Ugh. I seem to migrate about once a year, so to avoid rebuilding the site environment by hand every time I move to a new VPS, I finally made the hard decision to record the basic VPS setup and site-environment build steps in detail on the blog. Until now I kept them in Evernote, but those notes got too messy, so I am consolidating them here for future reference.
This article uses CentOS 7 and Ubuntu 16.04 as examples.
cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
The VPS specs are:
- 1024 MB RAM
- 1 CPU (1x priority)
- 50 GB Storage
- 2 Mbps Bandwidth
- 1 ipv4
- No proxy services may be hosted
1. Basic Setup
Logging in to the VPS
First find your VPS's IP address in the provider's control panel, then log in with the password you set there:
ssh root@103.251.90.140
The first thing to do after logging in is to change the root password the provider assigned:
passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Installing Software Updates
# centos
yum update
# ubuntu
apt-get update
apt-get upgrade
# Ubuntu: full upgrade, which may add or remove packages to resolve dependencies (apt-get upgrade never does)
apt-get dist-upgrade
Setting the Hostname
echo "HOSTNAME=sobird" >> /etc/sysconfig/network
hostname "sobird"
# or (the hostname command only changes the running system; on CentOS 7 and Ubuntu 16.04 the persistent name is read from /etc/hostname at boot)
vi /etc/hostname
Setting the Timezone
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
2. Securing Your Server
Changing the root password
passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
# already done above, can be skipped
Adding a New User
adduser sobird
passwd sobird
# give sobird sudo rights (on CentOS adduser is just a link to useradd, so the separate passwd step above is required; Ubuntu's adduser asks for the password itself)
visudo
Add the following line (visudo checks the syntax before saving; editing /etc/sudoers with plain vi can leave a broken file that locks everyone out of sudo):
sobird ALL=(ALL) ALL
Using SSH Key Pair Authentication
By default we log in over ssh with a password, but a key pair is more secure: the private key replaces the password, and a 4096-bit key cannot be guessed or brute-forced the way a password can.
ssh-keygen -b 4096
If ~/.ssh/id_rsa already exists on the client, there is no need to generate another; use it directly.
Send the client's id_rsa.pub to the VPS:
scp ~/.ssh/id_rsa.pub sobird@103.251.90.140:~/.ssh/authorized_keys
This copies the key straight onto authorized_keys, so it overwrites any keys already there and fails if ~/.ssh does not exist yet on the server. sshd also ignores the file unless ~/.ssh is mode 700, authorized_keys is mode 600, and both are owned by the user.
Configure the SSH server to accept key logins:
vi /etc/ssh/sshd_config
Uncomment the following lines:
RSAAuthentication yes # CentOS 7 no longer has this option (it was protocol-1 only and was removed in OpenSSH 7.4); leave it out there
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Restart sshd (on CentOS the service is sshd; on Ubuntu 16.04 it is ssh, so use sudo service ssh restart there):
sudo service sshd restart
Log in again over ssh:
ssh sobird@103.251.90.140
If you get in without being asked for a password, key authentication is working and password login can be disabled. Keep this session open and test every further change from a second terminal, so a mistake in sshd_config cannot lock you out.
PasswordAuthentication no
# disallow root login over SSH
PermitRootLogin no
Restart sshd again, then confirm from a second terminal that a password login is refused and the key login still works:
sudo service sshd restart
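The key installation and sshd_config changes above, done as one idempotent script that can be re-run on every new VPS. This is an added example and not code from the original post; it assumes a Linux host with GNU sed and awk, the function names are chosen here, and the sshd_config, home directory and public key it runs on are constructed for the demo. It also turns off ChallengeResponseAuthentication, which the steps above leave open: with it enabled, sshd can still accept a keyboard-interactive password prompt after PasswordAuthentication is set to no.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Linux host with GNU
# sed/awk; the sample sshd_config, home directory and public key below are
# constructed for the demo.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Creates HOME_DIR/.ssh (0700) and appends the key to authorized_keys (0600)
# unless it is already present. Unlike scp'ing onto authorized_keys directly,
# this keeps existing keys and works when ~/.ssh does not exist yet.
install_authorized_key() {
  home=$1; pubkey=$2
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  if ! grep -qxF "$(cat "$pubkey")" "$home/.ssh/authorized_keys"; then
    printf '%s\n' "$(cat "$pubkey")" >> "$home/.ssh/authorized_keys"
  fi
}

# set_sshd_option FILE KEY VALUE
# Rewrites every "KEY ..." line, commented out or not, as "KEY VALUE", or
# appends the directive if FILE never mentions it. Writes via a temp file so
# a failed sed leaves the original untouched.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
    sed -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# sshd_option FILE KEY
# Prints the effective value (last uncommented occurrence; empty if unset),
# which is what to check before restarting sshd.
sshd_option() {
  awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# harden_sshd_config FILE
# Key-only authentication, no root over SSH. Only run this after a key login
# has succeeded in a second terminal, with the first session left open.
harden_sshd_config() {
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" AuthorizedKeysFile .ssh/authorized_keys
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
  set_sshd_option "$1" PermitRootLogin no
}

# Demo on constructed data (a throwaway sshd_config, home dir and placeholder key):
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY sobird@laptop\n' > "$demo/id.pub"
install_authorized_key "$demo/home" "$demo/id.pub"
harden_sshd_config "$demo/sshd_config"
cat "$demo/sshd_config"
# On a real host, as root, validate before restarting so a bad directive
# cannot lock you out:
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```

Running it against the real config is the commented line at the end: sshd -t parses the file and exits non-zero on any bad directive, so the restart only happens when the new config is loadable. Check the result with sshd_option before closing the old session.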
Configuring the firewall
Check the VPS's current firewall configuration; with no rules loaded it looks like this (every chain is empty with policy ACCEPT, i.e. everything is allowed in):
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Create the firewall rules file
sudo vi /etc/iptables.firewall.rules
Enter the following rules:
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
The rules above allow inbound traffic only to HTTP (80), HTTPS (443), SSH (22) and ping; everything else inbound is logged (rate-limited to 5 entries per minute) and dropped. If you moved SSH to another port in sshd_config, change the --dport 22 line first or you will lock yourself out.
Apply the rules
sudo iptables-restore < /etc/iptables.firewall.rules
Rules loaded this way live only in the kernel and are gone after a reboot; persist them with the iptables-persistent package on Ubuntu or iptables-services on CentOS 7 (where firewalld, the default front end on CentOS 7, must be disabled first, since the two fight over the same tables).
Check again (the chain policies are still ACCEPT; the final DROP rule is what provides the default deny):
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
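The same ruleset generated from parameters rather than typed by hand, with two things a practitioner usually wants on top: the SSH port taken from one variable so it cannot drift from the Port in sshd_config, and a per-source rate limit on new SSH connections using the xt_recent match. This is an added example, not code from the original post; gen_firewall_rules and apply_firewall_rules are names chosen here, it assumes iptables with the conntrack and recent modules (both present on CentOS 7 and Ubuntu 16.04), and the demo writes to a temp file.

```shell
#!/bin/sh
# Added example, not from the original post. gen_firewall_rules prints an
# iptables-restore ruleset in the same layout as /etc/iptables.firewall.rules
# above, parametrised on the SSH port (must match Port in sshd_config) and the
# public TCP ports, and adds a per-source rate limit on new SSH connections.
# apply_firewall_rules parse-checks the file before loading it.

# gen_firewall_rules SSH_PORT "TCP_PORT ..."
gen_firewall_rules() {
  ssh_port=$1
  tcp_ports=$2
  printf '%s\n' '*filter' \
    '# loopback in, and reject anything else claiming to be 127/8' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -d 127.0.0.0/8 -j REJECT' \
    '# replies to connections this host opened' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A OUTPUT -j ACCEPT'
  for p in $tcp_ports; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
  done
  # SSH: a source that opens a 5th new connection within 60 s is dropped
  # (xt_recent). Earlier attempts still reach sshd, so key-only auth above
  # remains the real control; this only blunts password-guessing noise.
  printf '%s\n' \
    "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --set --name SSH" \
    "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP" \
    "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT" \
    '-A INPUT -p icmp -j ACCEPT' \
    '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7' \
    '-A INPUT -j DROP' \
    '-A FORWARD -j DROP' \
    'COMMIT'
}

# apply_firewall_rules FILE (run as root)
# Parse-check the ruleset first so a typo does not leave the host with a
# half-applied table. Loading is not persistent across reboots: save with
# iptables-save (iptables-persistent on Ubuntu, iptables-services on CentOS 7
# with firewalld disabled).
apply_firewall_rules() {
  iptables-restore --test < "$1" && iptables-restore < "$1"
}

# Demo: SSH moved to 2222, web ports open; writes a temp file and prints it.
out=$(mktemp)
gen_firewall_rules 2222 "80 443" > "$out"
cat "$out"
# As root:  apply_firewall_rules "$out"
```

The comment lines are legal in an iptables-restore file, so the generated output can be saved straight to /etc/iptables.firewall.rules. The three --dport lines for SSH must stay in that order: --set records the source, --update drops on the fifth hit inside 60 seconds, and only then is the connection accepted.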
ufw
The raw Linux firewall tool iptables is cumbersome, so Ubuntu ships ufw, a front end built on top of iptables. On Ubuntu it is the more convenient way to configure the firewall (it is not installed by default on CentOS 7, which uses firewalld instead).
Check the version
ufw version
ufw 0.35
Copyright 2008-2015 Canonical Ltd.
Adding rules
Rules can be added in two ways: by port number or by service name (names are resolved from /etc/services).
SSH
# allow any external IP to reach local port 22/tcp (ssh)
ufw allow ssh
# or
ufw allow 22
HTTP(S)
ufw allow 80
ufw allow 443
Other rule examples:
# allow one IP to reach every local port
ufw allow from 192.168.1.100
# allow connections from a whole subnet
ufw allow from 198.51.100.0/24
# allow UDP on port 1725
ufw allow 1725/udp
# refuse external access to smtp
ufw deny smtp
# remove the rule that allowed port 80
ufw delete allow 80
Enable (ufw's default policy denies incoming and allows outgoing, so make sure the SSH rule above is in place before enabling, or the current session will be the last one that gets in)
ufw enable
Disable
ufw disable
Status (ufw status verbose also shows the default policies)
ufw status
Since VPS offerings change and servers get upgraded, this article will be updated from time to time.