阿里云linux服务器安全设置(防火墙策略等)
首先需要进行linux的基础安全设置,可以先参考这篇文章
https://www.nhooo.com/article/94842.htm
1、Linux系统脚本
#!/bin/bash
#########################################
# Function: linux drop port
# Usage:    bash linux_drop_port.sh
# Author:   Customer Service Department
# Company:  Alibaba Cloud Computing
# Version:  2.0
#########################################
#######################################
# Identify the distribution family and major version of this host.
# Each family is accepted only when both /etc/issue and a second,
# family-specific file (or /proc/version) match; the first family that
# matches decides the answer, the later ones are not tried.
# Globals:   none (reads /etc/issue, /etc/redhat-release,
#            /etc/aliyun-release, /etc/*release, /etc/lsb-release,
#            /proc/version)
# Arguments: none
# Outputs:   one of redhat5 redhat6 aliyun5 aliyun6 centos5 centos6
#            ubuntu10 ubuntu1204 ubuntu1210 debian6 opensuse131 on stdout;
#            an empty line when the family matched but the version did not;
#            nothing when no family matched
# Returns:   0
#######################################
check_os_release()
{
  local issue_line tag=""
  if issue_line=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null) &&
     grep -q "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null; then
    if grep -q "release 5" <<<"$issue_line"; then
      tag=redhat5
    elif grep -q "release 6" <<<"$issue_line"; then
      tag=redhat6
    fi
    printf '%s\n' "$tag"
  elif issue_line=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null) &&
       grep -q "Aliyun Linux release" /etc/aliyun-release 2>/dev/null; then
    if grep -q "release 5" <<<"$issue_line"; then
      tag=aliyun5
    elif grep -q "release 6" <<<"$issue_line"; then
      tag=aliyun6
    fi
    printf '%s\n' "$tag"
  elif issue_line=$(grep "CentOS release" /etc/issue 2>/dev/null) &&
       grep -q "CentOS release" /etc/*release 2>/dev/null; then
    if grep -q "release 5" <<<"$issue_line"; then
      tag=centos5
    elif grep -q "release 6" <<<"$issue_line"; then
      tag=centos6
    fi
    printf '%s\n' "$tag"
  elif issue_line=$(grep -i "ubuntu" /etc/issue 2>/dev/null) &&
       grep -qi "ubuntu" /etc/lsb-release 2>/dev/null; then
    if grep -q "Ubuntu 10" <<<"$issue_line"; then
      tag=ubuntu10
    elif grep -q "Ubuntu 12.04" <<<"$issue_line"; then
      tag=ubuntu1204
    elif grep -q "Ubuntu 12.10" <<<"$issue_line"; then
      tag=ubuntu1210
    fi
    printf '%s\n' "$tag"
  elif issue_line=$(grep -i "debian" /etc/issue 2>/dev/null) &&
       grep -qi "debian" /proc/version 2>/dev/null; then
    # Debian's /etc/issue carries the kernel-style "Linux 6" wording here
    if grep -q "Linux 6" <<<"$issue_line"; then
      tag=debian6
    fi
    printf '%s\n' "$tag"
  elif issue_line=$(grep "openSUSE" /etc/issue 2>/dev/null) &&
       grep -q "openSUSE" /etc/*release 2>/dev/null; then
    if grep -q "13.1" <<<"$issue_line"; then
      tag=opensuse131
    fi
    printf '%s\n' "$tag"
  fi
}
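#######################################
# Print a red "Install <name> error" banner, remove the run-once lock file
# and abort the whole script.
# Globals:   LOCKfile (read) - lock path created by the main body; the
#            function tolerates it being unset or empty.
#            (No caller of this function is visible in this file.)
# Arguments: $1 - name of the step or package that failed
# Outputs:   the banner on stderr
# Returns:   never; exits with status 1
#######################################
exit_script()
{
  printf '\033[1;40;31mInstall %s error, will exit.\n\033[0m\n' "$1" >&2
  # Only remove the lock when one was actually set: an unset or empty
  # LOCKfile must not turn into a bare "rm -f" or an rm of "".
  if [ -n "${LOCKfile:-}" ]; then
    rm -f -- "$LOCKfile"
  fi
  exit 1
}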
#######################################
# Block outbound traffic from this host to two groups of TCP ports and to
# every UDP destination, then print the resulting rule set.
# The three rules are inserted at positions 1-3 of OUTPUT, so they take
# precedence over anything already in the chain. Note what the lists cover:
# 53/tcp plus all UDP (DNS lookups from this host), 80/443 (any HTTP/HTTPS
# client on the host, e.g. package updates) and 22 (outgoing ssh). Those
# stop working until the rules are removed.
# Globals:   none
# Arguments: none
# Outputs:   "iptables -nvL" listing on stdout
# Returns:   status of the last iptables call
#######################################
config_iptables()
{
  local group_one=21,22,23,25,53,80,135,139,443,445
  local group_two=1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
  iptables -I OUTPUT 1 -p tcp -m multiport --dport "$group_one" -j DROP
  iptables -I OUTPUT 2 -p tcp -m multiport --dport "$group_two" -j DROP
  iptables -I OUTPUT 3 -p udp -j DROP
  iptables -nvL
}
#######################################
# ufw counterpart of config_iptables: deny outgoing TCP to the same two
# port groups and all outgoing UDP, then show the ufw status.
# As with the iptables variant, 53 and all UDP cover DNS lookups and
# 80/443 cover HTTP/HTTPS clients on this host.
# Globals:   none
# Arguments: none
# Outputs:   "ufw status" output on stdout
# Returns:   status of the last ufw call
#######################################
ubuntu_config_ufw()
{
  local group_one=21,22,23,25,53,80,135,139,443,445
  local group_two=1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
  ufw deny out proto tcp to any port "$group_one"
  ufw deny out proto tcp to any port "$group_two"
  ufw deny out proto udp to any
  ufw status
}
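#################### Start ###################
# Run-once guard: a lock file keeps a second copy of this script from running
# at the same time. The file is created under noclobber (O_EXCL), so the
# existence check and the creation are a single atomic step instead of a
# test-then-touch pair. /tmp is shared and the name is predictable, so any
# pre-existing entry with this name (regular file, directory or symlink)
# simply makes the script bail out; it is never followed or overwritten.
LOCKfile=/tmp/.$(basename -- "$0")
if ! ( set -o noclobber; : > "$LOCKfile" ) 2>/dev/null; then
  printf '\033[1;40;31mThe script is already exist, please next time to run this script.\n\033[0m\n' >&2
  exit 0
fi
# From here on every exit path (explicit exit, end of script, fatal signal
# that bash turns into an exit) removes the lock we own.
trap 'rm -f -- "$LOCKfile"' EXIT
printf '\033[40;32mStep 1.No lock file, begin to create lock file and continue.\n\033[40;37m\n'

# check user: iptables/ufw need root
if [ "$(id -u)" -ne 0 ]; then
  printf '\033[1;40;31mError: You must be root to run this script, please use root to execute this script.\n\033[0m\n' >&2
  exit 1
fi

printf '\033[40;32mStep 2.Begen to check the OS issue.\n\033[40;37m\n'
os_release=$(check_os_release)
if [ -z "$os_release" ]; then
  # Unknown distribution is not an error for the caller: nothing was changed.
  printf '\033[1;40;31mThe OS does not identify, So this script is not executede.\n\033[0m\n' >&2
  exit 0
fi
printf '\033[40;32mThis OS is %s.\n\033[40;37m\n' "$os_release"

printf '\033[40;32mStep 3.Begen to config firewall.\n\033[40;37m\n'
case "$os_release" in
  redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
    # the iptables service must be up before rules are inserted
    service iptables start
    config_iptables
    ;;
  debian6|opensuse131)
    config_iptables
    ;;
  ubuntu10|ubuntu1204|ubuntu1210)
    # "ufw enable" asks for confirmation; feed the answer on stdin
    printf 'y\n' | ufw enable
    ubuntu_config_ufw
    ;;
  *)
    # check_os_release only returns the tags above; guard against drift
    printf '\033[1;40;31mUnsupported OS tag: %s\n\033[0m\n' "$os_release" >&2
    exit 1
    ;;
esac
printf '\033[40;32mConfig firewall success, this script now exit!\n\033[40;37m\n'
exit 0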
上述文件下载到机器内部直接执行即可。
2、设置iptables,限制访问
# Rebuild the filter table from scratch: accept only loopback, ssh (22),
# http (80), 8080, ICMP echo-request and packets of established connections;
# the INPUT policy then drops everything else.
# "-F" with no chain name flushes every chain of the filter table, so it also
# removes the OUTPUT rules inserted by the linux_drop_port.sh script above;
# run this block first, or re-apply that script afterwards.
IPT=/sbin/iptables
"$IPT" -P INPUT ACCEPT        # accept while flushing so the current session is not cut off
"$IPT" -F                     # flush all rules
"$IPT" -X                     # delete user-defined chains
"$IPT" -Z                     # zero the counters
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT     # ssh: change this first if sshd is moved to another port (section 4 below uses 44)
"$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 8080 -j ACCEPT
"$IPT" -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# NOTE(review): only ESTABLISHED is accepted here; RELATED (e.g. ICMP errors
# for existing flows) is not, so path-MTU and similar feedback is dropped.
"$IPT" -A INPUT -m state --state ESTABLISHED -j ACCEPT
"$IPT" -P INPUT DROP
service iptables save         # persists to /etc/sysconfig/iptables
以上脚本,在每次重装完系统后执行一次即可,其配置会保存至/etc/sysconfig/iptables
更详细的可以参考这篇文章https://www.nhooo.com/article/94839.htm
3、常用网络监控命令
(1)netstat -tunl:查看所有正在监听的端口
[root@AY1407041017110375bbZ ~]# netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
其中123端口用于NTP服务。
(2)netstat -tunp:查看所有已连接的网络连接状态,并显示其PID及程序名称。
[root@AY1407041017110375bbZ ~]# netstat -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0     96 ip:22                   221.176.33.126:52699    ESTABLISHED 926/sshd
tcp        0      0 ip:34385                42.156.166.25:80        ESTABLISHED 1003/aegis_cli
根据上述结果,可以根据需要kill掉相应进程。
如:
kill -9 1003
(3)netstat -tunlp:同时列出监听端口及其所属进程
(4)netstat 常用选项说明:
-t:tcp
-u:udp
-l, --listening
    Show only listening sockets. (These are omitted by default.)
-p, --program
    Show the PID and name of the program to which each socket belongs.
--numeric, -n
    Show numerical addresses instead of trying to determine symbolic host, port or user names.
4、修改ssh的监听端口
(1)修改 /etc/ssh/sshd_config
原有的 Port 22
改为 Port 44(若已按第2节的 iptables 规则只放行了22端口,需先同步放行44端口,否则重启 sshd 后将无法再远程登录)
(2)重启服务
/etc/init.d/sshd restart
(3)查看情况
netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:44              0.0.0.0:*               LISTEN
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*