Linux

起步

VPS

VPS 供应商,选择 Linux 发行版,配置磁盘空间,Boot。

一般还会配置 root 用户的登录密码

SSH 连接服务器

SSH 即是一个协议,又是客户端/服务器模式的一套软件。

在启动系统后,一般系统已经默认开启了 SSH 端口 22,并提供 SSH 服务。

我们可以从本地通过浏览器命令行接口或者 Command Line 来访问,不过首先你要有个 SSH 客户端。Linux 和 Mac 用户一般系统自带命令行 SSH,Windows 用户建议使用软件 PuTTY,下面以命令行 SSH 客户端为例来介绍使用方法:

登录服务器,root用户登录

ssh root@123.456.78.90

首次登陆将得到如下授权警告信息,输入 yes 并敲击回车键继续即可

The authenticity of host '123.456.78.90 (123.456.78.90)' can't be established.
RSA key fingerprint is 11:eb:57:f3:a5:c3:e0:77:47:c4:15:3a:3c:df:6c:d2.
Are you sure you want to continue connecting (yes/no)?

然后会提示要求输入密码

root@123.456.78.90's password:

看到类似如下所示,表明已经连接到了远程服务器的命令行

root@li123-456:~#

接下来就可以通过该命令行来管理配置服务器啦

每次登陆服务器都使用 IP 会比较繁琐,可以利用计算机本地 DNS 文件来为 IP 映射一个容易记住的名字。

更新系统

配置的 Linux 系统发行软件一般都是之前发布的,而在系统发布之后,针对该系统的漏洞等会用新的更新可用。从安全的角度来考虑,进入服务器后首先需要更新系统软件。并且更新系统应该作为一个日常的系统安全防范措施,应该定期更新系统才行。

This applies the latest security patches and bug fixes to help protect your Linode against unauthorized access.

Installing software updates should be performed regularly. If you need help remembering, try creating a monthly alert with the calendar application on your desktop computer.

各个常用发行版更新系统的命令如下:

Debian/Ubuntu

apt-get update && apt-get upgrade

CentOS

yum update

Fedora

dnf upgrade

Arch Linux

pacman -Syu

设置 Hostname

疑惑?

A fully qualified domain name (FQDN) contains both a host name and a domain name.

The host name represents the network or system used to deliver a user to a certain address or location. The domain name represents the site or project that the user is accessing.

DNS 服务商处注册的域名,以及映射的 www.example.com 123.456.78.90 ,以及 blog.example.com 90.78.45.6123。跟自己服务器上设置的 hostname 有什么关系?Note that the hostname has no relationship to websites or email services hosted on it, aside from providing a name for the system itself.

疑惑?

为系统指定 hostname,该 hostname 跟托管在系统上的网站和邮件服务无关,最好不要起太常用的名字。

各个系统命令:

Arch / CentOS 7 / Debian 8 / Fedora / Ubuntu 16.04

hostnamectl set-hostname example_hostname

Debian 7 / Slackware / Ubuntu 14.04

echo "example_hostname" > /etc/hostname
hostname -F /etc/hostname

CentOS 6

echo "HOSTNAME=example_hostname" >> /etc/sysconfig/network
hostname "hostname"

为系统指定 fully qualified domain name

编辑 /etc/hosts 文件,在 127.0.0.1 localhost 后面添加一行:127.0.1.1 sub.example.com system_hostname

设置 Timezone

By default, a Linode’s Linux image will be set to UTC time (also known as Greenwich Mean Time), but this can be changed. It may be better to use the same timezone which a majority of your users are located in, or that you live in to make log file timestamps more sensible.

Debian / Ubuntu

dpkg-reconfigure tzdata

Arch Linux / CentOS 7

查看可用时区

timedatectl list-timezones

设置时区

timedatectl set-timezone 'Asia/Shanghai'

检查时间设置的结果,使用命令:

date

安全防护

保护主机避免未授权访问的攻击

定期更新系统

Keeping your software up to date is the single biggest security precaution you can take for any operating system. Software updates range from critical vulnerability patches to minor bug fixes, and many software vulnerabilities are actually patched by the time they become public.

系统自动更新富有争论:

There are arguments for and against automatic updates on servers. Fedora’s Wiki has a good breakdown of the pros and cons, but the risk of automatic updates will be minimal if you limit them to security updates. Not all package managers make that easy or possible, though.

The practicality of automatic updates is something you must judge for yourself because it comes down to what you do with your Linode. Bear in mind that automatic updates apply only to packages sourced from repositories, not self-compiled applications. You may find it worthwhile to have a test environment that replicates your production server. Updates can be applied there and reviewed for issues before being applied to the live environment.

  • CentOS uses yum-cron for automatic updates.
  • Debian and Ubuntu use unattended upgrades.
  • Fedora uses dnf-automatic.

添加普通用户

在安装系统时,系统默认会创建一个 root 用户,该用户是根用户,又叫超级用户,对系统用户无限制的任意权利,可以执行任何命令,处理任何资源。为了避免使用该用户时的误操作,我们要再自己创建一个权限受限的普通用户,以供平时跟系统的交互。

临时提升普通用户的权限:

Administrative tasks will be done using sudo to temporarily elevate your limited user’s privileges so you can administer your server. 如果系统没有安装 sudo,则需要先安装它。

CentOS / Fedora

创建用户

useradd newusername

修改密码

passwd newusername

添加到 wheel 组已获得 sudo 权限

usermod -aG wheel newusername

注:对于 CentOS 6 需要手动编辑配置文件 /usr/sbin/visudo 为 whell 组开启 sudo 权限

Ubuntu / Debian

创建用户,随后自动提示输入密码

adduser newusername

为用户添加 sudo 权限

adduser newusername sudo

退出系统,以普通用户的身份尝试 SSH 登录:

exit
ssh newusername@123.456.78.90

关闭 SSH 密码登录

By default, password authentication is used to connect to your Linode via SSH. A cryptographic key-pair is more secure because a private key takes the place of a password, which is generally much more difficult to brute-force.

首先需要创建一个授权的秘钥对

在创建之前,先检查一下用户家目录有没有秘钥对存在,防止创建时覆盖之前的秘钥对,一般位于 ~/.ssh/id_rsa*

Linux / Mac 创建

ssh-keygen -b 4096

生成 id_rsa 私钥,id_rsa.pub 公钥

Windows 创建参见https://linode.com/docs/security/authentication/use-public-key-authentication-with-ssh/

创建秘钥对时,会提示输入一个 passphrase,虽然不是必须的,但建议设一个,这样别人就不能用你的私钥进行登录的

然后需要上传刚刚创建的公钥文件(注意不是私钥)

Linux

ssh-copy-id yourusername@123.456.78.90

Mac

首先需要在远程主机创建目录

mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/

然后在本机进行上传

scp ~/.ssh/id_rsa.pub yourusername@123.456.78.90:~/.ssh/authorized_keys

Windows

使用 WinSCP 本地的公钥文件上传到远程服务器,需要注意的是要上传到服务器的路径:/home/yourusername/.ssh/authorized_keys

或者直接通过命令行登录远程服务器,创建目录和文件,并利用文本编辑器将公钥内容粘贴到上述文件中。

上传完成后,记得登录远程服务器,对目录和文件的权限进行修改:

sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys

退出系统,尝试以非密码方式登录一下 SSH,如果设置了 passphrase,会提示你输入

配置 SSH 守护进程

编辑文件 /etc/ssh/sshd_config,添加或取消注释配置项

禁止根用户通过 SSH 进行登录

仅允许普通用户通过 SSH 进行登录,根用户的权限,要么通过 sudo,要么登陆后使用 su - 命令来切换

PermitRootLogin no

禁止所有用户通过密码授权方式登录,看情况,如果经常从多台设备登录的话,应该保留密码登录方式

PasswordAuthentication no

限制仅接受 IPv4 或 IPv6 连接

# listen only on IPv4
AddressFamily inet
# listen only on IPv6
AddressFamily inet6

完成以上配置后,重启 SSH 服务以使配置立即生效:

CentOS 7 / Debian 8 / Fedora / Ubuntu 15.10

sudo systemctl restart sshd

CentOS 6 / Debian 7 / Unbuntu 14.04

sudo service ssh restart

分析 SSH 被暴力破解

CentOS 的 sshd 进程日志位于 /var/log/secure,其它发行版的 Linux 也许在 /var/log/auth.log

查看有哪些 IP 在破解 root 密码及其次数

sudo grep "Failed password for root" /var/log/secure | awk '{print $11}' | uniq -c | sort -nr | more

再来看破解猜测了哪些用户名

sudo grep "Failed password for invalid user" /var/log/secure | awk '{print $11}' | uniq -c | sort -nr | more

使用 DenyHosts 对 SSH 进行保护

使用 Fail2Ban 对 SSH 进行保护

Fail2Ban is an application that bans IP addresses from logging into your server after too many failed login attempts. Since legitimate logins usually take no more than three tries to succeed (and with SSH keys, no more than one), a server being spammed with unsuccessful logins indicates attempted malicious access.

Fail2Ban can monitor a variety of protocols including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only, and is a helpful security deterrent for any server since the SSH daemon is usually configured to run constantly and listen for connections from any remote IP address.

正常登录的话,尝试若干次就可以成功登陆了。但恶意攻击的登录,往往会尝试许多次,Fail2Ban 可以监控 SSH 的登录行为,对恶意尝试登录的进行屏蔽

很有用,以后配置一下

https://linode.com/docs/security/using-fail2ban-for-security/

移除无用的网络服务

Most Linux distributions install with running network services which listen for incoming connections from the internet, the loopback interface, or a combination of both. Network-facing services which are not needed should be removed from the system to reduce the attack surface of both running processes and installed packages.

查看网络服务

sudo ss -atpu

输出内容解读

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=3675,fd=3))

sshd 进程监听来自任何地址任何端口的 IPv 4 连接

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 :::ssh :::* users:(("sshd",pid=3675,fd=4))

sshd 进程监听来自任何地址任何端口的 IPv 6 连接

移除软件命令

Arch

sudo pacman -Rs package_name

CentOS

sudo yum remove package_name

Debian / Ubuntu

sudo apt purge package_name

Fedora

sudo dnf remove package_name

防火墙

Using a firewall to block unwanted inbound traffic to your Linode provides a highly effective security layer. By being very specific about the traffic you allow in, you can prevent intrusions and network mapping. A best practice is to allow only the traffic you need, and deny everything else.

最常见的几款防火墙应用

  • Iptables is the controller for netfilter, the Linux kernel’s packet filtering framework. Iptables is included in most Linux distributions by default.
  • FirewallD is the iptables controller available for the CentOS / Fedora family of distributions.
  • UFW provides an iptables frontend for Debian and Ubuntu.

留在以后详细配置。

Next