The security setup steps for an Aliyun CentOS server are as follows.
1. Enable all Cloud Shield services
2. Restrict outbound scanning with a firewall policy
Download the script matching your server's operating system and run it. Afterwards the firewall policy blocks outbound packets to the listed ports, so that the host cannot send malicious traffic, which buys you enough time to do a follow-up data backup. Note that the Linux script drops outbound TCP to 22, 53, 80, 443 and others and all outbound UDP, so name resolution, yum and outbound SSH from the host will fail until the rules are removed; this is the intended containment state for a compromised host, not a permanent configuration.
Windows 2003 batch file download address: Http://oss.aliyuncs.com/aliyunecs/windows2003_drop_port.bat
Windows 2008 batch file download address: Http://oss.aliyuncs.com/aliyunecs/windows2008_drop_port.bat
Linux system script: http://oss.aliyuncs.com/aliyunecs/linux_drop_port.sh
The files can be downloaded to the machine and executed directly. The download is over plain HTTP and the script runs as root, so read it before executing it; the contents of the Linux script are reproduced below for comparison:
#!/bin/bash
#########################################
#Function:    linux drop port
#Usage:       bash linux_drop_port.sh
#Author:      customer service department
#Company:     alibaba cloud computing
#Version:     2.0
#########################################

# Identify the distribution from its release files. Prints one of
# redhat5 redhat6 aliyun5 aliyun6 centos5 centos6 ubuntu10 ubuntu1204
# ubuntu1210 debian6 opensuse131, or an empty string if unrecognised.
check_os_release()
{
    while true
    do
        os_release=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
        os_release_2=$(grep "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]; then
            if echo "$os_release" | grep "release 5" >/dev/null 2>&1; then
                os_release=redhat5
            elif echo "$os_release" | grep "release 6" >/dev/null 2>&1; then
                os_release=redhat6
            else
                os_release=""
            fi
            echo "$os_release"
            break
        fi
        os_release=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
        os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]; then
            if echo "$os_release" | grep "release 5" >/dev/null 2>&1; then
                os_release=aliyun5
            elif echo "$os_release" | grep "release 6" >/dev/null 2>&1; then
                os_release=aliyun6
            else
                os_release=""
            fi
            echo "$os_release"
            break
        fi
        os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
        os_release_2=$(grep "CentOS release" /etc/*release 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]; then
            if echo "$os_release" | grep "release 5" >/dev/null 2>&1; then
                os_release=centos5
            elif echo "$os_release" | grep "release 6" >/dev/null 2>&1; then
                os_release=centos6
            else
                os_release=""
            fi
            echo "$os_release"
            break
        fi
        os_release=$(grep -i "Ubuntu" /etc/issue 2>/dev/null)
        os_release_2=$(grep -i "Ubuntu" /etc/lsb-release 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]; then
            if echo "$os_release" | grep "Ubuntu 10" >/dev/null 2>&1; then
                os_release=ubuntu10
            elif echo "$os_release" | grep "Ubuntu 12.04" >/dev/null 2>&1; then
                os_release=ubuntu1204
            elif echo "$os_release" | grep "Ubuntu 12.10" >/dev/null 2>&1; then
                os_release=ubuntu1210
            else
                os_release=""
            fi
            echo "$os_release"
            break
        fi
        os_release=$(grep -i "Debian" /etc/issue 2>/dev/null)
        os_release_2=$(grep -i "Debian" /proc/version 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]; then
            if echo "$os_release" | grep "Linux 6" >/dev/null 2>&1; then
                os_release=debian6
            else
                os_release=""
            fi
            echo "$os_release"
            break
        fi
        os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
        os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]; then
            if echo "$os_release" | grep "13.1" >/dev/null 2>&1; then
                os_release=opensuse131
            else
                os_release=""
            fi
            echo "$os_release"
            break
        fi
        break
    done
}

# Defined for error handling but not called anywhere in this version.
exit_script()
{
    echo -e "\033[1;40;31mInstall $1 Error,will exit.\n\033[0m"
    rm -f $LOCKfile
    exit 1
}

# Block outbound TCP to common service ports and all outbound UDP (iptables hosts).
config_iptables()
{
    iptables -I OUTPUT 1 -p tcp -m multiport --dport 21,22,23,25,53,80,135,139,443,445 -j DROP
    iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 -j DROP
    iptables -I OUTPUT 3 -p udp -j DROP
    iptables -nvL
}

# The same policy expressed with ufw for the Ubuntu releases.
ubuntu_config_ufw()
{
    ufw deny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
    ufw deny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
    ufw deny out proto udp to any
    ufw status
}

###################Start###################
#check lock file ,one time only let the script run one time
LOCKfile=/tmp/.$(basename $0)
if [ -f "$LOCKfile" ]; then
    echo -e "\033[1;40;31mThe script is already exist,please next time to run this script.\n\033[0m"
    exit
else
    echo -e "\033[40;32mStep 1.No lock file,begin to create lock file and continue.\n\033[40;37m"
    touch $LOCKfile
fi

#check user
if [ $(id -u) != "0" ]; then
    echo -e "\033[1;40;31mError: You must be root to run this script,please use root to execute this script.\n\033[0m"
    rm -f $LOCKfile
    exit 1
fi

echo -e "\033[40;32mStep 2.Begin to check the OS issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ "X$os_release" == "X" ]; then
    echo -e "\033[1;40;31mThe OS does not identify,so this script is not executed.\n\033[0m"
    rm -f $LOCKfile
    exit 0
else
    echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"
fi

echo -e "\033[40;32mStep 3.Begin to config firewall.\n\033[40;37m"
case "$os_release" in
    redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
        service iptables start
        config_iptables
        ;;
    debian6)
        config_iptables
        ;;
    ubuntu10|ubuntu1204|ubuntu1210)
        ufw enable <<EOF
y
EOF
        ubuntu_config_ufw
        ;;
    opensuse131)
        config_iptables
        ;;
esac
echo -e "\033[40;32mConfig firewall success,this script now exit!\n\033[40;37m"
rm -f $LOCKfile
3. Set up iptables to restrict inbound access
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -P INPUT DROP
service iptables save
The commands above are run once after each (re)installation of the system; the last one saves the configuration to /etc/sysconfig/iptables, which is loaded again at boot.
This step follows "Aliyun CentOS configuring the iptables firewall": http://www.111cn.net/sys/linux/85675.htm
Because the machine is used as a web server, port 80 is opened externally, and since the server must be managed over SSH, port 22 is opened as well. It is best to move SSH off its default port: on the public network plenty of people will be trying to brute-force the password. If you do change the port, remember to open the new port in the firewall too, otherwise you lock yourself out. The configuration rules are explained in detail below:
Step one: clear all rules
If /sbin/iptables -F is executed while chain INPUT has policy DROP, you disconnect yourself from the server: the flush removes the ACCEPT rules but leaves the DROP policy in place.
So before clearing everything, set the INPUT policy to ACCEPT to prevent that tragedy; be careful here.
/sbin/iptables -P INPUT ACCEPT
Clear all rules:
/sbin/iptables -F
/sbin/iptables -X
Zero the counters:
/sbin/iptables -Z
Step two: set the rules
Allow packets on the lo interface; without this rule local services cannot be reached via 127.0.0.1, e.g. ping 127.0.0.1:
/sbin/iptables -A INPUT -i lo -j ACCEPT
Open TCP port 22 so that you can SSH in; if you connect from a fixed IP, add -s to restrict the client address:
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Open TCP port 80 to provide the web service externally:
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
10.241.121.15 is the intranet IP of another server that this one communicates with, so all TCP from 10.241.121.15 is accepted:
/sbin/iptables -A INPUT -p tcp -s 10.241.121.15 -j ACCEPT
Accept ping (ICMP echo request):
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
The following rule is explained at http://www.netingcn.com/iptables-localhost-not-access-internet.html: it accepts packets that belong to connections already established, which is what lets replies to the server's own outbound connections (DNS lookups, yum and so on) through the DROP policy below. It is commonly written as --state ESTABLISHED,RELATED so that related traffic such as ICMP errors is accepted as well:
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
Drop everything not matched by the rules above. This is indispensable; without it the firewall filters nothing:
/sbin/iptables -P INPUT DROP
You can use iptables -L -n to check whether the rules took effect.
At this point the firewall is configured, but only temporarily: restarting the iptables service or the machine clears the configuration. To make it permanent, run:
/etc/init.d/iptables save
or
service iptables save
After running this command you can see the configuration in the file /etc/sysconfig/iptables.
The following is a clean configuration script:
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 10.241.121.15 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -P INPUT DROP
Finally, to make sure the SSH connection survives: if a rule error leaves the server unreachable, the rules have not been saved yet, so restarting the server (from the console) clears them; otherwise the only remedy would be a trip to the server room to fix the rules. Verify from a second SSH session before running service iptables save. See also: writing an Ubuntu iptables configuration script.
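The procedure above relies on "set ACCEPT, flush, add rules, set DROP" and on an unsaved ruleset as its only safety net. The script below is an added example, not part of the original article: it expresses the same step-3 policy in iptables-save format so that iptables-restore loads it in a single commit (no moment in which INPUT is DROP with the rules flushed), refuses to load a set that has no SSH accept rule, and arms a rollback timer that restores the previous rules unless you confirm from a fresh login. The BACKUP and ROLLBACK_PID_FILE paths and the default values are assumptions for the example; the peer IP is the one the article uses.

```shell
#!/bin/bash
# Added example (not from the original article): load the step-3 INPUT ruleset
# atomically with iptables-restore and arm a rollback timer so that a wrong
# rule cannot lock you out. Paths and defaults below are assumptions.
set -u

SSH_PORT="${SSH_PORT:-22}"
WEB_PORT="${WEB_PORT:-80}"
PEER_IP="${PEER_IP:-10.241.121.15}"
ROLLBACK_SECS="${ROLLBACK_SECS:-90}"
BACKUP="${BACKUP:-/root/iptables.before-change}"
ROLLBACK_PID_FILE="${ROLLBACK_PID_FILE:-/var/run/iptables-rollback.pid}"

# build_ruleset SSH_PORT WEB_PORT PEER_IP: the article's rules in iptables-save
# format. iptables-restore replaces the whole filter table in one commit, so
# the DROP policy and the ACCEPT rules take effect together.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $1 -j ACCEPT
-A INPUT -p tcp --dport $2 -j ACCEPT
-A INPUT -p tcp -s $3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
}

# ruleset_allows_tcp PORT: succeeds if the ruleset on stdin accepts TCP to PORT.
ruleset_allows_tcp() {
  grep -q -- "-p tcp --dport $1 -j ACCEPT"
}

# apply_with_rollback: save the live rules, load the new set, and schedule the
# old set to be restored unless confirm_rules runs within ROLLBACK_SECS.
apply_with_rollback() {
  local new
  new=$(build_ruleset "$SSH_PORT" "$WEB_PORT" "$PEER_IP")
  if ! printf '%s\n' "$new" | ruleset_allows_tcp "$SSH_PORT"; then
    echo "refusing to load a ruleset that does not accept SSH on $SSH_PORT" >&2
    return 1
  fi
  iptables-save > "$BACKUP" || return 1
  if ! printf '%s\n' "$new" | iptables-restore; then
    echo "iptables-restore rejected the ruleset; live rules unchanged" >&2
    return 1
  fi
  # nohup: the timer must survive this SSH session dying if we did lock ourselves out.
  nohup sh -c "sleep $ROLLBACK_SECS && iptables-restore < '$BACKUP'" >/dev/null 2>&1 &
  echo $! > "$ROLLBACK_PID_FILE"
  echo "rules loaded; open a NEW ssh session and run '$0 confirm' within ${ROLLBACK_SECS}s, or they roll back"
}

# confirm_rules: cancel the pending rollback and persist to /etc/sysconfig/iptables.
confirm_rules() {
  kill "$(cat "$ROLLBACK_PID_FILE")" 2>/dev/null
  rm -f "$ROLLBACK_PID_FILE"
  service iptables save
}

case "${1:-}" in
  show)    build_ruleset "$SSH_PORT" "$WEB_PORT" "$PEER_IP" ;;
  apply)   apply_with_rollback ;;
  confirm) confirm_rules ;;
esac
```

Run it as root with `show` to review the generated set, `apply` to load it, and then `confirm` from a second SSH session that you open after the change; if that login fails, do nothing and the old rules come back by themselves after the timer expires.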
4. Commonly used network monitoring commands
(1) netstat -tunl: show all listening ports
[root@ay1407041017110375bbz ~]# netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
Here "ip" stands for the host's own addresses, and port 123 is the NTP service.
(2) netstat -tunp: show all active network connections with their PID and program name.
[root@ay1407041017110375bbz ~]# netstat -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0        ip:22                   221.176.33.126:52699    ESTABLISHED 926/sshd
tcp        0      0 ip:34385                42.156.166.25:80        ESTABLISHED 1003/AEGIS_CLI
From this output you can kill a process if necessary, for example:
kill -9 1003
Check what the PID belongs to first (ps -fp 1003): in this listing 1003 is AEGIS_CLI, the client of the Aliyun Cloud Shield (Aegis) host agent enabled in step 1, and killing it would disable that protection. Prefer a plain kill (SIGTERM) over -9 where the process can shut down cleanly.
(3) netstat -tunlp: the listening sockets together with the PID and program name (the two commands above combined).
(4) Common netstat options:
-t: TCP sockets
-u: UDP sockets
-l, --listening: show only listening sockets (these are omitted by default).
-p, --program: show the PID and name of the program to which each socket belongs.
-n, --numeric: show numerical addresses instead of trying to determine symbolic host, port or user names.
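Reading netstat output by eye works for a handful of sockets; the script below is an added example, not from the original article, that turns the listening-port check into a repeatable audit: it parses netstat -tunlp output, ignores loopback-only sockets, and reports every listener whose port is not on the allowlist for this web server (SSH, HTTP, NTP, as in the article). The sample output embedded in it is constructed for the example; the PIDs, the redis and java listeners and the program names are made up, not taken from the article's host.

```shell
#!/bin/bash
# Added example, not part of the original article: check the listening sockets
# reported by netstat -tunlp against the ports this host is supposed to expose.
set -u

# Constructed sample of netstat -tunlp output (made up for the example).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      926/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1120/nginx
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1534/redis-server
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1602/mysqld
tcp        0      0 :::8080                 :::*                    LISTEN      1710/java
udp        0      0 0.0.0.0:123             0.0.0.0:*                           870/ntpd'

# Ports a web server built as in the article should expose: SSH, HTTP, NTP.
ALLOWED_PORTS="22 80 123"

# unexpected_listeners ALLOWED_PORTS  (netstat -tunlp text on stdin)
# Prints "proto local-address pid/program" for every listening socket bound to
# a non-loopback address whose port is not in ALLOWED_PORTS. Sockets on
# 127.0.0.1 or ::1 are skipped because they are not reachable from outside.
unexpected_listeners() {
  awk -v allow=" $1 " '
    $1 ~ /^(tcp|udp)6?$/ {
      n = split($4, a, ":")                          # port is the last field,
      port = a[n]                                    # also for IPv6 ":::8080"
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "::1") next
      if (index(allow, " " port " ") > 0) next
      print $1, $4, $NF                              # $NF is PID/Program name
    }'
}

# audit_live: run the check on the real host (root is needed for the PID column).
audit_live() {
  netstat -tunlp 2>/dev/null | unexpected_listeners "$ALLOWED_PORTS"
}

case "${1:-}" in
  sample) printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOWED_PORTS" ;;
  live)   audit_live ;;
esac
```

On the sample data the report lists only the redis and java listeners, since mysqld is bound to loopback and the other ports are expected. Anything it prints on a live host is either a service to add to ALLOWED_PORTS deliberately or something to investigate with ps -fp on the reported PID.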
5. Change the SSH listening port
(1) Edit /etc/ssh/sshd_config: change the original
Port 22
to
Port 44
Before restarting sshd, open the new port in iptables (step 3 only allowed 22 and 80), otherwise the INPUT DROP policy makes sshd on port 44 unreachable; keep the current session open until a login on the new port succeeds. On a CentOS host with SELinux enforcing, the non-standard port must also be permitted for sshd.
(2) Restart the service
/etc/init.d/sshd restart
(3) Check the result
netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:44              0.0.0.0:*               LISTEN
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 ip:123                  0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
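The three steps above are easy to get wrong in the order that matters: the firewall must admit the new port before sshd moves, and a typo in sshd_config must be caught before the restart, or the next login fails. The script below is an added example, not the article's own procedure, that does the change in that order on a CentOS 6 host with the sysconfig service scripts the article uses: it rewrites the Port directive without leaving the commented default behind, validates the file with sshd -t, and only then restarts and verifies with netstat. SSHD_CONFIG and the backup naming are assumptions for the example.

```shell
#!/bin/bash
# Added example, not the article's own steps: move sshd to a new port safely.
# Open the firewall first, validate with sshd -t before restarting, and keep
# the current session open until a login on the new port works.
set -u

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# current_sshd_port CONFIG: the active Port directive, or sshd's default 22.
current_sshd_port() {
  awk '$1 == "Port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# set_sshd_port CONFIG PORT: rewrite the first active "Port" line; if there is
# none, turn the commented "#Port 22" default into the new setting; if that is
# missing too, append one. Keeps the file's mode by writing in place.
set_sshd_port() {
  local cfg="$1" port="$2" key
  if grep -q '^Port[[:space:]]' "$cfg"; then key="Port"; else key="#Port"; fi
  awk -v port="$port" -v key="$key" '
    $1 == key && !done { print "Port " port; done = 1; next }
    { print }
    END { if (!done) print "Port " port }' "$cfg" > "$cfg.tmp" \
    && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# change_ssh_port PORT: the full procedure, run as root on the live host.
change_ssh_port() {
  local port="$1" old
  old=$(current_sshd_port "$SSHD_CONFIG")
  # 1. Admit the new port BEFORE sshd moves, or the article's INPUT DROP
  #    policy blocks the next login.
  iptables -I INPUT -p tcp --dport "$port" -j ACCEPT || return 1
  # 2. Back up, edit, and let sshd parse the result before restarting.
  cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%s)"
  set_sshd_port "$SSHD_CONFIG" "$port"
  if ! sshd -t; then
    echo "sshd -t rejected the new config; restoring Port $old" >&2
    set_sshd_port "$SSHD_CONFIG" "$old"
    return 1
  fi
  # With SELinux enforcing, sshd also needs the port labelled, e.g.:
  #   semanage port -a -t ssh_port_t -p tcp "$port"
  /etc/init.d/sshd restart || return 1
  # 3. Verify the new listener, as the article does with netstat -tunl.
  if ! netstat -tunl | grep -q ":$port "; then
    echo "sshd is not listening on $port" >&2
    return 1
  fi
  echo "log in on port $port from a second terminal; only then remove the port $old rule and run: service iptables save"
}

case "${1:-}" in
  change) change_ssh_port "${2:?usage: $0 change PORT}" ;;
esac
```

After a successful login on the new port, delete the old ACCEPT rule for port 22 and run service iptables save so that both the sshd change and the firewall rule survive a reboot.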