页面“Debian服务器初始化”与“Ufw on debian”之间的差异

来自linux中国网wiki
(页面间的差异)
跳到导航 跳到搜索
 
 
第1行: 第1行:
 +
[[category:ops]]  [[category:debian]] 
  
[[Salt-ssh批量初始化机器]]
+
=线上一般的结合操作=
= os init=
 
== change sources ==
 
===10源===
 
 
<pre>
 
<pre>
 +
apt  install ufw
 +
ufw enable
  
deb http://mirrors.aliyun.com/debian/ buster main non-free contrib
+
sudo ufw default allow outgoing
deb-src http://mirrors.aliyun.com/debian/ buster main non-free contrib
+
sudo ufw default deny incoming
deb http://mirrors.aliyun.com/debian-security buster/updates main
+
 
deb-src http://mirrors.aliyun.com/debian-security buster/updates main
+
ufw  allow ssh
deb http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
+
ufw  allow  www
deb-src http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
+
 
deb http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
+
etc
deb-src http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
+
 
 +
 
 +
正常返回如下
 +
 
 +
ufw  status
 +
Status: active
 +
 
 +
To                        Action      From
 +
--                         ------     ----
 +
SSH                        ALLOW      Anywhere                 
 +
80/tcp                    ALLOW      Anywhere                 
 +
SSH (v6)                  ALLOW      Anywhere (v6)           
 +
80/tcp (v6)                ALLOW      Anywhere (v6) 
  
 
</pre>
 
</pre>
===9 源===
 
<pre>
 
  
echo 'deb http://mirrors.aliyun.com/debian/ stretch main non-free contrib
+
=*  install=
deb-src http://mirrors.aliyun.com/debian/ stretch main non-free contrib
+
 
deb http://mirrors.aliyun.com/debian-security stretch/updates main
+
apt  install ufw
deb-src http://mirrors.aliyun.com/debian-security stretch/updates main
+
 
deb http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
+
=* Configuration=
deb-src http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
+
<pre>
deb http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib
+
ufw enable
deb-src http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib ' >sources.list
+
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
</pre>
+
Firewall is active and enabled on system startup
  
== ssh config==
 
<pre>
 
echo "ssh-rsa AAAAB3NzaC you_prk_key root@ops
 
"  >> /root/.ssh/authorized_keys
 
  
sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
+
UFW’s defaults are to deny all incoming connections and allow all outgoing connections.
  
sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
+
要确定ufw  status 后有没有规则可见
  
systemctl restart sshd
+
可见 这两个不要手工执行了 默认就有的 现执行就可以连ssh都上不去了
#service  sshd restart
+
ufw default deny incoming
 +
ufw default allow outgoing
  
 +
ufw status verbose
 
</pre>
 
</pre>
==常用软件==
+
 
 +
=* Firewall Rules=
 
<pre>
 
<pre>
useradd -d /data/evan -s /bin/bash -m evan
+
  ufw app list
数m表示如果该目录不存在,则创建该目录
+
   
  
 +
ufw  allow 'SSH'
 +
ufw  allow  22/tcp
 +
ufw  allow WWW #其实就是80
  
apt install net-tools rsync wget firewalld vim  build-essential dnsutils screen  curl sudo lsb-release  iotop software-properties-common  -y  #dig dnsutils
+
   
 +
   
 +
  ufw allow 'Nginx HTTP'
  
#全面的开发工具
 
sudo apt  install git golang build-essential gcc g++ gdb libboost-dev make automake autogen autoconf cscope global cmake cmake-gui astyle clang-format clang llvm lldb libsqlite3-dev sqlite3 bison flex ruby-dev linux-headers-`uname -r`
 
  
 +
ufw allow 53/tcp </pre>
  
#ps
 
apt install procps
 
  
  
安装Fail2Ban
+
==** Port Ranges ==
</pre>
+
<pre>
 +
Port ranges may also be specified, a simple example for tcp would be:
  
[https://www.debian.cn/archives/2880 Debian 安装 fail2ban 方式SSH爆破攻击]
+
  ufw allow 1000:2000/tcp
  
 +
and for udp:
  
[[Debian配置iptables]]
+
  ufw allow 1000:2000/udp</pre>
  
=时间同步=
+
==** IP address==
 +
<pre>An IP address may also be used:
 +
 
 +
ufw allow from 111.222.333.444</pre>
 +
 
 +
=* Deleting Rules=
 
<pre>
 
<pre>
UTC时区切换到CST 时区
+
Rules may be deleted with the following command:
 +
 
 +
ufw delete allow ssh
  
#用这个啦
+
ufw reset
# 设置亚洲时区  tzselect 有时不准备
 
timedatectl set-timezone Asia/Shanghai
 
# 启用NTP同步 #关闭是 false
 
timedatectl set-ntp yes
 
  
  
echo "export TZ='Asia/Shanghai'"  >> /etc/profile 
+
</pre>
cat /etc/profile |grep TZ 
 
source /etc/profile
 
  
date -R  #时区查看
+
=开启/禁用相应端口或服务举例=
date
+
<pre>
Sat Aug 19 17:03:17 CST 2017
+
sudo ufw allow 80 #允许外部访问80端口
 +
sudo ufw delete allow 80 #禁止外部访问80 端口
 +
sudo ufw allow from 192.168.1.1 #允许此IP访问所有的本机端口
 +
sudo ufw deny smtp #禁止外部访问smtp服务,#以服务名代表端口,可以使用less /etc/services列出所有服务信息, 其中包括该服务使用了哪个端口和哪种协议
 +
sudo ufw delete allow smtp #删除上面建立的某条规则,或者sudo ufw delete allow 80/tcp,如果出现无法删除,可以用序号:sudo ufw status numbered,然后通过序号删除sudo ufw delete 1
 +
sudo ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 22 #要拒绝所有的TCP流量从10.0.0.0/8 到192.168.0.1地址的22端口
 +
#可以允许所有RFC1918网络(局域网/无线局域网的)访问这个主机(/8,/16,/12是一种网络分级):
 +
sudo ufw allow from 10.0.0.0/8
 +
sudo ufw allow from 172.16.0.0/12
 +
sudo ufw allow from 192.168.0.0/16
 
</pre>
 
</pre>
 +
=troubleshooting=
 +
<pre>
  
=security=
+
openssh都连接上去
==firewalld==
 
  
详情可见 [[Centos7 firewalld防火墙基础]]
+
这个导致上不了的
 +
ufw default deny incoming
  
[https://computingforgeeks.com/how-to-install-and-configure-firewalld-on-debian/ How To Install and Configure Firewalld on Debian 10]
 
  
[https://ywnz.com/linuxaq/5495.html 在Debian 10(Buster)上安装和配置Firewalld]
+
确定了 不是这个问题  是
 +
ufw  status verbose
 +
Status: active
 +
Logging: on (low)
 +
Default: deny (incoming), allow (outgoing), disabled (routed)
 +
New profiles: skip
  
=参考=
+
To                        Action      From
 +
--                        ------      ----
 +
22/tcp (SSH)              ALLOW IN    Anywhere                 
 +
80/tcp (WWW)              ALLOW IN    Anywhere                 
 +
22/tcp (SSH (v6))          ALLOW IN    Anywhere (v6)           
 +
80/tcp (WWW (v6))          ALLOW IN    Anywhere (v6) 
 +
没有东西 
  
[https://blog.51cto.com/wzlinux/2043586 Ubuntu 新装服务器部署流程]
+
linode 文档得了
  
[https://www.howtoing.com/install-java-in-debian-and-ubuntu 如何在Debian和Ubuntu系统中安装Java 9]
+
如何确定在 ssh这后再deny incoming 呢  参考iptalbes ?
  
[http://www.ruanyifeng.com/blog/2014/03/server_setup.html Linux服务器的初步配置流程]
 
  
[http://spenserj.com/blog/2013/07/15/securing-a-linux-server/ Securing a Linux Server]
 
  
[http://blog.51cto.com/feihan21/1060365 Linux服务器初始化配置脚本]
+
</pre>
 +
 
 +
=* see also=
 +
https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29
  
[https://blog.imdst.com/linux-fu-wu-qi-chu-shi-hua-an-quan-jia-gu/ Linux服务器初始化调优及安全加固]
+
https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/
  
[https://linux.cn/article-5067-1.html 如何使用 fail2ban 防御 SSH 服务器的暴力破解攻击]
 
  
[https://blog.csdn.net/developerinit/article/details/73065229?utm_source=blogxgwz7 Debian的一些常用命令]
+
https://help.ubuntu.com/community/UFW
  
 +
https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server
  
[https://www.cnblogs.com/yoyotl/p/8151409.html Debian 8 设置时区和时间配置]
+
[https://zhuanlan.zhihu.com/p/36646621 ubuntu ufw 防火墙]
[[category:ops]]  [[category:debian]]
 

2020年2月28日 (五) 06:57的版本


线上一般的结合操作

apt  install ufw 
ufw enable 

sudo ufw default allow outgoing
sudo ufw default deny incoming

 ufw  allow ssh 
 ufw  allow  www

etc 


正常返回如下 

 ufw  status 
Status: active

To                         Action      From
--                         ------      ----
SSH                        ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
SSH (v6)                   ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)  

* install

apt  install ufw

* Configuration

 ufw enable 
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup


UFW’s defaults are to deny all incoming connections and allow all outgoing connections.

要确定ufw  status 后有没有规则可见 

可见 这两个不要手工执行了 默认就有的 现执行就可以连ssh都上不去了 
ufw default deny incoming
ufw default allow outgoing

ufw status verbose

* Firewall Rules

 ufw app list
 

 ufw  allow 'SSH'
ufw  allow  22/tcp
 ufw  allow WWW #其实就是80

 
 
 ufw allow 'Nginx HTTP'


ufw allow 53/tcp 


** Port Ranges

Port ranges may also be specified, a simple example for tcp would be:

  ufw allow 1000:2000/tcp

and for udp:

  ufw allow 1000:2000/udp

** IP address

An IP address may also be used:

 ufw allow from 111.222.333.444

* Deleting Rules

Rules may be deleted with the following command:

 ufw delete allow ssh

ufw reset


开启/禁用相应端口或服务举例

sudo ufw allow 80 #允许外部访问80端口
sudo ufw delete allow 80 #禁止外部访问80 端口
sudo ufw allow from 192.168.1.1 #允许此IP访问所有的本机端口
sudo ufw deny smtp #禁止外部访问smtp服务,#以服务名代表端口,可以使用less /etc/services列出所有服务信息, 其中包括该服务使用了哪个端口和哪种协议
sudo ufw delete allow smtp #删除上面建立的某条规则,或者sudo ufw delete allow 80/tcp,如果出现无法删除,可以用序号:sudo ufw status numbered,然后通过序号删除sudo ufw delete 1
sudo ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 22 #要拒绝所有的TCP流量从10.0.0.0/8 到192.168.0.1地址的22端口
#可以允许所有RFC1918网络(局域网/无线局域网的)访问这个主机(/8,/16,/12是一种网络分级):
sudo ufw allow from 10.0.0.0/8
sudo ufw allow from 172.16.0.0/12
sudo ufw allow from 192.168.0.0/16

troubleshooting


openssh都连接上去 

这个导致上不了的 
 ufw default deny incoming


确定了 不是这个问题  是 
ufw  status verbose 
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (SSH)               ALLOW IN    Anywhere                  
80/tcp (WWW)               ALLOW IN    Anywhere                  
22/tcp (SSH (v6))          ALLOW IN    Anywhere (v6)             
80/tcp (WWW (v6))          ALLOW IN    Anywhere (v6)   
没有东西  

linode 文档得了

如何确定在 ssh这后再deny incoming 呢  参考iptalbes ?



* see also

https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29

https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/


https://help.ubuntu.com/community/UFW

https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

ubuntu ufw 防火墙