【Homelab 筆記】Ubuntu 清理 ,Fail2ban 安裝

作者:

清理硬碟空間:

首先:
sudo apt update
sudo apt dist-upgrade

檢查空間:
全域:
sudo du -sh /* | sort -hr
5.3G /var
3.6G /usr
2.9G /snap
1.3G /home
274M /boot

檢查 /var:
sudo du -sh /var/* | sort -hr
2.4G /var/lib
1.6G /var/log
1.3G /var/www
131M /var/cache

先檢查 /var/log:
sudo du -sh /var/log/* | sort -hr
1.5G /var/log/journal

systemd journal 日誌:Ubuntu 24.04 預設用 journald 取代傳統 /var/log/syslog,Apache/Fail2Ban/SSH 等全寫這裡,時間久了就爆。

sudo journalctl –disk-usage
Archived and active journals take up 1.4G in the file system.

占用 1.4G

有四個清理方式:

# 保留最近 7 天(推薦)
sudo journalctl –vacuum-time=7d

# 限制總大小 500M
sudo journalctl –vacuum-size=500M

# 只留最近 10 個檔案
sudo journalctl –vacuum-files=10

# 一次全清(小心用)
sudo journalctl –vacuum-size=100M

sudo journalctl –vacuum-time=7d
sudo journalctl –disk-usage
Archived and active journals take up 32.0M in the file system.

1.4G –> 32M,不錯。

永久限制(避免再爆)
sudo nano /etc/systemd/journald.conf

修改:
SystemMaxUse=128M
SystemKeepFree=512M
RuntimeMaxUse=64M

儲存後套用:
sudo systemctl restart systemd-journald

檢查效果
watch -n 5 “df -h / && sudo journalctl –disk-usage”

讓他自動清理:
sudo crontab -e
# 每日凌晨 2 點清理
0 2 * * * /usr/bin/journalctl –vacuum-time=7d –vacuum-size=200M > /dev/null 2>&1

下一個:

Snapd 1.6G
是 Ubuntu 預裝套件累積!

Snapd 空間檢查 + 清理

1. 查看所有 Snap(含舊版)

snap list –all

Name Version Rev Tracking Publisher Notes
certbot 5.2.2 5234 latest/stable certbot-eff✓ disabled,classic
certbot 5.3.0 5361 latest/stable certbot-eff✓ classic
core20 20250822 2682 latest/stable canonical✓ base,disabled
core20 20251031 2686 latest/stable canonical✓ base
core22 20251125 2216 latest/stable canonical✓ base,disabled
core22 20260113 2292 latest/stable canonical✓ base
core24 20251026 1243 latest/stable canonical✓ base,disabled
core24 20251210 1267 latest/stable canonical✓ base
lxd 6.6-a89d075 37006 latest/stable/… canonical✓ disabled
lxd 6.6-2dcd56e 37188 latest/stable/… canonical✓ –
snapd 2.72 25577 latest/stable canonical✓ snapd,disabled
snapd 2.73 25935 latest/stable canonical✓ snapd

或者:

2.
snap list –all | grep disabled

certbot 5.2.2 5234 latest/stable certbot-eff** disabled,classic
core20 20250822 2682 latest/stable canonical** base,disabled
core22 20251125 2216 latest/stable canonical** base,disabled
core24 20251026 1243 latest/stable canonical** base,disabled
lxd 6.6-a89d075 37006 latest/stable/… canonical** disabled
snapd 2.72 25577 latest/stable canonical** snapd,disabled

or

snap list –all | awk ‘/disabled/{print $1, $3}’

certbot 5234
core20 2682
core22 2216
core24 1243
lxd 37006
snapd 25577

執行:
snap list –all | awk ‘/disabled/{print $1, $3}’ | while read snapname snaprev; do
sudo snap remove “$snapname” –revision=”$snaprev”
done

certbot (revision 5234) removed
core20 (revision 2682) removed
core22 (revision 2216) removed
core24 (revision 1243) removed
lxd (revision 37006) removed
snapd (revision 25577) removed

徹底移除 –purge(徹底清資料)

snap list –all | awk ‘/disabled/{print $1, $3}’ | while read snapname snaprev; do
sudo snap remove –purge “$snapname” –revision=”$snaprev”
done

sudo du -sh /var/lib/snapd
1.6G /var/lib/snapd

sudo snap set system refresh.retain=2
sudo rm -rf /var/lib/snapd/cache/*
sudo snap remove –purge snap-store firefox gnome-* 2>/dev/null || true
du -sh /var/lib/snapd

689M /var/lib/snapd

立即清理(1 秒釋放 1.4G)
1. 安全刪 cache(snapd 會重造)
sudo rm -rf /var/lib/snapd/cache/*
# 或全刪
sudo rm -rf /var/lib/snapd/cache

sudo du -sh /var/lib/snapd/* | sort -hr
439M /var/lib/snapd/snaps

1.6G 剩下 439M

1. 限制 Snap 更新保留

sudo snap set system refresh.retain=2 # 只留 2 版
sudo snap refresh –amend # 套用

下一個, mysql, 用 root 進入目錄。

/var/lib/mysql# ls -l

total 229608
-rw-r—– 1 mysql mysql 56 Mar 8 2023 auto.cnf
-rw-r—– 1 mysql mysql 6676669 Jan 6 00:00 binlog.002009
-rw-r—– 1 mysql mysql 742906 Jan 6 03:56 binlog.002010
-rw-r—– 1 mysql mysql 2986201 Jan 7 00:00 binlog.002011
-rw-r—– 1 mysql mysql 744073 Jan 7 03:56 binlog.002012
-rw-r—– 1 mysql mysql 2968956 Jan 8 00:00 binlog.002013
-rw-r—– 1 mysql mysql 796288 Jan 8 03:56 binlog.002014
-rw-r—– 1 mysql mysql 3017223 Jan 9 00:00 binlog.002015
-rw-r—– 1 mysql mysql 772984 Jan 9 03:56 binlog.002016
-rw-r—– 1 mysql mysql 2946761 Jan 10 00:00 binlog.002017
-rw-r—– 1 mysql mysql 790247 Jan 10 03:56 binlog.002018
-rw-r—– 1 mysql mysql 2980201 Jan 11 00:00 binlog.002019
-rw-r—– 1 mysql mysql 802881 Jan 11 03:56 binlog.002020
-rw-r—– 1 mysql mysql 3878200 Jan 12 00:00 binlog.002021
-rw-r—– 1 mysql mysql 800391 Jan 12 03:56 binlog.002022
-rw-r—– 1 mysql mysql 5781799 Jan 13 00:00 binlog.002023
-rw-r—– 1 mysql mysql 778354 Jan 13 03:56 binlog.002024
-rw-r—– 1 mysql mysql 3303759 Jan 14 00:00 binlog.002025
-rw-r—– 1 mysql mysql 783992 Jan 14 03:56 binlog.002026
-rw-r—– 1 mysql mysql 2983524 Jan 15 00:00 binlog.002027
-rw-r—– 1 mysql mysql 802822 Jan 15 03:56 binlog.002028
-rw-r—– 1 mysql mysql 3020068 Jan 16 00:00 binlog.002029
-rw-r—– 1 mysql mysql 766506 Jan 16 03:56 binlog.002030
-rw-r—– 1 mysql mysql 2969460 Jan 17 00:00 binlog.002031
-rw-r—– 1 mysql mysql 782877 Jan 17 03:56 binlog.002032
-rw-r—– 1 mysql mysql 2991180 Jan 18 00:00 binlog.002033
-rw-r—– 1 mysql mysql 738312 Jan 18 03:56 binlog.002034
-rw-r—– 1 mysql mysql 3020650 Jan 19 00:00 binlog.002035
-rw-r—– 1 mysql mysql 768975 Jan 19 03:56 binlog.002036
-rw-r—– 1 mysql mysql 3345073 Jan 20 00:00 binlog.002037
-rw-r—– 1 mysql mysql 780785 Jan 20 03:56 binlog.002038
-rw-r—– 1 mysql mysql 2925131 Jan 21 00:00 binlog.002039
-rw-r—– 1 mysql mysql 780277 Jan 21 03:56 binlog.002040
-rw-r—– 1 mysql mysql 2988761 Jan 22 00:00 binlog.002041
-rw-r—– 1 mysql mysql 765999 Jan 22 03:56 binlog.002042
-rw-r—– 1 mysql mysql 3500946 Jan 23 00:00 binlog.002043
-rw-r—– 1 mysql mysql 738763 Jan 23 03:56 binlog.002044
-rw-r—– 1 mysql mysql 3557441 Jan 24 00:00 binlog.002045
-rw-r—– 1 mysql mysql 759584 Jan 24 03:56 binlog.002046
-rw-r—– 1 mysql mysql 3349993 Jan 25 00:00 binlog.002047
-rw-r—– 1 mysql mysql 986170 Jan 25 03:56 binlog.002048
-rw-r—– 1 mysql mysql 3020729 Jan 26 00:00 binlog.002049
-rw-r—– 1 mysql mysql 764545 Jan 26 03:56 binlog.002050
-rw-r—– 1 mysql mysql 3032335 Jan 27 00:00 binlog.002051
-rw-r—– 1 mysql mysql 729490 Jan 27 03:56 binlog.002052
-rw-r—– 1 mysql mysql 2951946 Jan 28 00:00 binlog.002053
-rw-r—– 1 mysql mysql 786949 Jan 28 03:56 binlog.002054
-rw-r—– 1 mysql mysql 2952376 Jan 29 00:00 binlog.002055
-rw-r—– 1 mysql mysql 773785 Jan 29 03:56 binlog.002056
-rw-r—– 1 mysql mysql 3016638 Jan 30 00:00 binlog.002057
-rw-r—– 1 mysql mysql 767325 Jan 30 03:56 binlog.002058
-rw-r—– 1 mysql mysql 3302787 Jan 31 00:00 binlog.002059
-rw-r—– 1 mysql mysql 771436 Jan 31 03:56 binlog.002060
-rw-r—– 1 mysql mysql 3030109 Feb 1 00:00 binlog.002061
-rw-r—– 1 mysql mysql 739059 Feb 1 03:56 binlog.002062
-rw-r—– 1 mysql mysql 3027655 Feb 2 00:00 binlog.002063
-rw-r—– 1 mysql mysql 1171971 Feb 2 03:56 binlog.002064
-rw-r—– 1 mysql mysql 2974584 Feb 3 00:00 binlog.002065
-rw-r—– 1 mysql mysql 789734 Feb 3 03:56 binlog.002066
-rw-r—– 1 mysql mysql 6348754 Feb 4 00:00 binlog.002067
-rw-r—– 1 mysql mysql 1025019 Feb 4 03:56 binlog.002068
-rw-r—– 1 mysql mysql 2514652 Feb 4 15:09 binlog.002069
-rw-r—– 1 mysql mysql 976 Feb 4 03:56 binlog.index

一堆 binlog 檔!

1. 登入 MySQL 清 binlog

mysql -u root -p

— 清 2026/2/1 前所有 binlog(保留最近的)
PURGE BINARY LOGS BEFORE ‘2026-02-01 00:00:00’;

— 檢查剩餘的binlog
SHOW BINARY LOGS;

— 退出
EXIT;

2. 驗證空間釋放

cd /var/lib/mysql
sudo du -sh * | sort -hr | head -5
df -h /

永久防止再爆(設定保留 7 天)

sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

加到 [mysqld] 區段:

[mysqld]
binlog_expire_logs_seconds = 604800 # 7 天自動清
max_binlog_size = 50M # 單檔上限 50M

儲存後重啟:

sudo systemctl restart mysql

檢查:
mysql -u root -p -e “SHOW VARIABLES LIKE ‘binlog_expire_logs_seconds’;”

Enter password:
+—————————-+——–+
| Variable_name | Value |
+—————————-+——–+
| binlog_expire_logs_seconds | 604800 |
+—————————-+——–+

ok. 清空。

下一個,裝 fail2ban
我有台 VM,一直被測試 ssh port. 不裝不行。

Ubuntu 24.04 apt install 的 fail2ban 會有問題。操作如下:

# 1) 下載:
cd /tmp/
wget -O fail2ban.deb https://github.com/fail2ban/fail2ban/releases/download/1.1.0/fail2ban_1.1.0-1.upstream1_all.deb
wget -O fail2ban.deb.asc https://github.com/fail2ban/fail2ban/releases/download/1.1.0/fail2ban_1.1.0-1.upstream1_all.deb.asc

# 2) 查驗:
gpg –verify fail2ban.deb.asc fail2ban.deb

# 3) 檢查內容:
dpkg -I fail2ban.deb

# 4) 停掉現有 fail2ban 服務
sudo service fail2ban stop

# 5a) 安裝:
sudo dpkg -i fail2ban.deb
sudo apt -f install (強制安裝)

# 啟動服務:
sudo systemctl start fail2ban

# 檢查:
sudo systemctl status fail2ban

自訂配置(建立 jail.local)

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

關鍵修改:

[DEFAULT]
bantime = 1h # 封鎖 1 小時
findtime = 10m # 10 分內
maxretry = 3 # 3 次失敗封鎖

[sshd]
enabled = true
port = 22,2222 # 你的 SSH 埠
logpath = /var/log/auth.log

完工!

 

發佈留言

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料