CentOS服务器简单安全配置

在前面的文章中我们已经完成了WEB类服务器的相关安装和配置,经过前面的安装配置之后我们就可以把网站代码放在服务器上让其他用户访问了,从今天开始连续几篇文章菠菜园将为朋友们带来服务器的安全维护

服务器放在公网上供用户访问的同时也面临着各种各样的危险。所以我们还应该为服务器配置一些安全的策略以保障其正常的运行。下面这个脚本来自阿里云分享,大家可以将其复制保存之后,放在服务器上执行。为了让大家放心,菠菜园不直接提供可执行文件了,仅将源码分享如下:

  1. #!/bin/bash
  2. #########################################
  3.     #Function:    linux drop port
  4.     #Usage:       bash linux_drop_port.sh
  5.     #Author:      Customer Service Department
  6.     #Company:     Alibaba Cloud Computing
  7.     #Version:     2.0
  8. #########################################
  9.     check_os_release()
  10.     {
  11.      while true
  12.       do
  13.        os_release=$(grep "Red Hat Enterprise Linux Server release"/etc/issue 2>/dev/null)
  14.        os_release_2=$(grep "Red Hat Enterprise Linux Server release"/etc/redhat-release 2>/dev/null)
  15.        if [ "$os_release" ] && [ "$os_release_2" ]
  16.        then
  17.          if echo "$os_release"|grep "release 5" >/dev/null2>&1
  18.          then
  19.            os_release=redhat5
  20.            echo "$os_release"
  21.          elif echo "$os_release"|grep "release 6">/dev/null 2>&1
  22.          then
  23.            os_release=redhat6
  24.            echo "$os_release"
  25.          else
  26.            os_release=""
  27.            echo "$os_release"
  28.          fi
  29.          break
  30.        fi
  31.        os_release=$(grep "Aliyun Linux release" /etc/issue2>/dev/null)
  32.        os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release2>/dev/null)
  33.        if [ "$os_release" ] && [ "$os_release_2" ]
  34.        then
  35.          if echo "$os_release"|grep "release 5" >/dev/null2>&1
  36.          then
  37.            os_release=aliyun5
  38.            echo "$os_release"
  39.          elif echo "$os_release"|grep "release 6">/dev/null 2>&1
  40.          then
  41.            os_release=aliyun6
  42.            echo "$os_release"
  43.          else
  44.            os_release=""
  45.            echo "$os_release"
  46.          fi
  47.          break
  48.        fi
  49.        os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
  50.        os_release_2=$(grep "CentOS release" /etc/*release2>/dev/null)
  51.        if [ "$os_release" ] && [ "$os_release_2" ]
  52.        then
  53.          if echo "$os_release"|grep "release 5" >/dev/null2>&1
  54.          then
  55.            os_release=centos5
  56.             echo "$os_release"
  57.          elif echo "$os_release"|grep "release 6">/dev/null 2>&1
  58.          then
  59.            os_release=centos6
  60.            echo "$os_release"
  61.          else
  62.            os_release=""
  63.            echo "$os_release"
  64.          fi
  65.          break
  66.        fi
  67.        os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
  68.        os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null)
  69.        if [ "$os_release" ] && [ "$os_release_2" ]
  70.        then
  71.          if echo "$os_release"|grep "Ubuntu 10" >/dev/null2>&1
  72.          then
  73.             os_release=ubuntu10
  74.            echo "$os_release"
  75.          elif echo "$os_release"|grep "Ubuntu 12.04">/dev/null 2>&1
  76.          then
  77.            os_release=ubuntu1204
  78.            echo "$os_release"
  79.          elif echo "$os_release"|grep "Ubuntu 12.10">/dev/null 2>&1
  80.           then
  81.            os_release=ubuntu1210
  82.            echo "$os_release"
  83.          else
  84.            os_release=""
  85.            echo "$os_release"
  86.          fi
  87.          break
  88.        fi
  89.        os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
  90.        os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
  91.        if [ "$os_release" ] && [ "$os_release_2" ]
  92.        then
  93.          if echo "$os_release"|grep "Linux 6" >/dev/null2>&1
  94.          then
  95.            os_release=debian6
  96.            echo "$os_release"
  97.          else
  98.             os_release=""
  99.            echo "$os_release"
  100.          fi
  101.          break
  102.        fi
  103.        os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
  104.        os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
  105.        if [ "$os_release" ] && [ "$os_release_2" ]
  106.        then
  107.           if echo "$os_release"|grep"13.1" >/dev/null 2>&1
  108.          then
  109.            os_release=opensuse131
  110.            echo "$os_release"
  111.          else
  112.            os_release=""
  113.            echo "$os_release"
  114.          fi
  115.          break
  116.        fi
  117.        break
  118.        done
  119.     }
  120.     exit_script()
  121.     {
  122.      echo -e "\033[1;40;31mInstall $1 error,will exit.\n\033[0m"
  123.       rm-f $LOCKfile
  124.      exit 1
  125.     }
  126.     config_iptables()
  127.     {
  128.      iptables -I OUTPUT 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j DROP
  129.      iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j DROP
  130.      iptables -I OUTPUT 3 -p udp -j DROP
  131.      iptables -nvL
  132.     }
  133.     ubuntu_config_ufw()
  134.     {
  135.       ufwdeny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
  136.       ufwdeny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
  137.       ufwdeny out proto udp to any
  138.       ufwstatus
  139.     }
  140.     ####################Start###################
  141.     #check lock file ,one time only let thescript run one time
  142.     LOCKfile=/tmp/.$(basename $0)
  143.     if [ -f "$LOCKfile" ]
  144.     then
  145.      echo -e "\033[1;40;31mThe script is already exist,please next timeto run this script.\n\033[0m"
  146.      exit
  147.     else
  148.      echo -e "\033[40;32mStep 1.No lock file,begin to create lock fileand continue.\n\033[40;37m"
  149.      touch $LOCKfile
  150.     fi
  151.     #check user
  152.     if [ $(id -u) != "0" ]
  153.     then
  154.      echo -e "\033[1;40;31mError: You must be root to run this script,please use root to execute this script.\n\033[0m"
  155.       rm-f $LOCKfile
  156.      exit 1
  157.     fi
  158.     echo -e "\033[40;32mStep 2.Begen tocheck the OS issue.\n\033[40;37m"
  159.     os_release=$(check_os_release)
  160.     if [ "X$os_release" =="X" ]
  161.     then
  162.      echo -e "\033[1;40;31mThe OS does not identify,So this script isnot executede.\n\033[0m"
  163.       rm-f $LOCKfile
  164.      exit 0
  165.     else
  166.      echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"
  167.     fi
  168.     echo -e "\033[40;32mStep 3.Begen toconfig firewall.\n\033[40;37m"
  169.     case "$os_release" in
  170.     redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
  171.      service iptables start
  172.      config_iptables
  173.       ;;
  174.     debian6)
  175.      config_iptables
  176.       ;;
  177.     ubuntu10|ubuntu1204|ubuntu1210)
  178.       ufwenable <<EOF
  179.     y
  180.     EOF
  181.      ubuntu_config_ufw
  182.       ;;
  183.     opensuse131)
  184.      config_iptables
  185.       ;;
  186.     esac
  187.     echo -e "\033[40;32mConfig firewallsuccess,this script now exit!\n\033[40;37m"
  188.     rm -f $LOCKfile

二、设置访问限制策略:

  1. /sbin/iptables -P INPUT ACCEPT
  2. /sbin/iptables -F
  3. /sbin/iptables -X
  4. /sbin/iptables -Z
  5.  /sbin/iptables -A INPUT -i lo -j ACCEPT
  6.  /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  7.  /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  8. /sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
  9.  /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
  10. /sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
  11. /sbin/iptables -P INPUT DROP
  12. service iptables save

在设置访问限制策略的时候一定要注意web访问需要的80端口,SSH连接需要用到的22端口,FTP用到的21端口都要保留,当然也可以更改,不过更改之后一定要注意访问问题,不然远程桌面无法访问的话只能联系机房了。iptable详细设置步骤参考

经过以上设置之后,CentOS的简单安全配置就可以了。下一篇菠菜园将通过实例教大家如何修改SSH远程端口以防止黑客简单猜测破解。

 

  • 版权声明: 本文源自 菠菜园, 于7年前,由整理发表,共 6644字。
  • 原文链接:点此查看原文
你想把广告放到这里吗?

发表评论

您必须 登录 才能发表留言!