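TODO
- Scan the IP with online sites and tools to see whether it has vulnerabilities
- Check whether terminating an instance actually deletes the instance
- Access through a bastion host; OCI Bastion is free and managed by OCI
- Install a newer version of git
- Switch the package mirror to Osaka
- Disable password login
- Change the SSH port
- Protect against brute-force attacks
- Tuning, e.g. add swap, and so on
- A script to raise CPU utilisation so the machine is not reclaimed
- Is ufw needed? It seems important
- Recommended: enable Tailscale SSH (turn it on in the settings); this allows SSH directly without a public key

" Suggested: use it as an Exit Node (make the Oracle VM the exit node):
```bash
sudo tailscale up --advertise-exit-node --advertise-routes=YOUR_SUBNET/24
```
Then approve the Exit Node in the Tailscale admin console. "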
0. While commands are running, `watch` can be used to see memory usage refresh.
1. Memory usage
```bash
watch -n 5 free -h
```
2. Add to /etc/ssh/sshd_config: PermitRootLogin no
3. View CPU usage
```bash
watch -n 2 "top -bn1 | head -20"
```
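A line added to /etc/ssh/sshd_config only takes effect if no earlier line sets the same keyword: sshd uses the first value it reads, and Ubuntu's stock file begins by including /etc/ssh/sshd_config.d/*.conf. The added example below (not from the original notes; the function names and the sample configuration, including the drop-in file name, are constructed) resolves the effective value for the SSH settings on the TODO list.

```shell
#!/bin/sh
# Added example: resolve the value sshd will actually use for a keyword.
# sshd keeps the FIRST value it reads for each keyword, so a line appended
# to sshd_config loses to an earlier one (for example in an included drop-in).

# stdin: config text in the order sshd reads it; $1: keyword (case-insensitive)
# Assumes whitespace-separated "Keyword value" lines.
sshd_effective() {
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { key = tolower($1) }
    key == "match" { exit }                 # global section ends at the first Match block
    key == want { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }'
}

# Report the settings from the TODO list that do not have the wanted value.
sshd_findings() {
  cfg=$(cat)
  for pair in permitrootlogin=no passwordauthentication=no; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(printf '%s\n' "$cfg" | sshd_effective "$key")
    [ "$got" = "$want" ] || echo "$key=$got (want $want)"
  done
}

# Constructed sample: a hypothetical drop-in read first, then the main file.
sample_sshd_config() {
  cat <<'EOF'
# --- /etc/ssh/sshd_config.d/50-example.conf (hypothetical, read first via Include) ---
PasswordAuthentication yes
# --- /etc/ssh/sshd_config ---
#PermitRootLogin prohibit-password
PasswordAuthentication no
PermitRootLogin no
EOF
}

sample_sshd_config | sshd_findings
```

On the instance, `sudo sshd -T` prints the settings sshd actually resolved, and that output can be piped into `sshd_findings` as well.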
I.
1. Update the kernel
```bash
ubuntu@cc:~$ sudo apt update && sudo apt upgrade -y
```
The upgrade output ends with this notice:
```
Pending kernel upgrade
----------------------
Newer kernel available
The currently running kernel version is 6.8.0-1049-oracle which is not the expected kernel version 6.8.0-1050-oracle.
Restarting the system to load the new kernel will not be handled automatically, so you should consider rebooting.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
```
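2. Reboot the system so the new kernel takes effect
II. Restrict SSH connections by IP ++ close ports
1. Modify the rules in the network security group
2. Modify the security list
a. OCI has two layers of firewall:
- NSG (the one you are changing now)
- Security List (subnet level)
Differences between an NSG and a Security List in OCI:
- Security List: attached at the subnet level; applies to every resource in the subnet.
- NSG (Network Security Group): attached at the VNIC (virtual network interface) level; finer-grained, applies only to specific instances.
Traffic is allowed when a rule in either one permits it, which is why the SSH restriction is made in both (steps 1 and 2).
b. The NSG rule for the private subnet does not need to be closed;
the instance VM can be reached over SSH from Cloud Shell's internal address.
3. Close the ports that are exposed externally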
```bash
ubuntu@cc:~$ ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:111 [::]:*
LISTEN 0 128 [::]:22 [::]:*
ubuntu@cc:~$ sudo ss -tlnp | grep 111
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=446,fd=4),("systemd",pid=1,fd=36))
LISTEN 0 4096 [::]:111 [::]:* users:(("rpcbind",pid=446,fd=6),("systemd",pid=1,fd=38))
# The rpcbind service on port 111 is normally used together with NFS, rpc.statd and similar
# Stop and disable the rpcbind service
ubuntu@cc:~$ sudo systemctl stop rpcbind
Warning: Stopping rpcbind.service, but it can still be activated by:
rpcbind.socket
ubuntu@cc:~$ sudo systemctl disable rpcbind
Synchronizing state of rpcbind.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable rpcbind
Removed /etc/systemd/system/multi-user.target.wants/rpcbind.service.
Removed /etc/systemd/system/sockets.target.wants/rpcbind.socket.
# Although rpcbind.service has been stopped and disabled, rpcbind.socket is still active;
# through socket activation systemd keeps listening on port 111 (systemd itself now shows as the owner).
ubuntu@cc:~$ sudo ss -tlnp | grep 111
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:* users:(("systemd",pid=1,fd=106))
LISTEN 0 4096 [::]:111 [::]:* users:(("systemd",pid=1,fd=108))
# Stop the socket
ubuntu@cc:~$ sudo systemctl stop rpcbind.socket
# Disable the socket completely (so it does not start at boot)
ubuntu@cc:~$ sudo systemctl disable rpcbind.socket
ubuntu@cc:~$ sudo ss -tlnp | grep 111
# Mask rpcbind.socket and rpcbind.service entirely
# Even if another service tries to start them, the start fails
# They are not activated at boot either
ubuntu@cc:~$ sudo systemctl mask rpcbind.socket rpcbind.service
Created symlink /etc/systemd/system/rpcbind.service → /dev/null.
ubuntu@ccpp:~$ sudo systemctl status rpcbind.socket --no-pager
○ rpcbind.socket
Loaded: masked (Reason: Unit rpcbind.socket is masked.)
Active: inactive (dead)
May 06 13:18:07 ccpp systemd[1]: rpcbind.socket: Deactivated successfully.
May 06 13:18:07 ccpp systemd[1]: Closed RPCbind Server Activation Socket.
ubuntu@cc:~$ sudo ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=479,fd=14))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=586,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=586,fd=4))
# The first entry is the local DNS service (bound to 127.0.0.53 on lo), completely safe
```
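The check repeated by hand above (which listeners are reachable from outside, and which are only held open by systemd socket activation) can be scripted. This is an added example, not part of the original notes; the function names are assumptions and the sample `ss` output is constructed from the listings above.

```shell
#!/bin/sh
# Added example: classify TCP listeners from `sudo ss -tlnp` output (stdin).
# Output, one line per listener: "<exposure> <port> <owner> <note>"
audit_listeners() {
  awk '
    $1 == "LISTEN" {
      addr = $4
      port = addr; sub(/.*:/, "", port)          # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      exposure = (host ~ /^127\./ || host == "[::1]") ? "local" : "public"
      owner = "-"; note = "unknown"              # no users:(...) column without sudo
      if (match($0, /users:\(\("[^"]+"/)) {
        owner = substr($0, RSTART + 9, RLENGTH - 10)
        holders = $0; n = gsub(/\("/, "", holders)
        # Held by PID 1 alone: the service is stopped but its .socket unit is active
        note = (n == 1 && $0 ~ /\(\("systemd",pid=1,/) ? "socket-activated" : "service"
      }
      print exposure, port, owner, note
    }'
}

# Public ports not in the space-separated allow-list passed as $1
unexpected_public_ports() {
  audit_listeners | awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "public" && !($2 in ok) && !seen[$2]++ { print $2 }'
}

# Public ports whose .socket unit still has to be stopped, disabled and masked
socket_activated_ports() {
  audit_listeners |
    awk '$1 == "public" && $4 == "socket-activated" && !seen[$2]++ { print $2 }'
}

# Constructed sample: the state right after `systemctl stop rpcbind` in the notes
sample_ss_output() {
  cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:* users:(("systemd",pid=1,fd=106))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=479,fd=14))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=586,fd=3))
LISTEN 0 4096 [::]:111 [::]:* users:(("systemd",pid=1,fd=108))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=586,fd=4))
EOF
}

sample_ss_output | audit_listeners
```

On the instance, `sudo ss -tlnp | unexpected_public_ports "22"` should print nothing once rpcbind.socket is masked.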
III. Add swap, disable the apport service
1. swap
```bash
ubuntu@cc:~$ sudo fallocate -l 2G /swapfile
ubuntu@cc:~$ sudo chmod 600 /swapfile
ubuntu@cc:~$ sudo mkswap /swapfile
Setting up swapspace version 1, size = 1024 MiB (1073737728 bytes)
no label, UUID=b029bb92-7452-48ac-8ebc-cdba8f8f2534
ubuntu@cc:~$ sudo swapon /swapfile
# Make it permanent: mount automatically at boot
ubuntu@cc:~$ echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
/swapfile none swap sw 0 0
# Make it permanent
ubuntu@cc:~$ echo "vm.swappiness=10" | sudo tee -a /etc/sysctl.conf
vm.swappiness=10
ubuntu@cc:~$ sudo sysctl -p
vm.swappiness = 10
```
2. apport service
```bash
# apport is the crash reporter that ships with Ubuntu
ubuntu@cc:~$ sudo systemctl disable --now apport.service
apport.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable apport
ubuntu@cc:~$ systemctl is-enabled apport
apport.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install is-enabled apport
disabled
ubuntu@cc:~$ ps aux | grep apport
ubuntu 8666 0.0 0.2 4024 2364 pts/5 S+ 20:37 0:00 grep --color=auto apport
ubuntu@cc:~$ cat /etc/default/apport
#set this to 0 to disable apport, or to 1 to enable it
#you can temporarily override this with
#sudo service apport start force_start=1
enabled=1
ubuntu@ccpp:~$ sudo vim /etc/default/apport
# 4L, 149B written; changed 1 to 0
```
3. snapd (used to install snap software, e.g. Firefox (some versions) and the snap store)
```bash
ubuntu@cc:~$ sudo systemctl disable --now snapd.service snapd.socket
Removed /etc/systemd/system/multi-user.target.wants/snapd.service.
Removed /etc/systemd/system/sockets.target.wants/snapd.socket.
ubuntu@cc:~$ sudo apt purge snapd -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
apparmor
Use 'sudo apt autoremove' to remove it.
The following packages will be REMOVED:
snapd*
0 upgraded, 0 newly installed, 1 to remove and 1 not upgraded.
After this operation, 123 MB disk space will be freed.
(Reading database ... 105558 files and directories currently installed.)
Removing snapd (2.74.1+ubuntu22.04.4) ...
Stopping snap.oracle-cloud-agent.oracle-cloud-agent-updater.service
Stopping unit snap.oracle-cloud-agent.oracle-cloud-agent-updater.service
Waiting until unit snap.oracle-cloud-agent.oracle-cloud-agent-updater.service is stopped [attempt 1]
snap.oracle-cloud-agent.oracle-cloud-agent-updater.service is stopped.
Stopping snap.oracle-cloud-agent.oracle-cloud-agent.service
Stopping unit snap.oracle-cloud-agent.oracle-cloud-agent.service
Waiting until unit snap.oracle-cloud-agent.oracle-cloud-agent.service is stopped [attempt 1]
snap.oracle-cloud-agent.oracle-cloud-agent.service is stopped.
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
(Reading database ... 105463 files and directories currently installed.)
Purging configuration files for snapd (2.74.1+ubuntu22.04.4) ...
Stopping snap.oracle-cloud-agent.oracle-cloud-agent-updater.service
Stopping unit snap.oracle-cloud-agent.oracle-cloud-agent-updater.service
Waiting until unit snap.oracle-cloud-agent.oracle-cloud-agent-updater.service is stopped [attempt 1]
snap.oracle-cloud-agent.oracle-cloud-agent-updater.service is stopped.
Removing snap.oracle-cloud-agent.oracle-cloud-agent-updater.service
Stopping snap.oracle-cloud-agent.oracle-cloud-agent.service
Stopping unit snap.oracle-cloud-agent.oracle-cloud-agent.service
Waiting until unit snap.oracle-cloud-agent.oracle-cloud-agent.service is stopped [attempt 1]
snap.oracle-cloud-agent.oracle-cloud-agent.service is stopped.
Removing snap.oracle-cloud-agent.oracle-cloud-agent.service
Stopping snap-core18-2999.mount
Stopping unit snap-core18-2999.mount
Waiting until unit snap-core18-2999.mount is stopped [attempt 1]
snap-core18-2999.mount is stopped.
Removing snap core18 and revision 2999
Removing snap-core18-2999.mount
Stopping snap-oracle\x2dcloud\x2dagent-117.mount
Stopping unit snap-oracle\x2dcloud\x2dagent-117.mount
Waiting until unit snap-oracle\x2dcloud\x2dagent-117.mount is stopped [attempt 1]
snap-oracle\x2dcloud\x2dagent-117.mount is stopped.
Removing snap oracle-cloud-agent and revision 117
Removing snap-oracle\x2dcloud\x2dagent-117.mount
Stopping snap-snapd-26865.mount
Stopping unit snap-snapd-26865.mount
Waiting until unit snap-snapd-26865.mount is stopped [attempt 1]
snap-snapd-26865.mount is stopped.
Removing snap snapd and revision 26865
Removing snap-snapd-26865.mount
Discarding preserved snap namespaces
Final directory cleanup
Removing extra snap-confine apparmor rules
Removing snapd cache
Removing snapd state
```
Note what the purge output shows: removing snapd also stopped and removed the oracle-cloud-agent snap. The Oracle Cloud Agent plugins (OS Management Hub Agent, Vulnerability Scanning) run through that agent, so they are not available on this instance once snapd has been purged.
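IV.
1. OS Management Hub Agent (recommended; makes automatic patching easier)
On the instance creation page:
- In the Management section, find Oracle Cloud Agent.
- Click Edit next to it, or expand Advanced options.
- Under Oracle Cloud Agent, find OS Management Hub Agent and change it from Disabled to Enabled.
- If the plugin list is not visible, you may need to click Show Advanced Options first.
If you did not find it during creation, it can also be changed after the instance is created:
- Once the instance has been created, open the instance details page.
- Click the Oracle Cloud Agent tab on the left.
- Find OS Management Hub Agent in the plugin list and click Actions → Enable.
Note: after enabling, it may take a few minutes to take effect, and the corresponding IAM Policy is required (usually no problem for the root user).
2. Vulnerability Scanning
This usually cannot be ticked at creation time; it is a separate service, the Vulnerability Scanning Service (VSS).
The correct way to enable it (recommended after the instance is created):
- Once the instance is running, open the instance details page → Oracle Cloud Agent tab.
- Find the Vulnerability Scanning plugin and click Enable (if Oracle Cloud Agent is installed, it should be visible by default).
- Global configuration (more important):
  - Left menu → Identity & Security → Scanning.
  - Create a Scan Recipe and enable Agent-based scanning.
  - Create a Scan Target and add your Compartment or the specific instance to it.
This is a low-cost, free service; enabling it is recommended.
3. Commands to run immediately after the instance is created (over SSH)
These can only be run after the instance has been created and you have logged in over SSH: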
```bash
# Update the system
sudo apt update && sudo apt upgrade -y
# Install and enable the UFW firewall (recommended on Ubuntu)
sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from YOUR_IP to any port 22 # replace with your public IP; allows SSH only from your IP
sudo ufw allow 80/tcp # if HTTP is needed
sudo ufw allow 443/tcp # if HTTPS is needed
sudo ufw enable
sudo ufw status
```
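Strongly recommended: allow SSH only from your fixed IP rather than 0.0.0.0/0.
Summary
- Now: on the creation page, try expanding Advanced options → Oracle Cloud Agent and enable OS Management Hub Agent.
- Vulnerability Scanning: after the instance is created, enable it in the Agent plugins and configure a Target in the Scanning service.
- As soon as the instance is created, SSH in, run the updates and configure UFW.
IV.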
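```bash
# 113.15.239 below is incomplete as it appears in these notes;
# ufw needs a full IPv4 address or CIDR, so substitute your own public IP.
# 1. First delete any rules that may have been added earlier (to be safe)
sudo ufw delete allow from 113.15.239 to any port 22
sudo ufw delete deny 22
# 2. Allow your public IP
sudo ufw allow from 113.15.239 to any port 22 proto tcp
# 3. Allow the Oracle private network range 10.0.0.0/16
sudo ufw allow from 10.0.0.0/16 to any port 22 proto tcp
# 4. Deny every other IP on port 22 (rules are matched in order, so this stays after the allow rules)
sudo ufw deny 22
# 5. Reload and list the rules
sudo ufw reload
sudo ufw status numbered
```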