Server Security Configuration
Creating an administrator user
Some cloud providers ship servers whose default login user is root. The usual recommendation is to log in as an ordinary user and disable root login.
Create the user:
useradd -mG sudo USER # create the user with a home directory and add it to the sudo group
passwd USER # set the new user's password
On Ubuntu administrators belong to the sudo group; on CentOS they belong to the wheel group (use -G wheel there).
Next, copy the .ssh directory into the new user's home directory so the existing authorized key keeps working:
rsync -a --chown=USER:USER ~/.ssh /home/USER
You can now log in as the ordinary user. Do this in a second terminal while the root session stays open, and confirm that sudo works, before disabling root login in the next step.
SSH security settings
Edit the SSH server configuration. The drop-in goes under sshd_config.d (ssh_config.d holds client settings and has no effect on the daemon). sshd keeps the first value it reads for each keyword, and the drop-ins are included at the top of sshd_config in lexical order, so the 10- prefix makes these settings win over distribution files such as 50-cloud-init.conf:
sudoedit /etc/ssh/sshd_config.d/10-custom.conf
PermitRootLogin no # disable root login
PasswordAuthentication no # disable password login; confirm key-based login works before enabling this
PermitEmptyPasswords no # disable empty passwords
Port 2222 # change the SSH port; allow it in the firewall before restarting
Validate the file (sudo sshd -t parses the configuration without starting the daemon), then restart the SSH service for the change to take effect, keeping your current session open until a fresh login succeeds:
sudo systemctl restart ssh # RHEL uses sshd
On Ubuntu releases where sshd is socket-activated (22.10 and later), the listening port belongs to ssh.socket: after changing Port run sudo systemctl daemon-reload and restart ssh.socket as well, then confirm with ss -tlnp that sshd listens on 2222; if it still listens on 22, override ListenStream= in ssh.socket with sudo systemctl edit ssh.socket.
Check that the effective configuration is what you intended (the output is one lowercase keyword and value per line; look for permitrootlogin, passwordauthentication, permitemptypasswords and port):
sudo sshd -T
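The sshd -T check above is easiest to act on when the output is compared against the intended values automatically. The following Python is added here and is not part of the original post: it parses sshd -T output and reports every policy keyword whose effective value differs. The POLICY table mirrors the four settings in 10-custom.conf, and the sample output is constructed to show the common failure where a distribution drop-in re-enabled passwords and the Port change never took effect.

```python
"""Audit the effective sshd configuration against a hardening policy.

Added example, not part of the original post. It parses the output of
`sudo sshd -T` (one lowercase keyword and its value per line) and reports
every policy keyword whose effective value differs from what we want.
Run it as:  sudo sshd -T | python3 sshd_audit.py
"""
import sys

# The values the post's 10-custom.conf is meant to enforce.
POLICY = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "port": "2222",
}


def parse_sshd_t(output: str) -> dict:
    """Turn `sshd -T` output into {keyword: value}.

    sshd -T prints keywords lowercased. A keyword that appears more than
    once (several `port` lines when more than one Port is configured) is
    joined with commas so a stray `port 22` next to `port 2222` is not hidden.
    """
    effective = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key in effective:
            effective[key] = effective[key] + "," + value.strip()
        else:
            effective[key] = value.strip()
    return effective


def audit(output: str, policy: dict = POLICY) -> dict:
    """Return {keyword: (expected, actual)} for every policy violation."""
    effective = parse_sshd_t(output)
    findings = {}
    for key, expected in policy.items():
        actual = effective.get(key, "<unset>")
        if actual != expected:
            findings[key] = (expected, actual)
    return findings


# Constructed sample: what `sshd -T` looks like when a later drop-in
# re-enabled passwords and the Port change was never applied.
SAMPLE = """\
port 22
addressfamily any
permitrootlogin no
passwordauthentication yes
permitemptypasswords no
pubkeyauthentication yes
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    findings = audit(text)
    for key, (want, got) in sorted(findings.items()):
        print(f"{key}: expected {want}, effective {got}")
    sys.exit(1 if findings else 0)
```

Run with nothing on stdin it audits the constructed sample and exits non-zero; piped from sudo sshd -T it audits the live daemon, which makes it usable as a post-deploy check in configuration management.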
Fail2Ban
Once, out of curiosity, I ran sudo lastb to look at the failed SSH logins and found nearly 30 failures within a single second. After a few days the logs had piled up into a mountain. Even setting server security aside, server performance alone was reason enough, so I promptly installed fail2ban.
Install fail2ban:
sudo apt install fail2ban
Enable and start fail2ban:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Check that fail2ban is running:
sudo systemctl status fail2ban # service status
sudo fail2ban-client status # list all jails
Configure the jail in jail.local (jail.conf is overwritten on package upgrades):
sudoedit /etc/fail2ban/jail.local
[sshd]
enabled = true
maxretry = 3
bantime = 3600
port = 2222
filter = sshd
backend = systemd
The jail must be named [sshd] to match the packaged jail definition and the fail2ban-client commands below. port must be the port sshd actually listens on (2222 after the change above, 22 otherwise); with the wrong port the firewall rule fail2ban inserts blocks nothing useful. With backend = systemd fail2ban reads sshd's messages from the journal, so no logpath is needed; this also works on Debian 12 and Ubuntu 24.04, where /var/log/auth.log does not exist unless rsyslog is installed. Restart the fail2ban service after editing and confirm the jail appears in fail2ban-client status.
Setting bantime to -1 bans permanently (not recommended).
Reference: How to install fail2ban packages | fail2ban/fail2ban Wiki
Other commands (192.168.1.2 is a placeholder address):
sudo fail2ban-client status sshd # show the state of jail [sshd], including the currently banned IPs
sudo fail2ban-client set sshd unbanip 192.168.1.2 # remove an IP from jail [sshd]
sudo fail2ban-client set sshd banip 192.168.1.2 # add an IP to jail [sshd]
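To see what maxretry, findtime and bantime actually do before tuning them, here is an added example, my own code rather than fail2ban's, that re-implements the sshd jail's counting logic in Python over a few constructed journal lines. The regex covers only the plain "Failed password" message, whereas fail2ban's real sshd filter matches many more; findtime defaults to fail2ban's 600 seconds, and the hosts are RFC 5737 documentation addresses, not real attackers.

```python
"""Simulate the sshd jail's counting logic over journal lines.

Added example, not fail2ban's own code: it re-implements the core of what
the [sshd] jail does (match failures, count per host inside findtime, ban
once maxretry is reached, expire the ban after bantime) so you can see why
each knob matters before tuning jail.local.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for one pattern of fail2ban's sshd filter; the real
# filter has many more (preauth disconnects, PAM failures, ...).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)


def parse_failures(lines, year=2024):
    """Yield (timestamp, host) for every line that is a failed login."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"]


def simulate(lines, maxretry=3, findtime=600, bantime=3600):
    """Return {host: ban_start_time} for hosts that would be banned.

    A host is banned when it accumulates `maxretry` failures within a
    sliding `findtime` window (seconds). Failures while banned are ignored
    (the firewall drops them), and a ban expires `bantime` seconds after
    it began.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> failure timestamps inside the window
    banned = {}                   # host -> when the ban started
    for ts, host in parse_failures(lines):
        if host in banned and ts - banned[host] < timedelta(seconds=bantime):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxretry:
            banned[host] = ts
            q.clear()
    return banned


# Constructed journal lines in the classic syslog layout.
SAMPLE_LOG = [
    "Mar 10 12:00:01 web sshd[1201]: Failed password for root from 203.0.113.5 port 4101 ssh2",
    "Mar 10 12:00:02 web sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 4102 ssh2",
    "Mar 10 12:00:02 web sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 4103 ssh2",
    "Mar 10 12:00:03 web sshd[1204]: Failed password for root from 203.0.113.5 port 4104 ssh2",
    "Mar 10 12:00:10 web sshd[1205]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2",
    "Mar 10 12:01:00 web sshd[1206]: Failed password for alice from 198.51.100.7 port 5001 ssh2",
    "Mar 10 12:20:00 web sshd[1207]: Failed password for alice from 198.51.100.7 port 5002 ssh2",
    "Mar 10 12:40:00 web sshd[1208]: Failed password for alice from 198.51.100.7 port 5003 ssh2",
]

if __name__ == "__main__":
    for host, since in simulate(SAMPLE_LOG).items():
        print(f"ban {host} (since {since:%H:%M:%S})")
```

With the defaults only 203.0.113.5 is banned, on its third failure; alice's three typos twenty minutes apart never fit inside a 600-second findtime. Raising findtime to 3600 would ban her too, which is the trade-off the post's maxretry = 3 setting makes against fat-fingered legitimate users.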
Management panel
A management panel bundles the common server operations in one place. The panel I recommend is 1Panel:
sudo bash -c "$(curl -sSL https://resource.fit2cloud.com/1panel/package/v2/quick_start.sh)"
This one-liner executes whatever the URL returns as root without review. Download the script first (curl -sSLo quick_start.sh with the same URL), read it, and only then run it; since the panel exposes a web interface, restrict its port in the firewall to trusted addresses. For using 1Panel see: Command-line tool | 1Panel documentation
Antivirus
Using ClamAV
Install ClamAV:
sudo apt install clamav clamav-daemon
After the first install the signature database must be updated once by hand. If the clamav-freshclam service is already running it holds the log lock and this command fails; stop the service first, or simply let the service do the first download:
sudo freshclam
Keep the database updated automatically in the background:
sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-freshclam
Scan a directory manually. -i prints only infected files; the pseudo-filesystems are excluded because scanning /proc, /sys and /dev wastes time and produces errors, and sudo is needed to read files owned by other users:
sudo clamscan -r -i --exclude-dir='^/(proc|sys|dev|run)' / # scan the root filesystem
Start the clamd service:
sudo systemctl start clamav-daemon
Check that clamd is up and watch its scan statistics:
clamdtop
Verify on-access protection with the EICAR test file. The on-access scanner is the separate clamonacc program (clamav-clamonacc.service on Debian/Ubuntu), which must be enabled and running alongside clamd. Write the file under a directory covered by OnAccessIncludePath (below: /home) and read it back; with OnAccessPrevention yes the read is denied and the detection is written to the clamd log:
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicar.virus
cat eicar.virus
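The EICAR file also lets you verify the daemon side directly. As an added example, not part of the post and not ClamAV's own code, the following Python talks to clamd over its Unix socket with the INSTREAM command, which is what clamdscan uses under the hood, and scans the EICAR string held in memory. It assumes clamd listens at /tmp/clamd.socket as in the clamd.conf on this page (Debian's packaged default is /var/run/clamav/clamd.ctl) and that the calling user is in the socket's group; the signature name in the sample reply is illustrative, since the name ClamAV reports for EICAR varies between database versions.

```python
"""Send in-memory data to clamd over its LocalSocket with INSTREAM.

Added example, not part of the original post or of ClamAV: it speaks the
clamd socket protocol directly, which is what `clamdscan` does for you.
Useful to confirm that LocalSocket/LocalSocketMode let your user reach the
daemon, and to scan data that never touches disk (an upload held in memory).
"""
import socket
import struct

CLAMD_SOCKET = "/tmp/clamd.socket"   # the LocalSocket path from this page's clamd.conf
CHUNK = 65536                         # keep well under clamd's StreamMaxLength

# The 68-byte EICAR test string, split across two literals so that this
# source file itself does not contain it contiguously.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         b"ANTIVIRUS-TEST-FILE!$H+H*")


def instream_frames(data: bytes, chunk: int = CHUNK) -> bytes:
    """Encode `data` as one INSTREAM request.

    Protocol: the NUL-terminated command 'zINSTREAM', then any number of
    chunks each prefixed by a 4-byte big-endian length, then a zero-length
    chunk that marks the end of the stream.
    """
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack(">I", len(piece)) + piece
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(reply: bytes):
    """Turn clamd's reply into (status, detail).

    Replies look like 'stream: OK', 'stream: <signature> FOUND' or
    'stream: <message> ERROR', NUL-terminated because the command was
    sent with the 'z' prefix.
    """
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    _, _, rest = text.partition(": ")
    if rest.endswith(" FOUND"):
        return "FOUND", rest[:-len(" FOUND")]
    if rest == "OK":
        return "OK", ""
    return "ERROR", rest


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET, timeout: float = 30.0):
    """Scan an in-memory blob via clamd; returns (status, detail)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = bytearray()
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(bytes(reply))


if __name__ == "__main__":
    # On a working install this prints ('FOUND', '<eicar signature name>');
    # a PermissionError here means LocalSocketGroup/LocalSocketMode exclude you.
    print(scan_bytes(EICAR))
```

A "Permission denied" on connect is the LocalSocketGroup/LocalSocketMode settings doing their job; an ERROR reply mentioning the size limit means the data exceeded StreamMaxLength, so large uploads need either a higher limit or a pre-check on size before scanning.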
Configuring ClamAV
Setting how often the signature database is updated
Edit the configuration:
sudoedit /etc/clamav/freshclam.conf
# number of database checks per day (Debian's packaged default is 24, i.e. hourly)
Checks 1
Restart the service:
sudo systemctl restart clamav-freshclam
Configuring clamd
On Debian/Ubuntu the daemon runs as user clamav (the account named clamscan belongs to the Fedora/RHEL packages); confirm with ps -o user= -C clamd and use that name for LocalSocketGroup and OnAccessExcludeUname, and add any user that runs clamdscan or your own clients to that group. The packaged socket path /var/run/clamav/clamd.ctl is preferable to /tmp, where any local user can create or squat on the name. The OnAccess* options only take effect while the separate on-access scanner clamonacc (clamav-clamonacc.service on Debian/Ubuntu) is running, so enable and start that service too.
Edit the configuration:
sudoedit /etc/clamav/clamd.conf
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /tmp/clamd.socket
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
LocalSocketGroup clamav
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
LocalSocketMode 660
# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
# and not perform any blocking.
# Default: no
OnAccessPrevention yes
# This option allows exclusions via user names when using the on-access
# scanning client. It can be used multiple times.
# It has the same potential race condition limitations of the
# OnAccessExcludeUID option.
# Default: disabled
OnAccessExcludeUname clamav
# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
OnAccessIncludePath /home
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamd.scan
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
# Default: 1M
LogFileMaxSize 20M
# Log time with each message.
# Default: no
LogTime yes
Restart the service:
sudo systemctl restart clamav-daemon