX.CC:50018
[2017-08-06 19:51:32] Socket connected to ss server: XXX.CC:50018
[2017-08-06 19:51:32] Socket connected to ss server: XXX.CC:50018
[2017-08-06 19:51:32] connect to www.youtube.com:443
[2017-08-06 19:51:33] Socket connected to ss server: XXX.CC:50018
[2017-08-06 19:51:33] Socket connected to ss server: XXX.CC:50018
[2017-08-06 19:51:34] connect to www.youtube.com:443
[2017-08-06 19:51:35] Socket connected to ss server: XXX.CC:50018
[2017-08-06 19:51:35] connect to www.youtube.com:443
[2017-08-06 19:51:36] Socket connected to ss server: XXX.CC:50018
[2017-08-06 19:51:41] connect to www.youtube.com:443
[2017-08-06 19:51:41] Socket connected to ss server: XXX.CC:50018
[2017-08-06 19:51:41] connect to www.youtube.com:443
[2017-08-06 19:51:42] Socket connected to ss server: XXX.CC:50018

webgui.yml:
---------------
type: m
empty: false

manager:
  address: 0.0.0.0:4001
  password: '123456'

plugins:
  flowSaver:
    use: true
  user:
    use: true
  account:
    use: true
  email:
      use: true
      username: 'XXXXXX'
      password: 'XXXXX'
      host: 'XXXXXXX'
  webgui:
      use: true
      host: 'localhost'
      port: '8080'
      site: 'https://xxxx.com'
      gcmSenderId: '456102641793'
      gcmAPIKey: 'AAAAGzzdqrE:XXXXXXXXXXXXXX'
  alipay:
      use: true
      appid: 00007888887
      notifyUrl: 'https://XXXXXXX'
      merchantPrivateKey: 'XXXXX'
      alipayPublicKey: 'XXXXX'
      gatewayUrl: 'https://openapi.alipay.com/gateway.do'
db: 'webgui.sqlite'

ss.yml:
----------------
type: s
empty: false
shadowsocks:
  address: 127.0.0.1:4000

manager:
  address: 0.0.0.0:4001
  password: '123456'
db: 'ss.sqlite'

ss-server start:
ss-manager -m aes-256-cfb -u --manager-address 127.0.0.1:4000 &

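You used a wrong password or a wrong encryption method; just restart the server.

This is the auto-ban mechanism: an IP that fails to connect multiple times gets banned, and you have to restart the server to clear it.

About the auto-ban mechanism: if the ss server runs behind a load balancer, a single client failing to connect will cause the whole server to refuse connections. There should be a config option to disable this feature.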

@duanshiqiang Add your load balancer's IP to the [white_list] section of the ACL file.

@madeye Thanks, it works :)
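
An added example (not part of the original thread or the project's code) that triages ss-server logs like the one above: it counts handshake failures per process and source before the first "block all requests" line, and separates banned sources the operator has marked as trusted front ends, such as a load balancer, from external ones. The function names, the `trusted_fronts` parameter and the sample lines (documentation IPs) are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the two ss-server messages that matter in the log above.
LINE = re.compile(
    r"ss-server\[(?P<pid>\d+)\]: (?:failed to handshake with (?P<fail>\S+): (?P<why>.+)"
    r"|block all requests from (?P<block>\S+))$"
)

def triage(lines, trusted_fronts=()):
    """List banned (pid, source) pairs with failures seen before the ban."""
    fails = defaultdict(int)   # (pid, ip) -> handshake failures so far
    banned = {}                # (pid, ip) -> failures counted at first block line
    for line in lines:
        m = LINE.search(line.strip())
        if not m:
            continue           # unrelated messages such as "connect error"
        if m["fail"]:
            fails[(m["pid"], m["fail"])] += 1
        else:
            key = (m["pid"], m["block"])
            banned.setdefault(key, fails[key])
    # 0 failures means the ban predates the captured log window.
    return [{"pid": pid, "ip": ip, "failures_before_ban": n,
             "kind": "trusted-front" if ip in trusted_fronts else "external"}
            for (pid, ip), n in sorted(banned.items())]

def white_list_stanza(report):
    """[white_list] ACL text for banned sources marked trusted, and only those."""
    ips = sorted({r["ip"] for r in report if r["kind"] == "trusted-front"})
    return "[white_list]\n" + "\n".join(ips) + "\n" if ips else ""

# Constructed sample in the same format as the server log above.
SAMPLE = """\
Aug 6 18:18:55 US ss-server[22766]: block all requests from 203.0.113.10
Aug 6 18:21:12 US ss-server[24332]: failed to handshake with 203.0.113.10: invalid address type
Aug 6 18:21:13 US ss-server[24332]: failed to handshake with 203.0.113.10: invalid host name
Aug 6 18:21:14 US ss-server[24332]: failed to handshake with 198.51.100.7: invalid address type
Aug 6 18:21:27 US ss-server[24332]: connect: Network is unreachable
Aug 6 18:21:28 US ss-server[24332]: failed to handshake with 203.0.113.10: invalid address type
Aug 6 18:21:33 US ss-server[24332]: block all requests from 203.0.113.10
Aug 6 18:21:34 US ss-server[24332]: failed to handshake with 198.51.100.7: invalid address type
Aug 6 18:21:35 US ss-server[24332]: block all requests from 198.51.100.7
"""

if __name__ == "__main__":
    report = triage(SAMPLE.splitlines(), trusted_fronts={"203.0.113.10"})
    print(report, white_list_stanza(report), sep="\n")
```

Sources reported as `external` are left out of the stanza, so the ban keeps applying to them.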

Can I use the FQDN instead of an IP in the ACL file?
