OpenSource-Hub

How-To-Secure-A-Linux-Server

Tutorial

imthenachoman/How-To-Secure-A-Linux-Server

A continuously updated guide to hardening a Linux server.

Project Overview

This guide provides step-by-step instructions for hardening a Linux server, covering SSH security, firewall configuration, intrusion detection and more. The content is community-contributed and continuously updated.

README Preview

# How To Secure A Linux Server

An evolving how-to guide for securing a Linux server that, hopefully, also teaches you a little about security and why it matters.

## Table of Contents

- [Introduction](#introduction)
  - [Guide Objective](#guide-objective)
  - [Why Secure Your Server](#why-secure-your-server)
  - [Why Yet Another Guide](#why-yet-another-guide)
  - [Other Guides](#other-guides)
  - [To Do / To Add](#to-do--to-add)
- [Guide Overview](#guide-overview)
  - [About This Guide](#about-this-guide)
  - [My Use-Case](#my-use-case)
  - [Editing Configuration Files - For The Lazy](#editing-configuration-files---for-the-lazy)
  - [Contributing](#contributing)
- [Before You Start](#before-you-start)
  - [Identify Your Principles](#identify-your-principles)
  - [Picking A Linux Distribution](#picking-a-linux-distribution)
  - [Installing Linux](#installing-linux)
  - [Pre/Post Installation Requirements](#prepost-installation-requirements)
  - [Other Important Notes](#other-important-notes)
  - [Using Ansible Playbooks to secure your Linux Server](#using-ansible-playbooks-to-secure-your-linux-server)
- [The SSH Server](#the-ssh-server)
  - [Important Note Before You Make SSH Changes](#important-note-before-you-make-ssh-changes)
  - [SSH Public/Private Keys](#ssh-publicprivate-keys)
  - [Create SSH Group For AllowGroups](#create-ssh-group-for-allowgroups)
  - [Secure `/etc/ssh/sshd_config`](#secure-etcsshsshd_config)
  - [Remove Short Diffie-Hellman Keys](#remove-short-diffie-hellman-keys)
  - [2FA/MFA for SSH](#2famfa-for-ssh)
- [The Basics](#the-basics)
  - [Limit Who Can Use sudo](#limit-who-can-use-sudo)
  - [Limit Who Can Use su](#limit-who-can-use-su)
  - [Run applications in a sandbox with FireJail](#run-applications-in-a-sandbox-with-firejail)
  - [NTP Client](#ntp-client)
  - [Securing /proc](#securing-proc)
  - [Force Accounts To Use Secure Passwords](#force-accounts-to-use-secure-passwords)
  - [Autom

FAQ (4)

Configuration
Should I enable 'HashKnownHosts yes' in my SSH client configuration?

Yes. Setting 'HashKnownHosts yes' in /etc/ssh/ssh_config or ~/.ssh/config hashes the hostnames and addresses stored in the known_hosts file. If that file is ever leaked, the identities of the servers you connect to are not exposed in plaintext, which reduces the risk from SSH worms and casual snooping. Add the line 'HashKnownHosts yes' to the relevant configuration file, then establish a new SSH connection.

Source: Issue #115
Troubleshooting
How do I prevent SSH disconnects when using a mobile (LTE) connection?

Disable TCPKeepAlive (a security risk, since its packets can be spoofed) and use ClientAliveInterval and ClientAliveCountMax instead. For LTE networks, where NAT timeouts can be as low as 25 seconds, set ClientAliveInterval 25 and ClientAliveCountMax 3 in /etc/ssh/sshd_config. Restart SSH: sudo systemctl restart sshd. This sends an encrypted keepalive every 25 seconds and tolerates up to 3 unanswered probes before disconnecting.

Source: Issue #103
Troubleshooting
How do I fix predictable SSH keys on a headless Linux server caused by low entropy?

Install rng-tools to add an entropy source. On Debian/Ubuntu: sudo apt-get install rng-tools. For a hardware entropy source, consider the Infinite Noise TRNG. For more details see https://hackaday.com/2017/11/02/what-is-entropy-and-how-do-i-get-more-of-it/ and https://www.2uo.de/myths-about-urandom.

Source: Issue #33
Troubleshooting
How does changing the default SSH port reduce brute-force attempts?

Change the SSH port from 22 to a random high port (for example 6222): set Port 6222 in /etc/ssh/sshd_config, then allow that port through UFW: sudo ufw allow 6222/tcp. Restart the SSH service: sudo systemctl restart sshd. This reduces automated brute-force attempts from hundreds to a few per minute. To eliminate them entirely, combine this with disabling password authentication (PasswordAuthentication no) and using SSH keys. Port knocking (for example knockd) can hide the port completely.

Source: Issue #63
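The FAQ items on keepalives and on the SSH port both end with edits to /etc/ssh/sshd_config; the following POSIX shell audit, an added example that is not code from the guide or from this page, checks a config file for the exact settings those two answers recommend (TCPKeepAlive no, ClientAliveInterval 25, ClientAliveCountMax 3, PasswordAuthentication no, Port 6222). The function names and the sample config are my own; the expected values are taken from the FAQ and should be adjusted to your chosen port.

```shell
#!/bin/sh
# Added example, not code from the guide: audit an sshd_config against the
# settings recommended in the FAQ above. The sample config below is constructed.

# Print the effective value of a keyword. sshd_config keywords are
# case-insensitive and, for most keywords, the first occurrence wins;
# lines starting with "#" are comments and are ignored.
effective_value() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare one keyword with its expected value and print an OK/FAIL line.
check_setting() {  # $1 = config file, $2 = keyword, $3 = expected value
    actual=$(effective_value "$1" "$2")
    if [ "${actual:-}" = "$3" ]; then
        echo "OK    $2 = $actual"
    else
        echo "FAIL  $2 = ${actual:-(unset, sshd default)} (expected $3)"
    fi
}

# Run the checks drawn from the FAQ items; one verdict line per setting.
audit_sshd_config() {  # $1 = config file
    check_setting "$1" TCPKeepAlive no
    check_setting "$1" ClientAliveInterval 25
    check_setting "$1" ClientAliveCountMax 3
    check_setting "$1" PasswordAuthentication no
    check_setting "$1" Port 6222
}

# Constructed sample: keepalives are configured, but the port and password
# authentication are still at their defaults (the commented line has no effect).
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# sshd_config (constructed sample)
Port 22
tcpkeepalive no
ClientAliveInterval 25
ClientAliveCountMax 3
#PasswordAuthentication no
EOF

audit_sshd_config "$SAMPLE_CONFIG"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; the audit only reads the file and reports, it never edits it.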