document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-03-21 02:10:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2921 from KayGuoWhu/master

Browse Source 
[Translated]20150610 How to secure your Linux server
This commit is contained in:
ictlyh 2015-06-13 17:51:22 +08:00
commit d967d8d4f0
2 changed files with 236 additions and 234 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

234
sources/tech/20150610 How to secure your Linux server.md
View File

@ -1,234 +0,0 @@
[translating by KayGuoWhu]
How to secure your Linux server
================================================================================
> A server is made up of so many different components that makes it hard to offer one solution for everyone's needs. This articles tries to cover some useful tips and tricks to help you keep your server and users protected.
No doubt improving server security is one of the most important things system administrators should always look for. This of course has been a topic of many different articles, blogs and forum threads.
A server is made up of so many different components that makes it hard to offer one solution for everyones needs. This articles tries to cover some useful tips and tricks to help you keep your server and users protected.
There are a few things that every system administrator should know and there is no way to talk about security without mentioning:
- Keep your system **up to date**
- Change passwords frequently use numeric, alphabetical and non-alphabetical symbols
- Give users the **minimum** permissions they need to do their job.
- Install only packages that you really need
Here comes the more interesting part:
### Change default SSH port ###
The first thing that I would like to change when setting up a new server is the default SSH port. This simple change can save your server from thousands of brute force attempts.
To change the default SSH port, open your sshd_config:
sudo vim /etc/ssh/sshd_config
Find the following line:
#Port 22
The “#” symbol means that this line is a comment. Remove the # symbol then change the port to a number of your choice. The port number should not be larger than 65535. Make sure not to use any port already used by your system or other services. You can see a list of commonly used ports in [Wikipedia][1]. For the purpose of this article I will use:
Port 16543
Now save the file and close it for a moment.
Next important step is to:
### Use SSH Keys ###
It is extremely important to use SSH keys when accessing the server over SSH. This adds additional protection and ensure that only people who have the key can access the server.
To generate SSH key on your local computer run:
ssh-keygen -t rsa
You will receive an output asking you to setup the file name where the key should be written as well as setup a password:
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): my_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my_key.
Your public key has been saved in my_key.pub.
The key fingerprint is:
SHA256:MqD/pzzTRsCjZb6mpfjyrr5v1pJLBcgprR5tjNoI20A
When compete, you will have two files:
my_key
my_key.pub
Now copy the my_key.pub to ~/.ssh/authorized_keys
cp my_key.pub ~/.ssh/authorized_keys
Now upload your key on the server by using:
scp -P16543 authorized_keys user@yourserver-ip:/home/user/.ssh/
Now you can access the server from the same local machine without having to enter any password.
### Disable password authentication for SSH ###
Now that we have SSH keys, it is safe to disable the password authentication for SSH. Open again the sshd_config file and set the following changes:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
### Disable Root login ###
The next important step is to disable direct access with root user. Instead you should use sudo or su to perform administrative jobs. To do this you will need to add a new user that has root privileges. To do this you will need to edit the sudoers file located in:
/etc/sudoers/
You may edit that file with command such as **visudo**. I would recommend you using this command as it will check the file for any syntax errors prior closing the file. This is useful if you have wrongly edited the file.
Now to give root privileges to a user. For the purpose of this tutorial I will use user **sysadmin**. Make sure you are using an existing user on your system when you edit your own file. Now find the following line:
root ALL=(ALL) ALL
Copy that line and paste it below. In the new line change “root” with “sysadmin”. You should now have these two lines:
root ALL=(ALL) ALL
sysadmin ALL=(ALL) ALL
I would like to explain what each of the options in the above line represents:
(1) root (2)ALL=(3)(ALL) (4)ALL
(1) User
(2) Terminal from which user can use sudo
(3) Which users User may act as
(4) Which commands he may use
You can use this settings to give access to users to some of the system tools.
At this point it is safe to save your file.
To disable direct root access over SSH open again the **sshd_config** file and find the following line:
#PermitRootLogin yes
and change it to:
PermitRootLogin no
Now save the file and restart the sshd daemon so the changes can take effect. Simply run the following command:
sudo /etc/init.d/sshd restart
### Setup firewall ###
A firewall can help you block incoming and outgoing ports as well as block brute force login attempts. I like using SCF (Config Server Firewall) as it a powerful solution that uses iptables, its easy to manage and has a web interface for people who dont like typing too many commands.
To install CSF access your server and navigate to:
cd /usr/local/src/
Then execute the following commands as root:
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
csf
sh install.sh
You will need to wait for the installer to finish its job. We will edit CSF configuration by editing:
/etc/csf/csf.conf
By default CSF will be started in testing mode. You will need to set it to product by changing the “TESTING” value to 0
TESTING = "0"
Next thing you can edit are the allowed ports on your server. For that purpose find the following section of the csf.conf file and modify the ports per your needs:
# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,16543"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,16543"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
Setup these per your requirements. I would recommend you using only the ports you need and avoiding allowing huge ranges of ports. Additionally you can avoid using the unsecured services unsecured ports. For example instead of allowing the default SMTP port 25 you can only allow ports 465 and 587 for outgoing emails.
**IMPORTANT**: Do not forget to allow your customized SSH port.
It is important to allow your IP address so it will never get blocked. Such IP addresses can be defined in:
/etc/csf/csf.ignore
The blocked IP address will appear in:
/etc/csf/csf.deny
When you have finished making changes restart csf with:
sudo /etc/init.d/csf restart
Just to show you how useful CSF is I will show you part of csf.deny on one of my servers:
211.216.48.205 # lfd: (sshd) Failed SSH login from 211.216.48.205 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar 6 00:30:35 2015
103.41.124.53 # lfd: (sshd) Failed SSH login from 103.41.124.53 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:06:46 2015
103.41.124.42 # lfd: (sshd) Failed SSH login from 103.41.124.42 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:59:04 2015
103.41.124.26 # lfd: (sshd) Failed SSH login from 103.41.124.26 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 02:48:26 2015
109.169.74.58 # lfd: (sshd) Failed SSH login from 109.169.74.58 (GB/United Kingdom/mail2.algeos.com): 5 in the last 3600 secs - Fri Mar 6 03:49:03 2015
The IP addresses that performed the brute force login attempt got blocked and they will not bother me again.
#### Lock accounts ####
In case an account is not going to be used for a long period of time you can lock it in order to prevent access to it. You can do this with:
passwd -l accountName
Account can still be used by the root user.
### Know your services ###
The whole idea of a server is to provide access to different services. Limit those to only the ones you need and disable the unused ones. This will not only free some resources, but will make your server a little bit more secured. For example if you are running a headless server you will definitely not need X display or a desktop environment. If there are no Windows network shares, you can safely disable Samba.
You can use the commands below to see which services are started upon system boot:
chkconfig --list | grep "3:on"
If your system runs with **systemd**:
systemctl list-unit-files --type=service | grep enabled
To disable a service you can use commands such as:
chkconfig service off
systemctl disable service
In the above example change “service” with the name of the actual service you wish to stop. Here is an example:
chkconfig httpd off
systemctl disable httpd
### Conclusion ###
This article was meant to cover some of the general security steps you can take to start securing your server. You can always take additional actions to increase the server protection. Remember that it is your responsibility to keep your server secured and make the wise decision while doing it. Unfortunately there is no easy way to do this and the “perfect” setup requires lots of time and tests until you achieve the desired result.
--------------------------------------------------------------------------------
via: http://www.linuxveda.com/2015/06/03/secure-linux-server/
作者:[Marin Todorow][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.linuxveda.com/author/marin_todorov/
[1]:http://en.wikipedia.org/wiki/Port_%28computer_networking%29#Common_port_numbers

236
translated/tech/20150610 How to secure your Linux server.md Normal file
View File

@ -0,0 +1,236 @@
Linux服务器安全攻略
================================================================================
> 一台服务器由大量功能各异的部件组成,这一点使得很难根据每个人的需求去提供定制的解决方案。这篇文章尽可能涵盖一些有所裨益的小技巧来帮助管理员保证服务器和用户安全。
毋庸置疑,对于系统管理员,提高服务器的安全性是最重要的事情之一。因此,也就有了许多针对这个话题而生的文章、博客和论坛帖子。
一台服务器由大量功能各异的部件组成,这一点使得很难根据每个人的需求去提供定制的解决方案。这篇文章尽可能涵盖一些有所裨益的小技巧来帮助管理员保证服务器和用户安全。
有一些常识是每个系统管理员都应该烂熟于心的,所以下面的几点在后文将不会提及:
- 务必保证系统是**最新的**
- 经常更换密码 - 使用数字、阿拉伯字母和非阿拉伯字母的符号组合
- 给予用户**最小**的权限,满足他们日常使用所需即可
- 只安装那些真正需要的软件包
下面是一些更有意思的内容:
### 更改SSH默认端口 ###
在搭建好一台全新的服务器后要做的第一件事情就是更改SSH的默认端口。这个小小单的改动能够使你的服务器避免受到成千上万的暴力攻击译者注不更改默认端口相当于黑客们知道你家的门牌号这样他们只需要一把一把的试钥匙就可能打开你家的锁
要更改默认的SSH端口先打开sshd_config文件
sudo vim /etc/ssh/sshd_config
找到下面这行:
#Port 22
“#”号表示这行是注释。首先删除#号然后把端口号改成目的端口。端口号不能超过65535确保要指定的端口号没有被系统或其它服务占用。建议在[维基百科]上查看常用端口号列表。在本文中,使用这个端口号:
Port 16543
然后保存并关闭文件,等待更改生效。
接下来的一步是:
### 使用SSH密钥 ###、
在通过SSH访问服务器时使用SSH密钥进行认证是尤其重要的。这样做为服务器增加了额外的保护确保只有那些拥有密钥的人才能访问服务器。
在本地机器上运行下面命令以生成SSH密钥
ssh-keygen -t rsa
你会看到下面的输出,询问要将密钥写到哪一个文件,并且设置一个密码:
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): my_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my_key.
Your public key has been saved in my_key.pub.
The key fingerprint is:
SHA256:MqD/pzzTRsCjZb6mpfjyrr5v1pJLBcgprR5tjNoI20A
完成之后,就得到两个文件:
my_key
my_key.pub
接下来把my_key.pub拷贝到~/.ssh/authorized_key中
cp my_key.pub ~/.ssh/authorized_keys
然后使用下面命令将密钥上传到服务器:
scp -P16543 authorized_keys user@yourserver-ip:/home/user/.ssh/
至此,你就可以从这台本地机器上无密码地访问服务器了。
### 关闭SSH的密码认证 ###
既然已经有了SSH密钥那么关闭SSH的密码认证就很安全了。再次打开并编辑sshd_config按如下设置
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
### 关闭Root登录 ###
下面关键的一步是关闭root用户的直接访问而使用sudo或su来执行管理员任务。首先需要添加一个有root权限的新用户所以编辑这个路径下的sudoers文件
/etc/sudoers/
可以使用如**visudo**这样的命令编辑文件,推荐使用这个命令,因为它会在关闭文件之前检查任何可能出现的语法错误。当你在编辑文件时出错了,这就很有用了。
接下来赋予某个用户root权限。在本文中使用用户**sysadmin**。确保在编辑后这个文件时使用的用户是系统已有的用户。找到下面这行:
root ALL=(ALL) ALL
拷贝这行然后粘贴在下一行然后把root更改为“sysadmin”如下所示
root ALL=(ALL) ALL
sysadmin ALL=(ALL) ALL
现在解释一下这行的每一个选项的含义:
(1) root (2)ALL=(3)(ALL) (4)ALL
(1) 指定用户
(2) 指定用户使用sudo的终端
(3) 指定用户可以担任的用户角色
(4) 这个用户可以使用的命令
使用这个配置可以给用户访问一些系统工具的权限。
这时,可以放心保存文件了。
为了关闭通过SSH直接访问root需要再次打开**sshd_config**,找到下面这行:
#PermitRootLogin yes
更改为:
PermitRootLogin no
然后保存文件重启sshd守护进程使改动生效。执行下面命令即可
sudo /etc/init.d/sshd restart
### 设置防火墙 ###
防火墙有助于过滤出入端口和阻止使用暴力法的登录尝试。我倾向于使用SCF(Config Server Firewall)这个强力防火墙。它使用了iptables易于管理而且对于不擅于输入命令的用户提供了web界面。
要安装CSF先登录到服务器切换到这个目录下
cd /usr/local/src/
然后以root权限执行下面命令
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
csf
sh install.sh
只需等待安装程序完成然后编辑CSF的配置文件
/etc/csf/csf.conf
默认情况下CSF是以测试模式运行。通过将“TESTING”的值设置成0切换到product模式。
TESTING = "0"
下面要设置的就是服务器上允许通过的端口。在csf.conf中定位到下面的部分根据需要修改端口
# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,16543"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,16543"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
请根据需要逐一设置推荐只使用那些需要的端口避免设置对端口进行大范围设置。此外也要避免使用不安全服务的不安全端口。比如只允许端口465和587来发送电子邮件取代默认的SMTP端口25.
**重要**千万不要忘记允许自定义SHH端口。
允许防火墙通过你的IP地址使其不被屏蔽这一点很重要。IP地址定义在下面的文件中
/etc/csf/csf.ignore
被屏蔽的IP地址会出现在这个文件中
/etc/csf/csf.deny
一旦完成更改使用这个命令重启csf
sudo /etc/init.d/csf restart
下面是在某台服务器上的csf.deny文件的部分内容来说明CSF是很有用的
211.216.48.205 # lfd: (sshd) Failed SSH login from 211.216.48.205 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar 6 00:30:35 2015
103.41.124.53 # lfd: (sshd) Failed SSH login from 103.41.124.53 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:06:46 2015
103.41.124.42 # lfd: (sshd) Failed SSH login from 103.41.124.42 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:59:04 2015
103.41.124.26 # lfd: (sshd) Failed SSH login from 103.41.124.26 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 02:48:26 2015
109.169.74.58 # lfd: (sshd) Failed SSH login from 109.169.74.58 (GB/United Kingdom/mail2.algeos.com): 5 in the last 3600 secs - Fri Mar 6 03:49:03 2015
可以看到尝试通过暴力法登录的IP地址都被屏蔽了真是眼不见心不烦啊
#### 锁住账户 ####
如果某个账户在很长一段时间内都不会被使用了,那么可以将其锁住以防止其它人访问。使用如下命令:
passwd -l accountName
当然这个账户依然可以被root用户使用。
### 了解服务器上的服务 ###
服务器的本质是为各种服务提供访问功能。使服务器只运行所需的服务关闭没有使用的服务。这样做不仅会释放一些系统资源而且也会使服务器变得更加安全。比如如果只是运行一个简单的服务器显然不需要X显示或者桌面环境。如果不需要Windows网络共享功能则可以放心关闭Samba。
使用下面的命令能查看伴随系统启动而启动的服务:
chkconfig --list | grep "3:on"
如果系统运行了**systemd**,执行这条命令:
systemctl list-unit-files --type=service | grep enabled
然后使用下面的命令关闭服务:
chkconfig service off
systemctl disable service
在上面的例子中把“service”替换成真正想要停止的服务名称。实例如下
chkconfig httpd off
systemctl disable httpd
### 小结 ###
这篇文章的目的是涵盖一些通用的安全步骤以便帮助你保护服务器。你可以采取额外的方式去增强对服务器的保护。请记住保证服务器安全是你的责任,在维护服务器安全时尽量做出明智的选择,尽管并没有什么容易的方式去完成这件事情,而建立“完善的”安全需要花费大量的时间和测试直到达到想要的结果。
--------------------------------------------------------------------------------
via: http://www.linuxveda.com/2015/06/03/secure-linux-server/
作者:[Marin Todorow][a]
译者:[KayGuoWhu](https://github.com/KayGuoWhu)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.linuxveda.com/author/marin_todorov/
[1]:http://en.wikipedia.org/wiki/Port_%28computer_networking%29#Common_port_numbers