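# Keep the base system patched
sudo apt update && sudo apt upgrade -y   # Debian/Ubuntu
sudo yum update -y                       # CentOS/RHEL
# Remove packages nothing depends on any more (smaller attack surface)
sudo apt autoremove --purge
sudo yum autoremove
# UFW (Ubuntu). Order matters on a remote host: set the policy and allow SSH
# *before* `ufw enable`. Enabling first, with deny-incoming in effect and no
# SSH rule, blocks new SSH connections and may cut the session you are in.
sudo ufw default deny incoming
sudo ufw allow 22/tcp    # SSH — consider `ufw limit 22/tcp` or restricting to an admin source range
sudo ufw allow 80/tcp    # HTTP
sudo ufw allow 443/tcp   # HTTPS
sudo ufw enable
# firewalld (CentOS/RHEL). Only the web services are added here; confirm ssh is
# still permitted in the active zone (`sudo firewall-cmd --list-services`)
# before reloading from a remote session.
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload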
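server {
    listen 443 ssl http2;

    # TLS
    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;   # keep the key file 0600 and root-owned
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets are encrypted with a key generated at startup; unless
    # ssl_session_ticket_key is rotated, resumed sessions lose forward secrecy.
    ssl_session_tickets off;

    # Security headers. `always` also sets them on 4xx/5xx responses (without it
    # add_header applies to 2xx/3xx only). NOTE: add_header is not inherited by a
    # location{} that declares its own add_header — repeat them there (or `include`
    # a snippet) or they silently disappear for that location.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    # Browser XSS auditors have been removed; "0" disables the legacy filter, whose
    # blocking behaviour was itself abusable for cross-site leaks. CSP is the real control.
    add_header X-XSS-Protection "0" always;
    # `preload` is a long-term commitment (hard to revoke); only keep it once every
    # subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Other hardening
    server_tokens off;
    client_max_body_size 1m;
    # limit_req_zone is only valid in the http{} context — placed inside server{}
    # it makes nginx refuse to start. Declare the zone in http{} and apply it with
    # `limit_req zone=...` inside the location that needs it.
}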
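<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem   # keep the key file 0600 and root-owned
    # Same policy as the nginx vhost: no TLS 1.0/1.1, forward-secret AEAD suites only
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on

    # Security headers (needs mod_headers). `always` also sets them on error responses.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Content-Security-Policy "default-src 'self'"
    # Browser XSS auditors have been removed; "0" disables the legacy filter, whose
    # blocking behaviour was itself abusable for cross-site leaks. CSP is the real control.
    Header always set X-XSS-Protection "0"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

    # Other hardening
    TraceEnable off
    # ServerTokens is only accepted in the main server configuration, not inside a
    # <VirtualHost> (Apache rejects it here). Put `ServerTokens Prod` and
    # `ServerSignature Off` in the global config, e.g. conf-enabled/security.conf.
</VirtualHost>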
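# Nginx rate limiting for the API.
# limit_req_zone belongs in the http{} context (a zone name may be declared only
# once for the whole configuration). 10m of shared memory tracks clients keyed by
# address; 100r/m is roughly 1.7 requests per second per client.
# Behind a reverse proxy or CDN, $binary_remote_addr is the proxy's address, so
# every user would share one bucket — key on the forwarded client address instead.
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/m;
# Inside the server{} block: up to 20 excess requests are served immediately
# (burst + nodelay); anything beyond that is rejected.
location /api/ {
    limit_req zone=api_limit burst=20 nodelay;
    limit_req_status 429;   # default is 503, which clients interpret as an outage rather than "slow down"
    # ... rest of the location configuration ...
}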
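# API secrets: do not append them to ~/.bashrc. That file is typically world-readable
# (0644), is sourced into every interactive shell, and a key typed into an `echo`
# command also ends up in ~/.bash_history. Prompt for the value and store it in a
# dedicated owner-only file that ~/.bashrc sources.
umask 077
read -rs -p 'API_SECRET_KEY: ' API_SECRET_KEY; echo
printf 'export API_SECRET_KEY=%q\n' "$API_SECRET_KEY" > ~/.api_secrets   # %q quotes any shell metacharacters safely
chmod 600 ~/.api_secrets
grep -qF '.api_secrets' ~/.bashrc || echo '[ -r ~/.api_secrets ] && . ~/.api_secrets' >> ~/.bashrc
source ~/.bashrc
# A service started by systemd never reads ~/.bashrc; give it the key via
# EnvironmentFile= in its unit (also 0600) instead.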
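# ModSecurity WAF for nginx (Ubuntu). The package only installs the module: it still
# has to be switched on in the nginx config and pointed at a ruleset (e.g. the OWASP
# Core Rule Set), otherwise no request is inspected. Run in DetectionOnly mode and
# review the audit log before switching to blocking, or legitimate API traffic gets rejected.
sudo apt install libnginx-mod-http-modsecurity   # Ubuntu
# NOTE(review): `modsecurity-enable` does not appear to be a command shipped by that
# package. Enabling is done with the connector's nginx directives, e.g. in a server{}:
#   modsecurity on;
#   modsecurity_rules_file /etc/nginx/modsec/main.conf;
# then validate and apply: `sudo nginx -t && sudo systemctl reload nginx`.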
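# Log rotation. sudoedit runs the editor as your own user and only the final copy
# as root, so an editor escape (shell-out, file open) does not run with root
# privileges. The nginx package usually ships this file already — adjust it rather
# than replacing it blindly.
sudoedit /etc/logrotate.d/nginx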
示例内容:
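/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress        # leave the newest rotated file uncompressed until nginx has reopened its logs
    notifempty
    create 0640 www-data adm
    sharedscripts        # run postrotate once for all matched files, not once per file
    postrotate
        # Only ask nginx to reopen its log files; a full configuration reload
        # (-s reload) is unnecessary for rotation and re-parses the whole config.
        /usr/sbin/nginx -s reopen
    endscript
}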
# fail2ban: bans source addresses that repeatedly fail authentication.
# NOTE(review): the stock Debian/Ubuntu jail defaults typically cover sshd only;
# to protect the web tier, enable nginx jails (e.g. nginx-http-auth, nginx-botsearch)
# in /etc/fail2ban/jail.local and check `fail2ban-client status` afterwards.
sudo apt install fail2ban
sudo systemctl enable --now fail2ban   # enable at boot and start it immediately
# Lynis: host security audit. It only reports findings and a hardening index —
# nothing is changed automatically; act on the "Suggestions" and "Warnings" it prints
# (the machine-readable report is written under /var/log by default).
sudo apt install lynis
sudo lynis audit system
# Unattended upgrades (Ubuntu). dpkg-reconfigure turns on the automatic run; which
# repositories are applied (security-only by default) and whether the host may reboot
# after a kernel update are set in /etc/apt/apt.conf.d/50unattended-upgrades —
# review them, since a kernel or libssl fix is not effective until services restart.
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
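# Daily backup script. sudoedit runs the editor as your own user and only the final
# copy as root, so an editor escape does not run with root privileges. The script
# will reference database credentials, so restrict it to root after saving
# (chmod 700) — a plain `chmod +x` leaves it world-readable.
sudoedit /usr/local/bin/backup_web.sh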
示例内容:
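#!/bin/bash
# Daily backup of the web root and all MySQL databases into BACKUP_DIR.
# Credentials come from an owner-only MySQL option file, never from the command
# line: a password in argv is visible to every local user via `ps`, and embedding it
# in this script would expose it to anyone who can read the file.
set -euo pipefail
umask 077   # dumps contain database contents: every file created here is owner-only

DATE=$(date +%Y%m%d)
BACKUP_DIR="/backups/web"
# Option file, mode 0600, containing:
#   [client]
#   user=backup
#   password=...
# A dedicated backup account with SELECT/LOCK TABLES/SHOW VIEW/TRIGGER is enough; root is not needed.
MYSQL_CNF="/root/.backup.my.cnf"

mkdir -p -- "$BACKUP_DIR"
chmod 700 -- "$BACKUP_DIR"   # also fixes a directory created earlier with a looser mode

# Website files
tar -czf "$BACKUP_DIR/web_$DATE.tar.gz" /var/www/html

# Databases. --single-transaction gives a consistent InnoDB snapshot without
# locking tables; --defaults-extra-file must be the first option.
mysqldump --defaults-extra-file="$MYSQL_CNF" --single-transaction --all-databases \
  | gzip > "$BACKUP_DIR/db_$DATE.sql.gz"

# Prune only after both backups succeeded: with -e/pipefail a failed tar or dump
# aborts the script above this line, so a broken run never deletes the last good copies.
find "$BACKUP_DIR" -type f -mtime +7 -delete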
设置定时任务:
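# Lock the script down to root: it holds (or references) database credentials, and a
# bare `chmod +x` typically leaves it world-readable (0755 under the default umask).
sudo chown root:root /usr/local/bin/backup_web.sh
sudo chmod 700 /usr/local/bin/backup_web.sh
# Schedule it from root's crontab (root is needed to read /var/www and write /backups)
sudo crontab -e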
添加:
# min hour day-of-month month day-of-week  command — run the backup every day at 02:00 (server local time)
0 2 * * * /usr/local/bin/backup_web.sh
通过以上配置,可以明显收紧Web接口的攻击面:防火墙与fail2ban限制了暴露的服务和暴力破解,TLS与安全头部(尤其是CSP)缓解了传输层窃听与XSS,限流可抑制单一来源的滥用请求,备份与无人值守升级则保障了可恢复性与补丁及时性。需要注意的是:nginx限流并不能抵御大流量DDoS(这需要上游CDN或清洗服务);SQL注入只有在ModSecurity加载了规则集(如OWASP CRS)时才会被检测,根本的防护仍是应用代码中的参数化查询。