Difference between revisions of "Debian服务器初始化" (Debian server initialization)

From the linux中国网 wiki
 
(52 intermediate revisions by the same user not shown)
第1行: 第1行:
 +
 +
[[Salt-ssh批量初始化机器]]
 +
[https://debian-handbook.info/browse/zh-CN/stable/sect.how-to-migrate.html Debian 管理员手册]
 +
=os install=
 +
有时候会出现 select  and install software  等等几个小时的情况 应该是不要选择mirrors就好了 安装后再自己加
 +
 +
debian 系统老旧版本iso下载 good
 +
 +
https://cdimage.debian.org/cdimage/archive
 +
 +
这里我们发现,在默认情况下,对于此处的每个发行版,他们将所有映像保留为jigdo格式,以节省空间和下载时间。但是保留每个系列的最新版本的ISO映像。
 +
首先在Who are we?找到我们需要的版本,这里我直接下载ISO映像,所以我选择了Debian8系列的最新版本8.10.0
 +
选择amd64
 +
 
= os init=  
 
= os init=  
 +
Gentoo Linux 手册 非常有学习的价值
 +
 +
[[容器初始化]]
 
== change sources ==
 
== change sources ==
 +
==if docker==
 +
[[利用Dockerfile修改容器中的apt源(debian源)]]
 +
===11 ===
 +
<pre>
 +
cat /etc/apt/sources.list
 +
 +
deb http://mirrors.huaweicloud.com/debian/ bullseye main
 +
deb-src http://mirrors.huaweicloud.com/debian/ bullseye main
 +
 +
 +
 +
or
 +
 +
 +
 +
deb http://mirrors.aliyun.com/debian/ bullseye main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ bullseye main non-free contrib
 +
deb http://mirrors.aliyun.com/debian-security bullseye/updates main
 +
deb-src http://mirrors.aliyun.com/debian-security bullseye/updates main
 +
deb http://mirrors.aliyun.com/debian/ bullseye-updates main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ bullseye-updates main non-free contrib
 +
deb http://mirrors.aliyun.com/debian/ bullseye-backports main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ bullseye-backports main non-free contrib
 +
 +
</pre>
 +
 
===10源===
 
===10源===
 
<pre>
 
<pre>
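Review bot: In the "11" block, the two debian-security lines use the suite `bullseye/updates`, which is the Debian 10 and earlier naming; from bullseye on the security suite is called `bullseye-security`, so as written these entries will not deliver security updates. Suggest `deb http://mirrors.aliyun.com/debian-security bullseye-security main` with the matching deb-src line. The huaweicloud variant above it lists only `bullseye main`, with no security or updates suite at all, which deserves a comment if it is intentional.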
第25行: 第68行:
 
deb http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib
 
deb http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib
 
deb-src http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib ' >sources.list
 
deb-src http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib ' >sources.list
 +
</pre>
 +
 +
== ssh config==
 +
<pre>
 +
 +
openssh
 +
 +
apt-get install openssh-client openssh-server
 +
这个要先安装 不然自启动会不成功
 +
 +
如何激活服务并在启动时启用或禁用服务(即系统启动时自动启动服务)
 +
# systemctl is-active ssh.service
 +
systemctl enable ssh.service
 +
# systemctl disable ssh.service
 +
 +
 +
 +
echo "ssh-rsa AAAAB3NzaC you_prk_key root@ops
 +
"  >> /root/.ssh/authorized_keys
 +
 +
sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
 +
 +
sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
 +
sed -i "s/^#PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
 +
 +
systemctl restart sshd
 +
#service  sshd restart
 +
 +
补充
 +
服务端
 +
chown -R 0700  ~/.ssh
 +
chown -R 0644  ~/.ssh/authorized_keys
 +
 +
客户端改一下
 +
chmod 600 id_rsa
 +
 
</pre>
 
</pre>
  
 
==常用软件==
 
==常用软件==
 
<pre>
 
<pre>
 +
 +
#alias
 +
cp /etc/profile  /etc/profile_bak
 +
echo "alias ll='ls $LS_OPTIONS -l'" >>/etc/profile  &&  source /etc/profile
 +
 +
 
useradd -d /data/evan  -s /bin/bash -m  evan
 
useradd -d /data/evan  -s /bin/bash -m  evan
 
数m表示如果该目录不存在,则创建该目录
 
数m表示如果该目录不存在,则创建该目录
  
  
apt install net-tools vim  build-essential dnsutils screen -y #dig dnsutils  
+
apt install net-tools procps  rsync wget  w3m    vim  build-essential gcc  dnsutils tmux  curl sudo lsb-release  iotop software-properties-common -y   # 说明 dig dnsutils   firewalld  screen 暂时不要
 +
 
 +
 
 +
#troubleshooting  163的源可能有问题
 +
build-essential
 +
 
 +
perl : Depends: perl-base (= 5.32.1-4) but 5.32.1-4+deb11u1 is to be installed
 +
E: Unable to correct problems, you have held broken packages.
 +
 
  
 
#全面的开发工具
 
#全面的开发工具
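Review bot: The two server-side permission lines in the ssh config block call `chown -R 0700 ~/.ssh` and `chown -R 0644 ~/.ssh/authorized_keys`; chown reads the number as an owner ID, not a mode, so these should be `chmod`. In the same hunk, the line `echo "alias ll='ls $LS_OPTIONS -l'"` expands `$LS_OPTIONS` at the moment it is written because of the double quotes; escape the dollar sign if the variable is meant to be evaluated at login.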
第39行: 第132行:
  
  
#ps  
+
#ps 说明
 
apt install procps
 
apt install procps
  
 +
mariadb-client
  
 
安装Fail2Ban
 
安装Fail2Ban
 +
 +
 +
#安装上传rz、下载sz工具
 +
sudo apt-get install lrzsz
 
  </pre>
 
  </pre>
  
第50行: 第148行:
  
 
[[Debian配置iptables]]
 
[[Debian配置iptables]]
 +
 +
=时间同步=
 +
<pre>
 +
UTC时区切换到CST 时区
 +
 +
#用这个啦
 +
# 设置亚洲时区  tzselect 有时不准
 +
timedatectl set-timezone Asia/Shanghai
 +
# 启用NTP同步 #关闭是 false
 +
timedatectl set-ntp yes
 +
 +
 +
#有效果  2021
 +
echo "export TZ='Asia/Shanghai'"  >> /etc/profile 
 +
cat /etc/profile |grep TZ 
 +
source /etc/profile
 +
 +
date -R  #时区查看
 +
date
 +
Sat Aug 19 17:03:17 CST 2017
 +
 +
 +
校正日期和时间  linux256
 +
 +
cp /usr/share/zoneinfo/Asia/ShangHai  /etc/localtime    #时区为亚洲/上海
 +
# 网络校时
 +
apt-get install ntpdate
 +
ntpdate 210.72.145.44        # 中国国家时间服务器: 210.72.145.44
 +
 +
# 手动校时
 +
sudo date -s 11/13/2019                #2019年11月13日
 +
sudo date -s 10:05:30                  #10点05分30秒
 +
 +
</pre>
 +
 +
=security=
 +
==ufw==
 +
 +
==firewalld==
 +
这个不错,ufw 用得少,用这个更加统一  May  23  2022
 +
 +
详情可见 [[Centos7 debian firewalld防火墙基础]]
 +
 +
[https://computingforgeeks.com/how-to-install-and-configure-firewalld-on-debian/ How To Install and Configure Firewalld on Debian 10]
 +
 +
[https://ywnz.com/linuxaq/5495.html 在Debian 10(Buster)上安装和配置Firewalld]
 +
 +
= 优化optimize=
 +
 +
[https://www.cnblogs.com/coding-my-life/p/11220989.html  debian设置limits.conf]
 +
 +
[https://github.com/mostamazing/mostamazing/issues/28  linux 里ulimit永久生效设置(debian9 64]
 +
 +
=9 update to 10=
 +
  sudo apt dist-upgrade -y #在之前改成 10的源
 +
 +
在QCLOUD上升级失败了  可以试一下他们自己的源
 +
https://mirrors.cloud.tencent.com/debian/dists/
 +
 +
https://cloud.tencent.com/developer/article/1473368
 +
 +
=故障=
 +
==报错1 ==
 +
<pre>
 +
Reading package lists...
 +
E: Release file for http://mirrors.ustc.edu.cn/debian/dists/stretch-updates/InRelease is expired (invalid since 69d 5h 56min 7s). Updates for this repository will not be applied.
 +
E: Release file for http://mirrors.ustc.edu.cn/debian/dists/stretch-backports/InRelease is expired (invalid since 69d 5h 56min 7s). Updates for this repository will not be applied.
 +
E: Release file for http://mirrors.ustc.edu.cn/debian-security/dists/stretch/updates/InRelease is expired (invalid since 66d 14h 56min 48s). Updates for this repository will not be applied.
 +
ERROR: Service 'php-worker' failed to build: The command '/bin/sh -c apt-get  update' returned a non-zero code: 100
 +
</pre>
 +
 +
 +
==处理 ==
 +
<pre>
 +
###########################################################################
 +
# Crontab
 +
###########################################################################
 +
RUN rm -f /etc/apt/sources.list
 +
RUN rm -f /etc/apt/sources.list.d/buster.list
 +
COPY  sources.list /etc/apt/
 +
RUN apt -o Acquire::Check-Valid-Until=false update
 +
 +
RUN  apt-get  update 
 +
RUN  apt-get clean
 +
RUN  apt-get install -y apt-transport-https
 +
RUN  apt install -y cron vim
 +
RUN ["service","cron","start"]
 +
 +
 +
cat php-worker/sources.list
 +
 +
deb http://deb.debian.org/debian stretch main
 +
 +
</pre>
 +
 +
==报错2 ==
 +
Error message “sudo: unable to resolve host (none)”
 +
 +
That /etc/hosts has an entry for localhost. It should have something like:
 +
 +
127.0.0.1    localhost.localdomain localhost
 +
127.0.1.1    you-hostname
  
 
=参考=
 
=参考=
 +
 +
[https://blog.chaos.run/dreams/ubuntu-server-starting-settings/index.html Debian服务器的初始化配置-Google Authenticator]
 +
 +
[https://www.debian.cn/archives/2880  Debian 安装 fail2ban 方式SSH爆破攻击]
  
 
[https://blog.51cto.com/wzlinux/2043586 Ubuntu 新装服务器部署流程]
 
[https://blog.51cto.com/wzlinux/2043586 Ubuntu 新装服务器部署流程]
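Review bot: In the Dockerfile under 处理, `apt -o Acquire::Check-Valid-Until=false update` switches off apt's Release file expiry check, which is what stops a mirror or an on-path party from serving stale package metadata. The same fix already replaces sources.list, so prefer pointing at a mirror whose Release file is current and dropping the override, or at least add a comment saying why it is needed; the plain `apt-get update` on the next line runs with the check enabled again anyway. Also in this hunk, `cp /usr/share/zoneinfo/Asia/ShangHai` should read `Asia/Shanghai` (the path is case-sensitive), and `RUN ["service","cron","start"]` has no effect on the container that is eventually started.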

Latest revision as of 07:18, 17 June 2022 (Friday)

Batch machine initialization with Salt-ssh    The Debian Administrator's Handbook

os install

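Sometimes the installer sits at "select and install software" for several hours. Not selecting a mirror during installation should avoid this; add the mirrors yourself after the install.

Download ISOs of old Debian releases (good)

https://cdimage.debian.org/cdimage/archive

Here we find that, by default, all images for each release in this archive are kept in jigdo format to save space and download time, but the ISO images of the latest version of each series are kept. First find the version we need under "Who are we?"; here I download the ISO image directly, so I chose 8.10.0, the latest version of the Debian 8 series. Choose amd64.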

os init

The Gentoo Linux Handbook is well worth studying.

Container initialization

change sources

if docker

Changing the apt sources (Debian sources) in a container with a Dockerfile

11

cat /etc/apt/sources.list

deb http://mirrors.huaweicloud.com/debian/ bullseye main
deb-src http://mirrors.huaweicloud.com/debian/ bullseye main



or 



deb http://mirrors.aliyun.com/debian/ bullseye main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ bullseye main non-free contrib
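# Debian 11 names the security suite bullseye-security (bullseye/updates is the Debian 10 and earlier style)
deb http://mirrors.aliyun.com/debian-security bullseye-security main
deb-src http://mirrors.aliyun.com/debian-security bullseye-security main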
deb http://mirrors.aliyun.com/debian/ bullseye-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ bullseye-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ bullseye-backports main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ bullseye-backports main non-free contrib

10 sources


deb http://mirrors.aliyun.com/debian/ buster main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster main non-free contrib
deb http://mirrors.aliyun.com/debian-security buster/updates main
deb-src http://mirrors.aliyun.com/debian-security buster/updates main
deb http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib

9 sources


echo 'deb http://mirrors.aliyun.com/debian/ stretch main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch main non-free contrib
deb http://mirrors.aliyun.com/debian-security stretch/updates main
deb-src http://mirrors.aliyun.com/debian-security stretch/updates main
deb http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib ' >sources.list
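An added example, not part of the original wiki page: the security suite is named `<codename>/updates` up to Debian 10 and `<codename>-security` from Debian 11 on, and copying a sources list from one release to the next easily carries the wrong form along. The function name and the sample entries below are constructed for illustration; codenames other than the four listed are assumed to use the newer naming.

```shell
#!/bin/sh
# Added example (not from the original page); the sample entries are constructed.

# Report debian-security entries in sources file $1 whose suite name does not
# fit the release: wheezy..buster use "<codename>/updates", later releases
# use "<codename>-security". Output format: "<line>: <suite> -> <expected>".
check_security_suites() {
    awk '
        $1 != "deb" && $1 != "deb-src" { next }
        {
            i = 2
            if ($i ~ /^\[/) { while ($i !~ /\]$/ && i < NF) i++; i++ }  # skip [options]
            uri = $i; suite = $(i + 1)
            if (uri !~ /debian-security/) next
            code = suite; sub("[/-].*", "", code)       # codename part of the suite
            old = (code ~ /^(wheezy|jessie|stretch|buster)$/)
            want = old ? (code "/updates") : (code "-security")
            if (suite != want) print NR ": " suite " -> " want
        }' "$1"
}

# Constructed sample: a Debian 11 list that kept the Debian 10 suite naming.
make_sample_sources() {
    cat > "$1" <<'EOF'
deb http://mirrors.aliyun.com/debian/ bullseye main non-free contrib
deb http://mirrors.aliyun.com/debian-security bullseye/updates main
deb-src http://mirrors.aliyun.com/debian-security bullseye/updates main
deb http://mirrors.aliyun.com/debian-security buster/updates main
EOF
}

src=$(mktemp)
make_sample_sources "$src"
check_security_suites "$src"
rm -f "$src"
```

On a host, point the function at /etc/apt/sources.list; an empty result means every debian-security entry uses the naming that fits its release.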

ssh config


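# openssh

apt-get install openssh-client openssh-server
# Install this first, otherwise enabling the service at boot will not succeed

# How to check whether the service is active, and enable or disable it at boot (i.e. start it automatically at system startup)
# systemctl is-active ssh.service
systemctl enable ssh.service
# systemctl disable ssh.service



# Append the public key as a single line (you_prk_key is a placeholder)
mkdir -p /root/.ssh
echo "ssh-rsa AAAAB3NzaC you_prk_key root@ops" >> /root/.ssh/authorized_keys

sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config

sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
sed -i "s/^#PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config

systemctl restart sshd
#service  sshd restart

# Supplement
# Server side (chmod sets the mode; chown would change the owner instead)
chmod -R 0700  ~/.ssh
chmod 0644  ~/.ssh/authorized_keys

# On the client, adjust the private key mode
chmod 600 id_rsa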
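An added example, not part of the original wiki page: the sed commands above are case-sensitive and only rewrite the exact lines shown, while sshd treats keywords case-insensitively and uses the first value it finds for each one. This sketch sets a keyword so that it becomes the first active occurrence and reads the result back; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page); the file content is constructed.

# Value sshd would use for keyword $2 in the global section of file $1:
# keywords are case-insensitive and the first uncommented occurrence wins.
# Stops at the first Match block; Include files are not followed.
sshd_first_value() {
    awk -v kw="$2" 'BEGIN { kw = tolower(kw) }
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw      { print tolower($2); exit }' "$1"
}

# Set keyword $2 to value $3 in file $1: write it as the first line and drop
# every other active global occurrence, in any letter case. Commented lines
# and lines inside Match blocks are left alone.
sshd_set_option() {
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$2" "$3"
        awk -v kw="$2" 'BEGIN { kw = tolower(kw) }
            tolower($1) == "match"         { in_match = 1 }
            !in_match && tolower($1) == kw { next }
            { print }' "$1"
    } > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: the lower-case line is what a case-sensitive sed misses.
make_sample_config() {
    cat > "$1" <<'EOF'
passwordauthentication yes
#PasswordAuthentication yes
#PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

cfg=$(mktemp)
make_sample_config "$cfg"
echo "before: $(sshd_first_value "$cfg" PasswordAuthentication)"
sshd_set_option "$cfg" PasswordAuthentication no
echo "after:  $(sshd_first_value "$cfg" PasswordAuthentication)"
rm -f "$cfg"
```

On a real host, apply it to a copy of /etc/ssh/sshd_config and validate the result with `sshd -t` before restarting the service.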

Common software


#alias
cp /etc/profile  /etc/profile_bak
echo "alias ll='ls \$LS_OPTIONS -l'" >>/etc/profile  &&   source /etc/profile


useradd -d /data/evan  -s /bin/bash -m  evan
# The -m option creates the home directory if it does not exist


apt install net-tools procps  rsync wget   w3m    vim  build-essential gcc  dnsutils tmux  curl sudo lsb-release  iotop software-properties-common  -y   # Note: dig is in dnsutils; firewalld and screen are left out for now


#troubleshooting: the 163 mirror may have problems
 build-essential

perl : Depends: perl-base (= 5.32.1-4) but 5.32.1-4+deb11u1 is to be installed
E: Unable to correct problems, you have held broken packages.


# Full set of development tools
sudo apt  install git golang build-essential gcc g++ gdb libboost-dev make automake autogen autoconf cscope global cmake cmake-gui astyle clang-format clang llvm lldb libsqlite3-dev sqlite3 bison flex ruby-dev linux-headers-`uname -r`


# Note on ps: it comes from the procps package
apt install procps

mariadb-client

Install Fail2Ban


# Install the rz (upload) and sz (download) tools
sudo apt-get install lrzsz
 

Installing fail2ban on Debian against SSH brute-force attacks


Configuring iptables on Debian

Time synchronization

Switch the time zone from UTC to CST

# Use this one
# Set the Asia time zone; tzselect is sometimes inaccurate
timedatectl set-timezone Asia/Shanghai
# Enable NTP synchronization (use false to disable)
timedatectl set-ntp yes


# This worked (2021)
echo "export TZ='Asia/Shanghai'"  >> /etc/profile
cat /etc/profile |grep TZ
source /etc/profile

date -R  # show the time zone
date
Sat Aug 19 17:03:17 CST 2017


# Correcting the date and time  linux256

cp /usr/share/zoneinfo/Asia/Shanghai  /etc/localtime     # time zone: Asia/Shanghai
# Set the time over the network
apt-get install ntpdate
ntpdate 210.72.145.44        # China national time server: 210.72.145.44

# Set the time manually
sudo date -s 11/13/2019                # 13 November 2019
sudo date -s 10:05:30                  # 10:05:30

security

ufw

firewalld

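This one is good; I use ufw less, and using this is more uniform. May 23 2022

For details see: Centos7 debian firewalld firewall basics

How To Install and Configure Firewalld on Debian 10

Installing and configuring Firewalld on Debian 10 (Buster)

Optimization (optimize)

Setting limits.conf on Debian

Making ulimit settings permanent on Linux (debian9 64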

9 update to 10

 sudo apt dist-upgrade -y # switch to the 10 sources beforehand
The upgrade failed on QCLOUD; you can try their own mirror.

https://mirrors.cloud.tencent.com/debian/dists/

https://cloud.tencent.com/developer/article/1473368

Troubleshooting

Error 1

Reading package lists...
E: Release file for http://mirrors.ustc.edu.cn/debian/dists/stretch-updates/InRelease is expired (invalid since 69d 5h 56min 7s). Updates for this repository will not be applied.
E: Release file for http://mirrors.ustc.edu.cn/debian/dists/stretch-backports/InRelease is expired (invalid since 69d 5h 56min 7s). Updates for this repository will not be applied.
E: Release file for http://mirrors.ustc.edu.cn/debian-security/dists/stretch/updates/InRelease is expired (invalid since 66d 14h 56min 48s). Updates for this repository will not be applied.
ERROR: Service 'php-worker' failed to build: The command '/bin/sh -c apt-get  update' returned a non-zero code: 100


Fix

###########################################################################
# Crontab
###########################################################################
RUN rm -f /etc/apt/sources.list
RUN rm -f /etc/apt/sources.list.d/buster.list
COPY  sources.list /etc/apt/
# Check-Valid-Until=false skips the Release file expiry check, which is apt's guard against stale or replayed mirror metadata
RUN apt -o Acquire::Check-Valid-Until=false update

RUN  apt-get  update
RUN  apt-get clean
RUN  apt-get install -y apt-transport-https
RUN  apt install -y cron vim
# A service started in a RUN step does not keep running in the final container
RUN ["service","cron","start"]


cat php-worker/sources.list

deb http://deb.debian.org/debian stretch main

Error 2

Error message “sudo: unable to resolve host (none)”

Check that /etc/hosts has an entry for localhost. It should have something like:

127.0.0.1    localhost.localdomain localhost
127.0.1.1    your-hostname
