Difference between pages "Debian服务器初始化" and "Ufw on debian"

From the linux中国网 wiki

Old page (Debian服务器初始化):

[[category:ops]]  [[category:debian]]

[[Salt-ssh批量初始化机器]]

= os init =

== change sources ==

=== Debian 10 sources ===

<pre>
deb http://mirrors.aliyun.com/debian/ buster main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster main non-free contrib
deb http://mirrors.aliyun.com/debian-security buster/updates main
deb-src http://mirrors.aliyun.com/debian-security buster/updates main
deb http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
</pre>

=== Debian 9 sources ===

<pre>
echo 'deb http://mirrors.aliyun.com/debian/ stretch main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch main non-free contrib
deb http://mirrors.aliyun.com/debian-security stretch/updates main
deb-src http://mirrors.aliyun.com/debian-security stretch/updates main
deb http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib' > sources.list
</pre>

== ssh config ==

<pre>
# install the ops public key for root (placeholder key: replace with the real one)
echo "ssh-rsa AAAAB3NzaC you_prk_key root@ops" >> /root/.ssh/authorized_keys

# enable key authentication and turn off password logins
sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config

systemctl restart sshd
#service  sshd restart
</pre>
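The two sed lines above only match the literal strings "#PubkeyAuthentication yes" and an already uncommented "PasswordAuthentication yes"; on a stock Debian sshd_config the PasswordAuthentication line ships commented out, so the second sed changes nothing and password logins stay enabled. The following is an added example, not from the wiki page, of an idempotent setter plus a check of the values sshd would actually use; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: set an sshd_config directive
# idempotently and verify the effective result.  It handles the cases the
# page's sed one-liners miss: a commented default ("#PasswordAuthentication
# yes"), a different existing value, or a missing directive.  Directives
# after a "Match" block are scoped, so apply this only to the global part.

# set_sshd_option FILE KEY VALUE: the first occurrence (commented or active)
# is replaced, later duplicates dropped, an absent directive appended.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
        split(line, f, /[ \t]+/) && f[1] == k {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# sshd_effective FILE KEY: value sshd would use (first active occurrence
# wins); prints nothing when the directive is unset (built-in default).
sshd_effective() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# sshd_hardened FILE: succeeds when key auth is on and password auth is off.
sshd_hardened() {
    [ "$(sshd_effective "$1" PubkeyAuthentication)" = yes ] &&
    [ "$(sshd_effective "$1" PasswordAuthentication)" = no ]
}

# page_sed_leaves_unset FILE: apply the page's anchored sed to FILE's text
# and succeed if PasswordAuthentication is still unset afterwards.
page_sed_leaves_unset() {
    out=$(sed "s/^PasswordAuthentication yes/PasswordAuthentication no/g" "$1" |
          awk '$1 == "PasswordAuthentication" { print $2; exit }')
    [ -z "$out" ]
}

# Constructed sample with the relevant lines of a stock Debian sshd_config,
# where both directives ship commented out.
SAMPLE_CFG=$(mktemp)
printf '%s\n' '#PubkeyAuthentication yes' '#PasswordAuthentication yes' \
    'ChallengeResponseAuthentication no' > "$SAMPLE_CFG"
```

After editing the real file, run `sshd -t` before restarting so a typo cannot leave sshd unable to start.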
== Common packages ==

<pre>
# -m creates the home directory if it does not exist
useradd -d /data/evan -s /bin/bash -m evan

apt install net-tools procps rsync wget firewalld vim build-essential dnsutils screen curl sudo lsb-release iotop software-properties-common -y  # dig is in dnsutils

# full development toolchain
sudo apt install git golang build-essential gcc g++ gdb libboost-dev make automake autogen autoconf cscope global cmake cmake-gui astyle clang-format clang llvm lldb libsqlite3-dev sqlite3 bison flex ruby-dev linux-headers-`uname -r`

# ps
apt install procps
</pre>

Install Fail2Ban:

[https://www.debian.cn/archives/2880 Installing fail2ban on Debian to counter SSH brute-force attacks]

[[Debian配置iptables]]

= Time synchronisation =

<pre>
# switch the timezone from UTC to CST
# use this one; tzselect is sometimes wrong
timedatectl set-timezone Asia/Shanghai

# enable NTP sync (false turns it off)
timedatectl set-ntp yes

echo "export TZ='Asia/Shanghai'" >> /etc/profile
cat /etc/profile | grep TZ
source /etc/profile

date -R  # show the timezone
date
Sat Aug 19 17:03:17 CST 2017
</pre>

= security =

== ufw ==

== firewalld ==

See [[Centos7 firewalld防火墙基础]] for details.

[https://computingforgeeks.com/how-to-install-and-configure-firewalld-on-debian/ How To Install and Configure Firewalld on Debian 10]

[https://ywnz.com/linuxaq/5495.html Installing and configuring Firewalld on Debian 10 (Buster)]

= References =

[https://blog.51cto.com/wzlinux/2043586 Deployment procedure for a freshly installed Ubuntu server]

[https://www.howtoing.com/install-java-in-debian-and-ubuntu How to install Java 9 on Debian and Ubuntu]

[http://www.ruanyifeng.com/blog/2014/03/server_setup.html Initial configuration procedure for a Linux server]

[http://spenserj.com/blog/2013/07/15/securing-a-linux-server/ Securing a Linux Server]

[http://blog.51cto.com/feihan21/1060365 Linux server initialisation script]

[https://blog.imdst.com/linux-fu-wu-qi-chu-shi-hua-an-quan-jia-gu/ Linux server initialisation, tuning and security hardening]

[https://linux.cn/article-5067-1.html How to use fail2ban to defend an SSH server against brute-force attacks]

[https://blog.csdn.net/developerinit/article/details/73065229?utm_source=blogxgwz7 Some common Debian commands]

[https://www.cnblogs.com/yoyotl/p/8151409.html Setting the timezone and time on Debian 8]

[[category:ops]]  [[category:debian]]

Current page (Ufw on debian), revision as of 05:57, 28 February 2020 (Friday)


* install

apt install ufw

* Configuration

ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

UFW's defaults are to deny all incoming connections and allow all outgoing connections.

So there is no need to run these two by hand; they are already the defaults. Running them at this point can leave you unable to get in even over ssh.
ufw default deny incoming
ufw default allow outgoing

ufw status verbose

* Firewall Rules

ufw app list

ufw allow 'SSH'
ufw allow 22/tcp
ufw allow WWW   # this is just port 80

ufw allow 'Nginx HTTP'

ufw allow 53/tcp


** Port Ranges

Port ranges may also be specified, a simple example for tcp would be:

  ufw allow 1000:2000/tcp

and for udp:

  ufw allow 1000:2000/udp

** IP address

An IP address may also be used:

 ufw allow from 111.222.333.444

* Deleting Rules

Rules may be deleted with the following command:

 ufw delete allow ssh

ufw reset


troubleshooting

OpenSSH connections all get through.

This is what made it unreachable:
 ufw default deny incoming

Confirmed: that was not the problem. The status is:
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (SSH)               ALLOW IN    Anywhere
80/tcp (WWW)               ALLOW IN    Anywhere
22/tcp (SSH (v6))          ALLOW IN    Anywhere (v6)
80/tcp (WWW (v6))          ALLOW IN    Anywhere (v6)
Nothing there.

Just go with the linode docs.

How do you make sure "deny incoming" only takes effect after ssh has been allowed? Look at how iptables handles it?
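For the question above (being sure the SSH rule is in place before the deny default bites), here is an added example, not from the wiki page: a pre-flight check over `ufw status verbose` text, with the sample constructed from the page's own output, and the command order that keeps SSH reachable. It assumes POSIX sh, awk and grep -E, and ufw's `limit` and `--force` options as documented upstream.

```shell
#!/bin/sh
# Added example, not from the wiki page: pre-flight check for the lock-out
# the troubleshooting notes describe.  Before "ufw default deny incoming"
# and "ufw enable", confirm that the port sshd really listens on has an
# ALLOW IN rule in both the IPv4 and the IPv6 table of "ufw status verbose",
# then print the bootstrap order that keeps the SSH rule ahead of the deny.

# sshd_port SSHD_CONFIG: first active Port directive, 22 when unset.
sshd_port() {
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# ssh_allowed_in STATUS_TEXT PORT: succeeds when STATUS_TEXT holds an ALLOW IN
# rule for PORT/tcp from Anywhere for both v4 and v6 ("Anywhere (v6)").
ssh_allowed_in() {
    status=$1 port=$2
    v4=$(printf '%s\n' "$status" |
         grep -Ec "^${port}/tcp( \([^)]*\))?[[:space:]]+ALLOW IN[[:space:]]+Anywhere[[:space:]]*$" || true)
    v6=$(printf '%s\n' "$status" |
         grep -Ec "^${port}/tcp .*\(v6\)\)?[[:space:]]+ALLOW IN[[:space:]]+Anywhere \(v6\)" || true)
    [ "$v4" -ge 1 ] && [ "$v6" -ge 1 ]
}

# ufw_bootstrap_plan PORT: the order that avoids locking yourself out.
# "limit" allows the port but rate-limits new connections; "--force" skips
# the interactive "Proceed with operation (y|n)?" prompt for scripted runs.
ufw_bootstrap_plan() {
    printf '%s\n' \
        "ufw limit $1/tcp" \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw --force enable" \
        "ufw status verbose"
}

# Constructed sample in the format of the page's "ufw status verbose" output.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (SSH)               ALLOW IN    Anywhere
80/tcp (WWW)               ALLOW IN    Anywhere
22/tcp (SSH (v6))          ALLOW IN    Anywhere (v6)
80/tcp (WWW (v6))          ALLOW IN    Anywhere (v6)'
```

On a live host, feed `ufw status verbose` and `/etc/ssh/sshd_config` to these functions and only run the plan when `ssh_allowed_in` succeeds; keep the existing session open until a second login has been verified.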



* see also

https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29

https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/


https://help.ubuntu.com/community/UFW

https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

ubuntu ufw firewall (https://zhuanlan.zhihu.com/p/36646621)