Restricting external scan behavior through firewall policy
Download and run the script that matches your server's operating system. Once it has run, your firewall policy will block outbound connections initiated by the host, so that the host cannot take part in malicious outbound traffic; this gives you enough time to carry out the follow-up data backup.
Windows 2003 Batch File
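@rem Configure the IP Security policy for the Windows 2003 system
@rem version 3.0 time:2014-5-12
@rem
@rem Builds an IPsec policy named "drop" that blocks traffic this host sends
@rem (srcaddr=me) to a fixed list of TCP destination ports, plus every UDP
@rem packet it sends. mirrored=no: only the host-to-remote direction is
@rem filtered, so services listening on this host are not affected.
@rem Because TCP/53 and all UDP are blocked, name resolution from this host
@rem stops working while the policy is assigned.
netsh ipsec static add policy name=drop
netsh ipsec static add filterlist name=drop_port
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=21 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=22 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=23 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=25 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=53 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=80 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=135 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=139 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=443 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=445 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1314 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1433 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1521 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=2222 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3306 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3433 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3389 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=4899 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=8080 protocol=tcp mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=18186 protocol=tcp mirrored=no
@rem No dstport: every outbound UDP datagram matches.
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any protocol=udp mirrored=no
netsh ipsec static add filteraction name=denyact action=block
netsh ipsec static add rule name=kill policy=drop filterlist=drop_port filteraction=denyact
@rem assign=y activates the policy immediately.
netsh ipsec static set policy name=drop assign=y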
Windows 2008 Batch File
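@rem Configure the IP Security policy for the windows2008 system
@rem version 3.0 time:2014-5-12
@rem
@rem Blocks outbound TCP connections from this host to a fixed list of remote
@rem ports, and all outbound UDP. Inbound rules are not restricted here.
@rem Because TCP/53 and all UDP are blocked, name resolution from this host
@rem stops working while these rules are present.
@rem
@rem Reset firewall using default rules. This discards every existing rule,
@rem including any custom inbound allow rules, before the block rules are added.
@rem (The "netsh firewall" context is the legacy interface; the rules below use
@rem "netsh advfirewall".)
netsh firewall reset
@rem Re-enables Remote Desktop on all profiles after the reset, presumably so
@rem the administrator can still reach the host for the backup step.
netsh firewall set service remotedesktop enable all
@rem Configure advanced Windows Firewall
netsh advfirewall firewall add rule name="drop" protocol=tcp dir=out remoteport="21,22,23,25,53,80,135,139,443,445,1433,1314,1521,2222,3306,3433,3389,4899,8080,18186" action=block
netsh advfirewall firewall add rule name="dropudp" protocol=udp dir=out remoteport=any action=block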
Linux System Scripts
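#!/bin/bash
#########################################
#Function:    linux drop port
#Usage:       bash linux_drop_port.sh
#Author:      Customer Service Department
#Company:     Alibaba Cloud Computing
#Version:     2.0
#########################################
#
# Blocks connections that this host initiates to a fixed list of TCP ports,
# and all outbound UDP, using iptables (RHEL/CentOS/Aliyun/Debian/openSUSE)
# or ufw (Ubuntu). Inbound services are not touched. Because outbound UDP
# and TCP/53 are dropped, name resolution from the host stops working while
# the rules are in place. The iptables branch does not save the rules, so
# they are gone after a reboot unless persisted separately.
# Must run as root; a marker file keeps two copies from running at once.

# Destination ports the host may not connect out to, kept in two lists so
# each iptables multiport rule stays within its per-rule port limit.
readonly TCP_PORTS_A="21,22,23,25,53,80,135,139,443,445"
readonly TCP_PORTS_B="1433,1314,1521,2222,3306,3433,3389,4899,8080,18186"

#######################################
# Identify the distribution and major release.
# Reads /etc/issue plus a distro-specific release file; both must match
# before a release is reported.
# Outputs: one of redhat5 redhat6 aliyun5 aliyun6 centos5 centos6 ubuntu10
#          ubuntu1204 ubuntu1210 debian6 opensuse131 on stdout, or nothing
#          when the distribution or its release is not recognised.
# Returns: 0 always.
#######################################
check_os_release() {
  local issue_line release_line

  issue_line=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
  release_line=$(grep "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null)
  if [ -n "$issue_line" ] && [ -n "$release_line" ]; then
    case "$issue_line" in
      *"release 5"*) echo redhat5 ;;
      *"release 6"*) echo redhat6 ;;
    esac
    return 0
  fi

  issue_line=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
  release_line=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
  if [ -n "$issue_line" ] && [ -n "$release_line" ]; then
    case "$issue_line" in
      *"release 5"*) echo aliyun5 ;;
      *"release 6"*) echo aliyun6 ;;
    esac
    return 0
  fi

  issue_line=$(grep "CentOS release" /etc/issue 2>/dev/null)
  release_line=$(grep "CentOS release" /etc/*release 2>/dev/null)
  if [ -n "$issue_line" ] && [ -n "$release_line" ]; then
    case "$issue_line" in
      *"release 5"*) echo centos5 ;;
      *"release 6"*) echo centos6 ;;
    esac
    return 0
  fi

  issue_line=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
  release_line=$(grep -i "ubuntu" /etc/lsb-release 2>/dev/null)
  if [ -n "$issue_line" ] && [ -n "$release_line" ]; then
    # "Ubuntu 10" is matched as a whole: a bare "Ubuntu" pattern would claim
    # every release and the 12.04/12.10 arms could never fire.
    case "$issue_line" in
      *"Ubuntu 10"*)    echo ubuntu10 ;;
      *"Ubuntu 12.04"*) echo ubuntu1204 ;;
      *"Ubuntu 12.10"*) echo ubuntu1210 ;;
    esac
    return 0
  fi

  issue_line=$(grep -i "debian" /etc/issue 2>/dev/null)
  release_line=$(grep -i "debian" /proc/version 2>/dev/null)
  if [ -n "$issue_line" ] && [ -n "$release_line" ]; then
    case "$issue_line" in
      *"Linux 6"*) echo debian6 ;;
    esac
    return 0
  fi

  # Case-insensitive so the match does not depend on how the release files
  # capitalise "openSUSE".
  issue_line=$(grep -i "opensuse" /etc/issue 2>/dev/null)
  release_line=$(grep -i "opensuse" /etc/*release 2>/dev/null)
  if [ -n "$issue_line" ] && [ -n "$release_line" ]; then
    case "$issue_line" in
      *"13.1"*) echo opensuse131 ;;
    esac
    return 0
  fi

  return 0
}

#######################################
# Abort with an error message. Defined but not used by the flow below.
# Arguments: $1 - name of the step that failed
# Globals:   LOCKfile (removed)
# Returns:   exits 1
#######################################
exit_script() {
  echo -e "\033[1;40;31mInstall $1 error,will exit.\n\033[0m"
  rm -f -- "$LOCKfile"
  exit 1
}

#######################################
# Insert OUTPUT-chain DROP rules at the top of the filter table and print
# the resulting ruleset. Rules are inserted, not saved.
# Globals:   TCP_PORTS_A, TCP_PORTS_B (read)
#######################################
config_iptables() {
  iptables -I OUTPUT 1 -p tcp -m multiport --dports "$TCP_PORTS_A" -j DROP
  iptables -I OUTPUT 2 -p tcp -m multiport --dports "$TCP_PORTS_B" -j DROP
  iptables -I OUTPUT 3 -p udp -j DROP
  iptables -nvL
}

#######################################
# Same policy expressed as ufw deny rules, then print ufw status.
# Globals:   TCP_PORTS_A, TCP_PORTS_B (read)
#######################################
ubuntu_config_ufw() {
  ufw deny out proto tcp to any port "$TCP_PORTS_A"
  ufw deny out proto tcp to any port "$TCP_PORTS_B"
  ufw deny out proto udp to any
  ufw status
}

###################
#Start
###################
# Check the lock file: one run at a time.
# NOTE(review): the marker name is predictable and /tmp is world-writable, so
# any local user can pre-create it and keep the script from running; a
# root-only directory would be a safer home for it.
LOCKfile=/tmp/.$(basename "$0")
if [ -f "$LOCKfile" ]; then
  echo -e "\033[1;40;31mThe script is already exist,please next time to run this script.\n\033[0m"
  exit
fi
echo -e "\033[40;32mStep 1.No lock file,begin to create lock file and continue.\n\033[40;37m"
touch "$LOCKfile"
# Remove the marker on every exit path, so an interrupted run does not leave
# a stale lock that blocks the next one.
trap 'rm -f -- "$LOCKfile"' EXIT

# Check the user: iptables/ufw changes need root.
if [ "$(id -u)" != "0" ]; then
  echo -e "\033[1;40;31mError:You must be root to run this script,please use root to execute this script.\n\033[0m"
  exit 1
fi

echo -e "\033[40;32mStep 2.Begen to check the OS issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ -z "$os_release" ]; then
  echo -e "\033[1;40;31mThe OS does not identify,so this script is not executede.\n\033[0m"
  exit 0
fi
echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"

echo -e "\033[40;32mStep 3.Begen to config firewall.\n\033[40;37m"
case "$os_release" in
  redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
    service iptables start
    config_iptables
    ;;
  debian6)
    config_iptables
    ;;
  ubuntu10|ubuntu1204|ubuntu1210)
    # ufw enable asks for confirmation; answer it from the here-doc.
    ufw enable <<EOF
y
EOF
    ubuntu_config_ufw
    ;;
  opensuse131)
    config_iptables
    ;;
esac
echo -e "\033[40;32mConfig firewall success,this script now exit!\n\033[40;37m"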
The above files can be downloaded to the machine for direct execution.
Set Iptables to restrict access
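# Replace the INPUT chain with a small allow-list and save it.
# Order matters: the policy is set to ACCEPT before flushing and to DROP only
# after the allow rules (including ESTABLISHED) are in place, so an existing
# SSH session survives the rebuild. FORWARD and OUTPUT are left untouched.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# ICMP type 8 = echo request, so the host stays pingable.
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# RELATED is included so ICMP errors tied to the host's own connections
# (e.g. fragmentation-needed for path-MTU discovery) are not dropped.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -P INPUT DROP
# Persist to /etc/sysconfig/iptables so the ruleset is reloaded at boot.
service iptables save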
The above script only needs to be executed once: its configuration is saved to /etc/sysconfig/iptables and is reloaded after each system restart.