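# Keep the system patched
sudo apt update && sudo apt upgrade -y            # Debian/Ubuntu
sudo yum update -y                                # CentOS/RHEL (dnf on RHEL 8+ / Rocky / Alma)
# Stop AND disable services you do not need: `disable` alone leaves the running instance up
sudo systemctl disable --now <unnecessary_service>
# Firewall. Allow SSH BEFORE `ufw enable`, otherwise a remote session is locked out;
# a web server also needs http/https opened, which the original omitted.
sudo ufw allow OpenSSH                            # Ubuntu
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
sudo systemctl enable --now firewalld             # CentOS/RHEL: firewalld must be running for the rules below to apply
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
# Disable root SSH login. A plain `s/PermitRootLogin yes/.../` is a no-op on stock installs,
# where the directive is commented out (`#PermitRootLogin prohibit-password`), so match the
# directive whatever its current value or comment state. Also check drop-ins under
# /etc/ssh/sshd_config.d/ (included on recent Debian/Ubuntu) — they override the main file.
# Only do this after a non-root sudo user with a working SSH key exists.
sudo sed -i -E 's/^#?\s*PermitRootLogin\s+.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#?\s*PasswordAuthentication\s+.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart sshd       # validate before restarting; the unit is `ssh` on Debian/Ubuntu
# Dedicated unprivileged account for the web server (system account, no login shell)
sudo useradd -r -s /sbin/nologin webuser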
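# Hide the nginx version in the Server header and on error pages
server_tokens off;
# Security headers. `always` makes nginx emit them on 4xx/5xx responses too, not only
# on 2xx/3xx. Note that add_header inside a nested location REPLACES the entire
# inherited set, so repeat these wherever a location adds headers of its own.
add_header X-Frame-Options "SAMEORIGIN" always;
# The legacy XSS auditor has been removed from current browsers, and "1; mode=block"
# enabled side-channel leaks in the ones that still had it. "0" disables it explicitly;
# rely on Content-Security-Policy instead.
add_header X-XSS-Protection "0" always;
add_header X-Content-Type-Options "nosniff" always;
# default-src 'self' blocks inline scripts/styles and third-party assets. Roll it out
# with Content-Security-Policy-Report-Only on an existing site before enforcing.
add_header Content-Security-Policy "default-src 'self'" always;
# no-referrer-when-downgrade sends the full URL (path + query) to any HTTPS third party;
# strict-origin-when-cross-origin sends only the origin cross-site.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# HSTS: add only once every host under the domain serves HTTPS; start with a short max-age.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# TLS 1.2 and 1.3 only. ssl_ciphers governs the TLS 1.2 suites (1.3 suites are fixed);
# the original line ended in a "..." placeholder, not a usable suite list. This is a
# complete forward-secret, AEAD-only list.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';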
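# Requires mod_headers for the Header directives: `a2enmod headers` (Debian/Ubuntu)
# or the matching LoadModule line on RHEL-family builds.
# Hide version and OS details from error pages and the Server header
ServerSignature Off
ServerTokens Prod
# Security headers ("always" also covers error responses)
Header always set X-Frame-Options "SAMEORIGIN"
# The legacy XSS auditor is gone from current browsers, and "1; mode=block" enabled
# side-channel leaks in the ones that still had it; "0" disables it explicitly.
Header always set X-XSS-Protection "0"
Header always set X-Content-Type-Options "nosniff"
# Keep the policy set in step with the nginx configuration so both front ends behave alike.
# default-src 'self' blocks inline scripts/styles — test in Report-Only mode first.
Header always set Content-Security-Policy "default-src 'self'"
Header always set Referrer-Policy "strict-origin-when-cross-origin"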
# 安装依赖
sudo apt install libmodsecurity3 libmodsecurity-dev -y
# 编译Nginx连接器
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
nginx -V # 获取nginx版本
wget http://nginx.org/download/nginx-<version>.tar.gz
./configure --add-dynamic-module=../ModSecurity-nginx
make modules
wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz
tar -xvzf v3.3.0.tar.gz
sudo mv coreruleset-3.3.0 /etc/nginx/modsec/
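# 100 requests/minute per client, keyed on the client IP. If nginx sits behind a load
# balancer or CDN, $binary_remote_addr is the proxy's address and every client shares
# one bucket — configure set_real_ip_from / real_ip_header first.
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/m;
location /api/ {
    # burst=50 absorbs short spikes; nodelay serves them immediately instead of queueing
    limit_req zone=api_limit burst=50 nodelay;
    # 429 instead of the default 503, so clients and log-based tooling can tell
    # throttling apart from a backend outage
    limit_req_status 429;
    proxy_pass http://api_backend;
}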
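# JWT verification at the edge with lua-resty-jwt (OpenResty / ngx_http_lua_module)
location /protected/ {
    access_by_lua_block {
        local jwt = require("resty.jwt")
        local validators = require("resty.jwt-validators")

        -- Never keep the signing secret in nginx.conf: it ends up in config backups,
        -- repositories and `nginx -T` output. Read it from the environment (declare
        -- `env JWT_SECRET;` at the top level of nginx.conf) or from a root-only file.
        local secret = os.getenv("JWT_SECRET")
        if secret == nil or secret == "" then
            ngx.log(ngx.ERR, "JWT_SECRET is not set; refusing all requests")
            return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end

        -- Pin the accepted algorithm so a token cannot pick a different scheme than
        -- the key was issued for (algorithm-confusion attacks).
        jwt:set_alg_whitelist({ HS256 = 1 })

        local auth_header = ngx.var.http_authorization
        if auth_header == nil then
            ngx.header["WWW-Authenticate"] = 'Bearer realm="protected"'
            return ngx.exit(ngx.HTTP_UNAUTHORIZED)
        end

        -- Anchored: the scheme must come first and the token has no whitespace
        local jwt_token = string.match(auth_header, "^Bearer%s+(%S+)")
        if jwt_token == nil then
            ngx.header["WWW-Authenticate"] = 'Bearer error="invalid_request"'
            return ngx.exit(ngx.HTTP_UNAUTHORIZED)
        end

        -- A valid signature alone is not enough: require exp and honour nbf when
        -- present, with a small clock-skew allowance. (The original required
        -- `validators` but never used it, so no claim was checked explicitly.)
        validators.set_system_leeway(30)  -- seconds
        local claim_spec = {
            exp = validators.is_not_expired(),
            nbf = validators.opt_is_not_before(),
        }

        local jwt_obj = jwt:verify(secret, jwt_token, claim_spec)
        if not jwt_obj["verified"] then
            -- Log the reason server-side only; never echo it back to the client.
            ngx.log(ngx.WARN, "JWT rejected: ", jwt_obj["reason"])
            -- RFC 6750: an invalid/expired bearer token is 401, not 403
            ngx.header["WWW-Authenticate"] = 'Bearer error="invalid_token"'
            return ngx.exit(ngx.HTTP_UNAUTHORIZED)
        end
    }
}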
# Structured access log: one JSON object per request. escape=json makes nginx escape
# quotes and control characters inside variable values, so an attacker-controlled
# User-Agent or Referer cannot break the record or forge an extra one.
# http_x_forwarded_for is a client-supplied header: log it for correlation, but do
# not base trust or ban decisions on it.
log_format json_combined escape=json '{'
    '"time_local":"$time_local",'
    '"remote_addr":"$remote_addr",'
    '"request":"$request",'
    '"status":"$status",'
    '"body_bytes_sent":"$body_bytes_sent",'
    '"http_referer":"$http_referer",'
    '"http_user_agent":"$http_user_agent",'
    '"http_x_forwarded_for":"$http_x_forwarded_for",'
    '"request_time":"$request_time",'
    '"upstream_response_time":"$upstream_response_time"'
'}';
access_log /var/log/nginx/access.log json_combined;
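# Install
sudo apt install fail2ban -y
# The jail below references a filter named "nginx-api-abuse" that does not ship with
# fail2ban; without a filter.d file of that name the jail fails to start. Define it
# against the JSON access-log format used above (escape=json, remote_addr is the
# second field):
sudo nano /etc/fail2ban/filter.d/nginx-api-abuse.conf
[Definition]
# Count rejected or throttled /api/ calls. Adjust the path and status list to what
# "abuse" means for your API.
failregex = ^\{"time_local":"[^"]*","remote_addr":"<HOST>","request":"[A-Z]+ /api/[^"]*","status":"(?:401|403|429)"
ignoreregex =
# Check the filter against real log lines before enabling the jail
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-api-abuse.conf
# Custom jail
sudo nano /etc/fail2ban/jail.d/nginx-api.conf
[nginx-api-abuse]
enabled = true
port = http,https
filter = nginx-api-abuse
logpath = /var/log/nginx/access.log
# 100 matches in 5 minutes, then a 24 h ban. Lower maxretry if /api/ is not
# browser-facing and bursts from a single client are never legitimate.
maxretry = 100
findtime = 300
bantime = 86400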
# Host audit with Lynis (read-only; work through the warnings and suggestions it prints)
sudo apt install lynis -y
sudo lynis audit system
# Web scan with Nikto — run it only against hosts you own or are authorised to test
sudo apt install nikto -y
nikto -h https://yourserver.com
# Let's Encrypt certificates via certbot and its nginx plugin
sudo apt install certbot python3-certbot-nginx -y
# Issue the certificate and let certbot edit the server block; the package also
# installs a systemd timer (or cron job) that handles renewal
sudo certbot --nginx -d yourdomain.com
sudo certbot renew --dry-run   # confirm the renewal path works before relying on it
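# Backup script for the configuration trees changed above
sudo nano /usr/local/bin/backup_configs.sh
#!/bin/bash
# Copies the nginx, ssh and fail2ban configuration into a dated directory and prunes
# backups older than 7 days. /etc/ssh holds the host private keys and /etc/nginx may
# hold TLS private keys, so the backup tree must be readable by root only — the
# original created it with the default umask (world-readable).
set -euo pipefail
umask 077                                  # new files/dirs are owner-only
BACKUP_DIR="/backups/configs"
DATE="$(date +%Y%m%d)"
DEST="$BACKUP_DIR/$DATE"
mkdir -p "$DEST"
chmod 700 "$BACKUP_DIR"                    # also tighten a pre-existing top-level directory
cp -a /etc/nginx "$DEST/"                  # -a preserves ownership and modes of the copied files
cp -a /etc/ssh "$DEST/"
cp -a /etc/fail2ban "$DEST/"
# Keep the last 7 days. -mindepth/-maxdepth 1 restrict deletion to the dated
# sub-directories: the original could match $BACKUP_DIR itself if no backup had
# run for a week, and `-exec rm -rf {} \;` makes find try to descend into
# directories it has just removed. `+` batches the removals into one rm call.
find "$BACKUP_DIR" -mindepth 1 -maxdepth 1 -type d -mtime +7 -exec rm -rf {} +
# Make the script root-only and executable, then run it daily at 03:00 from root's crontab
sudo chmod 700 /usr/local/bin/backup_configs.sh
sudo crontab -e
0 3 * * * /usr/local/bin/backup_configs.sh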
通过实施以上措施,您的Linux服务器上Web接口的攻击面将明显缩小;但没有任何一组配置能提供"全面"的防护。请定期审查和更新这些配置(系统补丁、WAF规则集、TLS密码套件、密钥与证书轮换),以应对新出现的安全威胁,并在每次变更后重新运行审计和扫描,确认防护措施仍然生效。