Three years on from 2017, I have bought and used well over ten VPSes, and every new one needs the same initial setup, which is tedious. So I have recently been writing a one-click script that installs and configures everything I need in one go. The script isn't finished yet, so for now I am recording all of the initialization steps here, both for my own reference and as a starting point for others.
Initial package updates and installation
yum install nano git
yum update
SSH settings
First open sshd_config:
nano /etc/ssh/sshd_config
Uncomment the Port 22 line, then add a line Port 1022 below it. Save and exit. (Keeping the explicit Port 22 matters: once any Port directive is set, sshd no longer falls back to the default of 22, so without it you would be left with only the new port before you have confirmed that it works.)
Then restart sshd:
systemctl restart sshd
Now connect with your SSH client to the port you chose (1022 in my case) from a second session, keeping the current one open. If that works, repeat the steps above and comment out the Port 22 line, so that port 22 is no longer exposed. This mostly removes the automated scanner noise against the default port; it is not a substitute for key-based authentication. If you cannot connect, check the port settings in your provider's control panel (security group), firewalld on the host, and SELinux, which on CentOS 7 stops sshd from binding a non-standard port until that port has been labelled ssh_port_t with semanage.
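Since the point of this page is to fold these steps into a one-click script, here is how the port change above can be done idempotently from a script instead of by hand in nano. This is an added example of mine, not code from the post or from OpenSSH: the helper names (add_sshd_port, remove_sshd_port, set_sshd_option, sshd_ports) are my own, the config path is a parameter so the functions can be exercised on a copy, and it also covers switching off password authentication, which the post does not do and which must only happen after a key is installed.

```bash
#!/bin/bash
# Added example (not the post's script): idempotent sshd_config edits for the
# port change described above. FILE is a path argument so this can be tested on
# a copy; on a real host it is /etc/ssh/sshd_config.

# Make "Port N" live in FILE: uncomment an existing "#Port N" line if there is
# one, otherwise append the line. Does nothing if "Port N" is already live.
add_sshd_port() {
    file="$1" port="$2"
    if grep -Eq "^[[:space:]]*#[[:space:]]*Port[[:space:]]+$port[[:space:]]*$" "$file"; then
        sed -E -i "s/^[[:space:]]*#[[:space:]]*(Port[[:space:]]+$port)[[:space:]]*$/\1/" "$file"
    elif ! grep -Eq "^[[:space:]]*Port[[:space:]]+$port[[:space:]]*$" "$file"; then
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# Comment out a live "Port N" line. Run this for 22 only after a login on the
# new port has been confirmed from a second session.
remove_sshd_port() {
    file="$1" port="$2"
    sed -E -i "s/^[[:space:]]*(Port[[:space:]]+$port[[:space:]]*)$/#\1/" "$file"
}

# Set a single-valued option: replace a live or commented-out ("#Key ...")
# line if present, otherwise append "Key Value". Not for Port, which may
# legitimately appear several times.
set_sshd_option() {
    file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -E -i "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the ports sshd will listen on according to FILE, space separated,
# in file order; "22" if no Port directive is set (sshd's default).
sshd_ports() {
    awk '$1 == "Port" { printf "%s%s", (c++ ? " " : ""), $2 } END { print (c ? "" : "22") }' "$1"
}

# Intended sequence on a real host (needs root; left commented out here):
#   add_sshd_port /etc/ssh/sshd_config 22
#   add_sshd_port /etc/ssh/sshd_config 1022
#   semanage port -a -t ssh_port_t -p tcp 1022        # SELinux (CentOS 7)
#   firewall-cmd --permanent --add-port=1022/tcp && firewall-cmd --reload
#   sshd -t && systemctl restart sshd                   # validate before restart
#   ... confirm login on 1022 from a second session, then:
#   remove_sshd_port /etc/ssh/sshd_config 22
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no   # only once a key works
```

sshd -t is the check to run before every restart: a typo in sshd_config otherwise leaves you with a dead daemon and, once port 22 is gone, no way back in except the provider's console.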
Security settings
Create a directory /root/AutoTasks and in it a new script named auto_block_failed_ip.sh. It scans /var/log/secure for failed SSH logins and adds repeat offenders to /etc/hosts.deny. Note that this relies on sshd honouring hosts.deny through TCP wrappers, which is the case on CentOS 7; RHEL/CentOS 8 and later dropped TCP wrappers support, so there the file has no effect and a firewall rule is needed instead.
Put the following in the script:
#!/bin/bash
# Collect the source IPs of failed SSH logins from /var/log/secure with their
# counts, one "IP=COUNT" per line. The IP is the 4th field from the end of a
# "Failed password for USER from IP port N ssh2" line.
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}' > /usr/local/bin/black.list
while IFS='=' read -r IP NUM
do
    # Only block sources with 10 or more failures (adjust the threshold to taste)
    if [ "$NUM" -ge 10 ]; then
        # -F: literal match (dots are not wildcards); -q: quiet. Skip IPs already listed.
        if ! grep -qF "sshd:$IP:deny" /etc/hosts.deny; then
            echo "sshd:$IP:deny" >> /etc/hosts.deny
        fi
    fi
done < /usr/local/bin/black.list
Save and exit, then make the script executable:
chmod +x auto_block_failed_ip.sh
crontab -e
# then add the following line
0 * * * * /bin/bash /root/AutoTasks/auto_block_failed_ip.sh
# adjust the path to wherever you put the script
# This runs once an hour, on the hour, and blocks IPs with repeated failed logins (0 0 * * * would run it once a day at midnight instead)
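To see the detection logic above actually run, here is the same count-then-deny pipeline as two shell functions fed with constructed sample lines in /var/log/secure format (not real log data). This is my added example, not the post's script or fail2ban: failed_ips takes an explicit threshold instead of relying on the digit-count trick, finds the address as the token after "from" so lines for invalid users and ordinary users are handled alike, and deny_lines matches hosts.deny entries literally and whole-line so an entry for 203.0.113.1 does not suppress a block on 203.0.113.10.

```bash
#!/bin/bash
# Added example, not the post's script: count failed SSH logins per source IP
# from sshd log lines, then emit hosts.deny entries for repeat offenders.
# The log lines below are constructed samples in /var/log/secure format.

SAMPLE_LOG='Mar  1 10:00:01 vps sshd[1001]: Failed password for root from 203.0.113.10 port 51000 ssh2
Mar  1 10:00:02 vps sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 51001 ssh2
Mar  1 10:00:03 vps sshd[1003]: Failed password for root from 203.0.113.10 port 51002 ssh2
Mar  1 10:00:04 vps sshd[1004]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar  1 10:00:05 vps sshd[1005]: Accepted publickey for deploy from 192.0.2.5 port 30000 ssh2'

# Read sshd log lines on stdin; print "IP COUNT" (sorted by IP) for every
# source with at least THRESHOLD failed password attempts. The IP is the token
# after "from", which works for both "for USER from IP" and
# "for invalid user USER from IP" lines, unlike a fixed $(NF-3) field index.
failed_ips() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "") failed[ip]++
        }
        END { for (ip in failed) if (failed[ip] >= threshold) print ip, failed[ip] }
    ' | sort
}

# Read "IP COUNT" lines on stdin; print a hosts.deny line for each IP that is
# not already present in DENYFILE. -x (whole line) and -F (literal) stop
# 203.0.113.1 from "matching" 203.0.113.10 and stop dots acting as wildcards.
deny_lines() {
    denyfile="$1"
    while read -r ip count; do
        if ! grep -qxF "sshd:$ip:deny" "$denyfile" 2>/dev/null; then
            printf 'sshd:%s:deny\n' "$ip"
        fi
    done
}

# Dry run on the sample: prints what would be appended to /etc/hosts.deny.
# On a real host (as root):
#   failed_ips 10 < /var/log/secure | deny_lines /etc/hosts.deny | tee -a /etc/hosts.deny
printf '%s\n' "$SAMPLE_LOG" | failed_ips 3 | deny_lines /etc/hosts.deny
```

With the sample above and a threshold of 3, only 203.0.113.10 is reported; the single failure from 198.51.100.7 and the successful key login from 192.0.2.5 are ignored.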
Installing acme.sh
curl https://get.acme.sh | sh
Then run the following commands:
# Replace your.site.name below with your domain name.
# The installer puts acme.sh under ~/.acme.sh; call it by that path (or log in again so the alias it adds is available). Webroot issuance needs the directory to already be served over plain HTTP on port 80, so run this once Caddy from the next two sections is up. Newer acme.sh releases default to ZeroSSL rather than Let's Encrypt; add --server letsencrypt if you want the latter.
~/.acme.sh/acme.sh --issue -d your.site.name --webroot /var/www/speedtest
mkdir -p /root/cert/sites/your.site.name
~/.acme.sh/acme.sh --install-cert -d your.site.name \
--fullchain-file /root/cert/sites/your.site.name/your.site.name.crt \
--key-file /root/cert/sites/your.site.name/your.site.name.key \
--reloadcmd "systemctl restart trojan && systemctl restart caddy"
# acme.sh remembers the install paths and the reloadcmd and reruns them after every automatic renewal, so trojan and caddy pick up the new certificate without further work.
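Because the reloadcmd above restarts trojan and caddy on every renewal, a bad install (stale key, wrong path, world-readable key) takes both proxies down. Here is the pre-reload check I would put in front of the restart; it is an added example of mine, not part of acme.sh or the post, and the names check_cert_install, cert_key_match, cert_valid_for_days and key_mode_ok are my own. It only needs the openssl command and works on any certificate/key pair.

```bash
#!/bin/bash
# Added example (not part of acme.sh or the post): sanity checks to run before
# the reloadcmd restarts trojan and caddy. Paths are arguments; on the host
# they would be the .crt and .key written by acme.sh --install-cert above.

# Succeeds if the certificate's public key matches the private key (a mismatch
# is what you get when --install-cert points at a stale file).
cert_key_match() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 2
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid DAYS days from now
# (openssl -checkend exits non-zero once expiry falls inside the window).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the private key is readable by its owner only (-rw------- or
# -r--------); ls -l is used so this stays portable across stat variants.
key_mode_ok() {
    case "$(ls -ld "$1")" in
        -r??------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined pre-reload check: key matches cert, cert outlives the next day,
# key is not world readable.
check_cert_install() {
    cert_key_match "$1" "$2" && cert_valid_for_days "$1" 1 && key_mode_ok "$2"
}

# Usage: this-script CRT KEY; exit status 0 means it is safe to restart.
if [ "$#" -eq 2 ]; then
    check_cert_install "$1" "$2"
fi
```

Saved as, for example, /root/cert/check.sh (a path of my choosing), it slots into the command above as --reloadcmd "/root/cert/check.sh CRT KEY && systemctl restart trojan && systemctl restart caddy", so the services are only bounced when the newly installed files are consistent.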
Preparing for Caddy
Create a new directory and clone the speedtest page into it. The clone lands in /var/www/speedtest, which is the webroot used for acme.sh above and in the Caddyfile below, so change into it before renaming the files:
mkdir -p /var/www
cd /var/www
git clone https://github.com/librespeed/speedtest
cd speedtest
mv example-singleServer-pretty.html index.html
rm -rf example-*
If you want a real speed-test server rather than just the page, see my other article on that.
Installing Caddy
Check the official install script and instructions; what follows is only the official guidance at the time of writing.
yum install yum-plugin-copr
yum copr enable @caddy/caddy
yum install caddy
Create a Caddyfile:
nano /etc/caddy/Caddyfile
# paste the following
:80 {
    root * /var/www/speedtest
    file_server
    reverse_proxy /mineray localhost:8888
}
# Binding :80 with no hostname keeps Caddy from obtaining its own certificate or redirecting to HTTPS: TLS on 443 belongs to trojan, which hands non-trojan connections to this plain-HTTP site. The reverse_proxy on /mineray passes the WebSocket upgrade through to the V2Ray inbound configured below; the path is arbitrary but must match wsSettings.path there.
Start Caddy:
systemctl enable caddy
systemctl start caddy
# you can check that it started with
systemctl status caddy
Installing V2Ray
bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)
# install the latest released geoip.dat and geosite.dat
bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-dat-release.sh)
Configuration:
nano /usr/local/etc/v2ray/config.json
# Paste the following and replace the id under clients with your own UUID. Generate it locally (for example from /proc/sys/kernel/random/uuid, or with uuidgen) rather than on a website: it is the client credential.
# Notes on the config: the inbound listens only on 127.0.0.1 and is reached through Caddy's reverse_proxy on /mineray, which must match wsSettings.path. alterId 0 selects VMess AEAD authentication; the non-zero alterId used when this was first written is the legacy authentication that current v2fly releases no longer accept by default. The blackhole outbound tagged "blocked" is what the private-address routing rule sends traffic to; without an outbound carrying that tag the rule would fall through to the default freedom outbound instead of dropping the traffic.
{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "port": 8888,
      "listen": "127.0.0.1",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "fa3caf94-7fd1-4cae-bf99-7c3f64dfe5bf",
            "level": 1,
            "alterId": 0
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "path": "/mineray"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    },
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "blocked"
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "ip": [
          "0.0.0.0/8",
          "10.0.0.0/8",
          "100.64.0.0/10",
          "127.0.0.0/8",
          "169.254.0.0/16",
          "172.16.0.0/12",
          "192.0.0.0/24",
          "192.0.2.0/24",
          "192.168.0.0/16",
          "198.18.0.0/15",
          "198.51.100.0/24",
          "203.0.113.0/24",
          "::1/128",
          "fc00::/7",
          "fe80::/10"
        ],
        "outboundTag": "blocked"
      }
    ]
  }
}
systemctl enable v2ray
systemctl start v2ray
# you can check that it started with
systemctl status v2ray
Installing Trojan
Check the official tutorial for installation; what follows is only the official installation guidance at the time of writing.
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/trojan-gfw/trojan-quickstart/master/trojan-quickstart.sh)"
Configuration:
nano /usr/local/etc/trojan/config.json
# Paste the following. Replace the passwords with your own long random strings (one per client, generated with openssl rand or similar, never the placeholders) and point cert and key at the files written by acme.sh --install-cert above, i.e. /root/cert/sites/your.site.name/your.site.name.crt and .key. Trojan terminates TLS on 443; a connection that does not authenticate with one of the passwords is forwarded to remote_addr:remote_port, i.e. Caddy on 127.0.0.1:80, so anyone probing the port sees the ordinary speedtest site.
{
  "run_type": "server",
  "local_addr": "0.0.0.0",
  "local_port": 443,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "password": [
    "password1",
    "password2"
  ],
  "log_level": 1,
  "ssl": {
    "cert": "/path/to/certificate.crt",
    "key": "/path/to/private.key",
    "key_password": "",
    "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
    "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
    "prefer_server_cipher": true,
    "alpn": [
      "http/1.1"
    ],
    "alpn_port_override": {
      "h2": 81
    },
    "reuse_session": true,
    "session_ticket": false,
    "session_timeout": 600,
    "plain_http_response": "",
    "curves": "",
    "dhparam": ""
  },
  "tcp": {
    "prefer_ipv4": false,
    "no_delay": true,
    "keep_alive": true,
    "reuse_port": false,
    "fast_open": false,
    "fast_open_qlen": 20
  },
  "mysql": {
    "enabled": false,
    "server_addr": "127.0.0.1",
    "server_port": 3306,
    "database": "trojan",
    "username": "trojan",
    "password": "",
    "key": "",
    "cert": "",
    "ca": ""
  }
}
systemctl enable trojan
systemctl start trojan
# you can check that it started with
systemctl status trojan
Enabling BBR
See this article for background. BBR needs a 4.9 or newer kernel, which the stock CentOS 7 kernel (3.10) does not have, so a mainline kernel from ELRepo is installed first. The signing key is imported before the release package so that rpm can verify the package; the release RPM version in the URL changes over time, so check elrepo.org for the current one.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y
rpm -qa | grep kernel
# The next command lists the GRUB menu entries; note the position of the new kernel, counting from 0, and pass it to grub2-set-default (the newest kernel is normally entry 0)
egrep ^menuentry /etc/grub2.cfg | cut -f 2 -d \'
grub2-set-default 0
# reboot here, then confirm with uname -r that the new kernel is running before continuing
sudo modprobe tcp_bbr
echo "tcp_bbr" | sudo tee --append /etc/modules-load.d/modules.conf
echo "net.core.default_qdisc=fq" | sudo tee --append /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee --append /etc/sysctl.conf
sudo sysctl -p
# The three commands below check whether BBR is enabled: the first should list bbr among the available algorithms, the second should print bbr, and the third should show the tcp_bbr module loaded
sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control
lsmod | grep bbr