在前面的文章中我们已经完成了WEB类服务器的相关安装和配置,经过前面的安装配置之后我们就可以把网站代码放在服务器上让其他用户访问了,从今天开始连续几篇文章菠菜园将为朋友们带来服务器的安全维护。
服务器放在公网上供用户访问的同时也面临着各种各样的危险。所以我们还应该为服务器配置一些安全的策略以保障其正常的运行。下面这个脚本来自阿里云分享,大家可以将其复制保存之后,放在服务器上执行。为了让大家放心,菠菜园不直接提供可执行文件了,仅将源码分享如下:
- #!/bin/bash
- #########################################
- #Function: linux drop port
- #Usage: bash linux_drop_port.sh
- #Author: Customer Service Department
- #Company: Alibaba Cloud Computing
- #Version: 2.0
- #########################################
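#######################################
# Print the /etc/issue lines that mention MARKER, but only when at least one
# of the given release files also mentions it (both sources must agree).
# Arguments: [-i] MARKER FILE...   (-i makes both greps case-insensitive)
# Outputs:   the matching /etc/issue lines on stdout; nothing when the
#            two sources do not agree
# Returns:   0 always
#######################################
release_lines_if_confirmed()
{
  local ci=""
  if [ "$1" = "-i" ]; then
    ci="-i"
    shift
  fi
  local marker=$1
  shift
  local lines
  # shellcheck disable=SC2086 — $ci is either empty or the single flag -i
  lines=$(grep $ci -- "$marker" /etc/issue 2>/dev/null) || return 0
  grep $ci -q -- "$marker" "$@" 2>/dev/null || return 0
  printf '%s\n' "$lines"
}

#######################################
# Identify the distribution and major release this script knows how to
# configure. A candidate is accepted only when /etc/issue and a
# distribution-specific file (/proc/version for Debian) both match; the
# release number is then read from the /etc/issue lines.
# Globals:   none
# Arguments: none
# Outputs:   one of redhat5 redhat6 aliyun5 aliyun6 centos5 centos6
#            ubuntu10 ubuntu1204 ubuntu1210 debian6 opensuse131 on stdout;
#            an empty line when the OS or its release is not recognised
# Returns:   0 always
#######################################
check_os_release()
{
  local issue

  issue=$(release_lines_if_confirmed "Red Hat Enterprise Linux Server release" /etc/redhat-release)
  if [ -n "$issue" ]; then
    case "$issue" in
      *"release 5"*) echo redhat5 ;;
      *"release 6"*) echo redhat6 ;;
      *)             echo "" ;;
    esac
    return 0
  fi

  issue=$(release_lines_if_confirmed "Aliyun Linux release" /etc/aliyun-release)
  if [ -n "$issue" ]; then
    case "$issue" in
      *"release 5"*) echo aliyun5 ;;
      *"release 6"*) echo aliyun6 ;;
      *)             echo "" ;;
    esac
    return 0
  fi

  # /etc/*release is left unquoted on purpose: any release file may confirm.
  issue=$(release_lines_if_confirmed "CentOS release" /etc/*release)
  if [ -n "$issue" ]; then
    case "$issue" in
      *"release 5"*) echo centos5 ;;
      *"release 6"*) echo centos6 ;;
      *)             echo "" ;;
    esac
    return 0
  fi

  issue=$(release_lines_if_confirmed -i "ubuntu" /etc/lsb-release)
  if [ -n "$issue" ]; then
    case "$issue" in
      *"Ubuntu 10"*)    echo ubuntu10 ;;
      *"Ubuntu 12.04"*) echo ubuntu1204 ;;
      *"Ubuntu 12.10"*) echo ubuntu1210 ;;
      *)                echo "" ;;
    esac
    return 0
  fi

  issue=$(release_lines_if_confirmed -i "debian" /proc/version)
  if [ -n "$issue" ]; then
    case "$issue" in
      *"Linux 6"*) echo debian6 ;;
      *)           echo "" ;;
    esac
    return 0
  fi

  issue=$(release_lines_if_confirmed "openSUSE" /etc/*release)
  if [ -n "$issue" ]; then
    case "$issue" in
      *"13.1"*) echo opensuse131 ;;
      *)        echo "" ;;
    esac
    return 0
  fi

  # No supported distribution detected.
  echo ""
}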
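#######################################
# Report a fatal error, remove the lock file and abort the script.
# Globals:   LOCKfile (read) - lock file created at script start
# Arguments: $1 - name of the step or component that failed
# Outputs:   red error message on stderr
# Returns:   does not return; exits with status 1
#######################################
exit_script()
{
  # %s keeps any backslashes in $1 literal; the format string itself
  # carries the colour escapes.
  printf '\033[1;40;31mInstall %s error,will exit.\n\033[0m\n' "$1" >&2
  [ -n "${LOCKfile:-}" ] && rm -f -- "$LOCKfile"
  exit 1
}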
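#######################################
# Insert egress (OUTPUT chain) DROP rules: outbound TCP to two fixed port
# lists and all outbound UDP are dropped, then the live rule set is shown.
# Globals:   none
# Arguments: none
# Outputs:   the resulting rule set (iptables -nvL) on stdout
# Returns:   status of the final iptables -nvL
#######################################
config_iptables()
{
  local -r tcp_ports_1=21,22,23,25,53,80,135,139,443,445
  local -r tcp_ports_2=1433,1314,1521,2222,3306,3433,3389,4899,8080,18186

  # NOTE: these rules also block this host's own DNS (53, TCP and all UDP)
  # and HTTP/HTTPS (80/443) egress, so name resolution and package updates
  # will stop working until the lists are adjusted.
  # multiport takes a comma-separated list via --dports (tcp's --dport
  # accepts a single port or range only).
  iptables -I OUTPUT 1 -p tcp -m multiport --dports "$tcp_ports_1" -j DROP
  iptables -I OUTPUT 2 -p tcp -m multiport --dports "$tcp_ports_2" -j DROP
  iptables -I OUTPUT 3 -p udp -j DROP
  iptables -nvL
}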
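#######################################
# Same egress policy as config_iptables, expressed as ufw rules for Ubuntu:
# deny outbound TCP to two fixed port lists and deny all outbound UDP,
# then show the firewall status.
# Globals:   none
# Arguments: none
# Outputs:   ufw status on stdout
# Returns:   status of the final ufw status
#######################################
ubuntu_config_ufw()
{
  local -r tcp_ports_1=21,22,23,25,53,80,135,139,443,445
  local -r tcp_ports_2=1433,1314,1521,2222,3306,3433,3389,4899,8080,18186

  # NOTE: denying all outbound UDP includes DNS (53), so name resolution
  # from this host stops working until the rules are adjusted.
  ufw deny out proto tcp to any port "$tcp_ports_1"
  ufw deny out proto tcp to any port "$tcp_ports_2"
  ufw deny out proto udp to any
  ufw status
}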
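####################Start###################
# Single-instance guard. The lock is created under noclobber (set -C), so
# the "does it exist?" test and the create are one atomic step: an existing
# regular file at this path - stale, or planted by another local user in
# world-writable /tmp - is never overwritten or followed.
LOCKfile=/tmp/.$(basename -- "$0")
if ! ( set -C; : > "$LOCKfile" ) 2>/dev/null; then
  echo -e "\033[1;40;31mThe script is already exist,please next time to run this script.\n\033[0m"
  exit
fi
echo -e "\033[40;32mStep 1.No lock file,begin to create lock file and continue.\n\033[40;37m"
# From here on every exit path drops the lock, so no per-branch rm is needed.
trap 'rm -f -- "$LOCKfile"' EXIT

# check user: iptables/ufw changes need root
if [ "$(id -u)" != "0" ]; then
  echo -e "\033[1;40;31mError: You must be root to run this script,please use root to execute this script.\n\033[0m"
  exit 1
fi

echo -e "\033[40;32mStep 2.Begen to check the OS issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ -z "$os_release" ]; then
  echo -e "\033[1;40;31mThe OS does not identify,So this script is not executede.\n\033[0m"
  exit 0
fi
echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"

echo -e "\033[40;32mStep 3.Begen to config firewall.\n\033[40;37m"
case "$os_release" in
  redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
    # the iptables service is started first on these releases
    service iptables start
    config_iptables
    ;;
  debian6|opensuse131)
    config_iptables
    ;;
  ubuntu10|ubuntu1204|ubuntu1210)
    # feed the "y" that ufw enable asks for interactively
    ufw enable <<EOF
y
EOF
    ubuntu_config_ufw
    ;;
esac
echo -e "\033[40;32mConfig firewall success,this script now exit!\n\033[40;37m"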
二、设置访问限制策略:
# Inbound (INPUT chain) policy for a web host: accept loopback, SSH (22),
# HTTP (80), 8080, ICMP echo-request and packets of established
# connections; everything else falls through to the DROP policy.
# The policy is set to ACCEPT before the flush so an SSH session is not
# cut off while the chain is momentarily empty.
# NOTE: FTP (21), which the article text says must stay reachable, is not
# opened here - add a rule only if an FTP service really runs on this host.
# NOTE: only ESTABLISHED is matched, not RELATED, so packets conntrack
# classifies as related to an existing connection (e.g. ICMP errors)
# hit the DROP policy.
ipt=/sbin/iptables

"$ipt" -P INPUT ACCEPT
"$ipt" -F
"$ipt" -X
"$ipt" -Z
"$ipt" -A INPUT -i lo -j ACCEPT
for tcp_port in 22 80 8080; do
  "$ipt" -A INPUT -p tcp --dport "$tcp_port" -j ACCEPT
done
"$ipt" -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
"$ipt" -A INPUT -m state --state ESTABLISHED -j ACCEPT
"$ipt" -P INPUT DROP
# write the live rules to the saved set the iptables service loads on boot
service iptables save
在设置访问限制策略的时候一定要注意:web访问需要的80端口、SSH连接需要用到的22端口、FTP用到的21端口都要保留,当然也可以更改,不过更改之后一定要注意访问问题,不然远程桌面无法访问的话只能联系机房了。iptables详细设置步骤参考
经过以上设置之后,CentOS的简单安全配置就可以了。下一篇菠菜园将通过实例教大家如何修改SSH远程端口以防止黑客简单猜测破解。