我的 Debian 配置
Package 安装
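#!/usr/bin/env bash
# Base Debian host setup: packages, unattended upgrades, time sync, a local
# DNS resolver and CrowdSec. Every step changes system state; run as root.
set -euo pipefail

# Base tools (the original list named vim twice; once is enough).
apt install -y sudo curl vim wget axel iperf3 rsync btop command-not-found unzip \
  bash-completion bind9-dnsutils nftables git
# Automatic updates
apt install -y unattended-upgrades apt-listchanges needrestart
dpkg-reconfigure -plow unattended-upgrades
# Time sync: switch off systemd-timesyncd first so only chrony steers the clock
timedatectl set-ntp false
apt install -y chrony
systemctl enable chronyd --now
# Local DNS resolver (unbound) plus its root trust-anchor helper
apt install -y unbound openresolv unbound-anchor
# Stop unbound from registering itself with resolvconf (rewrites resolv.conf)
systemctl mask unbound-resolvconf.service
# Handy tools. -y added: the original line had none and would prompt.
apt install -y plocate fd-find ripgrep
## apt install etckeeper
# Firewall / CrowdSec.
# The upstream installer is fetched over HTTPS and executed as root. It is
# downloaded to a file first (-f: fail on HTTP errors instead of piping an
# error page into sh) so it can be inspected before it is run.
crowdsec_installer=$(mktemp)
trap 'rm -f -- "$crowdsec_installer"' EXIT
curl -fsSL https://install.crowdsec.net -o "$crowdsec_installer"
sudo sh "$crowdsec_installer"
apt install -y crowdsec crowdsec-firewall-bouncer-nftables
# The enrollment key is a credential: pass it via CROWDSEC_ENROLL_KEY rather
# than editing it into this file. "your-key" is only a placeholder.
cscli console enroll "${CROWDSEC_ENROLL_KEY:-your-key}"
systemctl restart crowdsec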
写入 nftables 基础规则
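# Write the base nftables ruleset. The here-doc delimiter is quoted so nothing
# inside is subject to shell expansion.
cat > /etc/nftables.conf << 'EOF'
#!/usr/sbin/nft -f
# Host firewall: stateful, default-drop inbound, rate-limited SSH and ICMP.
# NOTE: `flush ruleset` removes every table, including tables other services
# maintain (e.g. the CrowdSec nftables bouncer); restart those after a reload.
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;
    iif lo accept
    ct state established,related accept
    # SSH: rate-limit new connections only, to slow brute force and queue growth
    tcp dport 22 ct state new limit rate 30/minute burst 60 packets accept
    # IPv4 ICMP, rate-limited (ping etc.)
    icmp type {
      echo-request, echo-reply,
      destination-unreachable, time-exceeded, parameter-problem
    } limit rate 50/second burst 100 packets accept
    # ICMPv6 (incl. NDP), rate-limited. `icmpv6 type` matches on the L4
    # protocol, so it also covers packets carrying IPv6 extension headers;
    # the previous `ip6 nexthdr icmpv6` only matched when there were none.
    icmpv6 type {
      echo-request, echo-reply,
      destination-unreachable, time-exceeded, parameter-problem, packet-too-big,
      nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
    } limit rate 50/second burst 100 packets accept
    # DHCPv6 client
    udp dport 546 udp sport 547 accept
    # Drop invalid connection-tracking state early
    ct state invalid drop
    # Rate-limit logging of drops too, so the log cannot be flooded
    limit rate 5/second burst 25 packets log prefix "NFT INPUT DROP: " flags all
    counter drop
  }
  chain forward { type filter hook forward priority filter; policy drop; }
  chain output { type filter hook output priority filter; policy accept; }
}
EOF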
防火墙重启生效
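# Validate the ruleset before it is loaded. The nftables unit loads this file
# with `nft -f`; a restart typically flushes the old rules first, so a file
# that fails to parse would leave the host with no ruleset (default accept).
nft -c -f /etc/nftables.conf || exit 1
systemctl enable --now nftables
systemctl restart nftables
# The ruleset starts with `flush ruleset`, which also drops tables kept by
# other services (e.g. the CrowdSec nftables bouncer); restart those services
# afterwards so they re-create their tables.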
日志配置
/etc/systemd/journald.conf
[Journal]
# journald tuning: persistent, size-capped, sealed storage; no forwarding.
# --- Storage ---
# Persist the journal on disk so it survives reboots
Storage=persistent
# Compress archived journal files to save space
Compress=yes
# Forward Secure Sealing. NOTE(review): this is inert until
# `journalctl --setup-keys` has been run on the host; store the verification
# key it prints off-box, since `journalctl --verify` needs it to detect tampering.
Seal=yes
# One journal per user UID
SplitMode=uid
# --- Sync and rate limiting ---
# Flush to disk every minute to bound data loss on a crash
SyncIntervalSec=1m
# Rate-limit window
RateLimitIntervalSec=30s
# At most 5000 messages per window, to contain log storms
RateLimitBurst=5000
# --- System journal on disk (/var/log/journal) ---
# Cap disk usage at 500MB
SystemMaxUse=500M
# Leave at least 100MB free for other applications
SystemKeepFree=100M
# At most 50MB per journal file
SystemMaxFileSize=50M
# Keep at most 50 journal files
SystemMaxFiles=50
# --- Runtime journal in memory (/run/log/journal) ---
# Cap memory usage at 200MB
RuntimeMaxUse=200M
# Leave at least 50MB free
RuntimeKeepFree=50M
# At most 20MB per in-memory journal file
RuntimeMaxFileSize=20M
# Keep at most 20 in-memory journal files
RuntimeMaxFiles=20
# --- Retention and rotation ---
# Keep entries for at most one month
MaxRetentionSec=1month
# Rotate a journal file after at most one week
MaxFileSec=1week
# --- Forwarding ---
# Do not forward to syslog (avoids storing everything twice)
ForwardToSyslog=no
# Do not forward to the kernel log buffer
ForwardToKMsg=no
# Do not print to the console
ForwardToConsole=no
# Do not broadcast to logged-in users (wall)
ForwardToWall=no
# Default value, kept for reference; unused while ForwardToConsole=no
TTYPath=/dev/console
# --- Log level filters ---
# Store info and above. NOTE(review): debug-level messages are discarded at
# ingest and cannot be recovered later for troubleshooting or forensics.
MaxLevelStore=info
# If syslog forwarding were enabled: info and above
MaxLevelSyslog=info
# kmsg: notice and above
MaxLevelKMsg=notice
# Console: err and above only
MaxLevelConsole=err
# wall broadcasts: emerg only
MaxLevelWall=emerg
# Socket: debug (default)
MaxLevelSocket=debug
# --- Misc ---
# Maximum length of a single log line
LineMax=48K
# Read kernel messages (dmesg)
ReadKMsg=yes
# Receive Linux audit messages
Audit=yes
/etc/logrotate.conf
# see "man logrotate" for details
# logrotate covers the plain-text files under /var/log only; the systemd
# journal is sized and retained by journald.conf, not by this file.
# global options do not affect preceding include directives
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# compress rotated log files (enabled here; the stock file ships it commented out)
compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may also be configured here.