´î½¨Çå¾²µÄLinuxЧÀÍÆ÷ÇéÐΣºÕÆÎÕÕâЩÏÂÁî
´î½¨Çå¾²µÄLinuxЧÀÍÆ÷ÇéÐΣºÕÆÎÕÕâЩÏÂÁî
ÔÚÄ¿½ñÐÅϢʱ´ú£¬ÍøÂçÇå¾²ÎÊÌâ³ÉΪÁËÒ»¸öºÜÊÇÖ÷ÒªµÄ»°Ìâ¡£×÷ΪЧÀÍÆ÷ÖÎÀíÔ±»òÕßÔÆÅÌËã´ÓÒÃ÷ÈÕߣ¬´î½¨Ò»¸öÇå¾²¿É¿¿µÄЧÀÍÆ÷ÇéÐÎÊÇÖÁ¹ØÖ÷ÒªµÄ¡£±¾ÎĽ«ÏÈÈÝһЩ±Ø±¸µÄLinuxÏÂÁ×ÊÖúÄã´î½¨Ò»¸öÇå¾²µÄLinuxЧÀÍÆ÷ÇéÐΡ£
¸üÐÂϵͳºÍÈí¼þ
Ê×ÏÈ£¬¼á³Ö²Ù×÷ϵͳºÍÈí¼þ×îÐÂÊÇÒ»¸öºÜÖ÷ÒªµÄ°ì·¨¡£Ê¹ÓÃÒÔÏÂÏÂÁî¿ÉÒÔ¸üÐÂϵͳºÍÈí¼þ£º
sudo apt update sudo apt upgrade
µÇ¼ºó¸´ÖÆ
×°Ö÷À»ðǽ
·À»ðǽÊDZ£»¤Ð§ÀÍÆ÷ÃâÊÜδ¾ÊÚȨ»á¼ûµÄÖ÷Òª¹¤¾ß¡£Í¨¹ýÏÞÖÆÈëÕ¾ºÍ³öÕ¾Á÷Á¿£¬·À»ðǽ¿ÉÒÔ¼ì²âºÍ×èֹDZÔڵĹ¥»÷¡£ÔÚLinuxϵͳÖУ¬¿ÉÒÔʹÓÃiptablesÏÂÁîÀ´ÉèÖ÷À»ðǽ¹æÔò¡£ÒÔÏÂÊÇһЩ³£ÓõķÀ»ðǽÏÂÁ
sudo apt install iptables sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT sudo iptables -A INPUT -j DROP sudo iptables-save | sudo tee /etc/iptables/rules.v4
µÇ¼ºó¸´ÖÆ
ÕâЩÏÂÁÔÊÐíSSH»á¼û£¬²¢ÇÒ×èÖ¹ÈκÎÆäËûÈëÕ¾ÅþÁ¬¡£ËäÈ»£¬Äã¿ÉÒÔƾ֤×Ô¼ºµÄÐèÇó¾ÙÐж¨ÖÆ¡£
ÆôÓÃSELinux
SELinux£¨Security-Enhanced Linux£©ÊÇÒ»ÖÖLinuxÄÚºËÇ徲ģ¿é£¬ÓÃÓÚÇ¿ÖÆ»á¼û¿ØÖÆ¡£ÆôÓÃSELinux¿ÉÒÔÌṩÌØÁíÍâÇå¾²²ã¡£ÒÔÏÂÊÇһЩÓëSELinuxÏà¹ØµÄÏÂÁ
sudo apt install selinux-utils selinux-basics selinux-policy-default sudo selinux-activate sudo reboot
µÇ¼ºó¸´ÖÆ
Ö´ÐÐÒÔÉÏÏÂÁîºó£¬ÏµÍ³½«ÆôÓÃSELinux²¢ÖØÐÂÆô¶¯¡£
ÉèÖÃSSHÇå¾²
SSH£¨Secure Shell£©ÊÇÒ»ÖÖ¼ÓÃܵÄÔ¶³ÌµÇ¼ÐÒ飬·Ç¾³£ÓÃÓÚЧÀÍÆ÷ÖÎÀí¡£ÒÔÏÂÊÇһЩÉèÖÃSSHÇå¾²µÄÏÂÁ
sudo nano /etc/ssh/sshd_config
µÇ¼ºó¸´ÖÆ
ÔÚ·¿ªµÄÎļþÖУ¬ÐÞ¸ÄÒÔϲÎÊý£º
Port 2222 PermitEmptyPasswords no PermitRootLogin no PasswordAuthentication no
µÇ¼ºó¸´ÖÆ
ÉúÑIJ¢Í˳öÎļþºó£¬ÖØÆôSSHЧÀÍ£º
sudo systemctl restart ssh
µÇ¼ºó¸´ÖÆ
ÕâЩÏÂÁÐÞ¸ÄĬÈÏSSH¶Ë¿ÚΪ2222£¬Õ¥È¡¿ÕÃÜÂëµÇ¼£¬Õ¥È¡rootµÇ¼£¬²¢ÇÒեȡÃÜÂëÈÏÖ¤¡£
×°ÖÃFail2ban
Fail2banÊÇÒ»¸öÓÃÓÚ±£»¤SSHЧÀÍÃâÊܱ©Á¦Æƽ⹥»÷µÄ¹¤¾ß¡£Ëü¼àÊÓÈÕÖ¾ÎļþÖеĵǼʵÑ飬²¢Æ¾Ö¤ÉèÖõĹæÔò×Ô¶¯·â½û¶ñÒâIPµØµã¡£Ê¹ÓÃÒÔÏÂÏÂÁî×°ÖÃFail2ban£º
sudo apt install fail2ban
µÇ¼ºó¸´ÖÆ
×°ÖÃÍê³Éºó£¬ÐèÒª¶ÔFail2ban¾ÙÐÐһЩÉèÖá£ÔÚ/etc/fail2ban/jail.localÎļþÖУ¬Ìí¼ÓÒÔÏÂÄÚÈÝ£º
[sshd] enabled = true port = 2222 maxretry = 3
µÇ¼ºó¸´ÖÆ
ÕâЩÉèÖý«ÆôÓÃFail2ban²¢¼àÊӶ˿Ú2222ÉϵÄSSHµÇ¼ʵÑé¡£µ±ÊµÑéµÇ¼´ÎÊýÁè¼Ý3´Îʱ£¬Fail2ban»á×Ô¶¯·â½ûIPµØµã¡£
×°Öò¡¶¾É¨Ãè³ÌÐò
ΪÁ˱£»¤Ð§ÀÍÆ÷ÃâÊܲ¡¶¾ºÍ¶ñÒâÈí¼þµÄË𺦣¬¿ÉÒÔ×°ÖÃÒ»¸ö²¡¶¾É¨Ãè³ÌÐò¡£ClamAVÊÇÒ»¸ö¿ªÔ´µÄ²¡¶¾É¨ÃèÒýÇ棬¿ÉÒÔʹÓÃÒÔÏÂÏÂÁî¾ÙÐÐ×°Öãº
sudo apt install clamav sudo freshclam
µÇ¼ºó¸´ÖÆ
×°ÖÃÍê³Éºó£¬¿ÉÒÔʹÓÃÒÔÏÂÏÂÁî¶ÔЧÀÍÆ÷¾ÙÐÐɨÃ裺
sudo clamscan -r /
µÇ¼ºó¸´ÖÆ
ÕâÊÇÒ»¸öºÜÊǺÄʱµÄÀú³Ì£¬Òò´Ë¿ÉÒÔʹÓÃÑ¡Ïî-rÀ´Ö¸¶¨ÐèҪɨÃèµÄĿ¼¡£
ͨ¹ýÕÆÎÕÉÏÊöÕâЩÏÂÁÄã¿ÉÒԴһ¸öÏà¶ÔÇå¾²µÄLinuxЧÀÍÆ÷ÇéÐΡ£ËäÈ»£¬ÔÚÏÖʵӦÓÃÖУ¬½ö½öʹÓÃÕâЩÏÂÁîÊÇÔ¶Ô¶²»·óµÄ£¬»¹ÐèÒª¶ÔЧÀÍÆ÷¾ÙÐа´Æڵļì²éºÍ¸üС£Í¬Ê±£¬½¨Òé´ÓÔÆЧÀÍÌṩÉÌÄÇÀïÏàʶ¸ü¶àµÄÖ÷»úÇå¾²²½·¥¡£
×£Äã´î½¨Ò»¸öÇå¾²¿É¿¿µÄЧÀÍÆ÷ÇéÐΣ¡
ÒÔÉϾÍÊǴÇå¾²µÄLinuxЧÀÍÆ÷ÇéÐΣºÕÆÎÕÕâЩÏÂÁîµÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡