VPS

Recently my VPS had a port open that didn't need to be open, namely PostgreSQL's 5432, from a docker compose file Claude wrote for me. That's how it got hit: a bot crawled it, so I deleted the VPS and rebuilt it…
Clearly security controls really do need to be done properly QQ

This post records the process of setting up a VPS, applying security controls along the way.

Generate an SSH key on your own machine so you don't have to enter a password on every login.

After the VPS is created, a prompt appears on the first connection; just type yes.

PS C:\Users\user> ssh root@199.199.19.199
The authenticity of host '199.199.19.199 (199.199.19.199)' can't be established.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '199.199.19.199' (ED25519) to the list of known hosts.
Enter passphrase for key 'C:\Users\user/.ssh/id_ed25519':

Next, check which ports my VPS has open
ss -tuln

These two commands also work
netstat -tuln
nmap your.server.ip.address
But they require installing packages, and I couldn't be bothered… skipping them for now
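An added check for the situation in the opening paragraph (this is my own example, not code from the original post): a POSIX shell function that reads `ss -tuln` output and lists listeners bound to a non-loopback address whose port is not on an allowlist. The allowlist (2222 for SSH, 80/443 for nginx) and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit `ss -tuln` output for sockets reachable from outside the host whose
# port is not explicitly expected. Assumption: these are the only ports that
# should be public on this VPS (SSH moved to 2222, nginx on 80/443).
ALLOWED_PORTS="2222 80 443"

# Reads ss-style output on stdin and prints "proto port" for every listener
# bound to a non-loopback address whose port is not in ALLOWED_PORTS.
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # header line
        NF < 5  { next }                       # malformed line, ignore
        {
            proto = $1; laddr = $5
            port = laddr; sub(/.*:/, "", port)        # 0.0.0.0:5432 -> 5432, [::]:443 -> 443
            addr = laddr; sub(/:[^:]*$/, "", addr)    # 0.0.0.0:5432 -> 0.0.0.0, [::]:443 -> [::]
            if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback only, not exposed
            if (!(port in ok)) print proto, port
        }'
}

# Constructed sample, not captured from a real host: the situation in the post,
# a Postgres container published on 0.0.0.0:5432 next to the expected services.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      4096   127.0.0.1:53        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:5432        0.0.0.0:*
tcp   LISTEN 0      511    [::]:443            [::]:*
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*'

# Runs the audit over the sample; on a live host use: ss -tuln | audit_listeners
unexpected_exposed() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners
}

unexpected_exposed
```

Ports published by Docker (`ports:` in compose, or `-p 5432:5432`) are inserted into iptables by Docker itself, so a ufw rule set that never mentions them will not block them. Bind such ports to loopback (`127.0.0.1:5432:5432`) unless they genuinely must be public.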

Next, change SSH's default port
nano /etc/ssh/sshd_config

After changing it, open the new port in the firewall
(the port just set in sshd_config); I found the VPS already had UFW installed automatically.
ufw allow 2222/tcp

After adjusting, SSH needs to be restarted; use the command hinted at inside sshd_config, GPT's version wasn't accurate.

Next, install the required packages
sudo apt update && sudo apt upgrade
sudo apt install nginx certbot python3-certbot-nginx
sudo apt install docker.io docker-compose
systemctl enable nginx
systemctl enable docker

Then this prompt appears, because my SSH config file was modified; keep the current version for now.

After installation, run: reboot
Next, continue with the installation.
Docker prerequisite packages:
apt install -y apt-transport-https ca-certificates curl software-properties-common

Add Docker’s GPG key:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Add Docker’s repository:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Update apt and install Docker Engine:
apt update
apt install -y docker-ce

It suggests removing packages that are no longer needed, so just follow along and remove them.

Next, add SSL to the websites
certbot --nginx -d vividcats.org -d www.vividcats.org -d buy.vividcats.org -d meme.vividcats.org

And since the domain was already configured earlier, no changes were needed there.

There's related documentation here

Next, install an anti-intrusion tool

sudo apt update
sudo apt install fail2ban

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

GPT suggested editing the config file, but I couldn't get the change to work, so I've left it for now
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Command to check the status
fail2ban-client status sshd