
Hardening a Linux Server: Security Configuration from the Command Line

Published: 2025-04-11

Linux Server Security Hardening Guide

1. System updates and patch management

# Refresh the package lists and install all available updates
sudo apt update && sudo apt upgrade -y  # Debian/Ubuntu
sudo yum update -y                     # CentOS/RHEL

# Automatic security updates (Debian/Ubuntu)
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

2. User and privilege management

# Create a new administrative user
sudo adduser newadmin
sudo usermod -aG sudo newadmin  # Debian/Ubuntu
sudo usermod -aG wheel newadmin # CentOS/RHEL

# Disable direct root login by locking the root password
sudo passwd -l root
# or disable it in the SSH configuration (see below)

# List accounts whose password field is empty
sudo awk -F: '($2 == "") {print $1}' /etc/shadow

# Set a password policy
sudo apt install libpam-pwquality  # Debian/Ubuntu
# Edit /etc/pam.d/common-password and add:
# password requisite pam_pwquality.so retry=3 minlen=12 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
# (at least 12 characters, at least one upper-case, lower-case, digit and special character, 3 attempts)

3. SSH hardening

# Edit the SSH daemon configuration
sudo nano /etc/ssh/sshd_config

# Recommended settings (sshd uses the first occurrence of each keyword):
Port 2222                     # non-default port (reduces scanner noise, not a security boundary; update the firewall rule below)
PermitRootLogin no            # disable root login
MaxAuthTries 3                # maximum authentication attempts per connection
ClientAliveInterval 300       # probe an idle client every 300 seconds
ClientAliveCountMax 2         # drop the session after 2 unanswered probes (0 disables termination on OpenSSH 8.2+)
AllowUsers newadmin           # only the listed users may log in
PasswordAuthentication no     # disable password authentication, keys only

# Restart the SSH service (the unit is named ssh on Debian/Ubuntu, sshd on CentOS/RHEL);
# keep your current session open and confirm key-based login for newadmin from a second session first
sudo systemctl restart sshd
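
The recommended directives above are easy to get wrong in a long sshd_config, because sshd takes the first occurrence of each keyword and silently ignores later duplicates. The following script is an added example (not part of the original article) that audits a config file against those recommendations and flags the ClientAliveCountMax 0 trap; the function names and the sample config are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config
# against the settings recommended above. sshd honours the FIRST
# occurrence of each keyword, so the parser must do the same.

# sshd_value FILE KEYWORD -> prints the effective value, empty if unset
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }             # skip comment lines
        tolower($1) == key { print $2; exit } # first match wins
    ' "$1"
}

# check_sshd_config FILE -> prints one "FAIL ..." line per finding,
# returns 0 only when every recommended setting is in place
check_sshd_config() {
    f="$1"; rc=0
    # keyword=expected pairs taken from the recommendations above
    for pair in PermitRootLogin=no PasswordAuthentication=no MaxAuthTries=3; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_value "$f" "$key")"
        if [ "$got" != "$want" ]; then
            echo "FAIL $key=${got:-<unset>} (want $want)"; rc=1
        fi
    done
    # without AllowUsers every local account may log in over SSH
    if [ -z "$(sshd_value "$f" AllowUsers)" ]; then
        echo "FAIL AllowUsers=<unset>"; rc=1
    fi
    # ClientAliveCountMax 0 disables idle termination on OpenSSH 8.2+
    if [ "$(sshd_value "$f" ClientAliveCountMax)" = "0" ]; then
        echo "FAIL ClientAliveCountMax=0 (disables idle termination)"; rc=1
    fi
    return $rc
}

# Constructed sample config for the demo (deliberately weak)
SAMPLE="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$SAMPLE" <<'EOF'
# Port 2222
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 0
EOF

check_sshd_config "$SAMPLE" || echo "sshd_config needs attention"
```

On a real host run it as `check_sshd_config /etc/ssh/sshd_config`, then validate the syntax with `sudo sshd -t` before restarting; `sudo sshd -T` prints the effective values sshd will actually use, which is the authoritative check when Include files are involved.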

4. Firewall configuration

# UFW (Ubuntu): allow the SSH port BEFORE enabling the firewall, otherwise a remote session is cut off
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp  # replace with your SSH port
sudo ufw enable

# FirewallD (CentOS/RHEL)
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

5. File system security

# Tighten permissions on sensitive files
sudo chmod 600 /etc/shadow  # Debian/Ubuntu ship 0640 root:shadow; 0600 breaks setgid-shadow helpers such as unix_chkpwd, so keep the distro default there
sudo chmod 644 /etc/passwd
sudo chmod 600 /home/*/.ssh/authorized_keys

# Find SUID/SGID files
sudo find / -perm /4000 -type f -exec ls -ld {} \;
sudo find / -perm /2000 -type f -exec ls -ld {} \;

# Find world-writable directories that lack the sticky bit (root filesystem only)
sudo find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
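
A one-off SUID/SGID listing is only useful if you can tell what changed since last time. The script below is an added example (not from the original article) that stores a baseline of SUID/SGID files and later diffs the live system against it, so a newly planted setuid binary shows up as a "+" line; the function names and the demo tree are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): record a baseline of
# SUID/SGID files and later diff the live system against it, so a newly
# appeared setuid binary is reported as "+path" and a vanished one as "-path".

# list_suid_sgid ROOT -> sorted list of SUID/SGID regular files under ROOT
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# suid_baseline ROOT BASELINE_FILE -> saves the current list as the baseline
suid_baseline() {
    list_suid_sgid "$1" > "$2"
}

# suid_diff ROOT BASELINE_FILE -> prints "+path" for new and "-path" for
# removed SUID/SGID files; returns 1 if anything changed, 0 if identical
suid_diff() {
    current="${TMPDIR:-/tmp}/suid_current.$$"
    list_suid_sgid "$1" > "$current"
    changed=0
    # comm needs sorted input; both lists come from list_suid_sgid
    comm -13 "$2" "$current" | sed 's/^/+/' | grep . && changed=1
    comm -23 "$2" "$current" | sed 's/^/-/' | grep . && changed=1
    rm -f "$current"
    return $changed
}

# Constructed demo tree instead of the real root filesystem
DEMO="${TMPDIR:-/tmp}/suid_demo.$$"
mkdir -p "$DEMO/bin" "$DEMO/opt"
: > "$DEMO/bin/passwd"; chmod 4755 "$DEMO/bin/passwd"  # expected SUID
: > "$DEMO/bin/wall";   chmod 2755 "$DEMO/bin/wall"    # expected SGID
: > "$DEMO/opt/helper"; chmod 0755 "$DEMO/opt/helper"  # plain binary

suid_baseline "$DEMO" "$DEMO/baseline.txt"
# Simulate a later change: a setuid bit appears on a file that never had one
chmod 4755 "$DEMO/opt/helper"
suid_diff "$DEMO" "$DEMO/baseline.txt" || echo "SUID/SGID set changed since baseline"
```

On a real host take the baseline as root right after the initial hardening (`suid_baseline / /var/lib/suid-baseline.txt`, owned by root, mode 0600) and run `suid_diff` from a daily cron job; a "+" line for a file outside the package manager's control is worth an immediate look.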

6. Logging and monitoring

# Enable the audit daemon (RHEL/CentOS)
sudo yum install auditd
sudo systemctl enable auditd
sudo systemctl start auditd

# Configure log rotation
sudo nano /etc/logrotate.conf

# Install and enable fail2ban (temporarily bans sources with repeated failed logins)
sudo apt install fail2ban  # Debian/Ubuntu
sudo yum install fail2ban  # CentOS/RHEL (packaged in EPEL)
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

7. Kernel parameter hardening

# Edit the sysctl configuration
sudo nano /etc/sysctl.conf

# Add the following:
net.ipv4.tcp_syncookies = 1                  # SYN flood protection
net.ipv4.conf.all.rp_filter = 1              # reverse-path filtering (drops spoofed source addresses)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0       # ignore ICMP redirects
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0         # do not send ICMP redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1     # ignore broadcast pings (smurf amplification)
net.ipv4.icmp_ignore_bogus_error_responses = 1
kernel.randomize_va_space = 2                # full ASLR
# kernel.exec-shield = 1 was listed here originally; it only existed on RHEL 5-era kernels and
# current kernels reject it ("No such file or directory" from sysctl -p), so leave it out

# Apply the settings
sudo sysctl -p
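
Before running `sysctl -p` on a new file it pays to check that every key actually exists on the running kernel and to see which values are not yet applied. The script below is an added example (not from the original article) that validates a sysctl file against the /proc/sys tree; the optional ROOT argument and the demo tree are hypothetical constructs that let it run against a constructed directory instead of the real /proc/sys.

```shell
#!/bin/sh
# Added example (not from the original article): validate a sysctl file
# before running `sysctl -p`. It flags keys the running kernel does not
# expose under /proc/sys (kernel.exec-shield is one such key on current
# kernels) and reports keys whose live value differs from the desired one.
# The optional ROOT argument is a hypothetical knob that points the check
# at a constructed tree instead of the real /proc/sys, for the demo.

# key_to_path KEY ROOT -> ROOT/net/ipv4/tcp_syncookies for net.ipv4.tcp_syncookies
key_to_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr . /)"
}

# check_sysctl_conf FILE [ROOT] -> prints OK / DIFF / UNKNOWN per key,
# returns 1 if any key is DIFF or UNKNOWN
check_sysctl_conf() {
    root="${2:-/proc/sys}"
    # drop comments and blank lines, turn "key = value" into "key value"
    out="$(sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' \
               -e 's/[[:space:]]*=[[:space:]]*/ /' "$1" |
        while read -r key want; do
            path="$(key_to_path "$key" "$root")"
            if [ ! -r "$path" ]; then
                echo "UNKNOWN $key (no $path)"
            elif [ "$(cat "$path")" != "$want" ]; then
                echo "DIFF $key live=$(cat "$path") want=$want"
            else
                echo "OK $key"
            fi
        done)"
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -Eq '^(UNKNOWN|DIFF) ' && return 1
    return 0
}

# Constructed stand-in for /proc/sys plus a sysctl.conf that includes the
# obsolete exec-shield key and one value that has not been applied yet
DEMO="${TMPDIR:-/tmp}/sysctl_demo.$$"
mkdir -p "$DEMO/proc/net/ipv4/conf/all" "$DEMO/proc/kernel"
echo 1 > "$DEMO/proc/net/ipv4/tcp_syncookies"
echo 1 > "$DEMO/proc/net/ipv4/conf/all/accept_redirects"
echo 2 > "$DEMO/proc/kernel/randomize_va_space"
cat > "$DEMO/sysctl.conf" <<'EOF'
# constructed sample
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
kernel.randomize_va_space = 2
kernel.exec-shield = 1
EOF

check_sysctl_conf "$DEMO/sysctl.conf" "$DEMO/proc" || echo "fix the file before sysctl -p"
```

Against a live system call it as `check_sysctl_conf /etc/sysctl.conf` (no ROOT argument); after `sudo sysctl -p` every line should read OK, and any UNKNOWN line is a key to remove rather than a setting that silently took effect.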

8. Regular security scans

# Install Lynis for security auditing
sudo apt install lynis  # Debian/Ubuntu
sudo yum install lynis  # CentOS/RHEL

# Run an audit
sudo lynis audit system

# Install rkhunter to check for rootkits
sudo apt install rkhunter  # Debian/Ubuntu
sudo yum install rkhunter  # CentOS/RHEL
sudo rkhunter --update
sudo rkhunter --propupd   # records current file properties as the trusted baseline: run it only on a known-clean system
sudo rkhunter --check

9. Service management

# List running services
sudo systemctl list-units --type=service --state=running

# Stop and disable services you do not need
sudo systemctl stop <service_name>
sudo systemctl disable <service_name>

# Check listening ports
sudo netstat -tulnp  # legacy net-tools, may not be installed
sudo ss -tulnp
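
Reading `ss -tulnp` by eye works once; what you want afterwards is a check that tells you when something new starts listening. The script below is an added example (not from the original article) that parses ss output and compares the listening ports with an allowlist of the ports this server is meant to expose; the function names, the allowlist and the sample ss output are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): compare the listeners
# reported by `ss -tulnp` against an allowlist of ports the server is meant
# to expose and report everything else. The allowlist and the ss output
# below are constructed for the demo; on a live host capture real output
# with: sudo ss -tulnp > /tmp/ss.txt

# listening_ports SS_OUTPUT_FILE -> one "proto port process" line per socket
listening_ports() {
    awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]       # last field, so "[::]:22" works
        proc = "-"
        if (match($0, /users:\(\("[^"]+"/))      # users:(("sshd",pid=...
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, port, proc
    }' "$1" | sort -u
}

# check_listeners SS_OUTPUT_FILE "PORT PORT ..." -> prints an UNEXPECTED line
# for each listener whose port is not in the allowlist, returns 1 if any
check_listeners() {
    out="$(listening_ports "$1" | while read -r proto port proc; do
        case " $2 " in
            *" $port "*) ;;                       # allowed
            *) echo "UNEXPECTED $proto/$port ($proc)" ;;
        esac
    done)"
    [ -n "$out" ] && { printf '%s\n' "$out"; return 1; }
    return 0
}

# Constructed ss -tulnp output: sshd on 2222, the stub resolver, and a
# Redis instance nobody asked for
SAMPLE="${TMPDIR:-/tmp}/ss_sample.$$"
cat > "$SAMPLE" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:2222          [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=601,fd=12))
tcp   LISTEN 0      511    0.0.0.0:6379       0.0.0.0:*         users:(("redis-server",pid=990,fd=6))
EOF

check_listeners "$SAMPLE" "2222 53" || echo "review the unexpected listeners"
```

Keep the allowlist next to the firewall rules: a port that is open in the firewall but not in the allowlist, or listening but not in either, is the discrepancy this check is meant to surface.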

10. Back up critical configuration

# Back up key configuration files (the archive contains /etc/shadow, so keep it readable by root only)
sudo tar -czvf /backup/config_backup_$(date +%Y%m%d).tar.gz /etc/ssh/sshd_config /etc/passwd /etc/shadow /etc/group /etc/sudoers /etc/hosts.allow /etc/hosts.deny
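
The single tar command above creates the archive with the default umask and assumes /backup already exists, so a backup containing password hashes can end up world-readable or not be written at all. The script below is an added example (not from the original article) that creates a root-only destination, writes the archive with mode 0600 and verifies its contents; the function name is hypothetical and the demo tree stands in for the real /etc.

```shell
#!/bin/sh
# Added example (not from the original article): back up configuration
# files into an owner-only directory, create the archive with mode 0600
# (it contains /etc/shadow), and verify that every file made it into the
# archive. The demo at the bottom uses a constructed tree, not the real /etc.

# backup_configs DEST_DIR FILE... -> prints the archive path on success,
# returns 1 on a missing input file, a tar error, or a failed verification
backup_configs() {
    dest="$1"; shift
    # the directory itself is restricted to its owner (root when run via sudo)
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    archive="$dest/config_backup_$(date +%Y%m%d_%H%M%S).tar.gz"
    for f in "$@"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # umask 077 makes the archive 0600 from the moment it is created
    ( umask 077 && tar -czf "$archive" "$@" 2>/dev/null ) || return 1
    # verify: each requested file (leading / stripped, as tar stores it) is listed
    for f in "$@"; do
        tar -tzf "$archive" | grep -qxF "${f#/}" || { echo "not archived: $f" >&2; return 1; }
    done
    echo "$archive"
}

# Constructed demo tree standing in for /etc
DEMO="${TMPDIR:-/tmp}/backup_demo.$$"
mkdir -p "$DEMO/etc/ssh"
echo "PermitRootLogin no" > "$DEMO/etc/ssh/sshd_config"
echo "root:*:19000:0:99999:7:::" > "$DEMO/etc/shadow"   # constructed, no real hash

ARCHIVE="$(backup_configs "$DEMO/backup" "$DEMO/etc/ssh/sshd_config" "$DEMO/etc/shadow")" \
    && echo "backup written to $ARCHIVE"
```

On a real host call it as root with the file list from the command above, for example `sudo sh backup.sh` wrapping `backup_configs /backup /etc/ssh/sshd_config /etc/passwd /etc/shadow /etc/group /etc/sudoers /etc/hosts.allow /etc/hosts.deny`, and copy the archive off the machine over an encrypted channel, since a local backup disappears with the server.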

After applying these measures, your Linux server will be considerably more resistant to common attacks. Adapt the commands to your own environment and test them thoroughly before using them in production.