Linux Server Initialisation and Hardening Guide
Author: CaoZH
Date: 2026-04-20
This article is an original tutorial.
Deploying an application straight onto a freshly provisioned Linux server is not safe. This article collects a standardised initialisation procedure covering user management, SSH hardening, the firewall, Fail2Ban, automatic updates and the other essential steps.
1. Initial Login
# First login as root
ssh root@your-server-ip
# Bring the system up to date (Debian/Ubuntu)
apt update && apt upgrade -y
# Bring the system up to date (CentOS/RHEL)
yum update -y
# Take stock: kernel, distribution, memory, disk
uname -a
cat /etc/os-release
free -h
df -h
2. Create a Regular User
# A non-root account for day-to-day work and deployments
adduser deploy
# Grant sudo (the group is `wheel` on CentOS/RHEL)
usermod -aG sudo deploy
# Switch to the new account and confirm that sudo works (prints "root")
su - deploy
sudo whoami
3. SSH Hardening
sudo vim /etc/ssh/sshd_config
# Set the following directives (uncomment them if the stock file has them commented out):
Port 2222                    # change the default port (22 → your choice)
PermitRootLogin no           # forbid root login
PasswordAuthentication no    # forbid password login (use keys)
PubkeyAuthentication yes     # enable key authentication
AllowUsers deploy            # only the listed users may log in
MaxAuthTries 3               # maximum authentication attempts per connection
ClientAliveInterval 300      # seconds of idle time before a keepalive is sent
ClientAliveCountMax 2        # unanswered keepalives before the session is dropped
# Note: sshd takes the first value it reads for each keyword, and recent Debian/Ubuntu images
# include /etc/ssh/sshd_config.d/*.conf at the top of sshd_config, so a drop-in there can
# override the lines above. `sudo sshd -T | grep -iE 'port|passwordauthentication|permitrootlogin'`
# prints the values sshd will actually use.

# Step 1, from your own machine, while sshd still listens on 22 and still accepts passwords:
# install your public key for the new user (no -p yet, the port has not changed)
ssh-copy-id deploy@your-server-ip
# Step 2, on the server: syntax-check the config, then restart sshd
sudo sshd -t && sudo systemctl restart sshd
# Step 3, in a NEW terminal: test the new port; keep the old session open until this works
ssh -p 2222 deploy@your-server-ip
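As an added example (not code from the original post), the bash functions below apply the directives above to an sshd_config file idempotently, whether the stock file has a directive commented out or set to another value, and report the value sshd will read. The function names, the `harden_sshd_config` wrapper and the constructed sample file are this example's own. On a real host run `validate_sshd_config` as root, and confirm with `sudo sshd -T` that no drop-in under /etc/ssh/sshd_config.d overrides the result.

```shell
#!/bin/bash
# Added example, not from the original post: edit sshd_config directives idempotently and
# validate the file before the service is restarted. Assumes bash, GNU sed, grep and awk.
# The config path is a parameter so the functions can be exercised on a scratch copy.

# Set one directive, replacing every existing copy (commented or not) or appending it.
# Keywords inside Match blocks are not handled; this targets the global section only.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|=)" "$file"; then
        sed -E -i "s/^[#[:space:]]*${key}([[:space:]]|=).*/${key} ${value}/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# sshd uses the FIRST uncommented occurrence of a keyword, so that is what we report.
get_sshd_option() {
    local file="$1" key="$2"
    awk -v k="$key" '$1 == k { print $2; exit }' "$file"
}

# The directive set from the tutorial, parameterised on port and user.
harden_sshd_config() {
    local file="$1" port="${2:-2222}" user="${3:-deploy}"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" AllowUsers "$user"
    set_sshd_option "$file" MaxAuthTries 3
    set_sshd_option "$file" ClientAliveInterval 300
    set_sshd_option "$file" ClientAliveCountMax 2
}

# Syntax check with sshd itself (root is needed to read the host keys). A file that fails
# here must never reach `systemctl restart sshd`. Succeeds trivially if sshd is not installed.
validate_sshd_config() {
    local file="$1"
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$file"
    fi
}

# Demo on a constructed file resembling stock Debian/Ubuntu defaults (commented directives).
demo() {
    local tmp
    tmp=$(mktemp)
    printf '#Port 22\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\nPubkeyAuthentication yes\n' > "$tmp"
    harden_sshd_config "$tmp" 2222 deploy
    echo "effective Port: $(get_sshd_option "$tmp" Port)"   # 2222
    cat "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `bash sshd_harden.sh demo` to see the rewritten sample; on the server, call `harden_sshd_config /etc/ssh/sshd_config 2222 deploy` followed by `validate_sshd_config /etc/ssh/sshd_config` from a root shell before restarting the service. Running the functions twice leaves the file unchanged, which is what makes them safe to put in a provisioning script.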
4. Configure the Firewall
# UFW (Debian/Ubuntu)
sudo apt install -y ufw
# Default policy: drop everything inbound, allow everything outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow the NEW SSH port before enabling; enabling without it cuts off your own session
sudo ufw allow 2222/tcp comment 'SSH'
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
sudo ufw allow 8080/tcp comment 'API'
sudo ufw enable
sudo ufw status verbose
# firewalld (CentOS/RHEL)
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
# The public zone still allows the `ssh` service (port 22) by default; once 2222 works,
# remove it with: sudo firewall-cmd --permanent --remove-service=ssh && sudo firewall-cmd --reload
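The one mistake this section cannot recover from is enabling the firewall while sshd listens on a port that has no ALLOW rule. The script below is an added example (not from the original post) of a pre-flight guard for UFW: it reads the port from sshd_config, checks it against the staged rules that `ufw show added` prints before the firewall is active, and refuses otherwise. The rule text is constructed here so it runs offline; the function names are this example's own, and only the simple `ufw allow PORT[/tcp]` rule form is recognised.

```shell
#!/bin/bash
# Added example, not from the original post: refuse `ufw enable` unless the port sshd is
# configured to listen on already has an ALLOW rule. Assumes the one-rule-per-line text
# printed by `ufw show added` and a sshd_config path; both are constructed below.

# Port sshd will bind: first uncommented Port directive, or 22 when none is set.
sshd_port_from_config() {
    local file="$1" port
    port=$(awk '$1 == "Port" { print $2; exit }' "$file")
    echo "${port:-22}"
}

# Reads `ufw show added` text on stdin; true if an allow rule for the port exists
# (ufw prints "2222/tcp", or a bare "2222" for rules added without a protocol).
ufw_allows_port() {
    local port="$1"
    grep -Eq "^ufw allow ${port}(/tcp)?([[:space:]]|$)"
}

# Combined guard: returns 0 when it is safe to enable the firewall, 1 otherwise.
check_ssh_rule() {
    local cfg="$1" rules_text="$2" port
    port=$(sshd_port_from_config "$cfg")
    if printf '%s\n' "$rules_text" | ufw_allows_port "$port"; then
        echo "ok: sshd port $port has an ALLOW rule"
        return 0
    fi
    echo "refusing to enable ufw: sshd port $port has no ALLOW rule" >&2
    return 1
}

# Constructed `ufw show added` output: the operator allowed the old port 22, but sshd moved to 2222.
UFW_RULES_WRONG="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP'"

# Constructed output after the correct rule was added.
UFW_RULES_RIGHT="Added user rules (see 'ufw status' for running firewall):
ufw allow 2222/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP'"

demo() {
    local cfg
    cfg=$(mktemp)
    printf 'Port 2222\nPermitRootLogin no\n' > "$cfg"      # constructed sshd_config
    check_ssh_rule "$cfg" "$UFW_RULES_WRONG" || true       # refuses
    check_ssh_rule "$cfg" "$UFW_RULES_RIGHT"               # ok
    rm -f "$cfg"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real host the guard reads live data: `check_ssh_rule /etc/ssh/sshd_config "$(sudo ufw show added)" && sudo ufw enable`. Because the check runs against the staged rules rather than `ufw status` (which prints only "Status: inactive" before enabling), it works at exactly the moment it is needed.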
5. Install Fail2Ban
sudo apt install -y fail2ban
# Never edit jail.conf itself (package upgrades overwrite it); put settings in jail.local.
# A jail.local holding only the overrides also works and is easier to maintain than a full copy.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# /etc/fail2ban/jail.local, relevant parts
[DEFAULT]
# ban length in seconds
bantime = 3600
# window in which failures are counted
findtime = 600
# failures within findtime that trigger a ban
maxretry = 5

[sshd]
enabled = true
# must match the Port in sshd_config, otherwise the ban rule does not cover SSH
port = 2222
logpath = %(sshd_log)s
maxretry = 3
bantime = 86400

[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log

sudo systemctl start fail2ban
sudo systemctl enable fail2ban
# Jail overview, then the sshd jail with its currently banned addresses
sudo fail2ban-client status
sudo fail2ban-client status sshd
6. Automatic Security Updates
# Debian/Ubuntu
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
# Confirm both APT::Periodic lines are set to "1"
sudo cat /etc/apt/apt.conf.d/20auto-upgrades
# CentOS/RHEL 7 (newer releases ship dnf-automatic instead)
sudo yum install -y yum-cron
sudo systemctl start yum-cron
sudo systemctl enable yum-cron
7. Install Common Tools
# Monitoring
sudo apt install -y htop iotop net-tools sysstat
# Networking (netcat is a virtual package on newer Ubuntu releases; name an implementation)
sudo apt install -y curl wget netcat-openbsd
# Editing and version control
sudo apt install -y vim git
# Docker: save the install script first so it can be read before it runs with root rights
curl -fsSL https://get.docker.com -o get-docker.sh
less get-docker.sh
sudo sh get-docker.sh
# Members of the docker group can start privileged containers, which is root-equivalent access
sudo usermod -aG docker deploy
8. Swap Configuration
# Check for existing swap (empty output means none)
swapon --show
# Create a 2 GB swap file
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
# Keep it across reboots
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
# Prefer RAM over swap: persist vm.swappiness=10 and apply it immediately
echo 'vm.swappiness=10' | sudo tee /etc/sysctl.d/99-swappiness.conf
sudo sysctl -p /etc/sysctl.d/99-swappiness.conf
9. Logs and Auditing
# Successful and failed logins (from wtmp and btmp)
sudo last
sudo lastb
# systemd journal: recent errors, then the last 50 sshd entries
sudo journalctl -xe
sudo journalctl -u sshd -n 50
# Follow authentication events live (the file is /var/log/secure on CentOS/RHEL)
sudo tail -f /var/log/auth.log
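Fail2Ban's sshd jail (section 5) is at heart a counter: failures per source address inside a sliding `findtime` window, compared against `maxretry`. The script below is an added example (not Fail2Ban's code and not from the original post) that reproduces that decision in awk over a few constructed auth.log lines, so the reader can see what a ban rests on and run the same check by hand against `/var/log/auth.log` or `journalctl -u sshd` output when reviewing logs. The sample lines, the addresses and the `offending_ips` function name are this example's own; Fail2Ban's real filter recognises many more message variants than the single "Failed password" form used here.

```shell
#!/bin/bash
# Added example, not from the original post: the sliding-window check behind Fail2Ban's
# sshd jail, written in awk. Reads syslog-style sshd lines on stdin and prints each source
# address that reached MAXRETRY "Failed password" events within FINDTIME seconds, in the
# order they would have been banned. Assumes all lines fall on one day (only the HH:MM:SS
# field is compared) and the classic "Failed password for ... from <ip>" message.

# Constructed sample resembling /var/log/auth.log: a burst from 203.0.113.5, two mistyped
# passwords from 198.51.100.7 followed by a successful key login, then a late straggler.
SAMPLE_LOG='Apr 20 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Apr 20 10:00:03 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Apr 20 10:00:05 srv sshd[1203]: Failed password for root from 203.0.113.5 port 51002 ssh2
Apr 20 10:00:07 srv sshd[1204]: Failed password for deploy from 203.0.113.5 port 51003 ssh2
Apr 20 10:01:10 srv sshd[1210]: Failed password for deploy from 198.51.100.7 port 40000 ssh2
Apr 20 10:01:20 srv sshd[1211]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
Apr 20 10:01:30 srv sshd[1212]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2: ED25519 SHA256:constructed
Apr 20 10:30:00 srv sshd[1300]: Failed password for invalid user test from 203.0.113.5 port 52000 ssh2'

# usage: offending_ips [maxretry] [findtime_seconds] < logfile
offending_ips() {
    local maxretry="${1:-3}" findtime="${2:-600}"
    awk -v maxretry="$maxretry" -v findtime="$findtime" '
        /sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":")
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            stamp[ip, n[ip]] = ts
            # failures from this address inside the window that ends at this line
            c = 0
            for (j = 1; j <= n[ip]; j++) if (ts - stamp[ip, j] <= findtime) c++
            if (c >= maxretry && !(ip in flagged)) {
                flagged[ip] = 1
                order[++k] = ip
            }
        }
        END { for (i = 1; i <= k; i++) print order[i] }'
}

if [ "${1:-}" = "demo" ]; then
    echo "maxretry=3 findtime=600:"
    printf '%s\n' "$SAMPLE_LOG" | offending_ips 3 600   # 203.0.113.5
    echo "maxretry=2 findtime=600:"
    printf '%s\n' "$SAMPLE_LOG" | offending_ips 2 600   # 203.0.113.5 then 198.51.100.7
fi
```

With the tutorial's sshd jail values (maxretry 3, findtime 600) only 203.0.113.5 is flagged: the two failures from 198.51.100.7 stay under the threshold, and the straggler at 10:30 falls outside the window of the earlier burst. Against a live system, `source` the file and run `sudo grep sshd /var/log/auth.log | offending_ips 3 600`, then compare with `sudo fail2ban-client status sshd`.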
10. One-Shot Initialisation Script
#!/bin/bash
# Run as root on a fresh Debian/Ubuntu host:  ./init.sh [ssh_port] [deploy_user]
# Assumes the key you logged in with as root is in /root/.ssh/authorized_keys; it is copied
# to the new user BEFORE password logins are disabled, otherwise the script locks you out.
set -e
SSH_PORT=${1:-2222}
DEPLOY_USER=${2:-deploy}
SSHD_CONFIG=/etc/ssh/sshd_config

echo "🚀 Starting server initialisation..."

apt update && apt upgrade -y

# User
adduser --gecos "" "$DEPLOY_USER"
usermod -aG sudo "$DEPLOY_USER"
install -d -m 700 -o "$DEPLOY_USER" -g "$DEPLOY_USER" "/home/$DEPLOY_USER/.ssh"
install -m 600 -o "$DEPLOY_USER" -g "$DEPLOY_USER" /root/.ssh/authorized_keys "/home/$DEPLOY_USER/.ssh/authorized_keys"

# SSH: match each directive whether it is commented out or not, whatever its current value
sed -i "s/^#\?Port .*/Port $SSH_PORT/" "$SSHD_CONFIG"
sed -i "s/^#\?PermitRootLogin .*/PermitRootLogin no/" "$SSHD_CONFIG"
sed -i "s/^#\?PasswordAuthentication .*/PasswordAuthentication no/" "$SSHD_CONFIG"
# Drop-ins under sshd_config.d take precedence; cloud images often re-enable passwords there
for f in /etc/ssh/sshd_config.d/*.conf; do
    [ -e "$f" ] && sed -i "s/^#\?PasswordAuthentication .*/PasswordAuthentication no/" "$f"
done
sshd -t
systemctl restart sshd

# Firewall
apt install -y ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow "$SSH_PORT"/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable

# Fail2Ban, watching the new SSH port rather than the default 22
apt install -y fail2ban
cat > /etc/fail2ban/jail.local <<EOF
[sshd]
enabled = true
port = $SSH_PORT
maxretry = 3
bantime = 86400
EOF
systemctl enable --now fail2ban

# Tools and automatic updates
apt install -y htop curl wget git vim unattended-upgrades

# Swap (skipped if the file already exists)
if [ ! -f /swapfile ]; then
    fallocate -l 2G /swapfile
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile
    echo '/swapfile none swap sw 0 0' >> /etc/fstab
fi

echo "✅ Initialisation complete!"
echo "Log in on the new port: ssh -p $SSH_PORT $DEPLOY_USER@<server-ip>"
11. Summary
Hardening checklist:
□ Create a regular user and forbid root login
□ Change the SSH port (22 → custom)
□ Allow key-based login only
□ Configure the firewall (UFW / firewalld)
□ Install Fail2Ban against brute-force attempts
□ Enable automatic security updates
□ Configure swap
□ Install monitoring tools
□ Review the logs regularly
First published on CaoZH's Notes