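# Keep system packages current (run regularly; kernel upgrades only take
# effect after a reboot, so plan a maintenance window for those).
sudo apt update && sudo apt upgrade -y # Debian/Ubuntu
sudo yum update -y # CentOS/RHEL
# Enable automatic security updates
sudo apt install unattended-upgrades # Debian/Ubuntu
sudo dpkg-reconfigure unattended-upgrades
# List installed services and review what is enabled
sudo systemctl list-unit-files --type=service
# Remove services you do not need (smaller attack surface, fewer patches to track)
sudo apt purge <unnecessary-package> # Debian/Ubuntu
sudo yum remove <unnecessary-package> # CentOS/RHEL
# Host firewall with UFW (Ubuntu).
# Order matters on a remote host: set the default policy and allow SSH
# *before* enabling the firewall, otherwise the next SSH connection is refused.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp # SSH - if sshd_config uses another Port (e.g. 2222), allow that port here instead
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
sudo ufw status verbose
# Host firewall with firewalld (CentOS/RHEL)
sudo systemctl enable --now firewalld
# Allow SSH explicitly (and any custom SSH port with --add-port=PORT/tcp)
# so a changed default zone cannot lock you out.
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload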
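# Edit the SSH daemon configuration.
# Take a backup first so a mistake can be rolled back from the console, and
# keep the current SSH session open until the new configuration is verified.
sudo cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo nano /etc/ssh/sshd_config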
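# Recommended settings.
# Comments are on their own lines: older OpenSSH releases reject trailing
# comments ("garbage at end of line") and sshd then refuses to start.
# Non-default port. The firewall (ufw/firewalld) and, on CentOS/RHEL with
# SELinux, the port label (semanage port -a -t ssh_port_t -p tcp 2222) must
# allow it before sshd is restarted, or remote access is lost.
Port 2222
# No direct root login; use a normal account plus sudo
PermitRootLogin no
# Key-based login only
PubkeyAuthentication yes
PasswordAuthentication no
# Without this, PAM keyboard-interactive can still prompt for a password.
# On OpenSSH older than 8.7 the directive is ChallengeResponseAuthentication no.
KbdInteractiveAuthentication no
# Maximum authentication attempts per connection
MaxAuthTries 3
# Drop idle sessions: probe every 300 s, disconnect after 2 unanswered probes
ClientAliveInterval 300
ClientAliveCountMax 2
# Only listed accounts may log in (placeholder: replace your_username)
AllowUsers your_username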
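# Validate the configuration before restarting: a syntax error would otherwise
# leave sshd down with no remote access. On Debian/Ubuntu the unit may be
# named "ssh" instead of "sshd".
sudo sshd -t && sudo systemctl restart sshd
# Open a new login from a second terminal before closing the current session.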
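server {
    listen 80;
    server_name example.com;
    # Redirect all plain HTTP to HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com;
    # TLS configuration
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Placeholder cipher list: the trailing "..." is not a valid cipher name.
    # Replace the whole string with a complete, current suite before use.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Security headers.
    # add_header set here is inherited by a location only if that location
    # defines no add_header of its own; keep that in mind when adding headers
    # inside the location blocks below.
    add_header X-Frame-Options "SAMEORIGIN";
    # Legacy header: modern browsers ignore it; a Content-Security-Policy is
    # the effective replacement.
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    # HSTS: includeSubdomains and preload are hard to undo; only add them once
    # every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    # Other hardening
    server_tokens off;
    client_max_body_size 10m;
    location / {
        # Only allow the methods the application actually uses
        limit_except GET POST { deny all; }
        # Reverse proxy to the application server
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the backend the original scheme; without it the application
        # sees plain http and may emit http:// redirects or non-Secure cookies.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Deny dotfiles (.git, .env, .htpasswd, ...) except ACME's .well-known
    location ~ /\.(?!well-known) {
        deny all;
    }
    # Deny direct access to logs, database dumps and configuration files
    location ~* \.(log|sql|conf|ini)$ {
        deny all;
    }
}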
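<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    # Restrict protocol versions; without this mod_ssl's default on older
    # distributions may still accept TLS 1.0/1.1.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Security headers (requires mod_headers)
    Header always set X-Frame-Options "SAMEORIGIN"
    # Legacy header: modern browsers ignore it; a Content-Security-Policy is
    # the effective replacement.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    # HSTS: includeSubdomains/preload are hard to undo; only add them once
    # every subdomain is served over HTTPS.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    # Hide version information.
    # ServerTokens is only valid in the main server configuration (httpd.conf /
    # apache2.conf or a conf.d snippet), not inside <VirtualHost>; set
    # "ServerTokens Prod" there, or configtest fails with "not allowed here".
    ServerSignature Off
    <Directory /var/www/html>
        Options -Indexes
        AllowOverride None
        Require all granted
        # Restrict HTTP methods. Apache 2.4 syntax: "Deny from all" is the
        # 2.2 form, needs mod_access_compat, and mixing it with Require is
        # ambiguous, so use Require here as the rest of the vhost does.
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>
    </Directory>
    # Block access to logs, database dumps and configuration files
    <FilesMatch "\.(log|sql|conf|ini)$">
        Require all denied
    </FilesMatch>
</VirtualHost>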
# Python示例 - 输入验证
from flask import request, abort
import re
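@app.route('/api/user', methods=['POST'])
def create_user():
    """Create a user from a JSON body; reject a malformed username with 400.

    Only the validation step is shown; the creation logic is elided.
    """
    # A missing/non-JSON body or a non-object body must not reach the regex:
    # re.match on None raises TypeError, which surfaces as a 500.
    payload = request.get_json(silent=True)
    if not isinstance(payload, dict):
        abort(400, description="Invalid username format")
    username = payload.get('username')
    # fullmatch rather than match + "$": "$" also matches before a trailing
    # newline, so "alice\n" would have passed the original check.
    if not isinstance(username, str) or not re.fullmatch(r'[a-zA-Z0-9_-]{3,20}', username):
        abort(400, description="Invalid username format")
    # handling logic...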
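# Nginx rate limiting
http {
    # One bucket per client address, 100 requests/minute on average.
    # $binary_remote_addr is the TCP peer: behind a load balancer configure
    # the realip module first, or every client shares the balancer's bucket.
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/m;
    server {
        location /api/ {
            # Allow bursts of 20 requests above the rate without queueing delay
            limit_req zone=api_limit burst=20 nodelay;
            # Report throttling as 429 Too Many Requests instead of the default 503
            limit_req_status 429;
            # other configuration...
        }
    }
}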
# Configure log rotation for nginx (logrotate drop-in; the distro package
# usually ships one already, so check before overwriting it)
sudo nano /etc/logrotate.d/nginx
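# Example configuration
/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    # New files are not world-readable: access logs contain client IPs and URLs.
    # www-data/adm matches the Debian/Ubuntu nginx package; on CentOS/RHEL the
    # worker user is typically "nginx" - adjust to match the running user.
    create 0640 www-data adm
    sharedscripts
    postrotate
        # "reopen" only makes the workers reopen their log files. "reload"
        # also re-reads the configuration and respawns workers, which is more
        # than rotation needs.
        /usr/sbin/nginx -s reopen
    endscript
}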
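# Install and configure AIDE (Advanced Intrusion Detection Environment)
sudo apt install aide # Debian/Ubuntu
sudo yum install aide # CentOS/RHEL
# Initialize the baseline database.
# Do this on a known-clean system (ideally right after installation): every
# file recorded in the baseline is trusted from then on.
sudo aideinit # Debian/Ubuntu wrapper: runs aide --init and installs the new database
sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz # CentOS/RHEL (default paths; check /etc/aide.conf)
# After legitimate changes (package upgrades) refresh the baseline with
# "aide --update" and install the new database the same way, otherwise every
# later check reports the upgrade as a change.
# Schedule a periodic check in root's crontab
sudo crontab -e
# Add the following line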
# Daily at 03:00. The report is delivered by cron mail (set MAILTO= in the
# crontab to route it); feed it into alerting, since a report nobody reads
# is not a control.
0 3 * * * /usr/bin/aide --check
# Vulnerability scanning with OpenVAS (Greenbone) or Nessus.
# Package and setup-command names vary by distribution and release (newer
# packaging uses the "gvm" name) - verify them for your distro before running.
sudo apt install openvas # Debian/Ubuntu
sudo openvas-setup
通过实施以上安全实践,您可以显著提高Linux服务器上Web接口的可靠性和安全性。记住,安全是一个持续的过程,需要定期审查和更新安全措施以应对新的威胁。