1、修改apt 源
sudo nano /etc/apt/sources.list.d/ubuntu.sources
内容:
Types: deb
URIs: http://mirrors.aliyun.com/ubuntu/
Suites: plucky plucky-updates plucky-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://mirrors.aliyun.com/ubuntu/
Suites: plucky-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
sudo apt update
apt list --upgradable
sudo apt upgrade
设置nano显示行号
#sudo nano /etc/nanorc
#sudo nano ~/.nanorc
#内容:
#set linenumbers #取消#号
nano somefile -l
2、修改pip源
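# Per-user pip config. The original opened ~/pip.conf, which pip never reads;
# the legacy per-user location is ~/.pip/pip.conf (current one: ~/.config/pip/pip.conf).
mkdir -p ~/.pip
nano ~/.pip/pip.conf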
内容:
[global]
index-url = https://mirrors.aliyun.com/pypi/simple/
#index-url = https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple
#[install]
#trusted-host = mirrors.tuna.tsinghua.edu.cn
3、安装配置zsh
sudo apt install zsh zsh-syntax-highlighting zsh-autosuggestions
chsh -s /usr/bin/zsh
重连
nano ~/.zshrc
添加内容:
setopt nonomatch # an unmatched glob is passed through literally instead of raising an error
source /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh
source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
alias ls='ls --color=auto'
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
alias ll='ls -alFh'
#alias ll='ls -alFhG' # FreeBSD: -G enables colour output
alias la='ls -A'
alias l='ls -CF'
alias sudo='sudo ' # trailing space lets the alias after sudo be expanded too
alias updatedb="sudo updatedb --prunepaths=\"/mnt\""
sudo cp .zshrc /etc/skel #新建用户时自动拷贝zsh配置
sudo nano /etc/adduser.conf
修改内容:DSHELL=/usr/bin/zsh #设置新加用户的默认shell
4、配置 su 权限
sudo nano /etc/pam.d/su
修改内容: auth required pam_wheel.so group=sudo #设置只有sudo组能用su；修改前先确认自己的管理账户已在 sudo 组，否则会把自己挡在 su 之外（sudo 本身不受此设置影响）
5、防火墙
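sudo ufw status verbose # show firewall state and current rules
sudo ufw app list       # list application profiles
# Open SSH BEFORE enabling: ufw's default policy is deny-incoming, so enabling first
# would drop the current remote session. sshd is TCP-only, so restrict the rule to tcp.
# (`sudo ufw limit 22/tcp` additionally rate-limits repeated connection attempts per source.)
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp  # add 443/udp only if HTTP/3 (QUIC) is enabled in nginx
#sudo ufw allow 11011   # 花生壳 (Oray) listener
#sudo ufw allow 16062
sudo ufw enable         # activate the firewall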
6、设置时区校准时间
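timedatectl status                          # show timezone and NTP state
sudo timedatectl set-timezone Asia/Shanghai # set timezone
#sudo timedatectl set-local-rtc yes         # keep the hardware clock in local time (only needed alongside Windows dual-boot)
# Keep the clock synced continuously (systemd-timesyncd on a stock Ubuntu install)
# instead of a single one-shot correction.
sudo timedatectl set-ntp true
#sudo ntpdate ntp.aliyun.com                # one-shot sync; ntpdate is deprecated. To use the Aliyun
                                            # server with timesyncd, set NTP= in /etc/systemd/timesyncd.conf
date -R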
7、替代命令
sudo apt install bat #好看一点的 cat
sudo batcat /var/log/auth.log |grep Failed.*ssh #查看ssh登录失败记录
htop #好看一点的 top
duf #好看一点的 df
tree/broot #好看一点的list
procs #好看一点的ps
fdfind #好看一点的find sudo apt install fd-find
sudo -i #提权
8、安装 Mariadb
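apt list 'mariadb*'                 # quoted: the glob is for apt, not for the shell
sudo apt install mariadb-server
sudo mariadb-secure-installation    # interactive hardening (root auth, anonymous users, remote root, test db)
sudo systemctl enable --now mariadb # enable at boot and start now in one step
sudo systemctl status mariadb
mariadb --version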
9、安装 Nginx Php
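sudo apt install nginx
apt list 'php8*'                    # quoted: the glob is for apt, not for the shell
sudo apt install php8.4-fpm php8.4-mysql php8.4-mbstring php8.4-gd php8.4-curl php8.4-xml
apt list --installed 'php8.4*'      # apt's own filter instead of grepping the listing
sudo systemctl enable --now nginx
sudo systemctl enable --now php8.4-fpm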
设置web上传用户:
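# Upload user whose primary group is www-data, so nginx (running as www-data) can read its files.
sudo adduser userupload --ingroup www-data
#sudo usermod userupload -g www-data   # alternative: change the primary group of an existing user
# Run as the upload user directly instead of an interactive su/exit pair.
sudo -u userupload mkdir -p /home/userupload/www
# Directories need the x bit to be traversed: 640 (the original) leaves www-data unable to
# enter the document root, so nginx fails with permission denied. 750 = owner rwx, group rx.
sudo -u userupload chmod 750 /home/userupload/www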
sudo nano /etc/nginx/nginx.conf
修改内容:#include /etc/nginx/sites-enabled/*; #注释默认配置
sudo cp /etc/nginx/sites-available/default /etc/nginx/conf.d/my.conf #复制默认配置
sudo nano /etc/nginx/conf.d/my.conf
修改Nginx my.conf内容:
server {
listen 80 default_server;
server_tokens off; # hide the nginx version in the Server header and error pages
root /home/userupload/www;
index index.html index.htm index.php;
server_name _;
location / {
try_files $uri $uri/ =404;
#autoindex on;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.4-fpm.sock; # socket path depends on the installed php-fpm version
}
}
禁止一些php函数
sudo nano /etc/php/8.4/fpm/php.ini
内容（注意：列表中的 scandir、getcwd、touch、ini_set、error_log 等函数被不少 PHP 框架依赖，禁用后程序可能报错，请按实际应用从列表中移除）:
disable_functions = checkdnsrr, chgrp, chown, disk_free_space, disk_total_space, error_log, error_reporting, exec, fsockopen, ftp_connect, ftp_get, ftp_login, ftp_pasv, getcwd, getmxrr, getservbyname, getservbyport, highlight_file, ini_alter, ini_restore, ini_set, link, openlog, parse_ini_file, passthru, pfsockopen, popen, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgroups, posix_getlast_error, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_strerror, posix_times, posix_ttyname, posix_uname, proc_close, proc_get_status, proc_open, putenv, readlink, scandir, shell_exec, show_source, socket_accept, socket_bind, socket_connect, socket_create, socket_listen, stream_socket_accept, stream_socket_client, stream_socket_server, symlink, sys_getloadavg, syslog, system, touch,dl,pcntl_exec
上传网页后设置文件、文件夹权限
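# Set permissions under the uploaded site: directories 750 (owner rwx, group rx so www-data
# can traverse), files 640. find -exec passes each path as its own argument, so names with
# spaces or glob characters are safe; the original `chmod $(find …)` form word-splits them.
set_www_perms() {
  local root=${1:-./www}
  if [[ ! -d "$root" ]]; then
    printf 'set_www_perms: %s is not a directory\n' "$root" >&2
    return 1
  fi
  find "$root" -type d -exec chmod 750 -- {} +
  find "$root" -type f -exec chmod 640 -- {} +
}
set_www_perms ./www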
10、配置内网自签名ssl 以及ssl 安全加强
建立ssl证书目录
sudo mkdir -p /etc/nginx/ssl
生成密钥、证书；生成 Diffie-Hellman 参数
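# Self-signed certificate, valid 10 years. Current browsers ignore the CN and require a
# subjectAltName, so one is added: replace your_domain_or_IP with the hostname, or use
# IP:<address> for a bare address (placeholder, same name as server_name in my.conf).
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -addext "subjectAltName=DNS:your_domain_or_IP" \
  -keyout /etc/nginx/ssl/nginx-selfsigned.key -out /etc/nginx/ssl/nginx-selfsigned.crt
# -nodes leaves the private key unencrypted on disk; keep it readable by root only.
sudo chmod 600 /etc/nginx/ssl/nginx-selfsigned.key
# DH parameters are used only by TLS 1.2 DHE suites; with ssl_protocols TLSv1.3 they are never
# used. If enabled, the path must match ssl_dhparam in my.conf (/etc/nginx/ssl/dhparam.pem).
#sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096   # stronger but slow to generate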
sudo nano /etc/nginx/conf.d/my.conf
修改Nginx my.conf内容:
#https://ssl-config.mozilla.org/ mozilla配置生成器
server {
# NOTE(review): port 80 is served as plain HTTP alongside 443 here; to force TLS, move the
# port-80 listener into its own server block that returns 301 https://$host$request_uri.
listen 80 default_server;
server_tokens off; # hide the nginx version in the Server header and error pages
#listen [::]:80 default_server;
listen 443 ssl;
http2 on;
server_name your_domain_or_IP;
ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
#ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# ssl_dhparam only affects TLS 1.2 DHE suites; with TLSv1.3 alone (below) it is never used.
#ssl_protocols TLSv1.3 TLSv1.2;
ssl_protocols TLSv1.3; # TLS 1.3 only; re-enable TLSv1.2 (line above) if older intranet clients must connect
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_prefer_server_ciphers off; # with TLS 1.2+ let the client choose the suite (performance, per the Mozilla generator)
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# performance tuning
#ssl_session_cache shared:SSL:10m;
#ssl_session_timeout 1d;
#ssl_session_tickets off;
# security hardening
ssl_stapling on;
ssl_stapling_verify on;
# NOTE(review): OCSP stapling needs an issuer certificate with an OCSP responder. For the
# self-signed cert above there is none, so nginx logs a warning at startup and staples nothing;
# harmless, but the two directives above are inert on an intranet.
ssl_buffer_size 4k; # smaller TLS records lower time-to-first-byte
#add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'" always;
#add_header Referrer-Policy "same-origin" always;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-Download-Options "noopen" always;
#add_header X-Frame-Options "sameorigin" always;
#add_header X-Permitted-Cross-Domain-Policies "none" always;
#add_header X-Robots-Tag "none" always;
#add_header X-XSS-Protection "1; mode=block" always;
#proxy_hide_header X-Powered-By;
#fastcgi_hide_header X-Powered-By; # enabling this hides the PHP version that X-Powered-By reveals
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000" always;
# NOTE(review): HSTS (2-year max-age) makes browsers refuse every certificate error for this host,
# with no click-through. With a self-signed cert, install nginx-selfsigned.crt in each client's
# trust store before sending this header, or leave the header out.
#root /var/www/html;
root /home/userupload/www;
# NOTE(review): any .php file the upload user writes here is executed as www-data via the
# location below; keep this tree for trusted deploys only.
# Add index.php to the list if you are using PHP
index index.html index.htm index.php;
server_name _; # repeated server_name directive; one line listing both names would be clearer
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
#autoindex on;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
fastcgi_pass unix:/run/php/php8.4-fpm.sock; # socket path depends on the installed php-fpm version
}
}