Wake-on-LAN on Liangweidong's bloghttps://liangweidonggood.github.io/tags/wake-on-lan/Recent content in Wake-on-LAN on Liangweidong's blogHugo -- gohugo.iozh-cnWed, 15 Mar 2017 00:00:00 +0800Linux 远程登录与安全实践:SSH 公私钥、scp 免密、Wake-on-LAN 远程开机与网络配置https://liangweidonggood.github.io/p/linux-yuan-cheng-deng-lu-yu-an-quan-2017/Wed, 15 Mar 2017 00:00:00 +0800https://liangweidonggood.github.io/p/linux-yuan-cheng-deng-lu-yu-an-quan-2017/<img src="https://liangweidonggood.github.io/p/linux-yuan-cheng-deng-lu-yu-an-quan-2017/image/cover.jpg" alt="Featured image of post Linux 远程登录与安全实践:SSH 公私钥、scp 免密、Wake-on-LAN 远程开机与网络配置" /><h2 id="一为什么是-2017-年这一份">一、为什么是 2017 年这一份 </h2><p>2017 年这个时间点前后,Linux 远程管理进入&quot;工具标准化&quot;阶段:</p> <ul> <li><strong>OpenSSH 7.x</strong>(2016-2017 时代)已修复大量历史漏洞,sshd 默认配置趋于安全</li> <li><strong>Wake-on-LAN</strong> 仍是有线网卡机器远程开机的主流方案</li> <li><strong>Debian/Ubuntu 的网络配置正经历重构</strong>——Debian 9 (2017-06) 仍用 <code>/etc/network/interfaces</code>,但 Ubuntu 18.04 (2018-04) 起改用 netplan</li> <li><strong>systemd-resolved</strong> 在 Ubuntu 17.10 (2017-10) 起成为默认 DNS 解析</li> </ul> <p>这一篇<strong>覆盖远程登录、远程拷贝、远程开机、网卡配置、DNS 配置</strong>——一个系统管理员日常要用的&quot;远程&quot;工具箱。</p> <blockquote> <p><strong>阅读建议</strong>:本文分四块——远程登录(SSH)、远程拷贝(SCP)、远程开机(WoL)、网络配置。<strong>强烈建议</strong>所有公开服务器<strong>禁止密码登录</strong>,只用密钥。</p> </blockquote> <h2 id="二ssh-远程登录">二、SSH 远程登录 </h2><h3 id="21-sshpass脚本里的免密登录">2.1 sshpass:脚本里的免密登录 </h3><p><code>sshpass</code> 允许在<strong>一条命令</strong>里把密码带上——典型场景是自动化脚本里临时用一下,<strong>生产环境请用 SSH 公私钥</strong>。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 安装(CentOS)</span> </span></span><span class="line"><span class="cl">yum install -y sshpass </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 安装(Debian/Ubuntu)</span> </span></span><span class="line"><span class="cl">apt install -y sshpass </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 免密 SSH 登录</span> </span></span><span class="line"><span class="cl">sshpass -p <span class="s1">&#39;your-password&#39;</span> ssh root@&lt;host-ip&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># sshpass + ssh 不提示 yes/no</span> </span></span><span class="line"><span class="cl">sshpass -p <span class="s1">&#39;your-password&#39;</span> ssh <span class="se">\ </span></span></span><span class="line"><span class="cl"> -o <span class="nv">StrictHostKeyChecking</span><span class="o">=</span>no user@&lt;host-ip&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="22-优化去掉是否连接的提示">2.2 优化:去掉&quot;是否连接&quot;的提示 </h3><p>第一次 SSH 连接到新主机时,会问&quot;是否信任该主机(yes/no)&quot;。在自动化场景下这个交互很烦。两种解决方案:</p> <p><strong>客户端配置</strong>(影响本机的所有 SSH 客户端):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">vim /etc/ssh/ssh_config </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 加上这一行</span> </span></span><span class="line"><span class="cl">StrictHostKeyChecking no </span></span></code></pre></td></tr></table> </div> </div><p><strong>服务端配置</strong>(影响所有客户端连这台机器):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">vim /etc/ssh/sshd_config </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">GSSAPIAuthentication no </span></span><span class="line"><span class="cl">UseDNS no </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">service sshd restart </span></span></code></pre></td></tr></table> </div> </div><h2 id="三ssh-公私钥登录生产环境标配">三、SSH 公私钥登录:生产环境标配 </h2><p><strong>强烈推荐</strong>:所有公开服务器<strong>禁止密码登录</strong>,只用密钥。</p> <h3 id="31-生成密钥对">3.1 生成密钥对 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh-keygen -t rsa </span></span><span class="line"><span class="cl"><span class="c1"># 默认 2048 位 RSA,公私钥存在 ~/.ssh/</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 当前目录下多出两个文件</span> </span></span><span class="line"><span class="cl"><span class="c1"># id_rsa ← 私钥(**绝不能泄露**)</span> </span></span><span class="line"><span class="cl"><span class="c1"># id_rsa.pub ← 公钥(要上传到服务器)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="32-上传公钥到服务器">3.2 上传公钥到服务器 </h3><p><strong>方法一</strong>:手动复制</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 假设你已经在服务器上</span> </span></span><span class="line"><span class="cl">mkdir -p ~/.ssh </span></span><span class="line"><span class="cl">chmod <span class="m">700</span> ~/.ssh </span></span><span class="line"><span class="cl">touch ~/.ssh/authorized_keys </span></span><span class="line"><span class="cl">chmod <span class="m">600</span> ~/.ssh/authorized_keys </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 把本地公钥内容粘贴进去</span> </span></span><span class="line"><span class="cl">cat id_rsa.pub &gt;&gt; ~/.ssh/authorized_keys </span></span></code></pre></td></tr></table> </div> </div><p><strong>方法二</strong>:<code>ssh-copy-id</code>(如果装了)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh-copy-id -i ~/.ssh/id_rsa.pub user@&lt;host-ip&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="33-服务端配置">3.3 服务端配置 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">vim /etc/ssh/sshd_config </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 启用 RSA 认证(默认是 yes)</span> </span></span><span class="line"><span class="cl">RSAAuthentication yes </span></span><span class="line"><span class="cl">PubkeyAuthentication yes </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 指定公钥文件位置</span> </span></span><span class="line"><span class="cl">AuthorizedKeysFile .ssh/authorized_keys </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 允许 root 登录(视业务)</span> </span></span><span class="line"><span class="cl">PermitRootLogin yes </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># **关键:禁用密码登录**</span> </span></span><span class="line"><span class="cl">PasswordAuthentication no </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 重启 sshd</span> </span></span><span class="line"><span class="cl">service sshd restart </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p><strong>顺序很重要</strong>:先确认<strong>至少有一个账号能用公钥登录</strong>了,再去禁密码。否则一旦失联,就只能接显示器登录。</p> </blockquote> <h3 id="34-多个公钥">3.4 多个公钥 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat other_id_rsa.pub &gt;&gt; ~/.ssh/authorized_keys </span></span></code></pre></td></tr></table> </div> </div><p>一行一个公钥,OpenSSH 按顺序匹配。</p> <h2 id="四scp-远程拷贝">四、scp 远程拷贝 </h2><h3 id="41-本地--远程">4.1 本地 → 远程 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 文件</span> </span></span><span class="line"><span class="cl">scp /local/file.txt user@&lt;host&gt;:/remote/path/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 目录(加 -r)</span> </span></span><span class="line"><span class="cl">scp -r /local/dir user@&lt;host&gt;:/remote/path/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 携带密码(自动化场景)</span> </span></span><span class="line"><span class="cl">sshpass -p <span class="s1">&#39;your-password&#39;</span> scp -r /local/dir user@&lt;host&gt;:/remote/path/ </span></span></code></pre></td></tr></table> </div> </div><h3 id="42-远程--本地">4.2 远程 → 本地 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 文件</span> </span></span><span class="line"><span class="cl">scp user@&lt;host&gt;:/remote/file.txt /local/path/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 目录</span> </span></span><span class="line"><span class="cl">scp -r user@&lt;host&gt;:/remote/dir /local/path/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 携带密码</span> </span></span><span class="line"><span class="cl">sshpass -p <span class="s1">&#39;your-password&#39;</span> scp user@&lt;host&gt;:/remote/file.txt /local/path/ </span></span></code></pre></td></tr></table> </div> </div><h3 id="43-常用选项">4.3 常用选项 </h3><table> <thead> <tr> <th>选项</th> <th>含义</th> </tr> </thead> <tbody> <tr> <td><code>-P port</code></td> <td>指定端口(<strong>大写 P</strong>,不是 <code>-p</code>)</td> </tr> <tr> <td><code>-q</code></td> <td>去掉进度显示</td> </tr> <tr> <td><code>-l limit</code></td> <td>限速(单位 Kbit/s)</td> </tr> <tr> <td><code>-C</code></td> <td>压缩传输</td> </tr> <tr> <td><code>-i keyfile</code></td> <td>指定私钥文件</td> </tr> </tbody> </table> <blockquote> <p><strong>更现代的替代</strong>:<code>rsync</code> 和 <code>sftp</code> 都已经基本替代 <code>scp</code> 在生产环境的位置。<code>rsync</code> 增量传输、<code>sftp</code> 支持断点续传,<code>scp</code> 适合&quot;小文件、临时一次性&quot;的场景。</p> </blockquote> <h2 id="五wake-on-lan-远程开机">五、Wake-on-LAN 远程开机 </h2><p>WoL(Wake-on-LAN)允许<strong>通过网络发一个&quot;魔术包&quot;</strong>,让关机状态下的机器开机。要求机器的有线网卡和主板都支持。</p> <h3 id="51-检查网卡是否支持-wol">5.1 检查网卡是否支持 WoL </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ethtool eno1 </span></span><span class="line"><span class="cl"><span class="c1"># 找到 &#34;Supports Wake-on:&#34; 和 &#34;Wake-on:&#34; 两行</span> </span></span><span class="line"><span class="cl"><span class="c1"># Supports Wake-on: pumbg</span> </span></span><span class="line"><span class="cl"><span class="c1"># Wake-on: d ← d = 禁用</span> </span></span></code></pre></td></tr></table> </div> </div><table> <thead> <tr> <th>字段值</th> <th>含义</th> </tr> </thead> <tbody> <tr> <td><code>p</code></td> <td>Wake on PHY activity</td> </tr> <tr> <td><code>u</code></td> <td>Wake on unicast messages</td> </tr> <tr> <td><code>m</code></td> <td>Wake on multicast messages</td> </tr> <tr> <td><code>b</code></td> <td>Wake on broadcast messages</td> </tr> <tr> <td><code>a</code></td> <td>Wake on ARP</td> </tr> <tr> <td><code>g</code></td> <td>Wake on MagicPacket(<strong>最常用</strong>)</td> </tr> <tr> <td><code>s</code></td> <td>Enable SecureOn password for MagicPacket</td> </tr> <tr> <td><code>d</code></td> <td>Disable(默认)</td> </tr> </tbody> </table> <h3 id="52-启用-wol">5.2 启用 WoL </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 立即启用(重启后失效)</span> </span></span><span class="line"><span class="cl">ethtool -s eno1 wol g </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 永久启用:写进网卡配置</span> </span></span><span class="line"><span class="cl"><span class="c1"># CentOS/RHEL</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;ETHTOOL_OPTS=&#39;-s eno1 wol g&#39;&#34;</span> &gt;&gt; /etc/sysconfig/network-scripts/ifcfg-eno1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Debian/Ubuntu</span> </span></span><span class="line"><span class="cl"><span class="c1"># 在 /etc/network/interfaces 里加</span> </span></span><span class="line"><span class="cl"><span class="c1"># up ethtool -s eno1 wol g</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="53-查网卡物理地址mac">5.3 查网卡物理地址(MAC) </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ip a </span></span><span class="line"><span class="cl"><span class="c1"># link/ether 58:11:22:c3:1b:4d</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="54-安装并发送魔术包">5.4 安装并发送魔术包 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 安装 wakeonlan</span> </span></span><span class="line"><span class="cl">apt install wakeonlan <span class="c1"># Debian/Ubuntu</span> </span></span><span class="line"><span class="cl">yum install wakeonlan <span class="c1"># CentOS(需 EPEL)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 在同一局域网内发送</span> </span></span><span class="line"><span class="cl">wakeonlan 58:11:22:c3:1b:4d </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 指定目标 IP(跨网段需要中继)</span> </span></span><span class="line"><span class="cl">wakeonlan -i 10.8.33.5 58:11:22:c3:1b:4d </span></span></code></pre></td></tr></table> </div> </div><h3 id="55-bios-也要打开-wol">5.5 BIOS 也要打开 WoL </h3><p>掉电恢复来电后 WoL 经常失效——这是<strong>主板 BIOS 没开</strong>。</p> <p>开机进 BIOS → <code>Power Management Setup</code>:</p> <ul> <li>找 <code>Wake On LAN</code> → 设为 <code>Enable</code></li> <li>没有就找 <code>Wake On PCI Card</code> → 设为 <code>Enable</code>(<strong>注意</strong>:PCI 选项可能有两个,确保只开一个,否则循环重启)</li> <li>找 <code>PME Event Wake Up</code> → 设为 <code>Enabled</code></li> </ul> <p><strong>两种 WoL 模式的区别</strong>:</p> <ul> <li><code>Wake On LAN</code> —— 完全关机也能唤醒</li> <li><code>Wake On PCI Card</code> —— 深度休眠(hibernate)才能唤醒</li> </ul> <h3 id="56-远程关机">5.6 远程关机 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 立即关机</span> </span></span><span class="line"><span class="cl">shutdown now </span></span><span class="line"><span class="cl"><span class="c1"># 或</span> </span></span><span class="line"><span class="cl">shutdown --poweroff now </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 取消关机</span> </span></span><span class="line"><span class="cl">shutdown -c </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 预关机(带警告)</span> </span></span><span class="line"><span class="cl">shutdown --poweroff </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 深度睡眠</span> </span></span><span class="line"><span class="cl">pm-hibernate </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 重启</span> </span></span><span class="line"><span class="cl">shutdown --reboot </span></span></code></pre></td></tr></table> </div> </div><h2 id="六debian--ubuntu-网络配置">六、Debian / Ubuntu 网络配置 </h2><h3 id="61-debian-910etcnetworkinterfaces">6.1 Debian 9/10:<code>/etc/network/interfaces</code> </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 重启网络</span> </span></span><span class="line"><span class="cl">/etc/init.d/networking restart </span></span><span class="line"><span class="cl">systemctl restart networking </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 网卡配置</span> </span></span><span class="line"><span class="cl">vim /etc/network/interfaces </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl"># This file describes the network interfaces available on your system </span></span><span class="line"><span class="cl"># and how to activate them. For more information, see interfaces(5). </span></span><span class="line"><span class="cl">source /etc/network/interfaces.d/* </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"># 环回口 </span></span><span class="line"><span class="cl">auto lo </span></span><span class="line"><span class="cl">iface lo inet loopback </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"># DHCP 自动获取 </span></span><span class="line"><span class="cl">auto eth0 </span></span><span class="line"><span class="cl">iface eth0 inet dhcp </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"># 静态 IP </span></span><span class="line"><span class="cl">auto eth0 </span></span><span class="line"><span class="cl">iface eth0 inet static </span></span><span class="line"><span class="cl">address 192.168.1.122 </span></span><span class="line"><span class="cl">netmask 255.255.255.0 </span></span><span class="line"><span class="cl">gateway 192.168.1.2 </span></span></code></pre></td></tr></table> </div> </div><h3 id="62-查看-dns">6.2 查看 DNS </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 临时配置</span> </span></span><span class="line"><span class="cl">cat /etc/resolv.conf </span></span><span class="line"><span class="cl"><span class="c1"># nameserver 8.8.8.8</span> </span></span><span class="line"><span class="cl"><span class="c1"># nameserver 114.114.114.114</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 永久配置</span> </span></span><span class="line"><span class="cl">sudo apt install resolvconf </span></span></code></pre></td></tr></table> </div> </div><h3 id="63-ubuntu-1804netplan">6.3 Ubuntu 18.04+:<code>netplan</code> </h3><p>Ubuntu 18.04 起改用 <strong>netplan</strong>(YAML 格式):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 配置</span> </span></span><span class="line"><span class="cl">vim /etc/netplan/00-installer-config.yaml </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">network</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ethernets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">eno1</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dhcp4</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">addresses</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">192.168.10.127</span><span class="l">/24</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">routes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">to</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">via</span><span class="p">:</span><span class="w"> </span><span class="m">192.168.10.1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nameservers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">addresses</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="m">211.138.24.66</span><span class="p">,</span><span class="w"> </span><span class="m">114.114.114.114</span><span class="p">,</span><span class="w"> </span><span class="m">192.168.10.1</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">eno2</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dhcp4</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">eno3</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dhcp4</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">eno4</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dhcp4</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 应用配置</span> </span></span><span class="line"><span class="cl">netplan apply </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p><strong>从 interfaces 迁移到 netplan</strong>:2017-2018 是过渡期,老教程仍是 interfaces,新机器按 netplan 走。</p> </blockquote> <h3 id="64-dnssystemd-resolved">6.4 DNS:<code>systemd-resolved</code> </h3><p>Ubuntu 17.10 起默认启用 systemd-resolved。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">vim /etc/systemd/resolved.conf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>Resolve<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="c1"># 几个公开 DNS(示例)</span> </span></span><span class="line"><span class="cl"><span class="c1">#DNS=1.1.1.1 8.8.8.8</span> </span></span><span class="line"><span class="cl"><span class="nv">DNS</span><span class="o">=</span>114.114.114.114 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">systemctl restart systemd-resolved </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p><strong><code>/etc/resolv.conf</code> 经常被覆盖</strong>:<code>/etc/resolv.conf</code> 实际上是软链接到 <code>/run/systemd/resolve/stub-resolv.conf</code>,手动改 <code>/etc/resolv.conf</code> 重启后会失效。<strong>正确做法是改 <code>/etc/systemd/resolved.conf</code></strong>。</p> </blockquote> <h2 id="七debian-静态-ip-实际案例">七、Debian 静态 IP 实际案例 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. 查当前 IP</span> </span></span><span class="line"><span class="cl">ip a </span></span><span class="line"><span class="cl"><span class="c1"># 或</span> </span></span><span class="line"><span class="cl">ifconfig </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. 备份原配置</span> </span></span><span class="line"><span class="cl">cp /etc/network/interfaces /etc/network/interfaces.bak </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3. 改成静态</span> </span></span><span class="line"><span class="cl">cat &gt; /etc/network/interfaces &lt;&lt; <span class="s2">&#34;EOF&#34;</span> </span></span><span class="line"><span class="cl">auto lo </span></span><span class="line"><span class="cl">iface lo inet loopback </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">auto eth0 </span></span><span class="line"><span class="cl">iface eth0 inet static </span></span><span class="line"><span class="cl">address 192.168.1.122 </span></span><span class="line"><span class="cl">netmask 255.255.255.0 </span></span><span class="line"><span class="cl">gateway 192.168.1.2 </span></span><span class="line"><span class="cl">EOF </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 4. 重启</span> </span></span><span class="line"><span class="cl">systemctl restart networking </span></span></code></pre></td></tr></table> </div> </div><h2 id="八前置知识--下一步">八、前置知识 / 下一步 </h2><ul> <li>想了解 SSH 高级用法(端口转发、代理)→ 翻独立文章</li> <li>想了解 <code>fail2ban</code> 防爆破 → 翻本系列《Linux 用户管理与安全加固》</li> <li>想了解 Wake-on-LAN 跨网段(需要路由器支持)→ 翻独立文章</li> <li>想了解 <code>rsync</code> 增量同步替代 <code>scp</code> → 翻独立文章</li> <li>想了解 <code>ufw</code> 防火墙配置 → 翻本系列《Ubuntu 发行版实战》</li> </ul> <h2 id="九参考资源">九、参考资源 </h2><ul> <li>OpenSSH 官方文档:<a class="link" href="https://www.openssh.com/manual.html" target="_blank" rel="noopener" >https://www.openssh.com/manual.html</a></li> <li>Ubuntu Netplan 文档:<a class="link" href="https://netplan.io/" target="_blank" rel="noopener" >https://netplan.io/</a></li> <li>Debian 网络配置 wiki:<a class="link" href="https://wiki.debian.org/NetworkConfiguration" target="_blank" rel="noopener" >https://wiki.debian.org/NetworkConfiguration</a></li> <li>Wake-on-LAN 原理(Wikipedia):<a class="link" href="https://en.wikipedia.org/wiki/Wake-on-LAN" target="_blank" rel="noopener" >https://en.wikipedia.org/wiki/Wake-on-LAN</a></li> <li>ethtool 手册:<code>man ethtool</code></li> </ul> <hr> <h2 id="2024-视角7-年后远程管理的新王和新坑">2024 视角:7 年后远程管理的&quot;新王&quot;和&quot;新坑&quot; </h2><p>2017 那篇的 SSH 公私钥、scp、Wake-on-LAN 在 2024 仍管用——但有 3 个新趋势必须知道:</p> <h3 id="一ed25519-全面替代-rsa-2048">一、ed25519 全面替代 RSA 2048 </h3><p>2017 那篇示范 <code>ssh-keygen -t rsa</code>(默认 2048 位)。<strong>2024 实际项目里</strong> ed25519 已经是事实标准:</p> <table> <thead> <tr> <th>算法</th> <th>密钥长度</th> <th>性能</th> <th>抗量子</th> <th>兼容性</th> </tr> </thead> <tbody> <tr> <td>RSA 2048</td> <td>2048 位</td> <td>慢(签名/验签 1-3ms)</td> <td>弱(量子 Shor 算法秒破)</td> <td>全平台</td> </tr> <tr> <td>RSA 4096</td> <td>4096 位</td> <td>极慢(10-30ms)</td> <td>较弱</td> <td>全平台</td> </tr> <tr> <td><strong>ed25519</strong></td> <td>256 位</td> <td><strong>极快(&lt; 0.1ms)</strong></td> <td>中(仍是椭圆曲线)</td> <td>OpenSSH 6.5+(2014)</td> </tr> <tr> <td>ECDSA P-256</td> <td>256 位</td> <td>快</td> <td>中</td> <td>OpenSSH 5.7+(2008)</td> </tr> <tr> <td>ML-DSA(Dilithium)</td> <td>1312 字节</td> <td>慢</td> <td><strong>强(抗量子)</strong></td> <td>OpenSSH 9.x 实验中</td> </tr> </tbody> </table> <p><strong>2024 默认推荐</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># ed25519</span> </span></span><span class="line"><span class="cl">ssh-keygen -t ed25519 -C <span class="s2">&#34;lwd@&lt;your-host&gt;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 加 passphrase(用 ssh-agent / GNOME Keyring 记)</span> </span></span><span class="line"><span class="cl">ssh-keygen -t ed25519 -a <span class="m">100</span> -C <span class="s2">&#34;lwd@&lt;your-host&gt;&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># -a 100 = 100 轮 KDF,增强私钥文件抗爆破</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="二ssh-配置的现代化补充">二、SSH 配置的&quot;现代化&quot;补充 </h3><ul> <li><strong><code>Include /etc/ssh/sshd_config.d/*.conf</code></strong>:<strong>2024 推荐</strong>——把配置拆到 <code>/etc/ssh/sshd_config.d/</code> 目录,sshd 8.0+ 已支持。</li> <li><strong>KDF rounds on private key</strong>:私钥 KDF 迭代次数(<code>-a</code> 参数)。</li> <li><strong><code>Include ~/.ssh/config.d/*.conf</code></strong>:客户端也可以 <code>Include</code> 拆分。</li> <li><strong>GSSAPI / DNS</strong> 关闭默认已 ok。</li> <li><strong><code>Include</code> 路径匹配</strong>:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 客户端 ~/.ssh/config</span> </span></span><span class="line"><span class="cl">Include config.d/*.conf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># /etc/ssh/sshd_config.d/00-hardening.conf</span> </span></span><span class="line"><span class="cl">PasswordAuthentication no </span></span><span class="line"><span class="cl">PermitRootLogin prohibit-password </span></span><span class="line"><span class="cl">MaxAuthTries <span class="m">3</span> </span></span><span class="line"><span class="cl">X11Forwarding no </span></span><span class="line"><span class="cl">AllowAgentForwarding no </span></span></code></pre></td></tr></table> </div> </div><h3 id="三scp-全面弃用改用-sftp--rsync">三、scp 全面弃用,改用 sftp / rsync </h3><ul> <li><strong>OpenSSH 9.0</strong>(2022-04)开始打印 <code>WARNING: scp is deprecated</code>。</li> <li><strong>sftp</strong>(基于 SSH 的 FTP)支持<strong>断点续传</strong>、<strong>目录浏览</strong>:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 上传</span> </span></span><span class="line"><span class="cl">sftp user@host <span class="o">&lt;&lt;&lt;</span> <span class="s1">&#39;put -r /local/dir /remote/path&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 下载</span> </span></span><span class="line"><span class="cl">sftp user@host <span class="o">&lt;&lt;&lt;</span> <span class="s1">&#39;get -r /remote/path /local/&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>rsync</strong>(增量同步)做&quot;两台机器同步&quot;:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">rsync -avz --progress /local/dir/ user@host:/remote/dir/ </span></span><span class="line"><span class="cl"><span class="c1"># -a 归档模式</span> </span></span><span class="line"><span class="cl"><span class="c1"># -v 详细</span> </span></span><span class="line"><span class="cl"><span class="c1"># -z 传输时压缩</span> </span></span><span class="line"><span class="cl"><span class="c1"># --progress 显示进度</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="四wake-on-lan-在云时代的替代方案">四、Wake-on-LAN 在云时代的&quot;替代方案&quot; </h3><ul> <li>2017 那篇 WoL 在<strong>家用 / 局域网</strong>场景仍管用。</li> <li>但 2024 <strong>云服务器根本没 WoL 概念</strong>——开机通过云厂商 API。</li> <li><strong>远程开机</strong>的现代姿势: <ul> <li><strong>AWS</strong>:Lambda + CloudWatch Events + EC2 API</li> <li><strong>阿里云</strong>:函数计算 + 定时触发器 + ECS StartInstance</li> <li><strong>小米插座 / 智能插线板</strong>:远程给机器上电(家里老台式机)</li> </ul> </li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># 阿里云 SDK 远程开机</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">aliyunsdkcore.client</span> <span class="kn">import</span> <span class="n">AcsClient</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">aliyunsdkecs.request.v20140526</span> <span class="kn">import</span> <span class="n">StartInstanceRequest</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">AcsClient</span><span class="p">(</span><span class="s1">&#39;&lt;access-key-id&gt;&#39;</span><span class="p">,</span> <span class="s1">&#39;&lt;access-key-secret&gt;&#39;</span><span class="p">,</span> <span class="s1">&#39;cn-hangzhou&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">request</span> <span class="o">=</span> <span class="n">StartInstanceRequest</span><span class="o">.</span><span class="n">StartInstanceRequest</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="n">request</span><span class="o">.</span><span class="n">set_InstanceIds</span><span class="p">([</span><span class="s1">&#39;i-bp1xxxxxxxxxxxxxx&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="n">client</span><span class="o">.</span><span class="n">do_action_with_exception</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="五wireguard-替代-ssh-隧道--frp">五、WireGuard 替代 SSH 隧道 + frp </h3><ul> <li>2017 那篇没提 SSH 端口转发 <code>-L</code> / <code>-R</code>。2024 的&quot;点对点 VPN&quot;首选是 <strong>WireGuard</strong>:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 装</span> </span></span><span class="line"><span class="cl">apt install wireguard </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 生成密钥</span> </span></span><span class="line"><span class="cl">wg genkey <span class="p">|</span> tee /etc/wireguard/privatekey <span class="p">|</span> wg pubkey &gt; /etc/wireguard/publickey </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 配置 /etc/wireguard/wg0.conf</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>Interface<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">Address</span> <span class="o">=</span> 10.0.0.1/24 </span></span><span class="line"><span class="cl"><span class="nv">PrivateKey</span> <span class="o">=</span> &lt;server-private-key&gt; </span></span><span class="line"><span class="cl"><span class="nv">ListenPort</span> <span class="o">=</span> <span class="m">51820</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>Peer<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">PublicKey</span> <span class="o">=</span> &lt;client-public-key&gt; </span></span><span class="line"><span class="cl"><span class="nv">AllowedIPs</span> <span class="o">=</span> 10.0.0.2/32 </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>优势</strong>:内核态实现(性能是 OpenVPN 4 倍)、配置极简(单文件)、roaming 友好(IP 变化不重连)。</li> <li><strong>SSH 隧道还在用</strong>:但主要是&quot;临时单端口转发&quot;,<strong>长期组网</strong>全部走 WireGuard / Tailscale / ZeroTier。</li> </ul> <h3 id="六网络配置networkmanager-已成事实上默认">六、网络配置:NetworkManager 已成&quot;事实上默认&quot; </h3><ul> <li>2017 那篇给的 <code>/etc/network/interfaces</code> 写法,在 <strong>Debian 12+</strong>(2023-06)已经<strong>被 NetworkManager 取代</strong>:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 看现有连接</span> </span></span><span class="line"><span class="cl">nmcli connection show </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 改 IP</span> </span></span><span class="line"><span class="cl">nmcli connection modify <span class="s2">&#34;Wired connection 1&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> ipv4.addresses 192.168.1.100/24 <span class="se">\ </span></span></span><span class="line"><span class="cl"> ipv4.gateway 192.168.1.1 <span class="se">\ </span></span></span><span class="line"><span class="cl"> ipv4.dns <span class="s2">&#34;1.1.1.1,8.8.8.8&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> ipv4.method manual </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nmcli connection up <span class="s2">&#34;Wired connection 1&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>Ubuntu 22.04+ / Debian 12+</strong>:服务器版仍可装 <code>ifupdown</code> 用 <code>interfaces</code>,但<strong>新项目默认 NetworkManager</strong>。</li> <li><strong>nmcli / nmtui</strong> 比手写 YAML 更易维护。</li> </ul> <h3 id="七tailscale--zerotier-终结内网穿透">七、Tailscale / ZeroTier 终结&quot;内网穿透&quot; </h3><ul> <li>2017 那篇 SSH 远程登录到&quot;内网&quot;用 frp(2017 那篇还没提 frp,那篇主要是 SSH)。<strong>2024 趋势</strong>: <ul> <li><strong>Tailscale</strong>(基于 WireGuard,5 分钟建全球组网)—— 个人免费 100 台设备</li> <li><strong>ZeroTier</strong>(P2P + 控制器)—— 同样免费 25 台</li> <li><strong>Cloudflare Tunnel</strong>(云原生时代)—— <code>cloudflared</code> 一行命令把内网服务暴露公网</li> </ul> </li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Tailscale(2024 年最易上手)</span> </span></span><span class="line"><span class="cl">curl -fsSL https://tailscale.com/install.sh <span class="p">|</span> sh </span></span><span class="line"><span class="cl">tailscale up </span></span><span class="line"><span class="cl"><span class="c1"># 自动获得 100.x.x.x 虚拟 IP,全网互通</span> </span></span></code></pre></td></tr></table> </div> </div>