欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

阿里云windows服务器安全设置(防火墙策略)

程序员文章站 2022-04-06 20:25:54
通过防火墙策略限制对外扫描行为 请您根据您的服务器操作系统,下载对应的脚本运行,运行后您的防火墙策略会封禁对外发包的行为,确保您的主机不会再出现恶意发包的情况,为您进行后...

通过防火墙策略限制对外扫描行为

请您根据您的服务器操作系统,下载对应的脚本运行,运行后您的防火墙策略会封禁对外发包的行为,确保您的主机不会再出现恶意发包的情况,为您进行后续数据备份操作提供足够的时间。

window2003的批处理文件

@rem 配置windows2003系统的ip安全策略
@rem version 3.0 time:2014-5-12

netsh ipsec static add policy name=drop
netsh ipsec static add filterlist name=drop_port
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=21 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=22 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=23 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=25 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=53 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=80 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=135 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=139 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=443 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=445 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1314 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1433 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1521 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=2222 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3306 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3433 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3389 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=4899 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=8080 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=18186 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any protocol=udp mirrored=no
netsh ipsec static add filteraction name=denyact action=block
netsh ipsec static add rule name=kill policy=drop filterlist=drop_port filteraction=denyact
netsh ipsec static set policy name=drop assign=y

window2008的批处理文件

@rem 配置windows2008系统的ip安全策略
@rem version 3.0 time:2014-5-12

@rem 重置防火墙使用默认规则
netsh firewall reset
netsh firewall set service remotedesktop enable all

@rem 配置高级windows防火墙
netsh advfirewall firewall add rule name="drop" protocol=tcp dir=out remoteport="21,22,23,25,53,80,135,139,443,445,1433,1314,1521,2222,3306,3433,3389,4899,8080,18186" action=block
netsh advfirewall firewall add rule name="dropudp" protocol=udp dir=out remoteport=any action=block

linux系统脚本

#!/bin/bash
#########################################
#function:  linux drop port
#usage:    bash linux_drop_port.sh
#author:   customer service department
#company:   alibaba cloud computing
#version:   2.0
#########################################
 
check_os_release()
{
 while true
 do
  os_release=$(grep "red hat enterprise linux server release"/etc/issue 2>/dev/null)
  os_release_2=$(grep "red hat enterprise linux server release"/etc/redhat-release 2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep "release 5" >/dev/null2>&1
   then
    os_release=redhat5
    echo "$os_release"
   elif echo "$os_release"|grep "release 6">/dev/null 2>&1
   then
    os_release=redhat6
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  os_release=$(grep "aliyun linux release" /etc/issue2>/dev/null)
  os_release_2=$(grep "aliyun linux release" /etc/aliyun-release2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep "release 5" >/dev/null2>&1
   then
    os_release=aliyun5
    echo "$os_release"
   elif echo "$os_release"|grep "release 6">/dev/null 2>&1
   then
    os_release=aliyun6
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  os_release=$(grep "centos release" /etc/issue 2>/dev/null)
  os_release_2=$(grep "centos release" /etc/*release2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep "release 5" >/dev/null2>&1
   then
    os_release=centos5
    echo "$os_release"
   elif echo "$os_release"|grep "release 6">/dev/null 2>&1
   then
    os_release=centos6
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
  os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep "ubuntu 10" >/dev/null2>&1
   then
    os_release=ubuntu10
    echo "$os_release"
   elif echo "$os_release"|grep "ubuntu 12.04">/dev/null 2>&1
   then
    os_release=ubuntu1204
    echo "$os_release"
   elif echo "$os_release"|grep "ubuntu 12.10">/dev/null 2>&1
   then
    os_release=ubuntu1210
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
  os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep "linux 6" >/dev/null2>&1
   then
    os_release=debian6
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  os_release=$(grep "opensuse" /etc/issue 2>/dev/null)
  os_release_2=$(grep "opensuse" /etc/*release 2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep"13.1" >/dev/null 2>&1
   then
    os_release=opensuse131
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  break
  done
}
 
exit_script()
{
 echo -e "\033[1;40;31minstall $1 error,will exit.\n\033[0m"
 rm-f $lockfile
 exit 1
}
 
config_iptables()
{
 iptables -i output 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j drop
 iptables -i output 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j drop
 iptables -i output 3 -p udp -j drop
 iptables -nvl
}
 
ubuntu_config_ufw()
{
 ufwdeny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
 ufwdeny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
 ufwdeny out proto udp to any
 ufwstatus
}
 
####################start###################
#check lock file ,one time only let thescript run one time
lockfile=/tmp/.$(basename $0)
if [ -f "$lockfile" ]
then
 echo -e "\033[1;40;31mthe script is already exist,please next timeto run this script.\n\033[0m"
 exit
else
 echo -e "\033[40;32mstep 1.no lock file,begin to create lock fileand continue.\n\033[40;37m"
 touch $lockfile
fi
 
#check user
if [ $(id -u) != "0" ]
then
 echo -e "\033[1;40;31merror: you must be root to run this script,please use root to execute this script.\n\033[0m"
 rm-f $lockfile
 exit 1
fi
 
echo -e "\033[40;32mstep 2.begen tocheck the os issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ "x$os_release" =="x" ]
then
 echo -e "\033[1;40;31mthe os does not identify,so this script isnot executede.\n\033[0m"
 rm-f $lockfile
 exit 0
else
 echo -e "\033[40;32mthis os is $os_release.\n\033[40;37m"
fi
 
echo -e "\033[40;32mstep 3.begen toconfig firewall.\n\033[40;37m"
case "$os_release" in
redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
 service iptables start
 config_iptables
 ;;
debian6)
 config_iptables
 ;;
ubuntu10|ubuntu1204|ubuntu1210)
 ufwenable <<eof
y
eof
 ubuntu_config_ufw
 ;;
opensuse131)
 config_iptables
 ;;
esac
 
echo -e "\033[40;32mconfig firewallsuccess,this script now exit!\n\033[40;37m"
rm -f $lockfile

上述文件下载到机器内部直接执行即可。

设置iptables,限制访问

/sbin/iptables -p input accept
/sbin/iptables -f
/sbin/iptables -x
/sbin/iptables -z

/sbin/iptables -a input -i lo -j accept 
/sbin/iptables -a input -p tcp --dport 22 -j accept
/sbin/iptables -a input -p tcp --dport 80 -j accept
/sbin/iptables -a input -p tcp --dport 8080 -j accept
/sbin/iptables -a input -p icmp -m icmp --icmp-type 8 -j accept
/sbin/iptables -a input -m state --state established -j accept
/sbin/iptables -p input drop
 service iptables save

以上脚本,在每次重装完系统后执行一次即可,其配置会保存至/etc/sysconfig/iptables