通過防火牆策略限制對外掃描行為
請您根據您的伺服器作業系統,下載對應的指令碼運行,運行後您的防火牆策略會封鎖對外發包的行為,確保您的主機不會再出現惡意發包的情況,為您進行後續資料備份操作提供足夠的時間。
Window2003的批次檔
@rem 配置windows2003系統的IP安全性原則@rem version 3.0 time:2014-5-12netsh ipsec static add policy name=dropnetsh ipsec static add filterlist name=drop_portnetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=21 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=22 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=23 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=25 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=53 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=80 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=135 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=139 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=443 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=445 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1314 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1433 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1521 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=2222 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3306 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3433 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3389 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=4899 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=8080 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=18186 protocol=TCP mirrored=nonetsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any protocol=UDP mirrored=nonetsh ipsec static add filteraction name=denyact action=blocknetsh ipsec static add rule name=kill policy=drop filterlist=drop_port filteraction=denyactnetsh ipsec static set policy name=drop assign=y
Window2008的批次檔
@rem 配置windows2008系統的IP安全性原則@rem version 3.0 time:2014-5-12@rem 重設防火牆使用預設規則netsh firewall resetnetsh firewall set service remotedesktop enable all@rem 配置進階windows防火牆netsh advfirewall firewall add rule name="drop" protocol=TCP dir=out remoteport="21,22,23,25,53,80,135,139,443,445,1433,1314,1521,2222,3306,3433,3389,4899,8080,18186" action=blocknetsh advfirewall firewall add rule name="dropudp" protocol=UDP dir=out remoteport=any action=block
Linux系統指令碼
#!/bin/bash##########################################Function: linux drop port#Usage: bash linux_drop_port.sh#Author: Customer Service Department#Company: Alibaba Cloud Computing#Version: 2.0######################################### check_os_release(){ while true do os_release=$(grep "Red Hat Enterprise Linux Server release"/etc/issue 2>/dev/null) os_release_2=$(grep "Red Hat Enterprise Linux Server release"/etc/redhat-release 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "release 5" >/dev/null2>&1 then os_release=redhat5 echo "$os_release" elif echo "$os_release"|grep "release 6">/dev/null 2>&1 then os_release=redhat6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep "Aliyun Linux release" /etc/issue2>/dev/null) os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "release 5" >/dev/null2>&1 then os_release=aliyun5 echo "$os_release" elif echo "$os_release"|grep "release 6">/dev/null 2>&1 then os_release=aliyun6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep "CentOS release" /etc/issue 2>/dev/null) os_release_2=$(grep "CentOS release" /etc/*release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "release 5" >/dev/null2>&1 then os_release=centos5 echo "$os_release" elif echo "$os_release"|grep "release 6">/dev/null 2>&1 then os_release=centos6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null) os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "Ubuntu 10" >/dev/null2>&1 then os_release=ubuntu10 echo "$os_release" elif echo "$os_release"|grep "Ubuntu 12.04">/dev/null 2>&1 then os_release=ubuntu1204 echo "$os_release" elif echo "$os_release"|grep "Ubuntu 12.10">/dev/null 2>&1 then os_release=ubuntu1210 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep -i "debian" /etc/issue 2>/dev/null) os_release_2=$(grep -i "debian" /proc/version 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "Linux 6" >/dev/null2>&1 then os_release=debian6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep "openSUSE" /etc/issue 2>/dev/null) os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep"13.1" >/dev/null 2>&1 then os_release=opensuse131 echo "$os_release" else os_release="" echo "$os_release" fi break fi break done} exit_script(){ echo -e "\033[1;40;31mInstall $1 error,will exit.\n\033[0m" rm-f $LOCKfile exit 1} config_iptables(){ iptables -I OUTPUT 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j DROP iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j DROP iptables -I OUTPUT 3 -p udp -j DROP iptables -nvL} ubuntu_config_ufw(){ ufwdeny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445 ufwdeny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 ufwdeny out proto udp to any ufwstatus} ####################Start####################check lock file ,one time only let thescript run one timeLOCKfile=/tmp/.$(basename $0)if [ -f "$LOCKfile" ]then echo -e "\033[1;40;31mThe script is already exist,please next timeto run this script.\n\033[0m" exitelse echo -e "\033[40;32mStep 1.No lock file,begin to create lock fileand continue.\n\033[40;37m" touch $LOCKfilefi #check userif [ $(id -u) != "0" ]then echo -e "\033[1;40;31mError: You must be root to run this script,please use root to execute this script.\n\033[0m" rm-f $LOCKfile exit 1fi echo -e "\033[40;32mStep 2.Begen tocheck the OS issue.\n\033[40;37m"os_release=$(check_os_release)if [ "X$os_release" =="X" ]then echo -e "\033[1;40;31mThe OS does not identify,So this script isnot executede.\n\033[0m" rm-f $LOCKfile exit 0else echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"fi echo -e "\033[40;32mStep 3.Begen toconfig firewall.\n\033[40;37m"case "$os_release" inredhat5|centos5|redhat6|centos6|aliyun5|aliyun6) service iptables start config_iptables ;;debian6) config_iptables ;;ubuntu10|ubuntu1204|ubuntu1210) ufwenable <<EOFyEOF ubuntu_config_ufw ;;opensuse131) config_iptables ;;esac echo -e "\033[40;32mConfig firewallsuccess,this script now exit!\n\033[40;37m"rm -f $LOCKfile
上述檔案下載到機器內部直接執行即可。
設定iptables,限制訪問
/sbin/iptables -P INPUT ACCEPT/sbin/iptables -F/sbin/iptables -X/sbin/iptables -Z/sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT/sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT/sbin/iptables -P INPUT DROP service iptables save
以上指令碼,在每次重裝完系統後執行一次即可,其配置會儲存至/etc/sysconfig/iptables
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
