Create a least-privilege user:
sudo adduser username
sudo usermod -aG sudo username # only for users who actually need administrative rights
Disable remote root login:
sudo sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config # also matches the commented-out default line, not just "PermitRootLogin yes"
sudo systemctl restart sshd # confirm a non-root login works before restarting
Change the default SSH port:
sudo sed -i 's/^#Port 22/Port 2222/' /etc/ssh/sshd_config
sudo systemctl restart sshd
Enable key-based authentication:
ssh-keygen -t rsa -b 4096
ssh-copy-id -p 2222 username@server_ip # options go before the host
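As an added example (not part of the original guide), this script audits an sshd_config file for the settings the SSH steps above change, applying sshd's rule that the first value of a keyword wins; the sample config files are constructed here, and `SAMPLE_DIR`, `effective_value` and `check_sshd_hardening` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config file for the
# settings changed above. sshd uses the FIRST value it sees for a keyword, so a
# "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" has no
# effect. Assumes the "Keyword value" form; Include directives are not followed.

# effective_value FILE KEYWORD: print the first active global value (empty if unset).
effective_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
    tolower($1) == "match" { exit }                 # global section ends at the first Match block
    tolower($1) == key     { print $2; exit }       # first occurrence wins, as in sshd
  ' "$1"
}

# check_sshd_hardening FILE: print PASS/FAIL per expectation; return the failure count.
check_sshd_hardening() {
  local f="$1" fails=0 kw want got
  while read -r kw want; do
    got="$(effective_value "$f" "$kw")"
    if [ "$got" = "$want" ]; then
      printf 'PASS %-22s = %s\n' "$kw" "$got"
    else
      printf 'FAIL %-22s = %s (want %s)\n' "$kw" "${got:-<unset>}" "$want"
      fails=$((fails + 1))
    fi
  done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
Port 2222
EOF
  return "$fails"
}

# Constructed sample configs (not from any real host), in a temp dir so this runs offline.
make_sample_configs() {
  SAMPLE_DIR="$(mktemp -d)"
  printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n' > "$SAMPLE_DIR/good.conf"
  # Provisioning wrote "yes" first, "Port 22" stayed commented out, and the only
  # PasswordAuthentication line is inside a Match block, so the global default stands.
  printf '%s\n' '# managed by provisioning' 'PermitRootLogin yes' '#Port 22' \
    'permitrootlogin no' 'Match User deploy' '    PasswordAuthentication yes' \
    > "$SAMPLE_DIR/bad.conf"
}

make_sample_configs
check_sshd_hardening "$SAMPLE_DIR/good.conf"
check_sshd_hardening "$SAMPLE_DIR/bad.conf" || printf '%s failing checks in bad.conf\n' "$?"
```

On a live host, `sudo sshd -T` prints the effective configuration including drop-in files pulled in by Include directives, which this parser does not follow.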
Install the password-quality module (pam_cracklib):
sudo apt install libpam-cracklib # Debian/Ubuntu
sudo yum install pam_cracklib # RHEL/CentOS
Password policy configuration (/etc/pam.d/common-password):
password requisite pam_cracklib.so retry=3 minlen=12 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
Google Authenticator (TOTP second factor):
sudo apt install libpam-google-authenticator
google-authenticator
Edit /etc/pam.d/sshd (sshd only consults this module when keyboard-interactive/challenge-response authentication is enabled in sshd_config):
auth required pam_google_authenticator.so
Fine-grained sudo rules (/etc/sudoers, edited with visudo):
username ALL=(ALL) /usr/bin/apt update, /usr/bin/apt upgrade
%developers ALL=(ALL) NOPASSWD: /usr/bin/git
File ACLs:
sudo setfacl -m u:username:rwx /path/to/directory
sudo setfacl -m g:groupname:rx /path/to/directory
SELinux basics:
sudo setenforce 1 # switch to enforcing mode at runtime; set SELINUX=enforcing in /etc/selinux/config to persist it
sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" # records the labeling rule; existing files are relabeled by restorecon
AppArmor configuration:
sudo aa-genprof /path/to/program # interactively generates a profile while the program is exercised
sudo systemctl restart apparmor
Fail2ban:
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # local overrides go in jail.local, never in jail.conf
Example configuration (/etc/fail2ban/jail.local):
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
Audit logging (auditd):
sudo auditctl -a always,exit -F arch=b64 -S execve -k exec_changes # the key must match the -k used by ausearch; put the rule in /etc/audit/rules.d/ to persist it
sudo ausearch -ts today -k exec_changes
Automatic security updates:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
Log monitoring:
sudo apt install logwatch
echo "/usr/sbin/logwatch --output mail --mailto admin@example.com --detail high" | sudo tee /etc/cron.daily/00logwatch # the file must be executable for cron to run it
By implementing these authentication and authorization measures, your Linux server gains several layers of protection:
1. Hardened authentication mechanisms
2. Fine-grained access control
3. Comprehensive activity monitoring
4. Automated security maintenance
Regularly auditing and updating these configurations is the key to keeping the server secure over the long term.