阿里云windows服务器安全设置(防火墙策略)
通过防火墙策略限制对外扫描行为
请根据服务器操作系统下载并运行对应的脚本。脚本会在防火墙中封禁本机对外发往 21、22、23、25、53、80、135、139、443、445、1314、1433、1521、2222、3306、3433、3389、4899、8080、18186 端口的 TCP 连接,以及全部对外 UDP 流量,从而遏制主机继续恶意发包,为后续数据备份争取时间。注意:这只是临时止血措施,它不会清除主机上的恶意程序,也不会阻止发往其他 TCP 端口的流量;封禁生效后本机的 DNS 解析、HTTP/HTTPS 访问和软件源更新都会失败,备份完成后请及时重装或清理系统,并撤销这些规则。
Windows 2003 的批处理文件(以管理员身份运行)
@rem IP Security (IPsec) policy for Windows Server 2003.
@rem version 3.0  time: 2014-5-12
@rem
@rem Builds a policy named "drop" whose single rule blocks every packet this
@rem host originates (srcaddr=me) towards the TCP ports listed below on any
@rem destination, plus all outbound UDP. mirrored=no keeps each filter
@rem one-directional, so inbound traffic and replies to inbound connections
@rem are not affected.
@rem Side effects: outbound DNS (53/tcp and all UDP), HTTP/HTTPS and SMTP
@rem stop working from this host while the policy is assigned. Outbound TCP
@rem to ports not in the list is still allowed - this narrows egress, it
@rem does not isolate the host. NOTE: IPsec policies are enforced by the
@rem IPSEC Services (PolicyAgent) service; confirm it is running.
@rem Undo: netsh ipsec static set policy name=drop assign=n
@rem       netsh ipsec static delete policy name=drop

@rem Policy container and the filter list the rule will reference.
netsh ipsec static add policy name=drop
netsh ipsec static add filterlist name=drop_port

@rem One outbound filter per blocked TCP port (same port set as the
@rem Windows 2008 and Linux variants on this page).
for %%p in (21 22 23 25 53 80 135 139 443 445 1314 1433 1521 2222 3306 3433 3389 4899 8080 18186) do netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=%%p protocol=TCP mirrored=no

@rem All outbound UDP, any destination port.
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any protocol=UDP mirrored=no

@rem Block action, the rule tying list + action into the policy, then
@rem assign (activate) the policy.
netsh ipsec static add filteraction name=denyact action=block
netsh ipsec static add rule name=kill policy=drop filterlist=drop_port filteraction=denyact
netsh ipsec static set policy name=drop assign=y
Windows 2008 的批处理文件(以管理员身份运行)
@rem Windows Firewall rules for Windows Server 2008.
@rem version 3.0  time: 2014-5-12
@rem
@rem Step 1: reset the firewall to its defaults. This discards every
@rem existing rule, including any the operator added, and then re-enables
@rem the Remote Desktop exception on all profiles (presumably so RDP access
@rem survives the reset). "netsh firewall" is the legacy context: still
@rem accepted on Server 2008 but deprecated in favour of "netsh advfirewall".
@rem Step 2: add two outbound block rules in Windows Firewall with Advanced
@rem Security - TCP to the listed remote ports, and UDP to any remote port.
@rem Outbound TCP to other ports is unaffected.
@rem Side effects: outbound DNS (53/tcp and all UDP), HTTP/HTTPS, SMTP and
@rem Windows Update stop working from this host until the rules are removed.
@rem Undo: netsh advfirewall firewall delete rule name="drop"
@rem       netsh advfirewall firewall delete rule name="dropudp"
setlocal

@rem Step 1: reset the firewall to the default rules.
netsh firewall reset
netsh firewall set service remotedesktop enable all

@rem Step 2: configure Windows Firewall with Advanced Security.
@rem Same port set as the Windows 2003 and Linux variants on this page.
set "DROP_PORTS=21,22,23,25,53,80,135,139,443,445,1433,1314,1521,2222,3306,3433,3389,4899,8080,18186"
netsh advfirewall firewall add rule name="drop" protocol=TCP dir=out remoteport="%DROP_PORTS%" action=block
netsh advfirewall firewall add rule name="dropudp" protocol=UDP dir=out remoteport=any action=block

endlocal
Linux系统脚本
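#!/bin/bash
#########################################
# Function: linux drop port
# Usage:    bash linux_drop_port.sh
# Author:   Customer Service Department
# Company:  Alibaba Cloud Computing
# Version:  2.0
#
# Emergency containment for a host that has been caught sending malicious
# traffic. Blocks OUTBOUND TCP to a fixed list of 20 ports and ALL outbound
# UDP; inbound traffic is not touched, so the SSH session running this
# script survives.
#
# Caveats for the operator:
#   * Outbound DNS (53/tcp and every UDP port), HTTP/HTTPS and therefore
#     yum/apt updates stop working on this host until the rules are removed.
#   * Outbound TCP to ports not in the list, and ICMP, are NOT blocked: this
#     narrows the host's egress, it does not isolate the host, and it does
#     nothing about the malware itself.
#   * Only the releases matched in check_os_release() are handled; anything
#     else exits 1 without touching the firewall.
#   * The iptables paths change the live ruleset only; a reboot or
#     `service iptables restart` discards it (`service iptables save` on
#     RHEL-family hosts makes it permanent). The Ubuntu path uses ufw,
#     which stores its rules itself.
#   * Undo: on iptables hosts `iptables -D OUTPUT ...` for each of the three
#     rules; on Ubuntu `ufw status numbered` then `ufw delete <n>`.
#########################################
set -u

# Single-instance lock. Lives under /var/run (writable by root only) rather
# than /tmp: a fixed name in a world-writable directory lets any local user
# pre-create it and stop this remediation from ever running.
readonly LOCKFILE="/var/run/$(basename -- "$0").lock"

# Port lists, split in two as in the original script (iptables' multiport
# match accepts at most 15 ports per rule).
readonly TCP_PORTS_A="21,22,23,25,53,80,135,139,443,445"
readonly TCP_PORTS_B="1433,1314,1521,2222,3306,3433,3389,4899,8080,18186"

# Coloured status output: red for errors (stderr), green for progress.
red()   { printf '\033[1;40;31m%s\n\033[0m\n' "$*" >&2; }
green() { printf '\033[40;32m%s\n\033[40;37m\n' "$*"; }

#######################################
# Identify the distribution release.
# A family is accepted only when /etc/issue AND the family's own release
# file (or /proc/version for Debian) both match - presumably so that a
# customised /etc/issue banner alone cannot trigger a match.
# Outputs: one of redhat5 redhat6 aliyun5 aliyun6 centos5 centos6 ubuntu10
#          ubuntu1204 ubuntu1210 debian6 opensuse131 on stdout; prints
#          nothing for an unsupported release, including newer versions of
#          a recognised family.
# Returns: always 0
#######################################
check_os_release() {
  local hit

  hit=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
  if [[ -n "$hit" ]] && grep -qs "Red Hat Enterprise Linux Server release" /etc/redhat-release; then
    case "$hit" in
      *"release 5"*) echo redhat5 ;;
      *"release 6"*) echo redhat6 ;;
    esac
    return 0
  fi

  hit=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
  if [[ -n "$hit" ]] && grep -qs "Aliyun Linux release" /etc/aliyun-release; then
    case "$hit" in
      *"release 5"*) echo aliyun5 ;;
      *"release 6"*) echo aliyun6 ;;
    esac
    return 0
  fi

  hit=$(grep "CentOS release" /etc/issue 2>/dev/null)
  if [[ -n "$hit" ]] && grep -qs "CentOS release" /etc/*release; then
    case "$hit" in
      *"release 5"*) echo centos5 ;;
      *"release 6"*) echo centos6 ;;
    esac
    return 0
  fi

  hit=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
  if [[ -n "$hit" ]] && grep -qis "ubuntu" /etc/lsb-release; then
    case "$hit" in
      *"Ubuntu 10"*)    echo ubuntu10 ;;
      *"Ubuntu 12.04"*) echo ubuntu1204 ;;
      *"Ubuntu 12.10"*) echo ubuntu1210 ;;
    esac
    return 0
  fi

  hit=$(grep -i "debian" /etc/issue 2>/dev/null)
  if [[ -n "$hit" ]] && grep -qis "debian" /proc/version; then
    case "$hit" in
      *"Linux 6"*) echo debian6 ;;
    esac
    return 0
  fi

  hit=$(grep "openSUSE" /etc/issue 2>/dev/null)
  if [[ -n "$hit" ]] && grep -qs "openSUSE" /etc/*release; then
    case "$hit" in
      *"13.1"*) echo opensuse131 ;;
    esac
    return 0
  fi

  return 0
}

#######################################
# Insert the three egress DROP rules at the top of the OUTPUT chain, so they
# take precedence over any existing ACCEPT rule, then print the ruleset.
# Returns: non-zero as soon as an iptables call fails
#######################################
config_iptables() {
  iptables -I OUTPUT 1 -p tcp -m multiport --dports "$TCP_PORTS_A" -j DROP || return 1
  iptables -I OUTPUT 2 -p tcp -m multiport --dports "$TCP_PORTS_B" -j DROP || return 1
  iptables -I OUTPUT 3 -p udp -j DROP || return 1
  iptables -nvL
}

#######################################
# The same egress policy expressed as ufw deny rules (ufw persists them).
# Returns: non-zero as soon as a ufw call fails
#######################################
ubuntu_config_ufw() {
  ufw deny out proto tcp to any port "$TCP_PORTS_A" || return 1
  ufw deny out proto tcp to any port "$TCP_PORTS_B" || return 1
  ufw deny out proto udp to any || return 1
  ufw status
}

#######################################
# Entry point: root check, single-instance lock, OS detection, then the
# per-family firewall configuration.
# Returns: 0 on success; 1 when not root, when another instance holds the
#          lock, or when the OS is unsupported (the original returned 0 in
#          the last two cases, which hid the fact that nothing was done);
#          the firewall tool's status when a rule could not be added.
#######################################
main() {
  # Root check first: iptables/ufw need it, and so does the lock directory.
  if [[ "$(id -u)" != "0" ]]; then
    red "Error: You must be root to run this script, please use root to execute this script."
    exit 1
  fi

  # -L as well as -e so that a dangling symlink planted at the lock path is
  # reported instead of being followed by the create below.
  if [[ -e "$LOCKFILE" || -L "$LOCKFILE" ]]; then
    red "The script is already exist, please next time to run this script."
    exit 1
  fi
  green "Step 1.No lock file, begin to create lock file and continue."
  : > "$LOCKFILE" || { red "Cannot create lock file $LOCKFILE."; exit 1; }
  # Remove the lock on every exit path from here on; the original removed it
  # by hand on each path, and a missed path would have wedged the script.
  trap 'rm -f -- "$LOCKFILE"' EXIT

  green "Step 2.Begen to check the OS issue."
  local os_release
  os_release=$(check_os_release)
  if [[ -z "$os_release" ]]; then
    red "The OS does not identify, So this script is not executede."
    exit 1
  fi
  green "This OS is $os_release."

  green "Step 3.Begen to config firewall."
  local rc=0
  case "$os_release" in
    redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
      service iptables start
      config_iptables || rc=$?
      ;;
    debian6|opensuse131)
      config_iptables || rc=$?
      ;;
    ubuntu10|ubuntu1204|ubuntu1210)
      # ufw enable may ask for confirmation (it warns about disrupting SSH
      # sessions); answer it non-interactively.
      ufw enable <<EOF
y
EOF
      ubuntu_config_ufw || rc=$?
      ;;
  esac

  # Only report success when every rule was actually added; the original
  # printed the success banner unconditionally.
  if (( rc != 0 )); then
    red "Config firewall failed (exit $rc), check the output above."
    exit "$rc"
  fi
  green "Config firewall success, this script now exit!"
}

main "$@"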
将上述脚本下载到机器内部,以 root 身份(Windows 上以管理员身份)直接执行即可。Linux 脚本只识别 RHEL/CentOS/Aliyun Linux 5 和 6、Ubuntu 10/12.04/12.10、Debian 6 以及 openSUSE 13.1;其他版本会提示无法识别并且不做任何修改。
设置iptables,限制访问
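#!/bin/bash
# Inbound allow-list for a freshly installed host. After this runs the host
# accepts only loopback, TCP 22/80/8080, ICMP echo-request and packets that
# belong to connections it already has; everything else inbound is dropped
# by the chain policy. FORWARD and OUTPUT policies are left untouched.
#
# Run it from the console or from an SSH session on $SSH_PORT: the rules are
# applied live and `-P INPUT DROP` is the last change, so an SSH session on
# any other port is cut off at that point. Note that `-F` flushes EVERY
# chain of the filter table, including OUTPUT rules added by the
# "drop port" containment script on this page - run this script first.
set -eu

IPT=/sbin/iptables
# Override when sshd listens elsewhere, e.g.  SSH_PORT=2222 bash this.sh
SSH_PORT=${SSH_PORT:-22}

# Open the policy before flushing so that a failure part-way through never
# leaves the host with an empty chain under a DROP policy.
"$IPT" -P INPUT ACCEPT
"$IPT" -F
"$IPT" -X
"$IPT" -Z

"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 8080 -j ACCEPT
"$IPT" -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# RELATED added to the original ESTABLISHED-only rule: without it ICMP error
# messages for our own connections (e.g. fragmentation-needed, used by path
# MTU discovery) and helper-tracked secondary connections are dropped.
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -P INPUT DROP

# RHEL/CentOS 6: writes the live ruleset to /etc/sysconfig/iptables, which
# the iptables service reloads at boot. CentOS 7+ needs the iptables-services
# package for this command; Debian/Ubuntu use iptables-persistent instead.
service iptables save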
以上脚本在每次重装完系统后执行一次即可,`service iptables save` 会把规则保存至 /etc/sysconfig/iptables,开机时由 iptables 服务重新加载(此命令仅适用于 RHEL/CentOS 6 系列;CentOS 7 需先安装 iptables-services,Debian/Ubuntu 请改用 iptables-persistent)。注意:脚本开头的 `iptables -F` 会清空 filter 表中所有已有规则,包括上面"限制对外发包"脚本加入的 OUTPUT 规则,因此应先运行本脚本、再运行封禁脚本;本脚本只放行 22 端口的 SSH,如果 sshd 监听在其他端口,通过 SSH 远程执行时会在最后一条 `-P INPUT DROP` 生效后断开连接,建议在控制台(VNC)中执行。