投稿

阿里云linux服务器安全设置(防火墙策略等)

FZLHY 云主机

   
首先需要进行linux的基础安全设置

   
1、Linux系统脚本

?

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197 #!/bin/bash##########################################Function: linux drop port#Usage:  bash linux_drop_port.sh#Author:  Customer Service Department#Company:  Alibaba Cloud Computing#Version:  2.0######################################### check_os_release(){ while true do os_release=$(grep "Red Hat Enterprise Linux Server release"/etc/issue 2>/dev/null) os_release_2=$(grep "Red Hat Enterprise Linux Server release"/etc/redhat-release 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then  if echo "$os_release"|grep "release 5" >/dev/null2>&1  then  os_release=redhat5  echo "$os_release"  elif echo "$os_release"|grep "release 6">/dev/null 2>&1  then  os_release=redhat6  echo "$os_release"  else  os_release=""  echo "$os_release"  fi  break fi os_release=$(grep "Aliyun Linux release" /etc/issue2>/dev/null) os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then  if echo "$os_release"|grep "release 5" >/dev/null2>&1  then  os_release=aliyun5  echo "$os_release"  elif echo "$os_release"|grep "release 6">/dev/null 2>&1  then  os_release=aliyun6  echo "$os_release"  else  os_release=""  echo "$os_release"  fi  break fi os_release=$(grep "CentOS release" /etc/issue 2>/dev/null) os_release_2=$(grep "CentOS release" /etc/*release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then  if echo "$os_release"|grep "release 5" >/dev/null2>&1  then  os_release=centos5  echo "$os_release"  elif echo "$os_release"|grep "release 6">/dev/null 2>&1  then  os_release=centos6  echo "$os_release"  else  os_release=""  echo "$os_release"  fi  break fi os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null) os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then  if echo "$os_release"|grep "Ubuntu 10" >/dev/null2>&1  then  os_release=ubuntu10  echo "$os_release"  elif echo "$os_release"|grep "Ubuntu 12.04">/dev/null 2>&1  then  os_release=ubuntu1204  echo "$os_release"  elif echo "$os_release"|grep "Ubuntu 12.10">/dev/null 2>&1  then  os_release=ubuntu1210  echo "$os_release"  else  os_release=""  echo "$os_release"  fi  break fi os_release=$(grep -i "debian" /etc/issue 2>/dev/null) os_release_2=$(grep -i "debian" /proc/version 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then  if echo "$os_release"|grep "Linux 6" >/dev/null2>&1  then  os_release=debian6  echo "$os_release"  else  os_release=""  echo "$os_release"  fi  break fi os_release=$(grep "openSUSE" /etc/issue 2>/dev/null) os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then  if echo "$os_release"|grep"13.1" >/dev/null 2>&1  then  os_release=opensuse131  echo "$os_release"  else  os_release=""  echo "$os_release"  fi  break fi break done} exit_script(){ echo -e "\033[1;40;31mInstall $1 error,will exit.\n\033[0m" rm-f $LOCKfile exit 1} config_iptables(){ iptables -I OUTPUT 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j DROP iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j DROP iptables -I OUTPUT 3 -p udp -j DROP iptables -nvL} ubuntu_config_ufw(){ ufwdeny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445 ufwdeny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 ufwdeny out proto udp to any ufwstatus} ####################Start####################check lock file ,one time only let thescript run one timeLOCKfile=/tmp/.$(basename $0)if [ -f "$LOCKfile" ]then echo -e "\033[1;40;31mThe script is already exist,please next timeto run this script.\n\033[0m" exitelse echo -e "\033[40;32mStep 1.No lock file,begin to create lock fileand continue.\n\033[40;37m" touch $LOCKfilefi #check userif [ $(id -u) != "0" ]then echo -e "\033[1;40;31mError: You must be root to run this script,please use root to execute this script.\n\033[0m" rm-f $LOCKfile exit 1fi echo -e "\033[40;32mStep 2.Begen tocheck the OS issue.\n\033[40;37m"os_release=$(check_os_release)if [ "X$os_release" =="X" ]then echo -e "\033[1;40;31mThe OS does not identify,So this script isnot executede.\n\033[0m" rm-f $LOCKfile exit 0else echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"fi echo -e "\033[40;32mStep 3.Begen toconfig firewall.\n\033[40;37m"case "$os_release" inredhat5|centos5|redhat6|centos6|aliyun5|aliyun6) service iptables start config_iptables ;;debian6) config_iptables ;;ubuntu10|ubuntu1204|ubuntu1210) ufwenable <<EOFyEOF ubuntu_config_ufw ;;opensuse131) config_iptables ;;esac echo -e "\033[40;32mConfig firewallsuccess,this script now exit!\n\033[40;37m"rm -f $LOCKfile

   
上述文件下载到机器内部直接执行即可。

   
2、设置iptables,限制访问

?

12345678910111213 /sbin/iptables -P INPUT ACCEPT/sbin/iptables -F/sbin/iptables -X/sbin/iptables -Z                                   
 /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT/sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT/sbin/iptables -P INPUT DROP service iptables save

   
以上脚本,在每次重装完系统后执行一次即可,其配置会保存至/etc/sysconfig/iptables

   
3、常用网络监控命令
(1) netstat -tunl:查看所有正在监听的端口

?

12345678 [root@AY1407041017110375bbZ ~]# netstat -tunlActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address    Foreign Address    State  tcp  0  0 0.0.0.0:22     0.0.0.0:*     LISTEN  udp  0  0 ip:123   0.0.0.0:*        udp  0  0 ip:123   0.0.0.0:*        udp  0  0 127.0.0.1:123    0.0.0.0:*        udp  0  0 0.0.0.0:123     0.0.0.0:*

   
其中123端口用于NTP服务。
(2)netstat -tunp:查看所有已连接的网络连接状态,并显示其PID及程序名称。

?

12345 [root@AY1407041017110375bbZ ~]# netstat -tunpActive Internet connections (w/o servers)Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   tcp        0     96 ip:22            221.176.33.126:52699        ESTABLISHED 926/sshd            tcp        0      0 ip:34385         42.156.166.25:80            ESTABLISHED 1003/aegis_cli

   
根据上述结果,可以根据需要kill掉相应进程。
如:
kill -9 1003

   
(3)netstat -tunlp
(4)netstat常用选项说明:

   
-t: tcp  
-u : udp
-l, –listening
       Show only listening sockets.  (These are omitted by default.)
-p, –program
       Show the PID and name of the program to which each socket belongs.
–numeric , -n
Show numerical addresses instead of trying to determine symbolic host, port or user names.

4、修改ssh的监听端口

   
(1)修改 /etc/ssh/sshd_config

   
原有的port 22

   
改为port 44

   
(2)重启服务

   
/etc/init.d/sshd restart
(3)查看情况

?

12345678 netstat -tunlActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address    Foreign Address    State  tcp  0  0 0.0.0.0:44    0.0.0.0:*     LISTEN  udp  0  0 ip:123   0.0.0.0:*        udp  0  0 ip:123   0.0.0.0:*        udp  0  0 127.0.0.1:123    0.0.0.0:*        udp  0  0 0.0.0.0:123     0.0.0.0:*

   
 

原创文章,作者:FZLHY,如若转载,请注明出处:http://www.wangzhanshi.com/n/4185.html

(0)
FZLHY的头像FZLHY
0 0
上一篇 2024年12月17日 19:18:45
下一篇 2024年12月17日 19:18:54

相关推荐

发表回复

登录后才能评论