创建一个新的linux服务器安装步骤

从17年开始三年了,购买使用了不下十台vps,每次购买新的vps之后都需要对他进行初始化设置,很是繁琐,所以最近在写一个一键脚本,这样可以一键安装并设置所有需要的软件,方便了许多。目前脚本还没有完成,所以我先把初始化的这些步骤全部记录下来,既是方便自己,也可以为大家提供一份参考。

前期重要软件更新与安装

# Base tooling (editor + git) followed by a full package update.
# Neither command passes -y, so both stop and ask for confirmation.
yum install nano git
yum update

ssh设置

首先打开sshd_config

nano /etc/ssh/sshd_config

image-20201229204345469

首先将Port 22取消注释,然后添加一行 Port 1022。保存退出

再将sshd服务重启。

systemctl restart sshd

这时候使用ssh连接工具连接你设置的端口(我的是1022),如果成功连接,则可以重复上述步骤将Port 22一行注释掉,这样22端口就不会再暴露出来,在一定程度上提高安全性。如果不能连接,可以去服务器提供商的控制面板看看有没有端口开放设置。

安全设置

创建一个名为AutoTasks的目录,在其中新建一个脚本,名称为auto_block_failed_ip.sh

脚本内添加如下内容:

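#!/bin/bash
# Block source addresses with repeated failed SSH logins via TCP wrappers.
#
# Reads /var/log/secure, counts lines containing "Failed" per source address,
# writes the counts to /usr/local/bin/black.list as ADDRESS=COUNT, and appends
# "sshd:ADDRESS:deny" to /etc/hosts.deny for every address with a count of 10
# or more that is not already listed there.
#
# Meant to run as root from cron. Kept POSIX-sh compatible because the cron
# entry in this guide invokes it through /bin/sh. Only effective where sshd
# honours /etc/hosts.deny (tcp_wrappers support); tools such as fail2ban do
# the same job with log-format awareness and automatic expiry of bans.

log_file=/var/log/secure
list_file=/usr/local/bin/black.list
deny_file=/etc/hosts.deny
threshold=10  # block at a two-digit failure count

if [ ! -r "$log_file" ]; then
  printf '%s: cannot read %s\n' "$0" "$log_file" >&2
  exit 1
fi

# $(NF-3) assumes the line shape "... Failed password for [invalid user] X
# from ADDRESS port N ssh2"; other lines containing "Failed" may put something
# else in that field, so the count is sanity-checked below before use.
awk '/Failed/{print $(NF-3)}' "$log_file" | sort | uniq -c \
  | awk '{print $2"="$1}' > "$list_file"

while IFS='=' read -r addr count; do
  [ -n "$addr" ] || continue
  case $count in
    ''|*[!0-9]*) continue ;;  # not a plain number: skip the entry
  esac
  [ "$count" -ge "$threshold" ] || continue
  # -F: match the address literally (as a regex, '.' would match any char).
  # -w: whole word, so 1.2.3.4 does not match an existing 1.2.3.45 entry.
  # A missing deny file just means "not listed yet"; the append creates it.
  if ! grep -qFw -- "$addr" "$deny_file" 2>/dev/null; then
    printf 'sshd:%s:deny\n' "$addr" >> "$deny_file"
  fi
done < "$list_file"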

保存退出

chmod +x auto_block_failed_ip.sh

将脚本添加可执行权限。

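crontab -e
# then add the following line
# (the script has a bash shebang, so run it with bash rather than /bin/sh)
0 * * * * /bin/bash /root/AutoTasks/auto_block_failed_ip.sh
# adjust the path to wherever you created the script
# Runs at minute 0 of every hour and blocks addresses with repeated failed
# logins; use "0 0 * * *" instead if you only want it once a day at midnight.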

安装acme.sh

curl  https://get.acme.sh | sh

执行下面的命令:

# Replace your.site.name below with your own domain.
# NOTE(review): "./acme.sh" assumes the current directory is the acme.sh
# install directory (by default ~/.acme.sh); otherwise use the full path.
# The --webroot challenge needs a web server already serving
# /var/www/speedtest on port 80 — caddy is only set up later in this guide,
# so either issue the certificate after caddy is running or use another mode.
./acme.sh --issue -d your.site.name --webroot /var/www/speedtest

mkdir -p /root/cert/sites/your.site.name

# Copy the issued certificate and key to fixed paths (these are the paths to
# put into the trojan config later) and restart both services on renewal.
# Keep the key file readable only by the account the services run under.
./acme.sh --install-cert -d your.site.name \
--fullchain-file      /root/cert/sites/your.site.name/your.site.name.crt  \
--key-file       /root/cert/sites/your.site.name/your.site.name.key  \
--reloadcmd "systemctl restart trojan && systemctl restart caddy"

安装caddy前的准备

创建一个新目录:

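# Create the web root and fetch the librespeed front-end into it.
mkdir -p /var/www
cd /var/www || exit 1
git clone https://github.com/librespeed/speedtest
# The clone lands in /var/www/speedtest; the example files live there, not
# in /var/www, so change into it before renaming and cleaning up.
cd speedtest || exit 1
mv example-singleServer-pretty.html index.html
rm -f -- example-*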

如果想要真正的测速服务器,请参考我的这篇文章

安装caddy

请查看官方脚本进行设置。如下只是本文写成时官方的操作指南。

# Enable the caddy COPR repository and install caddy from it
# (this is the upstream procedure at the time of writing; check the
# official docs for the current one).
yum install yum-plugin-copr
yum copr enable @caddy/caddy
yum install caddy

创建一个Caddyfile

# Open the Caddyfile and paste the site block shown below.
nano /etc/caddy/Caddyfile
# paste the following content
# Plain-HTTP site: serves the speedtest page and forwards /mineray to the
# local v2ray websocket inbound (127.0.0.1:8888).
# NOTE(review): ":80" binds every interface, so /mineray is reachable without
# TLS as well as via trojan's fallback to 127.0.0.1:80. The acme.sh webroot
# challenge used earlier needs port 80 reachable from the internet, so weigh
# that before narrowing this to 127.0.0.1:80.
:80 {
  root * /var/www/speedtest
  file_server
  reverse_proxy /mineray localhost:8888
}

启动caddy

# Start caddy now and at every boot.
systemctl enable caddy
systemctl start caddy
# check that it started cleanly
systemctl status caddy

安装V2RAY

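# Fetch both helper scripts to disk and inspect them before running them,
# instead of executing the download directly; -f stops curl from handing an
# HTTP error page to bash.
curl -fsSL -o install-release.sh https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh
curl -fsSL -o install-dat-release.sh https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-dat-release.sh
# installs v2ray
bash install-release.sh
# installs the latest released geoip.dat and geosite.dat
bash install-dat-release.sh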

脚本设置:

# Open the v2ray config and paste the JSON below.
# The inbound listens on 127.0.0.1:8888 only and is reached through caddy's
# /mineray reverse_proxy, so it is not exposed directly.
# NOTE(review): the routing rule sends private/reserved ranges to
# outboundTag "blocked", but the only outbound (freedom) carries no tag;
# add an outbound such as {"protocol": "blackhole", "tag": "blocked"} or the
# rule has nothing to route to — confirm against the v2ray docs.
nano /usr/local/etc/v2ray/config.json
# paste the following, replacing the id under clients with your own UUID
# (one can be generated at https://www.uuidgenerator.net/)
{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "port": 8888,
      "listen": "127.0.0.1",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "fa3caf94-7fd1-4cae-bf99-7c3f64dfe5bf",
            "level": 1,
            "alterId": 64
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "path": "/mineray"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ],
  "routing": {
    "strategy": "rules",
    "settings": {
      "rules": [
        {
          "type": "field",
          "ip": [
            "0.0.0.0/8",
            "10.0.0.0/8",
            "10.0.0.0/8",
            "100.64.0.0/10",
            "127.0.0.0/8",
            "169.254.0.0/16",
            "172.16.0.0/12",
            "192.0.0.0/24",
            "192.0.2.0/24",
            "192.168.0.0/16",
            "198.18.0.0/15",
            "198.51.100.0/24",
            "203.0.113.0/24",
            "::1/128",
            "fc00::/7",
            "fe80::/10"
          ],
          "outboundTag": "blocked"
        }
      ]
    }
  }
}
# Start v2ray now and at every boot.
systemctl enable v2ray
systemctl start v2ray
# check that it started cleanly
systemctl status v2ray

安装 Trojan

请查阅官方教程进行安装,如下只是本文写成时官方的安装指南

sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/trojan-gfw/trojan-quickstart/master/trojan-quickstart.sh)"

脚本设置:

# Open the trojan config and paste the JSON below.
# The passwords are the only client authentication, so replace both
# placeholders. "cert"/"key" should point at the files written by the
# acme.sh --install-cert step (/root/cert/sites/your.site.name/...).
# Traffic that is not a trojan session is forwarded to remote_addr:remote_port,
# i.e. caddy on 127.0.0.1:80.
nano /usr/local/etc/trojan/config.json
# paste the following, setting your own passwords and certificate paths
{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "password1",
        "password2"
    ],
    "log_level": 1,
    "ssl": {
        "cert": "/path/to/certificate.crt",
        "key": "/path/to/private.key",
        "key_password": "",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
        "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
        "prefer_server_cipher": true,
        "alpn": [
            "http/1.1"
        ],
        "alpn_port_override": {
            "h2": 81
        },
        "reuse_session": true,
        "session_ticket": false,
        "session_timeout": 600,
        "plain_http_response": "",
        "curves": "",
        "dhparam": ""
    },
    "tcp": {
        "prefer_ipv4": false,
        "no_delay": true,
        "keep_alive": true,
        "reuse_port": false,
        "fast_open": false,
        "fast_open_qlen": 20
    },
    "mysql": {
        "enabled": false,
        "server_addr": "127.0.0.1",
        "server_port": 3306,
        "database": "trojan",
        "username": "trojan",
        "password": "",
        "key": "",
        "cert": "",
        "ca": ""
    }
}
# Start trojan now and at every boot.
systemctl enable trojan
systemctl start trojan
# check that it started cleanly
systemctl status trojan

启用bbr

参考这篇文章

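# Import the ELRepo signing key so rpm can verify the package signature,
# then fetch the repo package over https (same transport as the key) rather
# than plain http.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
# Mainline kernel from ELRepo (BBR is in mainline since 4.9).
yum --enablerepo=elrepo-kernel install kernel-ml -y
rpm -qa | grep kernel
# List the GRUB entries and pick the index of the new kernel; numbering
# starts at 0 (grep replaces the deprecated egrep).
grep '^menuentry' /etc/grub2.cfg | cut -f 2 -d "'"
grub2-set-default 0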

# 这里reboot

# Load the BBR module now and make it load at boot, then switch the default
# qdisc and congestion control and apply the sysctl settings.
# "tee --append" adds a duplicate line every time this is re-run; check the
# files before repeating the step.
sudo modprobe tcp_bbr
echo "tcp_bbr" | sudo tee --append /etc/modules-load.d/modules.conf
echo "net.core.default_qdisc=fq" | sudo tee --append /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee --append /etc/sysctl.conf
sudo sysctl -p

# The next three commands check whether BBR is available, selected and loaded.
sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control
lsmod | grep bbr

最后重启即可。