Before anything else, apply the basic Linux security settings; you can refer to this article first:
http://www.jb51.net/article/94842.htm
1. Linux system script
#!/bin/bash
#########################################
#Function:    Linux drop port
#Usage:       bash linux_drop_port.sh
#Author:      Customer Service Department
#Company:     Alibaba Cloud Computing
#Version:     2.0
#########################################

# Detect the distribution and print a short tag (redhat5, centos6, ubuntu1204, ...).
# The function "returns" its result through stdout, so every branch echoes the tag.
check_os_release()
{
  while true
  do
    os_release=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "release 5" >/dev/null 2>&1
      then
        os_release=redhat5
        echo "$os_release"
      elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
      then
        os_release=redhat6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "release 5" >/dev/null 2>&1
      then
        os_release=aliyun5
        echo "$os_release"
      elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
      then
        os_release=aliyun6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "CentOS release" /etc/*release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "release 5" >/dev/null 2>&1
      then
        os_release=centos5
        echo "$os_release"
      elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
      then
        os_release=centos6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
    os_release_2=$(grep -i "ubuntu" /etc/lsb-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      # the version string in the first pattern was lost in extraction;
      # "Ubuntu 10" is inferred from the tag assigned in this branch
      if echo "$os_release" | grep "Ubuntu 10" >/dev/null 2>&1
      then
        os_release=ubuntu10
        echo "$os_release"
      elif echo "$os_release" | grep "Ubuntu 12.04" >/dev/null 2>&1
      then
        os_release=ubuntu1204
        echo "$os_release"
      elif echo "$os_release" | grep "Ubuntu 12.10" >/dev/null 2>&1
      then
        os_release=ubuntu1210
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
    os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "Linux 6" >/dev/null 2>&1
      then
        os_release=debian6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
    os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "13.1" >/dev/null 2>&1
      then
        os_release=opensuse131
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    break
  done
}

# Print an error, release the lock file and abort.
exit_script()
{
  echo -e "\033[1;40;31mInstall $1 error, will exit.\n\033[0m"
  rm -f $LOCKfile
  exit 1
}

# Block outbound connections to the listed TCP ports and all outbound UDP.
config_iptables()
{
  iptables -I OUTPUT 1 -p tcp -m multiport --dport 21,22,23,25,53,80,135,139,443,445 -j DROP
  iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 -j DROP
  iptables -I OUTPUT 3 -p udp -j DROP
  iptables -nvL
}

# Same policy expressed with ufw for Ubuntu.
ubuntu_config_ufw()
{
  ufw deny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
  ufw deny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
  ufw deny out proto udp to any
  ufw status
}

###################
#Start
###################
# check lock file: only let the script run one instance at a time
LOCKfile=/tmp/.$(basename $0)
if [ -f "$LOCKfile" ]
then
  echo -e "\033[1;40;31mThe lock file already exists, please run this script next time.\n\033[0m"
  exit
else
  echo -e "\033[40;32mStep 1. No lock file, begin to create lock file and continue.\n\033[40;37m"
  touch $LOCKfile
fi

# check user
if [ $(id -u) != "0" ]
then
  echo -e "\033[1;40;31mError: you must be root to run this script, please use root to execute this script.\n\033[0m"
  rm -f $LOCKfile
  exit 1
fi

echo -e "\033[40;32mStep 2. Begin to check the OS issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ "X$os_release" = "X" ]
then
  echo -e "\033[1;40;31mThe OS could not be identified, so this script is not executed.\n\033[0m"
  rm -f $LOCKfile
  exit 0
else
  echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"
fi

echo -e "\033[40;32mStep 3. Begin to config firewall.\n\033[40;37m"
case "$os_release" in
redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
  service iptables start
  config_iptables
  ;;
debian6)
  config_iptables
  ;;
ubuntu10|ubuntu1204|ubuntu1210)
  ufw enable <<EOF
y
EOF
  ubuntu_config_ufw
  ;;
opensuse131)
  config_iptables
  ;;
esac
echo -e "\033[40;32mConfig firewall success, this script now exits!\n\033[40;37m"
rm -f $LOCKfile
Save the script above to the machine and execute it directly.
2. Set iptables to restrict access
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -P INPUT DROP
service iptables save
The commands above need to be run once after each reinstall of the system; the resulting configuration is saved to /etc/sysconfig/iptables.
For more detail you can refer to this article: http://www.jb51.net/article/94839.htm
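The rules in section 2 are typed one at a time, which leaves a window between "-P INPUT DROP" and the ACCEPT rules if they are ever run in a different order, and nothing stops the operator from forgetting the SSH port. The following added example (not from the original article) generates the same ruleset as an iptables-restore file so it can be reviewed first and loaded atomically. It assumes the host uses iptables, takes the SSH port as a mandatory first argument so it is always in the allowlist, and adds RELATED to the article's ESTABLISHED match so ICMP error replies for the host's own connections are not dropped.

```shell
#!/bin/sh
# Added example: build the section 2 ruleset in iptables-restore format.
# Not the article's own commands; the SSH port and extra ports are assumptions
# passed by the caller.

# gen_rules SSH_PORT [EXTRA_TCP_PORT ...]  -> prints an iptables-restore file
gen_rules() {
    ssh_port="$1"; shift
    case "$ssh_port" in
        ''|*[!0-9]*) echo "gen_rules: SSH port must be numeric" >&2; return 1 ;;
    esac
    printf '%s\n' '*filter'
    # Default policies: inbound and forwarded traffic dropped unless matched below,
    # outbound left open (the article only restricts INPUT here).
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened; RELATED covers ICMP errors etc.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # ICMP echo request (ping), as in the article.
    printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    # SSH first, then whatever service ports the caller listed.
    for p in "$ssh_port" "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$p"
    done
    printf '%s\n' 'COMMIT'
}

# apply_rules SSH_PORT [PORT ...] -> writes the file and loads it in one step.
# iptables-restore replaces the whole filter table at once, so there is no
# moment where the policy is DROP but the SSH ACCEPT rule is missing.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    iptables-restore < "$tmp" && service iptables save
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Review the generated file before applying, e.g.:
#   gen_rules 22 80 8080
#   apply_rules 22 80 8080   (as root)
```

Running gen_rules on its own prints the file, which is the artifact worth keeping under version control; apply_rules is the only function that touches the live firewall and must run as root.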
3. Commonly used network monitoring commands
(1) netstat -tunl: view all ports that are listening
[root@ay1407041017110375bbz ~]# netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
udp 0 0 ip:123 0.0.0.0:*
udp 0 0 ip:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123
Here port 123 is used by the NTP service.
(2) netstat -tunp: view all established network connections, showing the PID and program name of each.
[root@ay1407041017110375bbz ~]# netstat -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 ip:22 221.176.33.126:52699 ESTABLISHED 926/sshd
Based on these results you can kill the corresponding process as needed, for example:
kill -9 1003
(3) netstat -tunlp: combines the two, listing listening sockets together with their PID and program name.
(4) Description of common netstat options:
-t: TCP
-u: UDP
-l, --listening
Show only listening sockets. (These are omitted by default.)
-p, --program
Show the PID and name of the program to which each socket belongs.
-n, --numeric
Show numerical addresses instead of trying to determine symbolic host, port or user names.
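Reading netstat output by eye works on one host, but the useful check is whether anything is listening that should not be. The following added example (not from the original article) parses "netstat -tunlp" output and compares every listener against an allowlist of expected ports, also noting whether the socket is bound to all interfaces (0.0.0.0 or ::) or only to localhost. The sample output embedded in the block is constructed to mirror the shape shown in the article; the allowlist is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example: audit "netstat -tunlp" output against an allowlist of ports.
# Not the article's own code; SAMPLE_NETSTAT below is constructed test data.

# audit_listeners "ALLOWED PORTS" < netstat_output
# Prints one line per listener: STATUS PROTO SCOPE ADDRESS PORT PID/PROGRAM
# Returns 1 if at least one listener is not in the allowlist.
audit_listeners() {
    allowed=" $1 "
    rc=0
    while read -r proto recvq sendq laddr faddr rest; do
        # skip the two header lines and anything that is not a socket row
        case "$proto" in tcp|tcp6|udp|udp6) ;; *) continue ;; esac
        port="${laddr##*:}"
        addr="${laddr%:*}"
        # tcp rows end with "LISTEN pid/prog", udp rows with just "pid/prog"
        prog="${rest##* }"
        case "$addr" in
            0.0.0.0|::|'*') scope=public ;;
            *)              scope=local ;;
        esac
        case "$allowed" in
            *" $port "*) status=OK ;;
            *)           status=UNEXPECTED; rc=1 ;;
        esac
        printf '%s %s %s %s %s %s\n' "$status" "$proto" "$scope" "$addr" "$port" "$prog"
    done
    return $rc
}

# count_unexpected "ALLOWED PORTS" < netstat_output -> number of UNEXPECTED rows
count_unexpected() {
    audit_listeners "$1" | grep -c '^UNEXPECTED' || true
}

# Constructed sample (not real output): one extra service has appeared on 6379.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      926/sshd
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1410/redis-server
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1002/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1002/ntpd'

# On a live host run:  netstat -tunlp | audit_listeners "22 123"
# Against the sample:  echo "$SAMPLE_NETSTAT" | audit_listeners "22 123"
```

The allowlist is the same set of ports you opened in the iptables rules of section 2 plus whatever only listens on localhost; a public-scope UNEXPECTED line is the one worth investigating first, since the firewall is the only thing standing between it and the network.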
4. Modify the SSH listening port
(1) Edit /etc/ssh/sshd_config
Change the original line Port 22
to Port 44
(2) Restart the service
/etc/init.d/sshd restart
(3) Check the result
netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:44 0.0.0.0:* LISTEN
udp 0 0 ip:123 0.0.0.0:*
udp 0 0 ip:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123
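Steps (1) to (3) above interact with section 2: the iptables rules only accept TCP 22, so restarting sshd on port 44 before opening 44 in the firewall locks the operator out of a remote host. The following added example (not from the original article) performs the sshd_config edit from step (1) and refuses to do it unless the new port is already in the firewall allowlist. It assumes the OpenSSH "Port N" / "#Port 22" directive syntax and takes the allowlist as a space-separated string (on a live host, derive it from "iptables -S INPUT"); the file path and port numbers in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example: change the sshd port only after the firewall permits it.
# Not the article's own code; file paths and the allowlist are caller assumptions.

# set_ssh_port FILE PORT -> rewrite (or append) the Port directive in FILE
set_ssh_port() {
    file="$1"; port="$2"
    case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
        # replace the existing directive in place, even if it is commented out ("#Port 22")
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$file"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# get_ssh_port FILE -> print the effective port (22 when no active directive)
get_ssh_port() {
    p=$(sed -nE 's/^[[:space:]]*Port[[:space:]]+([0-9]+).*/\1/p' "$1" | tail -n 1)
    echo "${p:-22}"
}

# port_allowed PORT "ALLOWED PORTS" -> 0 if PORT is in the allowlist
port_allowed() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# change_port FILE PORT "ALLOWED PORTS"
# Refuses to edit the config while the firewall would still drop the new port.
change_port() {
    port_allowed "$2" "$3" || { echo "open TCP $2 in iptables before changing sshd" >&2; return 2; }
    set_ssh_port "$1" "$2"
}

# restart_sshd FILE -> syntax-check the config, then restart as in step (2)
restart_sshd() {
    sshd -t -f "$1" || return 1
    /etc/init.d/sshd restart
}

# Usage on a host where iptables already accepts 22, 44, 80 and 8080:
#   change_port /etc/ssh/sshd_config 44 "22 44 80 8080" && restart_sshd /etc/ssh/sshd_config
# Keep the old port open until a login on the new one has been confirmed.
```

Keeping the existing session open while testing a fresh login on port 44 is the last safeguard; only after that succeeds should the rule for port 22 be removed from the firewall.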