阿里云linux服务器安全设置(防火墙策略等)

首先需要进行linux的基础安全设置,可以先参考这篇文章

1、Linux系统脚本

  #!/bin/bash  #########################################  #Function: linux drop port  #Usage:  bash linux_drop_port.sh  #Author:  Customer Service Department  #Company:  Alibaba Cloud Computing  #Version:  2.0  #########################################     check_os_release()  {   while true   do   os_release=$(grep "Red Hat Enterprise Linux Server release"/etc/issue 2>/dev/null)   os_release_2=$(grep "Red Hat Enterprise Linux Server release"/etc/redhat-release 2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep "release 5" >/dev/null2>&1    then    os_release=redhat5    echo "$os_release"    elif echo "$os_release"|grep "release 6">/dev/null 2>&1    then    os_release=redhat6    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   os_release=$(grep "Aliyun Linux release" /etc/issue2>/dev/null)   os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep "release 5" >/dev/null2>&1    then    os_release=aliyun5    echo "$os_release"    elif echo "$os_release"|grep "release 6">/dev/null 2>&1    then    os_release=aliyun6    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)   os_release_2=$(grep "CentOS release" /etc/*release2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep "release 5" >/dev/null2>&1    then    os_release=centos5    echo "$os_release"    elif echo "$os_release"|grep "release 6">/dev/null 2>&1    then    os_release=centos6    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)   os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep "Ubuntu 10" >/dev/null2>&1    then    os_release=ubuntu10    echo "$os_release"    elif echo "$os_release"|grep "Ubuntu 12.04">/dev/null 2>&1    then    os_release=ubuntu1204    echo "$os_release"    elif echo "$os_release"|grep "Ubuntu 12.10">/dev/null 2>&1    then    os_release=ubuntu1210    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   os_release=$(grep -i "debian" /etc/issue 2>/dev/null)   os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep "Linux 6" >/dev/null2>&1    then    os_release=debian6    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)   os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)   if [ "$os_release" ] && [ "$os_release_2" ]   then    if echo "$os_release"|grep"13.1" >/dev/null 2>&1    then    os_release=opensuse131    echo "$os_release"    else    os_release=""    echo "$os_release"    fi    break   fi   break   done  }     exit_script()  {   echo -e "33[1;40;31mInstall $1 error,will exit.n33[0m"   rm-f $LOCKfile   exit 1  }     config_iptables()  {   iptables -I OUTPUT 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j DROP   iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j DROP   iptables -I OUTPUT 3 -p udp -j DROP   iptables -nvL  }     ubuntu_config_ufw()  {   ufwdeny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445   ufwdeny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186   ufwdeny out proto udp to any   ufwstatus  }     ####################Start###################  #check lock file ,one time only let thescript run one time  LOCKfile=/tmp/.$(basename $0)  if [ -f "$LOCKfile" ]  then   echo -e "33[1;40;31mThe script is already exist,please next timeto run this script.n33[0m"   exit  else   echo -e "33[40;32mStep 1.No lock file,begin to create lock fileand continue.n33[40;37m"   touch $LOCKfile  fi     #check user  if [ $(id -u) != "0" ]  then   echo -e "33[1;40;31mError: You must be root to run this script,please use root to execute this script.n33[0m"   rm-f $LOCKfile   exit 1  fi     echo -e "33[40;32mStep 2.Begen tocheck the OS issue.n33[40;37m"  os_release=$(check_os_release)  if [ "X$os_release" =="X" ]  then   echo -e "33[1;40;31mThe OS does not identify,So this script isnot executede.n33[0m"   rm-f $LOCKfile   exit 0  else   echo -e "33[40;32mThis OS is $os_release.n33[40;37m"  fi     echo -e "33[40;32mStep 3.Begen toconfig firewall.n33[40;37m"  case "$os_release" in  redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)   service iptables start   config_iptables   ;;  debian6)   config_iptables   ;;  ubuntu10|ubuntu1204|ubuntu1210)   ufwenable <<EOF  y  EOF   ubuntu_config_ufw   ;;  opensuse131)   config_iptables   ;;  esac     echo -e "33[40;32mConfig firewallsuccess,this script now exit!n33[40;37m"  rm -f $LOCKfile

上述文件下载到机器内部直接执行即可。

2、设置iptables,限制访问

  /sbin/iptables -P INPUT ACCEPT  /sbin/iptables -F  /sbin/iptables -X  /sbin/iptables -Z    /sbin/iptables -A INPUT -i lo -j ACCEPT   /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT  /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT  /sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT  /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT  /sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT  /sbin/iptables -P INPUT DROP   service iptables save

以上脚本,在每次重装完系统后执行一次即可,其配置会保存至/etc/sysconfig/iptables

更详细的可以参考这篇文章

3、常用网络监控命令
(1) netstat -tunl:查看所有正在监听的端口

  [root@AY1407041017110375bbZ ~]# netstat -tunl  Active Internet connections (only servers)  Proto Recv-Q Send-Q Local Address    Foreign Address    State    tcp  0  0 0.0.0.0:22     0.0.0.0:*     LISTEN    udp  0  0 ip:123   0.0.0.0:*          udp  0  0 ip:123   0.0.0.0:*          udp  0  0 127.0.0.1:123    0.0.0.0:*          udp  0  0 0.0.0.0:123     0.0.0.0:* 

其中123端口用于NTP服务。
(2)netstat -tunp:查看所有已连接的网络连接状态,并显示其PID及程序名称。

  [root@AY1407041017110375bbZ ~]# netstat -tunp  Active Internet connections (w/o servers)  Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name     tcp        0     96 ip:22            221.176.33.126:52699        ESTABLISHED 926/sshd              tcp        0      0 ip:34385         42.156.166.25:80            ESTABLISHED 1003/aegis_cli 

根据上述结果,可以根据需要kill掉相应进程。
如:
kill -9 1003

(3)netstat -tunlp
(4)netstat常用选项说明:

-t: tcp  
-u : udp
-l, --listening
       Show only listening sockets.  (These are omitted by default.)
-p, --program
       Show the PID and name of the program to which each socket belongs.
--numeric , -n
Show numerical addresses instead of trying to determine symbolic host, port or user names.

4、修改ssh的监听端口

(1)修改 /etc/ssh/sshd_config

原有的port 22

改为port 44

(2)重启服务

/etc/init.d/sshd restart
(3)查看情况

   netstat -tunl  Active Internet connections (only servers)  Proto Recv-Q Send-Q Local Address    Foreign Address    State    tcp  0  0 0.0.0.0:44    0.0.0.0:*     LISTEN    udp  0  0 ip:123   0.0.0.0:*          udp  0  0 ip:123   0.0.0.0:*          udp  0  0 127.0.0.1:123    0.0.0.0:*          udp  0  0 0.0.0.0:123     0.0.0.0:* 

参与评论