SSH 加固
# /etc/ssh/sshd_config
Port 2222 # 改默认端口
PermitRootLogin no # 禁止 root 登录
PasswordAuthentication no # 仅密钥登录
MaxAuthTries 3 # 限制尝试次数
AllowUsers deploy # 白名单用户
systemctl restart sshd
Fail2ban 自动封禁
# /etc/fail2ban/jail.local
[sshd]
enabled = true
maxretry = 3
bantime = 3600
findtime = 600
# 自定义 Nginx 规则
[nginx-404]
enabled = true
filter = nginx-404
logpath = /var/log/nginx/access.log
maxretry = 20
UFW 防火墙
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp # SSH (改端口后)
ufw allow 80,443/tcp # HTTP/HTTPS
ufw limit 2222/tcp # 限制 SSH 连接速率
ufw enable
应用层安全
- Nginx 安全头:CSP、HSTS、X-Frame-Options、X-Content-Type-Options
- WAF:ModSecurity / Cloudflare WAF,拦截 SQLi/XSS/CSRF
- 自动更新:
unattended-upgrades 自动安装安全补丁
- 日志审计:auditd 监控敏感文件变更
# Nginx 安全头
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Content-Security-Policy "default-src 'self'" always;
定期检查清单
ss -tlnp — 检查所有监听端口
last -20 — 近期登录记录
cat /var/log/auth.log | grep Failed — 失败登录
dpkg -l | grep -v ^ii — 异常软件包
crontab -l — 检查计划任务