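# Refresh the package index and install every pending update.
sudo apt update && sudo apt upgrade -y   # Debian/Ubuntu
sudo yum update -y                       # CentOS/RHEL 7
sudo dnf update -y                       # Fedora / RHEL 8+ (dnf replaces yum there)

# Automatic security updates.
# Debian/Ubuntu: unattended-upgrades applies the -security pocket by default.
# The two APT::Periodic lines below are exactly what
# "dpkg-reconfigure unattended-upgrades" writes when you answer "yes";
# writing them directly keeps the step non-interactive and scriptable.
sudo apt install -y unattended-upgrades
printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' \
  | sudo tee /etc/apt/apt.conf.d/20auto-upgrades
# Dry run: confirms the origins/allowed-origins config actually matches something.
sudo unattended-upgrade --dry-run --debug

# CentOS/RHEL/Fedora equivalent: dnf-automatic. Its shipped config only
# DOWNLOADS updates; apply_updates = yes makes it install them
# (upgrade_type = security in the same file restricts it to security errata).
sudo dnf install -y dnf-automatic
sudo sed -i 's/^apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer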
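# Create a dedicated admin account. Every later SSH rule (AllowUsers, the
# ssh-copy-id target) assumes this user exists and can sudo.
sudo useradd -m -s /bin/bash adminuser
sudo passwd adminuser                   # still required for sudo even when SSH logins are key-only
# -a is essential: "usermod -G" WITHOUT -a replaces the user's supplementary
# groups instead of adding to them.
sudo usermod -aG sudo adminuser         # Debian/Ubuntu: admin group is "sudo"
sudo usermod -aG wheel adminuser        # CentOS/RHEL:   admin group is "wheel"
# Verify the sudo grant BEFORE root login is disabled in the next step; a
# wrong group name here otherwise leaves you with no way to administer the box.
sudo -l -U adminuser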
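# Disable root SSH login.
# The stock sshd_config normally carries the directive COMMENTED OUT
# ("#PermitRootLogin prohibit-password"). A sed anchored on "^PermitRootLogin"
# then matches nothing, and root stays able to log in with a key -- silently.
# Match the commented form too, and append the directive if it is absent.
sudo sed -i -E 's/^#?\s*PermitRootLogin\s.*/PermitRootLogin no/' /etc/ssh/sshd_config
grep -qE '^PermitRootLogin\s' /etc/ssh/sshd_config \
  || echo 'PermitRootLogin no' | sudo tee -a /etc/ssh/sshd_config
# Validate the config, then read back the EFFECTIVE value: on systems with an
# "Include /etc/ssh/sshd_config.d/*.conf" line a drop-in may override the main
# file, and sshd -T is the only reliable way to see what actually won.
sudo sshd -t && sudo sshd -T | grep -i '^permitrootlogin'
# Restart only after sshd -t passed, and keep this session open until a
# fresh login as adminuser succeeds from a second terminal.
sudo systemctl restart sshd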
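# Password quality policy (pam_pwquality).
sudo apt install -y libpam-pwquality    # Debian/Ubuntu: pam-auth-update inserts the PAM line itself
sudo yum install -y libpwquality        # CentOS/RHEL: the module ships in libpwquality (there is no
                                        # "pam_pwquality" package); system-auth already references it
# Put the policy in /etc/security/pwquality.conf, which both distros read.
# Do NOT hand-edit /etc/pam.d/common-password or /etc/pam.d/system-auth:
# they are generated by pam-auth-update / authselect and manual edits are
# overwritten on the next package or profile update.
sudo tee -a /etc/security/pwquality.conf <<'EOF'
# hardening: a negative credit means "at least one character of that class"
minlen = 12
difok = 3
ucredit = -1
lcredit = -1
dcredit = -1
ocredit = -1
EOF
# retry= is an option of the PAM line, not of pwquality.conf; the packaged
# line ("password requisite pam_pwquality.so retry=3 ...") normally already
# carries it -- confirm in the pam.d file for your release rather than editing.
# Smoke test: a short, simple candidate must be rejected
# (pwscore: package libpwquality-tools on Debian/Ubuntu).
echo 'Short1!' | pwscore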
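# Harden sshd.
# Prefer a drop-in under /etc/ssh/sshd_config.d/ -- supported where sshd_config
# has an "Include /etc/ssh/sshd_config.d/*.conf" line (OpenSSH >= 8.2: Ubuntu
# 20.04+, Debian 11+, RHEL 9+). On older systems append the same directives to
# /etc/ssh/sshd_config instead. sshd keeps the FIRST value it reads for each
# directive, so name the drop-in so it sorts before vendor/cloud-init files.
sudo tee /etc/ssh/sshd_config.d/00-hardening.conf <<'EOF'
# Non-default port: cuts log noise from mass scanners, but is not a security
# boundary on its own -- keep the remaining settings regardless.
Port 2222
PermitRootLogin no
MaxAuthTries 3
# Idle timeout: probe every 300 s, drop the session after 2 unanswered probes.
# Do NOT use ClientAliveCountMax 0: since OpenSSH 8.2 that value DISABLES the
# disconnect entirely instead of making it immediate.
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 60
# Only the admin account may log in; list further users space-separated.
AllowUsers adminuser
X11Forwarding no
PubkeyAuthentication yes
PermitEmptyPasswords no
# Uncomment ONLY after the key from the next step is installed and a key
# login has been verified -- otherwise ssh-copy-id itself is locked out.
# PasswordAuthentication no
EOF
# "Protocol 2" is deliberately omitted: SSH-1 support was removed in
# OpenSSH 7.4, so the directive is a no-op on anything current.

# CentOS/RHEL with SELinux enforcing: sshd may only bind port 22 until the new
# port carries the ssh_port_t label (semanage: package policycoreutils-python-utils).
sudo semanage port -a -t ssh_port_t -p tcp 2222

# Validate BEFORE restarting -- a typo here locks you out. sshd -T prints the
# merged effective config, the only reliable view when several files set the
# same directive.
sudo sshd -t
sudo sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication|allowusers|clientalive)'
sudo systemctl restart sshd
# Ubuntu releases that socket-activate ssh (ssh.socket) take the listen port
# from the socket unit; if 2222 is not listening after the restart, run
#   sudo systemctl daemon-reload && sudo systemctl restart ssh.socket
# Keep this session open and confirm a fresh login on 2222 from another terminal.
sudo ss -tlnp | grep -E ':(22|2222)\b'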
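# Key-based authentication. Run these on your CLIENT machine, not on the server.
# Ed25519 is the current recommendation: small keys, fast, and no key-size or
# padding choices to get wrong. Keep RSA-4096 only for peers that predate
# ed25519 support (OpenSSH < 6.5). -a 100 hardens the passphrase KDF.
ssh-keygen -t ed25519 -a 100 -C "adminuser@$(hostname)"
# ssh-keygen -t rsa -b 4096             # legacy fallback
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 adminuser@your_server_ip
# Prove the key works -- from a NEW terminal, forcing key auth -- before
# changing sshd again:
ssh -p 2222 -o PasswordAuthentication=no adminuser@your_server_ip 'id'
# Only once that succeeds, turn passwords off on the server (this is the
# change that actually stops online brute force; fail2ban merely slows it):
#   echo 'PasswordAuthentication no' | sudo tee /etc/ssh/sshd_config.d/10-nopassword.conf
#   sudo sshd -t && sudo systemctl restart sshd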
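# UFW (Ubuntu). Order matters: add the SSH rule BEFORE "ufw enable".
# Enabling activates the default-deny policy immediately; with no SSH rule
# present, every NEW SSH connection (your next login) is dropped while the
# current one survives only because it is already established.
sudo ufw default deny incoming
sudo ufw default allow outgoing
# "limit" = allow + rate-limit (6 new connections per 30 s per source IP),
# a cheap first line of defence against password guessing.
sudo ufw limit 2222/tcp   # SSH -- must match Port in sshd_config
sudo ufw allow 80/tcp     # HTTP
sudo ufw allow 443/tcp    # HTTPS
sudo ufw enable
# Confirm "2222/tcp LIMIT IN" is listed before closing this session.
sudo ufw status verbose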
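# FirewallD (CentOS/RHEL).
sudo systemctl enable --now firewalld
# Open the new SSH port, then drop the default "ssh" service (port 22) from
# the zone -- leaving 22 open defeats the port change. --permanent rules are
# inert until --reload, so do the reload only after a login on 2222 has been
# confirmed from a second terminal.
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
# Expected: "ports: 2222/tcp" and "services: http https" (no "ssh").
sudo firewall-cmd --list-all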
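# Ownership and mode of the credential files. Ownership matters as much as
# the mode: a mode-600 file owned by the wrong account is readable by it.
sudo chown root:root /etc/passwd /etc/ssh/sshd_config
sudo chmod 644 /etc/passwd
sudo chmod 600 /etc/ssh/sshd_config
# /etc/shadow and /etc/gshadow differ per distro, and a blanket chmod 600 is
# WRONG on Debian/Ubuntu: there the "shadow" group exists so that setgid
# helpers such as unix_chkpwd can verify passwords without running as root,
# and 600 breaks them. Use the distro's own baseline:
sudo chown root:shadow /etc/shadow /etc/gshadow && sudo chmod 640 /etc/shadow /etc/gshadow   # Debian/Ubuntu
sudo chown root:root /etc/shadow /etc/gshadow && sudo chmod 000 /etc/shadow /etc/gshadow     # CentOS/RHEL (root bypasses mode bits)
# Nothing here should be world-readable except passwd and group.
ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow /etc/ssh/sshd_config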
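# Disable kernel modules you do not need.
# "blacklist" alone only stops automatic loading by hardware alias; an explicit
# "modprobe <name>" (or a dependency pulling it in) still loads the module.
# "install <name> /bin/false" makes any load attempt fail, which is what the
# CIS benchmarks require. Use both.
sudo tee /etc/modprobe.d/hardening.conf <<'EOF'
# uncommon filesystems with a history of parser bugs and no use on a server
# (do NOT add squashfs on Ubuntu: snap needs it)
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install udf /bin/false
# removable-media buses: only meaningful on physical hosts. On a cloud VM
# these drivers are irrelevant; on a workstation they block USB sticks.
install usb-storage /bin/false
blacklist usb-storage
install firewire-core /bin/false
blacklist firewire-core
install thunderbolt /bin/false
blacklist thunderbolt
EOF
# The file only affects future loads: unload anything already resident
# (errors for modules that are not loaded are expected, hence 2>/dev/null)
# and verify nothing reappears after the next reboot.
sudo modprobe -r usb-storage firewire-core thunderbolt 2>/dev/null
lsmod | grep -E 'usb_storage|firewire|thunderbolt|cramfs|udf'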
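# Disable core dumps. Three independent mechanisms have to agree:
# 1) limits.conf is applied by pam_limits, i.e. only to PAM login sessions;
sudo tee -a /etc/security/limits.conf <<'EOF'
* hard core 0
EOF
# 2) systemd services never pass through PAM, so give them their own default
#    limit and stop systemd-coredump from storing anything it still receives;
sudo mkdir -p /etc/systemd/coredump.conf.d /etc/systemd/system.conf.d
printf '[Coredump]\nStorage=none\nProcessSizeMax=0\n' | sudo tee /etc/systemd/coredump.conf.d/disable.conf
printf '[Manager]\nDefaultLimitCORE=0\n' | sudo tee /etc/systemd/system.conf.d/nocore.conf
sudo systemctl daemon-reexec   # manager defaults are only re-read on re-exec
# 3) never dump setuid programs: such a dump can leak secrets of the
#    privileged process to the unprivileged user who triggered it.
echo 'fs.suid_dumpable = 0' | sudo tee /etc/sysctl.d/99-nocoredump.conf
sudo sysctl --system
# Verify from a FRESH login (limits are applied at session start): hard limit must be 0.
ulimit -Hc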
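# Logging and intrusion-detection tooling.
sudo apt install -y auditd fail2ban logwatch   # Debian/Ubuntu
# CentOS/RHEL: audit and logwatch are in the base repos, fail2ban is in EPEL.
# epel-release is in the CentOS "extras" repo; on RHEL proper install the
# EPEL release RPM from fedoraproject.org instead.
sudo yum install -y epel-release
sudo yum install -y audit fail2ban logwatch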
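# auditd: watch the identity files for writes and attribute changes.
# Put rules under /etc/audit/rules.d/. On current audit versions augenrules
# regenerates /etc/audit/audit.rules from that directory at service start,
# so anything typed into audit.rules directly is silently overwritten.
sudo tee /etc/audit/rules.d/identity.rules <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
EOF
sudo systemctl enable --now auditd
# Load the merged rule set without a restart -- auditd is marked
# RefuseManualStop on many distros, so "systemctl restart auditd" can fail --
# then confirm the watches are actually in the kernel.
sudo augenrules --load
sudo auditctl -l
# Query later with the key:  sudo ausearch -k identity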
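# fail2ban. jail.local holds OVERRIDES only -- never copy the whole jail.conf
# into it, or every later packaged change to jail.conf is shadowed forever.
sudo tee /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
# Never ban your own management networks (replace the example range).
ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24
bantime  = 86400
findtime = 600
maxretry = 3

[sshd]
enabled = true
# Must match "Port" in sshd_config, otherwise bans are applied to port 22 only.
port = 2222
# No logpath/backend here on purpose: the packaged [sshd] defaults resolve to
# /var/log/auth.log on Debian/Ubuntu and /var/log/secure on RHEL (or the
# journal where the distro has no syslog file). Hard-coding auth.log breaks
# the jail on RHEL and on Ubuntu images that ship without rsyslog.
EOF
sudo systemctl enable --now fail2ban
# The jail must appear here; an error instead means the log source could not
# be opened, and "Currently failed" should start counting once probes arrive.
sudo fail2ban-client status sshd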
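# Kernel network hardening. Use a drop-in under /etc/sysctl.d/ (loaded at boot
# and by "sysctl --system") rather than /etc/sysctl.conf: "sysctl -p" only
# re-reads /etc/sysctl.conf and ignores the drop-in directory.
sudo tee /etc/sysctl.d/99-hardening.conf <<'EOF'
# Do not route between interfaces. NOTE: Docker, Kubernetes, libvirt and VPN
# hosts REQUIRE ip_forward = 1 -- drop these two lines on such machines.
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Reject source-routed packets (sender choosing the return path).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# SYN cookies: keep accepting connections during a SYN flood.
net.ipv4.tcp_syncookies = 1
# Ignore ICMP redirects (routing-table poisoning from the local segment),
# and do not emit them either -- a host is not a router.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Reverse-path filtering drops packets whose source is not routable back via
# the receiving interface (spoofing). Use 2 (loose) on multi-homed hosts.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log impossible ("martian") source addresses.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Do not answer broadcast pings (smurf amplification) or bogus ICMP errors.
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF
# Apply every file in /etc/sysctl.d/ plus /etc/sysctl.conf, then spot-check.
sudo sysctl --system
sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter net.ipv4.tcp_syncookies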
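# Lynis: host security audit. It only reports; nothing on the system is changed.
sudo apt install -y lynis   # Debian/Ubuntu
sudo yum install -y lynis   # CentOS/RHEL: packaged in EPEL
# Distro packages can lag upstream by years; if findings look dated, compare
# "lynis --version" with the current upstream release.
sudo lynis audit system
# Findings are keyed by test ID in /var/log/lynis-report.dat; read the
# rationale before acting on a suggestion:
#   sudo lynis show details <TEST-ID>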
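# rkhunter: rootkit / tampered-binary scanner.
sudo apt install -y rkhunter   # Debian/Ubuntu
sudo yum install -y rkhunter   # CentOS/RHEL (EPEL)
# --update fetches new signature data. Debian ships WEB_CMD="/bin/false" in
# /etc/rkhunter.conf, which makes --update fail by design; either accept that
# or clear WEB_CMD there (check the comment in the file for your release).
sudo rkhunter --update
# --propupd records the CURRENT file hashes as the trusted baseline. It is
# only meaningful on a host you believe is clean (ideally a fresh install),
# and must be re-run after every package upgrade or the next scan flags the
# legitimately changed binaries.
sudo rkhunter --propupd
# --sk skips the "press enter" pauses; --rwo prints warnings only.
sudo rkhunter --check --sk --rwo
# Full results live in the file named by LOGFILE in rkhunter.conf
# (/var/log/rkhunter.log on Debian/Ubuntu):
sudo grep -i warning /var/log/rkhunter.log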
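# Reduce the attack surface: every listening service you do not need is code
# you maintain for the attacker. List what runs AND what is bound to the network.
sudo systemctl list-units --type=service --state=running
sudo ss -tulpn                         # listening TCP/UDP sockets with owning process
# Stop and disable in one step. Many daemons also have a .socket or .path unit
# that re-activates them on demand (cups.socket, avahi-daemon.socket), so
# disable those too; "mask" makes the unit impossible to start at all.
sudo systemctl disable --now [service_name]
sudo systemctl mask [service_name]
# Typical server candidates: bluetooth, cups (+ cups.socket, cups.path),
# avahi-daemon (+ avahi-daemon.socket), rpcbind (+ rpcbind.socket), nfs-server.
# Check before removing rpcbind: NFSv3 clients depend on it even without nfs-server.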
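# Scheduled checks. Use a file in /etc/cron.d/ (root-owned, mode 644, with an
# explicit user column) instead of "sudo crontab -e": it is reviewable and
# manageable by configuration tooling.
# There is deliberately no "apt upgrade -y" line: unattended-upgrades (or
# dnf-automatic on RHEL) already installs updates; a second upgrade from cron
# is redundant, can hang on debconf/needrestart prompts because no TTY is
# attached, and "apt" itself warns that its CLI is not stable for scripts.
sudo tee /etc/cron.d/security-checks <<'EOF'
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MAILTO=root
# weekly rootkit scan, Sunday 04:00 -- warnings only, so mail means something
0 4 * * 0 root /usr/bin/rkhunter --check --cronjob --report-warnings-only
# weekly Lynis audit, Sunday 05:00 -- report lands in /var/log/lynis-report.dat
0 5 * * 0 root /usr/bin/lynis audit system --cronjob
# if you insist on a full unattended upgrade, use apt-get non-interactively:
# 0 3 * * * root DEBIAN_FRONTEND=noninteractive /usr/bin/apt-get -qy -o Dpkg::Options::=--force-confold upgrade
EOF
sudo chmod 644 /etc/cron.d/security-checks
# Debian/Ubuntu already ship /etc/cron.daily/rkhunter, driven by
# /etc/default/rkhunter (CRON_DAILY_RUN, CRON_DB_UPDATE); prefer enabling that
# over the rkhunter line above so the scan does not run twice.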
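# Where to look. Syslog paths differ per distro; the journal is the common
# denominator and exists on both families.
sudo journalctl -xe                             # most recent entries, with explanations
sudo journalctl -u sshd -u ssh --since today    # SSH daemon only (unit is "ssh" on Debian/Ubuntu)
sudo tail -f /var/log/auth.log                  # Debian/Ubuntu: logins, sudo, PAM
sudo tail -f /var/log/secure                    # CentOS/RHEL equivalent of auth.log
sudo tail -f /var/log/syslog                    # Debian/Ubuntu general log
sudo tail -f /var/log/messages                  # CentOS/RHEL general log
# Login history from the wtmp/btmp accounting files (failed, then successful):
sudo lastb | head
last | head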
通过以上步骤,您可以显著提高Linux服务器的安全性。请根据您的具体需求调整这些设置,并定期审查安全配置。注意:凡是改动SSH或防火墙的步骤,都应保持当前会话不断开,并在新的终端中验证仍能登录后再继续,以免把自己锁在服务器之外。