Linux servers underpin much of the internet, so securing them is not optional. For beginners, though, it can be confusing to know where to start with hardening a server and avoiding common vulnerabilities. This article walks through the most common pitfalls in Linux server security hardening and gives simple, easy-to-understand fixes for each.

Problem 1: Weak Passwords and Infrequent Rotation

Common Beginner Mistake: Using 123456 or birthdays as the root password, or never changing it.
Risk: Simple passwords are easily brute-forced (e.g., with Hydra), making unauthorized access possible within minutes.
Solutions:
- Strong Password Requirements: Use a long password or passphrase of at least 12 characters, ideally generated and stored by a password manager. Avoid dictionary words with simple substitutions (P@ssw0rd! is in every cracking wordlist, however "complex" it looks), and never reuse a server password anywhere else.
- Password Changes: Use passwd to change passwords (e.g., passwd root for root). Change a password immediately whenever you suspect it has leaked; a fixed rotation schedule (e.g., every 3 months) is a weaker substitute for that, and for SSH it is better to remove password login entirely (next point).
- SSH Key Authentication (More Secure):
- Generate keys locally: ssh-keygen -t ed25519 (or ssh-keygen -t rsa -b 4096 if an old server cannot handle Ed25519). Accept the default file location, but set a passphrase when prompted: it protects the private key if your workstation is lost or stolen.
- Upload the public key to the server: ssh-copy-id root@server-IP, then enter the password. Test it from a second terminal before going further: ssh root@server-IP should now log in without asking for a password.
- Disable password login on the server: Edit /etc/ssh/sshd_config to set PasswordAuthentication no and PubkeyAuthentication yes (and PermitRootLogin prohibit-password so root can only log in with a key). On Ubuntu 22.04 and later also check /etc/ssh/sshd_config.d/: files included from there are read first, and a drop-in such as 50-cloud-init.conf containing PasswordAuthentication yes silently overrides the main file. Validate the result with sshd -t, then restart SSH (systemctl restart sshd; on Ubuntu/Debian the unit is called ssh) while keeping your existing session open, so a mistake cannot lock you out.
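The following shell functions are an added example, not code from the original article: they apply the sshd_config directives from the steps above idempotently (replacing a commented-out default instead of appending a duplicate that sshd would ignore, since sshd uses the first value it reads for a keyword) and list drop-in files that would re-enable password login. The function names are my own, and the demo at the bottom runs on a constructed temporary copy of the config rather than on /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original article): set the sshd directives
# from the hardening steps idempotently and look for drop-in overrides.
# Works on any file path, so it can be tried on a copy without root.

# set_sshd_directive FILE KEY VALUE
# Replaces the first line that sets KEY, including a commented-out default
# such as "#PasswordAuthentication yes", or appends "KEY VALUE" if absent.
set_sshd_directive() {
    file=$1
    key=$2
    value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        !replaced && $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") {
            print k " " v; replaced = 1; next
        }
        { print }
        END { if (!replaced) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# harden_sshd_config FILE
# Key-only logins, no interactive password prompts, root only via key.
harden_sshd_config() {
    f=$1
    set_sshd_directive "$f" PubkeyAuthentication yes
    set_sshd_directive "$f" PasswordAuthentication no
    # PAM can still prompt for a password over keyboard-interactive auth.
    # This keyword is the original name on older OpenSSH and an accepted
    # alias of KbdInteractiveAuthentication on 8.7 and later.
    set_sshd_directive "$f" ChallengeResponseAuthentication no
    set_sshd_directive "$f" PermitRootLogin prohibit-password
}

# find_password_overrides DIR
# Prints drop-in files that re-enable password auth. On Ubuntu 22.04+ the
# main file begins with "Include /etc/ssh/sshd_config.d/*.conf", and
# cloud-init commonly writes 50-cloud-init.conf with
# "PasswordAuthentication yes", which wins because it is read first.
find_password_overrides() {
    dir=$1
    [ -d "$dir" ] || return 0
    grep -Eil '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$dir"/*.conf 2>/dev/null
    return 0
}

# Demo on a constructed config (sample content, not a real server's file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
KbdInteractiveAuthentication no
EOF
mkdir -p "$demo_dir/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$demo_dir/sshd_config.d/50-cloud-init.conf"

harden_sshd_config "$demo_dir/sshd_config"
cat "$demo_dir/sshd_config"
echo "drop-ins that still allow passwords:"
find_password_overrides "$demo_dir/sshd_config.d"
rm -rf "$demo_dir"
```

On a real server, point harden_sshd_config at /etc/ssh/sshd_config, fix or delete anything find_password_overrides reports, run sshd -t, and only then restart the service from a session you keep open until a fresh key-based login succeeds.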

Problem 2: Disabling Firewalls for Convenience

Common Beginner Mistake: Stopping firewalls with systemctl stop firewalld or iptables -F.
Risk: Firewalls act as “gatekeepers”—disabling them exposes all ports, allowing attackers to exploit vulnerabilities (e.g., unpatched Apache web vulnerabilities).
Solutions:
- Open Only Necessary Ports:
- CentOS/RHEL (firewalld):
Open port 80 (web): firewall-cmd --permanent --add-port=80/tcp, then firewall-cmd --reload to apply it (or use the predefined service: firewall-cmd --permanent --add-service=http).
List open ports: firewall-cmd --list-ports (firewall-cmd --list-all shows everything in the active zone).
- Ubuntu/Debian (ufw):
Allow SSH before enabling the firewall, or you will lock yourself out: ufw default deny incoming, then ufw allow 22/tcp, then ufw enable. Check the result with ufw status verbose.
- Disable Unused Services: Remove services like Telnet (use SSH instead) or FTP rather than leaving them running: systemctl disable --now vsftpd stops it and keeps it from starting at boot; yum remove vsftpd or apt remove vsftpd removes it entirely.

Problem 3: Exposing SSH Port to the Internet Without IP Restrictions

Common Beginner Mistake: Leaving SSH (port 22) open to the public without restrictions.
Risk: SSH is a critical entry point; open access allows brute-force attacks (e.g., 10+ attempts per second).
Solutions:
- IP Restriction:
The classic approach is TCP wrappers: in /etc/hosts.allow add sshd: 192.168.1.0/24 (replace with your own IP range) and in /etc/hosts.deny add sshd: ALL. Caveat: upstream OpenSSH dropped TCP wrappers support in 6.7 (2014), and RHEL 8 and later ship sshd without it, so on those systems the two files are silently ignored. Check with ldd $(command -v sshd) | grep libwrap; if nothing is printed, restrict access elsewhere:
In the firewall: firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh accept' (then remove the general ssh service and reload), or ufw allow from 192.168.1.0/24 to any port 22 proto tcp.
In sshd itself: AllowUsers alice@192.168.1.0/24 in /etc/ssh/sshd_config limits both who may log in and from where.
- fail2ban for Brute-Force Protection:
Install: yum install epel-release && yum install fail2ban (CentOS; the package lives in EPEL) or apt install fail2ban (Ubuntu/Debian), then systemctl enable --now fail2ban. It watches the SSH log (/var/log/auth.log on Ubuntu/Debian, /var/log/secure on CentOS/RHEL, or the systemd journal) and temporarily bans an IP after repeated failed logins. The defaults are 5 failures within 10 minutes and a 10-minute ban; set maxretry and bantime in /etc/fail2ban/jail.local to tighten them (e.g., maxretry = 3). On CentOS the sshd jail must also be switched on there ([sshd] followed by enabled = true). Check what it is doing with fail2ban-client status sshd.

Problem 4: Unupdated Systems and Software

Common Beginner Mistake: Never updating the system after installation, relying on outdated software.
Risk: Unpatched systems/software (e.g., Heartbleed, Log4j) leave vulnerabilities open to exploitation.
Solutions:
- Regular System Updates:
- CentOS/RHEL: yum update -y (dnf update -y on RHEL/CentOS Stream 8 and later; dnf also accepts yum's syntax).
- Ubuntu/Debian: apt update && apt upgrade -y.
Reboot after kernel or glibc updates, otherwise the old vulnerable code keeps running in memory; needs-restarting -r (CentOS/RHEL, from yum-utils) or the presence of /var/run/reboot-required (Ubuntu/Debian) tells you when that is needed.
- Enable Automatic Updates (Optional):
Use yum-cron (CentOS 7), dnf-automatic (RHEL/CentOS Stream 8 and later), or unattended-upgrades (Ubuntu/Debian) to auto-apply security patches. Unattended updates trade a small risk of a broken package for never forgetting a patch; at minimum enable them for security updates.

Problem 5: Permissions Mismanagement (777 Everywhere)

Common Beginner Mistake: Setting directories/files to chmod 777 for “convenience” (e.g., website files or logs).
Risk: 777 gives every local account, and every service running on the box, full read/write/execute access. If any one of them is compromised (a vulnerable PHP app, a cron job, a stolen low-privilege login), the attacker can modify or delete those files or plant a web shell that the web server will happily execute.
Solutions: Follow the principle of least privilege:
- Directories: chmod 755 (owner: rwx, group/others: rx; e.g., chmod 755 /var/www/html).
- Files: chmod 644 (owner: rw, group/others: r; e.g., chmod 644 /var/www/html/index.html).
- Directories the application genuinely must write to (uploads, caches): give them to the service account rather than to everyone, e.g., chown www-data:www-data /var/www/html/uploads && chmod 750 /var/www/html/uploads (the user is apache on CentOS), and configure the web server not to execute scripts from them.
- Avoid Root Privilege Abuse: Log in as an ordinary user and use sudo for individual commands instead of su - to a root shell; only use root when absolutely necessary, so every privileged action is logged with the user who ran it.
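As an added example (not code from the original article), the shell functions below do what the bullets above describe: reset a content tree from 777 to 755 for directories and 644 for files, and list whatever is still world-writable so each remaining case is a deliberate decision. The function names are my own, and the demo runs on a constructed temporary tree rather than on /var/www/html.

```shell
#!/bin/sh
# Added example (not from the original article): replace "chmod -R 777"
# with the least-privilege layout above. Directories get 755, regular
# files 644, and anything still world-writable afterwards is reported.

# fix_web_perms DIR
# Static content: directories 755, files 644. This clears the execute bit
# on files, so run it on content trees, not on bin/ or cgi-bin/.
fix_web_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
}

# list_world_writable DIR
# Prints every file or directory that "others" can write to. This is
# exactly what 777 leaves open to every local account and to any
# compromised service on the machine.
list_world_writable() {
    find "$1" -perm -0002 | sort
}

# mode_of PATH
# Symbolic mode string (e.g. drwxr-xr-x), portable across ls versions.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# A directory the application must write to (uploads, cache) should be
# owned by the service account and writable only by it, e.g.
#   chown www-data:www-data /var/www/html/uploads && chmod 750 /var/www/html/uploads
# rather than 777. chown needs root, so it is not part of this demo.

# Demo on a constructed tree (sample files, not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/html/css" "$demo/html/uploads"
printf '<h1>hi</h1>\n' > "$demo/html/index.html"
printf 'body{}\n' > "$demo/html/css/site.css"
chmod -R 777 "$demo/html"          # the beginner mistake
echo "world-writable before:"
list_world_writable "$demo/html"
fix_web_perms "$demo/html"
echo "world-writable after:"
list_world_writable "$demo/html"
echo "index.html is now $(mode_of "$demo/html/index.html")"
rm -rf "$demo"
```

Run list_world_writable against / occasionally as well (find / -perm -0002 -type f, excluding /proc and /tmp); a world-writable file outside the places that are supposed to have one is either a mistake like the one above or something an attacker left behind.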

Problem 6: Ignoring Logs (No Trace of Attacks)

Common Beginner Mistake: Never configuring or reading logs, which makes post-incident investigation impossible.
Risk: Logs (e.g., /var/log/auth.log on Ubuntu/Debian or /var/log/secure on CentOS/RHEL for login failures) are critical for forensic analysis. An attacker who gains root will often truncate or delete them to hide their traces, so a log that exists only on the compromised machine cannot be trusted after a breach.
Solutions:
- Log Rotation:
CentOS uses logrotate by default (configured in /etc/logrotate.d/syslog). Adjust it to compress old logs and to keep enough history (weeks, not days) to investigate an intrusion that is discovered late.
- Forward Logs Off the Server: Configure rsyslog to send a copy to a separate log host, so an attacker cannot erase the only copy.
- Regular Log Checks:
Check failed logins: grep "Failed password" /var/log/auth.log (Ubuntu/Debian) or /var/log/secure (CentOS/RHEL); on systemd systems journalctl -u sshd (the unit is ssh on Ubuntu/Debian) works regardless of file names.
Monitor system events: tail -f /var/log/messages (CentOS) or /var/log/syslog (Ubuntu), or journalctl -f.
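The following is an added example, not code from the original article, that serves both the fail2ban discussion in Problem 3 and the log checks here: it is the detection logic behind grep "Failed password" and behind fail2ban's maxretry, written as two small shell functions over sshd log lines. The function names are my own, and the sample log is constructed (it uses documentation addresses from 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24, not real traffic). The line format is the same in /var/log/auth.log, /var/log/secure and journalctl output, so the functions work on any of them.

```shell
#!/bin/sh
# Added example (not from the original article): count sshd password
# failures per source address and pick the addresses fail2ban would ban.

# failed_logins_by_ip LOGFILE   (use "-" to read standard input)
# Counts "Failed password" events per source address, busiest first.
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The address always follows the word "from"; walk the fields
            # instead of assuming a fixed column, because "invalid user"
            # lines carry two extra words before it.
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -rn
}

# ips_to_ban LOGFILE [MAXRETRY]
# Addresses with at least MAXRETRY failures (fail2ban's default is 5).
# Note: once PasswordAuthentication is off, failed attempts are logged as
# "Connection closed by authenticating user ..." instead; fail2ban's sshd
# filter matches those too, this deliberately minimal version does not.
ips_to_ban() {
    failed_logins_by_ip "$1" | awk -v t="${2:-5}" '$1 >= t { print $2 }'
}

# Constructed sample log (documentation addresses, not real traffic).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Mar  3 09:12:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 09:12:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 09:12:05 web1 sshd[2204]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 09:12:06 web1 sshd[2204]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 09:12:08 web1 sshd[2204]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 09:15:44 web1 sshd[2310]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Mar  3 09:15:50 web1 sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2: ED25519 SHA256:examplefingerprint
Mar  3 09:20:00 web1 sshd[2355]: Failed password for bob from 192.0.2.9 port 33010 ssh2
EOF

echo "failures per source:"
failed_logins_by_ip "$sample"
echo "would ban at maxretry=3:"
ips_to_ban "$sample" 3
rm -f "$sample"
```

On a live system the same functions read the real log (failed_logins_by_ip /var/log/secure) or the journal (journalctl -u sshd -o short | failed_logins_by_ip -); a single address near the top with hundreds of failures is the brute-force pattern from Problem 3, while one failure each from many addresses is a distributed scan that a per-IP ban barely slows, which is another reason to require keys.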

Problem 7: Installing Unnecessary Services

Common Beginner Mistake: Installing unused services (e.g., FTP, Telnet, MySQL) just to “speed up setup.”
Risk: Unused services leave open ports (e.g., FTP’s port 21) for attackers to exploit.
Solutions:
- Uninstall Unused Services:
For FTP: yum remove vsftpd (CentOS) or apt remove vsftpd (Ubuntu). Removing a package beats disabling it: nothing can re-enable what is not installed.
- Disable Unused Services:
Disable Telnet: systemctl disable --now telnet.socket (--now stops it immediately as well as at boot).
- Check Open Ports: Use ss -tulpn (netstat -tuln is deprecated and often not installed any more) to list listening sockets together with the process that owns each one; anything listening on 0.0.0.0 or :: that you do not recognise should be stopped, or bound to 127.0.0.1 if only local clients need it.

Summary of Security Hardening

Key principles for beginners:
1. Least Privilege: Avoid 777 and unrestricted root access.
2. Close Entry Points: Open only necessary ports and restrict access (e.g., SSH IP whitelisting).
3. Update Regularly: Patch systems/software to eliminate known vulnerabilities.
4. Audit Logs: Track attack traces and monitor critical logs (e.g., failed logins).

Start with simple steps: disable unnecessary services, restrict SSH access, and set strong passwords (or, better, switch to SSH keys). Gradually explore tools like iptables/nftables or fail2ban. Regular checks (e.g., last to review recent logins and lastb for failed ones) keep the server secure over the long term.

Xiaoye