SSH security
- Disable root login: PermitRootLogin no
- Disable password login and use keys only: PasswordAuthentication no
- Change the default port: Port 22222 (not required, but it reduces scanner noise)
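As an added example (not part of the original notes), a small POSIX shell audit for the three sshd_config settings above. It embeds two constructed sample configs, and it honours a detail that is easy to miss: sshd uses the first value it reads for a keyword, so a later "PermitRootLogin no" does not undo an earlier "yes". Function and file names are my own.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for the three hardening rules.
# sshd keeps the FIRST global value of a keyword; keywords are case-insensitive;
# everything after the first "Match" line is per-host scope and is skipped here.

# Print the first global value of KEYWORD ($1) in FILE ($2); empty if unset.
sshd_opt() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blank lines
        tolower($1) == "match" { exit }                  # leave global scope
        tolower($1) == key { print $2; exit }            # first value wins
    ' "$2"
}

# Return 0 if FILE passes; otherwise print each failure and return 1.
check_sshd_config() {
    f="$1"; rc=0
    root="$(sshd_opt PermitRootLogin "$f")";       root="${root:-(default)}"
    pw="$(sshd_opt PasswordAuthentication "$f")";  pw="${pw:-(default, which is yes)}"
    port="$(sshd_opt Port "$f")";                  port="${port:-22}"
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root (want no)"; rc=1; }
    [ "$pw" = "no" ]   || { echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1; }
    [ "$port" != "22" ] || echo "NOTE Port=22 (optional: change to reduce scan noise)"
    return $rc
}

# Constructed sample configs so the script runs stand-alone.
hardened="$(mktemp)"; weak="$(mktemp)"
trap 'rm -f "$hardened" "$weak"' EXIT
cat > "$hardened" <<'EOF'
Port 22222
PermitRootLogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF
cat > "$weak" <<'EOF'
PermitRootLogin yes
# the line below does NOT take effect: sshd already took "yes" above
PermitRootLogin no
EOF

echo "== hardened =="; check_sshd_config "$hardened" && echo "OK"
echo "== weak ==";     check_sshd_config "$weak"     || echo "needs fixing"
```

On a live host, run the check against the output of `sshd -T` instead of the raw file to see the values sshd actually applies.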
Firewall configuration (UFW)
ufw default deny incoming
ufw default allow outgoing
ufw allow 22222/tcp # SSH
ufw allow 80/tcp # HTTP
ufw allow 443/tcp # HTTPS
ufw enable
Fail2ban: protection against brute-force attempts
apt install fail2ban
# /etc/fail2ban/jail.local
[sshd]
enabled = true
maxretry = 5
bantime = 3600
Regular updates
Configure unattended-upgrades to install security patches automatically: apt install unattended-upgrades && dpkg-reconfigure -plow unattended-upgrades