LNMP (Linux + Nginx + MySQL + PHP) 是一种常见的Web服务器架构组合。为了确保LNMP环境的安全性,以下是一份全面的安全设置指南:
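# 定期更新系统
sudo apt update && sudo apt upgrade -y # Debian/Ubuntu
sudo yum update -y # CentOS/RHEL
# 创建专用web服务用户
# -r: system account (no aging, no home dir); nologin shell so the account cannot be used interactively.
sudo useradd -r -s /sbin/nologin webuser
# 禁用root SSH登录
# Match the directive whether it is active or still the commented-out distro default
# (e.g. "#PermitRootLogin prohibit-password"). The original pattern only matched a
# literal "PermitRootLogin yes" and otherwise silently changed nothing.
sudo sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
# sshd uses the first matching directive, and drop-ins under sshd_config.d (where present)
# are included before the main file; confirm the effective value rather than trusting the edit.
sudo sshd -T | grep -i permitrootlogin
# Validate the config before restarting: a syntax error would leave sshd down and the admin locked out.
sudo sshd -t && sudo systemctl restart sshd
# 启用防火墙(UFW示例)
# Allow SSH first so enabling the firewall does not cut off the session doing the setup.
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw deny 3306 # 禁止外部访问MySQL (defence in depth; bind-address in my.cnf is the primary control)
sudo ufw enable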
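# 隐藏Nginx版本号
server_tokens off;
# 限制HTTP方法
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 405;
}
# 禁用不必要的HTTP头
# more_clear_headers comes from the third-party headers-more module; a stock nginx build
# without it rejects the directive ("unknown directive") and fails to start.
more_clear_headers 'Server';
more_clear_headers 'X-Powered-By';
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
# Pinning secp384r1 alone left out the faster, universally supported X25519 and P-256
# with no security gain; list them in preference order instead.
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Stapling needs a `resolver` directive (to reach the OCSP responder) and, for
# ssl_stapling_verify, `ssl_trusted_certificate` with the issuer chain; without them nginx
# logs a warning and serves no stapled response, so the two lines below are a no-op.
ssl_stapling on;
ssl_stapling_verify on;
# `always` sends the headers on error responses (4xx/5xx) as well. add_header is not
# inherited into any server/location block that sets its own add_header, so the whole set
# must be repeated there.
# 防止点击劫持
add_header X-Frame-Options "SAMEORIGIN" always;
# The XSS auditor header is obsolete (dropped by Chromium/Edge, never in Firefox) and the
# "1; mode=block" setting enabled information leaks in older browsers; "0" disables the
# auditor explicitly. The CSP below is the actual control.
add_header X-XSS-Protection "0" always;
# 内容安全策略(CSP)
# 'unsafe-inline' and 'unsafe-eval' in script-src let injected scripts execute, which
# removes most of the XSS protection CSP is meant to give; move to nonces or hashes as
# soon as the application allows it.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com; img-src 'self' data: https://*.example.com;" always;
# 防止MIME类型混淆
add_header X-Content-Type-Options "nosniff" always;
# Not set here: Strict-Transport-Security. Add it only once every host (and subdomain, if
# includeSubDomains is used) is served over HTTPS, because browsers then refuse plain HTTP
# for the whole max-age window.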
# 运行安全安装脚本
# Interactive helper shipped with the server: it typically prompts to set the root
# password, remove anonymous accounts, disallow remote root login and drop the test
# database. Answer each prompt; it is not suitable for unattended runs as written.
sudo mysql_secure_installation
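# 创建专用数据库用户
-- <STRONG_RANDOM_PASSWORD> is a placeholder: generate a unique secret for every deployment.
-- The example value from a public guide must never be used as-is, and the statement may
-- end up in shell/client history files, so prefer entering it in an interactive client.
CREATE USER 'webuser'@'localhost' IDENTIFIED BY '<STRONG_RANDOM_PASSWORD>';
-- Least privilege: DML on the application schema only - no DDL, FILE, PROCESS/SUPER or
-- GRANT OPTION, and no access to other schemas. Host part 'localhost' restricts the
-- account to local (socket / loopback) connections.
GRANT SELECT, INSERT, UPDATE, DELETE ON dbname.* TO 'webuser'@'localhost';
-- Account-management statements take effect immediately; the flush is harmless but not required.
FLUSH PRIVILEGES;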
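# /etc/mysql/my.cnf 或 /etc/my.cnf
[mysqld]
# Listen on loopback only. The page grants the application account to 'localhost' and
# firewalls port 3306; binding the listener is the primary control and the firewall rule
# becomes a second layer rather than the only one.
bind-address=127.0.0.1
# Do not resolve client hostnames; accounts must then use IPs or 'localhost'.
skip-name-resolve
# Blocks LOAD DATA LOCAL INFILE, which lets an SQL-injected query read client-side files.
local-infile=0
# Refuse symlinked table files, which could redirect writes outside the data directory.
symbolic-links=0
# Restrict LOAD DATA / SELECT ... INTO OUTFILE to this directory only.
secure-file-priv=/var/lib/mysql-files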
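; Command execution and URL/ini introspection helpers that a web application rarely needs;
; once listed here they cannot be re-enabled from script code with ini_set().
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
; Drop the X-Powered-By header and the version banner.
expose_php = Off
; No remote URLs in fopen()/include(): closes the remote-file-inclusion class of bugs.
allow_url_fopen = Off
allow_url_include = Off
; Never render errors (paths, SQL, stack details) to the client; log them instead.
display_errors = Off
log_errors = On
; The pool user (webuser in the [www] pool) must be able to write this file; pre-create
; it with matching ownership or errors are silently lost.
error_log = /var/log/php_errors.log
; Prevents /upload/evil.jpg/x.php from being executed as PHP via path-info tricks.
cgi.fix_pathinfo=0
; Session cookie: not readable by JavaScript, only sent over HTTPS.
session.cookie_httponly = 1
session.cookie_secure = 1
; Reject session IDs that the server did not generate (session fixation).
session.use_strict_mode = 1
; Not sent on cross-site navigations/subrequests (CSRF hardening); requires PHP >= 7.3,
; which matches the 7.4 path used elsewhere in this guide.
session.cookie_samesite = Lax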
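[www]
; Worker processes run as the dedicated account; this is the user that reads/writes
; application files.
user = webuser
group = webuser
; The listen socket must be connectable by the nginx worker user, not by the PHP user.
; With the original owner/group (webuser) and the default 0660 mode, an nginx running as
; www-data gets "permission denied" on every PHP request. www-data is the Debian/Ubuntu
; nginx default and the user in the logrotate rule of this guide; adjust if nginx runs
; as a different account.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35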
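# 设置网站目录权限
# Owner is the PHP-FPM user; the group is the nginx worker user so nginx can read static
# files through the group bits below. With webuser:webuser and 750/640 an nginx running
# as www-data could not read anything. www-data is the Debian/Ubuntu nginx default (and
# the user used in the logrotate rule); substitute your nginx user if it differs.
sudo chown -R webuser:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 750 {} +
sudo find /var/www/html -type f -exec chmod 640 {} +
# 保护配置文件
# mysqld runs as the mysql user and has to be able to read its own configuration: a
# root-owned 0600 file is unreadable to it, so none of the [mysqld] hardening would apply.
sudo chown root:mysql /etc/mysql/my.cnf
sudo chmod 640 /etc/mysql/my.cnf
# php-fpm's master process reads php.ini as root, so 0600 is fine here. (php-cli run by
# other users uses its own php.ini and is unaffected.)
sudo chmod 600 /etc/php/7.4/fpm/php.ini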
# 配置日志轮转
# /etc/logrotate.d/nginx
# Rotate daily and keep 14 generations (about two weeks of access/error logs).
/var/log/nginx/*.log {
daily
missingok
rotate 14
compress
# Compress one cycle late: nginx keeps writing to the renamed file until the reload
# below makes it reopen its logs, so compressing immediately could lose entries.
delaycompress
notifempty
# New files are readable only by the nginx user and the adm group (0640); anything
# looser exposes client IPs and request paths to every local account.
create 0640 www-data adm
# Run postrotate once for all matched files rather than once per file.
sharedscripts
postrotate
/usr/sbin/service nginx reload > /dev/null
endscript
}
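# 安装fail2ban防止暴力破解
# The stock Debian/Ubuntu configuration only enables the sshd jail; the nginx jails
# (e.g. nginx-http-auth, nginx-limit-req) have to be enabled in /etc/fail2ban/jail.local
# for this to cover the web tier at all.
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# 设置自动安全更新
# The reconfigure step writes /etc/apt/apt.conf.d/20auto-upgrades; review
# 50unattended-upgrades afterwards (which origins are allowed, whether automatic reboots
# are acceptable).
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
# 定期检查rootkit
sudo apt install rkhunter chkrootkit
sudo rkhunter --update
# --propupd records the current file properties as the trusted baseline, so it only
# means something on a system known to be clean; re-run it after legitimate package
# upgrades or every later --check will warn about the changed binaries.
sudo rkhunter --propupd
# --check waits for a keypress between sections; add --sk (and --rwo) when it runs from cron.
sudo rkhunter --check
# chkrootkit was installed but never executed in the original; it is a separate scanner
# with its own signatures and should be run as well.
sudo chkrootkit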
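# 数据库备份
# The dumps contain every credential and record on the server and the tarballs contain
# /etc/mysql and /etc/php: keep the target directory and the archives owner-only.
# Run these as root (or chown /backup to the backup account) since the files under
# /var/www/html and /etc/mysql are not world-readable after the permission step above.
sudo install -d -m 700 /backup
umask 077
# Without pipefail a failed mysqldump still lets gzip exit 0, leaving a valid but empty
# .gz file and no error; --single-transaction gives a consistent snapshot of InnoDB
# tables without locking them (MyISAM tables are still dumped but not snapshotted).
set -o pipefail
mysqldump -u root -p --single-transaction --all-databases | gzip > /backup/mysql_$(date +%Y%m%d).sql.gz
# 网站文件备份
tar -czvf /backup/website_$(date +%Y%m%d).tar.gz /var/www/html
# 配置备份
tar -czvf /backup/config_$(date +%Y%m%d).tar.gz /etc/nginx /etc/mysql /etc/php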
通过实施以上安全措施,您的LNMP环境将具备更强的安全防护能力。请记住,安全是一个持续的过程,需要定期审查和更新安全配置。