\u63a5\u89e6 VPS \u4e5f\u56db\u5e74\u591a\u4e86, \u5bf9\u4e8e\u5982\u4f55\u4fdd\u62a4\u81ea\u5df1\u7684 VPS, \u4e5f\u603b\u7ed3\u51fa\u4e00\u4e9b\u7ecf\u9a8c, \u4e8e\u662f\u5199\u4e2a\u5e16\u5b50\u5206\u4eab\u4e00\u4e0b, \u96c6\u601d\u5e7f\u76ca\u561b. \u505a\u5230\u4e0b\u9762\u7684\u5b89\u5168\u63aa\u65bd, \u9664\u975e\u88ab\u9488\u5bf9\u6027\u653b\u51fb, \u5426\u5219\u670d\u52a1\u5668\u5b89\u5168\u5b8c\u5168\u4e0d\u662f\u95ee\u9898.<\/p>\n
\u63d0\u524d\u8bf4\u4e00\u5634, \u6211\u4e2a\u4eba\u662f\u624b\u52a8\u7ba1\u7406\u4e00\u5207, \u6240\u4ee5 Nginx \u7b49\u7684\u914d\u7f6e\u6587\u4ef6\u90fd\u662f\u624b\u6413\u7684(\u5927\u5bb6\u73a9\u9e21\u8fdf\u65e9\u4e5f\u4f1a\u8fc7\u6e21\u5230\u8fd9\u4e00\u9636\u6bb5). \u5f88\u591a\u65b0\u624b\u7528\u7684\u5b9d\u5854, \u5305\u62ec\u6211\u4e00\u5f00\u59cb\u4e5f\u662f, \u65b9\u4fbf\u662f\u65b9\u4fbf, \u4ee3\u4ef7\u4e5f\u5f88\u5927. \u5b9d\u5854\u672c\u8eab\u6743\u9650\u592a\u9ad8, \u70b8\u4e2a\u96f6\u65e5\u6f0f\u6d1e\u5c31\u662f\u5927\u95ee\u9898, \u66f4\u4e0d\u7528\u8bf4\u662f\u95ed\u6e90\u7684, \u80cc\u540e\u5e72\u5565\u4e5f\u4e0d\u77e5\u9053, \u4f1a\u6536\u96c6\u670d\u52a1\u5668\u4fe1\u606f\u4e0a\u4f20\u4e4b\u7c7b\u7684\u4f20\u95fb\u4e5f\u662f\u6709\u7684. \u6240\u4ee5\u9010\u6e10\u719f\u6089 Linux \u64cd\u4f5c\u540e\u6211\u5c31\u4e0d\u7528\u4e86. \u6240\u4ee5, \u672c\u6587\u5f53\u4e2d\u7684\u547d\u4ee4, \u5efa\u8bae\u5728\u5168\u65b0\u7684\u7cfb\u7edf\u4e2d\u6267\u884c, \u7279\u522b\u662f\u65b0\u624b\u5403\u4e0d\u51c6\u547d\u4ee4\u7684\u542b\u4e49\u7684\u65f6\u5019. \u5f53\u7136, \u5982\u679c\u662f\u8001\u624b, \u4e00\u770b\u5c31\u61c2\u5566, \u6211\u4e5f\u53ea\u662f\u603b\u7ed3\u4e00\u4e0b.<\/p>\n
\u8981\u5b8c\u5168\u505a\u5230\u5b89\u5168\u662f\u4e0d\u53ef\u80fd\u7684, \u7edd\u5927\u591a\u6570\u4eba\u4e5f\u4e0d\u662f\u7f51\u7edc\u5b89\u5168\u4ece\u4e1a\u8005, \u672c\u5e16\u4e3b\u8981\u9762\u5411\u65b0\u624b\u626b\u76f2, \u522b\u72af\u4f1a\u88ab\u811a\u672c\u5c0f\u5b50\u5229\u7528\u7684\u95ee\u9898\u5c31\u597d.<\/p>\n
\u4ee5\u4e0b\u6559\u7a0b\u6d89\u53ca\u7684\u547d\u4ee4\u5747\u57fa\u4e8e Debian 12. \u6b64\u5904\u7ea6\u5b9a<\/strong>: \u66f4\u65b0\u5b8c\u6210\u540e\u5efa\u8bae\u91cd\u542f\u4e00\u4e0b: \u6ce8\u610f:<\/p>\n Ref: Debian 10 \u5347\u7ea7 Debian 11<\/a> \u5b8c\u6210\u7cfb\u7edf\u66f4\u65b0\u540e, \u5c31\u53ef\u4ee5\u4e0b\u4e00\u6b65\u4e86.<\/p>\n TL,DR: \u52a1\u5fc5\u914d\u7f6e\u5bc6\u94a5\u767b\u9646, \u907f\u514d\u4f7f\u7528\u5bc6\u7801\u767b\u9646, \u66f4\u4e0d\u7528\u8bf4\u5f31\u5bc6\u7801!<\/strong><\/p>\n \u5efa\u8bae\u672c\u5730\u751f\u6210\u516c\u79c1\u94a5\u518d\u624b\u52a8\u4e0a\u4f20\u516c\u94a5, \u4e0d\u8981\u628a SSH \u767b\u9646\u79c1\u94a5\u6254\u670d\u52a1\u5668\u4e0a<\/strong>!<\/p>\n Powershell \u6267\u884c \u6b64\u5904\u547d\u4ee4\u914d\u7f6e sshd_config, \u65b0\u673a\u5668\u65e0\u8111\u7167\u642c\u5c31\u884c, \u6709\u81ea\u5b9a\u4e49\u8bbe\u7f6e\u7684\u5c31\u522b\u76f4\u63a5\u6267\u884c, \u5230\u8fd9 SSH \u5c31\u975e\u5e38\u5b89\u5168\u5566~ \u4e5f\u6709\u4eba\u5efa\u8bae\u7528 fail2ban, \u5176\u5b9e\u6ca1\u5565\u5fc5\u8981, \u5bc6\u94a5\u767b\u9646\u9664\u975e\u670d\u52a1\u5668\u65e9\u5df2\u7ecf\u88ab\u653b\u9677\u6216\u8005\u79c1\u94a5\u6cc4\u9732\u5728\u91cf\u5b50\u8ba1\u7b97\u673a\u6210\u719f\u524d\u4e0d\u53ef\u80fd\u88ab\u7834\u89e3\u54c8\u54c8\u54c8. \u4e0b\u4e00\u6b65, \u6211\u4eec\u914d\u7f6e\u9632\u706b\u5899~<\/p>\n \u817e\u8baf\u4e91\u7b49\u5927\u5382\u7684\u670d\u52a1\u5668\u90fd\u5e26\u6709\u5b89\u5168\u7ec4, \u4e3b\u673a\u5c31\u57fa\u672c\u4e0d\u7528\u53e6\u5916\u5b89\u88c5\u9632\u706b\u5899\u4e86, \u5176\u4f59\u5546\u5bb6\u9ed8\u8ba4\u8ba4\u4e3a\u6ca1\u6709\u5b89\u5168\u7ec4, \u9700\u8981\u6211\u4eec\u81ea\u5df1\u5728 VPS \u4e0a\u914d\u7f6e\u9632\u706b\u5899, Debian \u7cfb\u5217\u4f7f\u7528 ufw.<\/p>\n \u5e38\u7528\u547d\u4ee4\u53c2\u8003(\u66f4\u591a\u6b64\u5904\u6ca1\u5217\u51fa\u7684\u547d\u4ee4\u8bf7\u76f4\u63a5\u6267\u884c \u542f\u7528 UFW: \u7981\u7528 UFW: \u5217\u51fa\u5f53\u524d\u6d3b\u52a8\u89c4\u5219(\u8be6\u7ec6\u5730): \u5217\u51fa\u5f53\u524d\u6d3b\u52a8\u89c4\u5219(\u5e26\u5e8f\u53f7): \u5141\u8bb8\u67d0 CIDR \u8bbf\u95ee\u672c\u673a\u6240\u6709\u7aef\u53e3: \u963b\u6b62\u67d0 CIDR \u8bbf\u95ee\u672c\u673a\u6240\u6709\u7aef\u53e3: \u5141\u8bb8\u8bbf\u95ee\u67d0\u7aef\u53e3: \u5bf9\u67d0\u4e00 CIDR \u66b4\u9732\u67d0\u7aef\u53e3: \u963b\u6b62\u8bbf\u95ee\u67d0\u7aef\u53e3: \u5bf9\u67d0\u4e00 CIDR \u963b\u6b62\u8bbf\u95ee\u67d0\u7aef\u53e3: \u5220\u9664\u67d0\u89c4\u5219: \u53ef\u4ee5\u662f\u4f60\u539f\u6765\u6267\u884c\u7684\u547d\u4ee4 RULE, \u5982\u539f\u6765\u6267\u884c\u4e86 \u8fd8\u53ef\u4ee5\u662f\u524d\u9762\u63d0\u5230\u7684\u89c4\u5219\u5e8f\u53f7 NUM<\/p>\n<\/li>\n \u5c06\u89c4\u5219 RULE \u63d2\u5165\u89c4\u5219\u5217\u8868\u4f4d\u7f6e NUM: , \u5982 \u66f4\u591a\u5730<\/p>\n Docker \u5e72\u9884 iptables \u5bfc\u81f4\u5f02\u5e38\u66b4\u9732\u7aef\u53e3\u7684\u95ee\u9898<\/strong> \u8bc4\u8bba\u533a #10 \u63d0\u5230<\/p>\n \u5b89\u88c5 Docker \u540e, \u52a1\u5fc5\u7f16\u8f91 \u6ce8\u610f: \u4eb2\u6d4b\u4e0d\u80fd\u4fee\u6539 Ref: https:\/\/webcache.googleusercontent.com\/search?q=cache:QqmiCta8mNwJ:https:\/\/blog.gujiakai.top\/2023\/03\/will-docker-container-be-limited-by-firewall.html&cd=14&hl=zh-CN&ct=clnk<\/a> Nginx \u6cc4\u9732\u6e90\u7ad9\u8bc1\u4e66, \u5bfc\u81f4\u6e90\u7ad9\u66b4\u9732\u662f\u76f8\u5f53\u5e38\u89c1\u95ee\u9898\u4e86. \u81ea 1.19.4 \u8d77, Nginx \u652f\u6301 \u4ee5\u4e0b\u793a\u4f8b\u57fa\u4e8e Nginx 1.25.1, \u914d\u7f6e\u6587\u4ef6\u4fdd\u5b58\u5728 \/etc\/nginx\/conf.d \u76ee\u5f55\u4e0b, \u8fd9\u4e5f\u662f\u901a\u8fc7 apt \u5b89\u88c5 nginx \u7684\u9ed8\u8ba4\u4f4d\u7f6e. \u6ce8\u610f, \u5728\u6b64\u4e4b\u524d\u5728\u522b\u7684\u914d\u7f6e\u6587\u4ef6\u914d\u7f6e\u4e86 default_server \u7684, \u8bb0\u5f97\u53bb\u5220\u6389, \u867d\u7136\u6ca1\u5220\u6389 nginx \u4e5f\u542f\u52a8\u4e0d\u4e86.<\/p>\n \u4f7f\u7528\u65e7\u4e8e 1.19.4 \u7684 nginx, \u81ea\u7b7e\u8bc1\u4e66\u5427, \u6b64\u5904\u6309\u4e0b\u4e0d\u8868 (\u867d\u7136\u6211\u4e5f\u5728\u914d\u7f6e\u6587\u4ef6\u91cc\u4f53\u73b0\u4e86)<\/p>\n TL,DR: \u4e0d\u8981\u8bbe\u7f6e DNS \u76f4\u63a5\u6307\u5411\u6e90\u7ad9, \u4f7f\u7528\u6cdb\u57df\u540d\u8bc1\u4e66<\/p>\n \u5e2e\u52a9\u597d\u51e0\u4e2a UP \u6392\u67e5\u6e90\u7ad9\u6cc4\u9732\u7684\u539f\u56e0, DNS \u6cc4\u9732\u662f\u4e2a\u76f8\u5f53\u5e38\u89c1\u7684\u539f\u56e0. \u6240\u4ee5, \u4e0d\u8981\u8bbe\u7f6e DNS \u76f4\u63a5\u6307\u5411\u6e90\u7ad9<\/strong>! \u5c31\u7b97\u540e\u9762\u6539\u4e3a CNAME \u5230 CDN \u7684\u57df\u540d, DNS \u8bb0\u5f55\u662f\u53ef\u4ee5\u67e5\u5386\u53f2\u7684!<\/p>\n \u5176\u6b21, \u5b50\u57df\u540d\u7206\u7834\u662f\u67e5\u6e90\u7ad9\u5e38\u7528\u65b9\u6cd5\u4e86, \u6709\u4e2a\u975e\u5e38\u597d\u7528\u7684\u67e5\u5b50\u57df\u540d\u7684\u65b9\u6cd5\u662f crt.sh<\/a>, \u539f\u7406\u662f\u67e5 SSL \u8bc1\u4e66\u9881\u53d1\u8bb0\u5f55, \u6240\u4ee5, \u63a8\u8350\u4f7f\u7528\u6cdb\u57df\u540d\u8bc1\u4e66<\/strong>.<\/p>\n \u8fd8\u6709 RDNS, \u4e0d\u8fc7\u4e00\u822c\u6ca1\u4eba\u4f1a\u5c06\u81ea\u5df1\u670d\u52a1\u5668 IP \u7684 RDNS \u914d\u7f6e\u4e3a\u81ea\u5df1\u7684\u57df\u540d, \u8bb8\u591a\u5546\u5bb6\u4e5f\u6ca1\u63d0\u4f9b\u8fd9\u4e2a\u529f\u80fd, \u6b64\u5904\u6309\u4e0b\u4e0d\u8868.<\/p>\n \u672c\u5904\u53ea\u4ecb\u7ecd Zerotier \u7ec4\u5efa\u865a\u62df\u5185\u7f51, tailscale \u7b49\u5176\u4ed6\u865a\u62df\u5185\u7f51\u65b9\u6848\u6211\u6ca1\u7528\u8fc7.<\/p>\n \u4e3a\u4ec0\u4e48\u8981\u865a\u62df\u5185\u7f51? \u539f\u56e0\u5f88\u7b80\u5355, \u642d\u5efa\u975e\u516c\u5f00\u7684\u670d\u52a1, \u5982\u4e2a\u4eba\u7684 emby \u5a92\u4f53\u5e93\u670d\u52a1\u53ea\u7ed9\u8ba4\u8bc6\u7684\u4eba\u7528, \u8fd8\u6709\u81ea\u5df1\u7ba1\u7406\u7684\u670d\u52a1\u5668\u95f4\u901a\u8fc7 socks5 \u7b49\u975e\u52a0\u5bc6\u4ee3\u7406\u534f\u8bae\u8bbf\u95ee\u5bf9\u65b9, \u4f7f\u7528\u865a\u62df\u5185\u7f51\u670d\u52a1\u5668\u65e0\u9700\u66b4\u9732\u76f8\u5e94\u7aef\u53e3, \u5927\u5927\u964d\u4f4e\u5b89\u5168\u98ce\u9669. \u597d\u5904\u591a\u591a\u53ef\u4ee5\u8bf4\u4e86. \u4f7f\u7528\u865a\u62df\u5185\u7f51\u540e, \u670d\u52a1\u5668\u53ea\u9700\u8981\u66b4\u9732 9993 \u7aef\u53e3(zerotier), SSH \u90fd\u4e0d\u7528\u66b4\u9732\u5728\u516c\u7f51, \u9664\u975e zerotier \u51fa\u4e86\u81f4\u547d\u96f6\u65e5\u6f0f\u6d1e, \u5426\u5219\u5b89\u5168\u7684\u5f88.<\/p>\n \u5f53\u7136, \u591a\u63d0\u4e00\u5634, \u7531\u4e8e\u56fd\u5185 v4 \u666e\u904d\u4e3a NAT4, P2P \u4e0d\u53ef\u80fd\u6253\u6d1e, \u5bfc\u81f4\u5ba2\u6237\u7aef\u95f4\u4e92\u8054\u53ea\u80fd relay \u6a21\u5f0f\u901a\u8fc7\u56fd\u5916\u670d\u52a1\u5668\u4e2d\u8f6c, \u901f\u5ea6\u53ef\u60f3\u800c\u77e5. \u540c\u65f6, zerotier \u7b49\u865a\u62df\u5185\u7f51\u65b9\u6848\u666e\u904d\u8d70 UDP (\u6709 TCP \u7684\u6b22\u8fce\u8e22\u6211\u4e00\u811a\u6211\u770b\u770b), \u90e8\u5206\u8fd0\u8425\u5546\u5bf9 UDP \u7684 QoS \u76f8\u5f53\u4e25\u91cd, \u6216\u8005\u670d\u52a1\u5668\u7ebf\u8def\u5dee, \u865a\u62df\u5185\u7f51\u8fde\u63a5\u8d28\u91cf\u4e5f\u4f1a\u5f88\u5dee, \u6240\u4ee5\u4e5f\u975e\u4e07\u91d1\u6cb9\u65b9\u6848. \u503c\u5f97\u9ad8\u5174\u7684\u662f, v6 \u7684\u666e\u53ca\u8ba9 NAT4 \u7684\u5f71\u54cd\u6ca1\u90a3\u4e48\u5927\u4e86, \u53ea\u8981\u53cc\u65b9\u6709 v6, \u901a\u8fc7 zerotier \u8f7b\u677e P2P \u76f4\u8fde. \u8fd9\u5c31\u662f\u9898\u5916\u8bdd\u4e86.<\/p>\n \u56de\u5f52\u6b63\u9898, \u5982\u4f55\u7ec4\u5efa zerotier \u5185\u7f51? \u6b64\u5904\u4ec5\u4ecb\u7ecd\u4e00\u822c\u6d41\u7a0b, \u81ea\u5efa moon \/ planet \u7b49\u9ad8\u7ea7\u7528\u6cd5\u4e0d\u505a\u4ecb\u7ecd.<\/p>\n P.S. Zerotier \u5b98\u65b9\u7248\u9650\u5236\u6700\u591a 25 \u8bbe\u5907, \u5982\u679c\u8bbe\u5907\u975e\u5e38\u591a, \u53ea\u80fd\u81ea\u5efa zerotier, \u6b64\u5904\u4e0d\u6d89\u53ca, \u4e00\u822c\u4e5f\u7528\u4e0d\u5230.<\/p>\n \u5047\u8bbe VPS \u662f\u865a\u62df\u5185\u7f51 IP \u662f 10.10.0.1, 8000 \u7aef\u53e3\u5efa\u4e86\u4e2a Alist, \u8bd5\u8bd5\u8bbf\u95ee 10.10.0.1:8000? \u80fd\u6253\u5f00\u5c31\u662f\u6210\u529f\u5566. SSH \u4e5f\u8bd5\u8bd5?<\/p>\n \u53ea\u80fd\u8bf4, Cloudflare \u662f\u6700\u4f1f\u5927\u7684 CDN \u5382\u5546 (\u66b4\u8bba!) \u514d\u8d39\u625b DDoS, \u4e00\u5806\u514d\u8d39\u597d\u7528\u7684\u529f\u80fd, \u9664\u4e86\u56fd\u5185\u8bbf\u95ee\u901f\u5ea6\u6162\u70b9\u800c\u5df2…<\/p>\n \u6b64\u5904\u4ecb\u7ecd\u901a\u8fc7 Cloudflare ZeroTrust \u91cc\u9762\u7684 Tunnel \u529f\u80fd\u505a\u5230\u670d\u52a1\u5668\u4e0d\u66b4\u9732 HTTPS \u7aef\u53e3\u5efa\u7ad9, \u5b89\u5168\u6027 UP \u4e00\u5927\u622a. \u6211\u4eec\u540e\u9762\u9ed8\u8ba4\u4f60\u5df2\u7ecf\u6ce8\u518c\u5e76\u7528\u8fc7\u4e86 Cloudflare.<\/p>\n{}<\/code> \u53ca\u5176\u62ec\u8d77\u6765\u7684\u5185\u5bb9\u4e3a\u6839\u636e\u4f60\u5b9e\u9645\u60c5\u51b5\u9700\u8981\u66ff\u6362\u7684\u6587\u672c\u5185\u5bb9, \u62ec\u8d77\u6765\u7684\u5185\u5bb9\u4e3a\u8bf4\u660e, \u5982 ssh {user}@{server ip}<\/code> \u4e3a ssh \u8fde\u63a5\u670d\u52a1\u5668\u7684\u547d\u4ee4, \u5047\u8bbe\u7528\u6237\u4e3a root<\/code>, \u670d\u52a1\u5668 IP \u4e3a 114.5.1.4<\/code>, \u5219\u4e3a ssh root@114.5.1.4<\/code><\/p>\n\u7cfb\u7edf\u66f4\u65b0<\/h2>\n
\n
apt update && apt upgrade -y && apt dist-upgrade -y && apt full-upgrade -y && apt autoremove -y<\/code><\/pre>\nreboot<\/code><\/p>\n\n
\n
\nRef: Debian 11 \u5347\u7ea7 Debian 12<\/a><\/p>\nSSH \u5b89\u5168\u7bc7<\/h2>\n
1. \u914d\u7f6e\u5bc6\u94a5\u767b\u9646<\/h3>\n
\n
\n
ssh-keygen -o -a 256 -t ed25519<\/code>, \u6b64\u5904 ed25519 \u662f\u52a0\u5bc6\u7b97\u6cd5\u7684\u4e00\u79cd, \u4e0d\u7528\u7406\u4f1a. \u63d0\u793a\u8f93\u5165\u5c06\u79c1\u94a5\u4fdd\u5b58\u5728\u54ea\u91cc, \u9ed8\u8ba4\u4fdd\u5b58\u5728 C:\\Users\\{your user name}\/.ssh\/<\/code>, \u6587\u4ef6\u540d id_ed25519<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\nGenerating public\/private ed25519 key pair.\nEnter file in which to save the key (C:\\Users\\Hantong\/.ssh\/id_ed25519):<\/code><\/pre>\n\n
Enter passphrase (empty for no passphrase):<\/code><\/pre>\n\n
Enter same passphrase again:<\/code><\/pre>\n\n
C:\\Users\\Hantong\/.ssh\/id_ed25519.pub<\/code> \u5c31\u662f\u63a5\u4e0b\u6765\u5c06\u4fdd\u5b58\u5230\u670d\u52a1\u5668\u7684\u516c\u94a5, C:\\Users\\Hantong\/.ssh\/id_ed25519<\/code> \u5c31\u662f\u767b\u9646\u7528\u7684\u79c1\u94a5<\/li>\n<\/ul>\nYour identification has been saved in C:\\Users\\Hantong\/.ssh\/id_ed25519.\nYour public key has been saved in C:\\Users\\Hantong\/.ssh\/id_ed25519.pub.\nThe key fingerprint is:\n***\nThe key's randomart image is:\n***<\/code><\/pre>\n\n
C:\\Users\\Hantong\/.ssh\/id_ed25519.pub<\/code>\u5e76\u590d\u5236\u5185\u5bb9\u5230\u526a\u8d34\u677f\u5907\u7528<\/li>\ncd ~\/.ssh # \u6587\u4ef6\u5939\u4e0d\u5b58\u5728\u5c31 mkdir ~\/.ssh\nnano authorized_keys # \u7f16\u8f91 authorized_keys, \u5c06\u521a\u521a\u590d\u5236\u7684\u516c\u94a5\u6587\u4ef6\u5185\u5bb9\u7c98\u8d34\u8fdb\u53bb, \u4fdd\u5b58\u5373\u53ef\nchmod 600 authorized_keys # \u914d\u7f6e\u6587\u4ef6\u6743\u9650\nsystemctl restart sshd # \u91cd\u542f SSH \u670d\u52a1<\/code><\/pre>\n\n
ssh -i "{\/entire\/path\/to\/your\/privkey\/with\/filename}" {user}@{server ip}<\/code>, \u6309\u63d0\u793a\u6765\u5c31\u884c, \u63d0\u793a\u4fdd\u5b58\u5230 known_host \u5c31 yes, \u524d\u9762\u7ed9\u79c1\u94a5\u8bbe\u7f6e\u4e86\u5bc6\u7801\u63d0\u793a\u8f93\u5bc6\u7801\u5c31\u8f93\u5bc6\u7801.<\/p>\n\n
cat <<'TEXT' > \/etc\/ssh\/sshd_config<\/code> \u540e TEXT<\/code> \u524d\u7684\u5185\u5bb9\u4e3a sshd_config \u7684\u5185\u5bb9, \u81ea\u884c\u624b\u52a8\u7f16\u8f91\u5c31\u884c. \u7f16\u8f91\u524d\u5efa\u8bae\u5907\u4efd\u4e00\u4e0b\u539f\u6765\u7684.<\/p>\nmv \/etc\/ssh\/sshd_config \/etc\/ssh\/sshd_config.b\ncat <<'TEXT' > \/etc\/ssh\/sshd_config\nInclude \/etc\/ssh\/sshd_config.d\/*.conf\n# \u7aef\u53e3, \u9ed8\u8ba422\n#Port 22\n# \u76d1\u542c\u5730\u5740\u76f8\u5173, \u4e0d\u9700\u4fee\u6539\n#AddressFamily any\n#ListenAddress 0.0.0.0\n#ListenAddress ::\n# Ciphers and keying\n#RekeyLimit default none\n# \u65e5\u5fd7\n# \u6307\u5b9a\u5c06\u65e5\u5fd7\u6d88\u606f\u901a\u8fc7\u54ea\u4e2a\u65e5\u5fd7\u5b50\u7cfb\u7edf(facility)\u53d1\u9001\nSyslogFacility AUTH\n# \u6307\u5b9a\u65e5\u5fd7\u7b49\u7ea7\nLogLevel INFO\n# \u9274\u6743\n# \u9650\u5236\u7528\u6237\u5fc5\u987b\u5728\u6307\u5b9a\u7684\u65f6\u9650(\u5355\u4f4d\u79d2)\u5185\u8ba4\u8bc1\u6210\u529f\nLoginGraceTime 2m\n# \u5141\u8bb8root\u7528\u6237\u767b\u5f55\nPermitRootLogin yes\n# \u6307\u5b9a\u662f\u5426\u8981\u6c42sshd(8)\u5728\u63a5\u53d7\u8fde\u63a5\u8bf7\u6c42\u524d\u5bf9\u7528\u6237\u4e3b\u76ee\u5f55\u548c\u76f8\u5173\u7684\u914d\u7f6e\u6587\u4ef6\u8fdb\u884c\u5bbf\u4e3b\u548c\u6743\u9650\u68c0\u67e5\nStrictModes yes\n# \u6307\u5b9a\u6bcf\u4e2a\u8fde\u63a5\u6700\u5927\u5141\u8bb8\u7684\u8ba4\u8bc1\u6b21\u6570\nMaxAuthTries 6\n# \u6700\u5927\u5141\u8bb8\u4fdd\u6301\u591a\u5c11\u4e2a\u8fde\u63a5\u3002\u9ed8\u8ba4\u503c\u662f 10\nMaxSessions 16\n# \u662f\u5426\u5f00\u542f\u516c\u94a5\u8ba4\u8bc1, \u4ec5\u53ef\u4ee5\u7528\u4e8eSSH-2. \u9ed8\u8ba4\u503c\u4e3a"yes"\nPubkeyAuthentication yes\n# \u662f\u5426\u5141\u8bb8\u5bc6\u7801\u9a8c\u8bc1\nPasswordAuthentication no\n# \u662f\u5426\u5141\u8bb8\u7a7a\u5bc6\u7801\nPermitEmptyPasswords no\n# \u662f\u5426\u5141\u8bb8\u8d28\u7591-\u5e94\u7b54(challenge-response)\u8ba4\u8bc1\nChallengeResponseAuthentication no\n# \u662f\u5426\u901a\u8fc7PAM\u9a8c\u8bc1\nUsePAM yes\n# \u662f\u5426\u5141\u8bb8X11\u8f6c\u53d1\nX11Forwarding yes\n#X11DisplayOffset 10\n#X11UseLocalhost yes\n# \u6307\u5b9asshd\u662f\u5426\u5728\u6bcf\u4e00\u6b21\u4ea4\u4e92\u5f0f\u767b\u5f55\u65f6\u6253\u5370 \/etc\/motd \u6587\u4ef6\u7684\u5185\u5bb9\nPrintMotd no\n# \u6307\u5b9asshd\u662f\u5426\u5728\u6bcf\u4e00\u6b21\u4ea4\u4e92\u5f0f\u767b\u5f55\u65f6\u6253\u5370\u6700\u540e\u4e00\u4f4d\u7528\u6237\u7684\u767b\u5f55\u65f6\u95f4\nPrintLastLog yes\n# \u914d\u7f6e\u8d85\u65f6\nTCPKeepAlive yes\nClientAliveInterval 120\nClientAliveCountMax 10\n# \u914d\u7f6ePid\nPidFile \/var\/run\/sshd.pid\n# Allow client to pass locale environment variables\nAcceptEnv LANG LC_*\n# override default of no subsystems\nSubsystem sftp \/usr\/lib\/openssh\/sftp-server\nTEXT\nservice sshd restart<\/code><\/pre>\n\u9632\u706b\u5899\u7bc7<\/h2>\n
\n
apt update && apt upgrade -y\napt install ufw -y\n# \u5b89\u88c5\u5b8c\u6bd5\u540e, \u5f00\u59cb\u914d\u7f6e ufw\nufw default deny incoming # \u9ed8\u8ba4\u963b\u6b62\u5165\u7ad9\nufw default allow outgoing # \u9ed8\u8ba4\u5141\u8bb8\u51fa\u7ad9\n# ufw allow 9993 # \u5982\u679c\u8981\u7528 Zerotier, \u8bb0\u5f97\u5141\u8bb8 9993 \u8fdb\u51fa\u7ad9\nufw allow 22 # SSH \u7aef\u53e3, \u6839\u636e\u5b9e\u9645\u60c5\u51b5\u586b\u5199\u7aef\u53e3\nufw allow 443 # HTTPS\n# \u7acb\u5373\u542f\u7528 ufw, \u63d0\u793a\u53ef\u80fd\u4e2d\u65ad\u5f53\u524d SSH \u8fde\u63a5, \u6309 y \u7ee7\u7eed\u5373\u53ef\nufw enable<\/code><\/pre>\n\n
ufw<\/code>, ufw \u4f1a\u544a\u8bc9\u4f60\u7528\u6cd5, \u6216\u8005 Google \u4e00\u4e0b)<\/p>\n\n
ufw enable<\/code><\/p>\n<\/li>\nufw disable<\/code><\/p>\n<\/li>\nufw status verbose<\/code><\/p>\n<\/li>\nufw status numbered<\/code> # \u6b64\u5904\u5e8f\u53f7\u6807\u8bc6\u4e86\u6b64\u6761\u89c4\u5219<\/p>\n<\/li>\nufw allow from {CIDR}<\/code><\/p>\n<\/li>\nufw deny from {CIDR}<\/code><\/p>\n<\/li>\nufw allow {PORT}<\/code><\/p>\n<\/li>\nufw allow from {CIDR} to any port {PORT}<\/code><\/p>\n<\/li>\nufw deny {PORT}<\/code><\/p>\n<\/li>\nufw deny from {CIDR} to any port {PORT}<\/code><\/p>\n<\/li>\nufw delete {RULE}|{NUM}<\/code><\/p>\n<\/li>\nufw allow 443<\/code>, \u8981\u5220\u9664\u6b64\u89c4\u5219, \u5c31\u662f ufw delete allow 443<\/code>, \u5176\u4ed6\u4f9d\u6b64\u7c7b\u63a8<\/p>\n<\/li>\nufw insert {NUM} {RULE}<\/code><\/p>\n<\/li>\n<\/ul>\nufw insert 1 allow 443<\/code>\u8868\u793a\u5c06\u89c4\u5219allow 443<\/code> \u63d2\u5165\u5230\u89c4\u5219\u5217\u8868\u7b2c\u4e00\u4f4d<\/p>\n\n
\u5e8f\u53f7<\/code>, \u56e0\u4e3a ufw \u89c4\u5219\u5305\u62ec v6 \u89c4\u5219, \u800c\u4f7f\u7528 ufw status numbered<\/code> \u5217\u51fa\u89c4\u5219\u5217\u8868\u65f6, v6 \u7684\u89c4\u5219\u7684\u89c4\u5219\u662f\u63a5\u7740 v4 \u7684\u7ee7\u7eed\u5217\u4e0b\u53bb\u7684.<\/li>\n<\/ul>\n<\/li>\n\n
Cloudflared<\/code>.<\/li>\n\/etc\/docker\/daemon.json<\/code>(\u6ca1\u6709\u5c31\u65b0\u5efa\u4e00\u4e2a), \u8bbe\u7f6e ip<\/code> \u4e3a 127.0.0.1<\/code>, \u9632\u6b62 docker \u81ea\u5df1\u4fee\u6539\u4e86 iptable \u5bfc\u81f4 ufw \u5931\u6548. \u4fee\u6539\u5b8c\u6bd5\u540e\u6267\u884c systemctl daemon-reload && systemctl restart docker<\/code> \u91cd\u542f Docker \u670d\u52a1.
\n\u6ce8\u610f, \/etc\/docker\/daemon.json<\/code> \u5e94\u5f53\u662f\u6709\u6548\u7684 json. \u4e0b\u9762\u662f\u4e2a\u53c2\u8003(\u66f4\u591a\u5730: \u5f00\u542f\u4e86 IPv6 \u652f\u6301, \u914d\u7f6e\u4e86 DNS. \u56fd\u5916\u670d\u52a1\u5668\u81ea\u884c\u66ff\u6362\u4e3a 1.1.1.1<\/code>, 8.8.8.8<\/code>):<\/p>\n{\n "dns":[\n "119.29.29.29",\n "223.5.5.5"\n ],\n "ipv6":true,\n "fixed-cidr-v6":"fd00:db8:1::\/64",\n "experimental":true,\n "ip6tables":true,\n "ip":"127.0.0.1"\n}<\/code><\/pre>\n\/lib\/systemd\/system\/docker.service<\/code> \u52a0\u4e0a --iptables=false<\/code>, \u5426\u5219 Docker \u65e0\u6cd5\u542f\u52a8. \u4fee\u6539 \/etc\/docker\/daemon.json<\/code> \u52a0\u4e0a { "iptables" : false }<\/code> \u672c\u8d28\u4e00\u6837.<\/p>\n
\nRef: https:\/\/askubuntu.com\/questions\/652556\/uncomplicated-firewall-ufw-is-not-blocking-anything-when-using-docker<\/a>
\nRef: https:\/\/docs.docker.com\/network\/packet-filtering-firewalls\/<\/a><\/p>\nNginx \u7bc7<\/h2>\n
ssl_reject_handshake<\/code> \u53c2\u6570, \u8bbe\u7f6e\u4e3a on, \u5f53\u5ba2\u6237\u7aef\u4f20\u8fc7\u6765\u7684 SNI \u4e0e\u5df2\u914d\u7f6e\u7684 server name \u90fd\u4e0d\u5339\u914d\u65f6, \u4f1a\u62d2\u7edd SSL \u63e1\u624b, \u8fdb\u800c\u907f\u514d\u8bc1\u4e66\u6cc4\u9732.<\/p>\ncat <<'TEXT' > nxdomain.conf<\/code> \u540e TEXT<\/code> \u524d\u5373\u4e3a\u914d\u7f6e\u6587\u4ef6\u5185\u5bb9. \u4f7f\u7528\u975e\u6b63\u5e38\u9014\u5f84\u5b89\u88c5\u7684 nginx \u8bf7\u81ea\u884c\u627e\u914d\u7f6e\u6587\u4ef6\u76ee\u5f55, \u65b0\u5efa\u4e2a nxdomain.conf \u6587\u4ef6\u628a\u5185\u5bb9\u8d34\u8fdb\u53bb\u5c31\u884c.<\/p>\ncd \/etc\/nginx\/conf.d\ncat <<'TEXT' > nxdomain.conf\nserver\n{\n listen 80 default_server; # \u8bbe\u7f6e80\u7aef\u53e3\u9ed8\u8ba4\u4e3a\u6b64\u7ad9\u70b9\n listen 443 ssl default_server; # \u8bbe\u7f6e443\u7aef\u53e3\u9ed8\u8ba4\u4e3a\u6b64\u7ad9\u70b9\n listen 443 quic reuseport; # 1.25.0+ QUIC \u5e76\u5165\u4e3b\u7ebf\u4e86\n server_name _; # \u9ed8\u8ba4\u63a5\u53d7\u6240\u6709\n # ssl_certificate \/etc\/nginx\/certs\/nxdomain\/fullchain.pem;\n # ssl_certificate_key \/etc\/nginx\/certs\/nxdomain\/privkey.pem;\n ssl_reject_handshake on;\n return 444; # \u76f4\u63a5\u5207\u65ad\u8fde\u63a5, \u7701\u70b9\u6d41\u91cf\n # access_log \/www\/logs\/nxdomain.com.log details;\n}\nTEXT\nsystemctl restart nginx<\/code><\/pre>\nDNS \u53ca SSL \u7bc7<\/h2>\n
\n\u540e\u9762\u7684\u4e24\u4e2a\u89e3\u51b3\u65b9\u6848\u662f\u6211\u4e2a\u4eba\u89c9\u5f97\u6bd4\u8f83\u597d\u7684, \u4f46\u662f\u6bcf\u4e2a\u4eba\u60c5\u51b5\u4e0d\u4e00\u6837, \u4ec5\u4f9b\u53c2\u8003, \u6b22\u8fce\u5927\u5bb6\u5206\u4eab\u81ea\u5df1\u7684\u65b9\u6cd5~<\/h2>\n
\n\u865a\u62df\u5185\u7f51\u7bc7(Zerotier)<\/h2>\n
\n
Create A Network<\/code>, \u4e0b\u9762\u5c31\u4f1a\u51fa\u73b0\u4e00\u4e2a network, \u70b9\u8fdb\u53bbBasics<\/code>\u8bbe\u7f6e\n\n
Advanced<\/code>\u8bbe\u7f6e<\/li>\nIPv4 Auto-Assign<\/code> \u5efa\u8bae\u9009\u62e9\u548c\u5bb6\u91cc\u5185\u7f51\u9519\u5f00\u7684\u5185\u7f51\u7f51\u5740\u6bb5, \u522b\u7528 192.168.**<\/code> \u8fd9\u79cd\u7528\u70c2\u4e86\u7684.<\/li>\nIPv6 Auto-Assign<\/code> \u6ca1\u5fc5\u8981, \u4e0d\u7528\u7ba1<\/li>\n<\/ul>\n<\/li>\nzerotier-cli join {Network ID}<\/code>, Network ID \u5c31\u662f\u524d\u9762\u63d0\u5230\u7684\u7f51\u7edc ID.<\/li>\nifconfig<\/code> \u5c31\u80fd\u770b\u5230\u5206\u914d\u7684 IP \u4e86, \u5f53\u7136\u4f60\u4e5f\u53ef\u4ee5\u81ea\u5df1\u5728\u63a7\u5236\u53f0\u624b\u52a8\u5206\u914d\u4e00\u4e2a.<\/li>\nufw allow 9993<\/code><\/li>\n<\/ul>\nCloudflare ZeroTrust Tunnel \u7bc7<\/h2>\n