如何保证Linux服务器的安全.docx

1、如何保证Linux服务器的安全如何保证Linux服务器的安全很少见有人马上为一台新安装的服务器做安全措施，然而我们生活所在的这个社会使得这件事情是必要的。不过为什么仍旧这么多人把它拖在最后？我也做过相同的事，这通常可以归结为我们想要马上去折腾那些有趣的东西。希望这篇文章将向大家展示，确保服务器安全没有你想得那样难。在攻击开始后，俯瞰你的“堡垒”，也相当享受。这篇文章为 Ubuntu 12.04.2 LTS 而写，你也可以在任何其他 Linux 分发版上做相同的事情。我从哪儿开始？如果服务器已经有了一个公有IP，你会希望立即锁定 root 访问。事实上，你得锁定整个ssh访问，并确保只有你可以访

2、问。增加一个新用户，把它加入admin组（在/etc/sudoers预配置以拥有sudo访问权限）。1234567891011121314151617181920212223$ sudo addgroup adminAdding group admin (GID 1001)Done. $ sudo adduser spenserjAdding user spenserj .Adding new group spenserj (1002) .Adding new user spenserj (1001) with group spenserj .Creating home directory /

3、home/spenserj .Copying files from /etc/skel .Enter new UNIX password:Retype new UNIX password:passwd: password updated successfullyChanging the user information for spenserjEnter the new value, or press ENTER for the default Full Name : Spenser Jones Room Number : Work Phone : Home Phone : Other :Is

4、 the information correct? Y/n y $ sudo usermod -a -G admin spenserj你也将希望在你电脑上创建一个私有key，并且在服务器上禁用讨厌的密码验证。12$ mkdir /.ssh$ echo ssh-rsa your public key /.ssh/authorized_keys/etc/ssh/sshd_config1234PermitRootLogin noPermitEmptyPasswords noPasswordAuthentication noAllowUsers spenserj重新加载SSH，使用修改生效，之后尝试在

5、一个新会话中登陆来确保所有事情正常工作。如果你不能登陆，你将仍然拥有你的原始会话来做修改。123$ sudo service ssh restartssh stop/waitingssh start/running, process 1599更新服务器既然你是访问服务器的唯一用户，你就不用担心黑客鬼鬼祟祟进入，再次正常呼吸。当有一些针对你服务器的更新时，正是修补的机会，所以动手吧，就现在。12345678910111213141516171819202122232425262728293031323334$ sudo apt-get update.Hit precise-updates/uni

6、verse Translation-en_CAHit precise-updates/universe Translation-enHit precise-backports/main Translation-enHit precise-backports/multiverse Translation-enHit precise-backports/restricted Translation-enHit precise-backports/universe Translation-enFetched 3,285 kB in 5s (573 kB/s)Reading package lists

7、. Done $ sudo apt-get upgradeReading package lists. DoneBuilding dependency treeReading state information. DoneThe following packages have been kept back: linux-headers-generic-lts-quantal linux-image-generic-lts-quantalThe following packages will be upgraded: accountsservice apport apt apt-transpor

8、t-https apt-utils aptitude bash .73 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.Need to get 61.0 MB of archives.After this operation, 151 kB of additional disk space will be used.Do you want to continue Y/n? Y.Setting up libisc83 (1:9.8.1.dfsg.P1-4ubuntu0.6) .Setting up libdns81 (1:9

9、.8.1.dfsg.P1-4ubuntu0.6) .Setting up libisccc80 (1:9.8.1.dfsg.P1-4ubuntu0.6) .Setting up libisccfg82 (1:9.8.1.dfsg.P1-4ubuntu0.6) .Setting up libbind9-80 (1:9.8.1.dfsg.P1-4ubuntu0.6) .Setting up liblwres80 (1:9.8.1.dfsg.P1-4ubuntu0.6) .Setting up bind9-host (1:9.8.1.dfsg.P1-4ubuntu0.6) .Setting up d

10、nsutils (1:9.8.1.dfsg.P1-4ubuntu0.6) .Setting up iptables (1.4.12-1ubuntu5) . 安装防火墙安装现在正最流行的防火墙软件？好，行动吧。那就配置一个防火墙。之后你总是可以增加另一个异常，几分钟额外的工作并不会折腾死你。Iptables在Ubuntu里预装了，所以去设置一些规则吧。1$ sudo mkdir /etc/iptables/etc/iptables/rules123456789101112131415161718192021222324252627282930313233*filter:INPUT DROP 0:

11、0:FORWARD DROP 0:0:OUTPUT DROP 0:0 # Accept any related or established connections-I INPUT 1 -m state -state RELATED,ESTABLISHED -j ACCEPT-I OUTPUT 1 -m state -state RELATED,ESTABLISHED -j ACCEPT # Allow all traffic on the loopback interface-A INPUT -i lo -j ACCEPT-A OUTPUT -o lo -j ACCEPT # Allow o

12、utbound DHCP request - Some hosts (Linode) automatically assign the primary IP#-A OUTPUT -p udp -dport 67:68 -sport 67:68 -j ACCEPT # Outbound DNS lookups-A OUTPUT -o eth0 -p udp -m udp -dport 53 -j ACCEPT # Outbound PING requests-A OUTPUT -p icmp -j ACCEPT # Outbound Network Time Protocol (NTP) req

13、uest-A OUTPUT -p udp -dport 123 -sport 123 -j ACCEPT # SSH-A INPUT -i eth0 -p tcp -m tcp -dport 22 -m state -state NEW -j ACCEPT # Outbound HTTP-A OUTPUT -o eth0 -p tcp -m tcp -dport 80 -m state -state NEW -j ACCEPT-A OUTPUT -o eth0 -p tcp -m tcp -dport 443 -m state -state NEW -j ACCEPT COMMIT通过 ipt

14、ables-apply 命令为规则集生效。如果你丢失连接，修补你的规则，在继续之前再试一下1234$ sudo iptables-apply /etc/iptables/rulesApplying new ruleset. done.Can you establish NEW connections to the machine? (y/N) y. then my job is done. See you next time.创建文件 /etc/network/if-pre-up.d/iptables，然后写入下面内容。当你启动服务器的时候，将自动载入你的iptables规则。/etc/net

15、work/if-pre-up.d/iptables12#!/bin/shiptables-restore /etc/iptables/rules现在给它执行权限，执行文件，以确保它正常载入12$ sudo chmod +x /etc/network/if-pre-up.d/iptables$ sudo /etc/network/if-pre-up.d/iptables 用 Fail2ban 处理潜在黑客当谈到安全的时，Fail2ban 是我最喜欢的工具之一，它将监控你的日志文件，并且可以临时禁止那些正在滥用你资源，或者正在强制肆虐你的SSH连接，或者正在dos攻击你web服务器的用户。Inst

16、all Fail2ban12345678910111213141516$ sudo apt-get install fail2bansudo password for sjones:Reading package lists. DoneBuilding dependency treeReading state information. DoneThe following extra packages will be installed: gamin libgamin0 python-central python-gamin python-support whoisSuggested packa

17、ges: mailxThe following NEW packages will be installed: fail2ban gamin libgamin0 python-central python-gamin python-support whois0 upgraded, 7 newly installed, 0 to remove and 2 not upgraded.Need to get 254 kB of archives.After this operation, 1,381 kB of additional disk space will be used.Do you wa

18、nt to continue Y/n? y.虽然 Fail2ban 安装一个默认配置(/etc/fail2ban/jail.conf)，但我们希望在 /etc/fail2ban/jail.local 写配置，所以把它拷贝到那儿。1sudo cp /etc/fail2ban/jail.conf,local 配置把 ignoreip 行修改为你的ip，并且可以设置禁止恶意用户的时间量(默认是10分钟)。你也将希望设置一个destemail，这里我通常输入我自已的email地址，再在后面加上 ,fail2banblocklist.de。BlockList.de 是一个跟踪并且自动报告黑客IP的系统。

19、/etc/fail2ban/jail.local1234567891011121314151617DEFAULT # ignoreip can be an IP address, a CIDR mask or a DNS hostignoreip = 127.0.0.1/8bantime = 600maxretry = 3 # backend specifies the backend used to get files modification. Available# options are gamin, polling and auto.# yoh: For some reason Deb

20、ian shipped python-gamin didnt work as expected# This issue left ToDo, so polling is default backend for nowbackend = auto # Destination email address used solely for the interpolations in# jail.conf,local configuration files.destemail = rootlocalhost,fail2banblocklist.de这有一些其他的你想检查的配置，尽管缺省配置已经相当不错了

21、，所以，快速浏览这些，直到你读到Actions章节。 ActionsActions 允许你对恶意行为作出反应，然而当我们想要它禁止和发邮件的时候，默认是禁用了 iptables。值得感谢的是，有一个预配置文件 action_wml，它恰恰是做这个的。/etc/fail2ban/jail.local1234# Choose default action. To change, just override value of action with the# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl

22、, etc) in jail.local# globally (section DEFAULT) or per specific sectionaction = %(action_mwl)s Jails 监控为了让Fail2ban工作，需要了解要监控哪些东西。这些已在Jails部分的配置文件，并且这有一些预载入而未启用的例子。既然到目前为止，你仅仅在服务器上启用了SSH访问，那我们就只启用SSH和SSH-DDos 监控，然而你还是会想给安装在这台服务器上的公共访问服务增加新的监控。/etc/fail2ban/jail.local123456789101112sshenabled = truep

23、ort = sshfilter = sshdlogpath = /var/log/auth.logmaxretry = 6ssh-ddosenabled = trueport = sshfilter = sshd-ddoslogpath = /var/log/auth.logmaxretry = 6 让变化生效既然我们已经配置了Fail2ban，你将希望重新载入它，并且确保向iptables增加了合适的规则。1234567891011121314151617$ sudo service fail2ban restart * Restarting authentication failure m

24、onitor fail2ban .done. $ sudo iptables -LChain INPUT (policy DROP)target prot opt source destinationfail2ban-ssh-ddos tcp - anywhere anywhere multiport dports sshfail2ban-ssh tcp - anywhere anywhere multiport dports ssh.Chain fail2ban-ssh (1 references)target prot opt source destinationRETURN all -

25、anywhere anywhere Chain fail2ban-ssh-ddos (1 references)target prot opt source destinationRETURN all - anywhere anywhere在任何时间，你都可以使用sudo iptables -L 来列出你的规则，随后列出所有当前禁止的 IP。此时，Fail2ban正在处理两个恶意的用户。Banned IPs12DROP all - 204.50.33.22 anywhereDROP all - 195.128.126.114 anywhere 保持最新更新你可能现在拥有一个已经锁定并且准备投入使用的服务器，然而这并不是你安全之旅的终点。保持最新更新(并且总是首先在非产品环境下测试)，总是关闭你不需要的端口，定期检查你的日志，并且由内而外了解你的服务器。