Ubuntu 20.04 LTS install

Ubuntu 20.04 LTS

If installing in a VM, disconnect the network before the installation starts.

sudo su
passwd root
vi /etc/sudoers   (use visudo where possible: it syntax-checks before saving, and a broken sudoers locks everyone out of sudo)
%admin ALL=(ALL) ALL
#%sudo  ALL=(ALL:ALL) ALL
Note: Ubuntu's installer puts the first user in the sudo group, not admin, so add that user to admin (or rely on the root password set above and su) before commenting out the %sudo line.

exit

su root

timedatectl set-timezone Asia/Shanghai
date

vi /etc/apt/sources.list
Add the following at the top of the file:
deb http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse

apt-get update
apt-get upgrade

If apt-get upgrade reports:
The following packages have been kept back:
fwupd fwupd-signed libfwupd2
then install them explicitly:
apt-get install fwupd-signed fwupd libfwupd2 ...

apt install net-tools

reboot

vi /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
UsePAM yes
change them to:
PermitRootLogin no
UsePAM no

systemctl restart sshd

验证是否有账号存在空口令的情况: 
awk -F: '($2 == "") { print $1 }' /etc/shadow
检查除了root以外是否还有其它账号的UID为0:(任何UID为0的账号在系统上都具有超级用户权限.)
awk -F: '($3 == 0) { print $1 }' /etc/passwd

apt-get install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

vi /etc/fail2ban/jail.local
Edit [sshd] to:
[sshd]
enabled=true

systemctl enable fail2ban
systemctl start fail2ban

fail2ban-client status sshd
/etc/init.d/fail2ban status -l

To unban an IP address:
fail2ban-client set sshd unbanip you.wantto.unban.ip

ufw status
ufw default allow outgoing
ufw default deny incoming
ufw allow 80/tcp
ufw allow 22/tcp
ufw allow 10022/tcp
ufw enable
ufw status verbose

vi /etc/fail2ban/jail.local
注释掉第一个[sshd]
修改第二个[sshd]
port    = ssh
为
enabled = true
port    = 10022

vi /etc/ssh/sshd_config
修改
#Port 22
为
Port 10022

systemctl restart fail2ban
systemctl restart sshd

在终端中登录:
ssh user@IP地址 -p port

apt install curl gnupg2 ca-certificates lsb-release

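# Add the official nginx.org APT repository for the running Ubuntu release.
# Run this as root from a script file (set -e would also abort an interactive shell).
#
# Compared with dropping the key into /etc/apt/trusted.gpg.d/, a per-repository
# keyring referenced via [signed-by=...] lets this key authenticate only the
# nginx repository, not every repository configured on the host. The key's
# fingerprint is compared against a known value before it is trusted: a
# `gpg --import --dry-run --show-only` only prints it, it does not check it.
set -euo pipefail

codename=$(lsb_release -cs)
keyring=/usr/share/keyrings/nginx-archive-keyring.gpg
# Replace with the fingerprint published at https://nginx.org/en/linux_packages.html
expected_fpr='<NGINX_SIGNING_KEY_FINGERPRINT>'

tmpkey=$(mktemp) || exit 1
trap 'rm -f -- "$tmpkey"' EXIT

# -f: fail on an HTTP error so an HTML error page is never installed as a key.
curl -fsSL -o "$tmpkey" https://nginx.org/keys/nginx_signing.key

# The "fpr" colon record carries the full fingerprint in its 10th field.
actual_fpr=$(gpg --show-keys --with-colons -- "$tmpkey" \
  | awk -F: '$1 == "fpr" { print $10; exit }')
if [[ "$actual_fpr" != "$expected_fpr" ]]; then
  printf 'nginx signing key fingerprint mismatch: got %s\n' "$actual_fpr" >&2
  exit 1
fi

gpg --dearmor < "$tmpkey" > "$keyring"
chmod 0644 -- "$keyring"

printf 'deb [signed-by=%s] http://nginx.org/packages/ubuntu %s nginx\n' \
  "$keyring" "$codename" > /etc/apt/sources.list.d/nginx.list
# Pin nginx.org above the Ubuntu archive so its builds win on apt upgrade.
printf 'Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n' \
  > /etc/apt/preferences.d/99nginx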

apt update
apt install nginx

systemctl enable nginx
systemctl start nginx
apt install software-properties-common
add-apt-repository ppa:ondrej/php
apt update
apt install php8.0 php8.0-fpm php8.0-common
apt install php8.0-dev php8.0-bcmath php8.0-gd
apt install libjpeg8-*
apt install php8.0-curl php8.0-intl php8.0-ldap php8.0-mbstring php8.0-mcrypt php8.0-mysqlnd php8.0-odbc php8.0-pdo php8.0-memcache php8.0-memcached php8.0-opcache php8.0-redis php8.0-soap php8.0-xml php8.0-xmlrpc php8.0-zip php8.0-mongodb
#php-mhash php-pear

cp /lib/systemd/system/php8.0-fpm.service /lib/systemd/system/php-fpm.service
systemctl daemon-reload
systemctl stop php8.0-fpm
systemctl disable php8.0-fpm
systemctl enable php-fpm
systemctl start php-fpm
systemctl status php-fpm

systemctl restart nginx

vi /etc/php/8.0/fpm/php.ini
cgi.fix_pathinfo=0
session.cookie_httponly = 1
post_max_size = 8M
upload_max_filesize = 8M
max_execution_time=60

vi /etc/php/8.0/fpm/pool.d/www.conf
listen.owner = nobody
listen.group = nobody
...
user = nobody
group = nobody

vi /etc/nginx/nginx.conf
user nobody;
client_max_body_size 8M;
keepalive_timeout  65;


vi /etc/nginx/conf.d/default.conf
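server {
    listen       80;
    server_name  localhost;

    root   /usr/share/nginx/html;
    index  index.php index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    # Regex locations are tried in order: keep the dot-file deny ahead of the
    # PHP handler so a path such as /.git/x.php is refused, not executed.
    location ~ /\. {
        deny  all;
    }

    location ~ \.php$ {
        # Only hand existing files to PHP; with cgi.fix_pathinfo=0 in php.ini
        # this stops /upload.jpg/x.php from being run as /upload.jpg.
        try_files $uri =404;
        fastcgi_pass   unix:/run/php/php8.0-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}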

groupadd nobody
systemctl restart php-fpm
systemctl restart nginx

vi /usr/share/nginx/html/info.php
<?php phpinfo(); ?>

Open http://your_server_IP_address/info.php in a browser to confirm PHP works, then remove the file, since it discloses the full PHP configuration:

rm /usr/share/nginx/html/info.php


vi /etc/nginx/nginx.conf
在 http 区段中加入:
server_tokens  off;
proxy_hide_header        X-Powered-By;
X-Frame限制同源:
add_header X-Frame-Options SAMEORIGIN;
保存
检查配置文件是否有错误:
/usr/sbin/nginx -t
重启 Nginx :
systemctl reload nginx
or:
sudo systemctl restart nginx


vi /etc/php/8.0/fpm/php.ini
date.timezone = PRC
禁止显示php版本的信息:
expose_php = Off
禁止显示错误信息:
display_errors = Off
display_startup_errors = Off
error_reporting = E_ALL
log_errors = On
opcache.enable=1
opcache.jit=1205
opcache.jit_buffer_size=128M

vi /etc/php/8.0/fpm/pool.d/www.conf
catch_workers_output = yes
重启 php-fpm:
systemctl restart php-fpm
log会输出到:/var/log/php8.0-fpm.log


vi /etc/nginx/nginx.conf
在 http 区段里加入:
gzip on;
gzip_min_length 1k;
gzip_comp_level 6;
gzip_buffers 32 4k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_vary on;

vi /etc/nginx/conf.d/default.conf
修改:
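# Long-lived client cache for static images. The "~*" modifier must be
# followed by a space and the extension dot must be escaped; without them
# nginx treats the whole string as a literal prefix and the block never matches.
location ~* \.(jpg|jpeg|gif|png)$ {
   expires 30d;
   add_header  Cache-Control private;
}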


apt install redis
vi /etc/redis/redis.conf
maxmemory 100MB
systemctl enable redis
systemctl start redis


chown -R root:root /usr/share/nginx/html/


禁止IP直接访问,防止恶意解析:
vi /etc/nginx/nginx.conf
在 listen       [::]:80 default_server; 之后添加:
return    403;
如果 /etc/nginx/nginx.conf 文件中没有,则在 /etc/nginx/conf.d/default.conf 文件顶部添加:
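# Catch-all for requests that carry no matching Host header (bare IP access).
# default_server is set on both listeners; otherwise the IPv4 default depends
# on which server block nginx happens to read first.
server {
    listen     80 default_server;
    listen     [::]:80 default_server;
    server_name _;
    return     403;
}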

强制使用 www 二级域名访问:
vi /etc/nginx/conf.d/default.conf
# FORCE WWW
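server {
    server_name  site.com;
    # $request_uri keeps the leading slash and query string; the previous
    # "rewrite ^/(.*)$ http://www.site.com$1" dropped the slash and produced
    # URLs like http://www.site.compath.
    return 301 http://www.site.com$request_uri;
}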

限制 PHP 脚本的文件访问范围,防止一个站点被攻陷后殃及整个服务器(重要!!!):
vi /etc/nginx/conf.d/default.conf
增加:
fastcgi_param  PHP_VALUE  "open_basedir=$document_root:/tmp/";
or:{
vi /etc/php/8.0/fpm/php.ini
在末尾加入:
[HOST=testdomain.com]
open_basedir=/usr/share/nginx/html/:/tmp/
}
注意用open_basedir指定的限制实际上是前缀,而不是目录名。所以如果要将访问限制在仅为指定的目录,请用斜线结束路径名。This also applies to the fastcgi_param line above: $document_root has no trailing slash, so write "open_basedir=$document_root/:/tmp/" to restrict access to that directory itself.

systemctl restart nginx


禁用某些 PHP 内置函数:
vi /etc/php/8.0/fpm/php.ini
disable_functions = pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo,exec,passthru,chroot,shell_exec,system,chgrp,chown,dl,show_source,highlight_file,gzinflate,str_rot13,pfsockopen,syslog,readlink,symlink,stream_socket_server,leak,popepassthru,escapeshellcmd,escapeshellarg,max_execution_time,ini_alter,pcntl_wifcontinued,pcntl_signal_dispatch,pcntl_unshare,ini_restore,popen,pclose,delete,fputs,openlog,link,imap_open,mail,rename,putenv,getcwd,proc_open,proc_close,proc_get_status,pcntl_signal_get_handler,pcntl_async_signals,pcntl_signal,pcntl_alarm
;For Laravel composer command:
;rename,putenv,getcwd,proc_open,proc_close,proc_get_status,pcntl_signal_get_handler
;For Laravel queue job:
;pcntl_async_signals,pcntl_signal,pcntl_alarm
;上面两个根据情况添加
;For Laravel Web:
;assert,file_get_contents,fopen,fwrite,opendir,ini_set,chmod,unlink,copy,mkdir,rmdir
;For WordPress:
;file,scandir,readdir,dir,set_time_limit

禁用远程url文件处理功能(打开它容易引起性能的问题,建议禁止,禁用之后 file_get_contents 函数将无法读取远程文件,可以用curl代替):
# 容易造成任意文件读取和包含问题,注意,此项默认就是开启的
allow_url_fopen = Off
# 容易造成远程包含,强烈建议关闭此项		
allow_url_include = Off

禁止加载动态连接库
enable_dl = Off

systemctl restart php-fpm
apt install mysql-server mysql-client
systemctl enable mysql
systemctl start mysql

vi /etc/mysql/mysql.conf.d/mysqld.cnf
[mysqld]
default-time_zone = '+8:00'
character-set-server = utf8mb4
default-authentication-plugin=mysql_native_password
#bind-address            = 127.0.0.1  #comment this if need remote login
#mysqlx-bind-address     = 127.0.0.1  #comment this if need remote login
Note: keep both bind-address lines active (uncommented) unless remote clients are required; with them commented out MySQL listens on all interfaces, and only the ufw default-deny rule above (no rule opens 3306) keeps it off the network.
[client]
default-character-set=utf8mb4

systemctl restart mysql

mysql_secure_installation

mysql -uroot -p
mysql> create user 'dba'@'localhost' identified by 'password';
mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'youpassword';
mysql> ALTER USER 'yourusername'@'localhost' IDENTIFIED WITH mysql_native_password BY 'youpassword';
mysql> flush privileges;

apt install mongodb
vi /etc/mongodb.conf
Note: bind_ip = 0.0.0.0 listens on every interface; it stays off the network only because ufw above denies incoming by default and no rule opens 27017, so keep 127.0.0.1 unless remote clients are required, and make sure authentication is enabled.
bind_ip = 0.0.0.0
port = 27017
systemctl restart mongodb
Nginx log添加host和请求时长
Nginx + php-fpm 性能优化
MySQL 5.7/8.0 优化
CentOS 7.0 添加 SWAP