A fresh walkthrough of my personal VPS clean install and environment setup

Preface

A re-organized record of the procedure I follow when a new VPS is opened, or when I intend to reconfigure an existing VPS environment. Kept as a personal backup only.

1. Reinstalling the system

1.1 Preparation before a dd reinstall

#Debian/Ubuntu:
apt-get update
apt-get install -y xz-utils openssl gawk file

#RedHat/CentOS:
yum update
yum install -y xz openssl gawk file

1.2 Reinstalling the system with dd

1.2.1 @coobar's foolproof one-click DD script (Linux + Windows)

##image file hosted on OneDrive
wget -N --no-check-certificate https://raw.githubusercontent.com/veip007/dd/master/dd-od.sh && chmod +x dd-od.sh && ./dd-od.sh

##image file hosted on Google Drive
wget -N --no-check-certificate https://raw.githubusercontent.com/veip007/dd/master/dd-gd.sh && chmod +x dd-gd.sh && ./dd-gd.sh

1.2.2 @dansnow's ultimate one-click reinstall script (Linux)

wget --no-check-certificate -O AutoReinstall.sh https://git.io/AutoReinstall.sh && bash AutoReinstall.sh

1.2.3 @Vicer's reinstall script (Linux + Windows)

CentOS 7

wget --no-check-certificate -qO InstallNET.sh 'https://moeclub.org/attachment/LinuxShell/InstallNET.sh' && bash InstallNET.sh -dd 'https://gd.b2fun.net/Mirror/dd/cxthhhhh/CentOS_7.X_NetInstallation.vhd.gz'

CentOS 8

wget --no-check-certificate -qO InstallNET.sh 'https://moeclub.org/attachment/LinuxShell/InstallNET.sh' && bash InstallNET.sh -dd 'https://gd.b2fun.net/Mirror/dd/cxthhhhh/CentOS_8.X_NetInstallation.vhd.gz'

Notes:

  • The CentOS 7/8 images were built by @MeowLove
  • User: root  Password: cxthhhhh.com

Debian

wget https://moeclub.org/attachment/LinuxShell/InstallNET.sh
chmod a+x InstallNET.sh
#Debian 9
bash InstallNET.sh -d 9 -v 64 -a --mirror 'http://mirrors.ustc.edu.cn/debian/'
#Debian 10
bash InstallNET.sh -d 10 -v 64 -a --mirror 'http://mirrors.ustc.edu.cn/debian/'

Notes:

  • User: root  Password: MoeClub.org

Usage:
        bash InstallNET.sh      -d/--debian [dist-name]
                                -u/--ubuntu [dist-name]
                                -c/--centos [dist-version]
                                -v/--ver [32/i386|64/amd64]
                                --ip-addr/--ip-gate/--ip-mask
                                -apt/-yum/--mirror
                                -dd/--image
                                -a/-m
# dist-name: release codename
# dist-version: release version number
# -apt/-yum/--mirror : use the specified mirror
# -a/-m : whether to ask before letting you enter VNC and operate manually. -a does not prompt (normally used for fully automatic installs), -m prompts.
##fully automatic install using the default mirror
bash InstallNET.sh -d 8 -v 64 -a

#fully automatic install using a custom mirror
bash InstallNET.sh -c 6.10 -v 64 -a --mirror 'http://mirror.centos.org/centos'

# In the examples below, replace x.x.x.x with your own network parameters.
# --ip-addr : IP address
# --ip-gate : gateway
# --ip-mask : netmask

#fully automatic install using a custom mirror
#bash InstallNET.sh -u 9 -v 64 -a --mirror 'http://mirrors.ustc.edu.cn/debian/'

#fully automatic install using a custom mirror and custom network parameters
#bash InstallNET.sh -u 16.04 -v 64 -a --ip-addr x.x.x.x --ip-gate x.x.x.x --ip-mask x.x.x.x --mirror 'http://archive.ubuntu.com/ubuntu'

#fully automatic dd install using custom network parameters
#bash InstallNET.sh --ip-addr x.x.x.x --ip-gate x.x.x.x --ip-mask x.x.x.x -dd 'https://moeclub.org/onedrive/IMAGE/Windows/win7emb_x86.tar.gz'

#fully automatic dd install, with custom network parameters, of an image stored on Google Drive (referenced by file ID)
#bash InstallNET.sh --ip-addr x.x.x.x --ip-gate x.x.x.x --ip-mask x.x.x.x -dd "https://image.moeclub.org/GoogleDrive/1cqVl2wSGx92UTdhOxU9pW3wJgmvZMT_J"

#fully automatic dd install, with custom network parameters, of an image stored on Google Drive
#bash InstallNET.sh --ip-addr x.x.x.x --ip-gate x.x.x.x --ip-mask x.x.x.x -dd "https://image.moeclub.org/GoogleDrive/1cqVl2wSGx92UTdhOxU9pW3wJgmvZMT_J"

#inside mainland China the USTC mirror is recommended
#--mirror 'http://mirrors.ustc.edu.cn/debian/'

#available image URLs
# Links containing /GoogleDrive/ are recommended; they are faster.
# You can also use an image stored in your own Google Drive; usage:
  https://image.moeclub.org/GoogleDrive/

# win7emb_x86.tar.gz:
  https://image.moeclub.org/GoogleDrive/1srhylymTjYS-Ky8uLw4R6LCWfAo1F3s7 
  https://moeclub.org/onedrive/IMAGE/Windows/win7emb_x86.tar.gz

# win8.1emb_x64.tar.gz:
  https://image.moeclub.org/GoogleDrive/1cqVl2wSGx92UTdhOxU9pW3wJgmvZMT_J
  https://moeclub.org/onedrive/IMAGE/Windows/win8.1emb_x64.tar.gz

# win10ltsc_x64.tar.gz:
  https://image.moeclub.org/GoogleDrive/1OVA3t-ZI2arkM4E4gKvofcBN9aoVdneh
  https://moeclub.org/onedrive/IMAGE/Windows/win10ltsc_x64.tar.gz
#Notes
#Default root password for fully automatic installs: MoeClub.org; change it immediately after installation
#Remote login account: Administrator, remote login password: Vicer
#It is recommended to set your own password by adding the parameter -p <password>

1.3 Changing the root password after the dd finishes

passwd root

Follow the prompt and enter the new password twice; note that nothing is echoed while you type.

2. Configuring the VPS

2.1 Switching to a Chinese locale

Switches the system to a Chinese locale; takes effect after reconnecting to the VPS.

#script written by the author of the 主机博客 blog
wget -N --no-check-certificate https://raw.githubusercontent.com/FunctionClub/LocaleCN/master/LocaleCN.sh && bash LocaleCN.sh

2.2 Installing BBR / BBR2 / 锐速 (LotServer) acceleration

#@悟雨's collection of bbr2/bbr/锐速 (LotServer) scripts
##keep the existing kernel:
wget -N --no-check-certificate "https://github.000060000.xyz/tcpx.sh" && chmod +x tcpx.sh && ./tcpx.sh
##or
wget -N "https://github.000060000.xyz/tcpx.sh" && chmod +x tcpx.sh && ./tcpx.sh
##remove the existing kernel:
wget -N --no-check-certificate "https://github.000060000.xyz/tcp.sh" && chmod +x tcp.sh && ./tcp.sh
##或
wget -N "https://github.000060000.xyz/tcp.sh" && chmod +x tcp.sh && ./tcp.sh

Follow the prompts to install the kernel, reboot, then enable the acceleration.
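Every one-click script on this page (sections 1.2, 2.1 and 2.2) is fetched with wget and executed in the same command, several of them with --no-check-certificate. The following is an added example, my own helper rather than code from the post or from any of the script authors: it downloads a script to a file, compares it against a SHA-256 digest recorded from a copy you have already read, and only then runs it. The URL and digest in the demo branch are placeholders; the post publishes no checksums, so the first digest has to be recorded by you.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post or the linked projects):
# fetch a one-click script to disk, verify a pinned SHA-256, then execute it.
set -eu

# sha256_of FILE: print the hex digest, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: succeed only on an exact digest match.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_script URL DEST: download to a file instead of piping straight into
# bash, so the content can be read and hashed before anything runs.
# TLS certificate checking stays on (no --no-check-certificate).
fetch_script() {
    wget -q -O "$2" "$1"
}

# run_verified_script FILE EXPECTED [args...]: refuse to run on a digest
# mismatch (returns 1 with a message on stderr); otherwise run the script
# with bash and return its exit status.
run_verified_script() {
    script=$1; expected=$2; shift 2
    if ! verify_sha256 "$script" "$expected"; then
        echo "refusing to run $script: SHA-256 $(sha256_of "$script") != $expected" >&2
        return 1
    fi
    bash "$script" "$@"
}

# Stand-alone usage with a placeholder URL and digest; guarded by --demo so
# nothing is downloaded when the file is merely sourced.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    fetch_script 'https://example.invalid/tcpx.sh' "$tmp"
    run_verified_script "$tmp" '<sha256 recorded from a copy you inspected>'
    rm -f "$tmp"
fi
```

The digest is only as good as the copy it was taken from: record it after reading the script once, and re-read before updating the pin when the upstream file changes.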

2.3 Installing the build toolchain

#RedHat/CentOS:
yum groupinstall "Development Tools"  -y

#Debian/Ubuntu:
apt-get install build-essential -y

2.4 Installing the Python version manager pyenv

Install the build dependencies

#Ubuntu/Debian:
apt-get install -y make build-essential libssl-dev zlib1g-dev libbz2-dev \
libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev \
xz-utils tk-dev libffi-dev liblzma-dev python-openssl git

#RedHat/CentOS:
yum install -y @development zlib-devel bzip2 bzip2-devel readline-devel sqlite \
sqlite-devel openssl-devel xz xz-devel libffi-devel findutils

Create the directory and install

mkdir ~/.pyenv
# https instead of git://, which GitHub no longer serves
git clone https://github.com/yyuu/pyenv.git ~/.pyenv

Configure the environment variables

echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(pyenv init -)"' >> ~/.bashrc
exec $SHELL -l

List all available versions

pyenv install --list

Install Python 3.8.2

pyenv install 3.8.2

Use it globally

pyenv global 3.8.2

Check the version

python --version
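The three echo >> ~/.bashrc commands above append their lines every time they are run, so repeating this section leaves duplicate exports in the shell startup file. Here is the same setup made re-runnable, as an added example that is not from the post or the pyenv project; the helper names are my own.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the post or pyenv): add the
# pyenv lines to a shell rc file only when they are not already present.
set -eu

# ensure_line FILE LINE: append LINE to FILE unless an identical line exists.
# grep -x matches whole lines and -F takes the pattern literally, so the
# "$PYENV_ROOT" and "$(...)" inside the lines are not read as regex syntax.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# configure_pyenv_shell RCFILE: the three lines from the post, added idempotently.
configure_pyenv_shell() {
    rc=$1
    ensure_line "$rc" 'export PYENV_ROOT="$HOME/.pyenv"'
    ensure_line "$rc" 'export PATH="$PYENV_ROOT/bin:$PATH"'
    ensure_line "$rc" 'eval "$(pyenv init -)"'
}

# count_line FILE LINE: number of identical copies of LINE in FILE (0 if none).
count_line() {
    grep -cxF -- "$2" "$1" || true
}

# Apply to the real rc file and reload the shell, as the post does, only when
# --apply is given; otherwise the functions are just defined.
if [ "${1:-}" = "--apply" ]; then
    configure_pyenv_shell "$HOME/.bashrc"
    exec "$SHELL" -l
fi
```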

3. Security configuration

3.1 Disabling root password login and logging in with an SSH key

Generate an SSH key

ssh-keygen -t rsa

The terminal prompts, with suggested responses, are as follows

Enter file in which to save the key (/root/.ssh/id_rsa): #recommended: press Enter to use the default path
Enter passphrase (empty for no passphrase): #enter a passphrase (or press Enter to leave it empty)
Enter same passphrase again: #repeat the passphrase

Import the key file

cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

Display the private key, then copy and paste it into a new text file (with no file extension), saved as id_rsa in UTF-8 encoding, so that you are not locked out once root password login is disabled.

cat /root/.ssh/id_rsa

Alternatively, log in with a tool such as Xftp or WinSCP and copy /root/.ssh/id_rsa out directly.

Notes:
Two files are generated under /root/.ssh/: id_rsa is the private key and id_rsa.pub is the public key. Keep the private key safe on your local machine (local, local, local!); lose it and you cannot get into the server. Safety first: it is best to delete the private key from the server. The public key can be shared freely.

Edit /etc/ssh/sshd_config to disable root password login and enable SSH key authentication.

#this is one single command; copy it into the terminal and run it
#EOF is quoted so the shell does not expand the $OpenBSD on the next line before writing the file
cat > /etc/ssh/sshd_config <<'EOF'
#  $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
# variable in  /etc/sysconfig/sshd  to overwrite the policy.
# For more information, see manual page for update-crypto-policies(8).

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# root may still log in, but only with a key once PasswordAuthentication is set to no further down
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile    .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
#PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
# RHEL/CentOS path; Debian and Ubuntu ship sftp-server at /usr/lib/openssh/sftp-server
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#  X11Forwarding no
#  AllowTcpForwarding no
#  PermitTTY no
#  ForceCommand cvs server

#disable root password login, enable key login
#RSAAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PubkeyAuthentication yes
PasswordAuthentication no
EOF

Notes:

@edisonchen: the "RSAAuthentication yes" option has already been removed in Debian 9, Ubuntu 18.04 and CentOS 7, so newer systems do not need it.

After editing, restart the SSH service.

#CentOS
service sshd restart
#Debian/Ubuntu
service ssh restart
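The heredoc above replaces the whole sshd_config with a CentOS template, so its Subsystem line carries the RHEL sftp-server path, and it depends on sshd's first-match rule working out: sshd uses the first value it reads for each keyword, and the appended PasswordAuthentication no only takes effect because every earlier PasswordAuthentication line in the template is commented. The following is an added example, not code from the post: it edits the distribution's own file in place, writes each directive where it is guaranteed to win, reports the values sshd will actually use, and refuses the restart when no public key is installed. The helper names, the constructed sample config and the choice of PermitRootLogin prohibit-password (stricter than the post's yes: root keeps key login but has no password or keyboard-interactive path) are my own.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the post): apply the post's
# key-only login settings to an existing sshd_config instead of replacing it.
set -eu

# set_sshd_option FILE KEY VALUE
#   Remove every active KEY line that sits before the first Match block, then
#   write "KEY VALUE" at the top of the file. sshd takes the first value it
#   reads for a keyword, and lines after a Match block belong to that block,
#   so the top of the file is the one place a global setting always wins.
#   Commented-out lines are left untouched.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" '
        /^[[:space:]]*Match[[:space:]]/ { in_match = 1 }
        !in_match && $1 !~ /^#/ && tolower($1) == tolower(key) { next }
        { print }
    ' "$file" > "$tmp"
    { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$file"
    rm -f "$tmp"
}

# effective_value FILE KEY: the value sshd will use for KEY in the global
# section (first active occurrence before any Match block), or nothing.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*Match[[:space:]]/ { exit }
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE: keep a backup, then set the directives from the
# post's final block plus prohibit-password for root (key login only).
harden_sshd_config() {
    file=$1
    cp -p "$file" "$file.bak"
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PermitRootLogin prohibit-password
}

# preflight_check FILE KEYS_FILE: return non-zero before a restart that would
# lock you out: no public key installed, or sshd rejects the new config.
preflight_check() {
    file=$1; keys=$2
    if ! grep -Eqs '^(ssh-|ecdsa-|sk-)' "$keys"; then
        echo "no public key in $keys; keep password login until one is installed" >&2
        return 1
    fi
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$file"
    fi
}

# write_sample_config FILE: a constructed stand-in for a distro default
# sshd_config, so the functions can be exercised without touching /etc/ssh.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real distribution file
#Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
#PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User anoncvs
  PasswordAuthentication yes
  X11Forwarding no
EOF
}

# Stand-alone demo on the constructed sample (run with --demo). For a real host:
#   harden_sshd_config /etc/ssh/sshd_config
#   preflight_check /etc/ssh/sshd_config /root/.ssh/authorized_keys && service sshd restart
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    write_sample_config "$sample"
    harden_sshd_config "$sample"
    for k in PermitRootLogin PasswordAuthentication PubkeyAuthentication; do
        printf '%s -> %s\n' "$k" "$(effective_value "$sample" "$k")"
    done
    rm -f "$sample" "$sample.bak"
fi
```

Keep the current session open until a second, key-based login has succeeded; the .bak copy written by harden_sshd_config is what you restore from that session if it does not.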

From now on, logging into the terminal requires SSH key authentication (the screenshot shows XShell).

Next comes installing the 宝塔 (BT) panel, changing the SSH port, rclone, fail2ban (after installing 宝塔 these can be picked from its app store and configured through the GUI; or see my earlier articles), and so on.
