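# Hide the nginx version from the Server header and from generated error pages.
server_tokens off;

# Restrict HTTP methods: anything other than GET/HEAD/POST gets a 405.
# `if` + `return` is one of the few `if` forms nginx documents as safe; the
# directive is only valid in server/location context.
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

# Security headers.  `always` is required so they are also sent on 4xx/5xx
# responses (including the 405 above); without it nginx adds them to
# 2xx/3xx responses only.  add_header is NOT inherited into a location that
# defines its own add_header — repeat the full set there.
add_header X-Frame-Options "SAMEORIGIN" always;
# X-XSS-Protection is deprecated and ignored by current browsers; kept for
# legacy clients only — the CSP line below is the effective control.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# TLS: legacy protocol versions disabled.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# NOTE: the cipher list is truncated ("...") as written; replace it with a
# complete, current list before deploying.  TLSv1.3 suites are not
# controlled by this directive.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';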
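# Hide version/module details from the Server header and generated pages.
ServerTokens Prod
ServerSignature Off

# Restrict HTTP methods.  `Require all denied` is the Apache 2.4 form;
# `Deny from all` is 2.2 syntax and only works on 2.4 when the legacy
# mod_access_compat module is loaded.  LimitExcept applies to the
# <Directory>/<Location> it is placed in, and the denied methods receive
# a 403 rather than a 405.
<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>

# Security headers (requires mod_headers).  `always` makes them apply to
# non-2xx responses, including error pages.
Header always set X-Frame-Options "SAMEORIGIN"
# Deprecated header, ignored by current browsers; harmless to keep.
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
# Same CSP and referrer policy as the nginx configuration, so both servers
# present an identical header set.
Header always set Content-Security-Policy "default-src 'self'"
Header always set Referrer-Policy "strict-origin-when-cross-origin"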
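# ufw host firewall.  Order matters on a remote host: set the policy and
# admit SSH BEFORE enabling, otherwise the enable step can cut off the
# session you are working from.
sudo ufw default deny incoming
sudo ufw default allow outgoing
# `limit` both admits SSH and rate-limits new connections per source.
# A plain `allow 22/tcp` placed ahead of it would match first and leave
# the limit rule unreachable, so only the limit rule is kept.
sudo ufw limit 22/tcp   # SSH (adjust if sshd listens elsewhere)
sudo ufw allow 80/tcp   # HTTP
sudo ufw allow 443/tcp  # HTTPS
sudo ufw enable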
# SYN-flood throttling.  NOTE(review): a rate-limited ACCEPT only throttles
# if the excess SYNs are dropped by a following rule or a DROP default
# policy — neither is present here, so as written this line changes
# nothing.  1/s (default burst 5) is also far too low for a public web
# server; tune the rate, or prefer a per-source `-m hashlimit` over a
# global limit, before adding the drop rule.
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Cap concurrent connections to port 80 per source address.
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP
# PORTSCAN chain: log (rate-limited so the log cannot be flooded), then drop.
iptables -N PORTSCAN
iptables -A PORTSCAN -m limit --limit 1/s -j LOG --log-prefix "Portscan: "
iptables -A PORTSCAN -j DROP
# NOTE(review): this trigger matches any segment whose only set flag among
# SYN/ACK/FIN/RST is RST — i.e. an ordinary RST, which peers also send during
# normal connection teardown — not specifically scan traffic.  Confirm this
# is intended.  None of these rules persist across reboot without
# iptables-save/netfilter-persistent, and loopback plus
# ESTABLISHED,RELATED accept rules should precede them.
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORTSCAN
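# Install ModSecurity for Apache.
sudo apt install libapache2-mod-security2 -y
# Activate the shipped configuration.  It defaults to
# `SecRuleEngine DetectionOnly` (log, never block); switch it to On once
# the rule set has been tuned — false positives are common at first.
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
# Fetch the OWASP Core Rule Set.  Download as the normal user and verify the
# archive before unpacking it as root.  v3.3.0 is pinned here; check for a
# current release and its published checksum.
wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz
echo "<sha256 of v3.3.0.tar.gz from the release page>  v3.3.0.tar.gz" | sha256sum -c -
sudo tar -xvzf v3.3.0.tar.gz -C /etc/modsecurity/
sudo ln -s /etc/modsecurity/coreruleset-3.3.0 /etc/modsecurity/crs
# CRS ships its setup file as an example that must be copied into place;
# crs-setup.conf and crs/rules/*.conf then still need to be Included from
# the Apache security2 module configuration.
sudo cp /etc/modsecurity/crs/crs-setup.conf.example /etc/modsecurity/crs/crs-setup.conf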
# Install fail2ban and open its local override.  jail.local takes
# precedence over jail.conf and is not touched by package upgrades.
sudo apt install -y fail2ban
sudo nano /etc/fail2ban/jail.local
添加以下内容:
# Jail for repeated HTTP basic-auth failures recorded in the nginx error log.
# maxretry/findtime/bantime are not set here, so the [DEFAULT] values apply.
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
# Jail driven by the access log (presumably probes for common script paths;
# see the nginx-botsearch filter for the exact patterns).
[nginx-botsearch]
enabled = true
filter = nginx-botsearch
port = http,https
logpath = /var/log/nginx/access.log
# Two matches within an hour ban the source for a day — aggressive; a
# single mistyped URL plus one retry from a legitimate client qualifies.
maxretry = 2
findtime = 3600
bantime = 86400
# Automatic (unattended) security upgrades.
sudo apt install -y unattended-upgrades
# Low priority so the enable/disable question is actually asked.
sudo dpkg-reconfigure -plow unattended-upgrades
# The package origins eligible for automatic upgrade live in this file.
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
确保包含:
// Only packages from the origins listed here are upgraded automatically:
// the distribution's security pocket, plus ESM where the host is enrolled.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}ESM:${distro_codename}";
};
# logwatch: daily log summaries by mail.
sudo apt install -y logwatch
# Report delivery and detail level are set in this file.
sudo nano /etc/logwatch/conf/logwatch.conf
设置:
# Deliver the daily report by mail (requires a working local MTA).
Output = mail
Format = html
# Placeholder recipient — replace with a monitored mailbox.
MailTo = admin@yourdomain.com
# Most verbose report level.
Detail = High
# AppArmor (Debian/Ubuntu mandatory access control).
sudo apt install -y apparmor apparmor-utils
# Show which profiles are loaded and in which mode.
sudo apparmor_status
# Interactively build a profile for nginx; exercise the site while it runs
# so the generated rules cover real traffic.
sudo aa-genprof /usr/sbin/nginx
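# SELinux (RHEL-family hosts; AppArmor above is the Debian/Ubuntu counterpart).
sestatus
# Switch to enforcing now.  This fails when SELinux is disabled at boot;
# only the config change below applies then, after a reboot.
sudo setenforce 1
# Persist it.  Match the whole value so a host set to "disabled" is also
# moved to enforcing — the original pattern only matched "permissive".
sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
# Label the web root.  chcon alone is lost on the next relabel
# (restorecon / autorelabel); record the rule in the policy and apply it.
# semanage comes with the policycoreutils python tooling.
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
sudo restorecon -Rv /var/www/html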
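#!/bin/bash
# Web root and MySQL backup script.
# Abort on any failure, including a failed mysqldump inside the pipe, so a
# truncated dump is never silently kept.
set -euo pipefail
# The dump contains every database: create everything owner-only.
umask 077

DATE=$(date +%Y-%m-%d_%H-%M-%S)
BACKUP_DIR="/backups/web"
# MySQL credentials stay out of the script and off the command line
# (a -p<password> argument is visible to every user via ps).  The file is a
# my.cnf fragment with [client] user= / password= lines, mode 0600, root-owned.
MYSQL_DEFAULTS_FILE="/root/.web_backup.my.cnf"   # placeholder path; adjust
TARGET="$BACKUP_DIR/$DATE"

mkdir -p "$TARGET"
# Web files.
tar -czf "$TARGET/web_files.tar.gz" /var/www/html
# All databases.  --defaults-extra-file must be the first option.
mysqldump --defaults-extra-file="$MYSQL_DEFAULTS_FILE" --all-databases \
    | gzip > "$TARGET/all_databases.sql.gz"
# Prune backups older than 7 days.  -mindepth/-maxdepth restrict the match
# to the dated subdirectories so BACKUP_DIR itself can never be removed.
find "$BACKUP_DIR" -mindepth 1 -maxdepth 1 -type d -mtime +7 -exec rm -rf {} +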
# Run the backup daily at 02:00 from root's crontab.  The script holds
# database credentials, so keep it root-owned with mode 0700.
0 2 * * * /root/scripts/web_backup.sh
通过实施这些最佳实践,您可以显著提高Linux服务器上Web接口的安全性。请记住,安全是一个持续的过程,需要定期审查和更新您的安全措施。