Debian GNU/Linux 12 (bookworm) and Ubuntu 24.04.1 LTS are, as of 26 September 2024, the current releases of the two distributions. Ubuntu Server ships without a desktop (ubuntu-24.04-live-server-amd64.iso), so its default install is already a minimal one (around 500 packages). The Debian image (debian-12.7.0-amd64-DVD-1.iso) includes a desktop, but at the package-selection step of the installer you can deselect it; the resulting minimal install has fewer than 400 packages.

No firewall is installed or enabled by default

With a minimal install, or an install with the desktop environment deselected, neither distribution ships a firewall. After installation, log in and install one (ufw or firewalld). I am used to firewalld, so that is what I chose:

1. First refresh the package lists, then bring the system up to date

 sudo apt update
 sudo apt upgrade

Note (from apt(8)):

  • update - update list of available packages

  • upgrade - upgrade the system by installing/upgrading packages

  • full-upgrade - upgrade the system by removing/installing/upgrading packages

2. Install firewalld

 sudo apt -y install firewalld
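Steps 1 and 2 as a single re-runnable script, added here as an example; it is not part of the original post. The DRY_RUN variable and the firewalld_baseline function name are this example's own: with DRY_RUN=1 it prints the commands instead of executing them, which is how the sequence can be reviewed on a machine that has no firewalld. The explicit ssh allow-rule and the final state check are the two things worth adding to the bare install on a remote server.

```sh
#!/bin/sh
# Added example: post-install firewalld baseline for Debian 12 / Ubuntu 24.04.
# DRY_RUN=1 prints each command instead of running it (assumed variable name).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

firewalld_baseline() {
    # 1. refresh package lists and apply pending upgrades
    run sudo apt update
    run sudo apt -y upgrade
    # 2. install firewalld; the package enables and starts the unit, but
    #    saying so explicitly makes the script safe to re-run
    run sudo apt -y install firewalld
    run sudo systemctl enable --now firewalld
    # Keep SSH reachable before anything else is tightened. The default
    # 'public' zone already allows ssh, but an explicit permanent rule
    # survives a later change of default zone.
    run sudo firewall-cmd --permanent --add-service=ssh
    run sudo firewall-cmd --reload
    # 3. verify: expect "running", then list the effective rules of the zone
    run sudo firewall-cmd --state
    run sudo firewall-cmd --list-all
}

# Only act when asked to, so the file can also be sourced for its functions.
# FIREWALLD_BASELINE_RUN is an assumed name for this example.
if [ "${FIREWALLD_BASELINE_RUN:-0}" = 1 ]; then
    firewalld_baseline
fi
```

Run it for real with `FIREWALLD_BASELINE_RUN=1 sh firewalld-baseline.sh`; run it with `DRY_RUN=1` as well to see the exact command list first.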

The legacy network tools are not installed by default

For example ifconfig, netstat, arp and route only appear after you install them by hand. Their iproute2 replacements (ip, ss) are already present, so net-tools is a convenience rather than a requirement.

 sudo apt -y install net-tools

NetworkManager is not installed by default

I am used to managing and configuring IP addresses with nmcli and nmtui, and it feels odd without them.

Debian 12 is still fine, because the old method works:

1. Configure the IP address and related settings in /etc/network/interfaces

 ~# cat /etc/network/interfaces
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).

 source /etc/network/interfaces.d/*

 # The loopback network interface
 auto lo
 iface lo inet loopback

 # The primary network interface
 allow-hotplug ens192
 iface ens192 inet static
         address 192.168.xx.217/24
         gateway 192.168.xx.1
         # dns-* options are implemented by the resolvconf package, if installed
         dns-nameservers 192.168.xx.1 223.5.5.5 8.8.8.8

2. Restart the networking service (do this from the console or an out-of-band session: the restart briefly takes the interface down, and a mistake in the file will cut off an SSH session)

 ~# systemctl restart networking
 ~# systemctl status networking
 * networking.service - Raise network interfaces
      Loaded: loaded (/lib/systemd/system/networking.service; enabled; preset: enabled)
      Active: active (exited) since Thu 2024-09-26 16:33:41 CST; 1h 43min ago
        Docs: man:interfaces(5)
    Main PID: 1053 (code=exited, status=0/SUCCESS)
         CPU: 197ms

 Sep 26 16:33:41 debian127-xx-215 systemd[1]: Starting networking.service - Raise network interfaces...
 Sep 26 16:33:41 debian127-xx-215 systemd[1]: Finished networking.service - Raise network interfaces.

Ubuntu Server 24.04 is slightly different (it uses netplan)

1. Edit the configuration file /etc/netplan/50-cloud-init.yaml

 ~# cat /etc/netplan/50-cloud-init.yaml 
 # This file is generated from information provided by the datasource.  Changes
 # to it will not persist across an instance reboot.  To disable cloud-init's
 # network configuration capabilities, write a file
 # /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
 # network: {config: disabled}
 network:
     ethernets:
         ens192:
             addresses:
             - 192.168.xx.152/24
             nameservers:
                 addresses:
                 - 223.5.5.5
                 search: []
             routes:
             -   to: default
                 via: 192.168.xx.1
     version: 2

2. Run sudo netplan apply to activate it. As the header of the file says, cloud-init regenerates it on the next boot; to keep your change, create /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg containing the line network: {config: disabled}. Over SSH, sudo netplan try is the safer choice: it reverts automatically unless you confirm within the timeout (120 seconds by default).
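The two ways of writing the same static-IPv4 assignment, as an added example that is not from the original post: one function renders the ifupdown stanza used on Debian 12 above, the other the netplan v2 YAML used on Ubuntu 24.04, from identical arguments, after a basic IPv4 sanity check on the address and gateway. Function names, the interface name ens192 and the addresses in the usage note are placeholders; write_netplan is included to show file permissions and the cloud-init drop-in, needs root, and is not called here.

```sh
#!/bin/sh
# Added example: render one static-IPv4 assignment as an ifupdown stanza
# (Debian 12, /etc/network/interfaces) and as netplan v2 YAML (Ubuntu 24.04).
# All function names are this example's own; interface/address arguments are
# placeholders supplied by the caller.

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    IFS=. ; set -- $1 ; unset IFS
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ifupdown_stanza IFACE ADDR/PREFIX GATEWAY DNS... -> interfaces(5) text
ifupdown_stanza() {
    iface=$1; cidr=$2; gw=$3; shift 3
    is_ipv4 "${cidr%/*}" && is_ipv4 "$gw" || return 1
    printf 'allow-hotplug %s\n' "$iface"
    printf 'iface %s inet static\n' "$iface"
    printf '        address %s\n' "$cidr"
    printf '        gateway %s\n' "$gw"
    # dns-nameservers is only honoured when the resolvconf package is installed
    printf '        dns-nameservers %s\n' "$*"
}

# netplan_yaml IFACE ADDR/PREFIX GATEWAY DNS... -> netplan v2 YAML text
netplan_yaml() {
    iface=$1; cidr=$2; gw=$3; shift 3
    is_ipv4 "${cidr%/*}" && is_ipv4 "$gw" || return 1
    printf 'network:\n  version: 2\n  ethernets:\n    %s:\n' "$iface"
    printf '      addresses:\n        - %s\n' "$cidr"
    printf '      nameservers:\n        addresses:\n'
    for ns in "$@"; do printf '          - %s\n' "$ns"; done
    printf '      routes:\n        - to: default\n          via: %s\n' "$gw"
}

# write_netplan FILE IFACE ADDR/PREFIX GATEWAY DNS...  (needs root; not run here)
# Writes the YAML mode 0600 (netplan warns about world-readable config files),
# stops cloud-init from regenerating network config, as the header of
# 50-cloud-init.yaml itself suggests, and uses 'netplan try' so a bad config
# on a remote box reverts by itself if you cannot confirm it.
write_netplan() {
    file=$1; shift
    ( umask 077; netplan_yaml "$@" > "$file" )
    printf 'network: {config: disabled}\n' \
        > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
    netplan try
}
```

Usage (placeholder values): `netplan_yaml ens192 192.168.10.152/24 192.168.10.1 223.5.5.5 8.8.8.8` prints the YAML to stdout, and `ifupdown_stanza` with the same arguments prints the equivalent interfaces(5) stanza; both refuse an address such as 192.168.10.300/24.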

No password-complexity policy is installed by default

The following command shows whether any of the relevant PAM libraries are installed:

~$ dpkg -l | grep -E 'libpam-passwdqc|libpam-cracklib|libpam-pwquality'

Use the pam_pwquality.so PAM module (or the older pam_cracklib.so) to enforce password complexity.

 Reminder: check man pwquality.conf on the target release before hardening. Current pam_pwquality builds accept the minclass parameter; on a version that lacks it, use dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 instead to force all four character classes.
1. Install the PAM module

apt -y install libpam-pwquality

2. Back up /etc/pam.d/common-password before editing it, then adjust the pam_pwquality line

cp -p /etc/pam.d/common-password /etc/pam.d/common-password_bak
vi /etc/pam.d/common-password
password    requisite     pam_pwquality.so minlen=8 minclass=3 enforce_for_root retry=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

On Debian and Ubuntu, installing libpam-pwquality already inserts a pam_pwquality.so line (with retry=3) into common-password through pam-auth-update, so edit that line rather than adding a second one. The file is managed by pam-auth-update, and a later run of it restores the managed block; settings placed in /etc/security/pwquality.conf (step 3) survive that. Note also that with all four credits at -1 every class is mandatory, so minclass=3 never decides anything: keep either the credits (require all four classes) or minclass (require any three), not both.

3. Back up /etc/security/pwquality.conf before editing it, then set the same policy there

cp -p /etc/security/pwquality.conf /etc/security/pwquality.conf_bak
vi /etc/security/pwquality.conf
minlen = 8
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
minclass = 3
enforce_for_root

Values in pwquality.conf are the defaults; arguments on the pam_pwquality.so line override them, so one of the two places is enough. Test the result as an unprivileged user with passwd (or with pwscore from the libpwquality-tools package) before you close your root session.
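To see what the settings above actually accept, here is an added example (not from the post, and not libpwquality's own code) that models pam_pwquality's minlen, minclass and negative-credit rules in plain sh and reports which rule rejects a candidate. Function names are this example's; it is ASCII-only, ignores positive credits and the dictionary, palindrome and similarity checks, so treat it as an illustration of how the rules interact rather than a replacement for pwscore.

```sh
#!/bin/sh
# Added example: a plain-sh model of the pam_pwquality rules configured above.
# Simplifications (assumptions of this example): ASCII input only; positive
# credits (length bonuses) are not modelled; dictionary, palindrome and
# similarity checks are omitted.

# count_class STRING CLASS -> number of characters of tr class CLASS in STRING
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_pw_policy PASSWORD MINLEN MINCLASS DCREDIT UCREDIT LCREDIT OCREDIT
# Prints the first failing rule (minlen, dcredit, ucredit, lcredit, ocredit,
# minclass) and returns 1; prints "ok" and returns 0 when all rules pass.
check_pw_policy() {
    pw=$1; minlen=$2; minclass=$3
    dcredit=$4; ucredit=$5; lcredit=$6; ocredit=$7
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    digits=$(count_class "$pw" '[:digit:]')
    upper=$(count_class "$pw" '[:upper:]')
    lower=$(count_class "$pw" '[:lower:]')
    other=$((len - digits - upper - lower))

    if [ "$len" -lt "$minlen" ]; then echo minlen; return 1; fi

    # A credit of -N means "at least N characters of this class are required".
    if [ "$dcredit" -lt 0 ] && [ "$digits" -lt $((0 - dcredit)) ]; then echo dcredit; return 1; fi
    if [ "$ucredit" -lt 0 ] && [ "$upper"  -lt $((0 - ucredit)) ]; then echo ucredit; return 1; fi
    if [ "$lcredit" -lt 0 ] && [ "$lower"  -lt $((0 - lcredit)) ]; then echo lcredit; return 1; fi
    if [ "$ocredit" -lt 0 ] && [ "$other"  -lt $((0 - ocredit)) ]; then echo ocredit; return 1; fi

    # minclass counts how many of the four classes are present at all.
    classes=0
    for n in "$digits" "$upper" "$lower" "$other"; do
        if [ "$n" -gt 0 ]; then classes=$((classes + 1)); fi
    done
    if [ "$classes" -lt "$minclass" ]; then echo minclass; return 1; fi
    echo ok
}
```

With the post's settings (minlen 8, minclass 3, all credits -1), "Abcdefg1" has three classes yet is rejected with "ocredit", which is the point made above: once every credit is -1, minclass=3 is never the deciding rule. With the credits at 0 the same password passes on minclass alone.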

A minimal Debian 12.7 install does not include sudo

~# apt -y install sudo

After installing it, add your own account to the sudo group with usermod and log in again so the new group membership takes effect; until then only root can run apt.

Configure a network mirror for Debian 12.7

If you did not configure a mirror during installation, Debian does not generate a usable sources.list, so you have to write one yourself. I usually like to use the Aliyun mirror, but its Debian configuration help page only covers 11.x and earlier, not 12.x.

1. Copy or reuse a sources.list written for 11.x

2. Run the following to adapt it to 12.x. Bookworm moved firmware packages out of non-free into a new non-free-firmware component, so that component has to be added; take care that the substitution keeps contrib rather than replacing it:

 sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
 # keep contrib and add the non-free-firmware component introduced in bookworm
 sed -i 's/non-free contrib/contrib non-free non-free-firmware/g' /etc/apt/sources.list

3. Run apt update to verify. If the installer left a deb cdrom: line in sources.list, comment it out first, otherwise apt update keeps asking for the DVD.
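A version of step 2 that adapts a bullseye sources.list to bookworm without losing contrib, and also comments out any leftover cdrom source, added as an example that is not part of the original post. The function names are this example's; the sample lines in the usage note are constructed and use the official deb.debian.org mirror rather than a particular regional mirror, so substitute your own.

```sh
#!/bin/sh
# Added example: rewrite a Debian 11 (bullseye) sources.list for Debian 12
# (bookworm). Function names are this example's own.

# bullseye_to_bookworm: filter stdin -> stdout
#  - bullseye, bullseye-updates, bullseye-security -> bookworm equivalents
#  - comment out 'deb cdrom:' lines left behind by a DVD install
#  - on deb/deb-src lines that carry non-free, append non-free-firmware
#    (the component bookworm split out of non-free) unless already present;
#    existing components, including contrib, are left untouched
bullseye_to_bookworm() {
    sed -E \
        -e 's/bullseye/bookworm/g' \
        -e '/^deb cdrom:/s/^/# /' \
        -e '/^deb(-src)?[[:space:]].*[[:space:]]non-free([[:space:]]|$)/{' \
        -e '  /non-free-firmware/!s/[[:space:]]*$/ non-free-firmware/' \
        -e '}'
}

# convert_sources_list FILE: keep a backup, then rewrite FILE in place.
convert_sources_list() {
    cp -p "$1" "$1.bak" && bullseye_to_bookworm < "$1.bak" > "$1"
}
```

Usage: `convert_sources_list /etc/apt/sources.list` as root, then `apt update`. On a constructed input line `deb http://deb.debian.org/debian/ bullseye main non-free contrib` the filter yields `deb http://deb.debian.org/debian/ bookworm main non-free contrib non-free-firmware`; a line that already lists non-free-firmware is only renamed, and a security line without non-free is left with its components unchanged.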
