
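How to Configure and Harden Network Security on a Linux System

With the widespread use of Linux systems, network security has become a critically important task. Faced with all kinds of security threats, system administrators need to apply network security configuration and protective measures to their servers. This article describes how to configure and harden network security on a Linux system and provides some concrete code examples.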

Configure the firewall

Linux systems use iptables as the firewall by default. It can be configured with the following commands:

# Stop the existing firewall
service iptables stop

# Flush the iptables rules
iptables -F

# Allow the local loopback interface
iptables -A INPUT -i lo -j ACCEPT

# Allow ping
iptables -A INPUT -p icmp -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH access
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Deny all other access
iptables -P INPUT DROP
iptables -P FORWARD DROP


Disable unnecessary services

On a Linux system, some unnecessary services are often running in the background. These services consume server resources and also introduce potential security risks. They can be disabled with the following commands:

# Disable the NFS service
service nfs stop
chkconfig nfs off

# Remove the X Window graphical interface
yum groupremove "X Window System"

# Disable the FTP service
service vsftpd stop
chkconfig vsftpd off


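Install and use Fail2ban

Fail2ban is an open-source security tool that can monitor network status, detect suspicious login attempts, and automatically blacklist the source through the firewall, thereby effectively protecting network security. It can be installed with the following command: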

yum install fail2ban -y


Configuration file: /etc/fail2ban/jail.conf

Add a custom rule:

# Add the following to the jail.conf file:
[my_sshd]
enabled = true
port = ssh
filter = my_sshd
logpath = /var/log/secure
maxretry = 3


Create the filter rule:

# In the /etc/fail2ban/filter.d/ directory, create the file my_sshd.conf, then edit it:
[Definition]
failregex = .*Failed (password|publickey).* from <HOST>
ignoreregex =
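
An added example, not part of the original article and not Fail2ban's own code: a simplified Python model of how the my_sshd failregex and maxretry = 3 above treat lines from /var/log/secure. The log lines are constructed, the <HOST> tag is reduced to an IPv4 capture group (an assumption), and the time window Fail2ban applies to maxretry is ignored.

```python
import re
from collections import Counter

# The failregex from my_sshd.conf on this page.
FAILREGEX = r".*Failed (password|publickey).* from <HOST>"
MAXRETRY = 3  # maxretry from the [my_sshd] jail

# Assumption: <HOST> is reduced to an IPv4 capture group; real Fail2ban's
# <HOST> expansion also accepts IPv6 addresses and hostnames.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed /var/log/secure lines (documentation address ranges).
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  3 10:15:04 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  3 10:15:09 web1 sshd[2203]: Failed publickey for user1 from 203.0.113.5 port 40120 ssh2
Mar  3 10:16:30 web1 sshd[2210]: Failed password for user2 from 198.51.100.7 port 51544 ssh2
Mar  3 10:16:41 web1 sshd[2210]: Accepted password for user2 from 198.51.100.7 port 51544 ssh2
Mar  3 10:17:02 web1 sshd[2215]: Invalid user test from 192.0.2.44 port 33810
"""

def compile_failregex(failregex):
    """Substitute the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def count_failures(log_text, failregex=FAILREGEX):
    """Return a Counter of host -> number of lines the filter matches."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.match(line)
        if match:
            hits[match.group("host")] += 1
    return hits

def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts whose match count reaches maxretry (time window ignored)."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)

if __name__ == "__main__":
    for host, n in count_failures(SAMPLE_LOG).items():
        print(f"{host}: {n} matching line(s)")
    print("would be banned:", hosts_to_ban(SAMPLE_LOG))
```

On a real host, Fail2ban's own fail2ban-regex tool runs the actual filter file against the actual log, for example: fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/my_sshd.conf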


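Configure SSH

SSH is a very powerful and widely used remote login protocol, and it is also a target for many attackers. Some security measures are therefore needed when using SSH:

# Change the default SSH port
vim /etc/ssh/sshd_config
# Change Port 22 to another port (the firewall rule that allows port 22 must be updated to match), for example:
Port 22222

# Disable root login
vim /etc/ssh/sshd_config
# Change PermitRootLogin yes to PermitRootLogin no

# Restrict which users can log in
vim /etc/ssh/sshd_config
# Add the following: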
AllowUsers user1 user2


Disable IPv6

In most server network environments IPv6 is not needed, and disabling it can effectively reduce the system's risk of being attacked:

# Add the following to the /etc/sysctl.conf file:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Apply the change with the following command:
sysctl -p


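Summary

This article described how to configure and harden network security on a Linux system, covering firewall configuration, disabling unnecessary services, installing and using Fail2ban, configuring SSH, and disabling IPv6. The sample code provided here can help administrators complete network security work more quickly and conveniently. In real deployments, the settings should be adjusted and refined to suit the specific situation.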

ÒÔÉϾÍÊÇÔõÑù¾ÙÐÐLinuxϵͳµÄÍøÂçÇå¾²ÉèÖúͷÀ»¤µÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡

ÃâÔð˵Ã÷£ºÒÔÉÏչʾÄÚÈÝȪԴÓÚÏàÖúýÌå¡¢ÆóÒµ»ú¹¹¡¢ÍøÓÑÌṩ»òÍøÂçÍøÂçÕûÀí£¬°æȨÕùÒéÓë±¾Õ¾Î޹أ¬ÎÄÕÂÉæ¼°¿´·¨Óë¿´·¨²»´ú±í×ðÁú¿­Ê±¹ÙÍøµÇ¼ÂËÓÍ»úÍø¹Ù·½Ì¬¶È£¬Çë¶ÁÕß½ö×ö²Î¿¼¡£±¾ÎĽӴýתÔØ£¬×ªÔØÇë˵Ã÷À´ÓÉ¡£ÈôÄúÒÔΪ±¾ÎÄÇÖÕ¼ÁËÄúµÄ°æȨÐÅÏ¢£¬»òÄú·¢Ã÷¸ÃÄÚÈÝÓÐÈκÎÉæ¼°ÓÐÎ¥¹«µÂ¡¢Ã°·¸Ö´·¨µÈÎ¥·¨ÐÅÏ¢£¬ÇëÄúÁ¬Ã¦ÁªÏµ×ðÁú¿­Ê±¹ÙÍøµÇ¼ʵʱÐÞÕý»òɾ³ý¡£

Ïà¹ØÐÂÎÅ

ÁªÏµ×ðÁú¿­Ê±¹ÙÍøµÇ¼

13452372176

¿É΢ÐÅÔÚÏß×Éѯ

ÊÂÇéʱ¼ä£ºÖÜÒ»ÖÁÖÜÎ壬9:30-18:30£¬½ÚãåÈÕÐÝÏ¢

QR code
ÍøÕ¾µØͼ