Debian Server: Initial Server Setup with Debian 10
Published: 2019-05-11


Introduction

When you first create a new Debian 10 server, there are a few configuration steps that you should take early on as part of the basic setup. This will increase the security and usability of your server and will give you a solid foundation for subsequent actions.

In this tutorial, we will learn how to log into our server as the root user, create a new user with admin privileges, and set up a basic firewall.

Step 1 — Logging in as Root

To log into your server, you will need to know your server’s public IP address. You will also need the password or, if you installed an SSH key for authentication, the private key for the root user’s account. If you have not already logged into your server, you may want to follow our guide on , which covers this process in detail.

If you are not already connected to your server, go ahead and log in as the root user using the following command (substitute the highlighted portion of the command with your server’s public IP address):

  • ssh root@your_server_ip

Accept the warning about host authenticity if it appears. If you are using password authentication, provide your root password to log in. If you are using an SSH key that is passphrase protected, you may be prompted to enter the passphrase the first time you use the key each session. If this is your first time logging into the server with a password, you may also be prompted to change the root password.

About Root

The root user is the administrative user in a Linux environment that has very broad privileges. Because of the heightened privileges of the root account, you are discouraged from using it on a regular basis. This is because part of the power inherent with the root account is the ability to make very destructive changes, even by accident.

The next step is to set up an alternative user account with a reduced scope of influence for day-to-day work. Later, we’ll explain how to gain increased privileges for those times when you need them.

Step 2 — Creating a New User

Once you are logged in as root, we’re prepared to add the new user account that we will use to log in from now on.

This example creates a new user called sammy, but you should replace it with a username that you like:

  • adduser sammy

You will be asked a few questions, starting with the account password.

Enter a strong password and, optionally, fill in any of the additional information you would like. This is not required and you can just hit ENTER in any field you wish to skip.

Next, we’ll set up this new user with admin privileges.

Step 3 — Granting Administrative Privileges

Now, we have created a new user account with regular account privileges. However, we may sometimes need to do administrative tasks with it.

To avoid having to log out of our normal user and log back in as the root account, we can set up what is known as superuser or root privileges for our normal account. This will allow our normal user to run commands with administrative privileges by putting the word sudo before the command.

To add these privileges to our new user, we need to add the new user to the sudo group. By default, on Debian 10, users who belong to the sudo group are allowed to use the sudo command.

As root, run this command to add your new user to the sudo group (substitute the highlighted word with your new user):

  • usermod -aG sudo sammy

Now, when logged in as your regular user, you can type sudo before commands to run the command with superuser privileges.

Step 4 — Setting Up a Basic Firewall

Debian servers can use firewalls to make sure only certain connections to specific services are allowed. In this guide, we will install and use the UFW firewall to help set firewall policies and manage exceptions.

We can use the apt package manager to install UFW. Update the local index to retrieve the latest information about available packages and then install the UFW firewall software by typing:

  • apt update

  • apt install ufw

Note: If your servers are running on DigitalOcean, you can optionally use instead of the UFW firewall. We recommend using only one firewall at a time to avoid conflicting rules that may be difficult to debug.

Firewall profiles allow UFW to manage named sets of firewall rules for installed applications. Profiles for some common software are bundled with UFW by default and packages can register additional profiles with UFW during the installation process. OpenSSH, the service allowing us to connect to our server now, has a firewall profile that we can use.

You can list all available application profiles by typing:

  • ufw app list

Output
Available applications:
  . . .
  OpenSSH
  . . .

We need to make sure that the firewall allows SSH connections so that we can log back in next time. We can allow these connections by typing:

  • ufw allow OpenSSH

Afterwards, we can enable the firewall by typing:

  • ufw enable

Type y and press ENTER to proceed. You can see that SSH connections are still allowed by typing:

  • ufw status

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

As the firewall is currently blocking all connections except for SSH, if you install and configure additional services, you will need to adjust the firewall settings to allow acceptable traffic in. You can learn some common UFW operations in .
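
One way to re-check this state after later changes, as an added example that is not part of the original tutorial: the function reads `ufw status` text and fails if the firewall is inactive, OpenSSH is not allowed, or an ALLOW rule outside an expected list appears. The function name, the comma-separated allow-list argument and the sample variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit `ufw status` text (stdin) against an expected allow-list.
# $1 is a comma-separated list of expected "To" entries, e.g. "OpenSSH".
# Returns 0 only if the firewall is active, OpenSSH is allowed, and every
# ALLOW rule is on the list.
audit_ufw_status() {
    awk -v expected="$1" '
        BEGIN { n = split(expected, e, ","); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        /^Status: active/ { active = 1 }
        /[ \t]ALLOW([ \t]|$)/ {
            to = $0
            sub(/[ \t]+ALLOW.*/, "", to)   # keep only the "To" column
            sub(/ \(v6\)$/, "", to)        # IPv6 twin of the same rule
            if (to == "OpenSSH") ssh = 1
            if (!(to in ok)) { print "unexpected ALLOW rule: " to; bad = 1 }
        }
        END {
            if (!active) { print "firewall is not active"; bad = 1 }
            if (!ssh)    { print "no ALLOW rule for OpenSSH"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: the status output shown in this tutorial.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)'

# On a server: ufw status | audit_ufw_status "OpenSSH"
printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status "OpenSSH" && echo "firewall matches policy"
```

Extend the allow-list argument when you open a service on purpose, for example `"OpenSSH,80/tcp"`.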

Step 5 — Enabling External Access for Your Regular User

Now that we have a regular user for daily use, we need to make sure we can SSH into the account directly.

Note: Until verifying that you can log in and use sudo with your new user, we recommend staying logged in as root. This way, if you have problems, you can troubleshoot and make any necessary changes as root. If you are using a DigitalOcean Droplet and experience problems with your root SSH connection, you can also .

The process for configuring SSH access for your new user depends on whether your server’s root account uses a password or SSH keys for authentication.

If the Root Account Uses Password Authentication

If you logged in to your root account using a password, then password authentication is enabled for SSH. You can SSH to your new user account by opening up a new terminal session and using SSH with your new username:

  • ssh sammy@your_server_ip

After entering your regular user’s password, you will be logged in. Remember, if you need to run a command with administrative privileges, type sudo before it like this:

  • sudo command_to_run

You will be prompted for your regular user password when using sudo for the first time each session (and periodically afterwards).

To enhance your server’s security, we strongly recommend setting up SSH keys instead of using password authentication. Follow our guide on to learn how to configure key-based authentication.

If the Root Account Uses SSH Key Authentication

If you logged in to your root account using SSH keys, then password authentication is disabled for SSH. You will need to add a copy of your local public key to the new user’s ~/.ssh/authorized_keys file to log in successfully.

Since your public key is already in the root account’s ~/.ssh/authorized_keys file on the server, we can copy that file and directory structure to our new user account in our existing session with the cp command. Afterwards, we can adjust ownership of the files using the chown command.

Make sure to change the highlighted portions of the command below to match your regular user’s name:

  • cp -r ~/.ssh /home/sammy

  • chown -R sammy:sammy /home/sammy/.ssh

The cp -r command copies the entire directory to the new user’s home directory, and the chown -R command changes the owner of that directory (and everything inside it) to the specified username:groupname (Debian creates a group with the same name as your username by default).
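
A check for the copied directory, added here and not part of the original tutorial: it confirms that the `.ssh` directory and `authorized_keys` belong to the new user and are not group- or world-writable (which sshd's StrictModes setting rejects), and lists any other files that `cp -r` brought over from root's `~/.ssh`. The function name `check_ssh_dir` is an assumption, and the script relies on GNU `stat` as shipped with Debian.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a copied ~/.ssh tree.
# Usage: check_ssh_dir <ssh_dir> <user>; prints findings, returns 0 if clean.
check_ssh_dir() {
    dir=$1 user=$2 rc=0
    uid=$(id -u "$user") || return 2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -f "$dir/authorized_keys" ] || { echo "missing: $dir/authorized_keys"; return 1; }
    for path in "$dir" "$dir/authorized_keys"; do
        # GNU stat (as on Debian): numeric owner and octal mode.
        owner=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        # Stricter than sshd: require the new user, as the chown step intends.
        if [ "$owner" != "$uid" ]; then
            echo "wrong owner (uid $owner, expected $uid): $path"; rc=1
        fi
        # Group- or world-writable paths are rejected by sshd's StrictModes.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/world writable (mode $mode): $path"; rc=1
        fi
    done
    # cp -r copies everything in root's ~/.ssh (for example private keys);
    # report anything other than authorized_keys so it can be reviewed.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            authorized_keys) ;;
            *) echo "extra file copied from root: $f" ;;
        esac
    done
    return $rc
}

# Run as: sh this_script.sh /home/sammy/.ssh sammy
if [ $# -eq 2 ]; then
    check_ssh_dir "$1" "$2"
fi
```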

Now, open up a new terminal session and log in via SSH with your new username:

  • ssh sammy@your_server_ip

You should be logged in to the new user account without using a password. Remember, if you need to run a command with administrative privileges, type sudo before it like this:

  • sudo command_to_run

You will be prompted for your regular user password when using sudo for the first time each session (and periodically afterwards).

Where To Go From Here?

At this point, you have a solid foundation for your server. You can install any of the software you need on your server now.

Reposted from: http://jthgb.baihongyu.com/
