阿里云linux服务器安全设置(防火墙策略等)

发布时间：2020-12-15 00:57:09 所属栏目：C语言来源：网络整理

导读：首先需要进行linux的基础安全设置，可以先参考这篇文章 http://www.jb51.net/article/94842.htm 1、Linux系统脚本 #!/bin/bash##########################################Function: linux drop port#Usage: bash linux_drop_port.sh#Author: Customer Servi

首先需要进行linux的基础安全设置，可以先参考这篇文章

http://www.aspzz.cn/article/94842.htm

1、Linux系统脚本

#!/bin/bash
#########################################
#Function: linux drop port
#Usage:  bash linux_drop_port.sh
#Author:  Customer Service Department
#Company:  Alibaba Cloud Computing
#Version:  2.0
#########################################
 
check_os_release()
{
 while true
 do
 os_release=$(grep "Red Hat Enterprise Linux Server release"/etc/issue 2>/dev/null)
 os_release_2=$(grep "Red Hat Enterprise Linux Server release"/etc/redhat-release 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep "release 5" >/dev/null2>&1
  then
  os_release=redhat5
  echo "$os_release"
  elif echo "$os_release"|grep "release 6">/dev/null 2>&1
  then
  os_release=redhat6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep "Aliyun Linux release" /etc/issue2>/dev/null)
 os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep "release 5" >/dev/null2>&1
  then
  os_release=aliyun5
  echo "$os_release"
  elif echo "$os_release"|grep "release 6">/dev/null 2>&1
  then
  os_release=aliyun6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
 os_release_2=$(grep "CentOS release" /etc/*release2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep "release 5" >/dev/null2>&1
  then
  os_release=centos5
  echo "$os_release"
  elif echo "$os_release"|grep "release 6">/dev/null 2>&1
  then
  os_release=centos6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
 os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep "Ubuntu 10" >/dev/null2>&1
  then
  os_release=ubuntu10
  echo "$os_release"
  elif echo "$os_release"|grep "Ubuntu 12.04">/dev/null 2>&1
  then
  os_release=ubuntu1204
  echo "$os_release"
  elif echo "$os_release"|grep "Ubuntu 12.10">/dev/null 2>&1
  then
  os_release=ubuntu1210
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
 os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep "Linux 6" >/dev/null2>&1
  then
  os_release=debian6
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
 os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
 if [ "$os_release" ] && [ "$os_release_2" ]
 then
  if echo "$os_release"|grep"13.1" >/dev/null 2>&1
  then
  os_release=opensuse131
  echo "$os_release"
  else
  os_release=""
  echo "$os_release"
  fi
  break
 fi
 break
 done
}
 
exit_script()
{
 echo -e "33[1;40;31mInstall $1 error,will exit.n33[0m"
 rm-f $LOCKfile
 exit 1
}
 
config_iptables()
{
 iptables -I OUTPUT 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j DROP
 iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j DROP
 iptables -I OUTPUT 3 -p udp -j DROP
 iptables -nvL
}
 
ubuntu_config_ufw()
{
 ufwdeny out proto tcp to any port 21,445
 ufwdeny out proto tcp to any port 1433,18186
 ufwdeny out proto udp to any
 ufwstatus
}
 
####################Start###################
#check lock file,one time only let thescript run one time
LOCKfile=/tmp/.$(basename $0)
if [ -f "$LOCKfile" ]
then
 echo -e "33[1;40;31mThe script is already exist,please next timeto run this script.n33[0m"
 exit
else
 echo -e "33[40;32mStep 1.No lock file,begin to create lock fileand continue.n33[40;37m"
 touch $LOCKfile
fi
 
#check user
if [ $(id -u) != "0" ]
then
 echo -e "33[1;40;31mError: You must be root to run this script,please use root to execute this script.n33[0m"
 rm-f $LOCKfile
 exit 1
fi
 
echo -e "33[40;32mStep 2.Begen tocheck the OS issue.n33[40;37m"
os_release=$(check_os_release)
if [ "X$os_release" =="X" ]
then
 echo -e "33[1;40;31mThe OS does not identify,So this script isnot executede.n33[0m"
 rm-f $LOCKfile
 exit 0
else
 echo -e "33[40;32mThis OS is $os_release.n33[40;37m"
fi
 
echo -e "33[40;32mStep 3.Begen toconfig firewall.n33[40;37m"
case "$os_release" in
redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
 service iptables start
 config_iptables
 ;;
debian6)
 config_iptables
 ;;
ubuntu10|ubuntu1204|ubuntu1210)
 ufwenable <<EOF
y
EOF
 ubuntu_config_ufw
 ;;
opensuse131)
 config_iptables
 ;;
esac
 
echo -e "33[40;32mConfig firewallsuccess,this script now exit!n33[40;37m"
rm -f $LOCKfile

上述文件下载到机器内部直接执行即可。

2、设置iptables，限制访问

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z

/sbin/iptables -A INPUT -i lo -j ACCEPT 
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -P INPUT DROP
 service iptables save

以上脚本，在每次重装完系统后执行一次即可，其配置会保存至/etc/sysconfig/iptables

更详细的可以参考这篇文章 http://www.aspzz.cn/article/94839.htm

3、常用网络监控命令
（1） netstat -tunl：查看所有正在监听的端口

[root@AY1407041017110375bbZ ~]# netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address    State  
tcp  0  0 0.0.0.0:22     0.0.0.0:*     LISTEN  
udp  0  0 ip:123   0.0.0.0:*        
udp  0  0 ip:123   0.0.0.0:*        
udp  0  0 127.0.0.1:123    0.0.0.0:*        
udp  0  0 0.0.0.0:123     0.0.0.0:*

其中123端口用于NTP服务。
（2）netstat -tunp：查看所有已连接的网络连接状态，并显示其PID及程序名称。

[root@AY1407041017110375bbZ ~]# netstat -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0     96 ip:22            221.176.33.126:52699        ESTABLISHED 926/sshd            
tcp        0      0 ip:34385         42.156.166.25:80            ESTABLISHED 1003/aegis_cli

根据上述结果，可以根据需要kill掉相应进程。
如:
kill -9 1003

（3）netstat -tunlp
（4）netstat常用选项说明：

-t: tcp
-u : udp
-l,--listening
       Show only listening sockets. (These are omitted by default.)
-p,--program
       Show the PID and name of the program to which each socket belongs.
--numeric,-n
Show numerical addresses instead of trying to determine symbolic host,port or user names.

4、修改ssh的监听端口

（1）修改 /etc/ssh/sshd_config

原有的port 22

改为port 44

（2）重启服务

/etc/init.d/sshd restart
（3）查看情况

 netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address    State  
tcp  0  0 0.0.0.0:44    0.0.0.0:*     LISTEN  
udp  0  0 ip:123   0.0.0.0:*        
udp  0  0 ip:123   0.0.0.0:*        
udp  0  0 127.0.0.1:123    0.0.0.0:*        
udp  0  0 0.0.0.0:123     0.0.0.0:*

您可能感兴趣的文章:

linux查看防火墙状态与开启关闭命令详解
linux下mysql开启远程访问权限防火墙开放3306端口
关闭selinux(防火墙)方法分享
linux下mysql链接被防火墙阻止的解决方法
linux下防火墙开启某个端口号及防火墙常用命令使用(详解)
linux增加iptables防火墙规则的示例
Linux防火墙iptables入门教程
Linux下设置防火墙白名单(RHEL 6和CentOS 7)的步骤
在Linux代理服务器上设置防火墙
linux防火墙iptables规则的查看、添加、删除和修改方法总结

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!