Difference between pages "Debian iptables防火墙基础" (Debian iptables firewall basics) and "Debian服务器初始化" (Debian server initialization)

From the linux中国网 wiki
(Difference between pages)
 
 
第1行: 第1行:
  
=install =
+
[[Salt-ssh批量初始化机器]]
apt install iptables
+
= os init=
Debian已有firewalld 放弃iptables
+
== change sources ==
 +
===10源===
 +
<pre>
  
好像系统是自带的呢
+
deb http://mirrors.aliyun.com/debian/ buster main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ buster main non-free contrib
 +
deb http://mirrors.aliyun.com/debian-security buster/updates main
 +
deb-src http://mirrors.aliyun.com/debian-security buster/updates main
 +
deb http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
 +
deb http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
  
 +
</pre>
 +
===9 源===
 +
<pre>
  
[[Debian配置iptables]]
+
echo 'deb http://mirrors.aliyun.com/debian/ stretch main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ stretch main non-free contrib
 +
deb http://mirrors.aliyun.com/debian-security stretch/updates main
 +
deb-src http://mirrors.aliyun.com/debian-security stretch/updates main
 +
deb http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
 +
deb http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib
 +
deb-src http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib ' >sources.list
 +
</pre>
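Review bot: the Debian 9 block ends with `' >sources.list`, which writes the mirror list to a file named sources.list in the current working directory, not to /etc/apt/sources.list, so apt keeps using whatever mirrors were configured before. Redirect to /etc/apt/sources.list (after backing up the existing file) and follow with `apt update`; the Debian 10 block above it has no redirect at all, so the two blocks should at least be made consistent about what the reader is expected to do with the lines.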
  
=来几个小例子=
+
== ssh config==
 
<pre>
 
<pre>
#这个多端口应该是不行的
+
echo "ssh-rsa AAAAB3NzaC you_prk_key root@ops
iptables -A INPUT -p tcp -m muliport --dports 21,22,25,80,110 -j ACCEPT
+
"  >> /root/.ssh/authorized_keys
  
iptables -A INPUT -p tcp -m muliport --dports 21,22,25,80,110 -j DROP
+
sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
  
iptables -L -n --line-number
+
sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
  
查看设置的规则: sudo iptables -nvL --line-numbers
+
systemctl restart sshd
插入一条规则到INPUT链第6的位置: sudo iptables -I INPUT 6 -j DROP
+
#service  sshd restart
修改INPUT链的第6条规则: sudo iptables -R INPUT 6 -j ACCEPT
 
删除INPUT链第6条规则: sudo iptables -D INPUT 6
 
  
#保存配置  但是这个保存 机器重启就没了
 
iptables-save
 
 
</pre>
 
</pre>
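Review bot: `sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g"` only matches a line that is already uncommented, but a stock Debian sshd_config ships it as `#PasswordAuthentication yes`, so the substitution is a no-op and password logins remain enabled after `systemctl restart sshd`. Match an optional leading `#` instead (for example `s/^#\?PasswordAuthentication .*/PasswordAuthentication no/`), run `sshd -t` before restarting, and confirm a key-based login from a second session before closing the current one. The authorized_keys step should be preceded by `mkdir -p -m 700 /root/.ssh` and followed by `chmod 600 /root/.ssh/authorized_keys`, and the `you_prk_key` placeholder should make clear that the public key goes into this file.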
 +
==常用软件==
 +
<pre>
 +
useradd -d /data/evan  -s /bin/bash -m  evan
 +
数m表示如果该目录不存在,则创建该目录
 +
 +
 +
apt install net-tools  rsync wget  firewalld  vim  build-essential dnsutils screen  curl sudo lsb-release  iotop software-properties-common  -y  #dig dnsutils
  
==官方例子==
+
#全面的开发工具
<pre>
+
sudo apt install git golang build-essential gcc g++ gdb libboost-dev make automake autogen autoconf cscope global cmake cmake-gui astyle clang-format clang llvm lldb libsqlite3-dev sqlite3 bison flex ruby-dev linux-headers-`uname -r`
*filter
 
 
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
 
-A INPUT -i lo -j ACCEPT
 
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
 
# Accepts all established inbound connections
 
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 
# Allows all outbound traffic
 
# You could modify this to only allow certain traffic
 
-A OUTPUT -j ACCEPT
 
   
 
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
 
-A INPUT -p tcp --dport 80 -j ACCEPT
 
-A INPUT -p tcp --dport 443 -j ACCEPT
 
 
# Allows SSH connections for script kiddies
 
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
 
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 
 
# Now you should read up on iptables rules and consider whether ssh access
 
# for everyone is really desired. Most likely you will only allow access from certain IPs.
 
 
# Allow ping
 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 
 
# log iptables denied calls (access via 'dmesg' command)
 
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 
 
# Reject all other inbound - default deny unless explicitly allowed policy:
 
-A INPUT -j REJECT
 
-A FORWARD -j REJECT
 
 
COMMIT
 
</pre>
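Review bot: the explanation under `useradd` reads `数m表示…`; it should read `参数 -m 表示…` (the -m option creates the home directory if it is missing). The section also does not say how `evan` is expected to log in: `useradd` leaves the password locked, so either install the user's public key into /data/evan/.ssh/authorized_keys or add the account to the sudo group if it is meant to replace root for day-to-day administration; as written, only root has a key.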
 
  
  
=开机自启动 自动加载实现=
+
#ps
 +
apt install procps
  
== iptables-persistent==
 
<pre>
 
apt  install iptables-persistent
 
  
Save your firewall rules with this command:
+
安装Fail2Ban
     
+
  </pre>
debain9  or Ubuntu 16.04 Server
 
netfilter-persistent save #这个为保存
 
netfilter-persistent reload
 
  
用iptables 删除的 好像不生效  只能在 配置 文件 /etc/iptables/rules.v4 删除
+
[https://www.debian.cn/archives/2880 Debian 安装 fail2ban 方式SSH爆破攻击]
</pre>
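Review bot: this section only links to a fail2ban how-to; the step itself (`apt install fail2ban` plus a jail.local that enables the sshd jail) is missing. Because the software list installs firewalld and the page drops iptables, fail2ban's default banaction (iptables-multiport) should be changed to `firewallcmd-ipset` in jail.local; otherwise bans land in iptables chains that firewalld neither shows in `firewall-cmd --list-all` nor manages on reload.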
 
  
== 写入文件 ==
 
<pre>
 
1、将iptables配置保存到/etc/iptables,这个文件名可以自己定义,与下面的配置一致即可
 
  
iptables-save > /etc/iptables
+
[[Debian配置iptables]]
  
2、创建自启动配置文件,并授于可执行权限
+
=时间同步=
touch /etc/network/if-pre-up.d/iptables
+
<pre>
chmod +x /etc/network/if-pre-up.d/iptables
+
UTC时区切换到CST 时区
  
3、编辑该自启动配置文件,内容为启动网络时恢复iptables配置
+
#用这个啦
vim /etc/network/if-pre-up.d/iptables
+
# 设置亚洲时区
 +
timedatectl set-timezone Asia/Shanghai
 +
# 启用NTP同步 #关闭是 false
 +
timedatectl set-ntp yes
  
文件内容如下:
 
#!/bin/sh
 
/sbin/iptables-restore < /etc/iptables
 
 
4、:wq保存配置文件并退出即可,以后在修改完iptables配置之后只要再次执行下面的命令保存即可
 
iptables-save > /etc/iptables
 
  
 +
echo "export TZ='Asia/Shanghai'"  >> /etc/profile 
 +
cat /etc/profile |grep TZ 
 +
source /etc/profile
 +
date -R
 +
date
 +
Sat Aug 19 17:03:17 CST 2017
 
</pre>
 
</pre>
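Review bot: once `timedatectl set-timezone Asia/Shanghai` has been run, the `export TZ` appended to /etc/profile is redundant, and it only affects interactive login shells, not daemons, cron or logs, which read /etc/localtime; drop it rather than have readers depend on it. `timedatectl set-ntp yes` requires a running systemd-timesyncd, so verify with `timedatectl status` (the synchronized and NTP service lines) rather than only with `date`. Minor: `cat /etc/profile |grep TZ` is just `grep TZ /etc/profile`.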
  
 +
=security=
 +
==firewalld==
  
https://packages.debian.org/search?keywords=iptables-persistent
+
详情可见 [[Centos7 firewalld防火墙基础]]
  
=参考=
+
[https://computingforgeeks.com/how-to-install-and-configure-firewalld-on-debian/ How To Install and Configure Firewalld on Debian 10]
  
https://wiki.debian.org/iptables
+
[https://ywnz.com/linuxaq/5495.html 在Debian 10(Buster)上安装和配置Firewalld]
  
https://wiki.debian.org/DebianFirewall
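Review bot: firewalld is installed in the software list but never enabled or configured on this page; the section only defers to the CentOS 7 page. Add `systemctl enable --now firewalld`, then check `firewall-cmd --get-default-zone` and `firewall-cmd --list-all` to confirm the ssh service is still allowed before disconnecting. If iptables-persistent rules from the old page are still loaded on the same host, the two rule sets overlap and the effective policy becomes hard to reason about; keep one firewall mechanism.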
+
=参考=
  
 +
[https://blog.51cto.com/wzlinux/2043586 Ubuntu 新装服务器部署流程]
  
[http://www.slyar.com/blog/vps-debian-iptables.html VPS安全之iptables基本配置(Debian)]
+
[https://www.howtoing.com/install-java-in-debian-and-ubuntu 如何在Debian和Ubuntu系统中安装Java 9]
  
[http://blog.linuxchina.net/?p=2813 myblog Ubuntu使用ufw或iptables配置防火墙]
+
[http://www.ruanyifeng.com/blog/2014/03/server_setup.html Linux服务器的初步配置流程]
  
[https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently Saving Iptables Firewall Rules Permanently]
+
[http://spenserj.com/blog/2013/07/15/securing-a-linux-server/ Securing a Linux Server]
  
[http://chuansong.me/n/1490519851248 Debian/Ubuntu下使用iptables-persistent持久化iptables规则]
+
[http://blog.51cto.com/feihan21/1060365 Linux服务器初始化配置脚本]
  
[https://linuxconfig.org/how-to-install-missing-ifconfig-command-on-debian-linux How to install missing ifconfig command on Debian ]
+
[https://blog.imdst.com/linux-fu-wu-qi-chu-shi-hua-an-quan-jia-gu/ Linux服务器初始化调优及安全加固]
  
[http://salogs.com/news/2015/08/20/iptables-save/ 保存iptable规则并开机自动加载]
+
[https://linux.cn/article-5067-1.html 如何使用 fail2ban 防御 SSH 服务器的暴力破解攻击]
  
[https://www.tennfy.com/2552.html Debian VPS下使用iptables防火墙]
+
[https://blog.csdn.net/developerinit/article/details/73065229?utm_source=blogxgwz7 Debian的一些常用命令]
  
  
  [[category:ops]]   [[category:Security]]
+
[https://www.cnblogs.com/yoyotl/p/8151409.html Debian 8 设置时区和时间配置]
 +
  [[category:ops]] [[category:debian]]

Revision as of 06:35, 27 February 2020 (Thu)

Salt-ssh batch initialization of machines

os init

change sources

Debian 10 sources


deb http://mirrors.aliyun.com/debian/ buster main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster main non-free contrib
deb http://mirrors.aliyun.com/debian-security buster/updates main
deb-src http://mirrors.aliyun.com/debian-security buster/updates main
deb http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib

Debian 9 sources


echo 'deb http://mirrors.aliyun.com/debian/ stretch main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch main non-free contrib
deb http://mirrors.aliyun.com/debian-security stretch/updates main
deb-src http://mirrors.aliyun.com/debian-security stretch/updates main
deb http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib
deb-src http://mirrors.aliyun.com/debian/ stretch-backports main non-free contrib ' > /etc/apt/sources.list
# then refresh the package index against the new mirrors
apt update

ssh config

mkdir -p -m 700 /root/.ssh
echo "ssh-rsa AAAAB3NzaC you_prk_key root@ops
"  >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config

# the stock Debian file ships this line commented out, so match an optional leading '#'
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config

# validate the config before restarting, and test a key login from a second session first
sshd -t && systemctl restart sshd
#service  sshd restart
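Added example (not from the original wiki page): a small POSIX shell helper that applies the three sshd settings this section cares about and also works when the directive is still commented out, which is how a stock Debian sshd_config ships (`#PasswordAuthentication yes`), so password logins really are disabled. The function names are my own, it assumes GNU sed, and it assumes the directives are not inside a `Match` block.

```shell
#!/bin/sh
# Idempotently set sshd_config directives; a plain "sed s/^Key yes/Key no/"
# silently misses a line that is still commented out.
set -e

# set_sshd_option FILE KEY VALUE
# Rewrite any "KEY ..." or "#KEY ..." line at the start of a line as "KEY VALUE";
# append "KEY VALUE" when no such line exists.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^#?[[:space:]]*$key"'([[:space:]]|$)' "$file"; then
        sed -i -E "s|^#?[[:space:]]*$key"'([[:space:]].*)?$|'"$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE
# Key auth on, password auth off, root only via key (Debian's default, made explicit).
harden_sshd_config() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin prohibit-password
}

# effective_value FILE KEY
# Print the value of the first uncommented KEY line (what sshd will actually use).
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Typical use on the real host (assumed path; run as root, validate, then restart):
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```

Run it against a copy of /etc/ssh/sshd_config first and diff the result; `sshd -t` then catches any syntax error before the daemon is restarted.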

Commonly used software

useradd -d /data/evan  -s /bin/bash -m  evan
The -m parameter creates the home directory if it does not already exist.


apt install net-tools  rsync wget  firewalld  vim  build-essential dnsutils screen  curl sudo lsb-release  iotop software-properties-common  -y  #dig dnsutils 

# full set of development tools
sudo apt  install git golang build-essential gcc g++ gdb libboost-dev make automake autogen autoconf cscope global cmake cmake-gui astyle clang-format clang llvm lldb libsqlite3-dev sqlite3 bison flex ruby-dev linux-headers-`uname -r`


# provides ps
apt install procps


Install Fail2Ban
 

Debian: install fail2ban to defend against SSH brute-force attacks


Configuring iptables on Debian

Time synchronization

Switch the time zone from UTC to CST

# use this method
# set the Asia/Shanghai time zone
timedatectl set-timezone Asia/Shanghai
# enable NTP synchronization (false disables it)
timedatectl set-ntp yes


echo "export TZ='Asia/Shanghai'"  >> /etc/profile
grep TZ /etc/profile
source /etc/profile
date -R
date
Sat Aug 19 17:03:17 CST 2017

security

firewalld

For details see Centos7 firewalld防火墙基础 (CentOS 7 firewalld firewall basics)

How To Install and Configure Firewalld on Debian 10

Installing and configuring Firewalld on Debian 10 (Buster)

References

Deployment workflow for a newly installed Ubuntu server

How to install Java 9 on Debian and Ubuntu

Initial configuration workflow for a Linux server

Securing a Linux Server

Linux server initialization configuration script

Linux server initialization: tuning and security hardening

How to use fail2ban to defend an SSH server against brute-force attacks

Some commonly used Debian commands


Debian 8 time zone and time configuration