/boot - 1GB (ext4)
/ - 10-20GB (ext4/XFS)
/var - 单独分区 (日志和可变数据;若空间允许,/var/log 与 /var/tmp 也可再单独分区并加 nodev,nosuid)
/tmp - 单独分区 (nodev,nosuid,noexec)
/home - 单独分区 (如果适用;建议 nodev,nosuid)
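# Set the hostname
hostnamectl set-hostname secure-server
# Bring the system fully up to date before hardening anything
apt update && apt upgrade -y   # Debian/Ubuntu
dnf upgrade -y                 # RHEL/CentOS 8+ (RHEL/CentOS 7: yum update -y)
# Install the basic security tooling
apt install fail2ban rkhunter chkrootkit unattended-upgrades -y   # Debian/Ubuntu
# RHEL/CentOS: fail2ban and rkhunter live in EPEL (dnf install epel-release first);
# unattended-upgrades is Debian-only, see the dnf-automatic section below.
# fail2ban's sshd jail bans on "port = ssh" (22). This guide moves sshd to 2222 later,
# so tell the jail about it or the bans will never cover the real port:
cat > /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled = true
port    = 2222
EOF
systemctl enable --now fail2ban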
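# Create the administrative account FIRST and confirm it can sudo,
# so that disabling root over SSH cannot lock you out of the box.
useradd -m -s /bin/bash admin
passwd admin
usermod -aG sudo admin    # Debian/Ubuntu
usermod -aG wheel admin   # RHEL/CentOS
# Disable root SSH login. The stock sshd_config ships the directive commented out
# (e.g. "#PermitRootLogin prohibit-password"), so a pattern anchored on
# "PermitRootLogin yes" matches nothing and silently changes nothing.
# Match the commented/any-value form instead.
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
# Drop-in files are Include'd before the main file on OpenSSH 8.x+ (Ubuntu 22.04+ uses them),
# so a drop-in can override this line. Check them, validate syntax, then confirm the
# effective value before restarting.
grep -rn PermitRootLogin /etc/ssh/sshd_config.d/ 2>/dev/null
sshd -t && sshd -T | grep -i permitrootlogin
systemctl restart ssh 2>/dev/null || systemctl restart sshd   # service is "ssh" on Debian, "sshd" on RHEL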
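# Password policy
apt install libpam-pwquality -y   # Debian/Ubuntu (pam-auth-update wires the module into common-password)
dnf install libpwquality -y       # RHEL/CentOS (ships pam_pwquality.so; normally already present)
# Prefer putting the thresholds in /etc/security/pwquality.conf: both distros read it, and it
# survives pam-auth-update / authselect regenerating the PAM stack (a hand-edited
# common-password or system-auth line can be duplicated or overwritten by those tools).
cat > /etc/security/pwquality.conf <<'EOF'
minlen = 12
difok = 3
ucredit = -1
lcredit = -1
dcredit = -1
ocredit = -1
# By default root is only warned, not blocked, when setting a weak password
enforce_for_root
EOF
# If you do edit /etc/pam.d/common-password (Debian) or /etc/pam.d/system-auth (RHEL) by hand,
# the equivalent single line is:
# password requisite pam_pwquality.so retry=3 minlen=12 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
# Note: with SSH password authentication disabled (below), this policy mainly governs
# console logins and the sudo password.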
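# sudo logging and timeout. Never append to /etc/sudoers with echo: a single syntax error
# makes *every* sudo invocation fail, with no root SSH left to repair it. Write a drop-in under
# /etc/sudoers.d/ and validate it with visudo before it takes effect.
cat > /etc/sudoers.d/90-hardening <<'EOF'
Defaults logfile=/var/log/sudo.log
# Session I/O recording (default directory /var/log/sudo-io). This captures everything typed in the
# session, including any password or token pasted into it, so treat that directory as sensitive.
Defaults log_input,log_output
# Re-prompt for the password after 5 minutes of inactivity
Defaults timestamp_timeout=5
# Run commands in a fresh pseudo-terminal so a backgrounded process cannot inject into the caller's tty
Defaults use_pty
EOF
chmod 440 /etc/sudoers.d/90-hardening
# visudo -c parses the file without installing it; remove it if it does not parse
visudo -cf /etc/sudoers.d/90-hardening || rm -f /etc/sudoers.d/90-hardening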
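# Firewall. The guide moves sshd to port 2222 below; open THAT port before restarting sshd,
# otherwise the new port is unreachable and you are locked out. Keep 22 open until a login on
# 2222 has been verified from a second session.
# UFW (Ubuntu)
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp        # temporary: delete once the new port is verified
ufw limit 2222/tcp      # "limit" also rate-limits new connections (6 per 30 s per source)
ufw enable
# Firewalld (RHEL/CentOS)
systemctl enable --now firewalld
firewall-cmd --permanent --add-service=ssh        # port 22, temporary
firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --reload
# RHEL/CentOS with SELinux enforcing: label the new port or sshd will refuse to bind to it
# (semanage comes from policycoreutils-python-utils)
semanage port -a -t ssh_port_t -p tcp 2222
# After confirming "ssh -p 2222 admin@server" works from a NEW session:
#   ufw delete allow 22/tcp
#   firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload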
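# /etc/ssh/sshd_config -- or a drop-in /etc/ssh/sshd_config.d/50-hardening.conf on OpenSSH 8.x+
# (drop-ins are Include'd first, so a value there wins over the main file).
# Comments are kept on their own lines: sshd releases before roughly 8.7 reject trailing
# comments with "garbage at end of line" and refuse to start.
# Non-default port: cuts scanner noise only, it is not a security control.
Port 2222
# Root comes in as admin + sudo, never directly.
PermitRootLogin no
MaxAuthTries 3
# Seconds a client has to finish authenticating.
LoginGraceTime 30
# Probe idle clients every 5 minutes and drop them after 2 missed probes (~10 min).
# Do NOT use ClientAliveCountMax 0: since OpenSSH 8.2 a value of 0 disables the liveness
# check entirely instead of dropping on the first missed probe, i.e. the opposite of the intent.
ClientAliveInterval 300
ClientAliveCountMax 2
# Allow-list: anyone else is refused before authentication.
AllowUsers admin
# Disable only after the key below has been installed AND tested from a new session.
PasswordAuthentication no
# PAM keyboard-interactive is a second password path; close it too.
# On OpenSSH < 8.7 the keyword is ChallengeResponseAuthentication.
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
# "Protocol 2" was dropped from this list: SSHv1 support was removed from sshd in OpenSSH 7.4,
# so the keyword is obsolete and at best ignored.
# Validate, then apply -- keep the current session open and log in from a new one before closing it:
#   sshd -t && systemctl restart sshd      (the service is "ssh" on Debian/Ubuntu)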
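# On the ADMIN WORKSTATION (not the server): generate an Ed25519 key pair. The private key
# never leaves the workstation. -a 100 = 100 KDF rounds protecting the private key at rest;
# set a passphrase when prompted.
ssh-keygen -t ed25519 -a 100 -C "admin@$(hostname)-$(date +%F)"
# Copy the PUBLIC key to the server. This must happen while PasswordAuthentication is still
# enabled, on whichever port sshd currently listens on. Put -p before the host: older
# ssh-copy-id versions stop parsing options at the first non-option argument.
ssh-copy-id -p 2222 -i ~/.ssh/id_ed25519.pub admin@server
# Verify key login from a NEW terminal before disabling password auth or closing the current session
ssh -p 2222 -i ~/.ssh/id_ed25519 admin@server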
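# /etc/sysctl.d/99-hardening.conf -- preferred over editing /etc/sysctl.conf: it survives
# package upgrades and is loaded by "sysctl --system" at boot. No trailing comments in this file.
# SYN flood protection
net.ipv4.tcp_syncookies = 1
# Reverse-path filtering (drops packets with spoofed source addresses)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not accept or send ICMP redirects (route manipulation); do not accept source-routed packets
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Log packets with impossible source addresses
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Full ASLR
kernel.randomize_va_space = 2
# Hide kernel pointers and dmesg from unprivileged users (defeats trivial KASLR bypasses)
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
# Restrict symlink/hardlink tricks in world-writable directories; no core dumps from setuid binaries
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.suid_dumpable = 0
# kernel.exec-shield was removed: the key only existed in RHEL 5/6 kernels and makes
# "sysctl -p" print an error on every current distribution.
# Apply everything, including drop-ins (sysctl -p reads only /etc/sysctl.conf)
sysctl --system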
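# Critical file permissions. Fix ownership as well: a mode means nothing if the owner is wrong.
chown root:root /root && chmod 700 /root
chown root:root /etc/passwd && chmod 644 /etc/passwd
# /etc/shadow: do NOT blindly chmod 600 on Debian/Ubuntu. The distro ships it 0640 root:shadow and
# setgid-shadow helpers (unix_chkpwd, used by screen lockers and other non-root PAM clients)
# depend on group read; 0600 breaks them.
chown root:shadow /etc/shadow /etc/gshadow && chmod 640 /etc/shadow /etc/gshadow   # Debian/Ubuntu
chown root:root /etc/shadow /etc/gshadow && chmod 000 /etc/shadow /etc/gshadow     # RHEL/CentOS (distro default)
# SSH host keys: private keys root-only, public keys world-readable.
# RHEL 8/9 ships the private keys 0640 root:ssh_keys for ssh-keysign; 0600 is fine unless
# host-based authentication is in use.
chown root:root /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub
chmod 600 /etc/ssh/ssh_host_*_key
chmod 644 /etc/ssh/ssh_host_*_key.pub
# The daemon config reveals the allow-list and port layout; keep it root-only
chmod 600 /etc/ssh/sshd_config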
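# /etc/fstab mount options. The first field is the filesystem source: for tmpfs it is "tmpfs",
# not the mount point. Always cap the size -- an unbounded tmpfs lets any local user exhaust RAM
# by filling /tmp. Comments stay on their own lines.
tmpfs /tmp     tmpfs defaults,nosuid,nodev,noexec,mode=1777,size=1G 0 0
tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec,size=512M       0 0
# Caveats:
# - noexec on /tmp breaks software that executes from /tmp; some package maintainer scripts on
#   Debian/Ubuntu are a known case. Common workaround, /etc/apt/apt.conf.d/99-tmp-exec:
#     DPkg::Pre-Invoke  {"mount -o remount,exec /tmp";};
#     DPkg::Post-Invoke {"mount -o remount /tmp";};
# - noexec on /dev/shm can break programs that map executable memory there (some JVM and
#   Chromium configurations). Test the workload before rolling this out.
# Apply without rebooting, then confirm the effective options:
#   mount -o remount /tmp && mount -o remount /dev/shm
#   findmnt -o TARGET,OPTIONS /tmp /dev/shm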
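# Install and configure logwatch (daily log digest)
apt install logwatch -y
mkdir -p /etc/logwatch/conf
cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
# In /etc/logwatch/conf/logwatch.conf set MailTo to a mailbox somebody reads and Detail = Med;
# otherwise the daily report lands in root's local mailbox and is never seen.
# Configure rsyslog: /etc/rsyslog.conf or a file in /etc/rsyslog.d/. Comments on their own lines.
# Broadcast emergencies to every logged-in user
*.emerg :omusrmsg:*
# Debian/Ubuntu auth log (distro default)
auth.* /var/log/auth.log
# RHEL/CentOS auth log (distro default)
authpriv.* /var/log/secure
# Ship a copy off-box: an attacker with root can simply edit or truncate the local files.
# @@ = TCP; in production add TLS via the gtls/ossl driver and restrict the collector by source.
# *.* @@logserver.example.com:514
systemctl restart rsyslog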
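# Install AIDE (file-integrity baseline and checker)
apt install aide -y   # Debian/Ubuntu
dnf install aide -y   # RHEL/CentOS
# Initialise the database on a freshly built host that has not yet been exposed:
# a baseline taken after a compromise simply whitelists the attacker's files.
aideinit                                                   # Debian/Ubuntu wrapper
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# RHEL/CentOS: the database is gzip'd and there is no aideinit
# aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Keep a read-only copy of the baseline off the host: root on a compromised box can rewrite it.
# Daily check. Use a cron.d file: "echo ... | crontab -" REPLACES root's entire crontab and
# silently deletes every other job. Route the output to a mailbox that is read; an unread
# integrity report is no check at all. (Debian's aide-common already ships a daily job; keep
# only one of the two.)
cat > /etc/cron.d/aide-check <<'EOF'
MAILTO=security@example.com
0 5 * * * root /usr/bin/aide --check
EOF
# After intentional changes (package upgrades), re-baseline with "aide --update" and move
# aide.db.new(.gz) into place as above; never re-baseline over an unexplained finding.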
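# Automatic security updates
# Debian/Ubuntu
apt install unattended-upgrades -y
# -plow asks the enable question; afterwards /etc/apt/apt.conf.d/20auto-upgrades must contain
# APT::Periodic::Unattended-Upgrade "1"; (the "-security" origin is enabled by default)
dpkg-reconfigure -plow unattended-upgrades
# RHEL/CentOS 8+: yum-cron no longer exists, use dnf-automatic
dnf install dnf-automatic -y
# In /etc/dnf/automatic.conf set apply_updates = yes and upgrade_type = security
systemctl enable --now dnf-automatic.timer
# RHEL/CentOS 7 only
yum install yum-cron -y
systemctl enable --now yum-cron
# Kernel/libc updates still need a reboot to take effect; schedule one (or use
# Unattended-Upgrade::Automatic-Reboot on Debian) rather than assuming the update is live.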
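# Lynis system audit -- read the "Warnings" and "Suggestions" sections of the report,
# the hardening index alone is not actionable
apt install lynis -y
lynis audit system --quick
# rkhunter rootkit scan
# On Debian/Ubuntu the package disables network updates (WEB_CMD="/bin/false" in
# /etc/rkhunter.conf), so --update reports an error by design; signatures come via apt.
# Run --update on RHEL/CentOS (EPEL package), where it is enabled.
rkhunter --update
# --propupd records the current file hashes as the trusted baseline. Only run it on a host you
# have just built and trust, and again after package upgrades -- never after a suspicious finding,
# because that would teach rkhunter to accept the modified files.
rkhunter --propupd
# --sk skips the interactive "press enter" pauses; --rwo reports warnings only (cron-friendly)
rkhunter --check --sk --rwo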
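# Backups with rsync. Note on the original form: writing into a fresh dated directory each day
# makes --delete a no-op and copies everything every time (a full, not incremental, backup).
# --link-dest hard-links files unchanged since the previous snapshot; that is what makes it
# incremental while each dated directory still looks like a complete copy.
apt install rsync -y
# /backup will contain /etc/shadow, SSH host keys, sudoers: root-only
install -d -m 700 -o root -g root /backup
cat > /usr/local/sbin/snapshot-backup <<'EOF'
#!/usr/bin/env bash
# Usage: snapshot-backup <source dir> <name>     e.g. snapshot-backup /etc etc
# Creates /backup/<name>-YYYY-MM-DD holding the CONTENTS of <source dir>, hard-linking
# unchanged files against the most recent previous snapshot of the same name.
set -euo pipefail
src=$1
name=$2
dest="/backup/${name}-$(date +%F)"
# Newest existing snapshot for this name (excluding today's), if any
prev=$(ls -1d "/backup/${name}-"* 2>/dev/null | grep -vxF -- "$dest" | sort | tail -n 1 || true)
rsync -a --delete ${prev:+--link-dest="$prev"} -- "${src}/" "${dest}/"
EOF
chmod 700 /usr/local/sbin/snapshot-backup
/usr/local/sbin/snapshot-backup /etc etc
/usr/local/sbin/snapshot-backup /home home
# Schedule it. A /etc/cron.d file carries the user field, and no command-line date means
# no "%" to escape.
cat > /etc/cron.d/snapshot-backup <<'EOF'
0 2 * * * root /usr/local/sbin/snapshot-backup /etc etc
0 3 * * * root /usr/local/sbin/snapshot-backup /home home
EOF
# A copy on the same disk protects against nothing that takes the disk or the root account with it:
# push snapshots to another host (rsync over ssh, or restic/borg for encryption and retention),
# and rehearse a restore. Old snapshots must also be pruned or /backup eventually fills.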
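# Docker access for the admin account.
# WARNING: membership of the "docker" group is root-equivalent -- any member can run
# "docker run -v /:/host ..." and own the host. This step therefore does NOT achieve
# "run containers as a non-root user"; for that, use rootless Docker
# (docker-ce-rootless-extras, dockerd-rootless-setuptool.sh install) or restrict
# access via sudo rules instead of the group.
groupadd -f docker          # -f: no error if the package already created the group
usermod -aG docker admin    # takes effect at admin's next login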
# 配置Docker守护进程(修改后执行 systemctl restart docker;启用 userns-remap 后 Docker 会切换到新的存储目录,之前的镜像和容器将不可见,需要重新拉取/创建)
# 编辑/etc/docker/daemon.json
{
"userns-remap": "default",
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
},
"live-restore": true,
"no-new-privileges": true
}
通过实施这些最佳实践,您可以显著提高Linux服务器的安全性。请记住,安全是一个持续的过程,需要定期审查和更新您的安全措施。修改 SSH、防火墙或 sudo 配置时,务必保持当前会话不关闭,并在新会话中验证登录和 sudo 仍然可用后再断开;所有步骤应先在测试环境验证,再在生产环境实施。