
Securing a Linux Server Environment: Configuration and Protection from the Command Line

Tags: sudo, install, systemctl, Ubuntu    Published: 2025-04-11

Guide to Configuring a Secure Linux Server Environment

Basic Security Configuration

1. System Updates and Patch Management

# Refresh the package lists and install all pending updates
sudo apt update && sudo apt upgrade -y  # Debian/Ubuntu
sudo yum update -y                      # CentOS/RHEL 7; use dnf on RHEL 8+ and its derivatives

# Enable automatic security updates
sudo apt install unattended-upgrades    # Debian/Ubuntu
sudo dpkg-reconfigure unattended-upgrades   # answer "Yes" to turn on the daily run
# RHEL 8+ equivalent: the dnf-automatic package with its dnf-automatic.timer unit

2. User Account Security

# Create a new administrator account and grant it sudo rights
sudo adduser newadmin
sudo usermod -aG sudo newadmin  # Debian/Ubuntu
sudo usermod -aG wheel newadmin # CentOS/RHEL

# Disable remote root login. The stock sshd_config ships this directive commented
# out ("#PermitRootLogin prohibit-password"), so the pattern must accept an optional
# leading "#"; matching only "^PermitRootLogin" is a silent no-op on a fresh install.
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart sshd   # syntax-check first; the unit is named "ssh" on Ubuntu
# Do this only after confirming, from a second session, that newadmin can log in and run sudo.

# Install the password quality module
sudo apt install libpam-pwquality  # Debian/Ubuntu (pam-auth-update enables it automatically)
sudo yum install libpwquality      # CentOS/RHEL (this is the package that provides pam_pwquality.so)

# Edit the password policy
sudo nano /etc/security/pwquality.conf
# Add or adjust the following:
# minlen = 12       # minimum length
# minclass = 3      # at least three of: lowercase, uppercase, digits, other
# maxrepeat = 3     # no more than three identical consecutive characters
# usercheck = 1     # reject passwords that contain the user name (there is no "reject_username" option in pwquality.conf)

SSH Hardening

# Move SSH off the default port. This only reduces scanner noise; it is not a
# substitute for key-only authentication.
sudo sed -i 's/^#\?Port 22/Port 2222/' /etc/ssh/sshd_config
# On CentOS/RHEL with SELinux enforcing, label the new port or sshd will fail to bind:
sudo semanage port -a -t ssh_port_t -p tcp 2222   # semanage is in policycoreutils-python-utils on RHEL 8+

# Disable password authentication and allow key login only. Put your public key in
# ~/.ssh/authorized_keys of the admin account and test a key login BEFORE this step.
sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config

# Restrict SSH by source network. TCP wrappers (hosts.allow/hosts.deny) were removed
# from upstream OpenSSH in 6.7 and are not linked in on RHEL 8+ or current
# Debian/Ubuntu builds, so these two entries may be silently ignored there.
echo "sshd: 192.168.1.0/24" | sudo tee -a /etc/hosts.allow
echo "sshd: ALL" | sudo tee -a /etc/hosts.deny
# Prefer a firewall rule (next section) or a restriction that sshd itself enforces, in sshd_config:
# AllowUsers newadmin@192.168.1.0/24

# Enable two-factor authentication (TOTP)
sudo apt install libpam-google-authenticator  # Debian/Ubuntu
sudo yum install google-authenticator        # CentOS/RHEL (EPEL)
# Run "google-authenticator" as each user to create ~/.google_authenticator, then
# add to /etc/pam.d/sshd:
#   auth required pam_google_authenticator.so
# and comment out the line that pulls in the Unix password stack ("@include common-auth"
# on Debian/Ubuntu, "auth substack password-auth" on RHEL), otherwise the
# keyboard-interactive step asks for the password as well as the code.
# In sshd_config:
#   KbdInteractiveAuthentication yes       # ChallengeResponseAuthentication yes on OpenSSH < 8.7
#   AuthenticationMethods publickey,keyboard-interactive
# With PasswordAuthentication no, a login then needs the key AND the TOTP code.

# Validate and restart SSH; keep the current session open until a new login succeeds
sudo sshd -t && sudo systemctl restart sshd   # "ssh" on Ubuntu
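The sed one-liners in the two sections above are fragile: they can miss the commented-out defaults that a stock sshd_config ships, they would also rewrite a directive that lives inside a Match block, and nothing checks that a key is in place before password login is switched off. The script below is an added example, not part of the original article, that performs the same edits idempotently and with those checks. It assumes GNU awk, sed and coreutils, the article's admin user newadmin and port 2222, and that the new port is already open in the firewall.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): idempotent sshd_config editing
# with the safety checks the sed one-liners lack. Assumes GNU coreutils/awk;
# "newadmin" and port 2222 are the article's example values.
set -eu

# Print the value of KEY from CFG as sshd resolves it at the global level: the
# first uncommented occurrence before any "Match" block. Prints nothing if unset.
# Assumes the "Key value" form (sshd also accepts "Key=value").
get_sshd_option() {
    local cfg="$1" key
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v k="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == k            { print $2; exit }
    ' "$cfg"
}

# Set KEY to VALUE in CFG. Every global occurrence, active or commented out, is
# removed (so "#PermitRootLogin prohibit-password" cannot survive), lines inside
# Match blocks are left untouched, and one "KEY VALUE" line is placed at the top,
# because sshd honours the first value it reads. The file is rewritten in place
# (cat > file) so its owner and mode are preserved.
set_sshd_option() {
    local cfg="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    {
        printf '%s %s\n' "$key" "$value"
        awk -v k="$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')" '
            in_match { print; next }
            !/^[[:space:]]*#/ && tolower($1) == "match" { in_match = 1; print; next }
            {
                line = $0
                sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
                split(line, f, /[[:space:]=]+/)
                if (tolower(f[1]) == k) next
                print
            }
        ' "$cfg"
    } > "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# The settings this article recommends, applied to CFG (default: the live file).
harden_sshd_config() {
    local cfg="${1:-/etc/ssh/sshd_config}" port="${2:-2222}"
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" MaxAuthTries 3
    set_sshd_option "$cfg" X11Forwarding no
}

# True if FILE (an authorized_keys file) holds at least one usable public key.
# Every OpenSSH key blob is length-prefixed, so its base64 always begins "AAAA".
authorized_keys_present() {
    grep -Eq '(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-[^[:space:]]+)[[:space:]]+AAAA' "$1" 2>/dev/null
}

# Root entry point: refuse to disable passwords without a key, back up the file,
# edit, syntax-check, and only then restart ("ssh" on Ubuntu, "sshd" elsewhere).
apply_sshd_hardening() {
    local user="$1" port="${2:-2222}" cfg=/etc/ssh/sshd_config home
    home=$(getent passwd "$user" | cut -d: -f6)
    if ! authorized_keys_present "$home/.ssh/authorized_keys"; then
        echo "no public key in $home/.ssh/authorized_keys; not disabling password login" >&2
        return 1
    fi
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd_config "$cfg" "$port"
    sshd -t -f "$cfg"        # a broken config restarted blindly locks everyone out
    systemctl restart ssh 2>/dev/null || systemctl restart sshd
}

# Usage: sudo ./harden-sshd.sh --apply newadmin 2222
if [ "${1:-}" = "--apply" ]; then
    apply_sshd_hardening "${2:-newadmin}" "${3:-2222}"
fi
```

Run harden_sshd_config against a copy first (for example a copy in /tmp) and diff it against the original; only the --apply path touches /etc/ssh and restarts the service. The function removes the commented default lines for the keys it sets; those defaults are documented in sshd_config(5).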

Firewall Configuration

Open the new SSH port before restarting sshd on it; doing it the other way round locks you out.

UFW (Ubuntu/Debian)

sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp  # SSH port
sudo ufw enable

Firewalld (CentOS/RHEL)

sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --permanent --remove-service=ssh   # close port 22 once the new port is confirmed working
sudo firewall-cmd --reload

Intrusion Detection and Prevention

Installing and Configuring Fail2Ban

sudo apt install fail2ban  # Debian/Ubuntu
sudo yum install fail2ban  # CentOS/RHEL (EPEL)

# Create a local override file. Keep it minimal rather than copying all of
# jail.conf: jail.conf is replaced on package upgrades, and jail.local only
# needs the settings you change.
sudo nano /etc/fail2ban/jail.local
# Contents:
# [DEFAULT]
# ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24   # never ban your own management network
# bantime  = 1h
# findtime = 10m
# maxretry = 3
#
# [sshd]
# enabled = true
# port    = 2222        # must match the Port in sshd_config
# backend = systemd     # read the journal; required where /var/log/auth.log does not exist (journald-only hosts such as Debian 12 without rsyslog)

sudo systemctl enable --now fail2ban
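Before trusting maxretry = 3 and bantime = 1h it helps to see what the jail will actually count. The script below is an added example, not from the original article: it runs the same "failed logins per source" tally over a few constructed auth.log lines using nothing but awk, so the logic can be checked against your own logs. The host name web1, the process ids and the addresses are invented; the message formats follow what OpenSSH writes through syslog.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): count failed SSH logins per
# source address from auth.log-style lines. Sample lines below are constructed.
set -eu

# Constructed sample of /var/log/auth.log (or "journalctl -u ssh") content.
SAMPLE_AUTH_LOG='Apr 11 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 11 10:00:03 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 11 10:00:05 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Apr 11 10:00:06 web1 sshd[1203]: Invalid user admin from 203.0.113.7 port 51030
Apr 11 10:00:09 web1 sshd[1205]: Failed password for newadmin from 198.51.100.23 port 40112 ssh2
Apr 11 10:00:12 web1 sshd[1207]: Accepted publickey for newadmin from 192.168.1.10 port 55000 ssh2: ED25519 SHA256:abc
Apr 11 10:00:20 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 51044 ssh2
Apr 11 10:00:25 web1 sshd[1211]: Failed password for invalid user oracle from 198.51.100.23 port 40120 ssh2'

# Read log lines on stdin; print "count ip" for every source with at least one
# failed login, most active first. "Invalid user" lines are not counted on their
# own: each one is paired with a "Failed password ... invalid user" line for the
# same attempt, so counting both would double-count that attempt.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -k1,1nr -k2,2
}

# Print the sources whose failure count reaches MAXRETRY (default 3, as in jail.local).
ips_over_threshold() {
    local maxretry="${1:-3}"
    failed_logins_by_ip | awk -v m="$maxretry" '$1 >= m { print $2 }'
}

# Successful logins as "user ip method", so legitimate access is visible too.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ { print $9, $11, $7 }'
}

main() {
    echo "failed logins per source:"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
    echo "would be banned with maxretry=3:"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | ips_over_threshold 3
    echo "accepted:"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
}
main
```

On a live host, pipe `sudo grep sshd /var/log/auth.log` (or `journalctl -u ssh --no-pager`, `-u sshd` on RHEL) into failed_logins_by_ip and compare with `sudo fail2ban-client status sshd`, which lists the currently banned addresses. A source that is over the threshold but never banned usually means the jail is watching the wrong port or the wrong log backend.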

Rootkit Detection Tools

# Install rkhunter and chkrootkit
sudo apt install rkhunter chkrootkit  # Debian/Ubuntu
sudo yum install rkhunter chkrootkit  # CentOS/RHEL (EPEL)

# Establish the file-property baseline, then scan. Run --propupd only on a system
# you trust to be clean (ideally right after installation) and again after each
# legitimate package update; otherwise every later check flags the updated binaries.
sudo rkhunter --update      # refresh data files (Debian ships with this disabled via WEB_CMD in rkhunter.conf)
sudo rkhunter --propupd
sudo rkhunter --check --sk  # --sk skips the "press Enter" prompts; warnings are detailed in /var/log/rkhunter.log

sudo chkrootkit

File System Security

File Permission Checks

# Find world-writable regular files (sticky-bit directories such as /tmp are expected and not listed)
sudo find / -xdev -type f -perm -0002 -ls

# Find files with no owner or group (typically left behind by deleted accounts)
sudo find / -xdev \( -nouser -o -nogroup \) -ls

# Check sensitive file permissions. Verify before changing anything, and do not make
# /etc/shadow stricter than the distro's scheme: Debian/Ubuntu ship it as root:shadow
# 0640 so that the setgid-shadow helper unix_chkpwd can verify passwords, while RHEL
# ships it as root:root 0000.
sudo stat -c '%a %U:%G %n' /etc/passwd /etc/shadow /etc/ssh/sshd_config
sudo chmod 644 /etc/passwd         # must remain world-readable
sudo chmod 600 /etc/ssh/sshd_config
sudo chmod o-rwx /etc/shadow       # strip any "other" access without touching the owner/group scheme
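Rather than chmod-ing blindly, a practitioner keeps a small table of the expected owner, group and mode for each sensitive file and reports drift. The script below is an added example, not part of the article: the table encodes the recommendations above together with the Debian and RHEL shadow defaults, it assumes GNU stat, and check_perms reads its table from stdin so it can be run against a staged tree or a mounted image as well as the live root.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): report permission drift on
# sensitive files against an expected table. Assumes GNU stat (-c).
set -eu

# Expected "path owner:group mode" per distro family. The mode is the maximum
# allowed: an actual mode that grants any bit the expected one withholds is drift.
expected_perms() {
    case "$1" in
        debian)
            printf '%s\n' \
                '/etc/passwd root:root 644' \
                '/etc/shadow root:shadow 640' \
                '/etc/gshadow root:shadow 640' \
                '/etc/sudoers root:root 440' \
                '/etc/ssh/sshd_config root:root 600' ;;
        rhel)
            printf '%s\n' \
                '/etc/passwd root:root 644' \
                '/etc/shadow root:root 000' \
                '/etc/gshadow root:root 000' \
                '/etc/sudoers root:root 440' \
                '/etc/ssh/sshd_config root:root 600' ;;
        *) echo "unknown distro family: $1" >&2; return 1 ;;
    esac
}

# Return 0 if ACTUAL (octal, as printed by stat %a) grants no bit that MAX withholds.
# Leading 0 makes the shell parse the strings as octal; setuid/setgid/sticky bits
# in ACTUAL (e.g. 4755) therefore count as drift unless MAX allows them.
mode_within() {
    local actual=$((0$1)) max=$((0$2))
    [ $(( actual & ~max )) -eq 0 ]
}

# Read "path owner:group mode" lines on stdin and check them under ROOT (empty for
# the live system). Prints one DRIFT or MISSING line per problem; returns 1 if any.
check_perms() {
    local root="${1:-}" rc=0 path owner mode actual
    while read -r path owner mode; do
        [ -n "$path" ] || continue
        if [ ! -e "$root$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        actual=$(stat -c '%U:%G %a' "$root$path")
        if [ "${actual% *}" != "$owner" ] || ! mode_within "${actual#* }" "$mode"; then
            echo "DRIFT $path $actual (expected $owner $mode)"; rc=1
        fi
    done
    return $rc
}

# Convenience wrapper for the live system: check_sensitive_files debian|rhel
check_sensitive_files() {
    expected_perms "$1" | check_perms ""
}

# Usage: sudo ./check-perms.sh --check debian
if [ "${1:-}" = "--check" ]; then
    check_sensitive_files "${2:-debian}"
fi
```

A non-zero exit with the DRIFT lines makes the script usable from cron or a configuration-management check; fix each reported file by hand rather than letting the script chmod, so an unexpected owner (a sign of tampering) is noticed rather than papered over.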

File Integrity Monitoring

# Install AIDE
sudo apt install aide  # Debian/Ubuntu
sudo yum install aide  # CentOS/RHEL

# Initialise the database on a clean system; the baseline is only as trustworthy as the host was when it was taken
sudo aideinit                                                                       # Debian/Ubuntu wrapper: builds the DB and installs it as /var/lib/aide/aide.db
sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz   # CentOS/RHEL

# Schedule a daily check. Debian/Ubuntu already install /etc/cron.daily/dailyaidecheck; add this on RHEL only
echo "0 5 * * * root /usr/sbin/aide --check" | sudo tee -a /etc/crontab
# After legitimate changes (package updates) refresh the baseline with "aide --update", and keep a
# copy of the database off the host so an intruder who gains root cannot simply rewrite it.

Log Monitoring

# Install logwatch
sudo apt install logwatch  # Debian/Ubuntu
sudo yum install logwatch  # CentOS/RHEL

# Configure the daily report (this file holds local overrides; the defaults in /usr/share/logwatch are replaced on upgrade)
sudo nano /etc/logwatch/conf/logwatch.conf
# Set:
#   Output = mail
#   MailTo = your@email.com
#   Detail = Med
# Mail delivery needs a working local MTA; test with: sudo logwatch --output stdout --range yesterday

# Install and configure auditd
sudo apt install auditd  # Debian/Ubuntu
sudo yum install audit   # CentOS/RHEL

# Enable and start the daemon. "-e 1" switches auditing on, but without rules only
# login/authentication events are recorded; put watch and syscall rules in
# /etc/audit/rules.d/*.rules and load them with "augenrules --load".
sudo systemctl enable --now auditd
sudo auditctl -e 1
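auditctl -e 1 only turns the subsystem on; it records little of interest until rules exist. The rule set below is an added example of my own, not from the article or the audit project: it watches the files the earlier sections edit by hand and logs every command a logged-in user runs as root. The key names and the path /etc/audit/rules.d/50-hardening.rules are my choices; drop the /etc/ssh/sshd_config.d watch on distributions whose OpenSSH has no drop-in directory, and the b32 line on kernels without 32-bit syscall support.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): a minimal auditd rule set for
# the files this guide edits, written to rules.d and loaded with augenrules.
set -eu

# Emit the rules. The -k keys let you pull matching events later with
# "ausearch -k KEY -ts today" or summarise them with "aureport -k".
audit_rules() {
    cat <<'EOF'
## Flush existing rules, size the kernel buffer for bursts, and fail "soft" (1)
## rather than panicking the kernel (2) when the backlog overflows
-D
-b 8192
-f 1

## Identity and privilege files: who changed accounts, groups, sudoers
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

## SSH and PAM configuration, which this guide edits by hand
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/ssh/sshd_config.d/ -p wa -k sshd_config
-w /etc/pam.d/ -p wa -k pam

## Every command executed as root by a real (logged-in) user, i.e. via sudo or su.
## auid is the login uid; 4294967295 means "unset" (daemons, boot-time tasks)
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmds
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmds

## The audit configuration itself, and kernel module loading/unloading
-w /etc/audit/ -p wa -k audit_config
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules

## Make the rules immutable until reboot: even root cannot disable or change
## auditing without a reboot, which is itself visible in the logs. Keep this last.
-e 2
EOF
}

# Number of real rules (-w watches and -a syscall rules), to compare with
# "auditctl -l | wc -l" after loading; -D, -b, -f and -e are control lines.
audit_rule_count() {
    audit_rules | grep -Ec '^-[aw] '
}

# The distinct keys in use, one per line, for ausearch -k.
audit_rule_keys() {
    audit_rules | grep -Eo ' -k [A-Za-z_]+' | awk '{ print $2 }' | sort -u
}

# Root: write the file and load it. augenrules merges /etc/audit/rules.d/*.rules
# (sorted by name) into /etc/audit/audit.rules and hands the result to auditctl.
install_audit_rules() {
    local dest="${1:-/etc/audit/rules.d/50-hardening.rules}"
    audit_rules > "$dest"
    chmod 640 "$dest"
    augenrules --load
    auditctl -l          # should list the watches and syscall rules above
}

# Usage: sudo ./audit-rules.sh --install
if [ "${1:-}" = "--install" ]; then
    install_audit_rules
fi
```

After loading, `sudo ausearch -k identity -ts today` shows every write to the account files, and `sudo ausearch -k root_cmds -i` lists the root commands with user names resolved. Because the file ends with -e 2, a later `auditctl -e 1` or rule change is refused until reboot; leave that line out while you are still tuning the set.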

Other Security Measures

Disable Unnecessary Services

# List running services, and what is actually listening on the network
sudo systemctl list-units --type=service --state=running
sudo ss -tulpn

# Disable and stop services this server does not need, for example:
sudo systemctl disable --now avahi-daemon.socket avahi-daemon.service
sudo systemctl disable --now cups.socket cups.service
sudo systemctl disable --now rpcbind
# Disable the .socket unit together with the service, or socket activation brings it
# straight back; use "systemctl mask" for units that other packages keep pulling in.

Kernel Parameter Hardening

# Put the settings in a drop-in file rather than editing /etc/sysctl.conf itself
sudo nano /etc/sysctl.d/99-hardening.conf

# Add:
net.ipv4.conf.all.rp_filter = 1               # reverse-path filtering against spoofed source addresses
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1                   # survive SYN floods
net.ipv4.conf.all.accept_redirects = 0        # ignore ICMP redirects (route hijacking)
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0          # a server is not a router
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0     # drop source-routed packets
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1            # log packets with impossible source addresses
kernel.randomize_va_space = 2                 # full ASLR (already the default on current kernels; kept so a change is noticed)
# kernel.exec-shield does not exist on current kernels (it was a RHEL 5/6-era patch); listing it only makes sysctl print an error.

# Apply
sudo sysctl --system      # loads every /etc/sysctl.d/*.conf; "sysctl -p FILE" loads a single file
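Loading a file is not the same as the values being in effect: a key the running kernel does not have, a typo, or a later file in /etc/sysctl.d that overrides yours all go unnoticed unless something compares the file with the live values. The script below is an added example, not part of the original article. It parses a sysctl.conf-style file and reports each key as OK or DRIFT against what `sysctl -n` returns; the embedded HARDENING_CONF is a constructed subset of the settings above, and the kernel.exec-shield line is kept in it deliberately to show how a missing key is reported.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): compare a sysctl hardening
# file with the values the running kernel reports. Assumes procps "sysctl -n".
set -eu

# Constructed subset of the recommended settings, in sysctl.conf syntax.
HARDENING_CONF='# network hardening
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
kernel.randomize_va_space = 2
kernel.exec-shield = 1'

# Normalise "key = value" lines on stdin to "key value": strip "#"/";" comments,
# blank lines and surrounding whitespace (the syntax sysctl.conf(5) accepts).
parse_sysctl_conf() {
    sed -E 's/[#;].*//; /^[[:space:]]*$/d; s/[[:space:]]*=[[:space:]]*/ /; s/^[[:space:]]+//; s/[[:space:]]+$//'
}

# Live value of KEY with whitespace collapsed (multi-value keys such as
# net.ipv4.tcp_rmem are tab-separated), or "<missing>" if the kernel lacks it.
live_sysctl() {
    { sysctl -n "$1" 2>/dev/null || echo "<missing>"; } | tr -s '[:space:]' ' ' | sed 's/ $//'
}

# Read "key value" lines on stdin; print "OK key value" or "DRIFT key wanted=.. actual=.."
# for each one. Returns 1 if anything drifted, so it can gate a deployment.
sysctl_drift() {
    local rc=0 key wanted actual
    while read -r key wanted; do
        [ -n "$key" ] || continue
        actual=$(live_sysctl "$key")
        if [ "$actual" = "$wanted" ]; then
            echo "OK $key $wanted"
        else
            echo "DRIFT $key wanted=$wanted actual=$actual"; rc=1
        fi
    done
    return $rc
}

# Usage: ./sysctl-drift.sh --check /etc/sysctl.d/99-hardening.conf
#        ./sysctl-drift.sh --demo   (runs the embedded sample against this kernel)
case "${1:-}" in
    --check) parse_sysctl_conf < "${2:-/etc/sysctl.d/99-hardening.conf}" | sysctl_drift ;;
    --demo)  printf '%s\n' "$HARDENING_CONF" | parse_sysctl_conf | sysctl_drift || true ;;
esac
```

Run it after `sysctl --system` and again after reboots and kernel updates; a DRIFT on a key you know you set usually points at a higher-numbered file in /etc/sysctl.d (or a cloud-init or container runtime override) winning over yours, since later files are applied last.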

Regular Security Audits

# Run a Lynis audit (the distro package can lag far behind; the project also provides a current tarball and package repository)
sudo apt install lynis  # Debian/Ubuntu
sudo yum install lynis  # CentOS/RHEL (EPEL)

sudo lynis audit system   # prints warnings and suggestions; the hardening index is recorded in /var/log/lynis-report.dat

By applying these measures you will significantly raise the security of your Linux server. Remember that security is an ongoing process: review and update these configurations regularly to keep up with new threats.