Linux VPS Configuration Notes
status: Published
type: Post
slug: vps-config-setup-record
date: Jul 22, 2020
tags: Config, Linux, Shell
summary: These are my notes on configuring a Linux VPS. They collect many commands and settings: package updates, hostname, timezone, creating a user, SSH configuration, enabling the firewall, the BBR algorithm, and more.
I know these commands well enough, but it is still worth writing them down; I will keep adding to this.
The commands target the Debian family (my preference
Package updates
apt update && apt upgrade -y && apt dist-upgrade -y && apt full-upgrade -y && apt autoremove -y
Set the hostname
# Hostnames may contain only letters, digits and hyphens; hostnamectl rejects an underscore
hostnamectl set-hostname example-hostname
Set the timezone
sudo timedatectl set-timezone Asia/Shanghai
# Alternative on Debian: sudo dpkg-reconfigure tzdata
Create a user
# Interactive adduser, using "app" as the example
adduser app
# Or useradd, specifying the group explicitly (home directory must match the user being created)
groupadd -g 1000 appgrp
useradd -d /home/app -m -g appgrp -s /bin/bash -u 1000 app
passwd app
Add the user to sudo with passwordless sudo
# Add to the sudo group
usermod -aG sudo app
# Verify
groups app
# Configure passwordless sudo: edit the sudoers file with visudo
visudo
# Find the following
# User privilege specification
root ALL=(ALL) ALL
# Add this line
app ALL=(ALL) NOPASSWD:ALL
# Ctrl + X, then Y to save (nano)
SSH configuration
sudo vim /etc/ssh/sshd_config
# Find the following lines and change them accordingly
# Change the default port 22; a port between 1025 and 65535 is recommended
Port 2333
# Disable root login
PermitRootLogin no
# Disable password login; only change this after key-based login has been configured
PasswordAuthentication no
# Allow login with the private key matching an authorized public key
PubkeyAuthentication yes
# Location of the authorized public keys
AuthorizedKeysFile .ssh/authorized_keys
# Keepalive settings
# The server sends a request to the client every 60 seconds and the client responds, keeping the connection alive
ClientAliveInterval 60
# If the client fails to respond to 10 consecutive requests, the server disconnects; a healthy client always responds
ClientAliveCountMax 10
Commands to disable SSH password login
sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
echo 'ChallengeResponseAuthentication no' >> /etc/ssh/sshd_config
# Reload the SSH server (sshd, not the agent)
systemctl reload ssh
Reload the configuration:
sudo systemctl restart sshd.service
Do not disconnect the current session yet; open another terminal to test.
ssh -p <port> <username>@<Host-IP>
Once the connection works, set up key-based login
ssh-keygen -t ed25519 -C "<email@address.example>" -f ~/.ssh/id_ed25519
ssh-copy-id -p <port> <username>@<Host-IP>
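The sed one-liners above only match the exact commented default line, so they silently do nothing when the directive is already active or set to a different value. Below is an added example (my own code, not from the original post) with two assumed helper names: sshd_set rewrites or appends a directive idempotently, and sshd_check audits a file against the settings this post recommends.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. The sed one-liners above only match
# the exact commented default ("#PasswordAuthentication yes"); if the line is already
# active or set to another value they silently change nothing. sshd_set (assumed name)
# rewrites any existing line for a keyword, commented or not, or appends one; sshd_check
# (assumed name) audits a file against this post's settings. Neither handles Match blocks.
# sshd_set KEY VALUE FILE: leave exactly one active "KEY VALUE" line in FILE.
sshd_set() {
  local key=$1 value=$2 file=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    # Normalise every commented or active occurrence (sshd uses the first one).
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}
# sshd_check FILE: print each recommended directive whose first active value differs;
# return 1 if anything differs, 0 if the file matches.
sshd_check() {
  local file=$1 rc=0 key want got
  while read -r key want; do
    got=$(grep -E "^[[:space:]]*${key}[[:space:]]" "$file" | head -n1 | awk '{print $2}')
    if [ "$got" != "$want" ]; then
      printf 'MISMATCH %s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
      rc=1
    fi
  done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF
  return "$rc"
}
# Demo on a constructed file resembling a Debian default sshd_config.
demo() {
  local f kv
  f=$(mktemp)
  printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
    '#PubkeyAuthentication yes' 'X11Forwarding no' > "$f"
  sshd_check "$f" || true                       # prints four MISMATCH lines
  for kv in 'PermitRootLogin no' 'PasswordAuthentication no' \
            'PubkeyAuthentication yes' 'ChallengeResponseAuthentication no'; do
    sshd_set $kv "$f"                            # unquoted on purpose: KEY VALUE
  done
  sshd_check "$f" && echo "sshd_config hardened"
  rm -f "$f"
}
demo
```

Run sshd_check against /etc/ssh/sshd_config after the restart to confirm the directives really took effect before closing the original session.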
Client ssh_config
vim ~/.ssh/config
Host vps
    HostName <Host-IP>
    User <username>
    Port <port>
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
- Enable the firewall
sudo apt install ufw -y
# After installation, configure ufw
# Deny incoming by default, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing
# If you use ZeroTier, remember to allow 9993 in and out
# ufw allow 9993
# SSH port: use the port you actually configured above (2333 in this post), otherwise enabling ufw locks you out
sudo ufw allow 22
# sudo ufw allow 443 / sudo ufw delete allow 443
# sudo ufw allow ssh
# sudo ufw allow http
# sudo ufw allow https
# Enable ufw now; it warns that the current SSH connection may be interrupted, press y to continue
sudo ufw enable
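The sshd_config above moves SSH to port 2333 while the ufw snippet allows 22; enabling ufw in that state drops your SSH access. This added check (my own code, not from the post; ssh_port_allowed, sshd_port and ufw_allows are assumed names) reads the effective sshd port and confirms a saved "ufw status" listing contains an ALLOW rule for it, using constructed input so it runs anywhere.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. The sshd_config above sets Port 2333,
# while the ufw rule allows 22: enabling ufw in that state drops your SSH access.
# ssh_port_allowed (assumed name) reads the effective sshd port and checks that a
# saved "ufw status" listing contains an ALLOW rule for it, so the check can be run
# on constructed input here and on "ufw status > /tmp/ufw.txt" on a real host.
# sshd_port FILE: first active "Port" line, or 22 (sshd's default) if none.
sshd_port() {
  local p
  p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | head -n1 | awk '{print $2}')
  printf '%s\n' "${p:-22}"
}
# ufw_allows PORT STATUSFILE: 0 if an ALLOW rule covers PORT ("22" or "2333/tcp").
ufw_allows() {
  grep -E "^[[:space:]]*$1(/tcp)?[[:space:]]+ALLOW([[:space:]]+IN)?[[:space:]]" "$2" >/dev/null
}
# ssh_port_allowed SSHD_CONFIG STATUSFILE: 0 if consistent, 1 with a warning if not.
ssh_port_allowed() {
  local port
  port=$(sshd_port "$1")
  if ufw_allows "$port" "$2"; then
    echo "ok: sshd listens on $port and ufw allows it"
    return 0
  fi
  echo "LOCKOUT RISK: sshd listens on $port but ufw has no ALLOW rule for it"
  return 1
}
# Demo on constructed inputs mirroring the post (Port 2333, only 22 allowed).
demo() {
  local cfg st
  cfg=$(mktemp); st=$(mktemp)
  printf 'Port 2333\nPermitRootLogin no\n' > "$cfg"
  printf 'To     Action      From\n--     ------      ----\n22     ALLOW       Anywhere\n' > "$st"
  ssh_port_allowed "$cfg" "$st" || true          # LOCKOUT RISK
  printf '2333/tcp   ALLOW       Anywhere\n' >> "$st"
  ssh_port_allowed "$cfg" "$st"                  # ok
  rm -f "$cfg" "$st"
}
demo
```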
Network parameter configuration
#!/usr/bin/env bash
# Note: this overwrites /etc/sysctl.conf entirely; a drop-in under /etc/sysctl.d/ is the less intrusive option
cat > /etc/sysctl.conf <<EOF
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_ecn=2
net.ipv4.tcp_ecn_fallback = 1
net.ipv4.tcp_frto=0
net.ipv4.tcp_mtu_probing=0
net.ipv4.tcp_rfc1337=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_fack=1
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_adv_win_scale=2
net.ipv4.tcp_moderate_rcvbuf=1
net.ipv4.tcp_rmem=4096 65536 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.udp_rmem_min=8192
net.ipv4.udp_wmem_min=8192
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
# The next four make the host forward packets (a router); only needed if it relays traffic for a VPN, proxy or containers
net.ipv4.conf.all.route_localnet=1
net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv4.conf.default.forwarding=1
EOF
sysctl -p
BBR algorithm
BBR is a TCP congestion control algorithm proposed by Google; it can significantly increase throughput and reduce TCP connection latency on Linux servers.
Commands to verify:
sudo sysctl net.ipv4.tcp_available_congestion_control | grep bbr
sudo sysctl net.ipv4.tcp_congestion_control | grep bbr
Other
- DD reinstall (reinstall the OS from a network installer script)
# Both scripts are fetched with TLS verification disabled and run as root; download and read them before running
# moeclub
bash <(wget --no-check-certificate -qO- 'https://raw.githubusercontent.com/MoeClub/Note/master/InstallNET.sh') -d 12 -v 64 -p '<password>' -port <port> -a -firmware
# leitbogioro
wget --no-check-certificate -qO InstallNET.sh 'https://raw.githubusercontent.com/leitbogioro/Tools/master/Linux_reinstall/InstallNET.sh' && chmod a+x InstallNET.sh && bash InstallNET.sh -debian 12 -pwd '<password>'
- fail2ban against SSH brute force
wget https://raw.githubusercontent.com/FunctionClub/Fail2ban/master/fail2ban.sh && bash fail2ban.sh 2>&1 | tee fail2ban.log
- Clean up logs
journalctl --vacuum-time=1d && journalctl --vacuum-size=1M && systemctl restart systemd-journald.service
- One-click overselling check (from a LOC forum thread)
wget --no-check-certificate -O memoryCheck.sh https://raw.githubusercontent.com/uselibrary/memoryCheck/main/memoryCheck.sh && chmod +x memoryCheck.sh && bash memoryCheck.sh
# Remove virtio_balloon (the balloon driver lets the hypervisor reclaim guest memory)
rmmod virtio_balloon
- Benchmark script
curl -L yabs.sh | bash
- Generate a self-signed certificate with openssl
openssl shell script:
#!/bin/sh
mkdir -p ssl
OUTPUT_FILENAME="example.com"
# Note: CA:true plus keyCertSign makes this a CA certificate; a plain server certificate would use CA:FALSE.
# The -newkey rsa:2048 on the command line overrides default_bits below.
printf "[req]
prompt = no
default_bits = 4096
default_md = sha256
encrypt_key = no
string_mask = utf8only
distinguished_name = cert_distinguished_name
req_extensions = req_x509v3_extensions
x509_extensions = req_x509v3_extensions

[ cert_distinguished_name ]
C = CN
ST = BJ
L = BJ
O = example.com
OU = example.com
CN = example.com

[req_x509v3_extensions]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,digitalSignature,keyCertSign,cRLSign #,keyEncipherment
extendedKeyUsage = critical,serverAuth #, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com
" > ssl/${OUTPUT_FILENAME}.conf
openssl req -x509 -newkey rsa:2048 -keyout ssl/$OUTPUT_FILENAME.key -out ssl/$OUTPUT_FILENAME.crt -days 3600 -nodes -config ssl/${OUTPUT_FILENAME}.conf
# Generate a private key with openssl
openssl genrsa -out server.key 2048
# Generate a certificate signing request (CSR) from the private key
openssl req -new -key server.key -out server.csr
# Sign the CSR with the private key to produce the certificate
openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650
- Get a free certificate with acme.sh
curl https://get.acme.sh | sh
#sudo apt install socat
#sudo setcap 'cap_net_bind_service=+ep' /usr/bin/socat
#acme.sh --issue -d example.eu.org -d *.example.eu.org --standalone
#acme.sh --issue -d example.eu.org -d *.example.eu.org --standalone --httpport 12345
- Streaming media unlock check
bash <(curl -L -s check.unlock.media)
- Docker
curl -sSL https://get.docker.com/ | sh
- Optional: change the default shell to fish
sudo apt install fish
chsh -s $(which fish)
- Probe (server status monitoring agent)
- Traffic statistics
sudo apt install -y vnstat