出处:134333.xyz
1、DD 系统
- -firmware 额外的驱动支持 -d Debian 系统, 后面是系统版本号 -c Centos 系统, 后面是系统版本号 -v 后面写 64 位或 32 位 -a auto, 全自动无人值守安装 --mirror 后面是镜像源地址 -p 后面写自定义密码 --ip-addr ifconfig -a 后获取到的 IP, 例: 194.87.xxx.xxx --ip-gate route -n 后获取到的网关, 例: 194.87.xxx.xxx --ip-mask 子网掩码, 例: 255.255.xxx.xx
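# Reinstall the OS over the running system with the MoeClub InstallNET.sh
# netboot installer (flags are described above; -a = unattended).
# The downloaded script runs as root and repartitions the disk, so the
# transfer must be verified: the original passed --no-check-certificate,
# which accepts any TLS certificate and lets an on-path party swap the
# installer. wget now verifies the certificate and aborts on mismatch.
# Replace 密码 with the root password to set; note it is visible in shell
# history and in `ps` while the installer runs.
bash <(wget -qO- 'https://raw.githubusercontent.com/MoeClub/Note/master/InstallNET.sh') -d 11 -v 64 -p 密码 -port 22 -a -firmware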
2、初始化和禁用 IPV6
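# Append LINE to FILE only if an identical line is not already present, so this
# section can be re-run without piling up duplicate entries (the original
# unconditionally appended to gai.conf and sysctl.conf). A missing FILE is created.
append_once() {
  grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

# Refresh package lists and upgrade everything installed.
apt-get -y update
apt-get -y upgrade
# Hostname (read at boot; `hostnamectl set-hostname vps` would apply it now).
echo "vps" > /etc/hostname
# Resolvers: Google and Cloudflare public DNS. On hosts where DHCP, resolvconf
# or systemd-resolved owns resolv.conf this file may be rewritten later.
cat > /etc/resolv.conf <<'EOF'
nameserver 8.8.8.8
nameserver 1.1.1.1
EOF
# Prefer IPv4 results in getaddrinfo() ordering.
append_once "precedence ::ffff:0:0/96 100" /etc/gai.conf
# Disable IPv6; applied by `sysctl -p` (section 3) or at the next reboot.
append_once "net.ipv6.conf.all.disable_ipv6 = 1" /etc/sysctl.conf
append_once "net.ipv6.conf.default.disable_ipv6 = 1" /etc/sysctl.conf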
3、配置 BBR
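# Enable BBR congestion control with the fq qdisc.
# Idempotent: each key is appended to /etc/sysctl.conf only if that exact line
# is not already there (the original appended on every run).
for kv in "net.core.default_qdisc=fq" "net.ipv4.tcp_congestion_control=bbr"; do
  grep -qxF -- "$kv" /etc/sysctl.conf || printf '%s\n' "$kv" >> /etc/sysctl.conf
done
# Apply now; errors here usually mean the running kernel has no tcp_bbr module.
sysctl -p
# Verify: bbr should appear in the available list and the module should be loaded.
sysctl net.ipv4.tcp_available_congestion_control
lsmod | grep bbr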
4、配置服务器语言和时区
记得重启
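# 1 Locale: install locales, enable zh_CN.UTF-8 in locale.gen and make it the
# system default. The && chain stops at the first failing step.
apt-get install -y locales
sed -i -e 's/# zh_CN.UTF-8 UTF-8/zh_CN.UTF-8 UTF-8/' /etc/locale.gen && \
echo 'LANG="zh_CN.UTF-8"'>/etc/default/locale && \
dpkg-reconfigure --frontend=noninteractive locales && \
update-locale LANG=zh_CN.UTF-8
# 2 Timezone: written to /etc/timezone once (the original wrote it twice) and
# applied to /etc/localtime via tzdata and timedatectl.
echo "Asia/Shanghai" > /etc/timezone && \
dpkg-reconfigure -f noninteractive tzdata
timedatectl set-timezone Asia/Shanghai
# 3 One-off clock sync. ntpdate is this page's choice; where systemd-timesyncd
# is present, `timedatectl set-ntp true` keeps the clock synced without cron.
apt-get install -y ntpdate
ntpdate cn.pool.ntp.org
# 4 Check time and locale. `locale` reflects the new default only in a fresh
# login shell, so the full result is visible after the reboot below.
date
locale
# 5 Reboot LAST: the original rebooted mid-section, so the commands after it
# never ran in the same session. Log in again once the host is back.
reboot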
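# 6 Sync the clock hourly via cron (*/60 on the minute field == minute 0 of
# every hour). Installed non-interactively instead of `crontab -e`, and
# re-runnable: any earlier ntpdate line for this pool is dropped first.
ntp_job='*/60 * * * * /usr/sbin/ntpdate cn.pool.ntp.org'
{
  crontab -l 2>/dev/null | grep -vF 'ntpdate cn.pool.ntp.org'   # 2>/dev/null: no crontab yet is fine
  printf '%s\n' "$ntp_job"
} | crontab -
# After the table is installed, restart cron so the new entry is picked up.
/etc/init.d/cron restart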
5、修改 ssh 链接
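# sshd hardening. The `^#\?` prefix matches a key whether Debian shipped it
# commented out (`#Port 22`, `#MaxAuthTries 6`, ...) or it was set earlier, so
# the edits take effect on a stock sshd_config and the section can be re-run.
# (The original `^Port` pattern never matched the stock `#Port 22` line, so the
# port silently stayed at 22.)
sshd_cfg=/etc/ssh/sshd_config
# Listen on 92 instead of 22. Open 92 in the firewall (section 9) and in
# fail2ban (section 6) before relying on it.
sed -i 's/^#\?Port .*$/Port 92/' "$sshd_cfg"
# Seconds a client may take to authenticate before the connection is dropped.
sed -i 's/^#\?LoginGraceTime .*$/LoginGraceTime 30/' "$sshd_cfg"
# Authentication attempts allowed per connection.
sed -i 's/^#\?MaxAuthTries .*$/MaxAuthTries 3/' "$sshd_cfg"
# RSAAuthentication is an SSH protocol-1 option; current OpenSSH ships no such
# line, so this is a no-op there and only matters on very old servers.
sed -i 's/^#RSAAuthentication.*$/RSAAuthentication yes/' "$sshd_cfg"
# Public-key auth: uncomment the shipped defaults (PubkeyAuthentication yes and
# the default AuthorizedKeysFile list), leaving their values untouched.
sed -i 's/^#PubkeyAuthentication/PubkeyAuthentication/' "$sshd_cfg"
sed -i 's/^#AuthorizedKeysFile/AuthorizedKeysFile/' "$sshd_cfg"
# Idle handling: TCP keepalives plus a server-side probe every 600 s; the
# session is dropped after 3 unanswered probes (30 min idle).
sed -i 's/^#TCPKeepAlive/TCPKeepAlive/' "$sshd_cfg"
sed -i 's/^#\?ClientAliveInterval .*$/ClientAliveInterval 600/' "$sshd_cfg"
sed -i 's/^#\?ClientAliveCountMax .*$/ClientAliveCountMax 3/' "$sshd_cfg"
# Validate before restarting: a broken config would leave no sshd to log back
# into. Keep this session open and confirm a fresh login on port 92 works.
sshd -t && service sshd restart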
不推荐复制服务器的密钥出来
如果你需要免密登录, 请在本地机器(不是服务器)上创建密钥对, 然后只将公钥的内容复制到服务器的 ~/.ssh/authorized_keys
就可以了
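# Create ~/.ssh and authorized_keys with the modes sshd's StrictModes (the
# default) requires: a directory or key file that is group/world-writable is
# rejected and the key silently does not work. Paste only the PUBLIC key
# generated on the local machine into authorized_keys.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# sshd reads authorized_keys at each login, so the restart is not strictly
# needed for the key; kept for parity with the original steps.
service sshd restart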
6、添加 fail2ban
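# fail2ban jail for sshd on the non-default port set in section 5 (Port 92).
# Install the package first: /etc/fail2ban/jail.d/ does not exist until it is,
# and the original echo redirects would fail there. On Debian the sshd jail is
# enabled by the packaged defaults; elsewhere add `enabled = true` below.
# maxretry matches MaxAuthTries 3 from section 5; bantime is one day.
apt-get install -y fail2ban
cat > /etc/fail2ban/jail.d/customisation.conf <<'EOF'
[sshd]
port = 92
bantime = 86400
findtime = 600
maxretry = 3
EOF
systemctl restart fail2ban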
7、修改系统日志存储方式
# journald size limits, appended to /etc/systemd/journald.conf (all keys belong
# to its single [Journal] section). SystemMaxUse caps the persistent journal
# under /var/log/journal/ at 1.5 GiB (1536M, not 1G as the old comment said);
# RuntimeMaxUse caps the volatile journal under /run/log/journal/ at 512 MiB.
# Individual files rotate at 64 MiB / 32 MiB, keeping at most 14 of each.
# Re-running appends the keys again (journald uses the last value seen); a
# drop-in under /etc/systemd/journald.conf.d/ would be the idempotent form.
cat >> /etc/systemd/journald.conf <<'EOF'
SystemMaxUse=1536M
RuntimeMaxUse=512M
SystemMaxFileSize=64M
RuntimeMaxFileSize=32M
SystemMaxFiles=14
RuntimeMaxFiles=14
EOF
systemctl restart systemd-journald.service
8、装 docker
提醒一下, 下面第三部分“修改日志”中的 iptables 属性会关闭创建容器时自动开放端口的功能;
如果你使用 UFW 则推荐关闭它, 否则 UFW 规则对容器端口不生效。
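# Install Docker Engine with the official convenience script.
# -f makes curl fail on an HTTP error so an error page is never piped into sh;
# pipe-to-shell still trusts get.docker.com and the TLS connection — download
# and read the script first if that is not acceptable.
curl -fsSL https://get.docker.com/ | sh
docker run --rm hello-world
# docker-compose v2 standalone binary (the engine install above typically also
# provides the `docker compose` plugin). -f again prevents saving an HTML
# error page as the executable; the asset name follows `uname -m`, which
# matches the release names for x86_64 and aarch64. No sudo: the rest of this
# page already runs as root, and the curl -o above needs root anyway.
compose_version=v2.17.2
curl -fSL "https://github.com/docker/compose/releases/download/${compose_version}/docker-compose-linux-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version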
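# Docker daemon config, written non-interactively (replaces `nano` plus the
# pasted text; any existing daemon.json is overwritten):
#  - json-file logs capped at 3 files x 64m per container;
#  - "iptables": false stops Docker from editing iptables, so published ports
#    are no longer opened automatically and container NAT/forwarding must come
#    from your own firewall rules (see the note above about UFW).
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<'EOF'
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "64m",
    "max-file": "3"
  },
  "iptables": false
}
EOF
# daemon-reload re-reads unit files, not daemon.json; harmless, kept as in the original.
systemctl daemon-reload
systemctl restart docker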
9、ufw 防火墙管理
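# UFW: default deny inbound / allow outbound, then open only the needed ports.
# Rules are added BEFORE `ufw enable` so an SSH session is not cut off when the
# firewall comes up (the original enabled first and allowed only 22). Port 92
# is the sshd port set in section 5; 22 stays open until a login on 92 has
# been confirmed, then remove it with `ufw delete allow 22`.
apt-get install -y ufw
ufw status    # expect "Status: inactive" on a fresh install
ufw logging on
ufw default allow outgoing
ufw default deny incoming
ufw allow 92
ufw allow 22
ufw allow 443
ufw allow 80
ufw enable
ufw reload
# Reference commands (not run here):
#   ufw disable                # turn the firewall off
#   ufw deny <port>            # block a port
#   ufw delete allow 80        # remove a rule by its spec
#   ufw status numbered        # list rules with numbers ...
#   ufw delete <number>        # ... then delete one by number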
10、设置 swap 交换内存
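# 1 GiB swap file. Every step here is privileged; the original mixed sudo and
# non-sudo lines, so this runs as root like the rest of the page.
apt-get update -y
apt-get upgrade -y
# Current swap. These are two commands; the original merged them into one
# invalid line (`swapon -s free -m`).
swapon -s
free -m
# Create, protect, format and activate the swap file. If mkswap warns about
# holes (some filesystems with fallocate), create the file with dd instead.
fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
# Make it permanent. Appended only if not already present (replaces the
# interactive `nano /etc/fstab`), so re-running does not duplicate the entry.
grep -q '^/swapfile ' /etc/fstab || printf '%s\n' '/swapfile swap swap defaults 0 0' >> /etc/fstab
# Verify the swap file is active.
swapon --show
# To remove it again (reference, not run here):
#   swapoff /swapfile                     # `swapoff -a` would disable ALL swap
#   sed -i '\|^/swapfile |d' /etc/fstab   # drop the fstab entry
#   rm -f /swapfile                       # -r is not needed for a regular file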
11、设置 zsh
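# zsh + oh-my-zsh with two community plugins and the powerlevel10k theme.
# The installer is fetched over TLS and executed unread; download and inspect
# it first if that matters. By default it switches the login shell and starts
# zsh, so the git clones below only run after that zsh exits (or pass the
# installer's --unattended flag and change the shell yourself).
apt-get install -y zsh
sh -c "$(wget -O- https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
# Plugins (shallow clones; history is not needed).
git clone --depth=1 https://github.com/zsh-users/zsh-syntax-highlighting ~/.oh-my-zsh/plugins/zsh-syntax-highlighting
git clone --depth=1 https://github.com/zsh-users/zsh-autosuggestions ~/.oh-my-zsh/plugins/zsh-autosuggestions
# Theme. The target path is quoted: unquoted it would word-split if $HOME or
# $ZSH_CUSTOM contains spaces.
git clone --depth=1 https://github.com/romkatv/powerlevel10k.git "${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}/themes/powerlevel10k"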
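# Configure ~/.zshrc non-interactively (replaces the nano edit): set the theme
# and the plugin list. Assumes the stock oh-my-zsh template, where both are
# single lines (`ZSH_THEME="robbyrussell"`, `plugins=(git)`); a hand-edited
# multi-line plugins=( ... ) block is not matched and must be edited by hand.
zsh_plugins=(
  colored-man-pages
  colorize
  copypath
  git
  sudo
  vi-mode
  z
  zsh-autosuggestions
  zsh-syntax-highlighting
)
# `#` is used as the sed delimiter because the theme value contains a slash.
sed -i 's#^ZSH_THEME=.*#ZSH_THEME="powerlevel10k/powerlevel10k"#' ~/.zshrc
# ${zsh_plugins[*]} joins the names with single spaces inside the parentheses.
sed -i "s#^plugins=(.*)#plugins=(${zsh_plugins[*]})#" ~/.zshrc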