#!/bin/bash
# Debian 12 系统配置脚本
# 系统基础配置和优化
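# Abort on the first failing command. pipefail makes a failing stage inside a
# pipeline fail the whole pipeline instead of being masked by the last stage.
# (-u is deliberately not enabled: main reads "$1" unconditionally.)
set -eo pipefail

# ANSI colour codes used by the log_* helpers. They are stored as literal
# backslash sequences and only expanded at print time (echo -e / printf %b).
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'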
# 日志函数
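#######################################
# Print an informational message to stdout.
# Globals:   BLUE, NC (read)
# Arguments: $1 - message text
# Outputs:   "[INFO] <message>" with colour codes around the tag
#######################################
log_info() {
  # Only the colour constants go through %b; the message is printed with %s so
  # backslash sequences in caller-supplied text are never interpreted.
  printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$1"
}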
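#######################################
# Print a success message to stdout.
# Globals:   GREEN, NC (read)
# Arguments: $1 - message text
# Outputs:   "[SUCCESS] <message>" with colour codes around the tag
#######################################
log_success() {
  # %s for the message: caller text is printed verbatim, no escape processing.
  printf '%b[SUCCESS]%b %s\n' "$GREEN" "$NC" "$1"
}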
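#######################################
# Print a warning message to stderr.
# Globals:   YELLOW, NC (read)
# Arguments: $1 - message text
# Outputs:   "[WARNING] <message>" on stderr so it is not captured as data
#######################################
log_warning() {
  # %s for the message: caller text is printed verbatim, no escape processing.
  printf '%b[WARNING]%b %s\n' "$YELLOW" "$NC" "$1" >&2
}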
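#######################################
# Print an error message to stderr.
# Globals:   RED, NC (read)
# Arguments: $1 - message text (may contain user input, e.g. an unknown action)
# Outputs:   "[ERROR] <message>" on stderr
#######################################
log_error() {
  # The message is printed with %s: user-controlled text must not be run
  # through escape processing or used as a format string.
  printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$1" >&2
}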
# 配置时区
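#######################################
# Set the timezone to Asia/Shanghai and point chrony at NTP servers in
# mainland China.
# Globals:   none written; reads nothing beyond the log helpers' colours
# Arguments: none
# Outputs:   progress via log_info/log_success
# Returns:   non-zero (via set -e) if any step fails
#######################################
configure_timezone() {
  log_info "配置时区为 Asia/Shanghai..."

  timedatectl set-timezone Asia/Shanghai

  # Non-interactive install so a debconf prompt cannot stall an unattended run.
  apt update
  DEBIAN_FRONTEND=noninteractive apt install -y chrony

  # Keep the distribution config once, before the first overwrite.
  if [[ -f /etc/chrony/chrony.conf && ! -f /etc/chrony/chrony.conf.backup ]]; then
    cp -a /etc/chrony/chrony.conf /etc/chrony/chrony.conf.backup
  fi

  # The allow directives turn this host into an NTP server for RFC 1918
  # ranges (UDP/123). Whether that is reachable depends on the host firewall;
  # configure_firewall does not open the port.
  cat > /etc/chrony/chrony.conf << 'EOF'
# NTP servers from Alibaba Cloud
server ntp.aliyun.com iburst
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server ntp3.aliyun.com iburst

# NTP servers from Tencent Cloud
server time1.cloud.tencent.com iburst
server time2.cloud.tencent.com iburst

# NTP servers from Baidu
server ntp1.baidu.com iburst
server ntp2.baidu.com iburst

# Allow NTP client access from local network
allow 192.168.0.0/16
allow 10.0.0.0/8
allow 172.16.0.0/12

# Serve time even if not synchronized to a time source
local stratum 10

# Specify directory for log files
logdir /var/log/chrony

# Select which information is logged
log measurements statistics tracking

# Persist the measured clock drift across restarts, step (rather than slew)
# the clock when the offset is large during the first three updates, and keep
# the hardware clock in sync. The distribution config sets these; dropping
# them makes a freshly booted host with a large offset converge very slowly.
driftfile /var/lib/chrony/chrony.drift
makestep 1 3
rtcsync
EOF

  systemctl restart chrony
  systemctl enable chrony

  log_success "时区配置完成"
}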
# 配置语言环境
#######################################
# Generate zh_CN and en_US UTF-8 locales and install a system default that
# uses English messages with Chinese regional formats.
# Arguments: none
# Outputs:   progress via log_info/log_success
#######################################
configure_locale() {
  log_info "配置语言环境..."

  # Uncomment both locale lines in a single sed pass, then build them.
  sed -i \
    -e 's/# zh_CN.UTF-8 UTF-8/zh_CN.UTF-8 UTF-8/' \
    -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' \
    /etc/locale.gen
  locale-gen

  # System-wide defaults read by PAM at login.
  cat > /etc/default/locale << 'EOF'
LANG=en_US.UTF-8
LANGUAGE=en_US:en
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC=zh_CN.UTF-8
LC_TIME=zh_CN.UTF-8
LC_COLLATE="en_US.UTF-8"
LC_MONETARY=zh_CN.UTF-8
LC_MESSAGES="en_US.UTF-8"
LC_PAPER=zh_CN.UTF-8
LC_NAME=zh_CN.UTF-8
LC_ADDRESS=zh_CN.UTF-8
LC_TELEPHONE=zh_CN.UTF-8
LC_MEASUREMENT=zh_CN.UTF-8
LC_IDENTIFICATION=zh_CN.UTF-8
EOF

  # Re-apply LANG through the distribution helper.
  update-locale LANG=en_US.UTF-8

  log_success "语言环境配置完成"
}
# 配置系统限制
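#######################################
# Raise per-process limits and apply a custom sysctl profile.
# Arguments: none
# Outputs:   progress via log_info/log_success
# Returns:   non-zero (via set -e) if sysctl rejects a key
#######################################
configure_limits() {
  log_info "配置系统限制..."

  # limits.conf is appended to, so guard on the header comment to keep the
  # function idempotent: re-running "all" must not add the block twice.
  local marker='# EM Script Library - System Limits Configuration'
  if grep -qF -- "$marker" /etc/security/limits.conf; then
    log_info "limits.conf 已包含自定义限制，跳过追加"
  else
    # NOTE(review): unlimited core dumps can write secrets held in process
    # memory to disk; on hosts running credential-handling services consider
    # a smaller cap or leaving the default.
    cat >> /etc/security/limits.conf << 'EOF'

# EM Script Library - System Limits Configuration
* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536
root soft nofile 65536
root hard nofile 65536
root soft nproc 65536
root hard nproc 65536

# Increase core file size
* soft core unlimited
* hard core unlimited
root soft core unlimited
root hard core unlimited
EOF
  fi

  # sysctl profile. net.ipv4.tcp_tw_recycle is intentionally absent: the key
  # was removed from the kernel years before Debian 12, so "sysctl -p" fails
  # on it and, under set -e, aborted this function before the success message
  # and before any later action in "all".
  cat > /etc/sysctl.d/99-custom.conf << 'EOF'
# EM Script Library - System Control Configuration

# Increase system file descriptor limits
fs.file-max = 655360

# Network optimizations
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 250000
net.ipv4.tcp_max_syn_backlog = 250000
net.ipv4.ip_local_port_range = 1024 65535

# TCP optimizations
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 3

# Memory optimizations
vm.swappiness = 10
vm.dirty_ratio = 20
vm.dirty_background_ratio = 10
vm.vfs_cache_pressure = 50

# Security enhancements
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# With a SYN backlog this large, SYN cookies keep the listener responsive
# once the backlog is exhausted.
net.ipv4.tcp_syncookies = 1
EOF

  # Apply only this file; a rejected key makes sysctl exit non-zero.
  sysctl -p /etc/sysctl.d/99-custom.conf

  log_success "系统限制配置完成"
}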
# 配置 SSH
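#######################################
# Replace /etc/ssh/sshd_config with the script's baseline and restart sshd.
# Globals:   SSH_PERMIT_ROOT_LOGIN (read, default "yes")
#            SSH_PASSWORD_AUTHENTICATION (read, default "yes")
# Arguments: none
# Outputs:   progress via log_info/log_warning/log_success
# Returns:   1 if the new config fails "sshd -t" (the backup is restored)
#######################################
configure_ssh() {
  log_info "配置 SSH 服务..."

  # Authentication policy. Defaults preserve the script's historical
  # behaviour (root may log in with a password). Override from the
  # environment once key-based access is in place, e.g.
  #   SSH_PERMIT_ROOT_LOGIN=prohibit-password SSH_PASSWORD_AUTHENTICATION=no
  local permit_root="${SSH_PERMIT_ROOT_LOGIN:-yes}"
  local password_auth="${SSH_PASSWORD_AUTHENTICATION:-yes}"
  if [[ "$permit_root" == "yes" && "$password_auth" == "yes" ]]; then
    log_warning "当前允许 root 使用密码登录 SSH；配置密钥后建议设置 SSH_PERMIT_ROOT_LOGIN=prohibit-password"
  fi

  # The first run keeps the pristine file as .backup; later runs must not
  # overwrite it with the script's own output, so they get a timestamped copy.
  local backup=/etc/ssh/sshd_config.backup
  if [[ -f "$backup" ]]; then
    backup="/etc/ssh/sshd_config.backup.$(date +%Y%m%d%H%M%S)"
  fi
  cp -a /etc/ssh/sshd_config "$backup"

  # Whole-file replacement: the distribution file's Include of
  # /etc/ssh/sshd_config.d/*.conf is not reproduced, so any drop-in snippets
  # there (cloud images often set authentication policy that way) stop
  # applying. The delimiter is unquoted only to expand the two policy
  # variables; the content contains no other "$" or backslashes.
  cat > /etc/ssh/sshd_config << EOF
# EM Script Library - SSH Configuration

# Basic configuration
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Host keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Logging
LogLevel INFO
SyslogFacility AUTH

# Authentication
PermitRootLogin ${permit_root}
StrictModes yes
MaxAuthTries 6
MaxSessions 10

# Password authentication
PasswordAuthentication ${password_auth}

# Public key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials no

# Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken no

# Security options
UsePAM yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PermitTTY yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 60
ClientAliveCountMax 3
UseDNS no
PidFile /var/run/sshd.pid
MaxStartups 10:30:100
PermitTunnel no
ChrootDirectory none
VersionAddendum none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# Override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

  # Validate before restarting: a broken config would otherwise leave sshd
  # down and a remote host unreachable.
  if ! sshd -t; then
    log_error "sshd 配置校验失败，已从 ${backup} 恢复"
    cp -a "$backup" /etc/ssh/sshd_config
    return 1
  fi

  systemctl restart ssh
  systemctl enable ssh

  log_success "SSH 配置完成"
}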
# 配置防火墙
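#######################################
# Install ufw and apply a deny-inbound baseline that allows SSH and HTTP(S).
# Arguments: none
# Outputs:   progress via log_info/log_success
# Returns:   non-zero (via set -e) if any ufw step fails
#######################################
configure_firewall() {
  log_info "配置防火墙..."

  apt update
  DEBIAN_FRONTEND=noninteractive apt install -y ufw

  # Start from a clean rule set. NOTE: --force reset also discards any rules
  # an operator added by hand on this host.
  ufw --force reset
  ufw default deny incoming
  ufw default allow outgoing

  # Allow SSH before enabling so the current session is not cut off.
  # configure_ssh pins sshd to port 22; change both together. "ufw limit
  # 22/tcp" is the rate-limited alternative if brute-force noise is a concern.
  ufw allow 22/tcp

  ufw allow 80/tcp
  ufw allow 443/tcp

  # Record blocked traffic in syslog/journal so drops are visible later.
  ufw logging low

  # --force answers the interactive confirmation, replacing the echo "y" pipe.
  ufw --force enable

  log_success "防火墙配置完成"
}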
# 配置日志轮转
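#######################################
# Install a logrotate stanza for /var/log/*.log and /var/log/apt/*.log.
# Arguments: none
# Outputs:   progress via log_info/log_warning/log_success
#######################################
configure_logrotate() {
  log_info "配置日志轮转..."

  # Rotated files are created root:adm 0640 rather than world-readable: the
  # /var/log/*.log glob covers auth.log and friends, which record usernames
  # and source addresses.
  # NOTE(review): both globs overlap with stanzas Debian already ships under
  # /etc/logrotate.d (rsyslog, apt, dpkg); logrotate reports a duplicate log
  # entry as an error, which the dry run below surfaces.
  cat > /etc/logrotate.d/custom << 'EOF'
/var/log/*.log {
daily
missingok
rotate 52
compress
delaycompress
notifempty
create 0640 root adm
postrotate
systemctl reload rsyslog.service || true
endscript
}

/var/log/apt/*.log {
daily
missingok
rotate 12
compress
delaycompress
notifempty
create 0640 root adm
}
EOF

  # Dry-run the complete configuration so syntax errors or duplicate entries
  # are reported now instead of silently breaking the nightly rotation.
  if ! logrotate -d /etc/logrotate.conf > /dev/null 2>&1; then
    log_warning "logrotate 配置检查报告了问题，请运行 logrotate -d /etc/logrotate.conf 查看详情"
  fi

  log_success "日志轮转配置完成"
}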
# 显示帮助信息
#######################################
# Print the usage text to stdout.
# Arguments: none ($0 is the path the script was invoked as)
#######################################
show_help() {
  # One argument per output line; "" yields the blank separator lines.
  printf '%s\n' \
    "Debian 12 系统配置工具" \
    "" \
    "用法: $0 [选项] [操作]" \
    "" \
    "操作:" \
    "timezone 配置时区和 NTP" \
    "locale 配置语言环境" \
    "limits 配置系统限制" \
    "ssh 配置 SSH 服务" \
    "firewall 配置防火墙" \
    "logrotate 配置日志轮转" \
    "all 执行所有配置" \
    "" \
    "选项:" \
    "-h, --help 显示此帮助信息" \
    "" \
    "示例:" \
    "$0 timezone # 配置时区" \
    "$0 all # 执行所有配置" \
    ""
}
# 主函数
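#######################################
# Dispatch on the requested action.
# Globals:   EUID (read)
# Arguments: $1 - action name (see show_help), or -h/--help/empty for usage
# Outputs:   usage on stdout; errors via log_error
# Returns:   0 on success or for help; exits 1 on an unknown action or when
#            not running as root
#######################################
main() {
  local action="${1:-}"

  # Help needs no privileges and should not be followed by the completion banner.
  case "$action" in
    ""|-h|--help)
      show_help
      return 0
      ;;
  esac

  # Every action writes under /etc or drives apt/systemctl/ufw; fail early with
  # a clear message instead of partway through with permission errors.
  if (( EUID != 0 )); then
    log_error "此脚本需要以 root 身份运行"
    exit 1
  fi

  case "$action" in
    timezone) configure_timezone ;;
    locale) configure_locale ;;
    limits) configure_limits ;;
    ssh) configure_ssh ;;
    firewall) configure_firewall ;;
    logrotate) configure_logrotate ;;
    all)
      # sshd is reconfigured before the firewall is enabled so port 22 is
      # already in its final state when the allow rule is added.
      configure_timezone
      configure_locale
      configure_limits
      configure_ssh
      configure_firewall
      configure_logrotate
      ;;
    *)
      log_error "未知操作: $action"
      show_help
      exit 1
      ;;
  esac

  log_success "系统配置完成!"
}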
# 执行主函数
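# Entry point: the stray trailing "|" made this an unterminated pipeline.
main "$@"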