转自:IT之家
🛡️ Complete Guide to Linux Server Security: Building a Fortress from Scratch
💡 Introduction: As a DevOps engineer, I have seen too many servers compromised due to improper security configurations. This article will share my practical experience accumulated over the years, teaching you how to build a complete Linux server security protection system.
🚨 Real Case: A Thrilling Intrusion Incident
Last year, one night, I received a monitoring alert: the CPU usage of a company web server spiked abnormally. After logging in, I found suspicious processes running in the system, and further investigation revealed that the server had been implanted with a mining trojan. This incident made me deeply realize the importance of server security protection.
Attack Path Review:
- • The attacker gained root access through SSH brute force
- • Implanted a backdoor program and established a persistent connection
- • Downloaded mining software to consume server resources
- • Attempted lateral penetration into other hosts in the internal network
🔐 Core Protection Strategy: Multi-layer Security Defense
First Layer: SSH Security Hardening
1. Change the default port
# Edit SSH configuration file
vim /etc/ssh/sshd_config
# Change port (recommended range 10000-65535)
Port 22022
# Restart SSH service
systemctl restart sshd
2. Disable root direct login
# Set in sshd_config
PermitRootLogin no
# Create a normal user and add to sudo group
useradd -m -s /bin/bash admin
usermod -aG sudo admin
3. Configure key authentication
# Generate SSH key pair
ssh-keygen -t ed25519 -C "[email protected]"
# Create authorized_keys on the server
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "your_public_key" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Disable password authentication
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
systemctl restart sshd
Second Layer: Fail2Ban Anti-Brute Force
Install and configure Fail2Ban
# Ubuntu/Debian
apt update && apt install fail2ban -y
# CentOS/RHEL
yum install epel-release -y && yum install fail2ban -y
Custom SSH protection rules
# Create local configuration file
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8 192.168.0.0/16
[sshd]
enabled = true
port = 22022
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
EOF
# Start service
systemctl enable fail2ban && systemctl start fail2ban
Check ban status
# View banned IPs
fail2ban-client status sshd
# Manually unban IP
fail2ban-client set sshd unbanip 192.168.1.100
Third Layer: Firewall Configuration
UFW Simple Firewall
# Enable UFW
ufw enable
# Set default policies
ufw default deny incoming
ufw default allow outgoing
# Allow SSH connections (using custom port)
ufw allow 22022/tcp
# Allow web services
ufw allow 80/tcp
ufw allow 443/tcp
# View rules
ufw status verbose
iptables Advanced Configuration
#!/bin/bash
# Clear existing rules
iptables -F
iptables -X
iptables -Z
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow local loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH rate limiting (anti-brute force)
iptables -A INPUT -p tcp --dport 22022 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22022 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22022 -j ACCEPT
# Web services
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Save rules
iptables-save > /etc/iptables/rules.v4
Fourth Layer: Intrusion Detection System
Deploy OSSEC-HIDS
# Download and install OSSEC
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar -xzf 3.6.0.tar.gz && cd ossec-hids-3.6.0
./install.sh
# Configure monitoring rules
vim /var/ossec/etc/ossec.conf
Custom monitoring script
#!/bin/bash
# System anomaly detection script
LOG_FILE="/var/log/security_check.log"
# Check for suspicious processes
check_suspicious_processes() {
echo "[$(date)] Checking for suspicious processes..." >> $LOG_FILE
# Check for processes with abnormal CPU usage
ps aux --sort=-%cpu | head -10 | while read line; do
cpu=$(echo $line | awk '{print $3}')
if (( $(echo "$cpu > 80" | bc -l) )); then
echo "Warning: High CPU usage process found: $line" >> $LOG_FILE
fi
done
}
# Check for abnormal network connections
check_network_connections() {
echo "[$(date)] Checking network connections..." >> $LOG_FILE
# Check for suspicious port listening
netstat -tlnp | grep -E ':(1234|4444|5555|8080)' && {
echo "Warning: Suspicious port listening found" >> $LOG_FILE
}
}
# Execute checks
check_suspicious_processes
check_network_connections
Fifth Layer: File Integrity Monitoring
Using AIDE Tool
# Install AIDE
apt install aide -y # Ubuntu/Debian
yum install aide -y # CentOS/RHEL
# Initialize database
aide --init
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Create check script
cat > /usr/local/bin/aide_check.sh << 'EOF'
#!/bin/bash
aide --check | tee /var/log/aide_check.log
if [ $? -ne 0 ]; then
echo "File integrity check found anomalies, please check the log file"
# You can add email notifications here
fi
EOF
chmod +x /usr/local/bin/aide_check.sh
# Add cron job
echo "0 2 * * * /usr/local/bin/aide_check.sh" | crontab -
🚀 Advanced Protection Techniques
1. Port Knocking Technique
# Install knockd
apt install knockd -y
# Configure port knocking
cat > /etc/knockd.conf << 'EOF'
[options]
UseSyslog
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22022 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22022 -j ACCEPT
tcpflags = syn
EOF
# Start service
systemctl enable knockd && systemctl start knockd
2. Honeypot Deployment (Confuse Attackers)
# Install Cowrie SSH Honeypot
pip3 install cowrie
# Configure fake SSH service to listen on port 22
# Real SSH service uses a non-standard port
3. Automated Log Analysis
#!/bin/bash
# Automated log analysis script
LOGFILE="/var/log/auth.log"
ALERT_EMAIL="[email protected]"
# Analyze SSH login failures
failed_attempts=$(grep "Failed password" $LOGFILE | grep "$(date '+%b %d')" | wc -l)
if [ $failed_attempts -gt 50 ]; then
echo "Warning: Today's SSH login failures reached $failed_attempts times" | \
mail -s "SSH Security Alert - $(hostname)" $ALERT_EMAIL
fi
# Check for new user creation
new_users=$(grep "new user" /var/log/auth.log | grep "$(date '+%b %d')")
if [ ! -z "$new_users" ]; then
echo "Warning: Detected new user creation: $new_users" | \
mail -s "User Management Alert - $(hostname)" $ALERT_EMAIL
fi
📊 Monitoring and Alerting System
Set Up Lightweight Monitoring
# Install Netdata real-time monitoring
bash <(curl -Ss https://my-netdata.io/kickstart.sh)
# Configure alerts
vim /etc/netdata/health_alarm_notify.conf
# Set email notifications
SEND_EMAIL="YES"
DEFAULT_RECIPIENT_EMAIL="[email protected]"
Custom Alert Script
#!/usr/bin/env python3
import psutil
import smtplib
from email.mime.text import MIMEText
import time
def check_system_health():
alerts = []
# Check CPU usage
cpu_percent = psutil.cpu_percent(interval=1)
if cpu_percent > 80:
alerts.append(f"CPU usage too high: {cpu_percent}%")
# Check memory usage
memory = psutil.virtual_memory()
if memory.percent > 85:
alerts.append(f"Memory usage too high: {memory.percent}%")
# Check disk usage
for partition in psutil.disk_partitions():
disk_usage = psutil.disk_usage(partition.mountpoint)
if disk_usage.percent > 90:
alerts.append(f"Disk {partition.mountpoint} usage too high: {disk_usage.percent}%")
return alerts
def send_alert(alerts):
if not alerts:
return
msg = MIMEText('\n'.join(alerts))
msg['Subject'] = f'Server Health Alert - {time.strftime("%Y-%m-%d %H:%M")}'
msg['From'] = '[email protected]'
msg['To'] = '[email protected]'
# Email sending logic
print("Sending alert:", '\n'.join(alerts))
if __name__ == "__main__":
alerts = check_system_health()
send_alert(alerts)
🔧 Emergency Response Plan
Steps to Take After Discovering an Intrusion
- 1. Immediately Isolate
# Disconnect from the network (keep SSH connection)
iptables -A INPUT -j DROP
iptables -I INPUT 1 -s YOUR_IP -j ACCEPT
- 2. Preserve Evidence
# Backup critical logs
tar -czf evidence_$(date +%Y%m%d_%H%M).tar.gz \
/var/log/auth.log \
/var/log/syslog \
/var/log/messages
- 3. Clean Up Backdoors
# Check scheduled tasks
crontab -l
cat /etc/crontab
ls -la /etc/cron.*
# Check startup items
systemctl list-unit-files --state=enabled
ls -la /etc/init.d/
🎯 Practical Drills
Simulated Attack Testing
# Use Nmap to scan your server
nmap -sS -O YOUR_SERVER_IP
# Use Hydra to test SSH brute force protection
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
ssh://YOUR_SERVER_IP:22022 -t 4
Performance Optimization
# Optimize SSH configuration performance
echo "ClientAliveInterval 60" >> /etc/ssh/sshd_config
echo "ClientAliveCountMax 3" >> /etc/ssh/sshd_config
echo "MaxAuthTries 3" >> /etc/ssh/sshd_config
echo "MaxSessions 5" >> /etc/ssh/sshd_config
💎 Advanced Tips Sharing
1. Use PAM to Enhance Authentication
# Configure Google Authenticator two-factor authentication
apt install libpam-google-authenticator -y
google-authenticator
# Modify PAM configuration
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
2. Automated Security Checks
# Create security check checklist script
cat > /usr/local/bin/security_audit.sh << 'EOF'
#!/bin/bash
echo "=== Linux Server Security Check Report ==="
echo "Check Time: $(date)"
echo ""
# Check user accounts
echo "1. User Account Check:"
awk -F: '$3==0{print "Warning: " $1 " has root privileges"}' /etc/passwd
# Check for empty password accounts
echo "2. Empty Password Account Check:"
awk -F: '$2==""{print "Warning: " $1 " has an empty password"}' /etc/shadow
# Check file permissions
echo "3. Critical File Permission Check:"
ls -l /etc/passwd /etc/shadow /etc/sudoers
# Check network listening
echo "4. Network Listening Ports:"
netstat -tlnp | grep LISTEN
echo "=== Check Complete ==="
EOF
chmod +x /usr/local/bin/security_audit.sh
📈 Summary and Recommendations
Through the above multi-layer protection measures, the security of Linux servers can be significantly enhanced:
Security Level Assessment:
- • 🔴 Basic Level: Change SSH port + Key authentication
- • 🟡 Standard Level: + Fail2Ban + Firewall configuration
- • 🟢 Advanced Level: + Intrusion detection + File monitoring
- • 🔵 Expert Level: + Honeypot + Automated response
Best Practice Recommendations:
- 1. Regularly update systems and packages
- 2. Principle of least privilege
- 3. Regular audits and log analysis
- 4. Develop an emergency response plan
- 5. Regularly conduct security drills
(Copyright belongs to the original author, infringement will be deleted)
Disclaimer: The content of this article is sourced from the internet, and the information provided is for reference only. Reproduction is for learning and communication purposes. If it inadvertently infringes on your legal rights, please contact the Docker Chinese community in a timely manner!