664 字
3 分钟
基于服务器的网站搭建心得
1. 推荐一键脚本解决
推荐使用 kejilion脚本面板 一键脚本,能够自动完成常见环境的安装和配置,极大简化搭建流程。
bash <(curl -sL kejilion.sh)一、前期准备
新建security-fix.sh文件,内容如下:
#!/bin/bashset -e
echo "📦 系统更新..."if command -v apt >/dev/null; then apt update && apt upgrade -yelif command -v yum >/dev/null; then yum update -yelif command -v dnf >/dev/null; then dnf upgrade -yelse echo "❌ 不支持的包管理器" exit 1fi
echo "🔐 移除 suid/sgid(保留 mount/umount)"chmod u-s /usr/bin/gpasswd 2>/dev/null || truechmod u-s /usr/bin/chfn 2>/dev/null || truechmod u-s /usr/bin/chsh 2>/dev/null || truechmod u-s /usr/bin/newgrp 2>/dev/null || truechmod g-s /usr/bin/chage 2>/dev/null || true
echo "🕒 SSH 登录超时配置"sshd_config=$(find /etc/ssh -name 'sshd_config' 2>/dev/null | head -n 1)if [ -f "$sshd_config" ]; then sed -i '/^#\?LoginGraceTime/c\LoginGraceTime 60' "$sshd_config"fi
echo "🕓 SSH 空闲超时配置"if [ -f "$sshd_config" ]; then sed -i '/^#\?ClientAliveInterval/c\ClientAliveInterval 600' "$sshd_config"fi
echo "📛 禁用 Ping"sysctl -w net.ipv4.icmp_echo_ignore_all=1grep -q "icmp_echo_ignore_all" /etc/sysctl.conf || echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
echo "🔒 修复 grub 权限"for grubfile in /boot/grub2/grub.cfg /boot/grub/grub.cfg; do if [ -f "$grubfile" ]; then chmod 600 "$grubfile" chown root:root "$grubfile" fidone
echo "💾 限制核心转储"sysctl -w fs.suid_dumpable=0grep -q "fs.suid_dumpable" /etc/sysctl.conf || echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
echo "🔑 设置最小密码修改间隔"if [ -f /etc/login.defs ]; then sed -i '/^PASS_MIN_DAYS/c\PASS_MIN_DAYS 7' /etc/login.defsfiif command -v chage >/dev/null; then chage --mindays 7 root || truefi
echo "🔐 强制使用 SSH Protocol 2"if [ -f "$sshd_config" ]; then sed -i '/^#\?Protocol/c\Protocol 2' "$sshd_config"fi
echo "⚠️ 移除 cloud-init sudo NOPASSWD 权限"[ -f /etc/sudoers.d/90-cloud-init-users ] && sed -i 's/NOPASSWD.*//' /etc/sudoers.d/90-cloud-init-users
echo "⏱️ 命令行超时退出设置"grep -q "TMOUT=" /etc/profile || echo "TMOUT=300" >> /etc/profile
echo "🧹 设置 ls 命令别名(保留 rm 原样)"grep -q "alias ls=" ~/.bashrc || echo "alias ls='ls -alh --color=auto'" >> ~/.bashrc
echo "📡 启用 TCP SYN cookie 防护"sysctl -w net.ipv4.tcp_syncookies=1grep -q "tcp_syncookies" /etc/sysctl.conf || echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
echo "👮 限制 su 切换为 root,仅允许 wheel 组用户"if ! grep -q "pam_wheel.so" /etc/pam.d/su 2>/dev/null; then echo "auth required pam_wheel.so" >> /etc/pam.d/sufigroupadd wheel 2>/dev/null || truegpasswd -a root wheel 2>/dev/null || true
echo "✅ 所有安全修复已完成,建议手动执行:systemctl restart sshd"然后通过 . security-fix.sh 命令运行
二、部署面板
1. kejilion脚本面板
bash <(curl -sL kejilion.sh)2. 宝塔开心版面板 快云博客
CentOS安装脚本(2025.5.28测试通过:CentOS 8.2、7.6)
yum install -y wget && wget -O install.sh https://bl.yinghuangi.cn/install/install_panel.sh && sh install.shUbuntu/Debian安装脚本(2025.5.28测试通过:Ubuntu 18.04)
wget -O install.sh https://bl.yinghuangi.cn/install/install_panel.sh && bash install.shLinux面板升级命令:
curl https://bl.yinghuangi.cn/install/update6.sh|bash3. 1Panel面板
bash -c "$(curl -sSL https://resource.fit2cloud.com/1panel/package/v2/quick_start.sh)"如果遇到 Docker 安装失败等问题,可以尝试运行以下脚本:
bash <(curl -sSL https://linuxmirrors.cn/docker.sh)卸载命令
1pctl uninstall4. 宝塔官方面板
宝塔官方一键安装命令:
if [ -f /usr/bin/curl ];then curl -sSO https://download.bt.cn/install/install_panel.sh;else wget -O install_panel.sh https://download.bt.cn/install/install_panel.sh;fi;bash install_panel.sh ed8484bec5 Linuxmirrors
华为源最快 https://linuxmirrors.cn/#gnulinux
LinuxMirror软件源脚本
bash <(curl -sSL https://linuxmirrors.cn/main.sh)Docker 安装脚本
bash <(curl -sSL https://linuxmirrors.cn/docker.sh)部分信息可能已经过时