Server Application Security Measures: Recommended Security Measures to Protect Your Servers

Server Application Security Measures

Introduction

Getting your applications up and running will often be your primary concern when you’re working on cloud infrastructure. As part of your setup and deployment process, it is important to include building in robust and thorough security measures for your systems and applications before they are publicly available. Implementing the security measures in this tutorial before you deploy your applications will ensure that any software that you run on your infrastructure has a secure base configuration, as opposed to ad-hoc measures that may be implemented post-deploy.

This guide highlights some practical security measures that you can take while you are configuring and setting up your server infrastructure. This list is not an exhaustive list of everything that you can do to secure your servers, but this offers you a starting point that you can build upon. Over time you can develop a more tailored security approach that suits the specific needs of your environments and applications.

SSH Keys

SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with a server, you’ll likely spend most of your time in a terminal session connected to your server through SSH. A more secure alternative to password-based logins, SSH keys use encryption to provide a secure way of logging into your server and are recommended for all users.

With SSH keys, a private and public key pair are created for the purpose of authentication. The private key is kept secret and secure by the user, while the public key can be shared.

To configure SSH key authentication, you must place your public SSH key on the server in its proper directory. When your client first connects to the server, the server will ask for proof that you have the associated private key. It does this by generating a random value and sending it to your SSH client. Your SSH client will then use your private key to encrypt the response and then send the encrypted reply to the server. The server then decrypts your client’s reply using your public key. If the server can decrypt the random value, then it means that your client possesses the private key and the server will let you connect without a password.

To learn more about how SSH-key-based authentication works, check out our article, Understanding the SSH Encryption and Connection Process.

How Do SSH Keys Enhance Security?

With SSH, any kind of authentication — including password authentication — is completely encrypted. However, when password-based logins are allowed, malicious users can repeatedly attempt to access a server, especially if it has a public-facing IP address. With modern computing power, it is possible to gain entry to a server by automating these attempts and trying combination after combination until the right password is found.

Setting up SSH key authentication allows you to disable password-based authentication. SSH keys generally have many more bits of data than a password, meaning that there are significantly more possible combinations that an attacker would have to run through. Many SSH key algorithms are considered uncrackable by modern computing hardware because they would require too much time to run through all of the feasible matches.

How to Implement SSH Keys

SSH keys are the recommended way to log into any Linux server environment remotely. A pair of SSH keys can be generated on your local machine and you can transfer the public key to your servers within a few minutes.

To set up SSH keys on your server, follow our distribution-specific guides: How To Set Up SSH Keys for Ubuntu, Debian, or CentOS.

If you would still like password authentication, consider implementing a solution like fail2ban on your servers to limit password guesses.

In either case, it is a best practice not to allow the root user to log in directly over SSH. Instead, log in as an unprivileged user and then escalate privileges as needed using a tool like sudo. This approach to limiting permissions is known as the principle of least privilege. Once you have connected to your server and created an unprivileged account that you have verified works with SSH, you can disable root logins by setting the PermitRootLogin no directive in /etc/ssh/sshd_config on your server and then restarting the server’s SSH process with a command like sudo systemctl restart sshd.

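As an added example (not part of the original article), the following Python script audits an sshd_config for the directives this section recommends: PermitRootLogin, PasswordAuthentication and PubkeyAuthentication. It models the parsing rules that matter for such a check: keywords are case-insensitive, a keyword and its value are separated by whitespace or `=`, comment and blank lines are skipped, and sshd keeps the first value it sees for a keyword, so a later duplicate does not override an earlier one. Directives under a Match block are conditional and are not treated as global, and files pulled in by Include are not followed, so audit those separately. The sample configuration is constructed for the demonstration; the compiled-in defaults noted in the code are sshd's own.

```python
"""Audit an sshd_config for the settings recommended in this section.

Added example; not part of the original article. Parsing rules modelled:
keywords are case-insensitive, keyword and value are separated by
whitespace or '=', comment and blank lines are skipped, and sshd uses the
FIRST value it sees for a keyword. Directives after a 'Match' line are
conditional and are not treated as global. 'Include' files are not
followed here, so audit them separately.
"""
import re

# directive -> (value we want, sshd's compiled-in default when absent)
EXPECTED = {
    "permitrootlogin": ("no", "prohibit-password"),
    "passwordauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
}

# Constructed sample config for the demonstration below.
SAMPLE_SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin no
# Still commented out, so sshd's default (yes) applies:
#PasswordAuthentication no
PubkeyAuthentication yes
# Ignored by sshd: the first PermitRootLogin value above wins.
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global directives in an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break  # everything below the first Match block is conditional
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return [(directive, effective_value, ok)] for each directive in EXPECTED."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, default) in EXPECTED.items():
        effective = settings.get(key, default).lower()
        findings.append((key, effective, effective == wanted))
    return findings


if __name__ == "__main__":
    for directive, value, ok in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{'OK  ' if ok else 'FAIL'} {directive} = {value}")
```

Run against the sample, the script reports PermitRootLogin and PubkeyAuthentication as OK and PasswordAuthentication as FAIL, because the directive is still commented out and sshd's default of yes applies. On a real host, read /etc/ssh/sshd_config plus every file matched by its Include lines, since an included file that appears first wins over the main file.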

Firewalls

A firewall is a software or hardware device that controls how services are exposed to the network, and what types of traffic are allowed in and out of a given server or servers. A properly configured firewall will ensure that only services that should be publicly available can be reached from outside your servers or network.

On a typical server, a number of services may be running by default. These can be categorized into the following groups:

  • Public services that can be accessed by anyone on the internet, often anonymously. An example of this is a web server that may allow access to your site.
  • Private services that should only be accessed by a select group of authorized accounts or from certain locations. For example, a database control panel like phpMyAdmin.
  • Internal services that should be accessible only from within the server itself, without exposing the service to the public internet. For example, a database that should only accept local connections.

Firewalls can ensure that access to your software is restricted according to the categories above with varying degrees of granularity. Public services can be left open and available to the internet, and private services can be restricted based on different criteria, such as connection types. Internal services can be made completely inaccessible to the internet. For ports that are not being used, access is blocked entirely in most configurations.

How Do Firewalls Enhance Security?

Even if your services implement security features or are restricted to the interfaces you’d like them to run on, a firewall serves as a base layer of protection by limiting connections to and from your services before traffic is handled by an application.

A properly configured firewall will restrict access to everything except the specific services you need to remain open. Exposing only a few pieces of software reduces the attack surface of your server, limiting the components that are vulnerable to exploitation.

How to Implement Firewalls

There are many firewalls available for Linux systems, some are more complex than others. In general though, setting up the firewall should only take a few minutes and will only need to happen during your server’s initial setup or when you make changes to the services running on your server. Here are some options to get up and running:

Info: If you are using DigitalOcean, you can also leverage the Cloud Firewall at no additional cost, which can be set up in minutes.

With any of the tutorials mentioned here, be sure that your firewall configuration defaults to blocking unknown traffic. That way any new services that you deploy will not be inadvertently exposed to the Internet. Instead you will have to allow access explicitly, which will force you to evaluate how the service is run, accessed, and who should be able to use it.

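To make the default-deny posture concrete, here is an added Python model of a firewall allow-list (example code, not from the article and not tied to any firewall product). Each rule names a protocol, a port and the source networks that may reach it; a connection is allowed only if some rule matches it, and everything else, including any port that has no rule at all, is dropped. A second function maps each rule back onto the three service categories above (public, private, internal) so the allow-list can be reviewed against that classification. The port numbers and the addresses, taken from the RFC 5737 documentation ranges, are constructed samples.

```python
"""Default-deny firewall policy model for the three service categories.

Added example; not from the original article or any firewall product.
Each allow rule names a protocol, a port and the source networks allowed
to reach it. Anything no rule matches is dropped, which is the
"default to blocking unknown traffic" posture the section asks for.
Addresses are constructed samples from the RFC 5737 documentation ranges.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "proto port sources comment")

# The allow-list. Ports not listed here are blocked entirely.
POLICY = [
    Rule("tcp", 80, ["0.0.0.0/0", "::/0"], "public: web server"),
    Rule("tcp", 22, ["203.0.113.0/24"], "private: SSH, admin network only"),
    Rule("tcp", 3306, ["127.0.0.1/32", "::1/128"], "internal: database, local only"),
]


def is_allowed(policy, proto, port, src_ip):
    """True only if some rule allows this (proto, port) from src_ip."""
    src = ipaddress.ip_address(src_ip)
    for rule in policy:
        if rule.proto != proto or rule.port != port:
            continue
        for net in rule.sources:
            network = ipaddress.ip_network(net)
            if network.version == src.version and src in network:
                return True
    return False  # default deny: nothing matched


def classify(rule):
    """Map a rule onto the article's categories by who may reach it."""
    nets = [ipaddress.ip_network(n) for n in rule.sources]
    if any(n.prefixlen == 0 for n in nets):
        return "public"      # reachable from the whole internet
    if all(n.is_loopback for n in nets):
        return "internal"    # local connections only
    return "private"         # a restricted set of source networks


def audit_policy(policy):
    """Return [(port, category, comment)] so the allow-list can be reviewed."""
    return [(r.port, classify(r), r.comment) for r in policy]


if __name__ == "__main__":
    for port, category, comment in audit_policy(POLICY):
        print(f"{port:>5} {category:<8} {comment}")
    # Constructed connection attempts checked against the policy.
    for proto, port, src in [("tcp", 80, "198.51.100.7"), ("tcp", 22, "198.51.100.7"),
                             ("tcp", 22, "203.0.113.42"), ("tcp", 3306, "203.0.113.42"),
                             ("tcp", 8080, "198.51.100.7")]:
        verdict = "ALLOW" if is_allowed(POLICY, proto, port, src) else "DROP "
        print(f"{verdict} {proto}/{port} from {src}")
```

The useful property is in the last line of is_allowed: a new service that you deploy on, say, port 8080 is unreachable until you consciously add a rule for it, which is exactly the evaluation step the paragraph above describes.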

VPC Networks

Virtual Private Cloud (VPC) networks are private networks for your infrastructure’s resources. VPC networks provide a more secure connection among resources because the network’s interfaces are inaccessible from the public internet and other VPC networks in the cloud.

How Do VPC Networks Enhance Security?

Using private instead of public networking for internal communication is preferable given the choice between the two, as VPC networks allow you to isolate groups of resources into specific private networks. VPC networks will only connect to each other using their private network interfaces over an internal network, which means that the traffic among your systems will not be routed through the public internet where it could be exposed or intercepted. VPC networks can also be used to isolate execution environments and tenants.

Additionally, you can set up internet gateways as the single point of access between your VPC network’s resources and the public internet, giving you more control and visibility into the public traffic connecting to your resources.

How to Implement VPC Networks

Many cloud infrastructure providers enable you to create and add resources to a VPC network inside their data centers.

Info: If you are using DigitalOcean and would like to set up your own VPC gateway, you can follow our How to Configure a Droplet as a VPC Gateway guide to learn how on Debian, Ubuntu, and CentOS based servers.

DigitalOcean places each applicable resource (Droplets, load balancers, Kubernetes Clusters, and databases) into a VPC upon creation at no additional cost.

Manually configuring your own private network can require advanced server configurations and networking knowledge. An alternative to setting up a VPC network is to use a VPN connection between your servers. If you are using Ubuntu or CentOS, you can follow this How To Set Up and Configure an OpenVPN Server on Ubuntu 20.04 tutorial.

For a less complex VPN between Ubuntu servers follow this How to Install Tinc and Set Up a Basic VPN on Ubuntu 18.04 tutorial.

Service Auditing

A big portion of security involves analyzing our systems, understanding the available attack surfaces, and locking down the components as best as we can.

Service auditing is a way of knowing what services are running on a given system, which ports they are using for communication, and what protocols are accepted. This information can help you configure which services should be publicly accessible, firewall settings, and monitoring and alerting.

How Does Service Auditing Enhance Security?

Servers can run processes for internal purposes and to handle external clients. Each running service, whether it is intended to be internal or public, represents an expanded attack surface for malicious users. The more services that you have running, the greater the chance of a vulnerability affecting your software.

Once you have a good idea of what network services are running on your machine, you can begin to analyze these services. When you perform a service audit, ask yourself the following questions about each running service:

  • Should this service be running?
  • Is the service running on network interfaces that it shouldn’t be running on?
  • Should the service be bound to a public or private network interface?
  • Are my firewall rules structured to pass legitimate traffic to this service?
  • Are my firewall rules blocking traffic that is not legitimate?
  • Do I have a method of receiving security alerts about vulnerabilities for each of these services?

This type of service audit should be standard practice when configuring any new server in your infrastructure. Performing service audits every few months will also help you catch any services with configurations that may have changed unintentionally.

How to Perform Service Audits

To audit network services that are running on your system, use the ss command to list all the TCP and UDP ports that are in use on a server. An example command that shows the program name, PID, and addresses being used for listening for TCP and UDP traffic is:

  • sudo ss -plunt

You will receive output similar to this:

Output
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=69226,fd=6),("nginx",pid=69225,fd=6))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511    [::]:80            [::]:*            users:(("nginx",pid=69226,fd=7),("nginx",pid=69225,fd=7))

The main columns that need your attention are the Netid, Local Address:Port, and Process name columns. If the Local Address:Port is 0.0.0.0, then the service is accepting connections on all IPv4 network interfaces. If the address is [::] then the service is accepting connections on all IPv6 interfaces. In the example output above, SSH and Nginx are both listening on all public interfaces, on both IPv4 and IPv6 networking stacks.

With this example output, you could decide if you want to allow SSH and Nginx to listen on both interfaces, or only on one or the other. Generally you should disable services that are running on unused interfaces. For example if your site should only be reachable via IPv4, you would explicitly prevent a service from listening on IPv6 interfaces to reduce the number of exposed services.

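The check described above can be automated. The following Python script is an added example (not from the article) that parses `ss -plunt` output into records and flags every listener bound to all interfaces, that is, to 0.0.0.0 or [::]. SS_OUTPUT reproduces the sample output shown in this section; CONSTRUCTED_EXTRA adds two made-up loopback-only listeners (a database on 127.0.0.1:3306 and a stub resolver on 127.0.0.53%lo:53) so the filter has something to leave out. On a server you would feed it the live output of the command instead.

```python
"""Flag services listening on all interfaces in `ss -plunt` output.

Added example; not from the original article. SS_OUTPUT reproduces the
sample output shown in this section so the script runs offline; replace
it with the real thing via subprocess.run(["ss", "-plunt"], ...) on a
server. CONSTRUCTED_EXTRA adds two made-up loopback-only listeners to
show what a correctly bound internal service looks like.
"""
import re
from collections import namedtuple

SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=69226,fd=6),("nginx",pid=69225,fd=6))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511    [::]:80            [::]:*            users:(("nginx",pid=69226,fd=7),("nginx",pid=69225,fd=7))
"""

# Constructed lines (not from the article): loopback-only listeners.
CONSTRUCTED_EXTRA = """\
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mariadbd",pid=1234,fd=17))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=600,fd=12))
"""

# Addresses that mean "every interface" for IPv4 and IPv6.
WILDCARDS = {"0.0.0.0", "[::]", "*"}

Listener = namedtuple("Listener", "netid state address port programs")


def parse_ss(text):
    """Parse `ss -plunt` output into Listener records (header row skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 6)  # Process column is the 7th field, if shown
        if len(fields) < 6:
            continue
        netid, state, _recvq, _sendq, local, _peer = fields[:6]
        process = fields[6] if len(fields) > 6 else ""  # absent when not run as root
        address, _, port = local.rpartition(":")  # "[::]:22" -> "[::]", "22"
        programs = tuple(sorted(set(re.findall(r'"([^"]+)"', process))))
        listeners.append(Listener(netid, state, address,
                                  int(port) if port.isdigit() else port, programs))
    return listeners


def exposed_listeners(listeners):
    """Listeners bound to all interfaces rather than a specific address."""
    return [l for l in listeners if l.address in WILDCARDS]


def report(text):
    """Return {program: sorted [(netid, address, port)]} for exposed listeners."""
    summary = {}
    for l in exposed_listeners(parse_ss(text)):
        for prog in l.programs or ("<unknown>",):
            summary.setdefault(prog, []).append((l.netid, l.address, l.port))
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    for prog, bindings in report(SS_OUTPUT + CONSTRUCTED_EXTRA).items():
        print(prog, bindings)
```

For the combined input the report names only sshd and nginx, each on ports 22 and 80 respectively over both IPv4 and IPv6; the two loopback-bound services are correctly left out. The Process column is only populated when ss runs with enough privilege to read other users' sockets, which is why the page's command uses sudo and why the script falls back to "<unknown>" when it is missing.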

Unattended Updates

Keeping your servers up to date with patches is a must to ensure a good base level of security. Servers that run out of date and insecure versions of software are responsible for the majority of compromises, but regular updates can mitigate vulnerabilities and prevent attackers from gaining a foothold on your servers.

Traditional updates require an administrator to manually check for and install updates for the various packages on their server; this can be time-intensive and it’s possible to forget or miss a major update. By contrast, unattended updates allow the system to update a majority of packages automatically.

How Do Unattended Updates Enhance Security?

Implementing unattended updates lowers the level of effort required to keep your servers secure and shortens the amount of time that your servers may be vulnerable to known bugs. In the event of a vulnerability that affects software on your servers, your servers will be vulnerable for however long it takes for you to run updates. Daily unattended upgrades will ensure that you don’t miss any packages, and that any vulnerable software is patched as soon as fixes are available.

In conjunction with the service auditing previously mentioned, performing updates automatically can greatly reduce your exposure to attacks and lower the amount of time spent on maintaining the security of your server.

How to Implement Unattended Updates

Most server distributions now feature unattended updates as an option. For example, on Ubuntu an administrator can run:

  • sudo apt install unattended-upgrades

For more details on how to implement unattended updates, check out these guides for Ubuntu (under Automatic Updates) and Fedora.

Note: These mechanisms will only auto-update software that is installed through your system’s package manager. Make sure that any additional software you may be running like web applications are either configured for automatic updates or checked manually on a regular basis.

Disable Directory Indexes

Most web servers are configured by default to display directory indexes when a user accesses a directory that lacks an index file. For example, if you were to create a directory called downloads on your web server without any additional configuration, all of the files would be visible to anyone browsing the directory. For many cases, this is not a security concern, but it’s very possible that something confidential could be exposed. For example, if you were to create an index directory on your web server for your website, the directory may contain the file for your website’s homepage and a configuration file that contains credentials to the website’s backend database. Without disabling the directory’s indexes, both of the files in the folder would be visible to anyone browsing the directory.

How Does Disabling Directory Indexes Enhance Security?

Directory indexes have legitimate purposes, but they often unintentionally expose files to visitors. Disabling directory indexes as the default for your web server eliminates the risk of accidental data loss, leakage, or exploitation by making the directory files invisible to visitors. Visitors can still reach the files if they exist in the directory, but disabling indexing makes the files much more difficult to discover unintentionally.

How to Disable Directory Indexes

For most cases, disabling directory indexes is a matter of adding one line to your web server configuration.

  • Nginx disables directory indexes by default, so if you are using Nginx you should not need to make any changes.
  • The DirectoryListings page on the Apache Wiki explains how to disable directory listings. Make sure to use the Options -Indexes option listed there for any of your Apache Directory configuration blocks.

Back Up Frequently

While not strictly a security measure, backups can be crucial in saving compromised systems and data, and in analyzing how the system was compromised. For instance, if your server is compromised by ransomware (a malicious tool or virus that encrypts files and will only decrypt them if the attacker is paid some sum of money), a lack of backups may mean your only choice is to pay to get your data back. If your systems and data are regularly and securely backed up, you will be able to access and recover your data without interacting with the compromised system.

How Do Frequent Backups Enhance Security?

Frequent backups help recover data in the case of accidental deletions, and in the event of an attack where your data is deleted or corrupted. In either case, they help mitigate the risk of data loss by retaining copies of data from before an accidental deletion or before an attack occurred.

In addition to ransomware cases, regular backups can help with forensic analysis of long-term attacks. If you don’t have a history of your data, it can be difficult or even impossible to determine when an attack began and what data was compromised.

How to Implement Frequent Backups

When implementing backups for your systems, treat verifiable recovery of compromised or deleted data as the goal. Ask yourself: if my server disappears tomorrow, what steps need to be taken to get it back up and running securely with the least amount of work?

Here are a few other questions to consider when developing a disaster recovery plan:

  • Should the latest backup always be used? Depending on how frequently your data changes and when a compromise or deletion occurs, it may reduce risk to instead default to an older backup.
  • What is the actual process for restoring the backup? Do you need to create a new server or restore over the existing one?
  • How long can you survive without this server in action?
  • Do you need offsite backups?

Info: If you are using DigitalOcean Droplets, you can enable weekly backups from the control panel by following this guide.

How To Back Up Data to an Object Storage Service with the Restic Backup Client is a tutorial that you can use to design your own backup system that will encrypt your backups and store them off of your production systems. The tutorial will work with servers, or even local desktop and laptop computers.

VPNs and Private Networking

Private networks are networks that are only available to certain servers or users. A VPN, or virtual private network, is a way to create secure connections between remote computers and present the connection as if it were a local private network. This provides a way to configure your services as if they were on a private network and connect remote servers over secure connections.

For example, DigitalOcean private networks enable isolated communication between servers in the same account or team within the same region.

How Do They Enhance Security?

Using private instead of public networking for internal communication is almost always preferable given the choice between the two. However, since other users within the data center are able to access the same network, you still must implement additional measures to secure communication between your servers.

Using a VPN is, effectively, a way to map out a private network that only your servers can see. Communication will be fully private and secure. Other applications can be configured to pass their traffic over the virtual interface that the VPN software exposes. This way, only services that are meant to be consumable by clients on the public internet need to be exposed on the public network.

How Difficult Is This to Implement?

Using private networks in a datacenter that has this capability is as simple as enabling the interface during your server’s creation and configuring your applications and firewall to use the private network. Keep in mind that data center-wide private networks share space with other servers that use the same network.

As for VPN, the initial setup is a bit more involved, but the increased security is worth it for most use-cases. Each server on a VPN must have the shared security and configuration data needed to establish the secure connection installed and configured. After the VPN is up and running, applications must be configured to use the VPN tunnel. To learn about setting up a VPN to securely connect your infrastructure, check out our OpenVPN tutorial.

Public Key Infrastructure and SSL/TLS Encryption

Public key infrastructure, or PKI, refers to a system that is designed to create, manage, and validate certificates for identifying individuals and encrypting communication. SSL or TLS certificates can be used to authenticate different entities to one another. After authentication, they can also be used to establish encrypted communication.

How Do They Enhance Security?

Establishing a certificate authority (CA) and managing certificates for your servers allows each entity within your infrastructure to validate the other members’ identities and encrypt their traffic. This can prevent man-in-the-middle attacks where an attacker imitates a server in your infrastructure to intercept traffic.

Each server can be configured to trust a centralized certificate authority. Afterwards, any certificate that the authority signs can be implicitly trusted. If the applications and protocols you are using to communicate support TLS/SSL encryption, this is a way of encrypting your system without the overhead of a VPN tunnel (which also often uses SSL internally).

How Difficult Is This to Implement?

Configuring a certificate authority and setting up the rest of the public key infrastructure can involve quite a bit of initial effort. Furthermore, managing certificates can create an additional administration burden when new certificates need to be created, signed, or revoked.

For many users, implementing a full-fledged public key infrastructure will make more sense as their infrastructure needs grow. Securing communications between components using VPN may be a good stop-gap measure until you reach a point where PKI is worth the extra administration costs.

If you would like to create your own certificate authority, you can refer to one of our How To Set Up and Configure a Certificate Authority (CA) guides depending on the Linux distribution that you are using.

File Auditing and Intrusion Detection Systems

File auditing is the process of comparing the current system against a record of the files and file characteristics of your system when it is in a known-good state. This is used to detect changes to the system that may not have been authorized.

An intrusion detection system, or IDS, is a piece of software that monitors a system or network for unauthorized activity. Many host-based IDS implementations use file auditing as a method of checking whether the system has changed.

How Do They Enhance Security?

Similar to the above service-level auditing, if you are serious about ensuring a secure system, it is very useful to be able to perform file-level audits of your system. This can be done periodically by the administrator or as part of an automated process in an IDS.

These strategies are some of the only ways to be absolutely sure that your filesystem has not been altered by some user or process. For many reasons, intruders often wish to remain hidden so that they can continue to exploit the server for an extended period of time. They might replace binaries with compromised versions. Doing an audit of the filesystem will tell you if any of the files have been altered, allowing you to be confident in the integrity of your server environment.

How Difficult Is This to Implement?

Implementing an IDS or conducting file audits can be quite an intensive process. The initial configuration involves telling the auditing system about any non-standard changes you have made to the server and defining paths that should be excluded, in order to create a baseline reading.

It also makes day-to-day operations more involved. It complicates update procedures, as you will need to re-check the system prior to running updates and then recreate the baseline after the update to capture the changed software versions. You will also need to offload the reports to another location so that an intruder cannot alter the audit to cover their tracks.

While this may increase your administration load, being able to check your system against a known-good copy is one of the only ways of ensuring that files have not been altered without your knowledge. Some popular file auditing / intrusion detection systems are Tripwire and AIDE.

Isolated Execution Environments

Isolating execution environments refers to any method in which individual components are run within their own dedicated space.

This can mean separating your discrete application components onto their own servers, or it may refer to configuring your services to operate in chroot environments or containers. The level of isolation depends heavily on your application's requirements and the realities of your infrastructure.

How Do They Enhance Security?

Isolating your processes into individual execution environments increases your ability to contain any security problems that may arise. Similar to how bulkheads and compartments help contain hull breaches in ships, separating your individual components can limit the access that an intruder has to other pieces of your infrastructure.

How Difficult Is This to Implement?

Depending on the type of containment you choose, isolating your applications can have varying levels of complexity. By packaging your individual components in containers, you can quickly achieve some measure of isolation, but note that Docker does not consider its containerization a security feature.

Setting up a chroot environment for each piece can provide some level of isolation as well, but this is also not a foolproof method of isolation, as there are often ways of breaking out of a chroot environment. Moving components to dedicated machines provides the strongest isolation, and in many cases may be the least complex, but it incurs additional costs due to the need for additional machines.

Conclusion

The strategies outlined in this tutorial are an overview of some of the steps that you can take to improve the security of your systems. It is important to recognize that security measures decrease in their effectiveness the longer you wait to implement them. Accordingly, security should not be an afterthought and must be implemented when you first provision your infrastructure. Once you have a secure base to build upon, you can then start deploying your services and applications with some assurance that they are running in a secure environment by default.

Even with a secure starting environment, keep in mind that security is an ongoing and iterative process. Good security requires a mindset of constant vigilance and awareness. Always be sure to ask yourself what the security implications of any change might be, and what steps you can take to ensure that you are always creating secure default configurations and environments for your software.

Translated from: https://www.digitalocean.com/community/tutorials/recommended-security-measures-to-protect-your-servers
