document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2024-12-26 21:30:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

TSL&PRF

Browse Source
This commit is contained in:
Xingyu Wang 2021-04-14 23:47:02 +08:00
parent 931e35285d
commit c30436fe32
2 changed files with 191 additions and 202 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

202
sources/tech/20210412 6 open source tools and tips to securing a Linux server for beginners.md
View File

@ -1,202 +0,0 @@
[#]: subject: (6 open source tools and tips to securing a Linux server for beginners)
[#]: via: (https://opensource.com/article/21/4/securing-linux-servers)
[#]: author: (Sahana Sreeram https://opensource.com/users/sahanasreeram01gmailcom)
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
6 open source tools and tips to securing a Linux server for beginners
======
Use open source tools to protect your Linux environment from breaches.
![People work on a computer server with devices][1]
Because so much of our personal and professional data is available online today, it is important for everyone—from professionals to general internet users—to learn the basics of security and privacy. As a student, I've been able to gain experience in this area through my school's CyberPatriot initiative, where I've had the opportunity to interact with industry experts to learn about cyber breaches and the basic steps to establish a system's security.
This article details six simple steps to improve the security of your Linux environment for personal use, based on what I have learned thus far as a beginner. Throughout my journey, I have utilized open source tools to accelerate my learning process and familiarize myself with higher-level concepts related to securing my Linux server.
I have tested these steps using Ubuntu 18.04, the version I am most familiar with, but these steps will also work for other Linux distributions.
### 1\. Run updates
Developers are constantly finding ways to make servers more stable, fast, and secure by patching known vulnerabilities. Running updates regularly is a good habit to get into to maximize security. Run them with:
```
`sudo apt-get update && apt-get upgrade`
```
### 2\. Enable firewall protection
[Enabling a firewall][2] makes it easier to control incoming and outgoing traffic on your server. There are many firewall applications you can use on Linux, including [firewall-cmd][3] and Uncomplicated Firewall ([UFW][4]). I use UFW, so my examples are specific to it, but these principles apply to any interface you choose.
Install UFW:
```
`sudo apt-get install ufw`
```
If you want to secure your server even more, you can deny incoming and outgoing connections. Be warned: This cuts your server off from the world, so once you've blocked all traffic, you must specify which outgoing connections are allowed from your system:
```
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
You can also write rules for allowing incoming connections you need for personal use:
```
`ufw allow <service>`
```
For example, to allow SSH connections:
```
`ufw allow ssh`
```
Finally, enable your firewall with:
```
`sudo ufw enable`
```
### 3\. Strengthen password protection
Implementing a strong password policy is an important aspect of keeping a server secure from cyberattacks and data breaches. Some best practices for password policies include enforcing a minimum length and specifying password age. I use the libpam-cracklib package to accomplish these tasks.
Install the libpam-cracklib package:
```
`sudo apt-get install libpam-cracklib`
```
To enforce password length:
* Open the `/etc/pam.d/common-password` file.
* Change the minimum character length of all passwords by changing the `minlen=12` line to however many characters you want.
To prevent password reuse:
* In the same file (`/etc/pam.d/common-password`), add the line `remember=x`.
* For example, if you want to prevent a user from reusing one of their last five passwords, use: `remember=5`.
To enforce password age:
* Find the following lines in the `/etc/login.defs` file and replace them with your preferred amount of time (days). For example: [code] PASS_MIN_AGE: 3
PASS_MAX_AGE: 90
PASS_WARN_AGE: 14
```
To enforce character specifications:
* The four parameters to enforce character specifications in passwords are `lcredit` (lowercase), `ucredit` (uppercase), `dcredit` (digit), and `ocredit` (other characters).
* In the same file (`/etc/pam.d/common-password`), locate the line containing `pam_cracklib.so`.
* Add the following to the end of this line: [code]`lcredit=-a ucredit=-b dcredit=-c ocredit=-d`
```
* For example, the following line requires passwords to contain _one_ of each parameter. You can change the numbers based on your preferred level of password security: [code]`lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1`
```
## 4\. Disable nonessential services that are prone to exploitation
It's a best practice to disable unnecessary services. This allows fewer ports to be open for exploitation.
Install the systemd package:
```
`sudo apt-get install systemd`
```
See which services are running:
```
`systemctl list-units`
```
[Recognize][5] which services could cause potential vulnerabilities to your system. For each service:
* Stop the service if it's currently running: [code]`systemctl stop <service>`
```
* Disable the service from starting on boot: [code]`systemctl disable <service>`
```
* After running these commands, check the status of the service: [code]`systemctl status <service>`
```
### 5\. Check for listening ports
Open ports might pose security risks, so it's important to check for ports that are listening on your server. I use the [netstat][6] command to show all network connections:
```
`netstat -tulpn`
```
Look at the address columns to determine the [port number][7]. Once you've found open ports, review them to make sure they're all necessary. If they aren't, [adjust what services you have running][8], or adjust your firewall settings.
### 6\. Scan for malware
Antivirus scanning software can be useful to keep viruses out of your system. Using them is a simple way to keep your server free from malware. My preferred tool is the open source software [ClamAV][9].
Install ClamAV:
```
`sudo apt-get install clamav`
```
Update virus signatures:
```
`sudo freshclam`
```
Scan all files and print out infected files, ringing a bell when one is found:
```
`sudo clamscan -r --bell -i /`
```
You can and should automate scans so that you don't have to remember or spend time doing them manually. For simple automation like this, you can use [systemd timers][10] or your [favorite cron][11].
### Keep your server safe
We cannot leave the responsibility for securing servers to a single person or organization. As the threat landscape continues to expand rapidly, it is up to each of us to be aware of the importance of server security and to employ some simple, effective security best practices.
These are just a few of the many steps you can take to keep your Linux server safe. Of course, prevention is only part of the solution. These policies should be combined with rigorous monitoring for denial of service attacks, doing system analysis with [Lynis][12], and creating frequent backups.
What open source tools do you use to keep your server safe? Tell us about them in the comments.
--------------------------------------------------------------------------------
via: https://opensource.com/article/21/4/securing-linux-servers
作者:[Sahana Sreeram][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/sahanasreeram01gmailcom
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/rh_003499_01_linux11x_cc.png?itok=XMDOouJR (People work on a computer server with devices)
[2]: https://www.redhat.com/sysadmin/secure-linux-network-firewall-cmd
[3]: https://opensource.com/article/20/2/firewall-cheat-sheet
[4]: https://wiki.ubuntu.com/UncomplicatedFirewall
[5]: http://www.yorku.ca/infosec/Administrators/UNIX_disable.html
[6]: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat
[7]: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
[8]: https://opensource.com/article/20/5/systemd-units
[9]: https://www.clamav.net/
[10]: https://opensource.com/article/20/7/systemd-timers
[11]: https://opensource.com/article/21/2/linux-automation
[12]: https://opensource.com/article/20/5/linux-security-lynis

191
translated/tech/20210412 6 open source tools and tips to securing a Linux server for beginners.md Normal file
View File

@ -0,0 +1,191 @@
[#]: subject: (6 open source tools and tips to securing a Linux server for beginners)
[#]: via: (https://opensource.com/article/21/4/securing-linux-servers)
[#]: author: (Sahana Sreeram https://opensource.com/users/sahanasreeram01gmailcom)
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: (wxy)
[#]: publisher: ( )
[#]: url: ( )
6 个提升 Linux 服务器的安全开源工具和技巧
======
> 使用开源工具来保护你的 Linux 环境不被入侵。
![人们在带设备的计算机服务器上工作][1]
由于如今我们的许多个人和专业数据都可以在网上获得,因此无论是专业人士还是普通互联网用户,学习安全和隐私的基本知识是非常重要的。作为一名学生,我通过学校的 CyberPatriot 活动获得了这方面的经验,在那里我有机会与行业专家交流,了解网络漏洞和建立系统安全的基本步骤。
本文基于我作为初学者迄今所学的知识,详细介绍了六个简单的步骤,以提高个人使用的 Linux 环境的安全性。在我的整个旅程中,我利用开源工具来加速我的学习过程,并熟悉了与提升 Linux 服务器安全有关的更高层次的概念。
我使用我最熟悉的 Ubuntu 18.04 版本测试了这些步骤,但这些步骤也适用于其他 Linux 发行版。
### 1、运行更新
开发者们不断地寻找方法,通过修补已知的漏洞,使服务器更加稳定、快速、安全。定期运行更新是一个好习惯,可以最大限度地提高安全性。运行它们:
```
sudo apt-get update && apt-get upgrade
```
### 2、启用防火墙保护
[启用防火墙][2] 可以更容易地控制服务器上的进站和出站流量。在 Linux 上有许多防火墙应用程序可以使用,包括 [firewall-cmd][3] 和 <ruby>简单防火墙<rt>Uncomplicated Firewall</rt></ruby>[UFW][4])。我使用 UFW所以我的例子是专门针对它的但这些原则适用于你选择的任何防火墙。
安装 UFW
```
sudo apt-get install ufw
```
如果你想进一步保护你的服务器,你可以拒绝传入和传出的连接。请注意,这将切断你的服务器与世界的联系,所以一旦你封锁了所有的流量,你必须指定哪些出站连接是允许从你的系统中发出的:
```
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
你也可以编写规则来允许你个人使用所需要的传入连接:
```
ufw allow <service>
```
例如,允许 SSH 连接:
```
ufw allow ssh
```
最后,启用你的防火墙:
```
sudo ufw enable
```
### 3、加强密码保护
实施强有力的密码政策是保持服务器安全、防止网络攻击和数据泄露的一个重要方面。密码策略的一些最佳实践包括强制要求最小长度和指定密码年龄。我使用 libpam-cracklib 软件包来完成这些任务。
安装 libpam-cracklib 软件包:
```
sudo apt-get install libpam-cracklib
```
强制要求密码的长度:
* 打开 `/etc/pam.d/common-password` 文件。
* 将 `minlen=12` 行改为你需要的任意字符数,从而改变所有密码的最小字符长度要求。
为防止密码重复使用:
* 在同一个文件(`/etc/pam.d/common-password`)中,添加 `remember=x` 行。
* 例如,如果你想防止用户重复使用他们最后 5 个密码中的一个,使用 `remember=5`
要强制要求密码年龄:
* 在 `/etc/login.defs` 文件中找到以下几行,并用你喜欢的时间(天数)替换。例如:
```
PASS_MIN_AGE: 3
PASS_MAX_AGE: 90
PASS_WARN_AGE: 14
```
强制要求字符规格:
* 在密码中强制要求字符规格的四个参数是 `lcredit`(小写)、`ucredit`(大写)、`dcredit`(数字)和 `ocredit`(其他字符)。
* 在同一个文件(`/etc/pam.d/common-password`)中,找到包含 `pam_cracklib.so` 的行。
* 在该行末尾添加以下内容:`lcredit=-a ucredit=-b dcredit=-c ocredit=-d`。
* 例如,下面这行要求密码必须至少包含一个每种字符。你可以根据你喜欢的密码安全级别来改变数字。`lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1`。
### 4、停用容易被利用的非必要服务。
停用不必要的服务是一种最好的做法。这样可以减少开放的端口,以便被利用。
安装 systemd 软件包:
```
sudo apt-get install systemd
```
查看哪些服务正在运行:
```
systemctl list-units
```
[识别][5] 哪些服务可能会导致你的系统出现潜在的漏洞。对于每个服务可以:
* 停止当前正在运行的服务:`systemctl stop <service>`。
* 禁止服务在系统启动时启动:`systemctl disable <service>`。
* 运行这些命令后,检查服务的状态:`systemctl status <service>`。
### 5、检查监听端口
开放的端口可能会带来安全风险,所以检查服务器上的监听端口很重要。我使用 [netstat][6] 命令来显示所有的网络连接:
```
netstat -tulpn
```
查看 “address” 列,确定 [端口号][7]。一旦你找到了开放的端口,检查它们是否都是必要的。如果不是,[调整你正在运行的服务][8],或者调整你的防火墙设置。
### 6、扫描恶意软件
杀毒扫描软件可以有用的防止病毒进入你的系统。使用它们是一种简单的方法,可以让你的服务器免受恶意软件的侵害。我首选的工具是开源软件 [ClamAV][9]。
安装 ClamAV
```
sudo apt-get install clamav
```
更新病毒签名:
```
sudo freshclam
```
扫描所有文件,并打印出被感染的文件,发现一个就会响铃:
```
sudo clamscan -r --bell -i /
```
你可以而且应该设置为自动扫描,这样你就不必记住或花时间手动进行扫描。对于这样简单的自动化,你可以使用 [systemd 定时器][10] 或者你的 [喜欢的 cron][11] 来做到。
### 保证你的服务器安全
我们不能把保护服务器安全的责任只交给一个人或一个组织。随着威胁环境的不断迅速扩大,我们每个人都应该意识到服务器安全的重要性,并采用一些简单、有效的安全最佳实践。
这些只是你提升 Linux 服务器的安全可以采取的众多步骤中的一部分。当然,预防只是解决方案的一部分。这些策略应该与严格监控拒绝服务攻击、用 [Lynis][12] 做系统分析以及创建频繁的备份相结合。
你使用哪些开源工具来保证服务器的安全?在评论中告诉我们它们的情况。
--------------------------------------------------------------------------------
via: https://opensource.com/article/21/4/securing-linux-servers
作者:[Sahana Sreeram][a]
选题:[lujun9972][b]
译者:[wxy](https://github.com/wxy)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/sahanasreeram01gmailcom
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/rh_003499_01_linux11x_cc.png?itok=XMDOouJR (People work on a computer server with devices)
[2]: https://www.redhat.com/sysadmin/secure-linux-network-firewall-cmd
[3]: https://opensource.com/article/20/2/firewall-cheat-sheet
[4]: https://wiki.ubuntu.com/UncomplicatedFirewall
[5]: http://www.yorku.ca/infosec/Administrators/UNIX_disable.html
[6]: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat
[7]: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
[8]: https://opensource.com/article/20/5/systemd-units
[9]: https://www.clamav.net/
[10]: https://opensource.com/article/20/7/systemd-timers
[11]: https://opensource.com/article/21/2/linux-automation
[12]: https://opensource.com/article/20/5/linux-security-lynis