Line 1 (previous revision):

[[category:ops]] [[category:debian]]

=on my kali2020 laptop=
<pre>
#on my laptop
sudo apt install ufw

sudo ufw default deny incoming
sudo ufw default allow outgoing

sudo ufw allow ssh

#is a web
sudo ufw allow 80
sudo ufw allow 443

#Firewall is active and enabled on system startup
sudo ufw enable

sudo ufw status
</pre>

=Typical combined procedure on production servers=
<pre>
apt install ufw
ufw enable

#Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
#Firewall is active and enabled on system startup

sudo ufw default allow outgoing
sudo ufw default deny incoming

ufw allow ssh
ufw allow www

etc

Normal output looks like this:

ufw status
Status: active

To                         Action      From
--                         ------      ----
SSH                        ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
SSH (v6)                   ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
</pre>

=* install=
apt install ufw

=* Configuration=
<pre>
ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

UFW's defaults are to deny all incoming connections and allow all outgoing connections.

Check whether any rules are visible after running ufw status.

As can be seen, don't run these two by hand; they are already the defaults. Running them now can make even ssh unreachable. The same thing happened yesterday. 27 October 2020
ufw default deny incoming
ufw default allow outgoing

ufw status verbose
</pre>

=* Firewall Rules=
<pre>
ufw app list

ufw allow 'SSH'
ufw allow 22/tcp
ufw allow WWW #this is actually just port 80

ufw allow 'Nginx HTTP'

ufw allow 53/tcp </pre>

==** Port Ranges ==
<pre>
Port ranges may also be specified, a simple example for tcp would be:

ufw allow 1000:2000/tcp

and for udp:

ufw allow 1000:2000/udp</pre>

==** IP address==
<pre>An IP address may also be used:

ufw allow from 111.222.333.444</pre>

=* Deleting Rules=
<pre>
Rules may be deleted with the following command:

ufw delete allow ssh

ufw reset
</pre>

=Examples of allowing/denying specific ports or services=
<pre>
sudo ufw allow 80 #allow external access to port 80
sudo ufw delete allow 80 #deny external access to port 80
sudo ufw allow from 192.168.1.1 #allow this IP to access all ports on this host
sudo ufw deny smtp #deny external access to the smtp service; a service name stands for its port. Use less /etc/services to list all services, including which port and protocol each one uses
sudo ufw delete allow smtp #delete a rule created above, or sudo ufw delete allow 80/tcp; if it cannot be deleted, use the rule number: sudo ufw status numbered, then delete by number with sudo ufw delete 1
sudo ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 22 #deny all TCP traffic from 10.0.0.0/8 to port 22 on 192.168.0.1
#allow all RFC1918 networks (LAN/WLAN) to access this host (/8, /16 and /12 are network prefix sizes):
sudo ufw allow from 10.0.0.0/8
sudo ufw allow from 172.16.0.0/12
sudo ufw allow from 192.168.0.0/16
</pre>

==eg==
<pre>
To allow tcp/udp access to every port from 8090 to 9090, use the following commands.

sudo ufw allow 8090:9090/tcp
sudo ufw allow 8090:9090/udp

Allowing a specific IP address

To allow access to all ports from a specific IP address, use ufw allow from followed by the IP address:

sudo ufw allow from 115.127.62.61

You can also restrict that IP address to a specific port:

sudo ufw allow from 115.127.62.61 to any port 22

Allowing a subnet

The command for allowing connections from a subnet is the same as for a single IP address; the only difference is that you specify the netmask. For example, to allow the addresses 192.168.1.1 through 192.168.1.254 to reach port 3360 (MySQL), use:

sudo ufw allow from 192.168.1.0/24 to any port 3306

Allowing connections on a specific network interface

To allow access to a port only on a specific interface, say port 3360 on eth2, use allow in on followed by the interface name:

sudo ufw allow in on eth2 to any port 3306

Denying connections

The default policy for all incoming connections is "deny", which means UFW blocks every incoming connection unless you open it explicitly.

Suppose you have opened ports 80 and 443 and the server is being attacked from the 23.24.25.0/24 network. To deny all connections from 23.24.25.0/24:

sudo ufw deny from 23.24.25.0/24

To deny only access to ports 80 and 443 from 23.24.25.0/24:

sudo ufw deny from 23.24.25.0/24 to any port 80
sudo ufw deny from 23.24.25.0/24 to any port 443

Writing deny rules is the same as writing allow rules; just replace allow with deny.

Deleting UFW rules

There are two ways to delete a UFW rule: by rule number, or by specifying the actual rule.

Deleting by rule number is easier, especially if you are new to UFW.

To delete by number, first find the number of the rule you want to remove by running:

sudo ufw status numbered

The output looks like this:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere

To delete rule number 3 (the rule allowing connections to port 8080):

sudo ufw delete 3

The second way is to specify the actual rule. For example, if you added a rule opening port 8069, remove it with:

sudo ufw delete allow 8069
</pre>

=troubleshooting=
<pre>
Couldn't even get openssh to connect.

This is what caused the lockout:
ufw default deny incoming

Confirmed: that is not the problem. It is:
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (SSH)               ALLOW IN    Anywhere
80/tcp (WWW)               ALLOW IN    Anywhere
22/tcp (SSH (v6))          ALLOW IN    Anywhere (v6)
80/tcp (WWW (v6))          ALLOW IN    Anywhere (v6)
nothing there

Just follow the Linode docs.

How to make sure deny incoming is applied only after ssh is allowed? Refer to iptables?
</pre>

=* see also=
[https://www.tecmint.com/setup-ufw-firewall-on-ubuntu-and-debian/ How to Setup UFW Firewall on Ubuntu and Debian]

https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29

https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/

[https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-9 How To Set Up a Firewall with UFW on Debian 9]

https://help.ubuntu.com/community/UFW

https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

[https://zhuanlan.zhihu.com/p/36646621 ubuntu ufw firewall]

[https://linux265.com/news/5984.html How to set up a firewall with ufw on Debian 10]

[https://www.configserverfirewall.com/debian-linux/install-ufw-firewall-debian/ How to Install UFW Ubuntu Firewall on Debian Linux]

Line 1 (current revision):

[[category:ops]]

=ins and config=
==Download and install Filebeat==
<pre>
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.12.0-amd64.deb
sudo dpkg -i filebeat-7.12.0-amd64.deb
</pre>

==Edit the configuration ==
<pre>
Modify /etc/filebeat/filebeat.yml to set the connection information:

output.elasticsearch:
  hosts: ["<es_url>"]
  username: "elastic"
  password: "<password>"
setup.kibana:
  host: "<kibana_url>"

Where <password> is the password of the elastic user, <es_url> is the URL of Elasticsearch, and <kibana_url> is the URL of Kibana.
</pre>

==Enable and configure the nginx module ==
<pre>
sudo filebeat modules enable nginx

Modify the settings in the /etc/filebeat/modules.d/nginx.yml file.
</pre>

== Start Filebeat==
<pre>
The setup command loads the Kibana dashboards. If the dashboards are already set up, omit this command.

sudo filebeat setup
sudo service filebeat start
</pre>

== Module status==
<pre>
Click the "Check data" button to the right of Module status, then open the Nginx logs dashboard.
</pre>
systemctl daemon-reload

=see also=
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-nginx.html

[https://www.cnblogs.com/kuku0223/p/8317965.html ELK: filebeat nginx module]
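The previous revision above opens ssh before enabling ufw, warns that enabling can disrupt existing ssh connections, and deletes rules by the number shown in ufw status numbered. The helpers below are an added example, not part of either revision of this page: they parse that status text offline (a constructed sample is embedded), so a script can confirm an ssh allow rule exists before ufw enable and look up the number to pass to ufw delete. The function names and the sample table are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the wiki page: parse the text of `ufw status numbered`
# (or `ufw show added`) offline, so you can (1) confirm an SSH allow rule exists
# before running `ufw enable`, avoiding the lockout described in the
# troubleshooting notes, and (2) find the number to pass to `ufw delete N`.
# Both helpers take the status text as an argument and never touch the firewall.

# Constructed sample, modelled on the numbered table shown on this page.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# ufw_rule_number STATUS_TEXT RULE_SPEC
# Prints the number of the first rule whose "To" column is RULE_SPEC
# (e.g. 8080/tcp); exit status 1 if there is no such rule.
ufw_rule_number() {
    printf '%s\n' "$1" | awk -v spec="$2" '
        match($0, /^\[ *[0-9]+\]/) {
            num = substr($0, 2, RLENGTH - 2); gsub(/ /, "", num)
            split(substr($0, RLENGTH + 1), f, " ")   # f[1] is the To column
            if (f[1] == spec) { print num; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# ssh_allowed STATUS_TEXT
# Exit status 0 if some incoming allow rule covers port 22 (22 or 22/tcp) or
# an ssh application profile (SSH, OpenSSH); ALLOW OUT/FWD rules do not count.
# Accepts both `ufw status` tables and `ufw show added` lines ("ufw allow ...").
ssh_allowed() {
    printf '%s\n' "$1" | awk '
        { l = tolower($0) }
        l ~ /allow/ && l !~ /allow (out|fwd)/ &&
            (l ~ /(^|[^0-9.])22([^0-9]|$)/ || l ~ /ssh/) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# On a live host the pre-flight check would be (not run here):
#   added=$(sudo ufw show added)          # rules are listed even while inactive
#   ssh_allowed "$added" && sudo ufw enable
#   n=$(ufw_rule_number "$(sudo ufw status numbered)" 8080/tcp) && sudo ufw delete "$n"
```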