Linux服务器安全加固命令行指南

作为IT工程师，我将为您提供一套全面的Linux服务器安全加固命令行方案，帮助您提升系统安全性。

1. 系统更新与补丁管理

# 更新软件包列表
sudo apt update && sudo apt upgrade -y  # Debian/Ubuntu
sudo yum update -y                      # CentOS/RHEL
sudo dnf upgrade -y                     # Fedora

# 自动安全更新 (Debian/Ubuntu)
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# 自动安全更新 (CentOS/RHEL)
sudo yum install yum-cron -y
sudo systemctl enable --now yum-cron

2. 用户账户安全

# 检查空密码账户
sudo awk -F: '($2 == "") {print $1}' /etc/shadow

# 强制密码复杂度要求 (Debian/Ubuntu)
sudo apt install libpam-pwquality
sudo nano /etc/security/pwquality.conf
# 修改以下参数:
# minlen = 12
# minclass = 3
# maxrepeat = 3
# reject_username = yes

# 设置密码过期策略
sudo chage -M 90 -m 7 -W 14 root
sudo chage -M 90 -m 7 -W 14 [username]

# 禁用root SSH登录
sudo sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

# 创建新用户并授予sudo权限
sudo adduser newuser
sudo usermod -aG sudo newuser  # Debian/Ubuntu
sudo usermod -aG wheel newuser # CentOS/RHEL

3. SSH安全配置

# 更改SSH默认端口
sudo sed -i 's/^#Port 22/Port 2222/' /etc/ssh/sshd_config

# 禁用密码认证，仅允许密钥登录
sudo sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config

# 限制SSH访问IP
echo "sshd: 192.168.1.0/24" | sudo tee -a /etc/hosts.allow
echo "sshd: ALL" | sudo tee -a /etc/hosts.deny

# 启用SSH双因素认证
sudo apt install libpam-google-authenticator -y
google-authenticator
# 编辑/etc/pam.d/sshd添加:
# auth required pam_google_authenticator.so
# 编辑/etc/ssh/sshd_config设置:
# ChallengeResponseAuthentication yes
sudo systemctl restart sshd

4. 防火墙配置

# UFW (Debian/Ubuntu)
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp  # 替换为你的SSH端口
sudo ufw allow http
sudo ufw allow https

# firewalld (CentOS/RHEL)
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

# 查看防火墙状态
sudo ufw status verbose    # UFW
sudo firewall-cmd --list-all # firewalld

5. 文件系统安全

# 检查SUID/SGID文件
sudo find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

# 检查无属主文件
sudo find / -nouser -o -nogroup

# 设置重要文件权限
sudo chmod 600 /etc/shadow
sudo chmod 644 /etc/passwd
sudo chmod 600 /etc/ssh/sshd_config

# 安装并配置AIDE (文件完整性检查)
sudo apt install aide -y  # Debian/Ubuntu
sudo yum install aide -y # CentOS/RHEL
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# 设置每日检查
sudo crontab -e
# 添加: 0 5 * * * /usr/bin/aide --check

6. 服务与进程安全

# 禁用不必要的服务
sudo systemctl list-unit-files --type=service | grep enabled
sudo systemctl disable [unnecessary_service]

# 检查监听端口
sudo netstat -tulnp
sudo ss -tulnp

# 安装和配置fail2ban
sudo apt install fail2ban -y  # Debian/Ubuntu
sudo yum install fail2ban -y  # CentOS/RHEL
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo systemctl enable --now fail2ban

7. 日志监控

# 配置日志轮转
sudo nano /etc/logrotate.conf

# 安装和配置logwatch
sudo apt install logwatch -y  # Debian/Ubuntu
sudo yum install logwatch -y  # CentOS/RHEL
sudo nano /etc/logwatch/conf/logwatch.conf

# 实时监控日志
sudo tail -f /var/log/auth.log   # Debian/Ubuntu
sudo tail -f /var/log/secure     # CentOS/RHEL

8. 内核安全加固

# 安装和配置sysctl安全参数
sudo nano /etc/sysctl.conf
# 添加以下内容:
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
kernel.exec-shield=1
kernel.randomize_va_space=2
sudo sysctl -p

# 安装和配置AppArmor/SELinux
# AppArmor (Debian/Ubuntu)
sudo systemctl enable --now apparmor
sudo aa-status

# SELinux (CentOS/RHEL)
sudo setenforce 1
sudo sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config

9. 定期安全审计

# 使用Lynis进行安全审计
sudo apt install lynis -y  # Debian/Ubuntu
sudo yum install lynis -y  # CentOS/RHEL
sudo lynis audit system

# 使用rkhunter检查rootkit
sudo apt install rkhunter -y
sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check

10. 备份策略

# 设置自动备份
sudo crontab -e
# 添加 (示例):
0 2 * * * tar -zcvf /backups/$(hostname)-$(date +\%Y\%m\%d).tar.gz /etc /home /var/www

# 检查备份
ls -lh /backups/

通过实施以上措施，您的Linux服务器将显著提高安全性。建议定期复查这些设置并根据需要进行调整，以应对新的安全威胁。