linux security
Set up on a new Linux system (Debian/Ubuntu: the script uses apt and systemd)
- Change Root Password
- Create a new user
- Disable root login in ssh
- Add user to sudo group
- Enable Pubkey Authentication
Install Applications
- caddy with forward_proxy (the klzgrad/forwardproxy "naive" build, installed from its latest GitHub release)
- syncthing
- TLS certificate (Caddy automatic HTTPS via the `tls <email>` directive in the generated Caddyfile)
- limit journald log size (`SystemMaxUse=100M`)
System settings
- auto restart caddy via crontab (listed here, but no crontab step appears in the script below)
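# change root password
# Everything below edits /etc, system accounts and systemd units, so refuse
# to continue unless we are root (EUID is a bash builtin variable).
if [ "$EUID" -ne 0 ]; then
  echo "please run as root" >&2
  exit 1
fi
echo "Please enter new root password: "
# passwd prompts interactively. Abort if it fails (mismatch, rejected
# password) instead of silently continuing with the old root password.
if ! passwd; then
  echo "root password was not changed, aborting" >&2
  exit 1
fi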
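# set locale
# Append each export only once, so re-running the script does not keep
# adding duplicate lines to root's ~/.bashrc. The variables are also exported
# into this shell directly instead of `source ~/.bashrc`: sourcing a login
# shell's rc file from a script is not a reliable way to pick up settings.
# NOTE: assumes the en_US.UTF-8 locale exists on the box (locales package /
# locale-gen); if it does not, every command will print setlocale warnings.
for locale_line in \
  'export LANG=en_US.UTF-8' \
  'export LANGUAGE=en_US:en' \
  'export LC_ALL=en_US.UTF-8' \
  'export LC_TIME=en_US.UTF-8'; do
  if ! grep -qxF -- "$locale_line" ~/.bashrc 2>/dev/null; then
    echo "$locale_line" >> ~/.bashrc
  fi
done
export LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8 LC_TIME=en_US.UTF-8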
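# enable Pubkey Authentication
# The original was `sed -i's/.../'` with no space after -i: GNU sed then
# takes the expression as the -i backup SUFFIX and the config path as the
# sed script, so the file was never modified. Match the directive whether it
# is commented out or not, rather than only the literal "#... yes" line.
sed -i 's/^#\?PubkeyAuthentication .*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
# NOTE: OpenSSH 8.2+ configs usually start with
# `Include /etc/ssh/sshd_config.d/*.conf`; for each keyword the first value
# found wins, so a drop-in there overrides this edit. Check with `sshd -T`.
# Validate before restarting so a bad config cannot leave sshd down.
if sshd -t; then
  systemctl restart sshd
else
  echo "sshd_config failed validation; sshd was not restarted" >&2
fi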
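# add user to sudo
# apt-get has a stable CLI for scripts (apt warns that its own is not).
apt-get update -y && apt-get install -y sudo
# create a new user
echo "Please enter new user name: "
# -r: do not let backslashes in the input be interpreted.
read -r username
# if user already exists, enter a new username
while id -u "$username" >/dev/null 2>&1; do
  echo "User $username already exists, please enter a new username: "
  read -r username
  # an empty name leaves the loop; user creation below is then skipped
  if [ -z "$username" ]; then
    break
  fi
done
if [ -n "$username" ]; then
  # -U creates a private group of the same name. The original `-g $username`
  # required that group to already exist, so useradd failed on a fresh box
  # and every following step ran against a user that was never created.
  if ! useradd -m -U -G sudo -s /bin/bash "$username"; then
    echo "useradd failed for '$username', aborting" >&2
    exit 1
  fi
  echo "Please enter new user password: "
  if ! passwd "$username"; then
    echo "warning: password for $username was not set" >&2
  fi
  # ~/.ssh owned by the user (so they can manage their own keys) and mode
  # 700. The original left the directory root-owned; sshd's StrictModes also
  # rejects authorized_keys if any path component is group/world-writable.
  install -d -m 700 -o "$username" -g "$username" "/home/$username/.ssh"
  touch "/home/$username/.ssh/authorized_keys"
  chown "$username:$username" "/home/$username/.ssh/authorized_keys"
  chmod 600 "/home/$username/.ssh/authorized_keys"
  # Optional: install a public key now so key-based login works before root
  # SSH login is disabled further down. Leave empty to skip.
  read -r -p "Paste an SSH public key for $username (or leave empty): " pubkey
  if [ -n "$pubkey" ]; then
    printf '%s\n' "$pubkey" >> "/home/$username/.ssh/authorized_keys"
  fi
fi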
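# disable root login in ssh
# The original `sed -i's/.../'` had no space after -i, so GNU sed treated the
# expression as a backup suffix and the edit never applied: root login over
# SSH stayed enabled. Debian also ships the directive commented out as
# `#PermitRootLogin prohibit-password`, which `^PermitRootLogin yes` would
# never match; rewrite the directive in any form.
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# Make sure the new user can log in (password or key) before relying on
# this: once sshd restarts, root can no longer get in over SSH at all.
# sshd only re-reads its config on restart/reload; validate first so a bad
# config cannot leave the daemon down.
if sshd -t; then
  systemctl restart sshd
else
  echo "sshd_config failed validation; sshd was not restarted" >&2
fi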
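# install caddy
# xz-utils: `tar xJf` needs the xz decompressor, which minimal images may lack.
apt-get install -y curl jq xz-utils
# Unpack in a private, unpredictable directory. `mkdir -p /tmp/caddy` would
# happily reuse a directory pre-created by any local user.
tmpdir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
# -f: fail on HTTP errors instead of feeding an error page to jq.
RELEASE=$(curl -fsSL "https://api.github.com/repos/klzgrad/forwardproxy/releases/latest" | jq -r .tag_name)
# jq prints "null" when .tag_name is missing (API error / rate limit); the
# original then fetched a 404 and silently installed nothing.
if [ -z "$RELEASE" ] || [ "$RELEASE" = "null" ]; then
  echo "could not determine latest forwardproxy release" >&2
  rm -rf -- "$tmpdir"
  exit 1
fi
# NOTE(security): this installs an unsigned third-party binary straight from
# a GitHub release into /usr/bin, to be run as a network-facing service.
# Nothing here verifies its integrity; pin RELEASE and/or compare a known
# hash of the archive if that matters for your deployment.
if ! curl -fsSL "https://github.com/klzgrad/forwardproxy/releases/download/${RELEASE}/caddy-forwardproxy-naive.tar.xz" \
    | tar -xJf - -C "$tmpdir"; then
  echo "download or extraction of forwardproxy ${RELEASE} failed" >&2
  rm -rf -- "$tmpdir"
  exit 1
fi
# /usr/bin matches the ExecStart path used by the systemd unit below.
# install(1) sets an explicit mode instead of mv'ing the tarball's file as-is.
if ! install -m 0755 "$tmpdir/caddy-forwardproxy-naive/caddy" /usr/bin/caddy; then
  echo "archive did not contain caddy-forwardproxy-naive/caddy" >&2
  rm -rf -- "$tmpdir"
  exit 1
fi
rm -rf -- "$tmpdir"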
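# caddy systemd
# Run the proxy as an unprivileged service account instead of root. The only
# privilege it needs is binding :443, and AmbientCapabilities already grants
# CAP_NET_BIND_SERVICE to a non-root User= (granting it to root is a no-op).
# Caddy keeps ACME/certificate state under $HOME, so the account gets a real
# home in /var/lib/caddy. The Caddyfile and web root are created by root and
# world-readable by default, so the service can read them.
if ! id caddy >/dev/null 2>&1; then
  useradd --system --user-group --home-dir /var/lib/caddy --create-home \
    --shell /usr/sbin/nologin caddy
fi
# Quoted heredoc: the shell expands nothing inside.
# The original wrote `Unit]` (missing `[`), which is not a valid section
# header, so Description/After/Requires could not be attached to [Unit].
cat > /etc/systemd/system/caddy.service <<'EOF'
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
EOF
# A new or changed unit file is only picked up after a daemon-reload.
systemctl daemon-reload
systemctl enable caddy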
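# caddy config
mkdir -p /etc/caddy
mkdir -p /var/www/html
# input your domain and email
read -r -p "Enter your domain: " domain
echo "Your domain is $domain"
# The site address below is ":443, $domain"; an empty domain leaves a
# dangling comma that Caddy rejects, so stop here rather than write it.
if [ -z "$domain" ]; then
  echo "a domain is required" >&2
  exit 1
fi
read -r -p "Enter your email: " email
echo "Your email is $email"
# Proxy credentials. The original hard-coded `basic_auth user pass` and then
# printed it, so anyone who has read this script could use the proxy. Ask for
# a user name (default "user") and generate a random password if none is given.
read -r -p "Enter proxy user name [user]: " proxy_user
proxy_user=${proxy_user:-user}
read -r -s -p "Enter proxy password (leave empty to generate one): " proxy_pass
echo
if [ -z "$proxy_pass" ]; then
  # base64 of random bytes, reduced to [A-Za-z0-9] so it is a plain token.
  proxy_pass=$(head -c 32 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 24)
fi
# create caddyfile
# Unquoted heredoc: $domain/$email/$proxy_* expand, nothing else is special.
# The credential tokens are double-quoted for Caddy; a user-supplied password
# containing `"` or `\` would still need escaping (not handled here).
cat > /etc/caddy/Caddyfile <<EOF

{
order forward_proxy before file_server
}
:443, $domain {
tls $email
forward_proxy {
basic_auth "$proxy_user" "$proxy_pass"
hide_ip
hide_via
probe_resistance
}
file_server {
root /var/www/html
}
}

EOF
# The Caddyfile now holds a secret: readable by root only, plus the caddy
# group when the service has been set up to run as that account.
if getent group caddy >/dev/null; then
  chown root:caddy /etc/caddy/Caddyfile
  chmod 640 /etc/caddy/Caddyfile
else
  chmod 600 /etc/caddy/Caddyfile
fi
systemctl restart caddy
# check if caddy is running (--no-pager so status cannot block the script)
systemctl --no-pager status caddy
echo "Your caddy forward user and password is $proxy_user:$proxy_pass"
echo "Press any key to continue"
read -n 1 -s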
# limit log file size
# journald.conf ships SystemMaxUse commented out; uncomment it and cap the
# persistent journal at 100M. journald applies the change on restart.
journald_conf=/etc/systemd/journald.conf
sed -i -e 's|^#SystemMaxUse=|SystemMaxUse=100M|' "$journald_conf"
systemctl restart systemd-journald