阿里云linux服务器安全设置(防火墙策略等)
首先需要进行linux的基础安全设置,可以先参考这篇文章
1、linux系统脚本
#!/bin/bash ######################################### #function: linux drop port #usage: bash linux_drop_port.sh #author: customer service department #company: alibaba cloud computing #version: 2.0 ######################################### check_os_release() { while true do os_release=$(grep "red hat enterprise linux server release"/etc/issue 2>/dev/null) os_release_2=$(grep "red hat enterprise linux server release"/etc/redhat-release 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "release 5" >/dev/null2>&1 then os_release=redhat5 echo "$os_release" elif echo "$os_release"|grep "release 6">/dev/null 2>&1 then os_release=redhat6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep "aliyun linux release" /etc/issue2>/dev/null) os_release_2=$(grep "aliyun linux release" /etc/aliyun-release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "release 5" >/dev/null2>&1 then os_release=aliyun5 echo "$os_release" elif echo "$os_release"|grep "release 6">/dev/null 2>&1 then os_release=aliyun6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep "centos release" /etc/issue 2>/dev/null) os_release_2=$(grep "centos release" /etc/*release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "release 5" >/dev/null2>&1 then os_release=centos5 echo "$os_release" elif echo "$os_release"|grep "release 6">/dev/null 2>&1 then os_release=centos6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null) os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "ubuntu 10" >/dev/null2>&1 then os_release=ubuntu10 echo "$os_release" elif echo "$os_release"|grep "ubuntu 12.04">/dev/null 2>&1 then os_release=ubuntu1204 echo "$os_release" elif echo "$os_release"|grep "ubuntu 12.10">/dev/null 2>&1 then os_release=ubuntu1210 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep -i "debian" /etc/issue 2>/dev/null) os_release_2=$(grep -i "debian" /proc/version 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "linux 6" >/dev/null2>&1 then os_release=debian6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep "opensuse" /etc/issue 2>/dev/null) os_release_2=$(grep "opensuse" /etc/*release 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep"13.1" >/dev/null 2>&1 then os_release=opensuse131 echo "$os_release" else os_release="" echo "$os_release" fi break fi break done } exit_script() { echo -e "\033[1;40;31minstall $1 error,will exit.\n\033[0m" rm-f $lockfile exit 1 } config_iptables() { iptables -i output 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j drop iptables -i output 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j drop iptables -i output 3 -p udp -j drop iptables -nvl } ubuntu_config_ufw() { ufwdeny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445 ufwdeny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 ufwdeny out proto udp to any ufwstatus } ####################start################### #check lock file ,one time only let thescript run one time lockfile=/tmp/.$(basename $0) if [ -f "$lockfile" ] then echo -e "\033[1;40;31mthe script is already exist,please next timeto run this script.\n\033[0m" exit else echo -e "\033[40;32mstep 1.no lock file,begin to create lock fileand continue.\n\033[40;37m" touch $lockfile fi #check user if [ $(id -u) != "0" ] then echo -e "\033[1;40;31merror: you must be root to run this script,please use root to execute this script.\n\033[0m" rm-f $lockfile exit 1 fi echo -e "\033[40;32mstep 2.begen tocheck the os issue.\n\033[40;37m" os_release=$(check_os_release) if [ "x$os_release" =="x" ] then echo -e "\033[1;40;31mthe os does not identify,so this script isnot executede.\n\033[0m" rm-f $lockfile exit 0 else echo -e "\033[40;32mthis os is $os_release.\n\033[40;37m" fi echo -e "\033[40;32mstep 3.begen toconfig firewall.\n\033[40;37m" case "$os_release" in redhat5|centos5|redhat6|centos6|aliyun5|aliyun6) service iptables start config_iptables ;; debian6) config_iptables ;; ubuntu10|ubuntu1204|ubuntu1210) ufwenable <<eof y eof ubuntu_config_ufw ;; opensuse131) config_iptables ;; esac echo -e "\033[40;32mconfig firewallsuccess,this script now exit!\n\033[40;37m" rm -f $lockfile
上述文件下载到机器内部直接执行即可。
2、设置iptables,限制访问
/sbin/iptables -p input accept /sbin/iptables -f /sbin/iptables -x /sbin/iptables -z /sbin/iptables -a input -i lo -j accept /sbin/iptables -a input -p tcp --dport 22 -j accept /sbin/iptables -a input -p tcp --dport 80 -j accept /sbin/iptables -a input -p tcp --dport 8080 -j accept /sbin/iptables -a input -p icmp -m icmp --icmp-type 8 -j accept /sbin/iptables -a input -m state --state established -j accept /sbin/iptables -p input drop service iptables save
以上脚本,在每次重装完系统后执行一次即可,其配置会保存至/etc/sysconfig/iptables
更详细的可以参考这篇文章
3、常用网络监控命令
(1) netstat -tunl:查看所有正在监听的端口
[root@ay1407041017110375bbz ~]# netstat -tunl active internet connections (only servers) proto recv-q send-q local address foreign address state tcp 0 0 0.0.0.0:22 0.0.0.0:* listen udp 0 0 ip:123 0.0.0.0:* udp 0 0 ip:123 0.0.0.0:* udp 0 0 127.0.0.1:123 0.0.0.0:* udp 0 0 0.0.0.0:123 0.0.0.0:*
其中123端口用于ntp服务。
(2)netstat -tunp:查看所有已连接的网络连接状态,并显示其pid及程序名称。
[root@ay1407041017110375bbz ~]# netstat -tunp active internet connections (w/o servers) proto recv-q send-q local address foreign address state pid/program name tcp 0 96 ip:22 221.176.33.126:52699 established 926/sshd tcp 0 0 ip:34385 42.156.166.25:80 established 1003/aegis_cli
根据上述结果,可以根据需要kill掉相应进程。
如:
kill -9 1003
(3)netstat -tunlp
(4)netstat常用选项说明:
-t: tcp
-u : udp
-l, --listening
show only listening sockets. (these are omitted by default.)
-p, --program
show the pid and name of the program to which each socket belongs.
--numeric , -n
show numerical addresses instead of trying to determine symbolic host, port or user names.
4、修改ssh的监听端口
(1)修改 /etc/ssh/sshd_config
原有的port 22
改为port 44
(2)重启服务
/etc/init.d/sshd restart
(3)查看情况
netstat -tunl active internet connections (only servers) proto recv-q send-q local address foreign address state tcp 0 0 0.0.0.0:44 0.0.0.0:* listen udp 0 0 ip:123 0.0.0.0:* udp 0 0 ip:123 0.0.0.0:* udp 0 0 127.0.0.1:123 0.0.0.0:* udp 0 0 0.0.0.0:123 0.0.0.0:*