阿里云windows服务器安全设置(防火墙策略)

通过防火墙策略限制对外扫描行为

请您根据您的服务器操作系统,下载对应的脚本运行,运行后您的防火墙策略会封禁对外发包的行为,确保您的主机不会再出现恶意发包的情况,为您进行后续数据备份操作提供足够的时间。

Window2003的批处理文件

@rem 配置windows2003系统的IP安全策略
@rem version 3.0 time:2014-5-12

netsh ipsec static add policy name=drop
netsh ipsec static add filterlist name=drop_port
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=21 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=22 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=23 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=25 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=53 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=80 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=135 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=139 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=443 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=445 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1314 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1433 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1521 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=2222 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3306 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3433 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3389 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=4899 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=8080 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=18186 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any protocol=UDP mirrored=no
netsh ipsec static add filteraction name=denyact action=block
netsh ipsec static add rule name=kill policy=drop filterlist=drop_port filteraction=denyact
netsh ipsec static set policy name=drop assign=y

Window2008的批处理文件

@rem 配置windows2008系统的IP安全策略
@rem version 3.0 time:2014-5-12

@rem 重置防火墙使用默认规则
netsh firewall reset
netsh firewall set service remotedesktop enable all

@rem 配置高级windows防火墙
netsh advfirewall firewall add rule name="drop" protocol=TCP dir=out remoteport="21,22,23,25,53,80,135,139,443,445,1433,1314,1521,2222,3306,3433,3389,4899,8080,18186" action=block
netsh advfirewall firewall add rule name="dropudp" protocol=UDP dir=out remoteport=any action=block

Linux系统脚本

#!/bin/bash
#########################################
#Function:  linux drop port
#Usage:    bash linux_drop_port.sh
#Author:   Customer Service Department
#Company:   Alibaba Cloud Computing
#Version:   2.0
#########################################

check_os_release()
{
 while true
 do
  os_release=$(grep "Red Hat Enterprise Linux Server release"/etc/issue 2>/dev/null)
  os_release_2=$(grep "Red Hat Enterprise Linux Server release"/etc/redhat-release 2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep "release 5" >/dev/null2>&1
   then
    os_release=redhat5
    echo "$os_release"
   elif echo "$os_release"|grep "release 6">/dev/null 2>&1
   then
    os_release=redhat6
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  os_release=$(grep "Aliyun Linux release" /etc/issue2>/dev/null)
  os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep "release 5" >/dev/null2>&1
   then
    os_release=aliyun5
    echo "$os_release"
   elif echo "$os_release"|grep "release 6">/dev/null 2>&1
   then
    os_release=aliyun6
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
  os_release_2=$(grep "CentOS release" /etc/*release2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep "release 5" >/dev/null2>&1
   then
    os_release=centos5
    echo "$os_release"
   elif echo "$os_release"|grep "release 6">/dev/null 2>&1
   then
    os_release=centos6
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
  os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep "Ubuntu 10" >/dev/null2>&1
   then
    os_release=ubuntu10
    echo "$os_release"
   elif echo "$os_release"|grep "Ubuntu 12.04">/dev/null 2>&1
   then
    os_release=ubuntu1204
    echo "$os_release"
   elif echo "$os_release"|grep "Ubuntu 12.10">/dev/null 2>&1
   then
    os_release=ubuntu1210
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
  os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep "Linux 6" >/dev/null2>&1
   then
    os_release=debian6
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
  os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]
  then
   if echo "$os_release"|grep"13.1" >/dev/null 2>&1
   then
    os_release=opensuse131
    echo "$os_release"
   else
    os_release=""
    echo "$os_release"
   fi
   break
  fi
  break
  done
}

exit_script()
{
 echo -e "\033[1;40;31mInstall $1 error,will exit.\n\033[0m"
 rm-f $LOCKfile
 exit 1
}

config_iptables()
{
 iptables -I OUTPUT 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j DROP
 iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j DROP
 iptables -I OUTPUT 3 -p udp -j DROP
 iptables -nvL
}

ubuntu_config_ufw()
{
 ufwdeny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
 ufwdeny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
 ufwdeny out proto udp to any
 ufwstatus
}

####################Start###################
#check lock file ,one time only let thescript run one time
LOCKfile=/tmp/.$(basename $0)
if [ -f "$LOCKfile" ]
then
 echo -e "\033[1;40;31mThe script is already exist,please next timeto run this script.\n\033[0m"
 exit
else
 echo -e "\033[40;32mStep 1.No lock file,begin to create lock fileand continue.\n\033[40;37m"
 touch $LOCKfile
fi

#check user
if [ $(id -u) != "0" ]
then
 echo -e "\033[1;40;31mError: You must be root to run this script,please use root to execute this script.\n\033[0m"
 rm-f $LOCKfile
 exit 1
fi

echo -e "\033[40;32mStep 2.Begen tocheck the OS issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ "X$os_release" =="X" ]
then
 echo -e "\033[1;40;31mThe OS does not identify,So this script isnot executede.\n\033[0m"
 rm-f $LOCKfile
 exit 0
else
 echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"
fi

echo -e "\033[40;32mStep 3.Begen toconfig firewall.\n\033[40;37m"
case "$os_release" in
redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
 service iptables start
 config_iptables
 ;;
debian6)
 config_iptables
 ;;
ubuntu10|ubuntu1204|ubuntu1210)
 ufwenable <<EOF
y
EOF
 ubuntu_config_ufw
 ;;
opensuse131)
 config_iptables
 ;;
esac

echo -e "\033[40;32mConfig firewallsuccess,this script now exit!\n\033[40;37m"
rm -f $LOCKfile

上述文件下载到机器内部直接执行即可。

设置iptables,限制访问

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -P INPUT DROP
 service iptables save

以上脚本,在每次重装完系统后执行一次即可,其配置会保存至/etc/sysconfig/iptables

(0)

相关推荐

  • 阿里云windows服务器安全设置(防火墙策略)

    通过防火墙策略限制对外扫描行为 请您根据您的服务器操作系统,下载对应的脚本运行,运行后您的防火墙策略会封禁对外发包的行为,确保您的主机不会再出现恶意发包的情况,为您进行后续数据备份操作提供足够的时间. Window2003的批处理文件 @rem 配置windows2003系统的IP安全策略 @rem version 3.0 time:2014-5-12 netsh ipsec static add policy name=drop netsh ipsec static add filterlis

  • 阿里云linux服务器安全设置(防火墙策略等)

    首先需要进行linux的基础安全设置,可以先参考这篇文章 http://www.jb51.net/article/94842.htm 1.Linux系统脚本 #!/bin/bash ######################################### #Function: linux drop port #Usage: bash linux_drop_port.sh #Author: Customer Service Department #Company: Alibaba Clo

  • 阿里云windows server2019配置FTP服务的完整步骤

    1.在windowsserver菜单中打开服务器管理器 2. 在快速启动仪表盘中选择配置角色服务 3. 直接下一步 4. 选择基于角色或基于功能的安装,下一步 5. 选择要配置ftp服务的服务器,下一步 6. 选择Web服务器下面的选项 7. 功能选项里网上有些帖子说需要选,但是我看没有ftp相关的功能,所以我就没选,直接安装 安装完成后打开windowsserver菜单,选择windows管理工具 打开iis服务 鼠标右键服务器名称,选择添加ftp站点 填写ftp站点名称和服务路径 ip选择未

  • 阿里云Windows 2008一键安装包配置php web环境图文安装教程(IIS+Php+Mysql)

    集成包下载地址: 1.阿里云Windows Server 2008 一键安装Web环境包 x64 2.阿里云Windows Server 2008 一键安装Web环境包 32 集成包版本介绍: IIS7组件.FTP7.php 5.5.7.mysql 5.6.15.phpMyAdmin 4.1.8.phpwind 9.0.ISAPI_Rewrite 安装包: 32位和64位 安装包启动 点击"下一步"后,指定安装目录,默认使用C:\websoft,然后点击"安装".

  • Windows Server 2008配置防火墙策略详解

    目录 什么是防火墙 墙和门卫的区别 Windows Server 2008 防火墙 windows 防火墙配置 如何创建一个定制的入站规则? 什么是防火墙 防火墙一般都是指网络防火墙,是一个位于计算机和它所连接的网络之间的软件.计算机流入流出的所有网络通信均要经过网络防火墙.防火墙对流经它的网络通信进行扫描,这样能够过滤掉一些攻击,以免其在目标计算机上被执行.防火墙还可以关闭不使用的端口.而且它还能禁止特定端口的流出通信.最后,它可以禁止来自特殊站点的访问,从而防止来自不明入侵者的所有通信. 讲

  • 阿里云ECS服务器部署django的方法

    参考 服务器安装的是Centos 系统. uwsgi是使用pip安装的. nginx是使用yum install nginx安装. python 2.7, mysql 5.5使用 yum安装. 它们之间的逻辑关系如下: the web client <-> the web server <-> the socket <-> uwsgi <-> Django uswgi负责从Django拿内容,通过socket传给 web server如nginx, 最后显示

  • 解析阿里云centos7服务器nginx配置及常见问题解答

    前言: 本文参考了jackyzm的博客:https://www.cnblogs.com/jackyzm/p/9600738.html,进行了内容的更新,并请注意这里适用的版本是centos7的版本.并且本文的配置方式曾经在版本8上失败过,因此查看本文前最好先确定服务器的版本. 而关于nginx部分问题的处理,则是参考了文章:http://www.mamicode.com/info-detail-3008792.html进行,其中包括的部分错误如下: 1.make[1]: *** [objs/Ma

  • 阿里云centos7服务器搭建nginx  web服务经验示例

    (1)购买完centos7服务器后,一定要进入阿里云的管理控制台的安全组规则,入方向,添加安全组规则,开放80端口,授权对象填写0.0.0.0/0授权所有ipv4地址.切记,我就是没搞这个,然后各种搞防火墙开80端口,然后浏览器一直还是无法访问. (2)下载安装Nginx: 下载: wget -c https://nginx.org/download/nginx-1.10.1.tar.gz 安装nginx的依赖库: 安装gcc(一般都自带,不需要再安装): yum install gcc-c++

  • 阿里云ecs服务器 修改php上传最大限制的方法

    找到PHP.ini位置,可以通过phpinfo()查看 编辑php vi /etc/php.ini 修改 ①upload_max_filesize 默认2m ②memory_limit  默认128m ③post_max_size 默认8m 修改保存后重启php-fpm和nginx /etc/init.d/php-fpm start /etc/init.d/php-fpm stop /etc/init.d/php-fpm restart /etc/init.d/php-fpm reload se

  • 阿里云ecs服务器中安装部署node.js的步骤

    首先下载了putty用来连接服务器的控制台,还有flashFXP用来上传文件.下面是详细的步骤,一起来看看. 1.下载node.js 下载地址:node.js 千万不要用命令行下载,太慢. 下载完成后上传至服务器. 2.解压 进入到node.js安装包的目录,然后输入命令: tar zxf node-latest.tar.gz 3.编译 进入解压后的文件夹 输入命令: ./configure 多等一会 再输入命令: make 4.安装 命令: make install 再等一会. 结束后,输入

随机推荐