node.js - AWS 上的 Ubuntu 服务器默认安全性

Question

我对 Linux 完全陌生，但多年来一直在 Windows 平台上进行开发。我想在 AWS 上设置一个 Ubuntu 服务器来存放 Node.js。如果我运行 Ubuntu 服务器的默认安装，加载 Node.js 并在端口 80 上启动一个简单的 Node.js 服务器，我还需要做些什么来保护服务器吗？

Answer 1

加固服务器的方法有很多种，我只举两个绝对必要的。在 Ubuntu 服务器上，可能已经或可能尚未激活，但您应该始终检查。

激活防火墙

iptables处理防火墙规则的最简单方法是ufw. 输入你的终端：

ufw default deny  # Silently deny access to all ports except those mentioned below
ufw allow 22/tcp  # Allow access to SSH port
ufw allow 80/tcp  # Allow access to HTTP port
ufw enable        # Enable firewall
ufw reload        # Be sure that everything was loaded right

请务必允许 SSH，否则您将被锁定在您的服务器之外。另请注意，UFW（和 iptables）允许允许或拒绝单个 IP 地址和子网。

在 SSH 中强制 pubkey 登录，禁用 root 登录并使用 fail2ban

如果攻击者可以随时尝试访问您的服务器，则密码登录很弱，除非您使用长且无法记住的伪随机序列。SSH 允许通过公钥/私钥处理身份验证，这些公钥/私钥更健壮且更不可预测，是从随机种子生成的。

首先生成你自己的一对密钥并将你的公钥添加到~/.ssh/authorized_keys服务器上，这样你就不会把自己锁在外面。之后，并且仅在之后，看看/etc/ssh/sshd_config。两个相关选项是：

PermitRootLogin no
PasswordAuthentication no

This way, the attacker must guess the username of the administrator before even trying the password, because they cannot login as root. You don't need to access as root to get root privileges, you will be able to elevate from your user account with su or sudo.

Finally, use fail2ban to temporarily ban by IP address after a certain number of wrong attempts to authenticate (so that attackers cannot brute force that easily). I said temporarily because if an attacker spoofs your legitimate IP, he/she can perform a DoS on you.

After applying all changes, restart the daemon with:

service ssh restart

I will repeat it, be careful, check everything or you will lock yourself out of your server.

Other remarks

A default Debian/Ubuntu installation is secure enough to be exposed on the Internet without fearing any major flaw. Still, you should always review security settings, gather information about software you are deploying on the server and periodically inspect logs searching for abnormal patterns.

Other tools that might be useful are Apparmor, providing MAC profiles for most system services (Postfix, HTTPd...), LXC for sandboxing, chroots, etc... It depends on how critical the infrastructure is.

Answer 2

I think this topic is too wide for a SO answer. The best place to start would be probably to start mapping the security best practices and the required knowledge for you to gain.

Knowledge Centers:

1. CSA - Cloud Security Alliance: The place to have full understanding of what is required to run a server in the cloud.
2. OWASP - Open Web Application Security Project. Deals with your web app. Take a look at the top 10 list
3. PCI - The payment card industry regulator. Though you are probably not storing credit cards - this is a good source to learn. Here is an intro.

Now you have several approaches to deal with it:

1. Enterprise approach - learn, plan, implement, test, create ongoing processes.
2. Guerrilla approach - Iterative: find the lowest hanging fruit and handle it.
3. Hybrid - combine some properties from both approaches.

Regarding your lowest hanging fruit / most critical attack vectors:

1. Your Perimeter aka Proper Firewall Configuration - since you are running on AWS you should consider using their powerful network based FW (aka Security Groups). For simple use-cases you can use their console UI. For more complex setups you might want to add dedicated security management services such as Dome9 that could assist with management of both network based and host based security policies.
2. Utilize WAF (Web application firewall) - consider either using mod-security - host based WAF that can be installed on your nginx that (hopefully) sits in front of your nodejs. OR alternatively use WAF as a service by Incapsula or Cloudflare
3. Setup proper centralized logging. Compare Splunk Cloud, Sumo Logic, LogEntries and Loggly to find your service of choice.
4. Harden your server authentication and accounts (too long to cover here)