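# Linux server hardening reference. Run it step by step, not as one script:
# several commands open an editor or follow a log, and each distro-specific
# line is tagged (Debian/Ubuntu, CentOS/RHEL, Fedora) -- use the ones for your host.

# --- Patch level: refresh the package index and upgrade everything installed ---
sudo apt update && sudo apt upgrade -y   # Debian/Ubuntu
sudo yum update -y                       # CentOS/RHEL 7 and older
sudo dnf upgrade -y                      # Fedora / RHEL 8+

# --- Automatic security updates ---
sudo apt install unattended-upgrades             # Debian/Ubuntu
sudo dpkg-reconfigure -plow unattended-upgrades  # -plow: actually asks the enable question
sudo dnf install dnf-automatic                   # RHEL 8+/Fedora equivalent
# dnf-automatic only downloads by default; set apply_updates = yes in
# /etc/dnf/automatic.conf before enabling the timer.
sudo systemctl enable --now dnf-automatic.timer

# --- Accounts with an empty password hash (field 2 of /etc/shadow) ---
# Print only the account name; there is no need to echo the other shadow fields.
sudo awk -F: '($2 == "") {print $1}' /etc/shadow
# Every account with UID 0 is a root-equivalent; only "root" should appear.
awk -F: '($3 == 0) {print $1}' /etc/passwd

# --- Password complexity (pam_pwquality) ---
sudo apt install libpam-pwquality   # Debian/Ubuntu
sudo yum install libpwquality       # CentOS/RHEL: pam_pwquality.so ships in libpwquality (usually preinstalled)
# Edit the policy, e.g.:
sudo nano /etc/security/pwquality.conf
# minlen = 12
# minclass = 3
# maxrepeat = 3

# --- Password ageing ---
sudo nano /etc/login.defs
# PASS_MAX_DAYS 90
# PASS_MIN_DAYS 7
# PASS_WARN_AGE 14
# login.defs only affects accounts created afterwards; apply the same limits
# to existing accounts with chage (-M max days, -m min days, -W warn days).
sudo chage -M 90 -m 7 -W 14 "<username>"

# --- Lock accounts that are not needed ---
# Placeholder is quoted so the shell does not parse <...> as a redirection.
sudo passwd -l "<username>"

# --- SSH daemon configuration ---
sudo nano /etc/ssh/sshd_config
# Recommended settings: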
Port 2222 # 更改默认端口(需同时在防火墙放行该端口,见下文防火墙配置)
PermitRootLogin no # 禁止root直接登录
PasswordAuthentication no # 禁用密码认证,仅用密钥(请先为相关账户部署公钥并验证密钥登录可用,再禁用密码,否则会被锁在服务器之外)
MaxAuthTries 3 # 最大尝试次数
ClientAliveInterval 300 # 超时设置
ClientAliveCountMax 2
AllowUsers user1 user2 # 只允许特定用户登录
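# --- Validate the SSH config BEFORE restarting: a typo otherwise leaves a
# daemon that will not start and no way back in over SSH ---
sudo sshd -t && sudo systemctl restart sshd
# Keep the current session open and test a fresh login on the new port first.
# NOTE(review): Debian/Ubuntu name the unit ssh.service (sshd is an alias);
# on Ubuntu releases that use ssh.socket the listening port is taken from the
# socket unit, not from sshd_config -- confirm for your release before
# relying on Port 2222.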
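# --- UFW (Ubuntu): set the policy and open SSH *before* enabling, otherwise
# the remote session you are working from is cut off the moment
# default-deny takes effect ---
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp   # must match Port in sshd_config ("ufw limit 2222/tcp" also rate-limits brute force)
sudo ufw allow 80/tcp     # HTTP
sudo ufw allow 443/tcp    # HTTPS
sudo ufw enable
sudo ufw status verbose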
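# --- firewalld (CentOS/RHEL) ---
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --add-port=2222/tcp   # must match Port in sshd_config
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
# The default zone still allows the "ssh" service (port 22); remove it only
# once a login on 2222 has been verified:
# sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload
sudo firewall-cmd --list-all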
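# --- File permission audit. Run as root so every directory is readable;
# -xdev stays on one filesystem so /proc, /sys and network mounts are skipped
# (rerun per mount point if /home or /var are separate filesystems) ---
sudo find / -xdev -type f -perm /o+w -exec ls -l {} +                  # world-writable files
sudo find / -xdev -type d -perm /o+w ! -perm -1000 -exec ls -ld {} +   # world-writable dirs without the sticky bit (/tmp-style dirs are expected)

# --- Sensitive files ---
# /etc/shadow modes differ by distro (Debian/Ubuntu: 0640 root:shadow so the
# setgid-shadow auth helpers can read it; RHEL: 0000). Strip "other" access
# instead of forcing 0600, which loosens RHEL and can break Debian helpers.
sudo chmod o-rwx /etc/shadow
sudo chmod 644 /etc/passwd
# authorized_keys in every home: find runs as root so no home is skipped and a
# no-match does not leave a literal glob behind. sshd StrictModes also requires
# ~/.ssh to be 0700 and owned by the user.
sudo find /home -mindepth 3 -maxdepth 3 -path '*/.ssh/authorized_keys' -type f -exec chmod 600 {} +
sudo find /home -mindepth 2 -maxdepth 2 -name .ssh -type d -exec chmod 700 {} +

# --- SUID/SGID binaries (compare against a known-good baseline) ---
sudo find / -xdev -type f -perm /6000 -exec ls -l {} +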
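# --- File integrity monitoring (AIDE) ---
sudo apt install aide   # Debian/Ubuntu
sudo yum install aide   # CentOS/RHEL
# Initialise the baseline database. aideinit is a Debian wrapper; on RHEL run
# aide --init and move the new database into place by hand.
sudo aideinit                                                                        # Debian/Ubuntu
sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz   # CentOS/RHEL
# Compare the live system against the baseline; schedule this (cron/timer) and
# re-initialise after intentional changes such as package updates.
sudo aide --check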
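# --- System logs ---
sudo tail -f /var/log/syslog     # Debian/Ubuntu
sudo tail -f /var/log/messages   # CentOS/RHEL
# --- Authentication logs (failed logins, sudo use) ---
sudo tail -f /var/log/auth.log   # Debian/Ubuntu
sudo tail -f /var/log/secure     # CentOS/RHEL
# On journald-only hosts without rsyslog these files may not exist; use
# "sudo journalctl -f" or "sudo journalctl -u sshd" instead.
# --- Daily log summaries (logwatch) ---
sudo apt install logwatch   # Debian/Ubuntu
sudo yum install logwatch   # CentOS/RHEL
sudo nano /etc/logwatch/conf/logwatch.conf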
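# --- fail2ban: ban sources that repeatedly fail authentication ---
sudo apt install fail2ban   # Debian/Ubuntu
sudo yum install fail2ban   # CentOS/RHEL (EPEL)
# Override only the values you change. Copying the whole jail.conf into
# jail.local freezes every upstream default, so later package versions can
# no longer update them.
sudo tee /etc/fail2ban/jail.local >/dev/null <<'EOF'
[DEFAULT]
bantime  = 1h
maxretry = 3
findtime = 1h

[sshd]
enabled = true
# Must match Port in sshd_config; otherwise bans only cover port 22.
port = 2222
EOF
sudo systemctl enable --now fail2ban
sudo fail2ban-client status sshd   # confirm the jail is active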
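# --- Kernel network hardening via sysctl. A drop-in under /etc/sysctl.d is
# reproducible and survives package updates, unlike hand edits to
# /etc/sysctl.conf; "default.*" keys cover interfaces created later. ---
sudo tee /etc/sysctl.d/99-hardening.conf >/dev/null <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
kernel.randomize_va_space = 2
# kernel.exec-shield = 1 is a legacy Red Hat (RHEL 5/6) key that does not exist
# on current kernels; keeping it makes sysctl fail with "No such file or
# directory", so it stays commented out.
# kernel.exec-shield = 1
EOF
# Apply every drop-in now ("sysctl -p" alone reads only /etc/sysctl.conf).
sudo sysctl --system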
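# --- Services: review what is running and what starts at boot, then disable
# what the host does not need ---
sudo systemctl list-units --type=service --state=running
sudo systemctl list-unit-files --type=service --state=enabled
# Stop and disable in one step; the placeholder is quoted so the shell does
# not parse <...> as a redirection.
sudo systemctl disable --now "<service-name>"
# Typical candidates on a server: bluetooth, cups, avahi-daemon, rpcbind
# (check what depends on a unit first: systemctl list-dependencies --reverse "<service-name>").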
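# --- Security audit with Lynis ---
sudo apt install lynis   # Debian/Ubuntu
sudo yum install lynis   # CentOS/RHEL (EPEL)
sudo lynis audit system

# --- Compliance scan with OpenSCAP ---
sudo apt install openscap-scanner                         # Debian/Ubuntu
sudo yum install openscap-scanner scap-security-guide     # CentOS/RHEL: scap-security-guide provides the ssg-*-ds.xml content
# Profile ids change between scap-security-guide releases (the STIG profile
# has been renamed over time); list what this datastream actually offers first.
sudo oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
# Evaluate, keeping machine-readable results and an HTML report for review
# (written to the current directory, not a predictable /tmp path).
sudo oscap xccdf eval --profile stig-rhel7-server \
  --results ./ssg-results.xml --report ./ssg-report.html \
  /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml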
通过以上命令行工具的配置和使用,您可以显著提高Linux服务器的安全性。请根据您的具体环境和需求调整这些配置,并定期审查安全设置以应对新的威胁。