Summary: This Feng Ge tutorial draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman, and explains in detail how the relevant technologies are configured and used.
This document describes in detail how to harden Linux services.
Part01-Web service security
1.1 Nginx security configuration
$ sudo tee /etc/nginx/nginx.conf << 'EOF'
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Hide the nginx version in the Server header and error pages
    server_tokens off;
    # Limit request sizes to reduce the impact of oversized requests
    client_body_buffer_size 16k;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 4 8k;
    # TLS: only TLS 1.2/1.3 with AEAD cipher suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Security response headers ("always" also sends them on error responses)
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css text/xml text/javascript application/javascript application/json;
    # Rate and connection limiting per client address
    limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
    include /etc/nginx/conf.d/*.conf;
}
EOF
# Configure the virtual hosts
$ sudo tee /etc/nginx/conf.d/example.conf << 'EOF'
server {
    listen 80;
    server_name fgedu.net.cn www.fgedu.net.cn;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name fgedu.net.cn www.fgedu.net.cn;
    ssl_certificate /etc/nginx/ssl/fgedu.net.cn.crt;
    ssl_certificate_key /etc/nginx/ssl/fgedu.net.cn.key;
    root /var/www/html;
    index index.html index.htm;
    location / {
        limit_req zone=req_limit burst=20 nodelay;
        limit_conn conn_limit 10;
        try_files $uri $uri/ =404;
    }
    # Deny access to dot-files and to sensitive file types
    location ~ /\. {
        deny all;
    }
    location ~* \.(htaccess|htpasswd|ini|log|sh|sql)$ {
        deny all;
    }
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
    }
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
EOF
# Test the configuration
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Restart Nginx
$ sudo systemctl restart nginx
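As an added example (not part of the original tutorial), a small Python audit of the nginx configuration above: it flattens the directive tree and flags weak ssl_protocols and, more importantly, any block whose own add_header silently drops the security headers inherited from http{}; the static-file location in example.conf is exactly such a case. The configuration embedded in the script is a constructed excerpt, not the page's full files.

```python
import re
# Constructed excerpt modelled on the nginx.conf and example.conf above (not the page's full files).
SAMPLE_CONF = r"""
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    server {
        location ~* \.(jpg|css|js)$ {
            expires 30d;
            add_header Cache-Control "public, immutable";
        }
    }
}
"""
# Tokens: comments, quoted strings, the structural characters { } ; and bare words.
TOKEN = re.compile(r'#[^\n]*|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[{};]|[^\s{};"\'#]+')
SECURITY_HEADERS = {"X-Frame-Options", "X-Content-Type-Options", "Content-Security-Policy"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse(text):
    """Flatten an nginx config into (context, directive, args) triples."""
    stack, out, cur = [], [], []
    for tok in TOKEN.findall(text):
        if tok.startswith("#"):
            continue
        if tok == "{":
            stack.append(" ".join(cur)); cur = []
        elif tok == "}":
            stack.pop(); cur = []
        elif tok == ";":
            out.append(("/".join(stack), cur[0], cur[1:])); cur = []
        else:
            cur.append(tok[1:-1] if tok[0] in "\"'" else tok)
    return out

def audit(text):
    """Return sorted findings; an empty list means every check passed."""
    d, findings = parse(text), []
    for ctx, n, a in d:
        if n == "ssl_protocols" and WEAK_PROTOCOLS & set(a):
            findings.append(f"{ctx}: weak ssl_protocols {sorted(WEAK_PROTOCOLS & set(a))}")
    # add_header is not merged across levels: a block that sets any add_header drops
    # every header inherited from its parents unless it repeats them.
    for ctx in {c for c, n, _ in d if n == "add_header"}:
        missing = SECURITY_HEADERS - {a[0] for c, n, a in d if c == ctx and n == "add_header"}
        if missing:
            findings.append(f"{ctx}: add_header here drops inherited {sorted(missing)}")
    return sorted(findings)
```

Running audit(SAMPLE_CONF) reports only the static-file location; repeating the security headers inside that location (or moving Cache-Control to an expires-only block) clears the finding.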
Part02-Database security
2.1 MySQL security configuration
$ sudo mysql_secure_installation
Securing the MySQL server deployment.
Enter password for user root:
VALIDATE PASSWORD COMPONENT can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD component?
Press y|Y for Yes, any other key for No: y
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2
New password:
Re-enter new password:
Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
- Dropping test database...
Success.
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.
# Configure MySQL
$ sudo tee /etc/my.cnf.d/mysql-server.cnf << 'EOF'
[mysqld]
bind-address = 127.0.0.1
port = 3306
datadir = /var/lib/mysql
socket = /var/lib/mysql/mysql.sock
user = mysql
max_connections = 100
max_user_connections = 50
local_infile = 0
skip-symbolic-links
log_error = /var/log/mysql/mysqld.log
log_queries_not_using_indexes = 1
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2
ssl-ca = /etc/mysql/ssl/ca.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key = /etc/mysql/ssl/server-key.pem
require_secure_transport = ON
plugin-load-add = validate_password.so
validate_password_length = 12
validate_password_policy = STRONG
[mysql]
socket = /var/lib/mysql/mysql.sock
EOF
# Create an administrative user
$ mysql -u root -p
mysql> CREATE USER 'admin'@'localhost' IDENTIFIED BY 'StrongPassword123!';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
# Create an application user with only the privileges it needs on its own database
mysql> CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'AppPassword123!';
mysql> GRANT SELECT, INSERT, UPDATE, DELETE ON webapp.* TO 'webapp'@'localhost';
mysql> FLUSH PRIVILEGES;
# Show the user's privileges
mysql> SHOW GRANTS FOR 'webapp'@'localhost';
# Remove anonymous users
mysql> DELETE FROM mysql.user WHERE User='';
mysql> FLUSH PRIVILEGES;
# Restart MySQL
$ sudo systemctl restart mysqld
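As an added example (not from the tutorial), a Python check that applies the account rules from the steps above to rows in the shape of SELECT user, host FROM mysql.user plus SHOW GRANTS output: anonymous accounts, root reachable from other hosts, wildcard hosts, and global privileges or GRANT OPTION held outside the intended administrative accounts. The rows and the ADMIN_ACCOUNTS allow-list are constructed assumptions.

```python
import re

# Constructed rows in the shape of SELECT user, host FROM mysql.user plus SHOW GRANTS
# output after the steps above (sample data, not real server output).
ACCOUNTS = [
    ("root", "localhost", ["GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION"]),
    ("root", "%", ["GRANT ALL PRIVILEGES ON *.* TO `root`@`%`"]),
    ("", "localhost", ["GRANT USAGE ON *.* TO ``@`localhost`"]),
    ("admin", "localhost", ["GRANT ALL PRIVILEGES ON *.* TO `admin`@`localhost` WITH GRANT OPTION"]),
    ("webapp", "localhost", ["GRANT SELECT, INSERT, UPDATE, DELETE ON `webapp`.* TO `webapp`@`localhost`"]),
    ("reporting", "10.0.%", ["GRANT FILE ON *.* TO `reporting`@`10.0.%`",
                             "GRANT SELECT ON `webapp`.* TO `reporting`@`10.0.%`"]),
]
# Accounts expected to hold global privileges (assumption: the two created in the steps above).
ADMIN_ACCOUNTS = {("root", "localhost"), ("admin", "localhost")}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ")

def audit_accounts(accounts):
    """Return findings for (user, host, [grant strings]) tuples; an empty list means clean."""
    findings = []
    for user, host, grants in accounts:
        who = f"'{user}'@'{host}'"
        if user == "":
            findings.append(f"{who}: anonymous account")
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(f"{who}: root may log in remotely")
        if host == "%":
            findings.append(f"{who}: host wildcard accepts connections from anywhere")
        if (user, host) in ADMIN_ACCOUNTS:
            continue
        for g in grants:
            m = GRANT_RE.match(g)
            # Global (*.*) privileges beyond USAGE, e.g. FILE (server-side file access),
            # belong only to administrative accounts.
            if m and m.group("scope") == "*.*" and m.group("privs") != "USAGE":
                findings.append(f"{who}: global grant of {m.group('privs')}")
            if g.endswith("WITH GRANT OPTION"):
                findings.append(f"{who}: may grant privileges to other accounts")
    return findings
```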
Part03-DNS service security
3.1 BIND security configuration
$ sudo tee /etc/named.conf << 'EOF'
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.10; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    // Only the local network may query and recurse; no zone transfers by default
    allow-query { localhost; 192.168.1.0/24; };
    allow-recursion { localhost; 192.168.1.0/24; };
    allow-transfer { none; };
    recursion yes;
    // dnssec-validation alone enables DNSSEC validation; the old dnssec-enable and
    // dnssec-lookaside (DLV) options are obsolete and have been dropped here
    dnssec-validation yes;
    // Do not disclose the BIND version to version.bind queries
    version "not disclosed";
    hostname "dns.fgedu.net.cn";
    server-id "dns1";
    rate-limit {
        responses-per-second 10;
        window 5;
    };
    querylog yes;
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    channel security_log {
        file "data/named.security" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category security { security_log; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "fgedu.net.cn" IN {
    type master;
    file "fgedu.net.cn.zone";
    allow-update { none; };
    // Only the secondary name server may transfer this zone
    allow-transfer { 192.168.1.11; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
EOF
# Configure the zone file
$ sudo tee /var/named/fgedu.net.cn.zone << 'EOF'
$TTL 86400
@       IN  SOA   ns1.fgedu.net.cn. admin.fgedu.net.cn. (
            2026040401 ; Serial
            3600       ; Refresh
            1800       ; Retry
            604800     ; Expire
            86400 )    ; Minimum
@       IN  NS    ns1.fgedu.net.cn.
@       IN  NS    ns2.fgedu.net.cn.
@       IN  A     192.168.1.100
@       IN  MX 10 mail.fgedu.net.cn.
@       IN  TXT   "v=spf1 mx -all"
ns1     IN  A     192.168.1.10
ns2     IN  A     192.168.1.11
www     IN  A     192.168.1.100
mail    IN  A     192.168.1.101
ftp     IN  CNAME www
EOF
# Set permissions
$ sudo chown root:named /var/named/fgedu.net.cn.zone
$ sudo chmod 640 /var/named/fgedu.net.cn.zone
# Check the configuration
$ sudo named-checkconf
$ sudo named-checkzone fgedu.net.cn /var/named/fgedu.net.cn.zone
# Restart BIND
$ sudo systemctl restart named
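As an added example (not from the tutorial), a Python model of how named evaluates the access lists in the named.conf above: the first matching element wins, a leading "!" negates it, an address matching nothing is denied, and a zone-level allow-transfer replaces the global "none" rather than merging with it. The loopback ranges used for "localhost" are an assumption (BIND matches all of the server's own interface addresses).

```python
import ipaddress

# ACLs transcribed from the named.conf above; "localhost" is modelled as the loopback
# ranges (assumption: BIND matches every address of the server's own interfaces).
OPTIONS = {
    "allow-query": ["localhost", "192.168.1.0/24"],
    "allow-recursion": ["localhost", "192.168.1.0/24"],
    "allow-transfer": ["none"],
}
ZONES = {"fgedu.net.cn": {"allow-transfer": ["192.168.1.11"]}}
LOOPBACK = ["127.0.0.0/8", "::1/128"]

def allowed(addr, acl):
    """Evaluate a BIND address_match_list: the first matching element decides,
    a leading '!' negates it, and an address that matches nothing is denied."""
    ip = ipaddress.ip_address(addr)
    for elem in acl:
        negate = elem.startswith("!")
        e = elem.lstrip("!")
        if e == "any":
            hit = True
        elif e == "none":
            hit = False  # 'none' is an empty list: it never matches anything
        elif e == "localhost":
            hit = any(ip in ipaddress.ip_network(n) for n in LOOPBACK)
        else:
            hit = ip in ipaddress.ip_network(e, strict=False)
        if hit:
            return not negate
    return False

def effective(zone, option):
    """A zone-level statement replaces (does not merge with) the options{} default."""
    return ZONES.get(zone, {}).get(option, OPTIONS[option])

def may(addr, zone, option):
    """May a client at addr perform the given operation (query/recursion/transfer) on zone?"""
    return allowed(addr, effective(zone, option))
```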
1. Minimize service privileges
2. Configure access control
3. Enable encrypted communication
4. Update services regularly
5. Monitor service logs
This article was compiled and published by Feng Ge Tutorials for learning and testing purposes only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
