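# Keep the system patched
sudo apt update && sudo apt upgrade -y   # Debian/Ubuntu
sudo yum update -y                        # CentOS/RHEL (dnf on newer releases)
# Configure automatic security updates
sudo apt install -y unattended-upgrades   # Debian/Ubuntu
sudo dpkg-reconfigure unattended-upgrades
# Disable unnecessary services
# --state=enabled is used instead of "| grep enabled": the word "enabled" is a
# substring of "disabled", so the grep listed every unit, not just active ones.
sudo systemctl list-unit-files --type=service --state=enabled
# --now also stops the running instance; "disable" alone only affects the next boot.
sudo systemctl disable --now <unnecessary_service>
# Remove unnecessary packages (and their config files)
sudo apt autoremove --purge <unnecessary_packages>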
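server {
    listen 80;
    server_name yourdomain.com;
    # Redirect every HTTP request to HTTPS.
    # $server_name (the first name declared above) is used rather than $host:
    # $host comes from the client's Host header, so when this block is also the
    # default server the original "https://$host" redirected to whatever host
    # name the client supplied. $request_uri keeps path and query string.
    return 301 https://$server_name$request_uri;
}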
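server {
    # NOTE: on nginx 1.25.1+ the "http2" listen flag is deprecated in favour
    # of a separate "http2 on;" directive — adjust for your version.
    listen 443 ssl http2;
    server_name yourdomain.com;

    # TLS
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # The list below is truncated ("...") in this example; fill in a current
    # cipher list. ssl_ciphers only governs TLS 1.2 — TLS 1.3 suites are
    # selected by the TLS library, not by this directive.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets are protected by a key nginx keeps until restart; without
    # a key-rotation scheme that weakens forward secrecy for resumed sessions.
    ssl_session_tickets off;

    # Security headers.
    # "always" is required: without it add_header only applies to 2xx/3xx
    # responses, so error pages (4xx/5xx) were being sent without any of these.
    # add_header is also not inherited by a location{} that defines its own
    # add_header — repeat the full set there.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Current browsers no longer ship the XSS auditor, and "1; mode=block" has
    # been implicated in information leaks in older ones; "0" turns it off
    # explicitly, which is the current recommendation.
    add_header X-XSS-Protection "0" always;
    # 'unsafe-inline' and 'unsafe-eval' disable the script-src protection this
    # policy exists to provide; treat them as a migration step, not an endpoint.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com;" always;
    # "preload" commits the domain and every subdomain to HTTPS-only in browser
    # preload lists and is slow to undo; only keep it once you have actually
    # submitted the domain.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Method allow-list. An "if" whose only action is "return" is one of the
    # safe uses of if in server context.
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 405;
    }
    # ... remaining security configuration ...
}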
<VirtualHost *:80>
ServerName yourdomain.com
# mod_alias prefix redirect: every plain-HTTP request goes to the HTTPS site
# with its path preserved (/foo -> https://yourdomain.com/foo). The literal
# host name is deliberate; reflecting the client's Host header here would let
# the client choose the redirect target.
Redirect permanent / https://yourdomain.com/
</VirtualHost>
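<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    # Pin the protocol versions to match the nginx example; otherwise the
    # distro's global default applies. +TLSv1.3 needs a recent httpd 2.4 built
    # against OpenSSL 1.1.1 or newer — drop it on older builds.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Security headers (needs mod_headers: "a2enmod headers").
    # "always" makes them apply to error responses as well as successes.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # Current browsers no longer ship the XSS auditor and "1; mode=block" has
    # been implicated in information leaks in older ones; "0" disables it.
    Header always set X-XSS-Protection "0"
    # Same policy as the nginx example so both servers behave alike; note that
    # 'unsafe-inline' / 'unsafe-eval' undo most of script-src's value.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com;"
    # "preload" is hard to undo; keep it only once the domain is submitted.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    # Method allow-list. "Deny from all" is the Apache 2.2 form and only works
    # on 2.4 when mod_access_compat is loaded; "Require" is the 2.4 form.
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</VirtualHost>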
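# Install ModSecurity for Apache / Nginx
sudo apt install -y libapache2-mod-security2   # Apache
# Nginx: the package name varies by distro, and on many the ModSecurity-nginx
# connector has to be built against the installed nginx — check your repo.
sudo apt install -y nginx-module-security      # Nginx
# Install the OWASP Core Rule Set.
# Clone a tagged release rather than the moving default branch, so the rule
# set you reviewed is the one you deploy; compare it against the checksum or
# signature published with that release before enabling it. Writing under
# /etc needs root, and git requires the target directory to be empty.
CRS_VERSION="<release-tag>"   # placeholder — pick a tagged CRS release
sudo git clone --depth 1 --branch "$CRS_VERSION" https://github.com/coreruleset/coreruleset /etc/nginx/modsec/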
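# Nginx rate limiting.
# limit_req_zone belongs in the http{} context and the location{} below inside
# a server{} block — they cannot sit at the same level as written here.
# $binary_remote_addr is the TCP peer address: behind a load balancer or CDN
# every client shares one address and the limit applies to all of them
# together. Key on the forwarded client IP instead, but only when that header
# is set by a proxy you control.
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
location /api/ {
    limit_req zone=api_limit burst=20 nodelay;
    # Default rejection status is 503, which monitoring cannot tell apart from
    # an outage; 429 tells clients and dashboards what actually happened.
    limit_req_status 429;
    limit_req_log_level warn;
    # ... other configuration ...
}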
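# Harden sshd.
# The stock sshd_config ships these keywords commented out (for example
# "#PermitRootLogin prohibit-password"), so a sed that matches only the literal
# "PermitRootLogin yes" changes nothing and root login stays as it was.
# On releases whose sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf"
# the drop-in files are read first and sshd keeps the first value it sees —
# check them too, or put these settings in a drop-in of your own.
#
# set_sshd_option replaces an existing or commented-out line in place and
# appends the keyword when it is absent.
# Arguments: $1 - sshd_config keyword, $2 - value
set_sshd_option() {
  local key=$1 value=$2
  local cfg=/etc/ssh/sshd_config
  if sudo grep -qE "^#?[[:space:]]*${key}[[:space:]]" "$cfg"; then
    sudo sed -i -E "s|^#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$cfg"
  else
    printf '%s %s\n' "$key" "$value" | sudo tee -a "$cfg" >/dev/null
  fi
}

# Disable root SSH login
set_sshd_option PermitRootLogin no
# Key-only authentication. Confirm a key login works for your user *before*
# this step, and keep the current session open until the restart succeeds.
set_sshd_option PasswordAuthentication no
# Restrict SSH to one account from one source address (user@host pattern)
set_sshd_option AllowUsers 'youruser@your.ip.address'
# Validate before restarting: with a syntax error sshd refuses to start, and
# restarting it then locks you out of a remote machine.
sudo sshd -t && sudo systemctl restart sshd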
# Ship logs to ELK with Filebeat
# The filebeat package comes from Elastic's own apt repository, which has to be
# added (with its signing key) first on a stock Debian/Ubuntu.
sudo apt install filebeat
# Enables the module definitions; each module's log paths still need checking
# against where nginx/apache actually write on this host.
sudo filebeat modules enable system nginx apache
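# Filebeat output configuration (filebeat.yml).
# "hosts" must be indented under output.elasticsearch; at the same indent as
# the original it parses as an unrelated top-level key and the output section
# is left empty.
output.elasticsearch:
  hosts: ["your.elasticsearch.host:9200"]
  # Plain HTTP sends every log line — and any secrets that leak into logs — in
  # clear text and lets anyone on the path read, inject or drop events. Use
  # TLS, pin the CA, and authenticate with a least-privilege user or API key
  # (see the output.elasticsearch reference for the ssl.* and api_key options).
  protocol: "https"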
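# Install Prometheus Node Exporter
# Pin the version and verify the tarball against the sha256sums.txt published
# with the same release; a bare wget + tar runs whatever came back from the
# download. 1.3.1 is this page's example — pick a current release.
NODE_EXPORTER_VERSION=1.3.1
base_url="https://github.com/prometheus/node_exporter/releases/download/v${NODE_EXPORTER_VERSION}"
tarball="node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64.tar.gz"
wget "${base_url}/${tarball}" "${base_url}/sha256sums.txt"
# Feed sha256sum only the line for this tarball; it exits non-zero on mismatch
# (or when the line is missing), which stops a shell running under set -e.
grep -- " ${tarball}\$" sha256sums.txt | sha256sum -c -
tar xzf "$tarball"
# install(1) copies with an explicit mode and root ownership in one step.
sudo install -m 0755 "node_exporter-${NODE_EXPORTER_VERSION}.linux-amd64/node_exporter" /usr/local/bin/node_exporter
# Run it under a dedicated unprivileged user via a systemd unit rather than as
# root; its default collectors generally do not need root.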
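# Daily database backup.
# Credentials come from a root-only options file instead of -p'password': a
# password on the command line is visible to every local user via ps and is
# copied into the crontab and cron's mail. --defaults-extra-file must be the
# first option. /etc/mysql/backup.cnf is a placeholder — create it mode 0600
# with a [client] section holding user= and password= for the backup account.
# umask 077 keeps the dump unreadable by other users; --single-transaction
# gives a consistent snapshot of InnoDB tables without locking them.
# cron runs this under /bin/sh, so the pipeline's status is gzip's: a failed
# mysqldump still leaves a truncated archive. Move it into a script with
# pipefail and a write-then-rename if you need to detect that.
0 3 * * * umask 077; /usr/bin/mysqldump --defaults-extra-file=/etc/mysql/backup.cnf --single-transaction --all-databases | gzip > /backups/mysql/db_$(date +\%Y\%m\%d).sql.gz
# Config backup. The archive contains the TLS private keys referenced by the
# vhosts above, so it gets the same umask and needs a restricted backup location.
0 4 * * * umask 077; tar -czf /backups/config/config_$(date +\%Y\%m\%d).tar.gz /etc/nginx /etc/apache2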
# System audit with Lynis
sudo apt install lynis
# Audits the whole host (services, sshd, kernel parameters, file permissions)
# and prints hardening suggestions; run it after the changes above and keep
# the reports to track drift over time.
sudo lynis audit system
# Vulnerability scanning with OpenVAS / GVM
# Package naming differs between distros (openvas vs gvm) — verify for yours.
sudo apt install openvas
# Initial setup typically syncs the vulnerability feeds and creates the admin
# account, so expect the first run to take a while.
sudo gvm-setup
# OWASP ZAP baseline scan (spider plus passive checks only; it does not send
# attack payloads, so it is safe against a live site but finds less than an
# active scan).
# NOTE: ZAP has since moved its container images to GHCR; check the project
# for the current image name before relying on owasp/zap2docker-stable.
docker run -it owasp/zap2docker-stable zap-baseline.py -t https://yourdomain.com
# Nikto web server scan
# Scanners generate a lot of requests; run them against staging first, and
# exempt their source address from the rate limiting and WAF rules above if
# you want a complete result rather than a blocked scan.
nikto -h yourdomain.com -ssl
通过实施以上措施，您的Linux服务器上的Web接口应用将具备更强的安全性和弹性，能够有效抵御常见攻击并快速从故障中恢复。