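# Keep the base system patched. "apt upgrade -y" may restart services, so run it
# in a maintenance window. On RHEL/CentOS 8+ "dnf" replaces "yum".
sudo apt update && sudo apt upgrade -y   # Debian/Ubuntu
sudo yum update -y                       # CentOS/RHEL 7 (on 8+: sudo dnf update -y)
# Automatic security updates (Debian/Ubuntu). dpkg-reconfigure asks whether to
# enable them; the policy lives in /etc/apt/apt.conf.d/50unattended-upgrades.
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
# RHEL-family equivalent: dnf-automatic. Its defaults only *download* updates —
# set "apply_updates = yes" (and "upgrade_type = security" to mirror
# unattended-upgrades) in /etc/dnf/automatic.conf before enabling the timer.
sudo dnf install -y dnf-automatic && sudo systemctl enable --now dnf-automatic.timer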
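# UFW (Ubuntu). Order matters: add the SSH rule *before* "ufw enable". Enabling
# the firewall first (UFW's default policy is already deny-incoming) drops the
# remote SSH session you are administering from — ufw even warns about this.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp     # SSH — narrow to "from <admin-cidr> to any port 22 proto tcp" where possible
sudo ufw allow 80/tcp     # HTTP (HTTPS redirect / ACME HTTP-01 challenges only)
sudo ufw allow 443/tcp    # HTTPS
sudo ufw enable
# Confirm the rule set before closing the session.
sudo ufw status verbose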
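# firewalld (CentOS/RHEL). "enable --now" starts the service and enables it at boot.
sudo systemctl enable --now firewalld
# The default "public" zone already allows ssh; listing it explicitly keeps the
# intent visible and keeps this section in step with the UFW rules above.
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
# --permanent rules only take effect after a reload.
sudo firewall-cmd --reload
sudo firewall-cmd --list-all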
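# limit_req_zone is only valid in the http{} context. Placing it inside server{}
# (as the original did) makes "nginx -t" fail with "directive is not allowed
# here". It is keyed on the client IP; if this nginx sits behind another proxy
# or load balancer, key on the real client address instead or every client
# shares one bucket.
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/s;

server {
    listen 443 ssl;
    server_name api.example.com;

    # TLS. Only 1.2/1.3. The cipher string below is truncated with "..." in the
    # original — replace it with a complete, current list (e.g. Mozilla's
    # "intermediate" profile) before use.
    ssl_certificate /etc/ssl/certs/api.example.com.crt;
    ssl_certificate_key /etc/ssl/private/api.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers. "always" also sends them on 4xx/5xx responses, which
    # plain add_header does not. NOTE: add_header is not inherited into any
    # location{} that declares its own add_header — repeat them there if so.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # X-XSS-Protection is deprecated and ignored by current browsers; the CSP
    # below is the effective control. Kept only for legacy clients.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    # "preload" submits the domain to browser preload lists and is very hard to
    # undo; only keep it once *every* subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location /api/ {
        limit_req zone=api_limit burst=200 nodelay;
        # Tell clients they were throttled rather than returning the default 503.
        limit_req_status 429;
        proxy_pass http://localhost:8000;
        # Give the backend the original Host, scheme and client address so its
        # own logging/auth decisions are not based on 127.0.0.1.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Request headers such as Authorization are forwarded to the upstream by
        # default; this line just makes that explicit. (proxy_pass_header, used
        # in the original, only affects *response* headers and was a no-op here.)
        proxy_set_header Authorization $http_authorization;
    }
}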
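<VirtualHost *:443>
    ServerName api.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/api.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/api.example.com.key
    # Match the nginx example: TLS 1.2/1.3 only. mod_ssl's default allows
    # older protocols. (TLSv1.3 requires OpenSSL 1.1.1+.)
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on

    # Security headers ("always" so they are also set on error responses).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Deprecated header, ignored by current browsers; CSP below is the real control.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Content-Security-Policy "default-src 'self'"
    # Keep "preload" only once every subdomain is HTTPS-only; it is hard to undo.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    <Location "/api/">
        # The original derived a client_ip variable from X-Forwarded-For and
        # never used it. Do not trust that header here: it is client-supplied
        # unless a proxy you control sets it. If Apache sits behind a known
        # proxy, use mod_remoteip (RemoteIPHeader / RemoteIPTrustedProxy).

        # Method allow-list. "Require all denied" is Apache 2.4 syntax; the
        # original "Deny from all" is 2.2 syntax that needs mod_access_compat.
        # OPTIONS is blocked too, which breaks CORS preflight — add it to the
        # list if browsers call this API cross-origin.
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>

        # mod_ratelimit throttles *bandwidth* (KiB/s per connection), not
        # request rate, and there is no "mod_ratelimit_rate" directive. This is
        # the real syntax; for per-client request throttling like the nginx
        # limit_req example, a dedicated module is needed.
        SetOutputFilter RATE_LIMIT
        SetEnv rate-limit 100
    </Location>
</VirtualHost>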
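# Generate a 256-bit JWT signing secret.
# Two problems with a bare "openssl rand ... > /etc/ssl/private/x":
#  - the redirection is performed by the *calling* shell, so it only works when
#    that shell is already root (sudo on the command alone would not help);
#  - the file is created with the caller's umask and is briefly readable by
#    others until chmod runs. Setting umask 077 in the same shell closes that
#    window, so the file is private from the moment it exists.
sudo sh -c 'umask 077 && openssl rand -base64 32 > /etc/ssl/private/jwt_secret.key'
# Owner should be the account that runs the API; root-only is the safe default.
sudo chmod 600 /etc/ssl/private/jwt_secret.key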
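# Obtain a Let's Encrypt certificate with Certbot. "--nginx" edits the server
# block in place and points ssl_certificate/_key at /etc/letsencrypt/live/...;
# the self-managed paths shown in the nginx example are replaced by it.
# Port 80 must be reachable for the HTTP-01 challenge (see the firewall rules).
sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d api.example.com
# The Debian package installs a renewal timer; verify it is active and that a
# renewal would succeed, otherwise the cert silently expires after 90 days.
sudo systemctl list-timers certbot.timer
sudo certbot renew --dry-run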
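# Edit pg_hba.conf (the path contains the major version; 12 is shown).
sudo nano /etc/postgresql/12/main/pg_hba.conf
# Allow only loopback TCP connections. pg_hba.conf is first-match, so these
# lines must come *before* any broader rule such as "host all all 0.0.0.0/0".
# scram-sha-256 (PostgreSQL 10+) replaces md5, whose stored hash is an
# unsalted-style MD5 that is vulnerable to pass-the-hash. To switch: set
# "password_encryption = scram-sha-256" in postgresql.conf, re-set every role's
# password so the stored verifier is SCRAM, then reload — roles that still have
# md5 verifiers will be rejected by these rules.
# Also set "listen_addresses = 'localhost'" in postgresql.conf so the server
# never binds a public interface in the first place.
# TYPE  DATABASE  USER  ADDRESS       METHOD
host    all       all   127.0.0.1/32  scram-sha-256
host    all       all   ::1/128       scram-sha-256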
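# Interactive MySQL/MariaDB hardening: sets the root password, removes the
# anonymous accounts and test database, and disables remote root login.
# It does NOT change which interface mysqld listens on; to match the
# PostgreSQL loopback-only rule above, set "bind-address = 127.0.0.1" under
# [mysqld] in the server config and restart the service.
sudo mysql_secure_installation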
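# Install Fail2Ban. Put local overrides in jail.d/ (as below) or jail.local —
# never edit jail.conf, which package upgrades overwrite.
sudo apt install -y fail2ban
# Create a drop-in with the jails for this host.
sudo nano /etc/fail2ban/jail.d/api.conf
# Apply and confirm the jails are running (run after saving the file).
sudo fail2ban-client reload
sudo fail2ban-client status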
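# The nginx-http-auth filter matches HTTP *Basic*-auth failures in nginx's
# error.log. An API that authenticates with bearer tokens/JWTs never produces
# those lines, so this jail will not fire for it — log auth failures from the
# backend (with the client IP) and write a filter for that log instead.
# If nginx is behind another proxy, the banned address will be the proxy's;
# bans must then be keyed on the forwarded client address.
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
findtime = 600
bantime = 3600

# SSH is exposed by the firewall rules above, so protect it as well.
[sshd]
enabled = true
port = ssh
maxretry = 3
findtime = 600
bantime = 3600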
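# Edit the logrotate policy. The Debian/Ubuntu nginx package already ships
# /etc/logrotate.d/nginx; this replaces its contents.
sudo nano /etc/logrotate.d/nginx
/var/log/nginx/*.log {
    daily
    missingok
    # 14 days of history. Retention is a policy choice: incident investigation
    # often needs more than two weeks, so ship logs off-host as well.
    rotate 14
    compress
    # Compress on the *next* rotation so the just-rotated file stays readable
    # while nginx may still have it open.
    delaycompress
    notifempty
    # New files are readable by nginx's user and the adm group only.
    create 0640 www-data adm
    sharedscripts
    postrotate
        # Ask nginx to reopen its log files. "-s reopen" is the dedicated signal
        # (USR1); the original "-s reload" also works but re-reads the whole
        # config and respawns workers just to rotate logs. Skip if nginx is not
        # running so logrotate does not report a spurious failure.
        if [ -f /run/nginx.pid ]; then
            /usr/sbin/nginx -s reopen
        fi
    endscript
}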
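# Node 16 reached end-of-life in September 2023 and receives no security fixes;
# track a supported LTS line. Pin by digest (node:20-alpine@sha256:...) for
# reproducible, tamper-evident builds.
FROM node:20-alpine
# Unprivileged system user/group for the application process.
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
WORKDIR /app
ENV NODE_ENV=production
# Install exactly the locked dependency tree, without devDependencies.
# --omit=dev is the npm 8+ spelling; --only=production is the deprecated alias.
COPY package*.json ./
RUN npm ci --omit=dev
# Copy the source last so the dependency layer stays cached. Files stay
# root-owned and therefore read-only for appuser, which is intended. Add a
# .dockerignore (.git, .env, node_modules, *.key) so host secrets and build
# artifacts are not baked into the image.
COPY . .
# Drop privileges for the runtime process.
USER appuser
EXPOSE 3000
CMD ["node", "server.js"]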
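# Run with resource and privilege limits.
# Bind the published port to loopback. Docker programs its own iptables chain,
# so "-p 3000:3000" exposes the container on every interface and *bypasses*
# the ufw/firewalld rules above — clients could reach the app directly and skip
# the TLS-terminating, rate-limited reverse proxy. 127.0.0.1:3000 keeps it
# reachable only from the proxy on this host.
docker run -d --name api \
  --memory=512m \
  --cpus=1 \
  --pids-limit=256 \
  --security-opt=no-new-privileges \
  --cap-drop=ALL \
  -p 127.0.0.1:3000:3000 \
  api-image
# Consider also "--read-only --tmpfs /tmp" if the app does not write to its
# own filesystem at runtime.

# Scan the image for known CVEs. "docker scan" (Snyk-backed) was retired in 2023
# and is absent from current Docker releases; Docker Scout replaces it, and
# trivy is a common standalone alternative.
docker scout cves api-image
# trivy image api-image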
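# ZAP baseline scan: passive, unauthenticated crawl of the target. Only scan
# hosts you are authorized to test. The Docker Hub image owasp/zap2docker-stable
# is no longer updated; the project now publishes ghcr.io/zaproxy/zaproxy
# (also zaproxy/zap-stable on Docker Hub).
# $(pwd) is quoted so a working directory containing spaces still mounts.
docker run --rm -v "$(pwd):/zap/wrk/:rw" \
  -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://api.example.com \
  -g gen.conf -r testreport.html
# Nikto: -Tuning x56789 = everything except test classes 5-9 (file retrieval,
# DoS, command execution, SQL injection). The scan is noisy and will show up
# in the nginx logs and may trip the fail2ban jails configured above.
nikto -h https://api.example.com -ssl -Tuning x56789 -o nikto_scan.txt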
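# Quick triage checks for signs of compromise. Caveat: on a host that really is
# compromised, ps/ss/find may themselves be trojaned or blinded by a rootkit —
# corroborate with tools from a known-good medium before trusting the output.

# Shells, interpreters and download tools that should not normally be running.
# pgrep matches the full command line and, unlike "ps | grep", never lists
# itself; the anchored pattern also avoids the original's substring hits on
# e.g. "sshd" or "dash".
pgrep -af -- '(^|/)(sh|bash|perl|python[0-9.]*|php|wget|curl)( |$)'

# Listening sockets with owning process. ss replaces the deprecated netstat;
# root is needed for -p to show processes owned by other users.
sudo ss -tulnp

# Files modified in the last 24 hours. -xdev stays on the root filesystem and
# so skips /proc, /sys and mounted volumes, which otherwise flood the output.
sudo find / -xdev -type f -mtime -1 -print 2>/dev/null

# SUID/SGID binaries. Diff this against a baseline taken at install time — a
# new entry is a strong privilege-escalation indicator. "+" batches paths into
# one ls invocation instead of one per file.
sudo find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + 2>/dev/null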
通过实施这些安全措施,您可以显著提高Linux服务器上Web接口的安全性。定期审计和更新您的安全配置,以应对新出现的威胁。