Alibaba Cloud Linux server security settings (firewall policy and more)
First carry out the basic Linux security hardening; this article is a good starting point:
https://www.nhooo.com/article/94842.htm
1. Linux system script
#!/bin/bash
#########################################
#Function:    linux drop port
#Usage:       bash linux_drop_port.sh
#Author:      Customer Service Department
#Company:     Alibaba Cloud Computing
#Version:     2.0
#########################################

# Detect the distribution and print a short tag (redhat5, centos6, ubuntu1204, ...).
# An empty string means the OS was not recognised.
check_os_release()
{
  while true
  do
    os_release=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "release 5" >/dev/null 2>&1
      then
        os_release=redhat5
        echo "$os_release"
      elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
      then
        os_release=redhat6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "release 5" >/dev/null 2>&1
      then
        os_release=aliyun5
        echo "$os_release"
      elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
      then
        os_release=aliyun6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "CentOS release" /etc/*release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "release 5" >/dev/null 2>&1
      then
        os_release=centos5
        echo "$os_release"
      elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
      then
        os_release=centos6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
    os_release_2=$(grep -i "ubuntu" /etc/lsb-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "Ubuntu 10" >/dev/null 2>&1
      then
        os_release=ubuntu10
        echo "$os_release"
      elif echo "$os_release" | grep "Ubuntu 12.04" >/dev/null 2>&1
      then
        os_release=ubuntu1204
        echo "$os_release"
      elif echo "$os_release" | grep "Ubuntu 12.10" >/dev/null 2>&1
      then
        os_release=ubuntu1210
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
    os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "Linux 6" >/dev/null 2>&1
      then
        os_release=debian6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
    os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "13.1" >/dev/null 2>&1
      then
        os_release=opensuse131
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    break
  done
}

exit_script()
{
  echo -e "\033[1;40;31mInstall $1 error, will exit.\n\033[0m"
  rm -f $LOCKfile
  exit 1
}

# Block outbound traffic to the listed TCP ports and all outbound UDP (iptables-based systems).
config_iptables()
{
  iptables -I OUTPUT 1 -p tcp -m multiport --dport 21,22,23,25,53,80,135,139,443,445 -j DROP
  iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 -j DROP
  iptables -I OUTPUT 3 -p udp -j DROP
  iptables -nvL
}

# Same policy expressed with ufw for Ubuntu.
ubuntu_config_ufw()
{
  ufw deny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
  ufw deny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
  ufw deny out proto udp to any
  ufw status
}

#################### Start ###################
# check lock file, only let the script run one time
LOCKfile=/tmp/.$(basename $0)
if [ -f "$LOCKfile" ]
then
  echo -e "\033[1;40;31mThe lock file already exists, please run this script again later.\n\033[0m"
  exit
else
  echo -e "\033[40;32mStep 1. No lock file, begin to create lock file and continue.\n\033[40;37m"
  touch $LOCKfile
fi

# check user
if [ $(id -u) != "0" ]
then
  echo -e "\033[1;40;31mError: You must be root to run this script, please use root to execute this script.\n\033[0m"
  rm -f $LOCKfile
  exit 1
fi

echo -e "\033[40;32mStep 2. Begin to check the OS issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ "X$os_release" == "X" ]
then
  echo -e "\033[1;40;31mThe OS is not identified, so this script is not executed.\n\033[0m"
  rm -f $LOCKfile
  exit 0
else
  echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"
fi

echo -e "\033[40;32mStep 3. Begin to config firewall.\n\033[40;37m"
case "$os_release" in
redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
  service iptables start
  config_iptables
  ;;
debian6)
  config_iptables
  ;;
ubuntu10|ubuntu1204|ubuntu1210)
  ufw enable <<EOF
y
EOF
  ubuntu_config_ufw
  ;;
opensuse131)
  config_iptables
  ;;
esac
echo -e "\033[40;32mConfig firewall success, this script now exit!\n\033[40;37m"
rm -f $LOCKfile
Download the file above onto the machine and run it directly.
2. Configure iptables to restrict access
# Reset: accept on INPUT while flushing, then remove all rules, user chains and counters
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
# Allow loopback, the published services (SSH, HTTP, 8080), ICMP echo requests and packets of established connections
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# Drop all other inbound traffic and persist the rule set
/sbin/iptables -P INPUT DROP
service iptables save
The script above only needs to be run once after each system reinstall; its configuration is saved to /etc/sysconfig/iptables.
For more detail see this article: https://www.nhooo.com/article/94839.htm
3. Common network monitoring commands
(1) netstat -tunl: show all listening ports
[root@AY1407041017110375bbZ ~]# netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
Port 123 here is used by the NTP service.
(2) netstat -tunp: show the state of all established network connections, together with the PID and program name of each.
[root@AY1407041017110375bbZ ~]# netstat -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0     96 ip:22                   221.176.33.126:52699    ESTABLISHED 926/sshd
tcp        0      0 ip:34385                42.156.166.25:80        ESTABLISHED 1003/aegis_cli
Based on this output, the relevant process can be killed as needed.
For example:
kill -9 1003
(3) netstat -tunlp: the listening sockets from (1) together with the PID and program name from (2)
(4) Commonly used netstat options:
-t: tcp
-u: udp
-l, --listening
    Show only listening sockets. (These are omitted by default.)
-p, --program
    Show the PID and name of the program to which each socket belongs.
--numeric, -n
    Show numerical addresses instead of trying to determine symbolic host, port or user names.
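As an added example (not part of the original article), the following script turns the netstat -tunl check from this section into a repeatable audit: it compares every externally reachable listener against an allow-list and flags the rest. The netstat listing and the allow-list are constructed assumptions, not output from the author's host.

```shell
#!/bin/sh
# Added example, not from the original article: audit the listeners that
# "netstat -tunl" reports against the ports this host is meant to expose
# (22, 80, 8080 from the section 2 iptables rules, plus 123 for NTP).
# The listing below is a constructed sample; "ip" stands in for the host
# address exactly as in the article's own output.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*'

ALLOWED_PORTS="22 80 8080 123"

# listening_ports: read a netstat -tunl listing on stdin and print one
# "proto port" line per externally reachable listener (loopback binds and
# the two header lines are skipped; the port is the last ":" field, which
# also handles IPv6 forms such as :::22).
listening_ports() {
    awk 'NR > 2 && $4 !~ /^127\./ && $4 !~ /^::1:/ {
            n = split($4, a, ":"); print $1, a[n]
         }' | sort -u
}

# unexpected_listeners: print every listener whose port is not in
# ALLOWED_PORTS; exit status 1 if any was found, 0 if the host is clean.
unexpected_listeners() {
    found=0
    for entry in $(listening_ports | awk '{ print $1 "/" $2 }'); do
        port=${entry#*/}
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "unexpected listener: $entry"; found=1 ;;
        esac
    done
    return $found
}

# On a live host pipe the real command in: netstat -tunl | unexpected_listeners
if ! printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners; then
    echo "review the listeners above (netstat -tunp shows the owning PID)"
fi
```

With the constructed sample the only finding is tcp/3306; the loopback-only SMTP listener is ignored and both NTP sockets collapse into one allowed entry.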
4. Change the SSH listening port
(1) Edit /etc/ssh/sshd_config
Original line: Port 22
Change it to: Port 44
(2) Restart the service
/etc/init.d/sshd restart
(3) Check the result
netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:44              0.0.0.0:*               LISTEN
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
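The section 2 rules accept only TCP 22, 80 and 8080 before the INPUT policy drops everything else, so moving sshd to port 44 without first adding a rule for it cuts off SSH access. The script below is an added example, not code from the article: it checks that the Port in sshd_config has a matching ACCEPT rule in saved iptables output, using constructed sshd_config and iptables-save samples.

```shell
#!/bin/sh
# Added example, not from the original article: before restarting sshd on
# a new Port, confirm the saved iptables rules (section 2 writes them to
# /etc/sysconfig/iptables) accept that port. Those rules allow only 22, 80
# and 8080 and set the INPUT policy to DROP, so moving sshd to 44 without a
# matching rule cuts off SSH. Both inputs here are constructed samples.

SAMPLE_SSHD_CONFIG='#Port 22
Port 44
PermitRootLogin no'

SAMPLE_IPTABLES_SAVE='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT'

# sshd_port: print the effective Port from sshd_config text on stdin. Like
# sshd, the first uncommented Port wins; the default is 22 when none is set.
sshd_port() {
    awk 'tolower($1) == "port" && !p { p = $2 } END { print (p ? p : 22) }'
}

# port_accepted PORT: succeed if the iptables-save text on stdin contains
# an INPUT rule accepting TCP traffic to exactly that port.
port_accepted() {
    grep -E -- "^-A INPUT .*-p tcp .*--dport $1 .*-j ACCEPT$" >/dev/null
}

# check_ssh_reachable CONFIG_TEXT RULES_TEXT: exit 0 when the sshd port
# has an ACCEPT rule, 1 (printing the rule to add) when it does not.
check_ssh_reachable() {
    port=$(printf '%s\n' "$1" | sshd_port)
    if printf '%s\n' "$2" | port_accepted "$port"; then
        echo "sshd port $port is accepted by the INPUT chain"
        return 0
    fi
    echo "sshd port $port has no ACCEPT rule; add one before restarting sshd:"
    echo "  /sbin/iptables -I INPUT -p tcp --dport $port -j ACCEPT; service iptables save"
    return 1
}

# With the constructed inputs this reports the missing rule for port 44.
check_ssh_reachable "$SAMPLE_SSHD_CONFIG" "$SAMPLE_IPTABLES_SAVE" || true
```

On a real host run it with the contents of /etc/ssh/sshd_config and /etc/sysconfig/iptables (or the output of iptables-save) in place of the two samples, from a session that stays open until the new port is confirmed reachable.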