
Notes on some security configuration for production servers

Production servers get harassed now and then, so a few of the default settings need changing.

# Prevent SYN flood (note: FORWARD only sees routed traffic, not packets addressed to this host, and an ACCEPT-only limit rule only throttles if a later rule or the chain policy drops the excess)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Ping flood
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Mitigate port scans (the jump target on the next line is missing from the original)
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j 
# Raise the maximum length of the half-open connection queue (q0)
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Enable SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ignore ICMP echo requests
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Limit IP fragments
iptables -A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
# Block inbound ICMP and UDP (this also drops replies to the host's own UDP queries, e.g. DNS answers, unless a conntrack ESTABLISHED,RELATED ACCEPT rule comes first)
iptables -A INPUT --proto icmp -j DROP
iptables -A INPUT --proto udp  -j DROP
# Make the sysctl settings persistent (the IPv6 key is net.ipv6.icmp.echo_ignore_all, available on newer kernels; the original's net.ipv6.icmp_echo_ignore_all does not exist and makes sysctl -p report an error)
echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
echo "net.ipv6.icmp.echo_ignore_all = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
sysctl -p
# ICMP timestamp request/reply information disclosure (dropping time-exceeded also breaks traceroute through this host)
iptables -A INPUT -p ICMP --icmp-type timestamp-request -j DROP
iptables -A INPUT -p ICMP --icmp-type timestamp-reply -j DROP
iptables -A INPUT -p ICMP --icmp-type time-exceeded -j DROP
iptables -A OUTPUT -p ICMP --icmp-type time-exceeded -j DROP

# Block outbound mail (the REJECT rules match first, so the DROP rules below for the same ports never see a packet)
iptables -A OUTPUT -p tcp -m multiport --dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp -m multiport --dport 993,995,1109,24554,60177,60179 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp -m multiport --dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j DROP
iptables -A OUTPUT -p tcp -m multiport --dport 993,995,1109,24554,60177,60179 -j DROP
service iptables save
service iptables restart
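The list above applies its limit rules on FORWARD with no DROP behind them, and writes a sysctl key that does not exist. As an added example (not part of the original post), the script below does the same hardening on INPUT in a form that actually throttles: each rate-limit ACCEPT is paired with a DROP, an ESTABLISHED,RELATED rule keeps replies to the host's own traffic (DNS answers included), and every sysctl key is checked against /proc/sys before it is written, so a misspelled key is skipped instead of being persisted. It assumes legacy iptables with the conntrack and limit matches and a /proc/sys tree; it only prints the iptables commands unless APPLY=1 is set, and the file /etc/sysctl.d/90-hardening.conf is an assumed name.

```shell
#!/bin/sh
# Added example, not from the original post. Dry-run by default: set APPLY=1 to
# really run iptables and write sysctl values.

if [ "${APPLY:-0}" = "1" ]; then IPT=iptables; else IPT="echo iptables"; fi

# Map a dotted sysctl key to its /proc/sys path
# (net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies).
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Write a sysctl value only if this kernel exposes the key. Returns 1 and
# writes nothing for a key that does not exist (e.g. the misspelled
# net.ipv6.icmp_echo_ignore_all), so sysctl -p never trips over it later.
set_sysctl() {
    key=$1; value=$2
    path=$(sysctl_path "$key")
    if [ ! -e "$path" ]; then
        echo "skip: $key not present on this kernel" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$value" > "$path"
        printf '%s = %s\n' "$key" "$value" >> /etc/sysctl.d/90-hardening.conf   # assumed file name
    else
        echo "would set $key = $value"
    fi
}

# Accept a packet class at most RATE (with a small burst), then DROP the excess.
# Without the trailing DROP a limit rule throttles nothing, and on FORWARD it
# never sees packets addressed to this host.
limit_then_drop() {
    chain=$1; rate=$2; shift 2
    $IPT -A "$chain" "$@" -m limit --limit "$rate" --limit-burst 20 -j ACCEPT
    $IPT -A "$chain" "$@" -j DROP
}

harden() {
    # Replies to our own connections (DNS answers, etc.) must pass before any DROP.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    limit_then_drop INPUT 25/s -p tcp --syn
    limit_then_drop INPUT 1/s -p icmp --icmp-type echo-request
    # Rest of the page's ICMP policy: drop timestamp probes outright.
    $IPT -A INPUT -p icmp --icmp-type timestamp-request -j DROP
    set_sysctl net.ipv4.tcp_syncookies 1
    set_sysctl net.ipv4.tcp_max_syn_backlog 1280
    set_sysctl net.ipv4.conf.all.accept_redirects 0
    set_sysctl net.ipv4.conf.all.send_redirects 0
    set_sysctl net.ipv6.icmp.echo_ignore_all 1 || :   # absent on older kernels; skipped, not persisted
}

if [ "${1:-}" = "run" ]; then harden; fi
```

Run it as `sh harden.sh run` to see the commands it would issue, and `APPLY=1 sh harden.sh run` as root to apply them; the SYN limit of 25/s is a placeholder to tune against the host's real connection rate, since the page's 1/s would also drop legitimate clients on any busy service.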
