防火墙
1、更新 Ubuntu sudo apt-get update && sudo apt-get upgrade
2、清空原有规则 sudo iptables -F
3、配置防火墙 sudo vi /etc/iptables.up.rules 假设 ssh 访问端口为 39999, 数据库访问端口为 19999,且开放 3000、3001 端口
*filter # allow all connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # allow out traffic -A OUTPUT -j ACCEPT # allow https http -A INPUT -p tcp --dport 443 -j ACCEPT -A INPUT -p tcp --dport 80 -j ACCEPT # allow ssh port login -A INPUT -p tcp -m state --state NEW --dport 39999 -j ACCEPT # ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # mongodb connect -A INPUT -s 127.0.0.1 -p tcp --destination-port 19999 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 127.0.0.1 -p tcp --source-port 19999 -m state --state ESTABLISHED -j ACCEPT -A INPUT -s 127.0.0.1 -p tcp --destination-port 3000 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 127.0.0.1 -p tcp --source-port 3000 -m state --state ESTABLISHED -j ACCEPT -A INPUT -s 127.0.0.1 -p tcp --destination-port 3001 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 127.0.0.1 -p tcp --source-port 3001 -m state --state ESTABLISHED -j ACCEPT # log denied calls -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7 # drop incoming sensitive connections -A INPUT -p tcp --dport 80 -8i eth0 -m state --state NEW -m recent --set -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 150 -j DROP # reject all other inbound -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT
4、重载配置 sudo iptables-restore < /etc/iptables.up.rules (每次修改均需重载)
5、查看防火墙启动状态 sudo ufw status
6、激活 Firewalls sudo ufw enable
7、设置防火墙开机自启动 sudo vi /etc/network/if-up.d/iptables
#!/bin/sh iptables-restore /etc/iptables.up.rules
8、授权 sudo chmod +x /etc/network/if-up.d/iptables
Fail2Ban
1、安装 sudo apt-get install fail2ban
2、配置 sudo vi /etc/fail2ban/jail.conf
bantime = 3600 destemail = your email action = %(action_mw)s ...
3、查看运行状态 sudo service fail2Ban statu
4、运行 or 停止 sudo service fail2Ban start ,sudo service fail2Ban stop
