Ubuntu是使用最广泛的Linux发行版之一。本文以Ubuntu 22.04为例，介绍从系统安装到安全加固的完整流程。
▶▶▶一、初始安全配置
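# Create the administrative user (adduser prompts for the password interactively)
adduser admin
usermod -aG sudo admin
# Prepare the SSH key directory for *admin*, not for the user running these commands:
# the original `mkdir -p ~/.ssh` run as root creates /root/.ssh and admin never gets a key
install -d -m 700 -o admin -g admin /home/admin/.ssh
# authorized_keys must be 600 and owned by admin; paste the public key into it and
# log in once with the key BEFORE password authentication is switched off below
touch /home/admin/.ssh/authorized_keys
chmod 600 /home/admin/.ssh/authorized_keys
chown admin:admin /home/admin/.ssh/authorized_keys
# SSH hardening: Port / PermitRootLogin / PasswordAuthentication are sshd_config
# directives, not shell commands. Ubuntu 22.04's sshd_config includes
# /etc/ssh/sshd_config.d/*.conf, so a drop-in keeps the packaged file untouched
cat > /etc/ssh/sshd_config.d/99-hardening.conf << 'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF
# Syntax-check the effective configuration before restarting; fix any reported error first.
# Keep the current session open and allow 2222/tcp in the firewall (next section) before
# you rely on the new port
sshd -t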
systemctl restart ssh
▶▶▶二、UFW防火墙配置
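# Default policy: drop unsolicited inbound, allow outbound
ufw default deny incoming
ufw default allow outgoing
# SSH was moved to 2222 in the previous section. `limit` allows the port like `allow`
# but additionally rate-limits new connections per source (ufw's default is 6 in 30 s),
# which blunts password/key guessing before fail2ban even sees it
ufw limit 2222/tcp comment 'SSH管理端口'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'
# Make sure blocked packets are logged; with rsyslog's ufw rule they land in /var/log/ufw.log,
# which the fail2ban section later reads
ufw logging on
# `ufw enable` asks "may disrupt existing ssh connections, proceed?" — --force answers it,
# which is safe here because the 2222 rule above is already in place
ufw --force enable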
ufw status verbose
▶▶▶三、AppArmor强制访问控制
AppArmor通过配置文件定义程序可以访问的资源:
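# Install the helper tools first so every later command is available
# (aa-status ships with the base apparmor package; aa-complain/aa-enforce/aa-genprof
# come from apparmor-utils)
apt install -y apparmor-utils
# Show which profiles are loaded and whether they are in enforce or complain mode
aa-status
# Profiles live here; many are shipped by packages
ls /etc/apparmor.d/
# Nginx example: the profile /etc/apparmor.d/usr.sbin.nginx is NOT created by anything on
# this page. Write it by hand, or generate a starting point with `aa-genprof /usr/sbin/nginx`;
# its body lists the files and directories nginx may read, write or execute
profile=/etc/apparmor.d/usr.sbin.nginx
# Load (or replace, -r) the profile into the kernel
apparmor_parser -r "$profile"
# Start in complain mode: violations are only logged (journalctl -k, or summarised by
# aa-logprof), so an incomplete profile cannot break nginx. Switch to enforce mode
# only after the log has been clean for a representative period
aa-complain /usr/sbin/nginx
# Set enforce mode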
aa-enforce /usr/sbin/nginx
▶▶▶四、自动安全更新
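# unattended-upgrades is usually preinstalled on Ubuntu server images; this is then a no-op
apt install -y unattended-upgrades
# Dry run: prints the origins that are enabled (only the security pocket by default,
# see /etc/apt/apt.conf.d/50unattended-upgrades) and the packages that would be applied,
# so the setup can be verified without changing anything
unattended-upgrade --dry-run --debug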
dpkg-reconfigure --priority=low unattended-upgrades
▶▶▶五、日志监控
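# auditd only records anything once the service is running; the package normally enables
# it on install, and `enable --now` is harmless if it already did. Persistent rules belong
# in /etc/audit/rules.d/, the active rule set is shown by auditctl -l
apt install -y auditd
systemctl enable --now auditd
auditctl -l
# AIDE file-integrity baseline (configuration in /etc/aide/aide.conf; aideinit writes
# /var/lib/aide/aide.db.new, which is then moved into place as aide.db)
apt install -y aide
aideinit
# Keep a copy of the baseline database off the host (read-only media or another machine):
# an intruder with root can otherwise re-baseline their own modifications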
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
▶▶▶六、网络参数优化
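# Kernel network hardening. The `conf.all.*` keys only cover interfaces that exist now;
# the matching `conf.default.*` keys apply to interfaces created later, and IPv6 has its
# own redirect setting, so each knob is set in all three places
cat > /etc/sysctl.d/99-security.conf << 'EOF'
# SYN flood protection
net.ipv4.tcp_syncookies = 1
# Ignore ICMP echo to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Neither accept nor send ICMP redirects (route hijacking)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Strict reverse-path filtering against spoofed sources (relax to 2 on hosts with
# asymmetric routing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Drop source-routed packets and log packets with impossible source addresses
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
# Full address-space layout randomisation
kernel.randomize_va_space = 2
EOF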
sysctl --system
▶▶▶七、fail2ban详细配置
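# Install fail2ban
apt install -y fail2ban
# Local overrides: jail.conf is replaced on package upgrades, jail.local is not
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
# Apply bans through ufw so they are consistent with the firewall section
banaction = ufw
# 192.168.0.0/16 exempts every private 192.168 address from banning; narrow this to
# the actual admin subnet or host
ignoreip = 127.0.0.1/8 192.168.0.0/16
[sshd]
enabled = true
# SSH listens on 2222 after the first section; the jail must match or bans never apply
port = 2222
logpath = %(sshd_log)s
maxretry = 3
# This jail needs a matching filter (/etc/fail2ban/filter.d/ufw.conf). The stock package
# ships ufw only as an *action*; if the filter is missing the jail is rejected at startup,
# which the test command below reports before the restart
[ufw]
enabled = true
logpath = /var/log/ufw.log
maxretry = 3
EOF
# Validate the configuration before restarting so a bad jail does not take the
# service down
fail2ban-client -t
systemctl restart fail2ban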
fail2ban-client status sshd
▶▶▶八、系统安全配置加固
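# 1. Lock root's password so root is only reachable through sudo (left commented as in
#    the original; confirm `sudo -v` works for admin before running it)
# passwd -l root
# 2. Default umask. A drop-in under /etc/profile.d/ is idempotent, whereas appending to
#    /etc/profile adds a duplicate line every time these commands are re-run
printf 'umask 027\n' > /etc/profile.d/99-umask.sh
# 3. Restrict su to the 'admin' group. `adduser admin` created that group with admin as its
#    only member; other administrators must be added to it. Ubuntu 22.04 is merged-/usr,
#    so /bin/su and /usr/bin/su are the same file — check with `dpkg-statoverride --list`
dpkg-statoverride --update --add root admin 4750 /bin/su
# 4. Disable services this server does not need. 2>/dev/null only hides the
#    "unit file does not exist" error on systems where they are not installed
systemctl disable --now whoopsie.service 2>/dev/null
systemctl disable --now cups.service 2>/dev/null
# 5. Package file integrity. `debsums -c` lists files whose checksum differs from the
#    package's; configuration files are skipped unless -a is added
apt install -y debsums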
debsums -c # 检查已修改的文件
▶▶▶九、Snort/入侵检测配置
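# Install Snort IDS (Ubuntu 22.04 packages the 2.9 series)
apt install -y snort
# The following are /etc/snort/snort.conf directives, not shell commands; set HOME_NET to
# this server's subnet (the package installer may also ask for it):
#   ipvar HOME_NET 服务器IP/24
#   ipvar EXTERNAL_NET !$HOME_NET
# Local rule. SSH listens on 2222 after the first section, so a rule on port 22 would never
# fire. detection_filter raises the alert once a single source exceeds 10 connections in 60 s.
# The grep guard keeps re-runs from appending a duplicate sid
grep -q 'sid:1000001;' /etc/snort/rules/local.rules 2>/dev/null || cat >> /etc/snort/rules/local.rules << 'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 2222 (msg:"SSH暴力破解检测"; flow:to_server; detection_filter:track by_src, count 10, seconds 60; sid:1000001; rev:1;)
EOF
# Validate configuration and rules (-T) before enabling the service
snort -T -c /etc/snort/snort.conf
# Start Snort
systemctl enable --now snort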
