服务器日常维护常用指令

用户管理

• 创建新用户：sudo adduser username ;
• 删除用户：sudo userdel -r username ;
• 将普通用户添加到 sudo 组：sudo usermod -aG sudo username ;
• 将普通用户添加到 normuser 组：sudo usermod -aG normuser username ;
• 修改用户 uid ：sudo usermod -u uid username ;
• 修改用户 gid ：sudo groupmod -g gid username ;
• 修改用户默认 shell 为 zsh ：sudo usermod -s /bin/zsh username ;

文件解压缩

• .tar：

  • 解压：tar xvf FileName.tar ;
  • 压缩：tar cvf FileName.tar DirName ;

• .gz：

  • 解压：gunzip FileName.gz 或 gzip -d FileName.gz ;
  • 压缩：gzip FileName ;

• .tar.gz & .tgz ：

  • 解压：tar zxvf FileName.tar.gz ;
  • 压缩：tar zcvf FileName.tar.gz DirName ;

• .zip：

  • 解压：unzip FileName.zip ;
  • 压缩：zip FileName.zip DirName ;

• .rar：

  • 解压：rar x FileName.rar ;
  • 压缩：rar a FileName.rar DirName ;

Open-SSH 禁用密码登录

• 修改 /etc/ssh/sshd_config ，仅允许使用密钥登录，并修改端口为 6724：

  # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
  
  # This is the sshd server system-wide configuration file.  See
  # sshd_config(5) for more information.
  
  # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
  
  # The strategy used for options in the default sshd_config shipped with
  # OpenSSH is to specify options with their default value where
  # possible, but leave them commented.  Uncommented options override the
  # default value.
  
  #Include /etc/ssh/sshd_config.d/*.conf
  
  #Port 22
  Port 6724
  #AddressFamily any
  #ListenAddress 0.0.0.0
  #ListenAddress ::
  
  #HostKey /etc/ssh/ssh_host_rsa_key
  #HostKey /etc/ssh/ssh_host_ecdsa_key
  #HostKey /etc/ssh/ssh_host_ed25519_key
  
  # Ciphers and keying
  #RekeyLimit default none
  
  # Logging
  #SyslogFacility AUTH
  #LogLevel INFO
  
  # Authentication:
  
  #LoginGraceTime 2m
  PermitRootLogin no
  #StrictModes yes
  #MaxAuthTries 6
  #MaxSessions 10
  
  PubkeyAuthentication yes
  
  # Expect .ssh/authorized_keys2 to be disregarded by default in future.
  #AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
  
  #AuthorizedPrincipalsFile none
  
  #AuthorizedKeysCommand none
  #AuthorizedKeysCommandUser nobody
  
  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  #HostbasedAuthentication no
  # Change to yes if you don't trust ~/.ssh/known_hosts for
  # HostbasedAuthentication
  #IgnoreUserKnownHosts no
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
  
  # To disable tunneled clear text passwords, change to no here!
  PasswordAuthentication no
  #PermitEmptyPasswords no
  
  # Change to yes to enable challenge-response passwords (beware issues with
  # some PAM modules and threads)
  ChallengeResponseAuthentication no
  
  # Kerberos options
  #KerberosAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
  #KerberosGetAFSToken no
  
  # GSSAPI options
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
  #GSSAPIStrictAcceptorCheck yes
  #GSSAPIKeyExchange no
  
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
  # be allowed through the ChallengeResponseAuthentication and
  # PasswordAuthentication.  Depending on your PAM configuration,
  # PAM authentication via ChallengeResponseAuthentication may bypass
  # the setting of "PermitRootLogin without-password".
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
  UsePAM no
  
  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no
  X11Forwarding yes
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  #PermitTTY yes
  PrintMotd no
  #PrintLastLog yes
  #TCPKeepAlive yes
  #PermitUserEnvironment no
  #Compression delayed
  #ClientAliveInterval 0
  #ClientAliveCountMax 3
  #UseDNS no
  #PidFile /var/run/sshd.pid
  #MaxStartups 10:30:100
  #PermitTunnel no
  #ChrootDirectory none
  #VersionAddendum none
  
  # no default banner path
  #Banner none
  
  # Allow client to pass locale environment variables
  AcceptEnv LANG LC_*
  
  # override default of no subsystems
  Subsystem	sftp	/usr/lib/openssh/sftp-server
  
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  #	X11Forwarding no
  #	AllowTcpForwarding no
  #	PermitTTY no
  #	ForceCommand cvs server
  

• 重启 sshd 服务，意使修改生效：sudo systemctl restart sshd.service ;

• 切换至用户账户：sudo su username

• 将用户的公钥添加到：/home/username/.ssh/authorized_keys 文件 ;

Clash 配置

• 下载 clash ：clash ;

• 下载 clash 配置文件：gist.github.com ;

• clash 启动脚本：

  #start_clash.sh
  
  WORKSPACE=/workspace/tools/clash
  #CLASH_URL=https://gist.github.com/GithubName/xxxx71a7db43bxxx/raw/clash_config.yaml
  
  # save pid of clash
  echo $$ > ${WORKSPACE}/clash.pid
  
  # download configration file
  #wget -O ${WORKSPACE}/clash_config.yaml ${CLASH_URL}
  
  # boot clash
  ${WORKSPACE}/clash -f ${WORKSPACE}/clash_config.yaml
  

• clash 停止脚本：

  # stop_clash.sh
  
  WORKSPACE=/workspace/tools/clash
  #CLASH_URL=https://gist.github.com/GithubName/xxxx71a7db43bxxx/raw/clash_config.yaml
  
  # download configration file
  proxychains4 -f /workspace/tools/proxychains/src/proxychains.conf wget -O ${WORKSPACE}/clash_config.yaml ${CLASH_URL}
  
  # read pid file
  PID=`cat ${WORKSPACE}/clash.pid`
  kill -9 ${PID}
  rm ${WORKSPACE}/clash.pid
  

• 使用 crontab 定时更新配置文件，开机启动：

  • 编辑 crontab：crontab -e ;

  • 添加内容：

    @reboot /workspace/tools/scripts/start_clash.sh
    00 04 * * * /workspace/tools/scripts/stop_clash.sh
    01 04 * * * /workspace/tools/scripts/start_clash.sh
    

Proxychains 配置

• 下载 proxychains4：proxychains

• 安装 proxychains4 ：

  • Step 1：./configure --prefix=/usr --sysconfdir=/etc ;
  • Step 2：make;
  • Step 3：sudo make install ;

• 修改 proxychains 配置文件，添加代理转发端口：

  [ProxyList]
  # add proxy here ...
  # meanwile
  # defaults set to "tor"
  http 	127.0.0.1 7890
  socks4 	127.0.0.1 7891
  socks5 	127.0.0.1 7891
  

• 修改 ~/.bashrc 添加别名：

  添加 alias pc='proxychains4 -f /workspace/tools/proxychains/src/proxychains.conf' ;

• 使用 proxychains：

  • Example 1：pc wget www.google.com ;
  • Example 2：pc bash ;

FRP 配置

• 下载 frp：frp ;

• 配置 frpc.ini：

  [common]
  tls_enable = true
  server_addr = domain.name.com
  server_port = 7000
  authentication_method = token
  token = qwertyuiop000000
  
  
  [ssh-122]
  type = tcp
  local_ip = 127.0.0.1
  local_port = 22
  remote_port = 10122
  

• 配置 frps.ini：

  TODO

• 配置开机启用 frpc：

  • Option 1：使用 crontab ;

    • 在 crontab 中添加：@reboot /usr/bin/frpc -c /etc/frp/frpc.ini ;

  • Option 2：使用 systemctl ;

    • 编写 frpc.service 存放于 /lib/systemd/system/ ;

      [Unit]
      Description=Frp Client Service
      After=network.target
      
      [Service]
      Type=simple
      User=nobody
      Restart=on-failure
      RestartSec=5s
      ExecStart=/usr/bin/frpc -c /etc/frp/frpc.ini
      ExecReload=/usr/bin/frpc reload -c /etc/frp/frpc.ini
      LimitNOFILE=1048576
      
      [Install]
      WantedBy=multi-user.target
      

    • 配置开机启动 frpc ：sudo systemctl enable frpc ;

    • 启动 frpc ：sudo systemctl start frpc ;

    • 停止 frpc ：sudo systemctl stop frpc ;

    • 重启 frpc ：sudo systemctl restart frpc ;

    • 查看 frpc 状态 ：sudo systemctl status frpc ;

​