
Network security hardening tips for a web server on CentOS 7

Published: 2025-04-13

CentOS 7 Web Server Network Security Hardening Guide

Basic system hardening

  1. System updates and patch management

    yum update -y
    yum install yum-cron -y
    # yum-cron only downloads updates by default: set apply_updates = yes in
    # /etc/yum/yum-cron.conf to have it install them. Keep update_cmd = default,
    # because CentOS mirrors do not publish updateinfo metadata and a "security"
    # filter would select nothing.
    systemctl enable yum-cron
    systemctl start yum-cron
    
  2. Disable unnecessary services

    systemctl list-unit-files --state=enabled   # review what is enabled first
    systemctl stop postfix
    systemctl disable postfix
    # Disable other services you do not need the same way. Without a local MTA the
    # output of cron jobs (rkhunter and AIDE below) is no longer mailed anywhere,
    # so redirect it to a log file.
    
  3. Configure the firewall (firewalld)

    systemctl enable firewalld
    systemctl start firewalld
    # Open only the ports you need. The public zone allows the ssh service by
    # default; if you move sshd to another port later, add that port here and
    # remove the ssh service once the new port is confirmed working.
    firewall-cmd --permanent --add-service=http
    firewall-cmd --permanent --add-service=https
    firewall-cmd --permanent --remove-service=dhcpv6-client
    firewall-cmd --reload
    

SSH security configuration

  1. Change the default SSH port

    The stock file carries the line commented out ("#Port 22"), so the pattern matches either form. Under SELinux, sshd may bind nothing but port 22 until the new port is registered (semanage is in policycoreutils-python), and firewalld must allow it as well (firewall-cmd --permanent --add-port=2222/tcp && firewall-cmd --reload, as in the firewall step above).

    sed -i 's/^#\?Port 22/Port 2222/' /etc/ssh/sshd_config
    semanage port -a -t ssh_port_t -p tcp 2222
    
  2. Disable direct root login

    sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
    
  3. Enable key authentication and disable password authentication

    Install your public key first (from your workstation: ssh-copy-id -p 2222 youruser@server), otherwise the next line locks you out. CentOS 7 ships an active "PasswordAuthentication yes" line in addition to a commented one, so a sed that only matches "#PasswordAuthentication yes" edits the comment and leaves password logins enabled; anchor on the optional "#" instead.

    sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
    sed -i 's/^#\?PubkeyAuthentication .*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
    
  4. Restrict SSH access by user and source address

    # Patterns are accepted, e.g. youruser@203.0.113.* for a whole range.
    echo "AllowUsers youruser@your.ip.address" >> /etc/ssh/sshd_config
    
  5. Apply the SSH changes

    sshd -t && systemctl restart sshd
    # Keep this session open and confirm a fresh login works from a second
    # terminal before closing it; a typo in sshd_config otherwise locks you out.
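As an added example that is not part of the original page, here is the same five-step SSH hardening as a script that can be run repeatedly and that respects how sshd actually reads its file: the first value of a keyword wins, and anything after a `Match` line is conditional. The port 2222, the user `deploy` and the source address 203.0.113.10 are illustrative assumptions; the functions take the file path as a parameter, so they can be tried on a copy of /etc/ssh/sshd_config before the real one is touched.

```shell
#!/bin/sh
# Added example (not code from the original page): harden sshd_config the way the
# five SSH steps above intend, idempotently and with sshd's own semantics in mind.
# Port 2222, the user "deploy" and the address 203.0.113.10 are assumptions.

# set_sshd_option FILE KEY VALUE
# Drop every existing KEY line, commented or not (CentOS 7 ships both
# "#PasswordAuthentication yes" and an active "PasswordAuthentication yes", so a
# sed on the commented form alone changes nothing), then write "KEY VALUE" once.
# sshd uses the FIRST value it meets for a keyword, and everything after a
# "Match" line is conditional, so the new line goes before the first Match block.
set_sshd_option() {
    local f="$1" key="$2" value="$3"
    grep -v -E "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$f" > "$f.tmp" || true
    awk -v line="$key $value" '
        !done && /^[[:space:]]*Match[[:space:]]/ { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$f.tmp" > "$f"
    rm -f "$f.tmp"
}

# sshd_effective FILE KEY: the value sshd would use (first active occurrence).
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT USER SOURCE: steps 1 to 4 of the section above.
harden_sshd_config() {
    local f="$1" port="$2" user="$3" source="$4"
    set_sshd_option "$f" Port "$port"
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PubkeyAuthentication yes
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" ChallengeResponseAuthentication no
    set_sshd_option "$f" AllowUsers "${user}@${source}"
}

# sshd_config_audit FILE: 0 only if root login and password auth are both off.
sshd_config_audit() {
    local f="$1" rc=0
    [ "$(sshd_effective "$f" PermitRootLogin)" = no ] \
        || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_effective "$f" PasswordAuthentication)" = no ] \
        || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    return $rc
}

# apply_on_host PORT: the root-only steps that must accompany the file edit on a
# real CentOS 7 host (semanage comes from policycoreutils-python). Only runs when
# the script is invoked with --apply.
apply_on_host() {
    local port="$1"
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    firewall-cmd --permanent --add-port="${port}/tcp"
    firewall-cmd --reload
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd_config /etc/ssh/sshd_config "$port" deploy 203.0.113.10
    # Validate before restarting; keep the current session open and log in from
    # a second terminal before closing it.
    sshd -t && systemctl restart sshd
}

if [ "${1:-}" = "--apply" ]; then
    apply_on_host "${2:-2222}"
fi
```

Run it on the host as `sh harden_sshd.sh --apply 2222`; without `--apply` it only defines the functions. `sshd_effective` mirrors sshd's first-match rule, which is also why the original sed on the commented line was dangerous: the active `PasswordAuthentication yes` earlier in the file would have won even if a `no` had been appended at the end.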
    

Web server security (Apache as the example)

  1. Hide server version information

    echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
    echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
    
  2. Disable directory listings

    The stock httpd.conf enables listings for /var/www/html with "Options Indexes FollowSymLinks"; a listing exposes every file in a directory that has no index page, backups and uploads included.

    sed -i 's/Options Indexes FollowSymLinks/Options -Indexes +FollowSymLinks/' /etc/httpd/conf/httpd.conf
    
  3. Install and configure ModSecurity

    mod_security on its own is the engine with almost no rules; mod_security_crs adds the OWASP Core Rule Set. Start in DetectionOnly mode, review /var/log/httpd/modsec_audit.log for false positives against your application, then switch SecRuleEngine back to On.

    yum install mod_security mod_security_crs -y
    sed -i 's/^SecRuleEngine On/SecRuleEngine DetectionOnly/' /etc/httpd/conf.d/mod_security.conf
    apachectl configtest && systemctl restart httpd
    
  4. Configure HTTP Strict Transport Security (HSTS)

    HSTS needs mod_ssl (yum install mod_ssl) and mod_headers, which CentOS 7 loads by default. Appending the directive to the end of ssl.conf puts it in the server context, where it is sent on every response; that is harmless (browsers ignore HSTS received over plain HTTP) but placing it inside the <VirtualHost _default_:443> block is cleaner. Add "; preload" only once you intend to submit the domain to the browser preload list, because that cannot be undone quickly.

    echo "Header always set Strict-Transport-Security \"max-age=63072000; includeSubDomains\"" >> /etc/httpd/conf.d/ssl.conf
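Added example, not from the original page: a small audit for the directory-listing setting, plus one drop-in file carrying the Apache settings of this section so they are not appended to httpd.conf one echo at a time. The file name hardening.conf, the document root parameter and the extra directives (TraceEnable Off, the nosniff and SAMEORIGIN headers) are my additions; the audit recognises the three spellings that enable listings (`Indexes`, `+Indexes` and `All`).

```shell
#!/bin/sh
# Added example (not code from the original page): audit an Apache config for
# directory listings and write the section's settings as one conf.d drop-in.
# The hardening.conf name and the extra headers are assumptions, not page content.

# audit_apache_indexes FILE...
# Print every "Options" line that turns directory listings on and return 1 if any
# were found. Apache directives are case-insensitive, "All" implies Indexes, and a
# relative "+Indexes" enables it too, so all three forms are caught; "-Indexes"
# (what the page's sed produces) passes.
audit_apache_indexes() {
    awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "indexes" || t == "+indexes" || t == "all" || t == "+all") {
                    print FILENAME ":" FNR ": " $0
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }' "$@"
}

# apache_directive FILE KEY: the last value set for a directive (later directives
# override earlier ones in the same scope), case-insensitive like httpd itself.
apache_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# write_apache_hardening CONFDIR DOCROOT: generate CONFDIR/hardening.conf.
# On a real host CONFDIR is /etc/httpd/conf.d, which httpd.conf includes.
write_apache_hardening() {
    local dir="$1" docroot="$2"
    cat > "$dir/hardening.conf" <<EOF
# Generated hardening drop-in (assumed file name; loaded via conf.d/*.conf)
ServerTokens Prod
ServerSignature Off
TraceEnable Off

<Directory "$docroot">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule mod_headers.c>
    # env=HTTPS limits HSTS to TLS responses. Add "; preload" only once you mean
    # to submit the domain to the preload list; that cannot be undone quickly.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" env=HTTPS
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
EOF
}
```

On the host, run `audit_apache_indexes /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf` before and after the change, then `apachectl configtest` and restart httpd; `curl -I https://host/` should show `Server: Apache` with no version and the HSTS header only on the TLS response.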
    

Database security (MySQL as the example; on CentOS 7 the mysql packages are MariaDB and the same commands apply)

  1. Run the secure-installation script

    mysql_secure_installation
    # Answer yes to: set a root password, remove anonymous users, disallow remote
    # root login, remove the test database, reload privileges. Steps 2 and 3
    # below do the same by hand (mysql -u root -p) if you skipped the script.
    
  2. Disable remote root access

    DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
    FLUSH PRIVILEGES;
    -- If only local applications use the database, also stop it listening on the
    -- network: bind-address = 127.0.0.1 in the [mysqld] section of
    -- /etc/my.cnf.d/server.cnf, then systemctl restart mariadb.
    
  3. Remove the test database

    DROP DATABASE IF EXISTS test;
    -- The default grant row stores the pattern test\_% literally, which is why
    -- the comparison below uses = rather than LIKE.
    DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
    FLUSH PRIVILEGES;
    

File system security

  1. Set appropriate permissions on the web root

    chown -R root:apache /var/www/html/
    chmod -R 750 /var/www/html/
    find /var/www/html/ -type f -exec chmod 640 {} \;
    # Apache only needs to read the site. Directories the application must write
    # (uploads, caches) get "chown apache" and, with SELinux enforcing, the
    # httpd_sys_rw_content_t context (semanage fcontext, then restorecon).
    
  2. Check permissions on sensitive files

    The original advice to chmod 600 /etc/passwd and /etc/group is wrong: both must stay world-readable, or user and group lookups by unprivileged processes (ls, sshd, the web server itself) fail. The hashes live in /etc/shadow and /etc/gshadow, which CentOS 7 ships as mode 000; leave them there (600 is the most you should open them to).

    chmod 644 /etc/passwd /etc/group
    chmod 000 /etc/shadow /etc/gshadow
    chmod 700 /root
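Added example (not the page's code): rather than applying modes blindly, check them against what CentOS 7 ships with, and look for world-writable entries in the web root, the classic landing spot for a web shell. It relies on GNU stat (-c), as on CentOS; the audit_* functions target the real paths and have to run on the host, while the building blocks accept any path.

```shell
#!/bin/sh
# Added example (not code from the original page): check the permission settings
# of this section instead of just applying them. Uses GNU stat -c (CentOS).

# file_mode PATH: permission bits as four octal digits, so that 000 compares as
# "0000" rather than the bare "0" that stat prints.
file_mode() {
    local raw
    raw=$(stat -c '%a' "$1") || return 2
    printf '%04o\n' "0$raw"
}

# check_mode PATH MODE [MODE...]: succeed if the file has one of the allowed modes.
check_mode() {
    local p="$1" have m
    have=$(file_mode "$p") || return 2
    shift
    for m in "$@"; do
        [ "$have" = "$m" ] && return 0
    done
    echo "$p: mode $have, expected one of: $*"
    return 1
}

# check_owner PATH USER GROUP
check_owner() {
    local have
    have=$(stat -c '%U:%G' "$1") || return 2
    [ "$have" = "$2:$3" ] && return 0
    echo "$1: owned by $have, expected $2:$3"
    return 1
}

# world_writable DIR: regular files and directories anyone may write under DIR
# (symlinks are skipped; -xdev stays on one file system).
world_writable() {
    find "$1" -xdev ! -type l -perm -0002 \( -type f -o -type d \) -print
}

# audit_system_files: the stock CentOS 7 modes. /etc/passwd and /etc/group must
# stay 644 or user lookups by unprivileged processes break; /etc/shadow and
# /etc/gshadow ship as 000 (600 is also acceptable); /root ships as 550.
audit_system_files() {
    local rc=0
    check_mode /etc/passwd  0644 || rc=1
    check_mode /etc/group   0644 || rc=1
    check_mode /etc/shadow  0000 0600 || rc=1
    check_mode /etc/gshadow 0000 0600 || rc=1
    check_mode /root        0550 0700 || rc=1
    check_owner /etc/shadow root root || rc=1
    return $rc
}

# audit_webroot DOCROOT: the layout the section sets up (root:apache, 750 on the
# top directory) plus anything world-writable underneath it.
audit_webroot() {
    local root="$1" rc=0 n
    check_owner "$root" root apache || rc=1
    check_mode "$root" 0750 || rc=1
    n=$(world_writable "$root" | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "world-writable entries under $root:"
        world_writable "$root"
        rc=1
    fi
    return $rc
}
```

`audit_system_files && audit_webroot /var/www/html` exits non-zero and names the offending path whenever something drifted, which makes it usable from cron after the daily update run.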
    

Logging and monitoring

  1. Enable and configure auditd

    yum install audit -y
    # The default rule set is empty; watch the files that matter, for example:
    echo "-w /etc/ssh/sshd_config -p wa -k sshd" >> /etc/audit/rules.d/hardening.rules
    echo "-w /var/www/html -p wa -k webroot" >> /etc/audit/rules.d/hardening.rules
    systemctl enable auditd
    systemctl start auditd    # to reload rules later use "service auditd restart"; auditd refuses systemctl restart
    
  2. Configure log rotation

    logrotate is installed by default and runs daily from /etc/cron.daily; httpd ships its own /etc/logrotate.d/httpd. Check the configuration with a dry run rather than reinstalling the package.

    logrotate -d /etc/logrotate.conf
    
  3. Install and configure Fail2Ban

    yum install epel-release -y
    yum install fail2ban -y
    # No jail is enabled out of the box. Enable the sshd jail (the port must match
    # the sshd Port chosen above) in jail.local; never edit jail.conf itself.
    printf '[sshd]\nenabled = true\nport = 2222\nlogpath = /var/log/secure\n' > /etc/fail2ban/jail.local
    systemctl enable fail2ban
    systemctl start fail2ban
    fail2ban-client status sshd    # confirm the jail is running
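Added example, not part of the original page: what the sshd jail actually does, reproduced over a handful of constructed /var/log/secure lines (no real host; addresses are from the documentation ranges), and a jail.local that turns the jail on for the port chosen in the SSH section. fail2ban's own sshd filter also matches `Invalid user` and PAM failure lines; this counter only counts `Failed password` events, so it reports a lower bound of what the jail would see.

```shell
#!/bin/sh
# Added example (not code from the original page): the detection fail2ban's sshd
# jail performs, run by hand over constructed log lines, plus a jail.local.
# Host name, PIDs, addresses and the port are made up for illustration.

# Constructed sample in CentOS 7 /var/log/secure format (not a real capture).
SAMPLE_SECURE_LOG='Apr 13 10:01:02 web1 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Apr 13 10:01:05 web1 sshd[1235]: Failed password for root from 198.51.100.7 port 51240 ssh2
Apr 13 10:01:09 web1 sshd[1236]: Accepted publickey for deploy from 203.0.113.10 port 40000 ssh2: RSA SHA256:0123456789abcdef
Apr 13 10:02:00 web1 sshd[1237]: Failed password for invalid user test from 198.51.100.7 port 51250 ssh2
Apr 13 10:02:30 web1 sshd[1238]: Invalid user oracle from 192.0.2.44 port 33000
Apr 13 10:03:00 web1 sshd[1239]: Failed password for invalid user oracle from 192.0.2.44 port 33000 ssh2
Apr 13 10:03:10 web1 sshd[1240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44  user=root'

# failed_logins_by_ip MAXRETRY < log
# Count "Failed password" events per source address (the word after "from") and
# print "IP COUNT" for every address at or above MAXRETRY, worst offender first.
failed_logins_by_ip() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }' \
    | sort -k2,2nr -k1,1
}

# write_fail2ban_jail DIR PORT: the /etc/fail2ban/jail.local of the step above,
# with the thresholds made explicit. The sshd jail is disabled in the packaged
# jail.conf; port must match the sshd Port you chose. EPEL's fail2ban-firewalld
# drop-in already selects the firewallcmd-ipset ban action.
write_fail2ban_jail() {
    local dir="$1" port="$2"
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port    = $port
logpath = /var/log/secure
EOF
}

# Stand-alone demo: which addresses would be banned with maxretry = 3.
demo() {
    printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_logins_by_ip 3
}

demo
```

On a live host the same function works over the real file (`failed_logins_by_ip 5 < /var/log/secure`) and is a quick way to sanity-check what `fail2ban-client status sshd` reports as banned.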
    

Regular maintenance tasks

  1. Automatic security updates

    On CentOS 7 the --security option is part of yum itself (there is no separate yum-plugin-security package; the original "yum install yum-plugin-security" fails with "No package available"), and CentOS mirrors do not publish the updateinfo metadata it relies on, so "yum update --security" would select nothing. Rely on the yum-cron full update from the first section, or on a repository that ships updateinfo (RHEL, or a mirror that adds it).

    yum check-update    # review what is pending; installation is handled by yum-cron
    
  2. Periodic rootkit checks

    yum install rkhunter -y
    rkhunter --update
    rkhunter --propupd    # records file properties; rerun after every yum update or you get false positives
    echo "0 0 * * * root /usr/bin/rkhunter --cronjob --update --quiet >> /var/log/rkhunter-cron.log 2>&1" >> /etc/crontab
    
  3. Set up AIDE for file integrity checking

    yum install aide -y
    aide --init
    mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    echo "0 5 * * * root /usr/sbin/aide --check >> /var/log/aide/aide-cron.log 2>&1" >> /etc/crontab
    # After every intentional change (yum update, deployment) refresh the baseline:
    #   aide --update && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    

Advanced measures

  1. SELinux configuration

    The original sed only rewrote "SELINUX=permissive", so a host set to "SELINUX=disabled" stayed disabled; match whatever the current value is. Coming from disabled, setenforce 1 fails (no policy is loaded and the file system carries no labels): schedule a relabel and reboot instead.

    sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
    if [ "$(getenforce)" = Disabled ]; then touch /.autorelabel; else setenforce 1; fi
    
  2. Kernel parameter hardening

    Appending with "echo >>" adds a duplicate line every time the script runs; write a drop-in file instead and load it with sysctl --system, which reads /etc/sysctl.d/*.conf as well as /etc/sysctl.conf.

    printf 'net.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.tcp_syncookies = 1\n' > /etc/sysctl.d/99-hardening.conf
    sysctl --system
    
  3. Install and configure ClamAV

    yum install clamav clamav-update clamd -y   # from EPEL (enabled in the Fail2Ban step)
    # Both EPEL config files ship with an "Example" line that makes the program refuse to start
    sed -i '/^Example/d' /etc/freshclam.conf /etc/clamd.d/scan.conf
    sed -i 's|^#LocalSocket /run/clamd.scan/clamd.sock|LocalSocket /run/clamd.scan/clamd.sock|' /etc/clamd.d/scan.conf
    freshclam
    systemctl enable clamd@scan
    systemctl start clamd@scan
    clamscan -ri /var/www/html    # on-demand scan of the web root; -i lists infected files only
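Added example (not from the page): the SELinux and sysctl edits of this section written so that re-running them does not duplicate lines and so that a host currently at SELINUX=disabled is handled. The drop-in name /etc/sysctl.d/99-hardening.conf and the four extra sysctl keys (ICMP redirects, source routing, martian logging) are my additions to the three on the page; every function takes the file path as a parameter so it can be exercised on a copy.

```shell
#!/bin/sh
# Added example (not code from the original page): idempotent SELinux and sysctl
# configuration. The 99-hardening.conf name and the extra keys are assumptions.

# set_selinux_mode CONFIG MODE: rewrite the SELINUX= line whatever it currently
# says (the page's sed missed "disabled"), and print the previous value so the
# caller knows whether a relabel is needed.
set_selinux_mode() {
    local f="$1" mode="$2" prev
    prev=$(sed -n 's/^SELINUX=[[:space:]]*//p' "$f" | tail -n 1)
    if [ -n "$prev" ]; then
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$f" > "$f.tmp"
    else
        { cat "$f"; printf 'SELINUX=%s\n' "$mode"; } > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
    printf '%s\n' "${prev:-unset}"
}

# sysctl_set FILE KEY VALUE: replace an existing "KEY = VALUE" line or append
# one. "echo >> /etc/sysctl.conf" adds a duplicate every time a script re-runs.
sysctl_set() {
    local f="$1" key="$2" value="$3" esc
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')    # dots are literal in the key
    [ -f "$f" ] || : > "$f"
    if grep -q -E "^[[:space:]]*${esc}[[:space:]]*=" "$f"; then
        sed -E "s|^[[:space:]]*${esc}[[:space:]]*=.*|${key} = ${value}|" "$f" > "$f.tmp"
    else
        { cat "$f"; printf '%s = %s\n' "$key" "$value"; } > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# sysctl_value FILE KEY: the value FILE sets for KEY (last one wins), empty if none.
sysctl_value() {
    awk -F '=' -v key="$2" '
        $0 !~ /^[[:space:]]*[#;]/ {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k == key) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        }
        END { print v }' "$1"
}

# sysctl_harden FILE: the three keys from the section plus the usual companions
# for a host that is not a router (no ICMP redirects, no source routing, log
# packets with impossible source addresses).
sysctl_harden() {
    local f="$1"
    sysctl_set "$f" net.ipv4.conf.all.rp_filter 1
    sysctl_set "$f" net.ipv4.conf.default.rp_filter 1
    sysctl_set "$f" net.ipv4.tcp_syncookies 1
    sysctl_set "$f" net.ipv4.conf.all.accept_redirects 0
    sysctl_set "$f" net.ipv4.conf.all.send_redirects 0
    sysctl_set "$f" net.ipv4.conf.all.accept_source_route 0
    sysctl_set "$f" net.ipv4.conf.all.log_martians 1
}

# apply_on_host: root-only. If SELinux was disabled, no policy is loaded and the
# file system is unlabelled, so setenforce 1 fails; schedule a relabel instead.
apply_on_host() {
    local prev
    prev=$(set_selinux_mode /etc/selinux/config enforcing)
    if [ "$prev" = disabled ]; then
        touch /.autorelabel
        echo "SELinux was disabled: reboot to relabel and enter enforcing mode"
    else
        setenforce 1
    fi
    sysctl_harden /etc/sysctl.d/99-hardening.conf
    sysctl --system
}

if [ "${1:-}" = "--apply" ]; then
    apply_on_host
fi
```

After `sh kernel_hardening.sh --apply`, `sysctl net.ipv4.tcp_syncookies` and `getenforce` confirm the runtime state; running the script a second time leaves the files byte-for-byte identical, which is the property the original echo-append lines lacked.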
    

After completing the configuration above, reboot the server so every change takes effect (in particular the SELinux mode and relabel), then test thoroughly: confirm from a second session that SSH logins with your key still work before closing the current one, scan the host from outside (for example with nmap) to verify that only 80, 443 and the SSH port answer, and run the rkhunter and AIDE checks once by hand so the first cron run starts from a clean baseline.