作为IT工程师,我将为您提供一套全面的Linux服务器Web接口安全部署策略,涵盖从系统层面到应用层面的多层次防护措施。
定期执行安全更新:
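# CentOS/RHEL: apply security-classified errata only (older releases need
# the yum-plugin-security package for --security to be recognised)
yum update --security -y
# Ubuntu/Debian: apt-get upgrade has no security-only flag. The original
# `apt-get upgrade --only-upgrade security` is not a security update:
# --only-upgrade belongs to `install`, and "security" is not a package.
# unattended-upgrades restricts itself to the security pocket by default;
# run it once here and enable its timer for ongoing patching.
apt-get update && apt-get install -y unattended-upgrades && unattended-upgrade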
修改 /etc/sysctl.conf:
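# Load with `sysctl -p` (or `sysctl --system`) after editing; the file is
# re-read at boot so the settings persist.

# SYN-flood mitigation: SYN cookies take over once the backlog is full,
# and half-open connections are retried fewer times before being dropped
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

# No packet forwarding and no source-routed packets, for IPv4 AND IPv6
# (the IPv6 keys were missing, leaving the v6 stack unhardened).
# NOTE: Docker, VPN gateways and NAT hosts need forwarding = 1 — keep it
# if this box routes traffic for containers or other networks.
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Anti-spoofing: strict reverse-path filtering, and log packets whose
# source address is impossible on the receiving interface ("martians")
# so spoofing attempts are visible in the kernel log
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# A host that does not route has no use for ICMP redirects in either
# direction; accepting them lets a neighbour rewrite the routing table
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0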
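# Unprivileged service account for the web application: system UID range,
# no interactive shell, no home directory. Guarded on `id` so re-running
# the setup script does not fail with "user already exists".
# (On Debian/Ubuntu nologin is /usr/sbin/nologin; /sbin/nologin resolves
# there only on merged-/usr systems — adjust if the shell is rejected.)
id webuser >/dev/null 2>&1 || useradd -r -M -s /sbin/nologin webuser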
修改 /etc/ssh/sshd_config:
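# Must match the port the firewall rules and the fail2ban jail on this page
# allow (2222). sshd listens on 22 unless told otherwise, and a firewall that
# only opens 2222 would then block every SSH login. Check the file with
# `sshd -t` and keep an existing session open while restarting sshd.
Port 2222
# No direct root logins; administer via an unprivileged account and sudo
PermitRootLogin no
# Once key-based login is confirmed working, also turn off passwords:
# PasswordAuthentication no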
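#!/usr/bin/env bash
# Rebuild the INPUT firewall for a standalone web host.
# ACCEPT rules are installed BEFORE the DROP policy: the original set the
# policy to DROP first, so a run interrupted between the policy and the
# SSH rule, or a typo in the SSH port, cut off the remote session.
set -euo pipefail

# Must match `Port` in sshd_config and the fail2ban jail
SSH_PORT=${SSH_PORT:-2222}

# Open up while the table is rebuilt, then start from a clean filter table
# (-F flushes rules, -X also removes left-over user chains)
iptables -P INPUT ACCEPT
iptables -F
iptables -X

# Loopback and replies to connections this host initiated
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection are dropped before any
# service rule can match them
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Services: SSH (change SSH_PORT to your port), HTTP, HTTPS — new
# connections only, everything else is covered by the ESTABLISHED rule
iptables -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

# Default policies last, once the allow list is in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# NOTE: this covers IPv4 only. A host with a global IPv6 address exposes
# every service unfiltered over v6 until an equivalent ip6tables rule set
# (which must also allow ipv6-icmp) is applied.

# Persist the rules. `service iptables save` exists only where the
# iptables-services package is installed (CentOS/RHEL); Debian/Ubuntu use
# the iptables-persistent package and netfilter-persistent instead.
if command -v netfilter-persistent >/dev/null 2>&1; then
  netfilter-persistent save
else
  service iptables save
fi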
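# Install. On CentOS/RHEL fail2ban is in EPEL, so that repository has to be
# enabled first; -y keeps both steps non-interactive for provisioning scripts.
yum install -y epel-release && yum install -y fail2ban   # CentOS/RHEL
apt-get install -y fail2ban                              # Ubuntu/Debian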
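# Example jail override (/etc/fail2ban/jail.local). jail.conf is replaced
# on package upgrades, so site settings belong in jail.local.
[sshd]
enabled = true
# Must match `Port` in sshd_config and the firewall rule
port = 2222
filter = sshd
# The original hard-coded /var/log/secure, which only exists on CentOS/RHEL;
# on Debian/Ubuntu the auth log is /var/log/auth.log and the jail would fail
# to start. %(sshd_log)s resolves to the right file per distribution and
# %(sshd_backend)s reads the journal on systemd hosts.
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# 3 failed logins within findtime (seconds) → ban for bantime (seconds)
maxretry = 3
findtime = 600
bantime = 3600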
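# Rate-limit state table. Must be declared in the http {} context before the
# server blocks that reference the zone (the original placed it after the
# server block, where it is only valid if the whole snippet sits inside
# http {}). Keyed by client address, 10 MB of state, 10 requests/second.
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

# The original served the API and its Basic-auth credentials on plain HTTP
# (credentials are only base64-encoded) and set Strict-Transport-Security,
# which browsers ignore on non-TLS responses. Port 80 now only redirects.
server {
    listen 80;
    server_name api.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    # TODO: replace these placeholders with the real certificate chain and key
    ssl_certificate     /etc/nginx/ssl/api.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/api.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Reject methods the API does not implement. (`if` in server context is
    # evaluated for every request; use limit_except inside a location when
    # the allowed set differs per path.)
    if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE)$ ) {
        return 405;
    }

    # Drop the nginx version from the Server header and error pages
    server_tokens off;

    # Security headers. `always` emits them on 4xx/5xx responses as well;
    # without it nginx only adds headers to 2xx/3xx responses, which is
    # why the original set it on HSTS but not the others.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header kept for old browsers; the CSP below is what current
    # browsers enforce
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Refuse oversized request bodies before they reach the backend
    client_max_body_size 1m;

    location /api/ {
        # Up to 20 requests above the zone's 10 r/s are served immediately;
        # beyond that nginx answers 503 (override with limit_req_status)
        limit_req zone=api_limit burst=20 nodelay;

        # NOTE: an add_header here would REPLACE the server-level headers
        # above rather than extend them — keep the header list at server level.

        auth_basic "Restricted API";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # `backend` must be defined by an upstream {} block (not shown)
        proxy_pass http://backend;
    }
}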
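# ServerTokens is a server-config-only directive; inside <VirtualHost> (where
# the original put it) httpd refuses to start. ServerSignature is kept next
# to it so the banner settings live in one place.
ServerTokens Prod
ServerSignature Off

# Basic-auth credentials are only base64-encoded, so the API is served over
# TLS only; port 80 just redirects.
<VirtualHost *:80>
    ServerName api.example.com
    Redirect permanent / https://api.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName api.example.com

    SSLEngine on
    # TODO: replace these placeholders with the real certificate chain and key
    SSLCertificateFile    /etc/apache2/ssl/api.example.com.fullchain.pem
    SSLCertificateKeyFile /etc/apache2/ssl/api.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Only the methods the API implements. Apache 2.4 syntax: the original
    # mixed 2.2 "Deny from" with 2.4 "Require valid-user", which only works
    # with mod_access_compat loaded.
    <LimitExcept GET POST PUT DELETE>
        Require all denied
    </LimitExcept>

    # Security headers; "always" also covers error responses. HSTS was
    # present in the nginx variant but missing here.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Content-Security-Policy "default-src 'self'"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    <Location "/api/">
        AuthType Basic
        AuthName "Restricted API"
        AuthUserFile /etc/apache2/.htpasswd

        # Requests with an empty User-Agent are flagged and refused together
        # with the credential check (RequireAll: both conditions must hold)
        SetEnvIfNoCase User-Agent "^$" bad_bot
        <RequireAll>
            Require valid-user
            Require not env bad_bot
        </RequireAll>

        # The original captured X-Forwarded-For into an env var that nothing
        # used. That header is client-supplied and spoofable: derive the
        # client address from it only through mod_remoteip (RemoteIPHeader
        # plus RemoteIPInternalProxy limited to your own proxies). This block
        # does not rate-limit by itself — compare limit_req in the nginx config.
    </Location>
</VirtualHost>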
使用ModSecurity(开源WAF):
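# Install the Apache module (package names differ per distribution)
yum install -y mod_security                   # CentOS/RHEL
apt-get install -y libapache2-mod-security2   # Ubuntu/Debian

# Core Rule Set. The original cloned the default branch, so every new
# deployment picked up whatever was at HEAD; pin a release tag and review
# the diff on upgrade — these rules execute in the request path.
CRS_TAG=${CRS_TAG:?set to the CRS release tag to deploy}
git clone --depth 1 --branch "$CRS_TAG" \
  https://github.com/coreruleset/coreruleset /etc/modsecurity/crs/
# CRS ships its settings as an example file that has to be copied to be read
cp /etc/modsecurity/crs/crs-setup.conf.example /etc/modsecurity/crs/crs-setup.conf
# Then include /etc/modsecurity/crs/crs-setup.conf and
# /etc/modsecurity/crs/rules/*.conf from the ModSecurity config. The
# recommended modsecurity.conf starts with `SecRuleEngine DetectionOnly`;
# switch to `SecRuleEngine On` only after checking the audit log for
# false positives against the real API traffic.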
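# Forward all logs to the central server. A single "@" (as in the original)
# is UDP: unacknowledged, so events are silently lost when the collector is
# down, and unencrypted on the wire. "@@" uses TCP; the queue directives
# (which apply to the action that follows them) spool events to disk while
# the collector is unreachable instead of dropping them. For encryption in
# transit use the omfwd module with the gtls stream driver (rsyslog-gnutls).
$ActionQueueType LinkedList
$ActionQueueFileName fwd_central
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.* @@logs.example.com:514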
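# Install the host IDS. These package names are not in the default CentOS or
# Ubuntu repositories (they come from a third-party OSSEC repository such as
# Atomicorp's, or from the upstream installer) — add that source and its
# signing key first, otherwise both commands fail with "no package".
# -y keeps the step non-interactive for provisioning.
yum install -y ossec-hids-server   # CentOS/RHEL
apt-get install -y ossec-hids      # Ubuntu/Debian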
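# System audit with Lynis. The original fetched the tarball and ran it as
# root without checking what it had downloaded; verify the archive against
# the SHA-256 published on cisofy.com first (or install the distribution
# package / the CISOfy repository instead of a manual download). 3.0.0 is
# the version this page used — take the current release.
LYNIS_VERSION=${LYNIS_VERSION:-3.0.0}
LYNIS_SHA256=${LYNIS_SHA256:?set to the SHA-256 published for this release}
wget "https://downloads.cisofy.com/lynis/lynis-${LYNIS_VERSION}.tar.gz"
printf '%s  lynis-%s.tar.gz\n' "$LYNIS_SHA256" "$LYNIS_VERSION" | sha256sum -c - || exit 1
tar xzf "lynis-${LYNIS_VERSION}.tar.gz"
# The archive unpacks into ./lynis; stop if it did not
cd lynis || exit 1
./lynis audit system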
通过实施以上多层次的安全策略,可以显著提升Linux服务器上Web接口的安全性,有效防御常见网络攻击,同时保持系统的可用性和性能。