阿里云linux服務器安全設置(防火墻策略等)

          2024-2-3 / 0 評論 / 1811 閱讀

              首先需要進行linux的基礎安全設置

              1、Linux系統腳本

          #!/bin/bash
          #########################################
          #Function: linux drop port
          #Usage:  bash linux_drop_port.sh
          #Author:  Customer Service Department
          #Company:  Alibaba Cloud Computing
          #Version:  2.0
          #########################################
           
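          #######################################
          # Helper for check_os_release: succeed when PATTERN occurs in both
          # FILE1 and FILE2, printing the matching line(s) of FILE1.
          # Arguments: [-i] - match case-insensitively
          #            $1 - grep pattern
          #            $2 - first file (its matching lines are printed)
          #            $3 - second file; may be a glob such as /etc/*release
          # Outputs:   matching lines of $2 on stdout
          # Returns:   0 when both files match, 1 otherwise
          #######################################
          _match_release_files()
          {
            local -a opts=()
            if [[ "$1" == "-i" ]]; then
              opts=(-i)
              shift
            fi
            local pattern=$1 first=$2 second=$3
            local matched
            matched=$(grep "${opts[@]}" -- "$pattern" "$first" 2>/dev/null) || return 1
            # $second is expanded unquoted on purpose so a glob can name several
            # release files; when nothing matches the literal name is passed and
            # grep fails, which is the wanted result.
            # shellcheck disable=SC2086
            grep "${opts[@]}" -q -- "$pattern" $second 2>/dev/null || return 1
            printf '%s\n' "$matched"
          }

          #######################################
          # Identify the distribution and release this script knows how to
          # configure. Prints one of redhat5 redhat6 aliyun5 aliyun6 centos5
          # centos6 ubuntu10 ubuntu1204 ubuntu1210 debian6 opensuse131, or an
          # empty result when the OS is not one of those; the caller treats an
          # empty result as "unsupported" and stops.
          # A family is only accepted when /etc/issue and the family's release
          # file both match. Note that only these old releases are recognised;
          # any newer release of the same family yields the empty result.
          # Globals:   none (reads /etc/issue and the release files only)
          # Outputs:   release tag on stdout
          # Returns:   0 always
          #######################################
          check_os_release()
          {
            local issue
            if issue=$(_match_release_files "Red Hat Enterprise Linux Server release" /etc/issue /etc/redhat-release); then
              case "$issue" in
                *"release 5"*) echo redhat5 ;;
                *"release 6"*) echo redhat6 ;;
                *) echo "" ;;
              esac
            elif issue=$(_match_release_files "Aliyun Linux release" /etc/issue /etc/aliyun-release); then
              case "$issue" in
                *"release 5"*) echo aliyun5 ;;
                *"release 6"*) echo aliyun6 ;;
                *) echo "" ;;
              esac
            elif issue=$(_match_release_files "CentOS release" /etc/issue "/etc/*release"); then
              case "$issue" in
                *"release 5"*) echo centos5 ;;
                *"release 6"*) echo centos6 ;;
                *) echo "" ;;
              esac
            elif issue=$(_match_release_files -i ubuntu /etc/issue /etc/lsb-release); then
              case "$issue" in
                *"Ubuntu 10"*) echo ubuntu10 ;;
                *"Ubuntu 12.04"*) echo ubuntu1204 ;;
                *"Ubuntu 12.10"*) echo ubuntu1210 ;;
                *) echo "" ;;
              esac
            elif issue=$(_match_release_files -i debian /etc/issue /proc/version); then
              case "$issue" in
                *"Linux 6"*) echo debian6 ;;
                *) echo "" ;;
              esac
            elif issue=$(_match_release_files openSUSE /etc/issue "/etc/*release"); then
              case "$issue" in
                *13.1*) echo opensuse131 ;;
                *) echo "" ;;
              esac
            fi
            return 0
          }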
           
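          #######################################
          # Abort after a failed step: report the failing component, drop the
          # lock file and exit non-zero.
          # Globals:   LOCKfile (read) - lock file to remove; ignored when unset
          # Arguments: $1 - name of the component whose installation failed
          # Outputs:   red error message on stderr
          # Returns:   never returns; exits with status 1
          #######################################
          exit_script()
          {
            printf '\033[1;40;31mInstall %s error,will exit.\n\033[0m\n' "$1" >&2
            [[ -n "${LOCKfile:-}" ]] && rm -f -- "$LOCKfile"
            exit 1
          }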
           
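          #######################################
          # Insert OUTPUT rules that drop outbound TCP to two fixed port lists
          # and all outbound UDP, then print the resulting rule set.
          # The port lists (file sharing, remote administration, databases, plus
          # web/mail/DNS) suggest the goal is to stop a compromised host from
          # reaching other machines — confirm with the script's owner.
          # Side effects to be aware of: tcp/53 and every UDP port are dropped,
          # so name resolution and package updates stop working while the rules
          # are active; the rules are inserted live and never saved, so they do
          # not survive a reboot.
          # Globals:   none
          # Outputs:   iptables -nvL listing on stdout
          # Returns:   status of the last iptables call
          #######################################
          config_iptables()
          {
            local -r tcp_ports_1=21,22,23,25,53,80,135,139,443,445
            local -r tcp_ports_2=1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
            # -I with an explicit position keeps the three rules ahead of any
            # rule already in OUTPUT, in this order.
            iptables -I OUTPUT 1 -p tcp -m multiport --dports "$tcp_ports_1" -j DROP
            iptables -I OUTPUT 2 -p tcp -m multiport --dports "$tcp_ports_2" -j DROP
            iptables -I OUTPUT 3 -p udp -j DROP
            iptables -nvL
          }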
           
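          #######################################
          # ufw equivalent of config_iptables: deny outbound TCP to the same
          # two port lists and all outbound UDP, then show the ufw status.
          # As with the iptables variant, outbound DNS (tcp/53 and all UDP) is
          # blocked, so name resolution stops working. ufw persists its rules
          # itself, so these survive a reboot.
          # Globals:   none
          # Outputs:   ufw status on stdout
          # Returns:   status of the last ufw call
          #######################################
          ubuntu_config_ufw()
          {
            local -r tcp_ports_1=21,22,23,25,53,80,135,139,443,445
            local -r tcp_ports_2=1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
            ufw deny out proto tcp to any port "$tcp_ports_1"
            ufw deny out proto tcp to any port "$tcp_ports_2"
            ufw deny out proto udp to any
            ufw status
          }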
           
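          ####################Start###################
          # Root is needed by every later step (iptables/ufw), so check it before
          # anything is created on disk.
          if [[ "$(id -u)" != "0" ]]; then
            printf '\033[1;40;31mError: You must be root to run this script,please use root to execute this script.\n\033[0m\n' >&2
            exit 1
          fi

          # One run at a time: a lock file named after the script. /tmp is
          # world-writable, so any local user can pre-create this path and keep
          # the script from running; a root-only directory would be safer.
          LOCKfile=/tmp/.$(basename -- "$0")
          if [[ -f "$LOCKfile" ]]; then
            printf '\033[1;40;31mThe script is already exist,please next time to run this script.\n\033[0m\n'
            exit
          fi
          printf '\033[40;32mStep 1.No lock file,begin to create lock file and continue.\n\033[40;37m\n'
          touch -- "$LOCKfile"
          # Remove the lock on every exit path (normal end, error, interrupt).
          trap 'rm -f -- "$LOCKfile"' EXIT

          printf '\033[40;32mStep 2.Begen to check the OS issue.\n\033[40;37m\n'
          os_release=$(check_os_release)
          if [[ -z "$os_release" ]]; then
            # Unsupported OS: nothing is changed. Exit 0 is kept from the
            # original, so a caller cannot tell this from success by status.
            printf '\033[1;40;31mThe OS does not identify,So this script is not executede.\n\033[0m\n'
            exit 0
          fi
          printf '\033[40;32mThis OS is %s.\n\033[40;37m\n' "$os_release"

          printf '\033[40;32mStep 3.Begen to config firewall.\n\033[40;37m\n'
          case "$os_release" in
            redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
              service iptables start
              config_iptables
              ;;
            debian6|opensuse131)
              config_iptables
              ;;
            ubuntu10|ubuntu1204|ubuntu1210)
              # --force answers the confirmation that "ufw enable" asks for,
              # which the original fed from a here-document.
              ufw --force enable
              ubuntu_config_ufw
              ;;
          esac

          # config_iptables does not save its rules; on the iptables branches
          # they last only until reboot unless saved separately.
          printf '\033[40;32mConfig firewall success,this script now exit!\n\033[40;37m\n'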

              上述文件下載到機器內部直接執行即可。注意該腳本會攔截所有出站UDP及tcp/53,執行後主機將無法解析域名(DNS),請先確認這是預期效果。

              2、設置iptables,限制訪問

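          # Minimal inbound policy for a freshly (re)installed host: accept
          # loopback, SSH, the web ports, ICMP echo requests and packets of
          # established connections; drop everything else.
          # Run once per reinstall; "service iptables save" writes the result
          # to /etc/sysconfig/iptables (RHEL/CentOS-style init only).
          # SSH_PORT and WEB_PORTS may be set in the environment; the defaults
          # reproduce the original rule set exactly. If sshd is later moved to
          # another port (section 4), rerun this with SSH_PORT set to the new
          # port first, otherwise the new port is dropped and remote access is
          # lost. Only ESTABLISHED is accepted, not RELATED — confirm that is
          # intended (RELATED covers e.g. ICMP errors for existing connections).
          IPT=/sbin/iptables
          SSH_PORT=${SSH_PORT:-22}
          WEB_PORTS=${WEB_PORTS:-"80 8080"}

          # Open the policy before flushing so an interrupted run cannot leave
          # the host with a DROP policy and no accept rules.
          "$IPT" -P INPUT ACCEPT
          "$IPT" -F
          "$IPT" -X
          "$IPT" -Z

          "$IPT" -A INPUT -i lo -j ACCEPT
          "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
          # WEB_PORTS is a space-separated list; word-splitting is intended.
          for web_port in $WEB_PORTS; do
            "$IPT" -A INPUT -p tcp --dport "$web_port" -j ACCEPT
          done
          "$IPT" -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          "$IPT" -A INPUT -m state --state ESTABLISHED -j ACCEPT
          "$IPT" -P INPUT DROP
          service iptables save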

              以上腳本,在每次重裝完系統后執行一次即可,其配置會保存至/etc/sysconfig/iptables

              3、常用網絡監控命令
          (1) netstat -tunl:查看所有正在監聽的端口

          [root@AY1407041017110375bbZ ~]# netstat -tunl
          Active Internet connections (only servers)
          Proto Recv-Q Send-Q Local Address    Foreign Address    State 
          tcp  0  0 0.0.0.0:22     0.0.0.0:*     LISTEN 
          udp  0  0 ip:123   0.0.0.0:*       
          udp  0  0 ip:123   0.0.0.0:*       
          udp  0  0 127.0.0.1:123    0.0.0.0:*       
          udp  0  0 0.0.0.0:123     0.0.0.0:*

              其中123端口用于NTP服務。
          (2)netstat -tunp:查看所有已連接的網絡連接狀態,并顯示其PID及程序名稱。

          [root@AY1407041017110375bbZ ~]# netstat -tunp
          Active Internet connections (w/o servers)
          Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
          tcp        0     96 ip:22            221.176.33.126:52699        ESTABLISHED 926/sshd            
          tcp        0      0 ip:34385         42.156.166.25:80            ESTABLISHED 1003/aegis_cli

              根據上述結果,可以根據需要kill掉相應進程;終止前先確認該PID對應的程序(示例中1003為aegis_cli)確實不再需要。
          如:
          kill -9 1003

              (3)netstat -tunlp
          (4)netstat常用選項說明:

              -t: tcp  
          -u : udp
          -l, --listening
                 Show only listening sockets.  (These are omitted by default.)
          -p, --program
                 Show the PID and name of the program to which each socket belongs.
          --numeric , -n
          Show numerical addresses instead of trying to determine symbolic host, port or user names.

          4、修改ssh的監聽端口

           (1)修改 /etc/ssh/sshd_config

           原有的port 22

           改為port 44
           (注意:第2節的iptables規則只放行22端口,改端口前須先放行新端口,否則重啟sshd後遠程連接會被防火墻丟棄。)

           (2)重啟服務

              /etc/init.d/sshd restart
          (3)查看情況

          netstat -tunl
          Active Internet connections (only servers)
          Proto Recv-Q Send-Q Local Address    Foreign Address    State 
          tcp  0  0 0.0.0.0:44    0.0.0.0:*     LISTEN 
          udp  0  0 ip:123   0.0.0.0:*       
          udp  0  0 ip:123   0.0.0.0:*       
          udp  0  0 127.0.0.1:123    0.0.0.0:*       
          udp  0  0 0.0.0.0:123     0.0.0.0:*

               
