Complete Guide to Linux Server Security: Building a Fortress from Scratch


转自:IT之家

🛡️ Complete Guide to Linux Server Security: Building a Fortress from Scratch

💡 Introduction: As a DevOps engineer, I have seen too many servers compromised due to improper security configurations. This article will share my practical experience accumulated over the years, teaching you how to build a complete Linux server security protection system.

🚨 Real Case: A Thrilling Intrusion Incident

Last year, one night, I received a monitoring alert: the CPU usage of a company web server spiked abnormally. After logging in, I found suspicious processes running in the system, and further investigation revealed that the server had been implanted with a mining trojan. This incident made me deeply realize the importance of server security protection.

Attack Path Review:

  • • The attacker gained root access through SSH brute force
  • • Implanted a backdoor program and established a persistent connection
  • • Downloaded mining software to consume server resources
  • • Attempted lateral penetration into other hosts in the internal network

🔐 Core Protection Strategy: Multi-layer Security Defense

First Layer: SSH Security Hardening

1. Change the default port

# Edit SSH configuration file
vim /etc/ssh/sshd_config

# Change port (recommended range 10000-65535)
Port 22022

# Restart SSH service
systemctl restart sshd

2. Disable root direct login

# Set in sshd_config
PermitRootLogin no

# Create a normal user and add to sudo group
useradd -m -s /bin/bash admin
usermod -aG sudo admin

3. Configure key authentication

# Generate SSH key pair
ssh-keygen -t ed25519 -C "[email protected]"

# Create authorized_keys on the server
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "your_public_key" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# Disable password authentication
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
systemctl restart sshd

Second Layer: Fail2Ban Anti-Brute Force

Install and configure Fail2Ban

# Ubuntu/Debian
apt update && apt install fail2ban -y

# CentOS/RHEL
yum install epel-release -y && yum install fail2ban -y

Custom SSH protection rules

# Create local configuration file
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8 192.168.0.0/16

[sshd]
enabled = true
port = 22022
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
EOF

# Start service
systemctl enable fail2ban && systemctl start fail2ban

Check ban status

# View banned IPs
fail2ban-client status sshd

# Manually unban IP
fail2ban-client set sshd unbanip 192.168.1.100

Third Layer: Firewall Configuration

UFW Simple Firewall

# Enable UFW
ufw enable

# Set default policies
ufw default deny incoming
ufw default allow outgoing

# Allow SSH connections (using custom port)
ufw allow 22022/tcp

# Allow web services
ufw allow 80/tcp
ufw allow 443/tcp

# View rules
ufw status verbose

iptables Advanced Configuration

#!/bin/bash
# Clear existing rules
iptables -F
iptables -X
iptables -Z

# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow local loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH rate limiting (anti-brute force)
iptables -A INPUT -p tcp --dport 22022 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22022 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22022 -j ACCEPT

# Web services
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Save rules
iptables-save > /etc/iptables/rules.v4

Fourth Layer: Intrusion Detection System

Deploy OSSEC-HIDS

# Download and install OSSEC
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar -xzf 3.6.0.tar.gz && cd ossec-hids-3.6.0
./install.sh

# Configure monitoring rules
vim /var/ossec/etc/ossec.conf

Custom monitoring script

#!/bin/bash
# System anomaly detection script
LOG_FILE="/var/log/security_check.log"

# Check for suspicious processes
check_suspicious_processes() {
    echo "[$(date)] Checking for suspicious processes..." >> $LOG_FILE
    
    # Check for processes with abnormal CPU usage
    ps aux --sort=-%cpu | head -10 | while read line; do
        cpu=$(echo $line | awk '{print $3}')
        if (( $(echo "$cpu > 80" | bc -l) )); then
            echo "Warning: High CPU usage process found: $line" >> $LOG_FILE
        fi
    done
}

# Check for abnormal network connections
check_network_connections() {
    echo "[$(date)] Checking network connections..." >> $LOG_FILE
    
    # Check for suspicious port listening
    netstat -tlnp | grep -E ':(1234|4444|5555|8080)' && {
        echo "Warning: Suspicious port listening found" >> $LOG_FILE
    }
}

# Execute checks
check_suspicious_processes
check_network_connections

Fifth Layer: File Integrity Monitoring

Using AIDE Tool

# Install AIDE
apt install aide -y  # Ubuntu/Debian
yum install aide -y  # CentOS/RHEL

# Initialize database
aide --init
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Create check script
cat > /usr/local/bin/aide_check.sh << 'EOF'
#!/bin/bash
aide --check | tee /var/log/aide_check.log
if [ $? -ne 0 ]; then
    echo "File integrity check found anomalies, please check the log file"
    # You can add email notifications here
fi
EOF

chmod +x /usr/local/bin/aide_check.sh

# Add cron job
echo "0 2 * * * /usr/local/bin/aide_check.sh" | crontab -

🚀 Advanced Protection Techniques

1. Port Knocking Technique

# Install knockd
apt install knockd -y

# Configure port knocking
cat > /etc/knockd.conf << 'EOF'
[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22022 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22022 -j ACCEPT
    tcpflags    = syn
EOF

# Start service
systemctl enable knockd && systemctl start knockd

2. Honeypot Deployment (Confuse Attackers)

# Install Cowrie SSH Honeypot
pip3 install cowrie

# Configure fake SSH service to listen on port 22
# Real SSH service uses a non-standard port

3. Automated Log Analysis

#!/bin/bash
# Automated log analysis script
LOGFILE="/var/log/auth.log"
ALERT_EMAIL="[email protected]"

# Analyze SSH login failures
failed_attempts=$(grep "Failed password" $LOGFILE | grep "$(date '+%b %d')" | wc -l)

if [ $failed_attempts -gt 50 ]; then
    echo "Warning: Today's SSH login failures reached $failed_attempts times" | \
    mail -s "SSH Security Alert - $(hostname)" $ALERT_EMAIL
fi

# Check for new user creation
new_users=$(grep "new user" /var/log/auth.log | grep "$(date '+%b %d')")
if [ ! -z "$new_users" ]; then
    echo "Warning: Detected new user creation: $new_users" | \
    mail -s "User Management Alert - $(hostname)" $ALERT_EMAIL
fi

📊 Monitoring and Alerting System

Set Up Lightweight Monitoring

# Install Netdata real-time monitoring
bash <(curl -Ss https://my-netdata.io/kickstart.sh)

# Configure alerts
vim /etc/netdata/health_alarm_notify.conf

# Set email notifications
SEND_EMAIL="YES"
DEFAULT_RECIPIENT_EMAIL="[email protected]"

Custom Alert Script

#!/usr/bin/env python3
import psutil
import smtplib
from email.mime.text import MIMEText
import time

def check_system_health():
    alerts = []
    
    # Check CPU usage
    cpu_percent = psutil.cpu_percent(interval=1)
    if cpu_percent > 80:
        alerts.append(f"CPU usage too high: {cpu_percent}%")
    
    # Check memory usage
    memory = psutil.virtual_memory()
    if memory.percent > 85:
        alerts.append(f"Memory usage too high: {memory.percent}%")
    
    # Check disk usage
    for partition in psutil.disk_partitions():
        disk_usage = psutil.disk_usage(partition.mountpoint)
        if disk_usage.percent > 90:
            alerts.append(f"Disk {partition.mountpoint} usage too high: {disk_usage.percent}%")
    
    return alerts

def send_alert(alerts):
    if not alerts:
        return
    
    msg = MIMEText('\n'.join(alerts))
    msg['Subject'] = f'Server Health Alert - {time.strftime("%Y-%m-%d %H:%M")}'
    msg['From'] = '[email protected]'
    msg['To'] = '[email protected]'
    
    # Email sending logic
    print("Sending alert:", '\n'.join(alerts))

if __name__ == "__main__":
    alerts = check_system_health()
    send_alert(alerts)

🔧 Emergency Response Plan

Steps to Take After Discovering an Intrusion

  1. 1. Immediately Isolate
# Disconnect from the network (keep SSH connection)
iptables -A INPUT -j DROP
iptables -I INPUT 1 -s YOUR_IP -j ACCEPT
  1. 2. Preserve Evidence
# Backup critical logs
tar -czf evidence_$(date +%Y%m%d_%H%M).tar.gz \
    /var/log/auth.log \
    /var/log/syslog \
    /var/log/messages
  1. 3. Clean Up Backdoors
# Check scheduled tasks
crontab -l
cat /etc/crontab
ls -la /etc/cron.*

# Check startup items
systemctl list-unit-files --state=enabled
ls -la /etc/init.d/

🎯 Practical Drills

Simulated Attack Testing

# Use Nmap to scan your server
nmap -sS -O YOUR_SERVER_IP

# Use Hydra to test SSH brute force protection
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
    ssh://YOUR_SERVER_IP:22022 -t 4

Performance Optimization

# Optimize SSH configuration performance
echo "ClientAliveInterval 60" >> /etc/ssh/sshd_config
echo "ClientAliveCountMax 3" >> /etc/ssh/sshd_config
echo "MaxAuthTries 3" >> /etc/ssh/sshd_config
echo "MaxSessions 5" >> /etc/ssh/sshd_config

💎 Advanced Tips Sharing

1. Use PAM to Enhance Authentication

# Configure Google Authenticator two-factor authentication
apt install libpam-google-authenticator -y
google-authenticator

# Modify PAM configuration
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd

2. Automated Security Checks

# Create security check checklist script
cat > /usr/local/bin/security_audit.sh << 'EOF'
#!/bin/bash
echo "=== Linux Server Security Check Report ==="
echo "Check Time: $(date)"
echo ""

# Check user accounts
echo "1. User Account Check:"
awk -F: '$3==0{print "Warning: " $1 " has root privileges"}' /etc/passwd

# Check for empty password accounts
echo "2. Empty Password Account Check:"
awk -F: '$2==""{print "Warning: " $1 " has an empty password"}' /etc/shadow

# Check file permissions
echo "3. Critical File Permission Check:"
ls -l /etc/passwd /etc/shadow /etc/sudoers

# Check network listening
echo "4. Network Listening Ports:"
netstat -tlnp | grep LISTEN

echo "=== Check Complete ==="
EOF

chmod +x /usr/local/bin/security_audit.sh

📈 Summary and Recommendations

Through the above multi-layer protection measures, the security of Linux servers can be significantly enhanced:

Security Level Assessment:

  • • 🔴 Basic Level: Change SSH port + Key authentication
  • • 🟡 Standard Level: + Fail2Ban + Firewall configuration
  • • 🟢 Advanced Level: + Intrusion detection + File monitoring
  • • 🔵 Expert Level: + Honeypot + Automated response

Best Practice Recommendations:

  1. 1. Regularly update systems and packages
  2. 2. Principle of least privilege
  3. 3. Regular audits and log analysis
  4. 4. Develop an emergency response plan
  5. 5. Regularly conduct security drills

(Copyright belongs to the original author, infringement will be deleted)

Disclaimer: The content of this article is sourced from the internet, and the information provided is for reference only. Reproduction is for learning and communication purposes. If it inadvertently infringes on your legal rights, please contact the Docker Chinese community in a timely manner!

Leave a Comment