
Linux教程FG278-安全加固实战

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

风哥提示:

本文档介绍Linux系统安全加固的实战案例。

Part01-Web服务器加固

1.1 Web服务器安全加固

# Web服务器加固脚本
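$ cat > /usr/local/bin/web-server-hardening.sh << 'EOF'
#!/bin/bash
# Web server hardening: writes drop-in hardening configs for Nginx, PHP and
# MySQL, removes anonymous / non-local MySQL root accounts and the test
# database, and restricts SSH in firewalld to 192.168.1.0/24.
# Run as root; restarts nginx, php-fpm and mysqld. Any failing step stops
# the script instead of reporting "completed".
set -euo pipefail

# Timestamped log line on stdout.
log() {
  printf '%s: %s\n' "$(date)" "$1"
}

# Nginx: hide the version banner, cap request sizes, add response security
# headers and allow only TLS 1.2/1.3.
configure_nginx() {
  log "Configuring Nginx security..."
  cat > /etc/nginx/conf.d/security.conf << 'NGINX'
server_tokens off;
client_body_buffer_size 16k;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 4 8k;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# These lines only define the zones; a server/location block must still
# reference them with limit_req / limit_conn for any limit to take effect.
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
NGINX
  # Validate the full configuration before restarting so a bad directive
  # cannot take the site down.
  nginx -t
  systemctl restart nginx
}

# PHP: no version disclosure or on-screen errors, dangerous functions
# disabled, remote includes off, hardened session cookies.
configure_php() {
  log "Configuring PHP security..."
  cat > /etc/php.d/security.ini << 'PHP'
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,symlink
allow_url_fopen = Off
allow_url_include = Off
file_uploads = On
upload_max_filesize = 10M
post_max_size = 10M
upload_tmp_dir = /tmp/php_upload
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1
PHP
  # NOTE(review): error_log points at /var/log/php/error.log; that directory
  # must exist and be writable by the PHP-FPM user or logging silently fails.
  # Dedicated upload dir: sticky bit, others may create but not list files.
  mkdir -p /tmp/php_upload
  chmod 1733 /tmp/php_upload
  systemctl restart php-fpm
}

# MySQL: drop anonymous users, non-local root logins and the test database,
# then bind the daemon to loopback with LOCAL INFILE disabled.
configure_mysql() {
  log "Configuring MySQL security..."
  # Assumes root can log in without a password (fresh install / socket auth);
  # if not, this step fails and the script stops here.
  mysql -u root << 'MYSQL'
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
MYSQL
  cat > /etc/my.cnf.d/security.cnf << 'MYSQL'
[mysqld]
local_infile = 0
skip-symbolic-links
bind-address = 127.0.0.1
MYSQL
  systemctl restart mysqld
}

# firewalld: allow HTTP/HTTPS; allow SSH only from 192.168.1.0/24.
configure_firewall() {
  log "Configuring firewall..."
  firewall-cmd --permanent --add-service=http
  firewall-cmd --permanent --add-service=https
  # Both SSH changes are permanent and apply together at --reload, so there
  # is no window with SSH fully closed. Run this from a host inside
  # 192.168.1.0/24, otherwise the current session is the last one you get.
  firewall-cmd --permanent --remove-service=ssh
  firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
  firewall-cmd --reload
}

main() {
  log "Starting web server hardening..."
  configure_nginx
  configure_php
  configure_mysql
  configure_firewall
  log "Web server hardening completed!"
}

main "$@"
EOF
chmod +x /usr/local/bin/web-server-hardening.sh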

Part02-数据库服务器加固

2.1 数据库服务器安全加固

# 数据库服务器加固脚本
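$ cat > /usr/local/bin/database-hardening.sh << 'EOF'
#!/bin/bash
# Database server hardening: MySQL (secure-installation answers, TLS-only
# loopback config), PostgreSQL (TLS, connection logging, pg_hba) and a
# firewalld zone that admits only MySQL/PostgreSQL from 192.168.2.0/24.
# Run as root with MYSQL_ROOT_PASSWORD exported in the environment.
# Any failing step stops the script instead of reporting "completed".
set -euo pipefail

# Timestamped log line on stdout.
log() {
  printf '%s: %s\n' "$(date)" "$1"
}

# Copy a config file aside before it is overwritten (no-op if absent).
# Arguments: $1 - path of the file to back up
backup_file() {
  local path=$1
  if [[ -f "$path" ]]; then
    cp -a -- "$path" "${path}.bak.$(date +%Y%m%d%H%M%S)"
  fi
}

# MySQL: run mysql_secure_installation with scripted answers, then write a
# loopback-only, TLS-required server config.
configure_mysql() {
  log "Configuring MySQL security..."
  # The root password comes from the environment rather than being stored
  # in this executable, which anyone with shell access could otherwise read.
  : "${MYSQL_ROOT_PASSWORD:?export MYSQL_ROOT_PASSWORD before running}"
  # Same answer sequence as the original listing with the password
  # substituted (unquoted delimiter so the variable expands). The prompt
  # order differs between MySQL and MariaDB releases, and some releases read
  # the password from the terminal instead of stdin — verify once on the
  # target version before relying on this unattended.
  mysql_secure_installation << MYSQL
y
${MYSQL_ROOT_PASSWORD}
y
y
y
y
MYSQL
  # The config below references these TLS files and requires TLS for every
  # TCP connection; fail here with a clear message rather than restarting
  # into a server that cannot serve TLS.
  local f
  for f in /etc/mysql/ssl/ca.pem /etc/mysql/ssl/server-cert.pem /etc/mysql/ssl/server-key.pem; do
    if [[ ! -r "$f" ]]; then
      log "Missing TLS file: $f"
      return 1
    fi
  done
  # NOTE(review): bind-address = 127.0.0.1 means the MySQL service opened to
  # 192.168.2.0/24 in configure_firewall is not reachable until the server
  # also listens on its LAN address.
  cat > /etc/my.cnf.d/security.cnf << 'MYSQL'
[mysqld]
bind-address = 127.0.0.1
port = 3306
skip-networking = 0
skip-show-database
local_infile = 0
secure-file-priv = /var/lib/mysql-files
max_connections = 100
max_user_connections = 50
wait_timeout = 600
interactive_timeout = 600
log_error = /var/log/mysql/error.log
log_queries_not_using_indexes = 1
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2
ssl-ca = /etc/mysql/ssl/ca.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key = /etc/mysql/ssl/server-key.pem
require_secure_transport = ON
MYSQL
  systemctl restart mysqld
}

# PostgreSQL: replace postgresql.conf and pg_hba.conf with hardened versions.
# Both files are overwritten wholesale, so copies are kept first.
configure_postgresql() {
  log "Configuring PostgreSQL security..."
  local pgdata=/var/lib/pgsql/data
  backup_file "$pgdata/postgresql.conf"
  backup_file "$pgdata/pg_hba.conf"
  # NOTE(review): listen_addresses = 'localhost' makes the hostssl rule for
  # 192.168.2.0/24 below (and the firewall opening) unreachable until the
  # server's LAN address is added here.
  cat > "$pgdata/postgresql.conf" << 'PG'
listen_addresses = 'localhost'
port = 5432
max_connections = 100
ssl = on
ssl_cert_file = '/var/lib/pgsql/data/server.crt'
ssl_key_file = '/var/lib/pgsql/data/server.key'
log_connections = on
log_disconnections = on
log_statement = 'ddl'
log_line_prefix = '%t [%p]: [%l-1] user=%u,db=%d,app=%a,client=%h '
PG
  cat > "$pgdata/pg_hba.conf" << 'PG'
# md5 is kept from the original; on PostgreSQL 10+ prefer scram-sha-256
# (set password_encryption and reset passwords before switching).
local   all   postgres   peer
local   all   all        md5
host    all   all        127.0.0.1/32     md5
host    all   all        ::1/128          md5
hostssl all   all        192.168.2.0/24   md5
PG
  systemctl restart postgresql
}

# firewalld: admit only MySQL and PostgreSQL from 192.168.2.0/24.
configure_firewall() {
  log "Configuring firewall..."
  # The original placed the subnet in the 'trusted' zone, which accepts every
  # connection regardless of which services are added to it. A dedicated
  # zone (name chosen here; rename as needed) limits that subnet to the two
  # database services.
  local zone=dbclients
  if ! firewall-cmd --permanent --get-zones | grep -qw "$zone"; then
    firewall-cmd --permanent --new-zone="$zone"
  fi
  firewall-cmd --permanent --zone="$zone" --add-source=192.168.2.0/24
  firewall-cmd --permanent --zone="$zone" --add-service=mysql
  firewall-cmd --permanent --zone="$zone" --add-service=postgresql
  firewall-cmd --reload
}

main() {
  log "Starting database server hardening..."
  configure_mysql
  configure_postgresql
  configure_firewall
  log "Database server hardening completed!"
}

main "$@"
EOF
chmod +x /usr/local/bin/database-hardening.sh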

Part03-邮件服务器加固

3.1 邮件服务器安全加固

# 邮件服务器加固脚本
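$ cat > /usr/local/bin/mail-server-hardening.sh << 'EOF'
#!/bin/bash
# Mail server hardening: Postfix (TLS, SASL, sender/recipient restrictions),
# Dovecot (TLS required, no plaintext auth), SpamAssassin and firewalld.
# Run as root; restarts postfix and dovecot. Any failing step stops the
# script instead of reporting "completed".
set -euo pipefail

# Timestamped log line on stdout.
log() {
  printf '%s: %s\n' "$(date)" "$1"
}

# Postfix: opportunistic TLS on port 25 (other MTAs without TLS still
# deliver), plaintext SASL mechanisms only after TLS, RBL and HELO checks.
configure_postfix() {
  log "Configuring Postfix security..."
  postconf -e 'smtpd_tls_security_level = may'
  postconf -e 'smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt'
  postconf -e 'smtpd_tls_key_file = /etc/pki/tls/private/mail.key'
  # The original excluded only SSLv2/SSLv3; TLS 1.0 and 1.1 are deprecated
  # as well and are excluded here.
  postconf -e 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  postconf -e 'smtpd_tls_ciphers = high'
  postconf -e 'smtpd_tls_received_header = yes'
  postconf -e 'smtpd_sasl_auth_enable = yes'
  postconf -e 'smtpd_sasl_security_options = noanonymous, noplaintext'
  postconf -e 'smtpd_sasl_tls_security_options = noanonymous'
  postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
  postconf -e 'smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org'
  postconf -e 'smtpd_helo_required = yes'
  postconf -e 'smtpd_delay_reject = yes'
  postconf -e 'disable_vrfy_command = yes'
  # Syntax/permission check before restarting.
  postfix check
  systemctl restart postfix
}

# Dovecot: require TLS and refuse plaintext authentication.
configure_dovecot() {
  log "Configuring Dovecot security..."
  # The certificate and key lines of 10-ssl.conf were lost from the original
  # listing; the '<' prefix tells Dovecot to read the named file. The
  # placeholder paths below must be replaced before running — doveconf
  # fails (and so does this script) while they do not exist.
  cat > /etc/dovecot/conf.d/10-ssl.conf << 'DOVECOT'
ssl = required
# PLACEHOLDER: replace with the server's real certificate and key paths
ssl_cert = </path/to/mail.crt
ssl_key = </path/to/mail.key
DOVECOT
  # 10-auth.conf is replaced wholesale; the distribution default usually
  # carries the passdb/userdb includes, so keep a copy to restore from.
  if [[ -f /etc/dovecot/conf.d/10-auth.conf ]]; then
    cp -a -- /etc/dovecot/conf.d/10-auth.conf "/etc/dovecot/conf.d/10-auth.conf.bak.$(date +%Y%m%d%H%M%S)"
  fi
  cat > /etc/dovecot/conf.d/10-auth.conf << 'DOVECOT'
disable_plaintext_auth = yes
auth_mechanisms = plain login
DOVECOT
  # Parse the configuration before restarting.
  doveconf -n > /dev/null
  systemctl restart dovecot
}

# SpamAssassin: install, set scoring and learning options, enable service.
configure_spamassassin() {
  log "Configuring SpamAssassin..."
  dnf install -y spamassassin
  cat > /etc/mail/spamassassin/local.cf << 'SA'
# required_hits is the legacy alias of required_score; both kept from the original
required_hits 5.0
report_safe 0
required_score 5.0
rewrite_header Subject *****SPAM*****
use_bayes 1
bayes_auto_learn 1
skip_rbl_checks 0
# razor2/pyzor only take effect if those clients are installed — confirm
use_razor2 1
use_pyzor 1
SA
  systemctl enable spamassassin
  systemctl start spamassassin
}

# firewalld: open SMTP, IMAP and POP3 (plain and TLS ports). With Dovecot's
# ssl = required, the plain IMAP/POP3 ports only allow login after STARTTLS.
configure_firewall() {
  log "Configuring firewall..."
  firewall-cmd --permanent --add-service=smtp
  firewall-cmd --permanent --add-service=smtps
  firewall-cmd --permanent --add-service=imap
  firewall-cmd --permanent --add-service=imaps
  firewall-cmd --permanent --add-service=pop3
  firewall-cmd --permanent --add-service=pop3s
  firewall-cmd --reload
}

main() {
  log "Starting mail server hardening..."
  configure_postfix
  configure_dovecot
  configure_spamassassin
  configure_firewall
  log "Mail server hardening completed!"
}

main "$@"
EOF
chmod +x /usr/local/bin/mail-server-hardening.sh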
风哥针对安全加固建议:
1. 根据服务类型加固
2. 配置访问控制
3. 启用加密通信
4. 限制服务权限
5. 定期安全审计

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
