Iptables configuration notes
To improve server security, enable iptables. The steps recorded here are:
(1) set the SSH port to 13256 and the vsftpd port to 2121
(2) install iptables and block all ports
(3) open ports 13256, 80, and 2121
(4) allow port 3306 to be accessed only locally
(5) allow all local (loopback) traffic
(6) save and enable iptables
(1) Set the SSH port to 13256 and the vsftpd port to 2121.
Modify the SSH port:
Find "Port 22" in /etc/ssh/sshd_config and change it to 13256, or start the daemon with /usr/sbin/sshd -p 13256 to specify the port on the command line.
Modify the vsftpd port:
In /etc/vsftpd.conf, add the following settings:
listen_port=2121        (change the listening port)
pasv_min_port=9981      (lowest port in passive mode)
pasv_max_port=9990      (highest port in passive mode)
(2) Install or enable iptables and block all ports.
If iptables is not installed, run yum install iptables to install it.
After installation, listing the rules shows three empty chains whose default policy is ACCEPT:
[root@tp ~]# /sbin/iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Block all ports
(Note: stop iptables with /etc/rc.d/init.d/iptables stop before blocking the ports; otherwise SSH will be disconnected.)
[root@tp ~]# /sbin/iptables -F
[root@tp ~]# /sbin/iptables -X
[root@tp ~]# /sbin/iptables -P INPUT DROP
[root@tp ~]# /sbin/iptables -P OUTPUT DROP
[root@tp ~]# /sbin/iptables -P FORWARD DROP
The chain policy decides what happens to a packet that matches none of the rules in a chain (INPUT, FORWARD, OUTPUT) of the filter table; here it is DROP (discard). Some people prefer to set OUTPUT to ACCEPT, but if the server is compromised the intruder can use it as a relay to launch attacks and generate large volumes of traffic, so OUTPUT is also set to DROP here.
(3) Open ports 13256, 80, and 2121
[root@tp ~]# /sbin/iptables -A INPUT -p tcp --dport 13256 -j ACCEPT
[root@tp ~]# /sbin/iptables -A OUTPUT -p tcp --sport 13256 -j ACCEPT
[root@tp ~]# /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@tp ~]# /sbin/iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
[root@tp ~]# /sbin/iptables -A INPUT -p tcp --dport 2121 -j ACCEPT
[root@tp ~]# /sbin/iptables -A OUTPUT -p tcp --sport 2121 -j ACCEPT
(4) Set port 3306 to allow only local access
[root@tp ~]# /sbin/iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
[root@tp ~]# /sbin/iptables -A OUTPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
(5) Allow all traffic between local ports
[root@tp ~]# /sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
[root@tp ~]# /sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
(6) Save and enable iptables
[root@tp ~]# /etc/rc.d/init.d/iptables save
[root@tp ~]# /etc/rc.d/init.d/iptables restart
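As an added example (not code from the original page), the same rule set written as an iptables-restore file by a small shell script: loading it with iptables-restore applies the DROP policies and the ACCEPT rules in one transaction, so there is no window in which the DROP policies are active before the port 13256 rules exist (the cause of the SSH disconnect the note in step (2) warns about). It goes beyond the page in also opening the passive FTP range 9981:9990 configured in step (1), which the commands above leave blocked; the variable and function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page. Port numbers are the page's;
# variable and function names are assumptions of this example.
SSH_PORT=13256
HTTP_PORT=80
FTP_PORT=2121
FTP_PASV_RANGE=9981:9990   # vsftpd pasv_min_port:pasv_max_port from step (1)
MYSQL_PORT=3306

# Print the complete filter table in iptables-restore format.
# Usage: gen_rules > /etc/sysconfig/iptables  (the file the CentOS init script loads)
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# (5) all loopback traffic
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# (3) SSH, HTTP and FTP control ports, stateless in both directions as on the page
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A OUTPUT -p tcp --sport $SSH_PORT -j ACCEPT
-A INPUT -p tcp --dport $HTTP_PORT -j ACCEPT
-A OUTPUT -p tcp --sport $HTTP_PORT -j ACCEPT
-A INPUT -p tcp --dport $FTP_PORT -j ACCEPT
-A OUTPUT -p tcp --sport $FTP_PORT -j ACCEPT
# passive FTP data range from vsftpd.conf; without it passive transfers hang
-A INPUT -p tcp --dport $FTP_PASV_RANGE -j ACCEPT
-A OUTPUT -p tcp --sport $FTP_PASV_RANGE -j ACCEPT
# (4) MySQL reachable only from the local host
-A INPUT -p tcp -s 127.0.0.1 --dport $MYSQL_PORT -j ACCEPT
-A OUTPUT -p tcp -s 127.0.0.1 --dport $MYSQL_PORT -j ACCEPT
COMMIT
EOF
}

# Refuse to load a rule set that would cut the SSH session: the SSH port must
# be accepted on INPUT in the same transaction as the DROP policy. 0 = safe.
check_ssh_rule() {
    gen_rules | grep -q "^-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT\$"
}

# Number of INPUT rules accepting connections from any source, i.e. the
# server's public exposure (loopback and 127.0.0.1-restricted rules excluded).
count_public_input_rules() {
    gen_rules | grep -c '^-A INPUT -p tcp --dport'
}

# Load atomically (run as root); persist with /etc/rc.d/init.d/iptables save.
apply_rules() {
    check_ssh_rule && gen_rules | iptables-restore
}
```

iptables-restore replaces the whole filter table in one step, so the separate -F and -X commands are not needed when loading this file.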