本文详细介绍如何在Ubuntu服务器上进行安全配置,包括以root用户登录、创建新用户、配置防火墙、设置无密码SSH认证及禁用密码认证等关键步骤。
ubuntu服务器设置
Upon successful installation of your Debian / Ubuntu server, a few configuration steps are essential in enhancing the security and functionality of the server. In this guide, we will take you through the basic steps in the initial server setup of Debian 9 / Ubuntu 18.04 server. These basic steps will fortify your server and allow the execution of subsequent operations in a seamless manner.
成功安装Debian / Ubuntu服务器后,一些配置步骤对于增强服务器的安全性和功能至关重要。 在本指南中,我们将引导您完成Debian 9 / Ubuntu 18.04服务器初始服务器设置中的基本步骤。 这些基本步骤将加强您的服务器,并允许以无缝方式执行后续操作。
以root用户身份登录 (Login as root user)
The initial step in setting up your server is to log in as the root user. But first, you need to have your server’s IP address and the Password or a private key for authentication. To log in, open your Linux terminal and execute the command below. Be sure to substitute the server’s IP address with your IP address.
设置服务器的第一步是以root用户身份登录。 但是首先,您需要具有服务器的IP地址和密码或用于身份验证的私钥。 要登录,请打开Linux终端并执行以下命令。 确保用您的IP地址替换服务器的IP地址。
ssh user@ip-addressIn this guide, we are using Ubuntu 18.04 server with a Public IP address 38.76.11.180.
在本指南中,我们使用公共IP地址为38.76.11.180 Ubuntu 18.04服务器。
To log in using ssh via the terminal, the command is
要通过终端使用ssh登录,命令为
ssh root@38.76.11.180If you are login in for the first time, you will be required to verify the server’s authenticity.
如果您是首次登录,则将需要验证服务器的真实性。
Type ‘Yes’ and hit Enter. You will then be prompted for the server’s Password. Provide the correct Password and hit Enter.
输入“是”,然后按Enter。 然后将提示您输入服务器的密码。 提供正确的密码,然后按Enter。
This will drop you into the server’s shell prompt as shown below
这将使您进入服务器的shell提示符,如下所示
Great! Now that we have successfully logged in to our server, let’s move over to the second step
大! 现在我们已经成功登录到服务器,让我们继续第二步
创建一个新用户 (Create a New user)
For best security practices, use of the root account for administrative tasks is highly discouraged. Why is that the case? Running your server as root leaves you prone to making unintentional and costly mistakes which may be detrimental to your server. You can easily do something harmful to your system which may cause irreversible damage to your system.
为了获得最佳安全性实践,强烈建议不要将root帐户用于管理任务。 为什么会这样? 以root用户身份运行服务器会使您容易犯意外的代价高昂的错误,这可能对服务器有害。 您可以轻松地做一些对您的系统有害的事情,这可能会对您的系统造成不可挽回的损害。
For this reason, we are going to create a new non-root user and later grant it administrative privileges. This way, every time you try to execute a root-level task, you will be prompted for the password. This will give you some time to pause and think about the consequences for executing the command and stop in your tracks if you notice a costly mistake in the command execution.
因此,我们将创建一个新的非root用户,并在以后为其授予管理权限。 这样,每次尝试执行根级任务时,系统都会提示您输入密码。 如果您发现命令执行中的代价高昂的错误,这将为您提供一些时间来暂停和思考执行命令的后果,并停在轨道上。
To create a new user run
创建新用户运行
adduser user_nameWe are going to add a new user ‘james’
我们将添加一个新用户“ james”
adduser jamesYou will be prompted for the user’s password and a few additional questions. provide the necessary information
系统将提示您输入用户密码和一些其他问题。 提供必要的信息
Perfect! to verify the creation of the user view the /etc/passwd and confirm the existence of the user.
完善! 要验证用户的创建,请查看/etc/passwd并确认用户的存在。
cat /etc/passwdSample Output
样本输出
The last line above displays information of the newly created user.
上方的最后一行显示新创建的用户的信息。
向新用户授予管理权限 ( Grant Administrative privileges to the New user)
So far the new user has regular account privileges. We need to setup root privileges to our newly created user so that they can perform administrative tasks by appending sudo before any operation.
到目前为止,新用户具有常规帐户特权。 我们需要为新创建的用户设置root特权,以便他们可以通过在执行任何操作之前附加sudo来执行管理任务。
To accomplish this, we need to add the user to the sudo group to avoid logging out and logging in as root every time when performing administrative tasks.
为此,我们需要将用户添加到sudo组,以避免每次执行管理任务时注销并以root用户身份登录。
The syntax for achieving this is
实现此目的的语法是
usermod -aG sudo user_nameIn this case, the command for granting sudo privileges to user ‘james’ will be
在这种情况下,向用户“ james”授予sudo特权的命令为
usermod -aG sudo jamesYou can now log out and log in with the new user using the command as indicated earlier
现在,您可以使用前面所述的命令注销并使用新用户登录
ssh james@38.76.11.180After successful login by verifying the authenticity of the server and providing the correct password, you can now you can execute any superuser tasks by preceding the command with sudo
通过验证服务器的真实性并提供正确的密码成功登录后,您现在可以通过在命令前加上sudo来执行任何超级用户任务。
For instance, to update the system using the account execute the command below
例如,要使用帐户更新系统,请执行以下命令
sudo apt updateYou will be prompted for a password and after providing it, the operation will commence.
系统将提示您输入密码,并在提供密码后开始操作。
配置基本防火墙 (Configure a basic Firewall)
Debian and Ubuntu servers use the UFW firewall to allow or deny traffic into or out of the server.
Debian和Ubuntu服务器使用UFW防火墙来允许或拒绝进出服务器的流量。
To view existing connection in the firewall execute
要查看防火墙中的现有连接,请执行
sudo ufw app listAs expected, OpenSSH will be displayed because we are currently using ssh to connect to the server
正如预期的那样,将显示OpenSSH,因为我们当前正在使用ssh连接到服务器
Output
输出量
To allow a connection via the firewall, execute the following command.
要允许通过防火墙的连接,请执行以下命令。
ufw allow service_nameFor example, to allow SSH connections for a new server run:
例如,要允许新服务器运行SSH连接:
sudo ufw allow OpenSSHOutput
输出量
To open a specific port on the firewall, use the syntax
要打开防火墙上的特定端口,请使用以下语法
sudo ufw allow port/protocolFor example
例如
sudo ufw allow 80/tcpOutput
输出量
To check the status of the firewall execute
要检查防火墙的状态,请执行
sudo ufw statusOutput
输出量
To enable the firewall, run the following command.
要启用防火墙,请运行以下命令。
sudo ufw enableWhen prompted type yes and press ‘ENTER’ to enable the firewall and effect the changes
出现提示时,键入“ yes ,然后按“ ENTER”以启用防火墙并影响更改
To view the status of the firewall again and existing connections/open ports, execute the command
要再次查看防火墙的状态以及现有的连接/打开的端口,请执行以下命令
为新用户启用无密码身份验证 (Enable Passwordless authentication for the new user)
At the moment, we are connecting to our server using the SSH protocol with password authentication. For best security practices, setting up of SSH keys without password authentication is highly recommended. SSH keys come in a pair: a public key and a private key.
The Private key resides on the client machine while the public key resides on the server we are connecting to. Once the SSH key authentication is set up, Password authentication should be disabled. This ensures that only the user with the private key can connect to the server on which the public key resides.
目前,我们正在使用带有密码验证的SSH协议连接到我们的服务器。 为了获得最佳的安全性,强烈建议您设置没有密码验证的SSH密钥。 SSH密钥成对出现:公共密钥和私有密钥。
私钥驻留在客户端计算机上,而公钥驻留在我们连接的服务器上。 设置SSH密钥身份验证后,应禁用密码身份验证。 这样可以确保只有具有私钥的用户才能连接到公钥所在的服务器。
步骤1.生成公钥 (Step 1. Generate the public key)
To generate the key pair, run the command below on the client machine
要生成密钥对,请在客户端计算机上运行以下命令
ssh-keygenYou will get the output as shown
您将得到如下所示的输出
Hit ENTER to save the key pair is .ssh/ subdirectory in your home directory. Alternatively, you can specify your own path.
按ENTER键,将密钥对保存在主目录中的.ssh/子目录中。 或者,您可以指定自己的路径。
Next, you will be prompted for a secure passphrase which is highly recommended to add an extra protective layer. If you wish to do without a passphrase, hit ENTER.
接下来,系统将提示您输入安全密码,强烈建议您添加一个额外的保护层。 如果您希望不使用密码短语,请按Enter。
Finally, you will get the following output
最后,您将获得以下输出
At this point, you have both the private and public key. They have been saved in the .ssh directory in your home directory. In this case, the path is /root.ssh
此时,您将拥有私钥和公钥。 它们已保存在主目录的.ssh目录中。 在这种情况下,路径为/root.ssh
cat /root/.sshOutput
输出量
id_rsa is the private key
id_rsa是私钥
id_rsa_pub is the public key
id_rsa_pub是公钥
步骤2.复制公钥 (Step 2. Copy the Public Key)
To copy the public key to the server, we are going to use the ssh-copy-id command.
要将公钥复制到服务器,我们将使用ssh-copy-id命令。
The Syntax will be
语法将是
ssh-copy-id user@remote-serverIn this case, we shall execute
在这种情况下,我们将执行
ssh-copy-id james@38.76.11.180You will get output similar to the one below
您将获得类似于以下内容的输出
The id_rsa.pub key which is the public key has been copied to the server.
作为公共密钥的id_rsa.pub密钥已复制到服务器。
Now if you try logging in using the syntax ssh user@server-ip , you will not be prompted for a password!
现在,如果您尝试使用ssh user@server-ip语法ssh user@server-ip ,则不会提示您输入密码!
禁用密码认证 ( Disable Password authentication)
Someone can still log in to our server if they got hold of the password. To eliminate this risk, we need to disable SSH password authentication.
如果他们掌握了密码,仍然可以登录我们的服务器。 为了消除这种风险,我们需要禁用SSH密码身份验证。
To achieve this, we are going to open SSH’s configuration file
为此,我们将打开SSH的配置文件
sudo vim /etc/ssh/sshd_configSearch for the section indicated as PasswordAuthentication .
搜索指示为PasswordAuthentication的部分。
Comment out the line and set the value to no
注释掉该行并将值设置为no
Save and Exit.
保存并退出。
To implement the changes restart the SSH daemon
要实施更改,请重新启动SSH守护程序
sudo systemctl restart sshNow you can launch a new terminal and try to log in using the password and see whether Password authentication has been disabled.
现在,您可以启动新终端并尝试使用密码登录,并查看是否已禁用密码身份验证。
最后的话 (Final word)
At this point, you should have access to the server using SSH-key based authentication configured on your remote server and not using the SSH password.
此时,您应该可以使用在远程服务器上配置的基于SSH密钥的身份验证访问服务器,而不必使用SSH密码。
Your server is now fully set up and has a solid security foundation. Ensure to keep your public key safe. Away from prying eyes 😀
您的服务器现已完全安装,并具有牢固的安全基础。 确保保持公钥安全。 远离窥视😀
翻译自: https://www.journaldev.com/24713/ubuntu-server-setup-security
ubuntu服务器设置
扫一扫
23万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
