喜欢 1
派生 0

最后活跃于 5 months ago

Init a server from cloud provider

anduin's Avatar anduin 修订了这个 Gist 5 months ago. 转到此修订

1 file changed, 1 insertion, 1 deletion

init.sh

@@ -124,7 +124,7 @@ print_ok "Hardening SSH settings"
124 124 run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; \
125 125 s/PasswordAuthentication yes/PasswordAuthentication no/; \
126 126 s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config && \
127 - sudo systemctl restart sshd"
127 + sudo systemctl restart sshd || sudo systemctl restart ssh"
128 128
129 129 # 9) Remove other non-system users
130 130 print_ok "Removing other users"

anduin's Avatar anduin 修订了这个 Gist 5 months ago. 转到此修订

1 file changed, 3 insertions, 2 deletions

init.sh

@@ -154,7 +154,8 @@ sudo tee /etc/fail2ban/jail.local > /dev/null <<EOJ
154 154 enabled = true
155 155 port = ssh
156 156 filter = sshd
157 - logpath = /var/log/auth.log
157 + backend = systemd
158 + logpath = journal
158 159 maxretry = 3
159 160 findtime = 600
160 161 bantime = 3600
@@ -239,4 +240,4 @@ print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"
239 240 # * Have the latest updates installed
240 241 # * Have sysbench installed for performance testing
241 242 # * Have a final benchmark run to verify CPU performance
242 - # * Have a final cleanup of unnecessary packages
243 + # * Have a final cleanup of unnecessary packages

anduin's Avatar anduin 修订了这个 Gist 5 months ago. 转到此修订

1 file changed, 4 insertions, 2 deletions

init.sh

@@ -91,13 +91,15 @@ run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NE
91 91 # 6) Generate & persist random password (once)
92 92 if run_remote "[ -f /etc/$NEWUSER.pass ]" &>/dev/null; then
93 93 # In this case, the password is already set
94 - print_ok "Reusing existing password for $NEWUSER"
95 - PASS_NEW=$(<"/etc/$NEWUSER.pass")
94 + print_ok "Don't have to change password. Reusing existing password for $NEWUSER"
95 + PASS_NEW=$(run_remote "sudo cat /etc/$NEWUSER.pass")
96 96 else
97 97 PASS_NEW=$(uuidgen)
98 98 print_ok "Setting password for $NEWUSER"
99 99 run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd"
100 100 run_remote "echo '$PASS_NEW' | sudo tee /etc/$NEWUSER.pass > /dev/null"
101 + run_remote "sudo chmod 600 /etc/$NEWUSER.pass"
102 + run_remote "sudo chown root:root /etc/$NEWUSER.pass"
101 103 print_ok "New password generated for $NEWUSER and persisted at /etc/$NEWUSER.pass. Please back it up! It can still be used to log in via serial console or rescue mode!"
102 104 fi
103 105

anduin's Avatar anduin 修订了这个 Gist 5 months ago. 转到此修订

1 file changed, 27 insertions, 4 deletions

init.sh

@@ -15,7 +15,7 @@ Green="\033[32m"; Red="\033[31m"; Yellow="\033[33m"; Blue="\033[36m"; Font="\033
15 15 OK="${Green}[ OK ]${Font}"; ERROR="${Red}[FAILED]${Font}"; WARN="${Yellow}[ WARN ]${Font}"
16 16
17 17 print_ok(){ echo -e "${OK} $1"; }
18 - print_error(){echo -e "${ERROR} $1"; }
18 + print_error(){ echo -e "${ERROR} $1"; }
19 19 print_warn(){ echo -e "${WARN} $1"; }
20 20
21 21 #-----------------------------------
@@ -36,7 +36,7 @@ areYouSure(){
36 36 run_local(){ print_ok "Local: $*"; "$@"; }
37 37 run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; }
38 38 wait_ssh(){
39 - print_ok "Waiting for SSH on $SERVER..."
39 + print_ok "Waiting for SSH on $SERVER... (Running ssh $REMOTE_USER@$SERVER)"
40 40 until sshpass -p "$REMOTE_PASS" ssh -q -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" exit; do
41 41 print_warn "SSH not ready, retrying in 5s..."
42 42 sleep 5
@@ -90,14 +90,15 @@ run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NE
90 90
91 91 # 6) Generate & persist random password (once)
92 92 if run_remote "[ -f /etc/$NEWUSER.pass ]" &>/dev/null; then
93 - PASS_NEW=$(run_remote "sudo cat /etc/$NEWUSER.pass")
93 + # In this case, the password is already set
94 94 print_ok "Reusing existing password for $NEWUSER"
95 + PASS_NEW=$(<"/etc/$NEWUSER.pass")
95 96 else
96 97 PASS_NEW=$(uuidgen)
97 98 print_ok "Setting password for $NEWUSER"
98 99 run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd"
99 100 run_remote "echo '$PASS_NEW' | sudo tee /etc/$NEWUSER.pass > /dev/null"
100 - print_ok "New password generated for $NEWUSER"
101 + print_ok "New password generated for $NEWUSER and persisted at /etc/$NEWUSER.pass. Please back it up! It can still be used to log in via serial console or rescue mode!"
101 102 fi
102 103
103 104 # 7) Copy SSH key (only if absent)
@@ -215,3 +216,25 @@ run_remote "sudo apt-get autoremove -y --purge && \
215 216 sudo apt-get autoremove -y sysbench --purge"
216 217
217 218 print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"
219 +
220 + # After this script, server will:
221 +
222 + # * Only allow SSH key login
223 + # * Root login disabled, password authentication disabled
224 + # * Have a new hostname set
225 + # * Have a new user with sudo privileges and can log in via SSH
226 + # * Have a random password stored securely at /etc/<new_user>.pass
227 + # * Have SSH key copied to authorized_keys so you can log in without a password
228 + # * Be hardened with UFW, Fail2Ban and allowed SSH connections(only)
229 + # * Have BBR enabled for better network performance
230 + # * Have the latest HWE kernel installed
231 + # * Have the best mirror selected for package updates
232 + # * Have snap removed
233 + # * Have CPU performance tuned to 'performance' mode
234 + # * Have timezone set to GMT
235 + # * Have all unnecessary users removed (Check /etc/passwd for remaining users)
236 + # * Have all unnecessary packages removed
237 + # * Have the latest updates installed
238 + # * Have sysbench installed for performance testing
239 + # * Have a final benchmark run to verify CPU performance
240 + # * Have a final cleanup of unnecessary packages

anduin's Avatar anduin 修订了这个 Gist 5 months ago. 转到此修订

1 file changed, 65 insertions, 49 deletions

init.sh

@@ -1,6 +1,6 @@
1 1 #!/usr/bin/env bash
2 2 #===============================================================================
3 - # Concise server preparation script with error confirmation
3 + # Concise server preparation script with error confirmation (idempotent)
4 4 #===============================================================================
5 5
6 6 set -euo pipefail
@@ -14,8 +14,8 @@ export DEBIAN_FRONTEND=noninteractive
14 14 Green="\033[32m"; Red="\033[31m"; Yellow="\033[33m"; Blue="\033[36m"; Font="\033[0m"
15 15 OK="${Green}[ OK ]${Font}"; ERROR="${Red}[FAILED]${Font}"; WARN="${Yellow}[ WARN ]${Font}"
16 16
17 - print_ok(){ echo -e "${OK} $1"; }
18 - print_error(){ echo -e "${ERROR} $1"; }
17 + print_ok(){ echo -e "${OK} $1"; }
18 + print_error(){echo -e "${ERROR} $1"; }
19 19 print_warn(){ echo -e "${WARN} $1"; }
20 20
21 21 #-----------------------------------
@@ -33,10 +33,10 @@ areYouSure(){
33 33 #-----------------------------------
34 34 # Helpers
35 35 #-----------------------------------
36 - run_local(){ print_ok "Local: $*"; "$@"; }
37 - run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; }
36 + run_local(){ print_ok "Local: $*"; "$@"; }
37 + run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; }
38 38 wait_ssh(){
39 - print_ok "Waiting for SSH on $SERVER...(Running ssh $REMOTE_USER@$SERVER)"
39 + print_ok "Waiting for SSH on $SERVER..."
40 40 until sshpass -p "$REMOTE_PASS" ssh -q -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" exit; do
41 41 print_warn "SSH not ready, retrying in 5s..."
42 42 sleep 5
@@ -61,13 +61,18 @@ run_local sudo apt-get install -y sshpass
61 61 run_local ssh-keygen -R "$SERVER" -f ~/.ssh/known_hosts
62 62 wait_ssh
63 63
64 - # 3) Hostname & reboot
65 - print_ok "Setting hostname to $HOSTNAME"
66 - run_remote "sudo hostnamectl set-hostname $HOSTNAME"
67 - run_remote "sudo reboot" || true
68 - print_ok "Server rebooting..."
69 - sleep 5
70 - wait_ssh
64 + # 3) Hostname & reboot (only if changed)
65 + CURRENT_HOST=$(run_remote "hostname")
66 + if [[ "$CURRENT_HOST" != "$HOSTNAME" ]]; then
67 + print_ok "Setting hostname to $HOSTNAME"
68 + run_remote "sudo hostnamectl set-hostname $HOSTNAME"
69 + run_remote "sudo reboot" || true
70 + print_ok "Server rebooting..."
71 + sleep 5
72 + wait_ssh
73 + else
74 + print_ok "Hostname already '$HOSTNAME', skipping"
75 + fi
71 76
72 77 # 4) Create or verify new user
73 78 if run_remote "id -u $NEWUSER" &>/dev/null; then
@@ -80,36 +85,47 @@ fi
80 85 # 5) Grant sudo & set up passwordless
81 86 print_ok "Granting sudo to $NEWUSER"
82 87 run_remote "sudo usermod -aG sudo $NEWUSER"
83 -
84 88 print_ok "Setting passwordless sudo for $NEWUSER"
85 89 run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NEWUSER"
86 90
87 - # 6) Generate & set random password
88 - PASS_NEW=$(uuidgen)
89 - print_ok "Setting password for $NEWUSER"
90 - run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd"
91 - print_ok "New password for $NEWUSER: $PASS_NEW"
91 + # 6) Generate & persist random password (once)
92 + if run_remote "[ -f /etc/$NEWUSER.pass ]" &>/dev/null; then
93 + PASS_NEW=$(run_remote "sudo cat /etc/$NEWUSER.pass")
94 + print_ok "Reusing existing password for $NEWUSER"
95 + else
96 + PASS_NEW=$(uuidgen)
97 + print_ok "Setting password for $NEWUSER"
98 + run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd"
99 + run_remote "echo '$PASS_NEW' | sudo tee /etc/$NEWUSER.pass > /dev/null"
100 + print_ok "New password generated for $NEWUSER"
101 + fi
92 102
93 - # 7) Copy SSH key
103 + # 7) Copy SSH key (only if absent)
94 104 [ ! -f ~/.ssh/id_rsa.pub ] && run_local ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
95 - print_ok "Copying SSH key"
96 - sshpass -p "$PASS_NEW" ssh-copy-id -i ~/.ssh/id_rsa.pub "$NEWUSER@$SERVER"
105 + PUBKEY=$(<~/.ssh/id_rsa.pub)
106 + print_ok "Ensuring SSH key in authorized_keys"
107 + run_remote "mkdir -p /home/$NEWUSER/.ssh && \
108 + sudo bash -c 'grep -qxF \"$PUBKEY\" /home/$NEWUSER/.ssh/authorized_keys 2>/dev/null || \
109 + echo \"$PUBKEY\" >> /home/$NEWUSER/.ssh/authorized_keys' && \
110 + sudo chown -R $NEWUSER:$NEWUSER /home/$NEWUSER/.ssh && \
111 + sudo chmod 700 /home/$NEWUSER/.ssh && \
112 + sudo chmod 600 /home/$NEWUSER/.ssh/authorized_keys"
97 113
98 114 # Switch to new user for subsequent operations
99 - print_ok "Switching to new user $NEWUSER instead of $REMOTE_USER"
115 + print_ok "Switching to new user $NEWUSER"
100 116 REMOTE_USER="$NEWUSER"; REMOTE_PASS="$PASS_NEW"
101 117 wait_ssh
102 118
103 119 # 8) Harden SSH
104 120 print_ok "Hardening SSH settings"
105 - run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; s/PasswordAuthentication yes/PasswordAuthentication no/; s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config"
106 - run_remote "sudo systemctl restart sshd"
121 + run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; \
122 + s/PasswordAuthentication yes/PasswordAuthentication no/; \
123 + s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config && \
124 + sudo systemctl restart sshd"
107 125
108 126 # 9) Remove other non-system users
109 127 print_ok "Removing other users"
110 - others=$(run_remote \
111 - "awk -F: -v skip='$NEWUSER' '\$3>=1000 && \$1!=skip {print \$1}' /etc/passwd")
112 -
128 + others=$(run_remote "awk -F: -v skip='$NEWUSER' '\$3>=1000 && \$1!=skip {print \$1}' /etc/passwd")
113 129 for u in $others; do
114 130 print_warn "Deleting user $u"
115 131 run_remote "sudo pkill -u $u || true; sudo deluser --remove-home $u"
@@ -117,18 +133,17 @@ done
117 133
118 134 # 10) Reset machine-id
119 135 print_ok "Resetting machine-id"
120 - run_remote "sudo rm -f /etc/machine-id /var/lib/dbus/machine-id"
121 - run_remote "sudo systemd-machine-id-setup; sudo cp /etc/machine-id /var/lib/dbus/machine-id"
136 + run_remote "sudo rm -f /etc/machine-id /var/lib/dbus/machine-id && \
137 + sudo systemd-machine-id-setup && \
138 + sudo cp /etc/machine-id /var/lib/dbus/machine-id"
122 139
123 140 # 11) Enable UFW & OpenSSH
124 141 print_ok "Enabling UFW firewall"
125 - run_remote "sudo apt-get install -y ufw"
126 - run_remote "sudo ufw allow OpenSSH && echo y | sudo ufw enable"
142 + run_remote "sudo apt-get install -y ufw && sudo ufw allow OpenSSH && echo y | sudo ufw enable"
127 143
128 144 # 12) Install & configure Fail2Ban
129 145 print_ok "Installing Fail2Ban"
130 - run_remote "sudo apt-get update"
131 - run_remote "sudo apt-get install -y fail2ban"
146 + run_remote "sudo apt-get update && sudo apt-get install -y fail2ban"
132 147 print_ok "Configuring Fail2Ban"
133 148 run_remote <<'EOF'
134 149 sudo tee /etc/fail2ban/jail.local > /dev/null <<EOJ
@@ -144,17 +159,17 @@ EOJ
144 159 sudo systemctl restart fail2ban
145 160 EOF
146 161 print_ok "Fail2Ban setup complete"
147 - run_remote "sudo fail2ban-client status sshd"
148 162
149 - # 13) Enable BBR
163 + # 13) Enable BBR (only once)
150 164 print_ok "Enabling BBR congestion control"
151 - #run_remote "sudo bash -c 'grep -q bbr /etc/sysctl.conf || { echo net.core.default_qdisc=fq >>/etc/sysctl.conf; echo net.ipv4.tcp_congestion_control=bbr >>/etc/sysctl.conf; sysctl -p; }'"
152 165 run_remote <<'EOF'
153 - sudo tee /etc/sysctl.d/99-bbr.conf > /dev/null <<SYSCTL
166 + grep -q 'net.ipv4.tcp_congestion_control = bbr' /etc/sysctl.d/99-bbr.conf 2>/dev/null || {
167 + sudo tee /etc/sysctl.d/99-bbr.conf > /dev/null <<SYSCTL
154 168 net.core.default_qdisc = fq
155 169 net.ipv4.tcp_congestion_control = bbr
156 170 SYSCTL
157 - sudo sysctl --system
171 + sudo sysctl --system
172 + }
158 173 EOF
159 174
160 175 # 14) Select best mirror & update
@@ -178,15 +193,16 @@ run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autor
178 193
179 194 # 18) Performance tuning
180 195 print_ok "Tuning CPU performance & timezone"
181 - run_remote "sudo apt-get install -y linux-tools-$(uname -r)"
182 - run_remote "sudo apt-get install -y cpupower" || true
183 - run_remote "sudo cpupower frequency-set -g performance" || true
184 - run_remote "sudo timedatectl set-timezone GMT"
196 + run_remote "sudo apt-get install -y linux-tools-$(uname -r) cpupower && \
197 + sudo cpupower frequency-set -g performance || true && \
198 + sudo timedatectl set-timezone GMT"
185 199
186 200 # 19) Remove snap
187 201 print_ok "Removing snapd"
188 - run_remote "sudo systemctl disable --now snapd && sudo apt-get purge -y snapd && sudo rm -rf /snap /var/lib/snapd /var/cache/snapd"
189 - run_remote "sudo tee /etc/apt/preferences.d/no-snap.pref <<EOF
202 + run_remote "sudo systemctl disable --now snapd && \
203 + dpkg -l snapd &>/dev/null && sudo apt-get purge -y snapd && \
204 + sudo rm -rf /snap /var/lib/snapd /var/cache/snapd && \
205 + sudo tee /etc/apt/preferences.d/no-snap.pref > /dev/null <<EOF
190 206 Package: snapd
191 207 Pin: release a=*
192 208 Pin-Priority: -10
@@ -194,8 +210,8 @@ EOF"
194 210
195 211 # 20) Final cleanup & benchmark
196 212 print_ok "Final autoremove & benchmark"
197 - run_remote "sudo apt-get autoremove -y --purge"
198 - run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run"
199 - run_remote "sudo apt-get autoremove -y sysbench --purge"
200 - print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"
213 + run_remote "sudo apt-get autoremove -y --purge && \
214 + sudo apt-get install -y sysbench && sysbench cpu --threads=$(nproc) run && \
215 + sudo apt-get autoremove -y sysbench --purge"
201 216
217 + print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"

anduin's Avatar anduin 修订了这个 Gist 5 months ago. 转到此修订

1 file changed, 29 insertions, 8 deletions

init.sh

@@ -125,7 +125,28 @@ print_ok "Enabling UFW firewall"
125 125 run_remote "sudo apt-get install -y ufw"
126 126 run_remote "sudo ufw allow OpenSSH && echo y | sudo ufw enable"
127 127
128 - # 12) Enable BBR
128 + # 12) Install & configure Fail2Ban
129 + print_ok "Installing Fail2Ban"
130 + run_remote "sudo apt-get update"
131 + run_remote "sudo apt-get install -y fail2ban"
132 + print_ok "Configuring Fail2Ban"
133 + run_remote <<'EOF'
134 + sudo tee /etc/fail2ban/jail.local > /dev/null <<EOJ
135 + [sshd]
136 + enabled = true
137 + port = ssh
138 + filter = sshd
139 + logpath = /var/log/auth.log
140 + maxretry = 3
141 + findtime = 600
142 + bantime = 3600
143 + EOJ
144 + sudo systemctl restart fail2ban
145 + EOF
146 + print_ok "Fail2Ban setup complete"
147 + run_remote "sudo fail2ban-client status sshd"
148 +
149 + # 13) Enable BBR
129 150 print_ok "Enabling BBR congestion control"
130 151 #run_remote "sudo bash -c 'grep -q bbr /etc/sysctl.conf || { echo net.core.default_qdisc=fq >>/etc/sysctl.conf; echo net.ipv4.tcp_congestion_control=bbr >>/etc/sysctl.conf; sysctl -p; }'"
131 152 run_remote <<'EOF'
@@ -136,33 +157,33 @@ SYSCTL
136 157 sudo sysctl --system
137 158 EOF
138 159
139 - # 13) Select best mirror & update
160 + # 14) Select best mirror & update
140 161 print_ok "Selecting best mirror & updating"
141 162 run_remote "curl -s https://gist.aiursoft.cn/anduin/879917820a6c4b268fc12c21f1b3fe7a/raw/HEAD/mirror.sh | bash"
142 163 run_remote "sudo apt-get update"
143 164
144 - # 14) Install latest HWE kernel
165 + # 15) Install latest HWE kernel
145 166 print_ok "Installing latest HWE kernel"
146 167 run_remote "sudo apt-get install -y \$(apt search linux-generic-hwe- | awk -F/ '/linux-generic-hwe-/{print \$1}' | head -1)"
147 168
148 - # 15) Reboot & wait
169 + # 16) Reboot & wait
149 170 print_ok "Rebooting server"
150 171 run_remote "sudo reboot" || true
151 172 sleep 5
152 173 wait_ssh
153 174
154 - # 16) Final updates & cleanup
175 + # 17) Final updates & cleanup
155 176 print_ok "Installing upgrades & cleanup"
156 177 run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autoremove -y"
157 178
158 - # 17) Performance tuning
179 + # 18) Performance tuning
159 180 print_ok "Tuning CPU performance & timezone"
160 181 run_remote "sudo apt-get install -y linux-tools-$(uname -r)"
161 182 run_remote "sudo apt-get install -y cpupower" || true
162 183 run_remote "sudo cpupower frequency-set -g performance" || true
163 184 run_remote "sudo timedatectl set-timezone GMT"
164 185
165 - # 18) Remove snap
186 + # 19) Remove snap
166 187 print_ok "Removing snapd"
167 188 run_remote "sudo systemctl disable --now snapd && sudo apt-get purge -y snapd && sudo rm -rf /snap /var/lib/snapd /var/cache/snapd"
168 189 run_remote "sudo tee /etc/apt/preferences.d/no-snap.pref <<EOF
@@ -171,7 +192,7 @@ Pin: release a=*
171 192 Pin-Priority: -10
172 193 EOF"
173 194
174 - # 19) Final cleanup & benchmark
195 + # 20) Final cleanup & benchmark
175 196 print_ok "Final autoremove & benchmark"
176 197 run_remote "sudo apt-get autoremove -y --purge"
177 198 run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run"

anduin's Avatar anduin 修订了这个 Gist 5 months ago. 转到此修订

1 file changed, 41 insertions

install_fail2ban.sh(文件已创建)

@@ -0,0 +1,41 @@
1 + #!/usr/bin/env bash
2 + set -euo pipefail
3 +
4 + echo "[+] Updating package index and installing fail2ban..."
5 + sudo apt update
6 + sudo apt install -y fail2ban
7 +
8 + echo "[+] Writing /etc/fail2ban/jail.local..."
9 + sudo tee /etc/fail2ban/jail.local > /dev/null <<'EOF'
10 + [sshd]
11 + enabled = true
12 + port = ssh
13 + filter = sshd
14 + logpath = /var/log/auth.log
15 + maxretry = 3
16 + findtime = 600
17 + bantime = 3600
18 + EOF
19 + sleep 1
20 +
21 + echo "[+] Restarting fail2ban service..."
22 + sudo systemctl restart fail2ban
23 +
24 + echo "=== Fail2Ban global status ==="
25 + # Allow script to continue even if fail2ban-client status fails (e.g., socket not yet ready)
26 + sudo fail2ban-client status || true
27 +
28 + echo "=== SSHD jail status ==="
29 + sudo fail2ban-client status sshd || true
30 +
31 + echo "Tip: To view the currently banned IP list again, run:"
32 + echo "sudo fail2ban-client status sshd"
33 +
34 + echo "Tip: To unban an IP address, run:"
35 + echo "sudo fail2ban-client set sshd unbanip <IP_ADDRESS>"
36 +
37 + echo "Tip: To ban an IP address manually, run:"
38 + echo "sudo fail2ban-client set sshd banip <IP_ADDRESS>"
39 +
40 + echo "Tip: To view the fail2ban logs, run:"
41 + echo "sudo journalctl -u fail2ban"

anduin's Avatar anduin 修订了这个 Gist 5 months ago. 转到此修订

1 file changed, 1 insertion, 1 deletion

init.sh

@@ -175,6 +175,6 @@ EOF"
175 175 print_ok "Final autoremove & benchmark"
176 176 run_remote "sudo apt-get autoremove -y --purge"
177 177 run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run"
178 - run remote "sudo apt-get autoremove -y sysbench --purge"
178 + run_remote "sudo apt-get autoremove -y sysbench --purge"
179 179 print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"
180 180

anduin's Avatar anduin 修订了这个 Gist 5 months ago. 转到此修订

1 file changed, 1 insertion, 1 deletion

init.sh

@@ -158,7 +158,7 @@ run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autor
158 158 # 17) Performance tuning
159 159 print_ok "Tuning CPU performance & timezone"
160 160 run_remote "sudo apt-get install -y linux-tools-$(uname -r)"
161 - run_remote "sudo apt-get install -y cpupower"
161 + run_remote "sudo apt-get install -y cpupower" || true
162 162 run_remote "sudo cpupower frequency-set -g performance" || true
163 163 run_remote "sudo timedatectl set-timezone GMT"
164 164

anduin's Avatar anduin 修订了这个 Gist 5 months ago. 转到此修订

2 files changed, 165 insertions, 273 deletions

init.sh

@@ -1,287 +1,180 @@
1 - #!/bin/bash
1 + #!/usr/bin/env bash
2 + #===============================================================================
3 + # Concise server preparation script with error confirmation
4 + #===============================================================================
2 5
3 - #==========================
4 - # Set up the environment
5 - #==========================
6 - set -e # exit on error
7 - set -o pipefail # exit on pipeline error
8 - set -u # treat unset variable as error
9 -
10 - #==========================
11 - # Basic Information
12 - #==========================
6 + set -euo pipefail
13 7 export LC_ALL=C
14 8 export LANG=en_US.UTF-8
15 9 export DEBIAN_FRONTEND=noninteractive
16 - export SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
17 -
18 - #==========================
19 - # Color
20 - #==========================
21 - Green="\033[32m"
22 - Red="\033[31m"
23 - Yellow="\033[33m"
24 - Blue="\033[36m"
25 - Font="\033[0m"
26 - GreenBG="\033[42;37m"
27 - RedBG="\033[41;37m"
28 - OK="${Green}[ OK ]${Font}"
29 - ERROR="${Red}[FAILED]${Font}"
30 - WARNING="${Yellow}[ WARN ]${Font}"
31 -
32 - #==========================
33 - # Print Colorful Text
34 - #==========================
35 - function print_ok() {
36 - echo -e "${OK} ${Blue} $1 ${Font}"
37 - }
38 -
39 - function print_error() {
40 - echo -e "${ERROR} ${Red} $1 ${Font}"
41 - }
42 -
43 - function print_warn() {
44 - echo -e "${WARNING} ${Yellow} $1 ${Font}"
45 - }
46 -
47 - #==========================
48 - # Judge function
49 - #==========================
50 - function judge() {
51 - if [[ 0 -eq $? ]]; then
52 - print_ok "$1 succeeded"
53 - sleep 0.2
54 - else
55 - print_error "$1 failed"
56 - exit 1
57 - fi
58 - }
59 -
60 - prepare_host()
61 - {
62 - print_ok "Update apt-get"
63 - sudo apt-get update
64 - judge "Update apt-get"
65 -
66 - print_ok "Install sshpass"
67 - sudo apt-get install -y sshpass
68 - judge "Install sshpass"
69 - }
70 10
71 - wait_server_till_can_ssh()
72 - {
73 - userName=$1
74 - password=$2
75 - serverName=$3
76 -
77 - print_ok "Waiting for server to be ready: ssh $userName@$serverName"
78 - while true; do
79 - set +e
80 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "echo 'Server is ready'"
81 - if [ $? -eq 0 ]; then
82 - break
83 - fi
84 - print_warn "Server is not ready yet. Retrying..."
85 - sleep 5
86 - done
87 -
88 - print_ok "Server is ready to connect via ssh"
89 - set -e
11 + #-----------------------------------
12 + # Colors & Prompts
13 + #-----------------------------------
14 + Green="\033[32m"; Red="\033[31m"; Yellow="\033[33m"; Blue="\033[36m"; Font="\033[0m"
15 + OK="${Green}[ OK ]${Font}"; ERROR="${Red}[FAILED]${Font}"; WARN="${Yellow}[ WARN ]${Font}"
16 +
17 + print_ok(){ echo -e "${OK} $1"; }
18 + print_error(){ echo -e "${ERROR} $1"; }
19 + print_warn(){ echo -e "${WARN} $1"; }
20 +
21 + #-----------------------------------
22 + # Error handling & confirmation
23 + #-----------------------------------
24 + on_error(){ print_error "Error at line $1."; areYouSure; }
25 + trap 'on_error $LINENO' ERR
26 +
27 + areYouSure(){
28 + print_warn "Continue despite errors? [y/N]"
29 + read -r ans
30 + case $ans in [yY]*) print_ok "Continuing...";; *) print_error "Aborted."; exit 1;; esac
90 31 }
91 32
92 - prepare_server()
93 - {
94 - userName=$1
95 - if [ -z "$userName" ]; then
96 - print_error "Please provide username. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'"
97 - exit 1
98 - fi
99 -
100 - password=$2
101 - if [ -z "$password" ]; then
102 - print_error "Please provide password for user $userName. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'"
103 - exit 1
104 - fi
105 -
106 - serverName=$3
107 - if [ -z "$serverName" ]; then
108 - print_error "Please provide server name. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'"
109 - exit 1
110 - fi
111 -
112 - desiredHostname=$4
113 - if [ -z "$desiredHostname" ]; then
114 - echo "Please provide desired hostname. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'"
115 - exit 1
116 - fi
117 -
118 - desiredUsername=$5
119 - if [ -z "$desiredUsername" ]; then
120 - print_error "Please provide desired username. Usage: prepare_server.sh '<username>' '<password>' '<serverName>' '<desiredHostname>' '<desiredUsername>'"
121 - exit 1
122 - fi
123 -
124 - prepare_host
125 - ssh-keygen -f "/home/anduin/.ssh/known_hosts" -R $serverName
126 -
127 - wait_server_till_can_ssh $userName $password $serverName
128 -
129 - print_ok "Changing hostname for $serverName to $desiredHostname"
130 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo hostnamectl set-hostname $desiredHostname"
131 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sleep 3"
132 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo reboot" || true
33 + #-----------------------------------
34 + # Helpers
35 + #-----------------------------------
36 + run_local(){ print_ok "Local: $*"; "$@"; }
37 + run_remote(){ sshpass -p "$REMOTE_PASS" ssh -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" "$*"; }
38 + wait_ssh(){
39 + print_ok "Waiting for SSH on $SERVER...(Running ssh $REMOTE_USER@$SERVER)"
40 + until sshpass -p "$REMOTE_PASS" ssh -q -o StrictHostKeyChecking=no "$REMOTE_USER@$SERVER" exit; do
41 + print_warn "SSH not ready, retrying in 5s..."
133 42 sleep 5
134 - print_ok "Hostname changed to $desiredHostname"
135 - print_warn "Server is rebooting..."
136 -
137 - wait_server_till_can_ssh $userName $password $serverName
138 -
139 - print_ok "Creating a new user..."
140 - alreadyExist=$(sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "cat /etc/passwd | grep -w $desiredUsername | wc -l")
141 - if [ $alreadyExist -gt 0 ]; then
142 - print_ok "User $desiredUsername already exists."
143 - else
144 - print_ok "Creating user $desiredUsername"
145 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo adduser $desiredUsername --gecos 'First Last,RoomNumber,WorkPhone,HomePhone' --disabled-password"
146 - judge "User $desiredUsername created"
147 - fi
148 -
149 - print_ok "Adding user $desiredUsername to sudo group"
150 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo usermod -aG sudo $desiredUsername"
151 - judge "User $desiredUsername created with password"
152 -
153 - print_ok "Allowing user $desiredUsername to run sudo without password"
154 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo mkdir -p /etc/sudoers.d"
155 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "sudo touch /etc/sudoers.d/$desiredUsername"
156 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "echo '$desiredUsername ALL=(ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers.d/$desiredUsername"
157 - judge "User $desiredUsername can run sudo without password"
158 -
159 - userPassword=$(uuidgen)
160 - print_ok "Setting password for user $desiredUsername to $userPassword"
161 - sshpass -p $password ssh -o StrictHostKeyChecking=no $userName@$serverName "echo $desiredUsername:$userPassword | sudo chpasswd"
162 - judge "Password set for user $desiredUsername as $userPassword"
163 -
164 -
165 - # If ~/ssh/id_rsa.pub does not exist, create it
166 - if [ ! -f ~/.ssh/id_rsa.pub ]; then
167 - print_warn "Creating ssh keys on local machine"
168 - ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
169 - fi
170 -
171 - print_ok "Copying ssh keys with ssh-copy-id"
172 - sshpass -p $userPassword ssh-copy-id -i ~/.ssh/id_rsa.pub $desiredUsername@$serverName
173 - print_ok "SSH keys copied"
174 -
175 - wait_server_till_can_ssh $desiredUsername $userPassword $serverName
176 -
177 - print_ok "Disabling root login, password login and enabling ssh key login"
178 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config"
179 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config"
180 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/PubkeyAuthentication no/PubkeyAuthentication yes/g' /etc/ssh/sshd_config"
181 - # Uncomment those lines if they are commented
182 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/#PermitRootLogin no/PermitRootLogin no/g' /etc/ssh/sshd_config"
183 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/#PasswordAuthentication no/PasswordAuthentication no/g' /etc/ssh/sshd_config"
184 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config"
185 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo systemctl restart ssh*"
186 - judge "Disable root login, password login and enabled ssh key login"
187 -
188 - print_ok "Server is ready for $desiredUsername to login. Deleting other users..."
189 - otherUsers=$(ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "cat /etc/passwd | grep -v nologin | grep -v false | grep -v root | grep -v sync | grep -v $desiredUsername | cut -d: -f1")
190 - for otherUser in $otherUsers; do
191 - print_warn "Deleting user $otherUser..."
192 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo pkill -u $otherUser" || true
193 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo deluser --remove-home $otherUser"
194 - done
195 -
196 - print_ok "Resetting machine-id"
197 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo rm /etc/machine-id"
198 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo rm /var/lib/dbus/machine-id"
199 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo systemd-machine-id-setup"
200 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo cp /etc/machine-id /var/lib/dbus/machine-id"
201 - judge "Machine-id reset"
202 -
203 - print_ok "Enabling ufw firewall"
204 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt-get install -y ufw"
205 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo ufw allow OpenSSH"
206 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "echo 'y' | sudo ufw enable"
207 - judge "Ufw firewall enabled"
208 -
209 - print_ok "Enabling BBR if not enabled"
210 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sysctl net.ipv4.tcp_available_congestion_control | grep -q bbr || echo 'net.core.default_qdisc=fq' | sudo tee -a /etc/sysctl.conf"
211 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sysctl net.ipv4.tcp_available_congestion_control | grep -q bbr || echo 'net.ipv4.tcp_congestion_control=bbr' | sudo tee -a /etc/sysctl.conf"
212 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo sysctl -p"
213 - judge "BBR enabled"
214 -
215 - print_ok "Selecting best mirror"
216 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "curl -s https://gist.aiursoft.cn/anduin/879917820a6c4b268fc12c21f1b3fe7a/raw/HEAD/mirror.sh | bash"
217 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt update"
218 - judge "Best mirror selected"
219 -
220 - print_ok "Installing latest kernel..."
221 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt search linux-generic-hwe-* | awk -F'/' '/linux-generic-hwe-/ {print $1}' | sort | head -n 1 | xargs -r sudo apt install -y"
222 - judge "Latest kernel installed"
223 -
224 - print_ok "Rebooting server..."
225 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sleep 3"
226 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo reboot" || true
227 - sleep 5
228 - print_warn "Server is rebooting..."
229 -
230 - wait_server_till_can_ssh $desiredUsername $userPassword $serverName
231 -
232 - print_ok "Installing updates"
233 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt update"
234 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt upgrade -y"
235 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt autoremove -y"
236 - judge "Updates installed"
237 -
238 - print_ok "Rebooting server..."
239 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sleep 3"
240 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo reboot" || true
241 - sleep 5
242 - print_warn "Server is rebooting..."
243 -
244 - wait_server_till_can_ssh $desiredUsername $userPassword $serverName
245 -
246 - print_ok "Set CPU to performance mode"
247 - ssh -o StrictHostKeyChecking=no "$desiredUsername@$serverName" "sudo apt install -y linux-tools-common linux-tools-\$(uname -r)"
248 - ssh -o StrictHostKeyChecking=no "$desiredUsername@$serverName" "sudo cpupower frequency-info"
249 - ssh -o StrictHostKeyChecking=no "$desiredUsername@$serverName" "sudo cpupower frequency-set -g performance" || true
250 - judge "CPU set to performance mode"
251 -
252 - print_ok "Set timezone to GMT"
253 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo timedatectl set-timezone GMT"
254 - judge "Timezone set to GMT"
43 + done
44 + print_ok "SSH available."
45 + }
255 46
256 - print_ok "Removing snap..."
257 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo systemctl disable --now snapd"
258 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt purge -y snapd"
259 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo rm -rf /snap /var/snap /var/lib/snapd /var/cache/snapd /usr/lib/snapd ~/snap"
260 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "cat << EOF | sudo tee -a /etc/apt/preferences.d/no-snap.pref
47 + usage(){ echo "Usage: $0 <orig_user> <orig_pass> <server> <new_hostname> <new_user>"; exit 1; }
48 +
49 + #-----------------------------------
50 + # Main
51 + #-----------------------------------
52 + [ $# -ne 5 ] && usage
53 + USER="$1"; PASS="$2"; SERVER="$3"; HOSTNAME="$4"; NEWUSER="$5"
54 + REMOTE_USER="$USER"; REMOTE_PASS="$PASS"
55 +
56 + # 1) Install sshpass locally
57 + run_local sudo apt-get update -y
58 + run_local sudo apt-get install -y sshpass
59 +
60 + # 2) Clear known_hosts, wait for SSH
61 + run_local ssh-keygen -R "$SERVER" -f ~/.ssh/known_hosts
62 + wait_ssh
63 +
64 + # 3) Hostname & reboot
65 + print_ok "Setting hostname to $HOSTNAME"
66 + run_remote "sudo hostnamectl set-hostname $HOSTNAME"
67 + run_remote "sudo reboot" || true
68 + print_ok "Server rebooting..."
69 + sleep 5
70 + wait_ssh
71 +
72 + # 4) Create or verify new user
73 + if run_remote "id -u $NEWUSER" &>/dev/null; then
74 + print_ok "User $NEWUSER exists"
75 + else
76 + print_ok "Creating user $NEWUSER"
77 + run_remote "sudo adduser --disabled-password --gecos '' $NEWUSER"
78 + fi
79 +
80 + # 5) Grant sudo & set up passwordless
81 + print_ok "Granting sudo to $NEWUSER"
82 + run_remote "sudo usermod -aG sudo $NEWUSER"
83 +
84 + print_ok "Setting passwordless sudo for $NEWUSER"
85 + run_remote "echo '$NEWUSER ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/$NEWUSER"
86 +
87 + # 6) Generate & set random password
88 + PASS_NEW=$(uuidgen)
89 + print_ok "Setting password for $NEWUSER"
90 + run_remote "echo '$NEWUSER:$PASS_NEW' | sudo chpasswd"
91 + print_ok "New password for $NEWUSER: $PASS_NEW"
92 +
93 + # 7) Copy SSH key
94 + [ ! -f ~/.ssh/id_rsa.pub ] && run_local ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
95 + print_ok "Copying SSH key"
96 + sshpass -p "$PASS_NEW" ssh-copy-id -i ~/.ssh/id_rsa.pub "$NEWUSER@$SERVER"
97 +
98 + # Switch to new user for subsequent operations
99 + print_ok "Switching to new user $NEWUSER instead of $REMOTE_USER"
100 + REMOTE_USER="$NEWUSER"; REMOTE_PASS="$PASS_NEW"
101 + wait_ssh
102 +
103 + # 8) Harden SSH
104 + print_ok "Hardening SSH settings"
105 + run_remote "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/; s/PasswordAuthentication yes/PasswordAuthentication no/; s/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config"
106 + run_remote "sudo systemctl restart sshd"
107 +
108 + # 9) Remove other non-system users
109 + print_ok "Removing other users"
110 + others=$(run_remote \
111 + "awk -F: -v skip='$NEWUSER' '\$3>=1000 && \$1!=skip {print \$1}' /etc/passwd")
112 +
113 + for u in $others; do
114 + print_warn "Deleting user $u"
115 + run_remote "sudo pkill -u $u || true; sudo deluser --remove-home $u"
116 + done
117 +
118 + # 10) Reset machine-id
119 + print_ok "Resetting machine-id"
120 + run_remote "sudo rm -f /etc/machine-id /var/lib/dbus/machine-id"
121 + run_remote "sudo systemd-machine-id-setup; sudo cp /etc/machine-id /var/lib/dbus/machine-id"
122 +
123 + # 11) Enable UFW & OpenSSH
124 + print_ok "Enabling UFW firewall"
125 + run_remote "sudo apt-get install -y ufw"
126 + run_remote "sudo ufw allow OpenSSH && echo y | sudo ufw enable"
127 +
128 + # 12) Enable BBR
129 + print_ok "Enabling BBR congestion control"
130 + #run_remote "sudo bash -c 'grep -q bbr /etc/sysctl.conf || { echo net.core.default_qdisc=fq >>/etc/sysctl.conf; echo net.ipv4.tcp_congestion_control=bbr >>/etc/sysctl.conf; sysctl -p; }'"
131 + run_remote <<'EOF'
132 + sudo tee /etc/sysctl.d/99-bbr.conf > /dev/null <<SYSCTL
133 + net.core.default_qdisc = fq
134 + net.ipv4.tcp_congestion_control = bbr
135 + SYSCTL
136 + sudo sysctl --system
137 + EOF
138 +
139 + # 13) Select best mirror & update
140 + print_ok "Selecting best mirror & updating"
141 + run_remote "curl -s https://gist.aiursoft.cn/anduin/879917820a6c4b268fc12c21f1b3fe7a/raw/HEAD/mirror.sh | bash"
142 + run_remote "sudo apt-get update"
143 +
144 + # 14) Install latest HWE kernel
145 + print_ok "Installing latest HWE kernel"
146 + run_remote "sudo apt-get install -y \$(apt search linux-generic-hwe- | awk -F/ '/linux-generic-hwe-/{print \$1}' | head -1)"
147 +
148 + # 15) Reboot & wait
149 + print_ok "Rebooting server"
150 + run_remote "sudo reboot" || true
151 + sleep 5
152 + wait_ssh
153 +
154 + # 16) Final updates & cleanup
155 + print_ok "Installing upgrades & cleanup"
156 + run_remote "sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autoremove -y"
157 +
158 + # 17) Performance tuning
159 + print_ok "Tuning CPU performance & timezone"
160 + run_remote "sudo apt-get install -y linux-tools-$(uname -r)"
161 + run_remote "sudo apt-get install -y cpupower"
162 + run_remote "sudo cpupower frequency-set -g performance" || true
163 + run_remote "sudo timedatectl set-timezone GMT"
164 +
165 + # 18) Remove snap
166 + print_ok "Removing snapd"
167 + run_remote "sudo systemctl disable --now snapd && sudo apt-get purge -y snapd && sudo rm -rf /snap /var/lib/snapd /var/cache/snapd"
168 + run_remote "sudo tee /etc/apt/preferences.d/no-snap.pref <<EOF
261 169 Package: snapd
262 170 Pin: release a=*
263 171 Pin-Priority: -10
264 172 EOF"
265 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo chown root:root /etc/apt/preferences.d/no-snap.pref"
266 - judge "Snap removed"
267 173
268 - print_ok "Autoremoving apt packages"
269 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt autoremove -y --purge"
270 - judge "Apt packages autoremoved"
271 -
272 - print_ok "Benchmarking server..."
273 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sudo apt install -y sysbench"
274 - ssh -o StrictHostKeyChecking=no $desiredUsername@$serverName "sysbench cpu --threads=\$(nproc) run"
275 - judge "Server benchmarked"
276 -
277 - print_ok "Server is ready for use"
278 - print_ok "ssh $desiredUsername@$serverName"
279 - }
174 + # 19) Final cleanup & benchmark
175 + print_ok "Final autoremove & benchmark"
176 + run_remote "sudo apt-get autoremove -y --purge"
177 + run_remote "sudo apt-get install -y sysbench && sysbench cpu --threads=\$(nproc) run"
178 + run remote "sudo apt-get autoremove -y sysbench --purge"
179 + print_ok "Setup complete. Connect via: ssh $NEWUSER@$SERVER"
280 180
281 - # To use this function:
282 - # Arg1: username
283 - # Arg2: password
284 - # Arg3: servername
285 - # Arg4: Desired hostname
286 - # Arg5: Desired username
287 - prepare_server "$@"

mirror.sh

@@ -42,7 +42,6 @@ function switchSource() {
42 42 "http://mirrors.163.com/ubuntu/" # 网易
43 43 "http://mirrors.cloud.tencent.com/ubuntu/" # 腾讯云
44 44 "http://mirror.aiursoft.cn/ubuntu/" # Aiursoft
45 - "http://mirrors.anduinos.com/ubuntu/" # AnduinOS
46 45 "http://mirrors.huaweicloud.com/ubuntu/" # 华为云
47 46 "http://mirrors.zju.edu.cn/ubuntu/" # 浙江大学
48 47 "http://azure.archive.ubuntu.com/ubuntu/" # Azure
上一页 下一页

Opengist 强力驱动 Load: 30ms

中文