Исходный код вики Proxy
Версия 7.1 от Anton Krivchenkov на 02.03.2026 17:03
Последние авторы
| author | version | line-number | content |
|---|---|---|---|
| 1 | # Отключение ICMP | ||
| 2 | |||
| 3 | nano disable_ping.sh | ||
| 4 | |||
| 5 | -- НЕ ввезде прокатывает )) Зависит от Хостера | ||
| 6 | |||
| 7 | #!/usr/bin/env bash | ||
| 8 | set -e | ||
| 9 | |||
| 10 | # Требуются root-права | ||
| 11 | |||
| 12 | # Запретить входящие ICMP echo-request (ping) IPv4 | ||
| 13 | iptables -A INPUT -p icmp --icmp-type echo-request -j DROP # [web:6][web:9] | ||
| 14 | |||
| 15 | # Если используешь IPv6, можно дополнительно глушануть и его: | ||
| 16 | ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP # [web:9] | ||
| 17 | |||
| 18 | # Чтобы убедиться: | ||
| 19 | echo "Текущие правила ICMP:" | ||
| 20 | iptables -L INPUT -n | grep icmp || true | ||
| 21 | ip6tables -L INPUT -n | grep icmp || true | ||
| 22 | |||
| 23 | применяем | ||
| 24 | |||
| 25 | chmod +x disable_ping.sh && ./disable_ping.sh | ||
| 26 | |||
| 27 | # Утилиты | ||
| 28 | |||
| 29 | sudo apt update && sudo apt upgrade -y && \ | ||
| 30 | sudo apt install -y \ | ||
| 31 | gpg btop ncdu nload iperf3 mc htop net-tools curl wget tree \ | ||
| 32 | git vim tmux mtr traceroute dnsutils iproute2 \ | ||
| 33 | jq lsof rsync unzip zip \ | ||
| 34 | netcat-openbsd socat \ | ||
| 35 | bash-completion \ | ||
| 36 | unattended-upgrades ufw fail2ban && \ | ||
| 37 | sudo dpkg-reconfigure -plow unattended-upgrades && \ | ||
| 38 | sudo apt clean && sudo apt autoremove -y | ||
| 39 | |||
| 40 | Кратко, зачем что: | ||
| 41 | |||
| 42 | * git – конфиги, dotfiles, скрипты.xda-developers+1 | ||
| 43 | * vim – базовый редактор всегда под рукой.tecmint+1 | ||
| 44 | * tmux – мультиплексор, чтобы сессии не умирали по SSH.admin-companion+1 | ||
| 45 | * mtr, traceroute – диагностика сети, трассировка + статистика.linuxblog+1 | ||
| 46 | * dnsutils – dig, nslookup для проверки DNS.[linuxblog](https://linuxblog.io/linux-sysadmin-tools/) | ||
| 47 | * iproute2 – современный стек ip, ss и т.п. (обычно уже стоит, но можно дотащить).manpages.ubuntu+1 | ||
| 48 | * jq – парсинг JSON в CLI (API, kubectl, docker и т.д.).tecmint+1 | ||
| 49 | * lsof – кто держит порт/файл, очень выручает.dedirock+1 | ||
| 50 | * rsync – бэкапы, заливка на другие сервера.[linuxblog](https://linuxblog.io/linux-sysadmin-tools/) | ||
| 51 | * unzip/zip – работа с zip‑архивами.[linuxblog](https://linuxblog.io/linux-sysadmin-tools/) | ||
| 52 | * netcat-openbsd, socat – проверки портов, простые TCP/UDP туннели.dedirock+1 | ||
| 53 | * bash-completion – автодополнение в bash (если на нём что‑то будешь делать).[linuxblog](https://linuxblog.io/linux-sysadmin-tools/) | ||
| 54 | |||
| 55 | -- | ||
| 56 | |||
| 57 | базовая настройка: | ||
| 58 | |||
| 59 | # UFW | ||
| 60 | sudo ufw default deny incoming | ||
| 61 | sudo ufw default allow outgoing | ||
| 62 | sudo ufw allow OpenSSH | ||
| 63 | sudo ufw enable | ||
| 64 | |||
| 65 | ### fail2ban | ||
| 66 | |||
| 67 | sudo apt install fail2ban -y | ||
| 68 | sudo bash -c 'cat > /etc/fail2ban/jail.local << "JAIL" | ||
| 69 | [DEFAULT] | ||
| 70 | bantime = 24h | ||
| 71 | findtime = 10m | ||
| 72 | maxretry = 3 | ||
| 73 | |||
| 74 | bantime.increment = true | ||
| 75 | bantime.factor = 2 | ||
| 76 | bantime.maxtime = 4w | ||
| 77 | |||
| 78 | banaction = iptables-multiport | ||
| 79 | banaction_allports = iptables-allports | ||
| 80 | |||
| 81 | ignoreip = 127.0.0.1/8 ::1 | ||
| 82 | |||
| 83 | [sshd] | ||
| 84 | enabled = true | ||
| 85 | logpath = %(sshd_log)s | ||
| 86 | backend = %(sshd_backend)s | ||
| 87 | maxretry = 3 | ||
| 88 | bantime = 48h | ||
| 89 | findtime = 15m | ||
| 90 | mode = aggressive | ||
| 91 | |||
| 92 | [sshd-ddos] | ||
| 93 | enabled = true | ||
| 94 | logpath = %(sshd_log)s | ||
| 95 | backend = %(sshd_backend)s | ||
| 96 | maxretry = 5 | ||
| 97 | bantime = 24h | ||
| 98 | findtime = 30s | ||
| 99 | |||
| 100 | [recidive] | ||
| 101 | enabled = true | ||
| 102 | logpath = /var/log/fail2ban.log | ||
| 103 | maxretry = 3 | ||
| 104 | bantime = 4w | ||
| 105 | findtime = 7d | ||
| 106 | banaction = iptables-allports | ||
| 107 | JAIL | ||
| 108 | apt-get update | ||
| 109 | apt-get install -y fail2ban | ||
| 110 | systemctl enable --now fail2ban | ||
| 111 | systemctl restart fail2ban | ||
| 112 | echo "fail2ban настроен и запущен" | ||
| 113 | ' | ||
| 114 | systemctl enable fail2ban | ||
| 115 | systemctl restart fail2ban | ||
| 116 | |||
| 117 | # ZSH | ||
| 118 | |||
| 119 | sudo apt update && sudo apt install -y zsh git fonts-powerline curl && \ | ||
| 120 | sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended && \ | ||
| 121 | sed -i 's/^ZSH_THEME=.*/ZSH_THEME="agnoster"/' ~/.zshrc && \ | ||
| 122 | grep -q "^ZSH_DISABLE_COMPFIX=" ~/.zshrc && sed -i 's/^ZSH_DISABLE_COMPFIX=.*/ZSH_DISABLE_COMPFIX="true"/' ~/.zshrc || echo 'ZSH_DISABLE_COMPFIX="true"' >> ~/.zshrc && \ | ||
| 123 | sed -i 's/^plugins=(.*/plugins=(git sudo zsh-autosuggestions zsh-syntax-highlighting)/' ~/.zshrc && \ | ||
| 124 | git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions && \ | ||
| 125 | git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting && \ | ||
| 126 | printf "\nalias ll='ls -la'\nalias gs='git status'\nalias d='docker ps --format \"table {{.Names}}\t{{.Status}}\t{{.Ports}}\"'\nalias dcu='docker compose up -d'\nalias dcd='docker compose down'\nalias dl='docker logs'\nalias n='nano'\nalias lzd='lazydocker'\nalias dr='dry'\nalias dcuf='docker compose up -d --force-recreate'\nalias dv='docker ps -a --format \"table {{.Names}}\t{{.Mounts}}\"'\nalias dvc='docker ps -a --format \"{{.Mounts}}\" | tr \",\" \"\n\" | grep -v \"^$\" | sort | uniq'\nalias dvo='comm -23 <(docker volume ls -q | sort) <(docker ps -a --format \"{{.Mounts}}\" | tr \",\" \"\n\" | grep -v \"^$\" | sort | uniq)'\nalias dsp='docker system prune -a --volumes'\nalias ds='docker stats --no-stream'\nalias dcdub='docker compose down && docker compose up --build'\nalias cr_gitlab_repo='/prod/create_repo_and_push.sh'\n" >> ~/.zshrc && \ | ||
| 127 | chsh -s "$(which zsh)" | ||
| 128 | |||
| 129 | дальше | ||
| 130 | |||
| 131 | exec zsh | ||
| 132 | |||
| 133 | что делает: | ||
| 134 | |||
| 135 | * ставит zsh, git и powerline‑шрифты | ||
| 136 | * ставит Oh My Zsh | ||
| 137 | * включает нужную тему и плагины | ||
| 138 | * добавляет твои алиасы | ||
| 139 | * включает ZSH_DISABLE_COMPFIX="true" | ||
| 140 | * делает zsh оболочкой по умолчанию | ||
| 141 | |||
| 142 | -- | ||
| 143 | |||
| 144 | # Докер | ||
| 145 | |||
| 146 | sudo curl -fsSL https://get.docker.com | sh && | ||
| 147 | LATEST=$(curl -sL https://api.github.com/repos/docker/compose/releases/latest | grep '"tag_name":' | cut -d'"' -f4) | ||
| 148 | DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker} | ||
| 149 | mkdir -p $DOCKER_CONFIG/cli-plugins | ||
| 150 | curl -sSL https://github.com/docker/compose/releases/download/$LATEST/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose | ||
| 151 | chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose | ||
| 152 | docker compose version | ||
| 153 | |||
| 154 | ## Управление докером | ||
| 155 | |||
| 156 | ### ctop | ||
| 157 | |||
| 158 | sudo wget https://github.com/bcicen/ctop/releases/download/v0.7.7/ctop-0.7.7-linux-amd64 -O /usr/local/bin/ctop | ||
| 159 | sudo chmod +x /usr/local/bin/ctop | ||
| 160 | |||
| 161 | ### lzd | ||
| 162 | |||
| 163 | DIR=/usr/local/bin \ | ||
| 164 | curl -fsSL https://raw.githubusercontent.com/jesseduffield/lazydocker/master/scripts/install_update_linux.sh | sudo DIR=/usr/local/bin bash && echo "alias lzd='lazydocker'" >> "$HOME/.zshrc" |