
Linux服务器安全性:为Web接口应用程序提供最佳保护。


Linux服务器Web接口应用程序安全加固指南

1. 系统层面安全配置

1.1 最小化安装与更新

# Keep the system patched. Run this regularly (or automate it, e.g. with
# unattended-upgrades on Debian/Ubuntu, dnf-automatic on RHEL-family).
sudo apt update && sudo apt upgrade -y  # Debian/Ubuntu
sudo yum update -y                     # CentOS/RHEL (on RHEL 8+ yum is a dnf compatibility alias)

# Remove packages nothing depends on any more — smaller attack surface, fewer things to patch.
# --purge also drops their leftover config files.
sudo apt autoremove --purge
sudo yum autoremove

1.2 防火墙配置

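# UFW (Ubuntu). Add the rules FIRST and enable LAST: the original ran `ufw enable`
# before any allow rule, which drops a remote SSH session the moment the firewall
# comes up.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh       # opens 22/tcp only. If sshd is moved to another port
                         # (section 1.3 uses 2222), allow that port here BEFORE
                         # restarting sshd or you lock yourself out:
                         #   sudo ufw allow 2222/tcp
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
sudo ufw status verbose  # verify the rule set before logging out

# firewalld (CentOS/RHEL). The "ssh" service definition is port 22; a custom
# sshd port must be opened explicitly, e.g.
#   sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload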

1.3 SSH安全

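# Edit the SSH daemon configuration
sudo nano /etc/ssh/sshd_config

# Recommended settings:
Port 2222                       # non-default port. Open it in the firewall (section 1.2)
                                # BEFORE restarting sshd. On RHEL with SELinux enforcing
                                # the port must also be labelled:
                                #   sudo semanage port -a -t ssh_port_t -p tcp 2222
                                # NOTE(review): on distributions where sshd is socket-
                                # activated (recent Ubuntu) the listen port lives on the
                                # systemd socket unit, not here — check `systemctl status ssh.socket`.
PermitRootLogin no              # no direct root logins; use a normal user + sudo
PubkeyAuthentication yes
PasswordAuthentication no       # keys only ...
KbdInteractiveAuthentication no # ... and also close the PAM keyboard-interactive path,
                                # which can still prompt for a password when only
                                # PasswordAuthentication is off (older OpenSSH: ChallengeResponseAuthentication no)
MaxAuthTries 3                  # auth attempts per connection
ClientAliveInterval 300         # keepalive probe every 5 minutes ...
ClientAliveCountMax 2           # ... drop the session after 2 unanswered probes
AllowUsers your_username        # allow-list of accounts that may log in at all

# Validate the file before restarting — a typo would leave sshd unable to start
sudo sshd -t

# Restart, then test a NEW login from a second terminal while keeping this
# session open, so a mistake can still be reverted.
sudo systemctl restart sshd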

2. Web服务器安全配置

2.1 Nginx安全配置示例

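server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;   # plain HTTP only redirects to HTTPS
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    # TLS
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # A complete list: the original ended in a "..." placeholder, which nginx
    # rejects at startup as an unparsable cipher string. All entries are AEAD
    # with ECDHE key exchange (forward secrecy). TLS 1.3 suites are not
    # controlled by this directive.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers. `always` also sends them on 4xx/5xx responses (by
    # default add_header applies only to 2xx/3xx). Beware: any location block
    # that defines its own add_header inherits NONE of these — repeat them there.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # 'unsafe-inline' and 'unsafe-eval' in script-src (as in the original) let
    # any injected script execute, which defeats the point of CSP against XSS.
    # Allow legitimate inline scripts with nonces or hashes instead.
    # frame-ancestors is the CSP successor of X-Frame-Options; object-src and
    # base-uri close the plugin and <base>-hijacking bypasses.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
    # Keep `preload` only if you will submit the domain to the HSTS preload
    # list: it commits every subdomain to HTTPS and is very hard to withdraw.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    # X-XSS-Protection is deliberately omitted: current browsers ignore it, and
    # the legacy auditor it controlled could itself be abused to break pages.

    # Hide the nginx version in the Server header and error pages
    server_tokens off;
    # Cap request bodies (uploads, JSON) so a client cannot exhaust memory/disk
    client_max_body_size 10M;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The backend only ever sees plain HTTP from this proxy; it needs this
        # to know the client used HTTPS (secure session cookies, absolute redirects).
        proxy_set_header X-Forwarded-Proto $scheme;

        # Only the methods the API uses; anything else gets 403.
        # HEAD is implicitly allowed together with GET.
        limit_except GET POST PUT DELETE {
            deny all;
        }
    }

    # Dotfiles (.env, .git, .htaccess, ...) except ACME's /.well-known
    location ~ /\.(?!well-known) {
        deny all;
    }
    # Dumps, backups, configs and editor leftovers that may land in the web root
    location ~* \.(log|sql|conf|ini|bak|swp)$ {
        deny all;
    }
}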

2.2 Apache安全配置示例

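<VirtualHost *:80>
    ServerName yourdomain.com
    Redirect permanent / https://yourdomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName yourdomain.com

    # TLS (mod_ssl). Allow-list the protocols instead of subtracting old ones:
    # "-SSLv2" is a no-op on current OpenSSL and a subtract list must be
    # extended every time another version is deprecated.
    # TLSv1.3 needs Apache 2.4.37+ built against OpenSSL 1.1.1+.
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Complete list — the original "..." placeholder is not a valid cipher string.
    # All entries are ECDHE (forward secrecy) with AEAD ciphers.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    # Security headers (mod_headers). "always" also covers error responses.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # Same policy as the nginx example, without 'unsafe-inline'/'unsafe-eval'
    # (those let any injected script run). Use nonces/hashes for inline code.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'; base-uri 'self'; frame-ancestors 'self';"
    # Keep `preload` only if you will submit the domain to the HSTS preload list;
    # it commits every subdomain to HTTPS and is very hard to withdraw.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    # X-XSS-Protection deliberately omitted: ignored by current browsers, and
    # the legacy auditor it controlled could be abused to break pages.

    # ServerSignature hides the version in generated pages; "ServerTokens Prod"
    # does the same for the Server header but is server-wide and must go in the
    # main config, not in a VirtualHost.
    ServerSignature Off
    # TRACE reflects the request (incl. headers) back to the client
    TraceEnable Off

    <Directory /var/www/html>
        # No directory listings
        Options -Indexes
        # Ignore .htaccess: config stays in one place and Apache skips the
        # per-request lookups
        AllowOverride None
        Require all granted

        # Apache 2.4 authorization. The original used the 2.2 directive
        # "Deny from all" next to 2.4's "Require": that only works when
        # mod_access_compat is loaded and is a config error otherwise.
        <LimitExcept GET POST PUT DELETE>
            Require all denied
        </LimitExcept>
    </Directory>

    # Dumps, backups, configs and editor leftovers that may land in the web root
    <FilesMatch "\.(log|sql|conf|ini|bak|swp)$">
        Require all denied
    </FilesMatch>
</VirtualHost>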

3. 应用程序安全

3.1 输入验证与过滤

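# Python example - Flask
from flask import Flask, request, abort
import re

app = Flask(__name__)

# Allow-list: 3-20 characters from [A-Za-z0-9_-]. Compiled once at import time.
# Used with fullmatch() so the WHOLE value must match: the original
# re.match(r'^...$', s) still accepted "alice\n", because `$` also matches
# just before a trailing newline.
USERNAME_RE = re.compile(r'[a-zA-Z0-9_-]{3,20}')


@app.route('/api/user', methods=['POST'])
def create_user():
    """Create a user from a form POST.

    Aborts with HTTP 400 unless the ``username`` form field is present and
    matches USERNAME_RE exactly. The creation logic itself is not part of
    this excerpt; a real handler must return a response.
    """
    username = request.form.get('username')

    # Input validation: reject anything outside the allow-listed charset/length
    if not username or not USERNAME_RE.fullmatch(username):
        abort(400, description="Invalid username")

    # processing logic...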

3.2 防止SQL注入

# Parameterised query: the driver binds the values, so user input never becomes SQL.
# NOTE(review): this compares the password as a stored column value — passwords should
# be kept as salted hashes (bcrypt/argon2); look the row up by username only and verify
# the hash in application code.
cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))

3.3 会话安全

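// Express.js example
const session = require('express-session');
const helmet = require('helmet');

// Sensible security headers (CSP, HSTS, nosniff, frameguard, ...) in one call
app.use(helmet());

// This app runs behind the nginx/Apache reverse proxy of section 2 and only
// sees plain HTTP on localhost:3000. Without trust proxy, express-session
// treats every request as insecure and silently refuses to set a cookie
// marked `secure: true`, so nobody can log in. The proxy must forward
// X-Forwarded-Proto for this to work.
app.set('trust proxy', 1);

// Never hard-code the signing secret: anyone who reads the source (or the
// repo) can forge session cookies. Load it from the environment and refuse
// to start without it rather than fall back to a weak default.
const sessionSecret = process.env.SESSION_SECRET;
if (!sessionSecret) {
    throw new Error('SESSION_SECRET is not set');
}

app.use(session({
    secret: sessionSecret,
    resave: false,
    saveUninitialized: false,
    cookie: {
        secure: true, // only sent over HTTPS
        httpOnly: true, // not readable from script — limits what XSS can steal
        sameSite: 'strict', // never attached to cross-site requests (CSRF)
        maxAge: 24 * 60 * 60 * 1000 // 24 hours
    }
}));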

4. 监控与日志

4.1 日志配置

# Log rotation: keeps the disk from filling and bounds how long sensitive log data lingers
sudo nano /etc/logrotate.d/yourapp

# Example /etc/logrotate.d/yourapp (logrotate comments must start a line;
# no trailing comments after directives)
/var/log/yourapp/*.log {
    # rotate once a day, keep 30 generations
    daily
    missingok
    rotate 30
    # compress the previous generation, not the one the app may still hold open
    compress
    delaycompress
    notifempty
    # new file is root:adm 0640 — not world-readable, logs often leak internals.
    # NOTE(review): if yourapp runs as an unprivileged service user it cannot
    # write to a root-owned 0640 file; use that user as the owner here.
    create 640 root adm
    # run postrotate once for all matched files, so the app reopens its logs
    sharedscripts
    postrotate
        systemctl reload yourapp > /dev/null
    endscript
}

4.2 入侵检测

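# Install fail2ban
sudo apt install fail2ban

# Local settings go in jail.local: it is read after jail.conf and survives
# package upgrades, which may overwrite jail.conf. Copying the whole file works;
# a jail.local holding only the jails you change is easier to keep current.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit the configuration
sudo nano /etc/fail2ban/jail.local

# After editing: start now and on every boot (the original never started the
# service). Reload with `sudo systemctl reload fail2ban` after later changes.
sudo systemctl enable --now fail2ban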

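# Web application protection.
# NOTE: the nginx-http-auth filter only matches HTTP Basic-auth failures that
# nginx itself logs. Failed logins of the application behind the proxy (the
# app on localhost:3000) are not seen here — they need their own filter
# matching the application's log format.
[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
logpath  = /var/log/nginx/error.log
maxretry = 3
bantime  = 86400

# SSH brute force. The jail bans on port 22 by default; if sshd listens on
# another port (section 1.3 uses 2222) set it here, otherwise the ban rules
# block the wrong port and attempts keep getting through.
[sshd]
enabled = true
port    = 2222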

5. 定期安全维护

5.1 自动化安全扫描

# Lynis: host-level configuration audit. Run as root for full coverage and work
# through the "Warnings" and "Suggestions" sections of its report.
sudo apt install lynis
sudo lynis audit system

# OpenVAS / GVM: network vulnerability scanner. gvm-setup initialises the
# databases and downloads the vulnerability feeds (large and slow).
# NOTE(review): package names differ between distributions — confirm for yours.
sudo apt install openvas
sudo gvm-setup

5.2 备份策略

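#!/bin/bash
# Example backup script: dumps all MySQL databases and archives the web root,
# then prunes its own archives older than 7 days.
# (The shebang must be the first line of the file; the original put a comment above it.)

# Abort on any failure — including mysqldump failing inside the gzip pipeline,
# which the original silently turned into an empty "successful" backup.
set -euo pipefail
# New files are readable by the owner only: backups contain credentials and user data
umask 077

DATE=$(date +%Y-%m-%d)
BACKUP_DIR="/backups"
MYSQL_USER="backup_user"
# Do NOT pass the password on the command line (-p$MYSQL_PASS): it is visible to
# every local user in `ps`. Put it in a client options file, mode 0600, e.g.
#   [client]
#   password=...
MYSQL_CNF="/root/.backup.cnf"

# Create the backup directory if missing, owner-only
install -d -m 700 "$BACKUP_DIR"

# Database dump; --single-transaction takes a consistent InnoDB snapshot
# without locking the tables for the duration of the dump
mysqldump --defaults-extra-file="$MYSQL_CNF" --user="$MYSQL_USER" \
    --single-transaction --all-databases \
    | gzip > "$BACKUP_DIR/db_$DATE.sql.gz"

# Application files
tar -czf "$BACKUP_DIR/app_$DATE.tar.gz" /var/www/html

# Retention: 7 days. Match only the archives this script writes — the original
# `find $BACKUP_DIR -type f -mtime +7 -delete` removed anything else stored there too.
find "$BACKUP_DIR" -maxdepth 1 -type f \( -name 'db_*.sql.gz' -o -name 'app_*.tar.gz' \) -mtime +7 -delete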

6. 应急响应计划

  1. 识别事件:监控异常活动,如异常登录、高CPU使用率等
  2. 遏制影响:隔离受影响的系统,轮换所有可能已泄露的凭据(密码、SSH密钥、会话密钥、API令牌),并使现有会话失效
  3. 消除威胁:修补漏洞,移除恶意代码
  4. 恢复服务:从干净备份恢复,验证系统完整性
  5. 事后分析:记录事件原因和响应过程,改进防御措施

通过实施以上措施,您可以显著提高Linux服务器上Web接口应用程序的安全性。请记住,安全是一个持续的过程,需要定期审查和更新安全策略。