#!/bin/bash
#
# Linux Server Init Script
# 一键初始化 Linux 服务器(Debian/Ubuntu)
# 功能:系统更新、防火墙、SSH加固、fail2ban、常用工具、swap、BBR
#
# 用法:curl -sL https://raw.githubusercontent.com/devguoo/linux-server-init/main/init.sh | bash
# 或:bash init.sh [--timezone Asia/Shanghai] [--ssh-port 22222] [--no-swap] [--no-bbr]
#
# GitHub: https://github.com/devguoo/linux-server-init
# 更多VPS教程: https://www.world-best-vps.com/guide.html
set -e
# ========== 颜色定义 ==========
# ANSI colour escapes, stored in their backslash form and interpreted at
# print time (echo -e / printf %b). NC restores the terminal default.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'
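# info MSG — print an informational line (blue tag) to stdout.
# The colour codes go through %b (escape interpretation), the message through
# %s, so a message containing "%" or a backslash is printed verbatim instead
# of being interpreted as it was with echo -e.
info() { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$1"; }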
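# ok MSG — print a success line (green check mark) to stdout.
# Colour via %b, message via %s so arbitrary message text is never treated
# as a format string or as escape sequences.
ok() { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$1"; }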
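# warn MSG — print a warning line (yellow tag) to stderr.
# Diagnostics go to stderr so they are not mixed into anything capturing the
# script's stdout; message text is printed verbatim via %s.
warn() { printf '%b[!]%b %s\n' "$YELLOW" "$NC" "$1" >&2; }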
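# err MSG — print an error line (red cross) to stderr.
# Same contract as warn: colour via %b, message verbatim via %s, on stderr.
err() { printf '%b[✗]%b %s\n' "$RED" "$NC" "$1" >&2; }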
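# ========== 参数解析 ==========
# Defaults; each can be overridden by the matching command-line option.
TIMEZONE="Asia/Shanghai"
SSH_PORT="22"
ENABLE_SWAP=true
ENABLE_BBR=true
while [[ $# -gt 0 ]]; do
  case "$1" in
    --timezone|--ssh-port)
      # Both options take a value. Refuse a missing one explicitly: the old
      # loop read "$2" unconditionally, so a trailing "--ssh-port" left the
      # port empty and only surfaced later as a broken sshd_config.
      if [[ $# -lt 2 ]]; then
        err "选项 $1 需要参数"
        exit 1
      fi
      if [[ $1 == --timezone ]]; then
        TIMEZONE="$2"
      else
        SSH_PORT="$2"
      fi
      shift 2
      ;;
    --no-swap) ENABLE_SWAP=false; shift ;;
    --no-bbr) ENABLE_BBR=false; shift ;;
    *)
      # Unknown words were dropped silently before; say so, because a typo in
      # an option name would otherwise keep the default without any notice.
      warn "忽略未知参数: $1"
      shift
      ;;
  esac
done
# SSH_PORT is written into sshd_config, the ufw rule and the fail2ban jail
# below, so reject anything that is not a plain TCP port number up front.
# "10#" forces decimal so a value like "08" is not parsed as (invalid) octal.
if ! [[ $SSH_PORT =~ ^[0-9]{1,5}$ ]] || (( 10#$SSH_PORT < 1 || 10#$SSH_PORT > 65535 )); then
  err "无效的 SSH 端口: $SSH_PORT(需为 1-65535 的整数)"
  exit 1
fi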
# ========== Root 检查 ==========
# Everything below writes under /etc and restarts services, so stop here
# unless the effective uid is root.
if (( EUID != 0 )); then
  err "请使用 root 用户运行此脚本"
  exit 1
fi
# Banner and a summary of the effective settings before anything is changed.
printf '\n'
printf '%b========================================%b\n' "$GREEN" "$NC"
printf '%b Linux Server Init Script v1.0%b\n' "$GREEN" "$NC"
printf '%b========================================%b\n' "$GREEN" "$NC"
printf '\n'
info "时区: $TIMEZONE | SSH端口: $SSH_PORT"
info "Swap: $ENABLE_SWAP | BBR: $ENABLE_BBR"
printf '\n'
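# ========== 1. 系统更新 ==========
info "正在更新系统包..."
# Suppress dpkg/debconf prompts for the whole run.
export DEBIAN_FRONTEND=noninteractive
# apt-get has a stable CLI intended for scripts (apt warns that its own is
# not). The two steps are run separately with explicit error handling: in
# "a && b" set -e does not abort on a failing "a", so a failed index refresh
# used to let the script carry on against stale package lists unnoticed.
apt-get update -qq || { err "apt-get update 失败"; exit 1; }
apt-get upgrade -y -qq || { err "apt-get upgrade 失败"; exit 1; }
ok "系统更新完成"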
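# ========== 2. 安装常用工具 ==========
info "安装常用工具..."
# Package list as an array: easy to extend, and passed as separate words
# regardless of IFS.
TOOL_PKGS=(htop vim curl git wget unzip net-tools
  lsof tree tmux ncdu iftop dnsutils software-properties-common)
# apt output is still discarded, but a failure now names itself instead of
# ending the script silently through set -e.
if ! apt-get install -y -qq "${TOOL_PKGS[@]}" > /dev/null 2>&1; then
  err "常用工具安装失败,请检查 apt 源后重试"
  exit 1
fi
ok "常用工具安装完成"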
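# ========== 3. 配置时区 ==========
info "设置时区为 $TIMEZONE..."
# Validate against the zoneinfo database first (and refuse path components
# that escape it): the ln fallback below would otherwise create a dangling
# /etc/localtime for a mistyped zone without any error.
if [[ $TIMEZONE == *..* || ! -f "/usr/share/zoneinfo/$TIMEZONE" ]]; then
  err "未知时区: $TIMEZONE"
  exit 1
fi
# timedatectl keeps systemd in sync; fall back to the symlink where it is
# unavailable. The zone is quoted so the path never word-splits.
timedatectl set-timezone "$TIMEZONE" 2>/dev/null \
  || ln -sf "/usr/share/zoneinfo/$TIMEZONE" /etc/localtime
ok "时区设置完成: $(date)"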
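# ========== 4. UFW 防火墙 ==========
info "配置 UFW 防火墙..."
apt-get install -y -qq ufw > /dev/null 2>&1 || { err "ufw 安装失败"; exit 1; }
ufw default deny incoming > /dev/null 2>&1
ufw default allow outgoing > /dev/null 2>&1
# The SSH rule is the one that must not fail silently: enabling a
# default-deny firewall without it would cut off every future session, so
# abort before "ufw enable" if ufw rejects the rule.
if ! ufw allow "${SSH_PORT}/tcp" > /dev/null 2>&1; then
  err "无法放行 SSH 端口 $SSH_PORT,已中止,防火墙未启用"
  exit 1
fi
ufw allow 80/tcp > /dev/null 2>&1
ufw allow 443/tcp > /dev/null 2>&1
# --force answers ufw's "may disrupt existing ssh connections" prompt,
# replacing the earlier echo "y" pipe.
ufw --force enable > /dev/null 2>&1
ok "UFW 防火墙已启用(开放端口: $SSH_PORT, 80, 443)"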
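# ========== 5. SSH 加固 ==========
info "加固 SSH 配置..."
SSHD_CONFIG="/etc/ssh/sshd_config"
# Backup path computed once so the restore below refers to the same file
# even if the date changes mid-run.
SSHD_BACKUP="${SSHD_CONFIG}.bak.$(date +%Y%m%d)"
cp "$SSHD_CONFIG" "$SSHD_BACKUP"

# set_sshd_option KEY VALUE — rewrite an existing (possibly commented-out)
# "KEY ..." line in sshd_config, or insert "KEY VALUE" at the top of the
# file when the key is absent. The previous in-place sed did nothing for a
# missing key, which for Port meant the requested port was never applied.
# Inserting at line 1 (rather than appending) keeps the directive out of any
# trailing "Match" block, where e.g. Port is not permitted.
set_sshd_option() {
  local key=$1 value=$2
  if grep -Eq "^#?${key} " "$SSHD_CONFIG"; then
    sed -i "s/^#\?${key} .*/${key} ${value}/" "$SSHD_CONFIG"
  else
    sed -i "1i ${key} ${value}" "$SSHD_CONFIG"
  fi
}

# 修改端口
set_sshd_option Port "$SSH_PORT"
# 禁用密码登录(确保已配置密钥后再启用)
# set_sshd_option PasswordAuthentication no
# 禁用 root 密码登录
set_sshd_option PermitRootLogin prohibit-password
# 禁用空密码
set_sshd_option PermitEmptyPasswords no
# 限制最大尝试次数
set_sshd_option MaxAuthTries 3

# NOTE(review): on releases whose sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf", a drop-in there can take
# precedence over values rewritten in place above (sshd uses the first
# match) — confirm the effective settings with `sshd -T` after the run.

# Never restart on a configuration sshd itself rejects: a failed restart
# leaves no listening daemon and, with the firewall already enabled, no
# way back in. Restore the backup and stop instead.
if ! sshd -t; then
  err "sshd 配置校验失败,已还原备份 $SSHD_BACKUP,未重启 sshd"
  cp "$SSHD_BACKUP" "$SSHD_CONFIG"
  exit 1
fi
systemctl restart sshd
ok "SSH 已加固(端口: $SSH_PORT, 禁止空密码, 最多3次尝试)"
warn "密码登录暂未禁用,请先配置 SSH 密钥后手动禁用"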
# ========== 6. fail2ban ==========
info "安装配置 fail2ban..."
apt install -y -qq fail2ban > /dev/null 2>&1
# jail.local overrides jail.conf; every line is literal fail2ban syntax
# except the port, which is interpolated from the script's SSH_PORT.
printf '%s\n' \
  '[DEFAULT]' \
  'bantime = 3600' \
  'findtime = 600' \
  'maxretry = 5' \
  'backend = systemd' \
  '[sshd]' \
  'enabled = true' \
  "port = $SSH_PORT" \
  'filter = sshd' \
  'logpath = /var/log/auth.log' \
  'maxretry = 3' \
  'bantime = 7200' \
  > /etc/fail2ban/jail.local
# Enable at boot, then restart so the new jail file is picked up now.
systemctl enable fail2ban > /dev/null 2>&1
systemctl restart fail2ban
ok "fail2ban 已配置(SSH 3次失败封禁2小时)"
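# ========== 7. Swap ==========
if [[ $ENABLE_SWAP == true ]]; then
  MEM_MB=$(free -m | awk '/^Mem:/{print $2}')
  # Guard the numeric comparison: an empty or unexpected value from free
  # would otherwise be a shell error inside the condition rather than a
  # clearly reported skip.
  if ! [[ $MEM_MB =~ ^[0-9]+$ ]]; then
    warn "无法读取内存大小,跳过 swap 配置"
  elif (( MEM_MB < 2048 )) && [[ ! -f /swapfile ]]; then
    info "内存 ${MEM_MB}MB < 2GB,配置 1GB swap..."
    # fallocate is fast but not usable for swap on every filesystem; fall
    # back to dd rather than aborting the whole run there.
    if ! fallocate -l 1G /swapfile 2>/dev/null; then
      dd if=/dev/zero of=/swapfile bs=1M count=1024 status=none
    fi
    # Swap files must not be world-readable.
    chmod 600 /swapfile
    mkswap /swapfile > /dev/null
    swapon /swapfile
    # Idempotent appends: a re-run (e.g. after a manual swapoff + rm) must
    # not duplicate the fstab or sysctl entries.
    grep -q '^/swapfile ' /etc/fstab \
      || echo '/swapfile none swap sw 0 0' >> /etc/fstab
    grep -q '^vm.swappiness=10$' /etc/sysctl.conf 2>/dev/null \
      || echo 'vm.swappiness=10' >> /etc/sysctl.conf
    sysctl -p > /dev/null 2>&1
    ok "Swap 已配置(1GB, swappiness=10)"
  else
    ok "内存 ${MEM_MB}MB >= 2GB 或 swap 已存在,跳过"
  fi
fi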
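# ========== 8. BBR ==========
if [[ $ENABLE_BBR == true ]]; then
  info "开启 BBR 加速..."
  # Persist the module for the next boot...
  if ! grep -q "tcp_bbr" /etc/modules-load.d/modules.conf 2>/dev/null; then
    echo "tcp_bbr" >> /etc/modules-load.d/modules.conf
  fi
  # ...and load it now: on kernels that build BBR as a module the sysctl
  # below is rejected until the module is present, which is why the old
  # flow usually ended in the "reboot required" warning. A built-in BBR
  # makes modprobe a no-op or a harmless failure, hence "|| true".
  modprobe tcp_bbr 2>/dev/null || true
  if ! grep -q "net.core.default_qdisc" /etc/sysctl.conf; then
    echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
  fi
  sysctl -p > /dev/null 2>&1
  # Report what the kernel actually uses, not what was written to the file.
  if sysctl net.ipv4.tcp_congestion_control 2>/dev/null | grep -q bbr; then
    ok "BBR 加速已开启"
  else
    warn "BBR 需要重启后生效"
  fi
fi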
# ========== 完成 ==========
# Closing banner, a recap of the applied settings and the follow-up steps
# the operator still has to do by hand.
printf '\n'
printf '%b========================================%b\n' "$GREEN" "$NC"
printf '%b ✓ 服务器初始化完成!%b\n' "$GREEN" "$NC"
printf '%b========================================%b\n' "$GREEN" "$NC"
printf '\n'
info "SSH 端口: $SSH_PORT"
info "防火墙: UFW 已启用"
info "fail2ban: 已运行"
info "时区: $TIMEZONE"
printf '\n'
warn "重要提醒:"
warn "1. 请配置 SSH 密钥后禁用密码登录"
warn "2. 如果修改了 SSH 端口,请确保新端口可连接后再断开当前会话"
printf '\n'
info "更多 VPS 教程: https://www.world-best-vps.com/guide.html"
printf '\n'