#!/bin/bash # ============================================================================= # VPS 专用最终安全优化脚本 v2.1 # 特性:动态内存 conntrack + hashsize 运行时热加载 + rp_filter=2 代理/多路由兼容 # + 大厂级 limits(1M nofile + 2M file-max)+ 完全尊重现有 BDP 配置 # 更新:2026-04-20 v2.1(扩展16GB+内存分层 + 提升fs.file-max至大厂推荐值) # 兼容:已存在 /etc/sysctl.d/99-bbrv3-tune.conf 的所有基础配置(BBR + fq + 大缓冲区等) # ============================================================================= set -e echo "=== VPS 专用最终安全优化(纯内核参数 + limits,2026大厂实践版) ===" # 1. 备份原配置(仅备份99-文件,不触碰其他) if [ -f "/etc/sysctl.d/99-bbrv3-tune.conf" ]; then cp "/etc/sysctl.d/99-bbrv3-tune.conf" "/etc/sysctl.d/99-bbrv3-tune.conf.bak.$(date +%Y%m%d_%H%M%S)" echo "✅ 已备份原 99-bbrv3-tune.conf" fi # 2. 确保 nf_conntrack 模块加载 modprobe nf_conntrack 2>/dev/null || true echo "nf_conntrack" > /etc/modules-load.d/nf_conntrack.conf # 3. 动态计算 conntrack_max & hashsize(多规格VPS核心优化,扩展至16GB+) MEM_KB=$(grep MemTotal /proc/meminfo | awk '{print $2}') MEM_GB=$((MEM_KB / 1024 / 1024)) if [ "$MEM_GB" -le 1 ]; then CONNTRACK_MAX=131072 elif [ "$MEM_GB" -le 2 ]; then CONNTRACK_MAX=262144 elif [ "$MEM_GB" -le 4 ]; then CONNTRACK_MAX=524288 elif [ "$MEM_GB" -le 8 ]; then CONNTRACK_MAX=1048576 elif [ "$MEM_GB" -le 16 ]; then CONNTRACK_MAX=2097152 else CONNTRACK_MAX=4194304 # 4M,适合32GB+大规格,内存占用可控 fi HASH_SIZE=$((CONNTRACK_MAX / 4)) echo "📊 检测到物理内存: ${MEM_GB}GB → nf_conntrack_max=${CONNTRACK_MAX} | hashsize=${HASH_SIZE}" # 4. 创建 nf_conntrack modprobe 配置(仅 hashsize,max 由 sysctl 接管) mkdir -p /etc/modprobe.d cat > /etc/modprobe.d/nf_conntrack.conf << EOF # nf_conntrack 高并发优化 - 2026 大厂必配(仅 hashsize,max 由 sysctl 接管) options nf_conntrack hashsize=${HASH_SIZE} EOF # === 关键修复:运行时立即生效 hashsize === if [ -d /sys/module/nf_conntrack/parameters ]; then echo ${HASH_SIZE} > /sys/module/nf_conntrack/parameters/hashsize 2>/dev/null || true echo "✅ hashsize 已运行时热加载(当前立即生效)" else echo "⚠️ hashsize sysfs 路径不存在(模块加载异常)" fi # 5. 创建最终追加 sysctl 配置(完全尊重现有99-bbrv3-tune.conf,仅追加增强) cat > /etc/sysctl.d/100-bbrv3-extra.conf << EOF # ========================================================= # VPS 低延迟代理最终追加优化 (100-bbrv3-extra.conf) # 2026 年大厂最佳实践版 v2.1 - 多规格VPS动态适配 # 说明:已存在的基础配置(BBR/fq/大rmem/8K backlog等)全部保留,此文件仅追加 # ========================================================= net.core.optmem_max = 65536 # BBRv3 核心增强:让内核根据实际 BDP 自动调节接收缓冲(与现有大rmem完美配合) net.ipv4.tcp_moderate_rcvbuf = 1 net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_timestamps = 1 net.ipv4.tcp_sack = 1 # TCP Fast Open(2026现代节点标配,降低1个RTT) net.ipv4.tcp_fastopen = 3 # BBRv3 专属优化 net.ipv4.tcp_no_metrics_save = 1 # TCP Keepalive(快速检测中转假死,比默认快得多) net.ipv4.tcp_keepalive_time = 300 net.ipv4.tcp_keepalive_intvl = 15 net.ipv4.tcp_keepalive_probes = 5 # conntrack(多规格动态适配,hashsize 已通过 modprobe 固定) net.netfilter.nf_conntrack_max = ${CONNTRACK_MAX} net.netfilter.nf_conntrack_tcp_timeout_established = 3600 net.netfilter.nf_conntrack_tcp_timeout_close_wait = 15 net.netfilter.nf_conntrack_udp_timeout = 30 # 基础安全防护(大厂标准,兼容复杂路由/代理场景) net.ipv4.conf.all.rp_filter = 2 net.ipv4.conf.default.rp_filter = 2 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 # 全局文件描述符兜底(提升至大厂推荐值 2M,优于基础配置的1M,更安全) fs.file-max = 2097152 EOF # 6. 文件描述符限制(使用 limits.d 追加方式,兼容多规格) mkdir -p /etc/security/limits.d cat > /etc/security/limits.d/99-vps-nofile.conf << 'EOF' # === VPS 安全 nofile 限制(多规格兼容,大厂标准 1M)=== * soft nofile 1048576 * hard nofile 1048576 root soft nofile 1048576 root hard nofile 1048576 EOF mkdir -p /etc/systemd/system.conf.d cat > /etc/systemd/system.conf.d/99-limits.conf << EOF [Manager] DefaultLimitNOFILE=1048576 EOF # 7. 立即生效(已加入全部修复) sysctl --system systemctl daemon-reload echo "" echo "=== ✅ VPS 最终优化完成!(2026大厂完整版 v2.1) ===" echo "检测内存: ${MEM_GB}GB | conntrack_max: ${CONNTRACK_MAX} | hashsize=${HASH_SIZE}(已热加载)" echo "rp_filter 已设为 2(兼容代理/复杂路由) | TFO 已开启 | fs.file-max=2097152(已提升)" echo "" echo "验证命令(请直接复制运行并把全部输出贴给我):" echo " sysctl net.ipv4.tcp_moderate_rcvbuf net.ipv4.tcp_fastopen net.ipv4.tcp_no_metrics_save net.ipv4.conf.all.rp_filter fs.file-max" echo " sysctl net.netfilter.nf_conntrack_max" echo " cat /etc/modprobe.d/nf_conntrack.conf" echo " cat /sys/module/nf_conntrack/parameters/hashsize" echo " ulimit -n" echo " cat /etc/security/limits.d/99-vps-nofile.conf" echo "" echo "所有变更均通过 100-bbrv3-extra.conf + limits.d 追加,未修改任何现有99-基础配置。"