Notes on a clean Debian DD reinstall

L1
2022-07-29 / 0 comments / 0 likes / 58 reads / 781 words

debian

DD script (the two quoted arguments are placeholders: 你的ssh登陆密码 is the SSH login password you want, ssh端口 is the SSH port)

bash <(wget --no-check-certificate -qO- 'https://raw.githubusercontent.com/MoeClub/Note/master/InstallNET.sh') -d 11 -v 64 -p "你的ssh登陆密码" -port "ssh端口"

Switching mirrors

Only for servers located in the US, and only after the DD reinstall

sed -i 's|security.debian.org/debian-security|mirrors.ocf.berkeley.edu/debian-security|g' /etc/apt/sources.list
sed -i 's/deb.debian.org/mirrors.ocf.berkeley.edu/g' /etc/apt/sources.list
# deb http://mirrors.ocf.berkeley.edu/debian bullseye main

deb http://mirrors.ocf.berkeley.edu/debian bullseye main
deb-src http://mirrors.ocf.berkeley.edu/debian bullseye main

deb http://mirrors.ocf.berkeley.edu/debian-security bullseye-security main
deb-src http://mirrors.ocf.berkeley.edu/debian-security bullseye-security main

# bullseye-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://mirrors.ocf.berkeley.edu/debian bullseye-updates main
deb-src http://mirrors.ocf.berkeley.edu/debian bullseye-updates main

Update & upgrade

apt update && apt upgrade -y

Install packages

apt install curl wget vim git firewalld docker docker-compose rclone fuse pwgen sudo -y

Localisation

echo 'zh_CN.UTF-8 UTF-8'  >> /etc/locale.gen
locale-gen

echo 'LANG=en_US.UTF-8'  > /etc/locale.conf

hostnamectl set-hostname racknerd-debian11

Time zone

ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

BBR and ip_forward

echo "net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

sysctl -p

Start at boot

systemctl enable firewalld docker

reboot

firewalld + docker

Method found online:

systemctl stop docker

firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 \
  -m conntrack \
  --ctstate RELATED,ESTABLISHED -j ACCEPT \
  -m comment --comment 'Allow containers to connect to the outside world'
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 \
  -j RETURN \
  -s 172.17.0.0/16 \
  -m comment --comment 'allow internal docker communication'

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https

firewall-cmd --reload

firewall-cmd --direct --get-all-rules
firewall-cmd --direct --get-all-chains

systemctl start docker

My own test

After prefixing the Docker port mappings with the IP 172.17.0.1 and enabling firewalld, an nmap scan of the service ports shows them as filtered.
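A check to go with the firewalld + Docker section, added here as example code that is not from the post: Docker publishes a port on every interface unless the -p mapping names a host IP, which is why the post binds mappings to 172.17.0.1. The script below reads output in the shape of docker ps --format '{{.Names}} {{.Ports}}' and lists any container whose mapping is still published on 0.0.0.0 or ::: (all IPv4 / all IPv6). The sample docker ps output and container names are constructed.

```shell
#!/bin/sh
# Constructed sample of `docker ps --format '{{.Names}} {{.Ports}}'` output.
# Only "web" is published on all interfaces; the others are bound to a
# specific host address, as the post recommends.
SAMPLE_PS='web 0.0.0.0:8080->80/tcp, :::8080->80/tcp
db 172.17.0.1:5432->5432/tcp
cache 127.0.0.1:6379->6379/tcp
worker'

# Print the name (first field) of every container whose port list contains a
# mapping bound to 0.0.0.0 (all IPv4) or ::: (all IPv6). Reads docker ps
# output on stdin.
wide_open_containers() {
    awk '/0\.0\.0\.0:|:::/ { print $1 }'
}

# Return 0 when no container is published on all interfaces, 1 otherwise,
# naming the offenders so the -p mapping can be changed to
# 172.17.0.1:HOSTPORT:CONTAINERPORT (or 127.0.0.1:...) as in the post.
audit_published_ports() {
    found=$(wide_open_containers)
    if [ -n "$found" ]; then
        printf 'published on all interfaces: %s\n' "$found"
        return 1
    fi
    echo 'ok: every published port is bound to a specific host address'
    return 0
}

# Stand-alone demo on the constructed sample; on a real host replace the
# printf with: docker ps --format '{{.Names}} {{.Ports}}' | audit_published_ports
if printf '%s\n' "$SAMPLE_PS" | audit_published_ports; then
    echo 'nothing to fix'
else
    echo 'rebind the listed mappings to 172.17.0.1 or 127.0.0.1 and recreate the containers'
fi
```

Binding to 172.17.0.1 keeps the port reachable from other containers on the default bridge while firewalld decides what the outside world sees, which is what the nmap result above reflects.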

rclone + onedrive

mkdir -p /onedrive /docker .config/rclone

vim .config/rclone/rclone.conf

Paste in the contents of the rclone.conf generated on your own computer.

rclone mount onedrive:/ /onedrive --copy-links --no-gzip-encoding --no-check-certificate --allow-other --allow-non-empty --umask 000

The first onedrive is the remote name you set in rclone.conf, the / after it is the root of the cloud drive to mount (so every file on the drive is visible), and the third, /onedrive, is the mount point you chose on your server.

Add a user

# Generate a fully random 32-character password: -c capitals, -n digits, -y symbols, -B no ambiguous characters, -s secure, -1 one per line
pwgen -cnBys1 32

useradd -s /bin/bash username
passwd username	# set the user's password to the 32-character one generated by pwgen above

visudo: set the user up so it does not need to enter the root password

Under User Privilege Specification add the line vpsadmin ALL=(ALL) NOPASSWD: ALL and you are done

# Set a simple root password
passwd

sshd

vim /etc/ssh/sshd_config

# Change the ssh port and disable root login
Port xxxxx
PermitRootLogin no

# Restart sshd
systemctl restart sshd
# From the next login on, use the port and password set above

fail2ban

apt install fail2ban -y
systemctl enable --now fail2ban
fail2ban-client status sshd
vim /etc/fail2ban/jail.d/sshd.local

[sshd]
enabled   = true
filter    = sshd
banaction = iptables
backend   = systemd
maxretry  = 5
findtime  = 1d
bantime   = -1
ignoreip  = 127.0.0.1/8

systemctl restart fail2ban
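Two checks for the sshd and fail2ban steps, added here as example code that is not part of the post. fail2ban's stock [sshd] jail carries port = ssh, which resolves to 22 through /etc/services, so once sshd has been moved to Port xxxxx the iptables ban rule only covers port 22 unless the jail also gets a matching port = line. The script reads an sshd_config excerpt and the jail file and reports whether the jail's port matches sshd's and whether PermitRootLogin is no. The file contents below are constructed samples (port 23456 is a placeholder, not the post's value); on a real host feed it "$(cat /etc/ssh/sshd_config)" and "$(cat /etc/fail2ban/jail.d/sshd.local)".

```shell
#!/bin/sh
# Constructed sshd_config excerpt (sample data, not the post's real file).
SSHD_CONFIG_SAMPLE='# sshd_config excerpt
Port 23456
PermitRootLogin no
PasswordAuthentication yes'

# The post's jail as written: no "port =" line, so fail2ban falls back to
# the default "ssh" from jail.conf.
JAIL_SAMPLE='[sshd]
enabled   = true
filter    = sshd
banaction = iptables
backend   = systemd
maxretry  = 5
findtime  = 1d
bantime   = -1
ignoreip  = 127.0.0.1/8'

# Effective sshd port: the last uncommented "Port" directive (sshd keywords
# are case-insensitive), or 22 if none is set. Argument: file contents.
sshd_port() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "port" { port = $2 }
        END { print (port == "" ? 22 : port) }'
}

# Port the jail bans on: its "port =" value, or "ssh" (fail2ban default).
jail_port() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[[:space:]]*port[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); port = $2 }
        END { print (port == "" ? "ssh" : port) }'
}

# Return 0 when the jail bans the port sshd actually listens on, 1 otherwise.
# Arguments: sshd_config contents, jail file contents.
check_jail_covers_sshd() {
    sp=$(sshd_port "$1")
    jp=$(jail_port "$2")
    if [ "$jp" = "ssh" ]; then jp=22; fi   # "ssh" resolves to 22 via /etc/services
    if [ "$sp" = "$jp" ]; then
        echo "ok: jail bans on port $jp, sshd listens on $sp"
        return 0
    fi
    echo "mismatch: sshd listens on $sp but the jail bans port $jp; add 'port = $sp' under [sshd]"
    return 1
}

# Return 0 only when PermitRootLogin is explicitly set to "no".
root_login_disabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "permitrootlogin" { v = tolower($2) }
        END { exit (v == "no" ? 0 : 1) }'
}

# Stand-alone demo on the constructed samples.
if check_jail_covers_sshd "$SSHD_CONFIG_SAMPLE" "$JAIL_SAMPLE"; then
    echo 'fail2ban covers the sshd port'
fi
if root_login_disabled "$SSHD_CONFIG_SAMPLE"; then
    echo 'root login over ssh is disabled'
else
    echo 'PermitRootLogin is not "no"'
fi
```

With the post's jail and a custom Port the first check reports a mismatch; adding port = xxxxx (the same value as sshd's Port) to the [sshd] block and restarting fail2ban makes it pass.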

End of basic configuration
