Proxy
Версия 6.1 от Anton Krivchenkov на 02.03.2026 11:03
Отключение ICMP
nano disable_ping.sh
-- НЕ везде прокатывает )) Зависит от хостера
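#!/usr/bin/env bash
# disable_ping.sh — drop inbound ICMP echo-request (ping) for IPv4 and IPv6.
# Must run as root (iptables/ip6tables need CAP_NET_ADMIN).
#
# Differences from the naive "-A INPUT ... DROP" version:
#   * Rules are inserted at the top of INPUT (-I), not appended (-A). When ufw
#     is active its own chains come first in INPUT and they accept
#     echo-request by default, so an appended DROP is never reached — that is
#     the usual reason the "does not work on every hoster" observation.
#   * Idempotent: re-running does not stack duplicate rules (-C checks first).
#   * Rules live only in the running kernel; they are lost on reboot or
#     `ufw reload` unless persisted (iptables-persistent, ufw before.rules).
#   * Only echo-request is dropped. Never drop ICMPv6 wholesale — neighbour
#     discovery and PMTU depend on it.
set -euo pipefail

if (( EUID != 0 )); then
  printf 'Нужны root-права: запусти через sudo\n' >&2
  exit 1
fi

# add_drop <iptables-binary> <rule-spec...>
# Inserts the rule at the head of INPUT unless an identical rule already exists.
add_drop() {
  local bin=$1
  shift
  if "$bin" -C INPUT "$@" 2>/dev/null; then
    return 0
  fi
  "$bin" -I INPUT "$@"
}

# IPv4 echo-request
add_drop iptables -p icmp --icmp-type echo-request -j DROP

# IPv6 echo-request — skipped quietly when ip6tables is absent (IPv6 disabled)
if command -v ip6tables >/dev/null; then
  add_drop ip6tables -p ipv6-icmp --icmpv6-type echo-request -j DROP
fi

# Show what is in place
printf '%s\n' "Текущие правила ICMP:"
iptables -L INPUT -n | grep icmp || true
if command -v ip6tables >/dev/null; then
  ip6tables -L INPUT -n | grep icmp || true
fi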
Применяем:
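# The script needs root for iptables/ip6tables — run it under sudo, otherwise it only prints "permission denied".
chmod +x disable_ping.sh && sudo ./disable_ping.sh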
Утилиты
# Base tool set: refresh indexes and upgrade, install the list, enable
# unattended-upgrades, then tidy the apt cache. Same packages as before,
# kept in an array so the list is easy to edit.
pkgs=(
  gpg btop ncdu nload iperf3 mc htop net-tools curl wget tree
  git vim tmux mtr traceroute dnsutils iproute2
  jq lsof rsync unzip zip
  netcat-openbsd socat
  bash-completion
  unattended-upgrades ufw fail2ban
)
sudo apt update && sudo apt upgrade -y \
  && sudo apt install -y "${pkgs[@]}" \
  && sudo dpkg-reconfigure -plow unattended-upgrades \
  && sudo apt clean && sudo apt autoremove -y
Кратко, зачем что:
- git – конфиги, dotfiles, скрипты. [xda-developers +1]
- vim – базовый редактор всегда под рукой. [tecmint +1]
- tmux – мультиплексор, чтобы сессии не умирали по SSH. [admin-companion +1]
- mtr, traceroute – диагностика сети, трассировка + статистика. [linuxblog +1]
- dnsutils – dig, nslookup для проверки DNS. [linuxblog]
- iproute2 – современный стек ip, ss и т.п. (обычно уже стоит, но можно дотащить). [manpages.ubuntu +1]
- jq – парсинг JSON в CLI (API, kubectl, docker и т.д.). [tecmint +1]
- lsof – кто держит порт/файл, очень выручает. [dedirock +1]
- rsync – бэкапы, заливка на другие сервера. [linuxblog]
- unzip/zip – работа с zip‑архивами. [linuxblog]
- netcat-openbsd, socat – проверки портов, простые TCP/UDP туннели. [dedirock +1]
- bash-completion – автодополнение в bash (если на нём что‑то будешь делать). [linuxblog]
--
Базовая настройка:
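# UFW: default-deny inbound, allow outbound, keep SSH reachable, then enable.
# `allow OpenSSH` uses the app profile (port 22 only). If sshd listens on
# another port, allow that port explicitly BEFORE `enable`, or the enable
# step cuts off your own session.
# `--force` skips the interactive "may disrupt existing ssh connections"
# prompt so the sequence also works when pasted as a whole; the final status
# line shows what was actually applied.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw --force enable
sudo ufw status verbose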
fail2ban
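# fail2ban: install, write the jail overrides, validate them, then (re)start.
# Notes on the config below (content unchanged):
#   * ignoreip covers loopback only — add your own admin IP/CIDR there before
#     relying on `mode = aggressive`, or a few typos lock you out.
#   * [sshd] with `mode = aggressive` already includes the ddos patterns, so
#     the separate [sshd-ddos] jail is redundant; newer fail2ban releases may
#     no longer ship an sshd-ddos filter at all. If `fail2ban-client -t`
#     complains about it, drop that section.
#   * banaction = iptables-* inserts fail2ban's chains ahead of ufw's, so the
#     two coexist without extra configuration.
# The original wrapped everything in `sudo bash -c` and re-ran apt-get and
# systemctl inside and outside it; the steps below run each thing once.
sudo apt install -y fail2ban

# Quoted heredoc: nothing is expanded, %(...)s placeholders reach fail2ban intact.
sudo tee /etc/fail2ban/jail.local >/dev/null <<'JAIL'
[DEFAULT]
bantime = 24h
findtime = 10m
maxretry = 3
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 4w
banaction = iptables-multiport
banaction_allports = iptables-allports
ignoreip = 127.0.0.1/8 ::1
[sshd]
enabled = true
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
bantime = 48h
findtime = 15m
mode = aggressive
[sshd-ddos]
enabled = true
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 5
bantime = 24h
findtime = 30s
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
maxretry = 3
bantime = 4w
findtime = 7d
banaction = iptables-allports
JAIL

# Validate before restarting — a broken jail.local otherwise leaves the
# service down and sshd unprotected without any obvious sign.
sudo fail2ban-client -t \
  && sudo systemctl enable --now fail2ban \
  && sudo systemctl restart fail2ban \
  && echo "fail2ban настроен и запущен"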
ZSH
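# zsh + Oh My Zsh + two plugins + aliases, then make zsh the login shell.
# The installer and the plugins are fetched from GitHub over HTTPS and run /
# sourced as-is — pin a commit or read the script first on a box that matters.
# Fixes vs. the one-liner: the COMPFIX step is a real if/else (the old
# `grep && sed || echo` appended a second line whenever sed failed), and the
# plugin path is quoted with $HOME instead of a tilde inside ${...:-}.
sudo apt update && sudo apt install -y zsh git fonts-powerline curl \
  && sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended \
  && sed -i 's/^ZSH_THEME=.*/ZSH_THEME="agnoster"/' ~/.zshrc \
  && if grep -q "^ZSH_DISABLE_COMPFIX=" ~/.zshrc; then
       sed -i 's/^ZSH_DISABLE_COMPFIX=.*/ZSH_DISABLE_COMPFIX="true"/' ~/.zshrc
     else
       echo 'ZSH_DISABLE_COMPFIX="true"' >> ~/.zshrc
     fi \
  && sed -i 's/^plugins=(.*/plugins=(git sudo zsh-autosuggestions zsh-syntax-highlighting)/' ~/.zshrc \
  && zsh_custom="${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}" \
  && git clone https://github.com/zsh-users/zsh-autosuggestions "$zsh_custom/plugins/zsh-autosuggestions" \
  && git clone https://github.com/zsh-users/zsh-syntax-highlighting.git "$zsh_custom/plugins/zsh-syntax-highlighting" \
  && printf "\nalias ll='ls -la'\nalias gs='git status'\nalias d='docker ps --format \"table {{.Names}}\t{{.Status}}\t{{.Ports}}\"'\nalias dcu='docker compose up -d'\nalias dcd='docker compose down'\nalias dl='docker logs'\nalias n='nano'\nalias lzd='lazydocker'\nalias dr='dry'\nalias dcuf='docker compose up -d --force-recreate'\nalias dv='docker ps -a --format \"table {{.Names}}\t{{.Mounts}}\"'\nalias dvc='docker ps -a --format \"{{.Mounts}}\" | tr \",\" \"\n\" | grep -v \"^$\" | sort | uniq'\nalias dvo='comm -23 <(docker volume ls -q | sort) <(docker ps -a --format \"{{.Mounts}}\" | tr \",\" \"\n\" | grep -v \"^$\" | sort | uniq)'\nalias dsp='docker system prune -a --volumes'\nalias ds='docker stats --no-stream'\nalias dcdub='docker compose down && docker compose up --build'\nalias cr_gitlab_repo='/prod/create_repo_and_push.sh'\n" >> ~/.zshrc \
  && chsh -s "$(command -v zsh)"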
Дальше:
# Replace the current shell with zsh so the new ~/.zshrc takes effect now (no re-login needed)
exec zsh
Что делает:
- ставит zsh, git и powerline‑шрифты
- ставит Oh My Zsh
- включает нужную тему и плагины
- добавляет твои алиасы
- включает ZSH_DISABLE_COMPFIX="true"
- делает zsh оболочкой по умолчанию
--
Докер
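# Docker Engine via the official convenience script, then the Compose v2 CLI
# plugin for the current user.
# get.docker.com already installs the docker-compose-plugin package
# system-wide, so the per-user download below is only needed when you want a
# newer Compose than the distro repo ships. `sudo` on curl was pointless (the
# script escalates itself) and is dropped; it is still a remote script run
# unseen — read it first on anything important.
curl -fsSL https://get.docker.com | sh

# Resolve the latest tag and abort if the API answer is empty, instead of
# fetching from a malformed URL.
LATEST=$(curl -fsSL https://api.github.com/repos/docker/compose/releases/latest | grep '"tag_name":' | cut -d'"' -f4)
: "${LATEST:?could not resolve latest docker compose release}"

# Release assets are named by `uname -m` for x86_64 / aarch64; other arches
# may need a manual name.
ARCH=$(uname -m)
# The original downloaded into ~/.docker but mkdir/chmod used $DOCKER_CONFIG —
# with DOCKER_CONFIG set elsewhere those were two different directories.
DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
PLUGIN_DIR="$DOCKER_CONFIG/cli-plugins"
mkdir -p "$PLUGIN_DIR"

# Download next to the published checksums and verify before installing.
tmp=$(mktemp -d)
base="https://github.com/docker/compose/releases/download/$LATEST"
curl -fsSL "$base/docker-compose-linux-$ARCH" -o "$tmp/docker-compose-linux-$ARCH" \
  && curl -fsSL "$base/checksums.txt" -o "$tmp/checksums.txt" \
  && (cd "$tmp" && grep " docker-compose-linux-$ARCH\$" checksums.txt | sha256sum -c -) \
  && install -m 0755 "$tmp/docker-compose-linux-$ARCH" "$PLUGIN_DIR/docker-compose"
rm -rf -- "$tmp"
docker compose version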
Управление докером
ctop
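# ctop pinned to v0.7.7. Download to a temp file first: `wget -O` onto the
# final path truncates it before the transfer starts, so a failed download
# plus the chmod would leave an empty but executable /usr/local/bin/ctop.
# The snippet does not verify a checksum — compare against the release page
# if this host matters.
tmp=$(mktemp) \
  && wget -q https://github.com/bcicen/ctop/releases/download/v0.7.7/ctop-0.7.7-linux-amd64 -O "$tmp" \
  && sudo install -m 0755 "$tmp" /usr/local/bin/ctop
rm -f -- "$tmp"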
lzd
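# lazydocker via its upstream installer (remote script piped into bash —
# review or pin it if this host matters). DIR tells the installer where to put
# the binary; /usr/local/bin is normally root-owned, so run with enough
# privileges or choose a user-writable DIR.
# The alias is appended only when .zshrc does not already define it — the zsh
# setup in these notes already adds `alias lzd='lazydocker'`, and the old
# unconditional echo produced a duplicate line.
DIR=/usr/local/bin \
bash -c 'curl -fsSL https://raw.githubusercontent.com/jesseduffield/lazydocker/master/scripts/install_update_linux.sh | bash \
  && { grep -q "^alias lzd=" "$HOME/.zshrc" || echo "alias lzd='\''lazydocker'\''" >> "$HOME/.zshrc"; }'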