1. Create a new AWS instance
2. Static IP
Either keep the original IP or take a new one. To keep the original IP, first detach it from the old instance, then under HOME > Networking attach it to the new instance.
3.connect using SSH
sudo su
4. Change the root password and create a new user
passwd root
useradd -m -s /bin/bash appadmin    # -m creates the home directory (Debian's useradd does not by default)
passwd appadmin
5. SSH configuration:
vim /etc/ssh/sshd_config
- PermitRootLogin no          // disallow root logins over SSH; log in as appadmin instead
- PasswordAuthentication yes  // whether password logins are accepted; switch it to no once appadmin's SSH key is installed, so only key-based logins remain
service sshd reload           // on Debian/Ubuntu the service is named ssh; keep the current session open and test a fresh login before closing it
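The sshd_config edit from step 5 as a script, added here as an example that is not part of the original notes: it rewrites each setting in place (re-running it never adds duplicate lines), validates the file with sshd -t before reloading, and handles the different unit names on CentOS (sshd) and Debian/Ubuntu (ssh). It goes one step beyond the notes by defaulting PasswordAuthentication to no, which assumes appadmin's SSH key is already in authorized_keys; pass yes as the first argument to keep password logins on as the notes do.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: apply the step-5 sshd settings idempotently
# and refuse to reload sshd unless the edited file still parses.
set -euo pipefail

# set_sshd_option FILE KEY VALUE: rewrite every "KEY ..." line, commented or not, as
# "KEY VALUE"; append the line if the key is absent. Re-running never duplicates lines.
# NB: a KEY inside a Match block is rewritten too; diff against the backup if you use them.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -Ei "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_sshd_option FILE KEY: the value sshd would use (first uncommented occurrence wins).
get_sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE [PASSWORD_AUTH]: PermitRootLogin no as in the notes; password logins
# off by default (assumes appadmin already has an authorized key) and key auth on.
harden_sshd() {
  local file="$1" password_auth="${2:-no}"
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" PasswordAuthentication "$password_auth"
  set_sshd_option "$file" PubkeyAuthentication yes
}

main() {
  local cfg=/etc/ssh/sshd_config
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  harden_sshd "$cfg" "${1:-no}"
  sshd -t -f "$cfg"                 # a file that fails to parse would lock everyone out on reload
  systemctl reload sshd 2>/dev/null || systemctl reload ssh   # CentOS unit name vs Debian/Ubuntu
}

# usage: ./harden-sshd.sh --apply [yes|no]   (second argument = PasswordAuthentication)
if [ "${1:-}" = "--apply" ]; then main "${2:-no}"; fi
```

Run it from a second terminal while the first SSH session stays open: if the reload breaks logins, the open session and the timestamped backup are the way back.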
6. Upgrade packages and the kernel (CentOS or Debian):
yum -y update      # CentOS
apt -y update      # Debian/Ubuntu
apt -y upgrade
7. Install common tools:
apt -y install lrzsz
apt install net-tools
apt install lsof
vi /root/.bashrc     # put root's aliases and environment here, then reload it:
. /root/.bashrc
8. Install docker | nginx
docker:
curl -fsSL https://get.docker.com/ | sh
sudo systemctl start docker
sudo systemctl status docker
sudo systemctl enable docker
docker-compose:
Check the Releases and if necessary, update it in the command below:
sudo curl -L "https://github.com/docker/compose/releases/download/v2.18.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version
nginx:
sudo apt install nginx
systemctl enable nginx
systemctl start nginx
systemctl status nginx
9. shadowsocks:
For the current version number see: https://github.com/shadowsocks/shadowsocks-rust
wget https://github.com/shadowsocks/shadowsocks-rust/releases/download/v1.16.1/shadowsocks-v1.16.1.x86_64-unknown-linux-gnu.tar.xz
tar -xf shadowsocks-v1.16.1.x86_64-unknown-linux-gnu.tar.xz
mv ss* /usr/local/bin/.
cd /etc
mkdir shadowsocks
cd shadowsocks/
vi config.json          # server, server_port, password and method go here; chmod 600 the file, it holds the shared secret
ssserver -c /etc/shadowsocks/config.json            # run in the foreground first to check the config and watch for errors
nohup ssserver -c /etc/shadowsocks/config.json &    # quick detached run; superseded by the systemd unit below
ps -ef|grep sss
**Register it as a system service:**
cd /etc/systemd/system/
vi shadowsocks.service
Enter:
[Unit]
Description=Shadowsocks Server
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks/config.json
Restart=on-failure
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable shadowsocks
systemctl start shadowsocks
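The download, install and service registration from step 9 as one script, added here as an example that is not part of the notes or of shadowsocks-rust. Beyond what the notes do, it checks the tarball's SHA-256 before installing anything (this assumes the release publishes a .sha256 file next to each tarball, as shadowsocks-rust releases do) and gives the unit Restart= and After= lines so the proxy comes back after a crash or reboot. Version 1.16.1 and the x86_64 target are taken from the notes.

```shell
#!/usr/bin/env bash
# Added example, not from the notes or shadowsocks-rust: download, verify, install and
# register ssserver as a service. Assumes the release publishes NAME.sha256 beside NAME.
set -euo pipefail

SS_VERSION="${SS_VERSION:-1.16.1}"                # version from the notes
SS_TARGET="x86_64-unknown-linux-gnu"
SS_BASE="https://github.com/shadowsocks/shadowsocks-rust/releases/download"

# verify_sha256 ARCHIVE SUMFILE: 0 only if the digest in SUMFILE matches ARCHIVE.
verify_sha256() {
  local expected actual
  expected="$(awk 'NR == 1 { print $1 }' "$2")"
  actual="$(sha256sum "$1" | awk '{ print $1 }')"
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then return 0; fi
  return 1
}

# install_ss ARCHIVE PREFIX: extract into a scratch dir and copy the ss* binaries to
# PREFIX/bin with mode 755 (the notes' "mv ss* /usr/local/bin/." without the leftovers).
install_ss() {
  local archive="$1" prefix="$2" work
  work="$(mktemp -d)"
  tar -xf "$archive" -C "$work"
  install -d -m 755 "$prefix/bin"
  install -m 755 "$work"/ss* "$prefix/bin/"
  rm -rf "$work"
}

# write_unit UNITDIR BIN CONFIG: the notes' unit plus After= (start once the network is
# up) and Restart= (come back after a crash); prints the unit path.
write_unit() {
  local bin="$2" cfg="$3" unit="$1/shadowsocks.service"
  cat > "$unit" <<EOF
[Unit]
Description=Shadowsocks Server
After=network.target

[Service]
Type=simple
ExecStart=$bin -c $cfg
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
EOF
  echo "$unit"
}

main() {
  local name="shadowsocks-v${SS_VERSION}.${SS_TARGET}.tar.xz"
  local url="$SS_BASE/v${SS_VERSION}/$name"
  wget -q "$url" "$url.sha256"
  verify_sha256 "$name" "$name.sha256" || { echo "checksum mismatch for $name" >&2; exit 1; }
  install_ss "$name" /usr/local
  install -d -m 700 /etc/shadowsocks              # config.json holds the shared secret
  write_unit /etc/systemd/system /usr/local/bin/ssserver /etc/shadowsocks/config.json
  systemctl daemon-reload
  systemctl enable --now shadowsocks
}

# usage: ./install-ss.sh --install   (then write /etc/shadowsocks/config.json and restart)
if [ "${1:-}" = "--install" ]; then main; fi
```

The unit still runs ssserver as root, as the notes do; if config.json uses a port above 1024, adding a User= line for a dedicated account and making /etc/shadowsocks readable by it is the next step.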
10. Run the optimization script:
bash vmupgrade_.sh
11. Install acme.sh (requires a domain) and issue a certificate
Install acme.sh:
curl https://get.acme.sh | sh
Issue a certificate:
/root/.acme.sh/acme.sh --issue --standalone -d xxx.xyz
Standalone mode needs socat and binds port 80 itself, so install socat and stop nginx (or whatever else is on port 80) before issuing. The default CA (ZeroSSL) also requires an account e-mail before the first issue:
yum install socat
systemctl stop nginx
/root/.acme.sh/acme.sh --register-account -m bj.guozhong@gmail.com
/root/.acme.sh/acme.sh --issue --standalone -d 20081014.xyz
/root/.acme.sh/acme.sh --issue --standalone -d passwd.20081014.xyz
/root/.acme.sh/acme.sh --issue --standalone -d www.313390.xyz -d 313390.xyz --force
(--force reissues even when the existing certificate is not yet due; leave it out normally to stay within the CA's rate limits. Once nginx is up, --nginx or --webroot mode issues without stopping it.)
**The following output means the certificate was issued successfully:**
[Thu Jun 1 15:23:17 CST 2023] Your cert is in:
/root/.acme.sh/passwd.abc.xyz_ecc/passwd.abc.xyz.cer
[Thu Jun 1 15:23:17 CST 2023] Your cert key is in:
/root/.acme.sh/passwd.abc.xyz_ecc/passwd.abc.xyz.key
[Thu Jun 1 15:23:17 CST 2023] The intermediate CA cert is in:
/root/.acme.sh/passwd.abc.xyz_ecc/ca.cer
[Thu Jun 1 15:23:17 CST 2023] And the full chain certs is there:
/root/.acme.sh/passwd.abc.xyz_ecc/fullchain.cer
**Configure the generated certificate files in nginx: conf.d/abc.xyz.conf**
[root@ip-172-26-2-136 conf.d]# vi abc.xyz.conf
server
{
    listen 443 ssl http2;
    server_name passwd.xxx.xyz;
    # acme.sh treats the files under /root/.acme.sh as internal and may move them; the documented
    # way is acme.sh --install-cert, which copies them to a path of your choice and reloads nginx
    # after each renewal
    ssl_certificate /root/.acme.sh/passwd.abc.xyz_ecc/passwd.abc.xyz.cer;
    ssl_certificate_key /root/.acme.sh/passwd.abc.xyz_ecc/passwd.abc.xyz.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); do not enable them
    ssl_prefer_server_ciphers on;
    # the certificate above is ECDSA (the _ecc directory), so the ECDHE-ECDSA suites within the ECDHE group are the ones negotiated
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # preload is hard to undo: only submit to the preload list once every subdomain serves HTTPS
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
**Automatic renewal:**
acme.sh installs a daily cron job at install time that renews each certificate when it is due (every 60 days by default); the command below only turns on automatic upgrades of acme.sh itself:
/root/.acme.sh/acme.sh --upgrade --auto-upgrade
For nginx to pick up the renewed certificate, install it with acme.sh --install-cert together with a --reloadcmd that reloads nginx, instead of pointing nginx at the files under /root/.acme.sh.
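Certificate deployment and the checks that go with it, added here as an example that is not part of the notes or of acme.sh: deploy_cert copies the issued certificate out of /root/.acme.sh with acme.sh --install-cert and registers an nginx reload to run after every renewal; check_tls_protocols and check_cert_paths flag a server block that still lists TLSv1/TLSv1.1 or reads certificates straight from acme.sh's internal directory; cert_days_left reports how long the served certificate has left, which is what a renewal alert should watch. The /etc/nginx/ssl directory and the acme.sh path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the notes or acme.sh: hand an issued certificate to nginx the
# way acme.sh documents (--install-cert with a reload hook) and check the result.
# Assumed paths: /etc/nginx/ssl for the copies, /root/.acme.sh/acme.sh for acme.sh.
set -euo pipefail

ACME="${ACME:-/root/.acme.sh/acme.sh}"
SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"

# deploy_cert DOMAIN: acme.sh remembers these paths and the reload command and repeats
# them after every automatic renewal, so nginx never keeps serving an expired cert.
# --ecc selects the ECC certificate (the *_ecc directory shown in the notes).
deploy_cert() {
  local domain="$1"
  install -d -m 700 "$SSL_DIR"
  "$ACME" --install-cert -d "$domain" --ecc \
    --key-file       "$SSL_DIR/$domain.key" \
    --fullchain-file "$SSL_DIR/$domain.fullchain.cer" \
    --reloadcmd      "nginx -t && systemctl reload nginx"
}

# check_tls_protocols CONF: fail when an active ssl_protocols line still enables TLSv1
# or TLSv1.1 (deprecated by RFC 8996). TLSv1.2 and TLSv1.3 do not match the pattern.
check_tls_protocols() {
  ! grep -E '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$1" >/dev/null
}

# check_cert_paths CONF: fail when nginx reads certificates straight out of acme.sh's
# internal directory instead of the copies made by deploy_cert.
check_cert_paths() {
  ! grep -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]+/root/\.acme\.sh/' "$1" >/dev/null
}

# cert_days_left CERT: whole days until the certificate expires (negative once expired).
# Let's Encrypt certs last 90 days and acme.sh renews at 60, so a value under 30 means a
# renewal was missed.
cert_days_left() {
  local end
  end="$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)"
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# lint_site CONF: run both config checks and report what failed.
lint_site() {
  local conf="$1" rc=0
  check_tls_protocols "$conf" || { echo "$conf: TLSv1/TLSv1.1 enabled" >&2; rc=1; }
  check_cert_paths "$conf"    || { echo "$conf: certificate read from /root/.acme.sh" >&2; rc=1; }
  return $rc
}

# usage: ./deploy-cert.sh --deploy passwd.abc.xyz
if [ "${1:-}" = "--deploy" ]; then
  domain="${2:?domain required}"
  deploy_cert "$domain"
  lint_site /etc/nginx/conf.d/abc.xyz.conf
  echo "days left: $(cert_days_left "$SSL_DIR/$domain.fullchain.cer")"
fi
```

After deploying, point ssl_certificate at /etc/nginx/ssl/passwd.abc.xyz.fullchain.cer and ssl_certificate_key at the matching .key, then run lint_site on the conf file until it is silent.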
12. Install fail2ban to block brute-force attacks:
apt-get install fail2ban
systemctl status fail2ban
cd /etc/fail2ban/
cp jail.conf jail.local    # jail.conf is replaced on package upgrades; local overrides belong in jail.local
systemctl start fail2ban
vi jail.local
Enter the following:
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
[sshd]
enabled = true
[nginx-http-auth]
enabled = true
If fail2ban then refuses to start with "Have not found any log file for sshd jail" (Debian 12 has no /var/log/auth.log unless rsyslog is installed), add backend = systemd under [sshd].
systemctl restart fail2ban
systemctl status fail2ban
fail2ban-client status
--view the log
tail -f /var/log/fail2ban.log
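A summary of fail2ban.log by jail and address, added as an example that is not part of the notes or of fail2ban; the log lines in the test are constructed in fail2ban's own format. An address whose ban count keeps climbing is one that returns after each one-hour ban, which is the case for raising bantime or setting bantime.increment = true in [DEFAULT].

```shell
#!/usr/bin/env bash
# Added example, not from the notes or fail2ban: per-jail, per-address ban counts from
# /var/log/fail2ban.log, to spot addresses that return after every one-hour ban.
set -euo pipefail

# ban_summary < fail2ban.log: prints "jail ip bans unbans", most-banned first.
# fail2ban.actions lines have the form
#   2023-06-01 15:23:17,042 fail2ban.actions [712]: NOTICE [sshd] Ban 203.0.113.5
# and fail2ban 1.x writes "Restore Ban" for bans re-applied from its database at start-up.
ban_summary() {
  awk '
    /fail2ban\.actions/ && ($(NF-1) == "Ban" || $(NF-1) == "Unban") {
      jail = $(NF-2)
      if (jail == "Restore") jail = $(NF-3)     # "Restore Ban" shifts the jail one field left
      gsub(/\[|\]/, "", jail)
      key = jail " " $NF
      seen[key] = 1
      if ($(NF-1) == "Ban") bans[key]++; else unbans[key]++
    }
    END {
      for (k in seen) printf "%s %d %d\n", k, bans[k] + 0, unbans[k] + 0
    }' | sort -k3,3nr -k1,1 -k2,2
}

# repeat_offenders MIN < fail2ban.log: only entries banned at least MIN times; these are
# the candidates for a longer bantime or bantime.increment = true.
repeat_offenders() {
  ban_summary | awk -v min="$1" '$3 >= min'
}

# usage: ./ban-summary.sh --log [MIN]   reads /var/log/fail2ban.log
if [ "${1:-}" = "--log" ]; then
  repeat_offenders "${2:-2}" < /var/log/fail2ban.log
fi
```

For the live picture of one jail (currently banned addresses and failure counters) use fail2ban-client status sshd; the log summary adds the history the live view lacks.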
13. Password-protect an nginx site (HTTP basic auth) with htpasswd
yum install -y httpd-tools        # CentOS
apt-get install apache2-utils     # Debian/Ubuntu
htpasswd -c /etc/nginx/.htpasswd gz    # -c creates the file and overwrites any existing entries; leave it out when adding further users
New password:
Re-type new password:
Adding password for user gz
**ls -a shows the password file; then reference it in nginx.conf (the path must match the file created above). Basic auth only base64-encodes the password, so put these lines in the HTTPS server block rather than a plain port-80 one:**
server {
    listen 80;
    server_name localhost;
    .......
    #add the two lines below
    auth_basic "Please input password"; #prompt shown in the browser's login dialog
    auth_basic_user_file /etc/nginx/.htpasswd;
    location / {
    .......
    }
}
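Adding basic-auth users without the overwrite trap of htpasswd -c, as an added example that is not from the notes: it writes the apr1 hash format that htpasswd produces by default and nginx's auth_basic_user_file accepts, replaces the user's line if it already exists, and restricts the file to root and nginx's group. That nginx's workers run as www-data is an assumption (CentOS packages use the nginx user); the verify helper recomputes the hash with the stored salt, which is the same check nginx makes on each request.

```shell
#!/usr/bin/env bash
# Added example, not from the notes: maintain /etc/nginx/.htpasswd without htpasswd -c's
# overwrite trap. Hashes use apr1 (htpasswd's default, accepted by nginx auth_basic).
# Assumes nginx's worker group is www-data (Debian); CentOS packages use "nginx".
set -euo pipefail

NGINX_GROUP="${NGINX_GROUP:-www-data}"

# set_basic_user FILE USER PASSWORD: replace USER's entry if present, else append; then
# re-create the file with mode 640 so only root and nginx's group can read the hashes.
set_basic_user() {
  local file="$1" user="$2" password="$3" hash tmp
  hash="$(printf '%s\n' "$password" | openssl passwd -apr1 -stdin)"
  tmp="$(mktemp)"
  if [ -f "$file" ]; then
    grep -v "^${user}:" "$file" > "$tmp" || true      # grep exits 1 when no other users remain
  fi
  printf '%s:%s\n' "$user" "$hash" >> "$tmp"
  install -m 640 "$tmp" "$file"
  rm -f "$tmp"
  if [ "$(id -u)" = 0 ]; then chown "root:$NGINX_GROUP" "$file"; fi
}

# verify_basic_user FILE USER PASSWORD: 0 when PASSWORD matches the stored hash, using
# the salt embedded in the "$apr1$salt$hash" entry exactly as nginx does.
verify_basic_user() {
  local file="$1" user="$2" password="$3" stored salt
  stored="$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")"
  [ -n "$stored" ] || return 1
  salt="$(printf '%s' "$stored" | cut -d'$' -f3)"
  if [ "$(printf '%s\n' "$password" | openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]; then
    return 0
  fi
  return 1
}

# usage: ./htpasswd-set.sh --set gz    (prompts for the password, no echo)
if [ "${1:-}" = "--set" ]; then
  user="${2:?user required}"
  read -r -s -p "Password for $user: " pw; echo
  set_basic_user /etc/nginx/.htpasswd "$user" "$pw"
  verify_basic_user /etc/nginx/.htpasswd "$user" "$pw" && echo "entry for $user verified"
fi
```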
14. View the logs of a running Docker container:
docker logs -f -t --tail <number of lines> <container name or ID>
15. About the firewall:
To check whether a CentOS host is using firewalld or plain iptables:
sudo firewall-cmd --state
"running" means firewalld is active. "not running" means it is installed but stopped, and "command not found" means it is not installed; in both of those cases any rules present are managed directly with iptables.
The service units give the same answer:
sudo systemctl status firewalld.service
"active (running)" means firewalld is in charge; "inactive" or "could not be found" means it is not.
sudo systemctl status iptables.service
"active (exited)" here means the iptables-services unit loaded a saved rule set at boot.
With firewalld, list the ports allowed through:
sudo firewall-cmd --list-ports
The output shows every port opened in the default zone. For a specific zone:
sudo firewall-cmd --list-ports --zone=public
Replace "public" with the name of the zone you want to inspect.
On Debian/Ubuntu the usual front end is ufw instead. Open only what the server needs, and allow ssh before running ufw enable so the current session is not locked out:
ufw allow ssh
ufw allow http
ufw allow https
(On this host sudo firewall-cmd --list-ports printed nothing, because firewalld was not managing the rules, so ufw was used.)
ufw allow 80/tcp
ufw allow 443/tcp
Result (as shown by ufw status): 80/tcp 443/tcp
16. After the DNS record is updated to the new IP, the local machine may still resolve the old address; flush the local DNS cache:
On Windows:
Open a Command Prompt as administrator.
Run the following to flush the DNS cache:
ipconfig /flushdns
17. Upgrade bitwarden (the vaultwarden/server image)
$ cd ~/bitwarden
$ docker-compose down
$ docker pull vaultwarden/server:latest
$ docker-compose up -d
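The step-17 upgrade with a backup taken first, added as an example that is not part of the notes or of vaultwarden: the stack is stopped before the data directory is archived so the SQLite database is not copied mid-write, and the archive is checked for the database file before anything is pulled. The bind-mount path ./vw-data, the db.sqlite3 file name and the backups directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the notes or vaultwarden: the step-17 upgrade with a backup first.
# Assumes the compose project lives in ~/bitwarden with the data volume bind-mounted at
# ./vw-data (vaultwarden's documented default) and backups kept in ./backups.
set -euo pipefail

# backup_data SRC_DIR DEST_DIR: timestamped tar.gz of SRC_DIR, mode 600; prints its path.
backup_data() {
  local src="$1" dest="$2" out
  install -d -m 700 "$dest"
  out="$dest/$(basename "$src")-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")"
  chmod 600 "$out"                     # the archive contains the vault database
  echo "$out"
}

# backup_contains ARCHIVE PATH: 0 when the archive holds the given relative path.
backup_contains() {
  tar -tzf "$1" | grep -x "$2" >/dev/null
}

# upgrade [PROJECT_DIR]: stop the stack so the SQLite file is quiescent, back it up,
# then pull and restart. Keep the archive until the new version has run for a while.
upgrade() {
  local dir="${1:-$HOME/bitwarden}" archive
  cd "$dir"
  docker-compose down
  archive="$(backup_data "$dir/vw-data" "$dir/backups")"
  backup_contains "$archive" "vw-data/db.sqlite3" || { echo "backup has no db.sqlite3, aborting" >&2; exit 1; }
  echo "backup written to $archive"
  docker pull vaultwarden/server:latest
  docker-compose up -d
  docker-compose logs --tail 20
}

# usage: ./upgrade-vw.sh --upgrade [~/bitwarden]
if [ "${1:-}" = "--upgrade" ]; then upgrade "${2:-}"; fi
```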