document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-13 22:30:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

translated

Browse Source
This commit is contained in:
geekpi 2016-12-29 20:28:28 +08:00
parent d786031775
commit bb34add13e
2 changed files with 378 additions and 382 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

382
sources/tech/20160516 Securing Your Server.md
View File

@ -1,382 +0,0 @@
translating---geekpi
Securing Your Server
============================================================
### Update Your SystemFrequently
Keeping your software up to date is the single biggest security precaution you can take for any operating system. Software updates range from critical vulnerability patches to minor bug fixes, and many software vulnerabilities are actually patched by the time they become public.
### Automatic Security Updates
There are arguments for and against automatic updates on servers. [Fedoras Wiki][15] has a good breakdown of the pros and cons, but the risk of automatic updates will be minimal if you limit them to security updates.
The practicality of automatic updates is something you must judge for yourself because it comes down to what _you_ do with your Linode. Bear in mind that automatic updates apply only to packages sourced from repositories, not self-compiled applications. You may find it worthwhile to have a test environment that replicates your production server. Updates can be applied there and reviewed for issues before being applied to the live environment.
* CentOS uses _[yum-cron][2]_ for automatic updates.
* Debian and Ubuntu use _[unattended upgrades][3]_.
* Fedora uses _[dnf-automatic][4]_.
### Add a Limited User Account
Up to this point, you have accessed your Linode as the `root` user, which has unlimited privileges and can execute _any_ commandeven one that could accidentally disrupt your server. We recommend creating a limited user account and using that at all times. Administrative tasks will be done using `sudo` to temporarily elevate your limited users privileges so you can administer your server.
> Not all Linux distributions include `sudo` on the system by default, but all the images provided by Linode have sudo in their package repositories. If you get the output `sudo: command not found`, install sudo before continuing.
To add a new user, first [log in to your Linode][16] via SSH.
### CentOS / Fedora
1. Create the user, replacing `example_user` with your desired username, and assign a password:
```
useradd example_user && passwd example_user
```
2. Add the user to the `wheel` group for sudo privileges:
```
usermod -aG wheel example_user
```
### Ubuntu
1. Create the user, replacing `example_user` with your desired username. Youll then be asked to assign the user a password:
```
adduser example_user
```
2. Add the user to the `sudo` group so youll have administrative privileges:
```
adduser example_user sudo
```
### Debian
1. Debian does not include `sudo` among their default packages. Use `apt-get` to install it:
```
apt-get install sudo
```
2. Create the user, replacing `example_user` with your desired username. Youll then be asked to assign the user a password:
```
adduser example_user
```
3. Add the user to the `sudo` group so youll have administrative privileges:
```
adduser example_user sudo
```
After creating your limited user, disconnect from your Linode:
```
exit
```
Log back in as your new user. Replace `example_user` with your username, and the example IP address with your Linodes IP address:
```
ssh example_user@203.0.113.10
```
Now you can administer your Linode from your new user account instead of `root`. Nearly all superuser commands can be executed with `sudo` (example: `sudo iptables -L -nv`) and those commands will be logged to `/var/log/auth.log`.
### Harden SSH Access
By default, password authentication is used to connect to your Linode via SSH. A cryptographic key-pair is more secure because a private key takes the place of a password, which is generally much more difficult to brute-force. In this section well create a key-pair and configure the Linode to not accept passwords for SSH logins.
### Create an Authentication Key-pair
1. This is done on your local computer, **not** your Linode, and will create a 4096-bit RSA key-pair. During creation, you will be given the option to encrypt the private key with a passphrase. This means that it cannot be used without entering the passphrase, unless you save it to your local desktops keychain manager. We suggest you use the key-pair with a passphrase, but you can leave this field blank if you dont want to use one.
**Linux / OS X**
> If youve already created an RSA key-pair, this command will overwrite it, potentially locking you out of other systems. If youve already created a key-pair, skip this step. To check for existing keys, run `ls ~/.ssh/id_rsa*`.
```
ssh-keygen -b 4096
```
Press **Enter** to use the default names `id_rsa` and `id_rsa.pub` in `/home/your_username/.ssh` before entering your passphrase.
**Windows**
This can be done using PuTTY as outlined in our guide: [Use Public Key Authentication with SSH][6].
2. Upload the public key to your Linode. Replace `example_user` with the name of the user you plan to administer the server as, and `203.0.113.10` with your Linodes IP address.
**Linux**
From your local computer:
```
ssh-copy-id example_user@203.0.113.10
```
**OS X**
On your Linode (while signed in as your limited user):
```
mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/
```
From your local computer:
```
scp ~/.ssh/id_rsa.pub example_user@203.0.113.10:~/.ssh/authorized_keys
```
> `ssh-copy-id` is available in [Homebrew][5] if you prefer it over SCP. Install with `brew install ssh-copy-id`.
**Windows**
* **Option 1**: This can be done using [WinSCP][1]. In the login window, enter your Linodes public IP address as the hostname, and your non-root username and password. Click _Login_ to connect.
Once WinSCP has connected, youll see two main sections. The section on the left shows files on your local computer and the section on the right shows files on your Linode. Using the file explorer on the left, navigate to the file where youve saved your public key, select the public key file, and click _Upload_ in the toolbar above.
Youll be prompted to enter a path where youd like to place the file on your Linode. Upload the file to `/home/example_user/.ssh/authorized_keys`, replacing `example_user` with your username.
* **Option 2:** Copy the public key directly from the PuTTY key generator into the terminal emulator connected to your Linode (as a non-root user):
```
mkdir ~/.ssh; nano ~/.ssh/authorized_keys
```
The above command will open a blank file called `authorized_keys` in a text editor. Copy the public key into the text file, making sure it is copied as a single line exactly as it was generated by PuTTY. Press **CTRL+X**, then **Y**, then **Enter** to save the file.
Finally, youll want to set permissions for the public key directory and the key file itself:
```
sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys
```
These commands provide an extra layer of security by preventing other users from accessing the public key directory as well as the file itself. For more information on how this works, see our guide on [how to modify file permissions][7].
3. Now exit and log back into your Linode. If you specified a passphrase for your private key, youll need to enter it.
### SSH Daemon Options
1. **Disallow root logins over SSH.** This requires all SSH connections be by non-root users. Once a limited user account is connected, administrative privileges are accessible either by using `sudo` or changing to a root shell using `su -`.
```
# Authentication:
...
PermitRootLogin no
```
2. **Disable SSH password authentication.** This requires all users connecting via SSH to use key authentication. Depending on the Linux distribution, the line `PasswordAuthentication` may need to be added, or uncommented by removing the leading `#`.
```
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
```
> You may want to leave password authentication enabled if you connect to your Linode from many different computers. This will allow you to authenticate with a password instead of generating and uploading a key-pair for every device.
3. **Listen on only one internet protocol.** The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your Linode using both protocols, disable whichever you do not need. _This does not disable the protocol system-wide, it is only for the SSH daemon._
Use the option:
* `AddressFamily inet` to listen only on IPv4.
* `AddressFamily inet6` to listen only on IPv6.
The `AddressFamily` option is usually not in the `sshd_config` file by default. Add it to the end of the file:
```
echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config
```
4. Restart the SSH service to load the new configuration.
If youre using a Linux distribution which uses systemd (CentOS 7, Debian 8, Fedora, Ubuntu 15.10+)
```
sudo systemctl restart sshd
```
If your init system is SystemV or Upstart (CentOS 6, Debian 7, Ubuntu 14.04):
```
sudo service ssh restart
```
### Use Fail2Ban for SSH Login Protection
[_Fail2Ban_][17] is an application that bans IP addresses from logging into your server after too many failed login attempts. Since legitimate logins usually take no more than three tries to succeed (and with SSH keys, no more than one), a server being spammed with unsuccessful logins indicates attempted malicious access.
Fail2Ban can monitor a variety of protocols including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only, and is a helpful security deterrent for any server since the SSH daemon is usually configured to run constantly and listen for connections from any remote IP address.
For complete instructions on installing and configuring Fail2Ban, see our guide: [Securing Your Server with Fail2ban][18].
### Remove Unused Network-Facing Services
Most Linux distributions install with running network services which listen for incoming connections from the internet, the loopback interface, or a combination of both. Network-facing services which are not needed should be removed from the system to reduce the attack surface of both running processes and installed packages.
### Determine Running Services
To see your Linodes running network services:
```
sudo netstat -tulpn
```
> If netstat isnt included in your Linux distribution by default, install the package `net-tools` or use the `ss -tulpn`command instead.
The following is an example of netstats output. Note that because distributions run different services by default, your output will differ:
```
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 7315/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3277/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3179/exim4
tcp 0 0 0.0.0.0:42526 0.0.0.0:* LISTEN 2845/rpc.statd
tcp6 0 0 :::48745 :::* LISTEN 2845/rpc.statd
tcp6 0 0 :::111 :::* LISTEN 7315/rpcbind
tcp6 0 0 :::22 :::* LISTEN 3277/sshd
tcp6 0 0 ::1:25 :::* LISTEN 3179/exim4
udp 0 0 127.0.0.1:901 0.0.0.0:* 2845/rpc.statd
udp 0 0 0.0.0.0:47663 0.0.0.0:* 2845/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 7315/rpcbind
udp 0 0 192.0.2.1:123 0.0.0.0:* 3327/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 3327/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 3327/ntpd
udp 0 0 0.0.0.0:705 0.0.0.0:* 7315/rpcbind
udp6 0 0 :::111 :::* 7315/rpcbind
udp6 0 0 fe80::f03c:91ff:fec:123 :::* 3327/ntpd
udp6 0 0 2001:DB8::123 :::* 3327/ntpd
udp6 0 0 ::1:123 :::* 3327/ntpd
udp6 0 0 :::123 :::* 3327/ntpd
udp6 0 0 :::705 :::* 7315/rpcbind
udp6 0 0 :::60671 :::* 2845/rpc.statd
```
Netstat tells us that services are running for [Remote Procedure Call][19] (rpc.statd and rpcbind), SSH (sshd), [NTPdate][20] (ntpd) and [Exim][21] (exim4).
#### TCP
See the **Local Address** column of the netstat readout. The process `rpcbind` is listening on `0.0.0.0:111` and `:::111` for a foreign address of `0.0.0.0:*` or `:::*`. This means that its accepting incoming TCP connections from other RPC clients on any external address, both IPv4 and IPv6, from any port and over any network interface. We see similar for SSH, and that Exim is listening locally for traffic from the loopback interface, as shown by the `127.0.0.1` address.
#### UDP
UDP sockets are _[stateless][14]_, meaning they are either open or closed and every processs connection is independent of those which occurred before and after. This is in contrast to TCP connection states such as _LISTEN_, _ESTABLISHED_ and _CLOSE_WAIT_.
Our netstat output shows that NTPdate is: 1) accepting incoming connections on the Linodes public IP address; 2) communicates over localhost; and 3) accepts connections from external sources. These are over port 123, and both IPv4 and IPv6\. We also see more sockets open for RPC.
### Determine Which Services to Remove
If you were to do a basic TCP and UDP [nmap][22] scan of your Linode without a firewall enabled, SSH, RPC and NTPdate would be present in the result with ports open. By [configuring a firewall][23] you can filter those ports, with the exception of SSH because it must allow your incoming connections. Ideally, however, the unused services should be disabled.
* You will likely be administering your server primarily through an SSH connection, so that service needs to stay. As mentioned above, [RSA keys][8] and [Fail2Ban][9] can help protect SSH.
* NTP is necessary for your servers timekeeping but there are alternatives to NTPdate. If you prefer a time synchronization method which does not hold open network ports, and you do not need nanosecond accuracy, then you may be interested in replacing NTPdate with [OpenNTPD][10].
* Exim and RPC, however, are unnecessary unless you have a specific use for them, and should be removed.
> This section focused on Debian 8\. Different Linux distributions have different services enabled by default. If you are unsure of what a service does, do an internet search to understand what it is before attempting to remove or disable it.
### Uninstall the Listening Services
How to remove the offending packages will differ depending on your distributions package manager.
**Arch**
```
sudo pacman -Rs package_name
```
**CentOS**
```
sudo yum remove package_name
```
**Debian / Ubuntu**
```
sudo apt-get purge package_name
```
**Fedora**
```
sudo dnf remove package_name
```
Run `sudo netstat -tulpn` again. You should now only see listening services for SSH (sshd) and NTP (ntpdate, network time protocol).
### Configure a Firewall
Using a _firewall_ to block unwanted inbound traffic to your Linode provides a highly effective security layer. By being very specific about the traffic you allow in, you can prevent intrusions and network mapping. A best practice is to allow only the traffic you need, and deny everything else. See our documentation on some of the most common firewall applications:
* [Iptables][11] is the controller for netfilter, the Linux kernels packet filtering framework. Iptables is included in most Linux distributions by default.
* [FirewallD][12] is the iptables controller available for the CentOS / Fedora family of distributions.
* [UFW][13] provides an iptables frontend for Debian and Ubuntu.
### Next Steps
These are the most basic steps to harden any Linux server, but further security layers will depend on its intended use. Additional techniques can include application configurations, using [intrusion detection][24] or installing a form of [access control][25].
Now you can begin setting up your Linode for any purpose you choose. We have a library of documentation to assist you with a variety of topics ranging from [migration from shared hosting][26] to [enabling two-factor authentication][27] to [hosting a website][28].
--------------------------------------------------------------------------------
via: https://www.linode.com/docs/security/securing-your-server/
作者:[Phil Zona ][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.linode.com/docs/security/securing-your-server/
[1]:http://winscp.net/
[2]:https://fedoraproject.org/wiki/AutoUpdates#Fedora_21_or_earlier_versions
[3]:https://help.ubuntu.com/lts/serverguide/automatic-updates.html
[4]:https://dnf.readthedocs.org/en/latest/automatic.html
[5]:http://brew.sh/
[6]:https://www.linode.com/docs/security/use-public-key-authentication-with-ssh#windows-operating-system
[7]:https://www.linode.com/docs/tools-reference/modify-file-permissions-with-chmod
[8]:https://www.linode.com/docs/security/securing-your-server/#create-an-authentication-key-pair
[9]:https://www.linode.com/docs/security/securing-your-server/#use-fail2ban-for-ssh-login-protection
[10]:https://en.wikipedia.org/wiki/OpenNTPD
[11]:https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables
[12]:https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos
[13]:https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw
[14]:https://en.wikipedia.org/wiki/Stateless_protocol
[15]:https://fedoraproject.org/wiki/AutoUpdates#Why_use_Automatic_updates.3F
[16]:https://www.linode.com/docs/getting-started#logging-in-for-the-first-time
[17]:http://www.fail2ban.org/wiki/index.php/Main_Page
[18]:https://www.linode.com/docs/security/using-fail2ban-for-security
[19]:https://en.wikipedia.org/wiki/Open_Network_Computing_Remote_Procedure_Call
[20]:http://support.ntp.org/bin/view/Main/SoftwareDownloads
[21]:http://www.exim.org/
[22]:https://nmap.org/
[23]:https://www.linode.com/docs/security/securing-your-server/#configure-a-firewall
[24]:https://linode.com/docs/security/ossec-ids-debian-7
[25]:https://en.wikipedia.org/wiki/Access_control#Access_Control
[26]:https://www.linode.com/docs/migrate-to-linode/migrate-from-shared-hosting
[27]:https://www.linode.com/docs/security/linode-manager-security-controls
[28]:https://www.linode.com/docs/websites/hosting-a-website

378
translated/tech/20160516 Securing Your Server.md Normal file
View File

@ -0,0 +1,378 @@
保护你的服务器
============================================================
### 经常升级系统
保持最新的软件是任何操作系统可以采取的最大的安全预防措施。软件更新的范围从关键漏洞补丁到小bug的修复许多软件漏洞实际上是在它们公开的时候修补的。
### 自动安全更新
服务器上有自动更新的参数。[Fedora的Wiki][15]上有一篇很棒的关于故障的正反两方的文章,但是如果你把它限制到安全更新,自动更新的风险将是最小的。
自动更新的可行性必须你自己判断因为它归结为_你_在你的Linode上做什么。请记住自动更新仅适用于来自仓库的包而不是自编译的程序。你可能会发现一个复制了生产服务器的测试环境是很值得的。可以在测试环境更新并在部署到生产环境之前检查问题。
* CentOS使用_[yum-cron][2]_进行自动更新。
* Debian和Ubuntu使用_[无人值守升级][3]_。
* Fedora使用_[dnf-automatic][4]_。
### 添加一个受限用户账户
到目前为止,你已经作为`root`用户访问了你的Linode它有无限的权限可以执行_任何_命令 - 甚至可能意外中断你的服务器。 我们建议创建有限权限的用户帐户,并始终使用它。 管理任务使用`sudo`来完成,它可以临时提升用户的权限,以便管理你的服务器。
>不是所有的Linux发行版都在系统上默认包含`sudo`但Linode提供的所有镜像都在其软件包仓库中有sudo。 如果得到输出`sudocommand not found`请在继续之前安装sudo。
要添加新用户首先通过SSH[登录到你的Linode][16]。
### CentOS / Fedora
1. 创建用户,用你想要的名字替换`example_user`,并分配一个密码:
```
useradd example_user && passwd example_user
```
2. 将用户添加到具有sudo权限的`wheel`组:
```
usermod -aG wheel example_user
```
### Ubuntu
1. 创建用户,用你想要的名字替换`example_user`。你将被要求输入用户密码:
```
adduser example_user
```
2. 添加用户到`sudo`组,这样你就有管理员权限了:
```
adduser example_user sudo
```
### Debian
1. Debian默认的包中没有`sudo` 使用`apt-get`来安装:
```
apt-get install sudo
```
2. 创建用户,用你想要的名字替换`example_user`。你将被要求输入用户密码:
```
adduser example_user
```
3. 添加用户到`sudo`组,这样你就有管理员权限了:
```
adduser example_user sudo
```
创建完有限权限的用户后断开你的Linode
```
exit
```
重新用你的新用户登录。用你的用户名代替`example_user`用你的IP地址代替例子中的IP地址
```
ssh example_user@203.0.113.10
```
现在你可以用你的新用户帐户管理你的Linode而不是`root`。 几乎所有超级用户命令都可以用`sudo`(例如:`sudo iptables -L -nv`)来执行,这些命令将被记录到/var/log/auth.log中。
### 加固SSH访问
默认情况下密码认证用于通过SSH连接到您的Linode。加密密钥对更安全因为用私钥代替了密码这通常更难以暴力破解。在本节中我们将创建一个密钥对并将Linode配置为不接受SSH密码登录。
###创建验证密钥对
1.这是在你本机上完成的,**不是**你的Linode这里将创建一个4096位的RSA密钥对。在创建过程中您可以选择使用密码加密私钥。这意味着它不能在没有输入密码的情况下使用除非将其保存到本机桌面的密钥管理器中。我们建议您使用带有密码的密钥对但如果你不想使用密码则可以将此字段留空。
    ** Linux / OS X **
    >如果你已经创建了RSA密钥对则用这个命令将覆盖它这可能会不能访问其他系统。如果你已创建密钥对请跳过此步骤。要检查现有的密钥请运行`ls〜/ .ssh / id_rsa *`。
```
ssh-keygen -b 4096
```
在输入密码之前,按下** 回车 **在`/home/your_username/.ssh`中使用默认名称`id_rsa`和`id_rsa.pub`。
**Windows**
这可以使用PuTTY完成在我们指南中已有描述[使用SSH公钥验证][6]。
2.将公钥上传到您的Linode上。 将`example_user`替换为管理服务器的用户的名称,将`203.0.113.10`替换为你的Linode的IP地址。
**Linux**
在本机上:
```
ssh-copy-id example_user@203.0.113.10
```
**OS X**
在你的Linode上用你的有限权限用户登录
```
mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/
```
在本机上:
```
scp ~/.ssh/id_rsa.pub example_user@203.0.113.10:~/.ssh/authorized_keys
```
> 如果对于scp你更喜欢`ssh-copy-id`,那么它可以在[Homebrew][5]中找到。使用`brew install ssh-copy-id`安装。
**Windows**
* **选择1 **:使用[WinSCP][1]来完成。 在登录窗口中输入你的Linode的IP地址作为主机名以及非root的用户名和密码。单击_登录_连接。
         一旦WinSCP连接后你会看到两个主要部分。 左边显示本机上的文件右边显示Linode上的文件。 使用左侧的文件浏览器导航到你已保存公钥的文件选择公钥文件然后点击上面工具栏中的_上传_。
         系统会提示你输入要将文件放在Linode上的路径。 将文件上传到`/home/example_user/.ssh /authorized_keys`,用你的用户名替换`example_user`。
     * **选择2**将公钥直接从PuTTY键生成器复制到连接到你的Linode中作为非root用户
```
mkdir ~/.ssh; nano ~/.ssh/authorized_keys
```
上面命令将在文本编辑器中打开一个名为“authorized_keys”的空白文件。 将公钥复制到文本文件中确保复制的与PuTTY生成的完全一样。 按下** CTRL + X **,然后按下** Y **,然后**回车**保存文件。
最后,你需要为公钥目录和密钥文件本身设置权限:
```
sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys
```
这些命令通过阻止其他用户访问公钥目录以及文件本身来提供额外的安全性。有关它如何工作的更多信息,请参阅我们的指南[如何修改文件权限][7]。
3. 现在退出并重新登录你的Linode。如果你为私钥指定了密码则需要输入密码。
### SSH守护进程选项
1. **不允许通过SSH登录。** 这需要所有SSH连接都是非root用户。一旦连接了有限权限的用户帐户可以通过使用`sudo`或使用`su -`改为root shell来使用管理员权限。
```
# Authentication:
...
PermitRootLogin no
```
2. **禁用SSH密码认证。** 这要求所有通过SSH连接的用户使用密钥认证。根据Linux发行版它可能需要添加`PasswordAuthentication`这行,或者删除前面的“#”来取消注释。
```
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
```
> 如果你从许多不同的计算机连接到Linode你可能想要启用密码验证。这将允许你使用密码进行身份验证而不是为每个设备生成和上传密钥对。
3. **只监听一个互联网协议。** 在默认情况下SSH守护进程同时监听IPv4和IPv6上的传入连接。除非你需要使用这两种协议进入你的Linode否则就禁用你不需要的。 _这不会禁用系统范围的协议它只用于SSH守护进程。_
使用选项:
* `AddressFamily inet` 只监听IPv4。
* `AddressFamily inet6` 只监听IPv6。
默认情况下,`AddressFamily`选项通常不在`sshd_config`文件中。将它添加到文件的末尾:
```
echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config
```
4. 重新启动SSH服务以加载新配置。
如果你使用的Linux发行版使用systemdCentOS 7、Debian 8、Fedora、Ubuntu 15.10+
```
sudo systemctl restart sshd
```
如果您的init系统是SystemV或UpstartCentOS 6、Debian 7、Ubuntu 14.04
```
sudo service ssh restart
```
### 使用Fail2Ban保护SSH登录
[_Fail2Ban _][17]是一个应用程序它会在太多的失败登录尝试后禁止IP地址登录到你的服务器。由于合法登录通常只需要三次尝试成功如果使用SSH密钥那不会不超过一个因此如果服务器充满了登录失败的请求那就表示有恶意访问。
Fail2Ban可以监视各种协议包括SSH、HTTP和SMTP。默认情况下Fail2Ban仅监视SSH并且对任何服务器都是有帮助的安全威慑因为SSH守护程序通常配置为持续运行并监听来自任何远程IP地址的连接。
有关安装和配置Fail2Ban的完整说明请参阅我们的指南[使用Fail2ban保护服务器][18]。
### 删除未使用的面向网络的服务
大多数Linux发行版都安装并运行了网络服务监听来自互联网回环接口或两者的组合的传入连接。 将不需要的面向网络的服务从系统中删除,以减少运行进程和对已安装软件包攻击的概率。
### 查明运行的服务
要查看Linode中运行的服务
```
sudo netstat -tulpn
```
> 如果默认情况下netstat不包含在你的Linux发行版中请安装软件包`net-tools`或使用`ss -tulpn`命令。
以下是netstat的输出示例。 请注意,因为默认情况下不同发行版会运行不同的服务,你的输出将有所不同:
```
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 7315/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3277/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3179/exim4
tcp 0 0 0.0.0.0:42526 0.0.0.0:* LISTEN 2845/rpc.statd
tcp6 0 0 :::48745 :::* LISTEN 2845/rpc.statd
tcp6 0 0 :::111 :::* LISTEN 7315/rpcbind
tcp6 0 0 :::22 :::* LISTEN 3277/sshd
tcp6 0 0 ::1:25 :::* LISTEN 3179/exim4
udp 0 0 127.0.0.1:901 0.0.0.0:* 2845/rpc.statd
udp 0 0 0.0.0.0:47663 0.0.0.0:* 2845/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 7315/rpcbind
udp 0 0 192.0.2.1:123 0.0.0.0:* 3327/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 3327/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 3327/ntpd
udp 0 0 0.0.0.0:705 0.0.0.0:* 7315/rpcbind
udp6 0 0 :::111 :::* 7315/rpcbind
udp6 0 0 fe80::f03c:91ff:fec:123 :::* 3327/ntpd
udp6 0 0 2001:DB8::123 :::* 3327/ntpd
udp6 0 0 ::1:123 :::* 3327/ntpd
udp6 0 0 :::123 :::* 3327/ntpd
udp6 0 0 :::705 :::* 7315/rpcbind
udp6 0 0 :::60671 :::* 2845/rpc.statd
```
netstat告诉我们服务正在运行[远程过程调用][19]rpc.statd和rpcbind、SSHsshd、[NTPdate][20]ntpd和[Exim][21]exim4
#### TCP
请参阅netstat输出的** Local Address **哪列。进程`rpcbind`正在侦听`0.0.0.0:111`和`:::111`,外部地址是 `0.0.0.0:*`或者`:::*`。这意味着它从任何端口和任何网络接口接受来自任何外部地址IPv4和IPv6上的其他RPC客户端的传入TCP连接。 我们看到类似的SSHExim正在侦听来自回环接口的流量如所示的`127.0.0.1`地址。
#### UDP
UDP套接字是_[无状态][14]_的这意味着它们只有打开或关闭并且每个进程的连接独立于前后发生的连接。这与TCP的连接状态例如_LISTEN__ESTABLISHED_和_CLOSE_WAIT_形成对比。
我们的netstat输出说明NTPdate1接受Linode的公共IP地址的传入连接; 2通过本地主机进行通信; 3接受来自外部的连接。这些是通过端口123同时支持IPv4和IPv6。我们还看到了更多的RPC套接字。
### 查明该移除哪个服务
如果你在没有启用防火墙的情况下对Linode进行基本的TCP和UDP的[nmap][22]扫描那么在打开端口的结果中将出现SSH、RPC和NTPdate。通过[配置防火墙][23]你可以过滤掉这些端口但SSH除外因为它必须允许你的传入连接。但是理想情况下应该禁用未使用的服务。
* 你可能主要通过SSH连接管理你的服务器所以让这个服务需要保留。如上所述[RSA密钥][8]和[Fail2Ban][9]可以帮助保护SSH。
* NTP是服务器计时所必需的但有NTPdate的替代方法。如果你喜欢不开放网络端口的时间同步方法并且你不需要纳秒精度那么你可能有兴趣用[OpenNTPD][10]来代替NTPdate。
* 然而Exim和RPC是不必要的除非你有特定的用途否则应该删除它们。
> 本节重点介绍Debian 8。默认情况下不同的Linux发行版具有不同的服务。如果你不确定某项服务的功能请尝试搜索互联网以了解该功能是什么然后再尝试删除或禁用它。
### 卸载监听的服务
如何移除包取决于发行版的包管理器:
**Arch**
```
sudo pacman -Rs package_name
```
**CentOS**
```
sudo yum remove package_name
```
**Debian / Ubuntu**
```
sudo apt-get purge package_name
```
**Fedora**
```
sudo dnf remove package_name
```
再次运行`sudo netstat -tulpn`你看到监听的服务就只会有SSHsshd和NTPntpdate网络时间协议
### 配置防火墙
使用_防火墙_阻止不需要的入站流量能为你的Linode提供一个高效的安全层。 通过指定入站流量,你可以阻止入侵和网络映射。 最佳做法是只允许你需要的流量,并拒绝一切其他流量。请参阅我们的一些关于最常见的防火墙程序的文档:
* [iptables][11]是netfilter的控制器它是Linux内核的包过滤框架。 默认情况下iptables包含在大多数Linux发行版中。
* [firewallD][12]是可用于CentOS/Fedora系列发行版的iptables控制器。
* [UFW][13]为Debian和Ubuntu提供了一个iptables前端。
### 接下来
这些是加固Linux服务器的最基本步骤但是进一步的安全层将取决于其预期用途。 其他技术可以包括应用程序配置,使用[入侵检测][24]或者安装某个形式的[访问控制][25]。
现在你可以按你的需求开始设置你的Linode了。 我们有一个文档库来以帮助你从[从共享主机迁移][26]到[启用两步验证][27]到[托管网站] [28]等各种主题。
--------------------------------------------------------------------------------
via: https://www.linode.com/docs/security/securing-your-server/
作者:[Phil Zona ][a]
译者:[geekpi](https://github.com/geekpi)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.linode.com/docs/security/securing-your-server/
[1]:http://winscp.net/
[2]:https://fedoraproject.org/wiki/AutoUpdates#Fedora_21_or_earlier_versions
[3]:https://help.ubuntu.com/lts/serverguide/automatic-updates.html
[4]:https://dnf.readthedocs.org/en/latest/automatic.html
[5]:http://brew.sh/
[6]:https://www.linode.com/docs/security/use-public-key-authentication-with-ssh#windows-operating-system
[7]:https://www.linode.com/docs/tools-reference/modify-file-permissions-with-chmod
[8]:https://www.linode.com/docs/security/securing-your-server/#create-an-authentication-key-pair
[9]:https://www.linode.com/docs/security/securing-your-server/#use-fail2ban-for-ssh-login-protection
[10]:https://en.wikipedia.org/wiki/OpenNTPD
[11]:https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables
[12]:https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos
[13]:https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw
[14]:https://en.wikipedia.org/wiki/Stateless_protocol
[15]:https://fedoraproject.org/wiki/AutoUpdates#Why_use_Automatic_updates.3F
[16]:https://www.linode.com/docs/getting-started#logging-in-for-the-first-time
[17]:http://www.fail2ban.org/wiki/index.php/Main_Page
[18]:https://www.linode.com/docs/security/using-fail2ban-for-security
[19]:https://en.wikipedia.org/wiki/Open_Network_Computing_Remote_Procedure_Call
[20]:http://support.ntp.org/bin/view/Main/SoftwareDownloads
[21]:http://www.exim.org/
[22]:https://nmap.org/
[23]:https://www.linode.com/docs/security/securing-your-server/#configure-a-firewall
[24]:https://linode.com/docs/security/ossec-ids-debian-7
[25]:https://en.wikipedia.org/wiki/Access_control#Access_Control
[26]:https://www.linode.com/docs/migrate-to-linode/migrate-from-shared-hosting
[27]:https://www.linode.com/docs/security/linode-manager-security-controls
[28]:https://www.linode.com/docs/websites/hosting-a-website