Server hardening notes
1. Change the root password
passwd root
Change the hostname: vi /etc/hosts
127.0.0.1 localhost
x.x.x.x test test.com
2. Update all software to the latest versions
apt-get update
apt-get upgrade
apt-get dist-upgrade
3. Create a user and set the corresponding permissions
useradd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
4. Configure the user's home directory (set the login shell)
usermod -s /bin/bash deploy
5. Record the login user's SSH public key to enable passwordless login, then fix the permissions and ownership
(On Windows 10 the built-in SSH client can be used for administration)
To enable it: Settings -> Apps -> Apps & features -> Manage optional features -> Add a feature -> OpenSSH Client
Generate the key pair on the client side by running ssh-keygen in a cmd window; the public key is written to
C:\Users\UserName\.ssh\id_rsa.pub
Copy the contents of the generated public key into the following file:
vim /home/deploy/.ssh/authorized_keys
Fix the permissions and ownership
chmod 400 /home/deploy/.ssh/authorized_keys
chown deploy:deploy /home/deploy -R
6. Set the user's password: passwd deploy
7. Enforce SSH key login and disable password login
vim /etc/ssh/sshd_config
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers deploy@172.31.190.45 (before the @ is the login account, after it is the source address the login must come from)
(183.62.176.59/113.81.232.215/133.139.70.96)
Restart to apply
service ssh restart
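As an added check for step 7 (example code, not part of the original notes): a POSIX sh function that audits an sshd_config file against the three required settings plus the presence of AllowUsers, run here over two constructed sample files. It assumes plain "Key value" lines and, like sshd, treats the first uncommented occurrence of a key as the effective one.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an sshd_config against
# the step 7 settings. Prints one line per deviation; returns 0 when the
# file is compliant, 1 otherwise.
# Assumption: plain "Key value" lines; like sshd, the first occurrence of a
# key wins, and commented-out lines (#) do not count.

check_sshd_config() {
    cfg="$1"
    rc=0
    for want in "PermitRootLogin no" "PubkeyAuthentication yes" "PasswordAuthentication no"; do
        key=${want%% *}
        expected=${want#* }
        # first uncommented occurrence, value lower-cased (keys are case-insensitive)
        actual=$(grep -i "^[[:space:]]*$key[[:space:]]" "$cfg" | head -n 1 | awk '{print tolower($2)}')
        if [ -z "$actual" ]; then
            echo "MISSING $key (compiled-in default applies, want $expected)"
            rc=1
        elif [ "$actual" != "$expected" ]; then
            echo "BAD $key=$actual (want $expected)"
            rc=1
        fi
    done
    # Without AllowUsers every account that has a key in authorized_keys can log in
    if ! grep -qi '^[[:space:]]*AllowUsers[[:space:]]' "$cfg"; then
        echo "MISSING AllowUsers (no account/source restriction)"
        rc=1
    fi
    return $rc
}

# Constructed sample files: one left at defaults, one hardened as in step 7
weak=$(mktemp)
cat > "$weak" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication no
EOF
hard=$(mktemp)
cat > "$hard" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers deploy@172.31.190.45
EOF

check_sshd_config "$weak" || echo "weak config: deviations found"
check_sshd_config "$hard" && echo "hardened config: OK"
```

On a live host, running the function against /etc/ssh/sshd_config after editing and before `service ssh restart` catches a typo before it locks you out.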
8. Install a firewall
https://help.ubuntu.com/community/UFW
apt-get install ufw
sudo ufw allow from 172.31.190.45 to any port 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw disable
sudo ufw enable
sudo ufw status numbered
sudo ufw delete 1
sudo ufw app list
sudo ufw status
sudo ufw reset
9. Apply security updates automatically
https://help.ubuntu.com/community/AutomaticSecurityUpdates
apt-get install unattended-upgrades
vim /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
vim /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESM:${distro_codename}";
//"${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Mail "you@example.com";
Log files
cat /var/log/unattended-upgrades/unattended-upgrades.log
cat /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
10. Prevent brute-force attacks (fail2ban)
https://help.ubuntu.com/community/Fail2ban
http://www.fail2ban.org/wiki/index.php/Manual
apt-get install fail2ban
apt-get install sendmail
apt-get install mailutils
Mail alerts
vi /etc/fail2ban/jail.conf
destemail = your@example.com
mta = mail
maxretry = 3
action = %(action_mwl)s
Log file
cat /var/log/fail2ban.log
Unban a jailed IP
fail2ban-client set sshd unbanip x.x.x.x
Configure the time zone
ln -sf /usr/share/zoneinfo/Hongkong /etc/localtime
date (confirm the time is correct)
lastlog (last login of every user)
last (successful logins)
lastb (failed logins)
11. Two-factor authentication (google-authenticator), Time-based One-Time Password algorithm
apt-get install libpam-google-authenticator
vi /etc/pam.d/common-auth
Find the pam_unix.so line (shown in red in the original) and add the pam_google_authenticator.so line (shown in blue) above it, then save
auth required pam_google_authenticator.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
Run google-authenticator to set it up
Answer Y to all five prompts:
1. Time-based tokens
2. Update the authentication file
3. Disallow reuse of the same token for multiple logins
4. Extend the time window
5. Rate limiting: no more than 3 login attempts every 30 seconds
Record the emergency scratch codes; each can be used only once, for emergency access
vi /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
12. Log monitoring (logwatch)
https://help.ubuntu.com/community/Logwatch
apt-get install logwatch
apt-get install sendmail
apt-get install mailutils
Edit the configuration
vi /usr/share/logwatch/default.conf/logwatch.conf
MailTo = you@example.com
mailer = "mail -t"
Edit the daily scheduled task
vim /etc/cron.daily/00logwatch
/usr/sbin/logwatch --output mail --mailto your@example.com --detail high
Add a cron schedule (optional)
crontab -e
00 15 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
------------------------------------
Reference commands
Use the mail command to see how many unread mails you have
mail
Delete mail
cat /dev/null > /var/spool/mail/root
Stop the shell from checking for mail
echo "unset MAILCHECK" >> /etc/profile
Check the state of a port on a device from the server
nc -zvu 192.168.1.1 161
nc -zv 192.168.1.1 10050