2022-11-10 400
通过防火墙策略限制对外扫描行为
请您根据您的服务器操作系统,下载对应的脚本运行,运行后您的防火墙策略会封禁对外发包的行为,确保您的主机不会再出现恶意发包的情况,为您进行后续数据备份操作提供足够的时间。
Window2003的批处理文件
@rem 配置windows2003系统的IP安全策略
@rem version 3.0 time:2014-5-12
netsh ipsec static add policy name=drop
netsh ipsec static add filterlist name=drop_port
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=21 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=22 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=23 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=25 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=53 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=80 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=135 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=139 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=443 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=445 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1314 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1433 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1521 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=2222 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3306 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3433 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3389 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=4899 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=8080 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=18186 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any protocol=UDP mirrored=no
netsh ipsec static add filteraction name=denyact action=block
netsh ipsec static add rule name=kill policy=drop filterlist=drop_port filteraction=denyact
netsh ipsec static set policy name=drop assign=yWindow2008的批处理文件
@rem 配置windows2008系统的IP安全策略
@rem version 3.0 time:2014-5-12
@rem 重置防火墙使用默认规则
netsh firewall reset
netsh firewall set service remotedesktop enable all
@rem 配置高级windows防火墙
netsh advfirewall firewall add rule name="drop" protocol=TCP dir=out remoteport="21,22,23,25,53,80,135,139,443,445,1433,1314,1521,2222,3306,3433,3389,4899,8080,18186" action=block
netsh advfirewall firewall add rule name="dropudp" protocol=UDP dir=out remoteport=any action=blockLinux系统脚本
#!/bin/bash
#########################################
#Function: linux drop port
#Usage: bash linux_drop_port.sh
#Author: Customer Service Department
#Company: Alibaba Cloud Computing
#Version: 2.0
#########################################
check_os_release()
{
while true
do
os_release=$(grep "Red Hat Enterprise Linux Server release"/etc/issue 2>/dev/null)
os_release_2=$(grep "Red Hat Enterprise Linux Server release"/etc/redhat-release 2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep "release 5" >/dev/null2>&1
then
os_release=redhat5
echo "$os_release"
elif echo "$os_release"|grep "release 6">/dev/null 2>&1
then
os_release=redhat6
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
os_release=$(grep "Aliyun Linux release" /etc/issue2>/dev/null)
os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep "release 5" >/dev/null2>&1
then
os_release=aliyun5
echo "$os_release"
elif echo "$os_release"|grep "release 6">/dev/null 2>&1
then
os_release=aliyun6
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
os_release_2=$(grep "CentOS release" /etc/*release2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep "release 5" >/dev/null2>&1
then
os_release=centos5
echo "$os_release"
elif echo "$os_release"|grep "release 6">/dev/null 2>&1
then
os_release=centos6
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep "Ubuntu 10" >/dev/null2>&1
then
os_release=ubuntu10
echo "$os_release"
elif echo "$os_release"|grep "Ubuntu 12.04">/dev/null 2>&1
then
os_release=ubuntu1204
echo "$os_release"
elif echo "$os_release"|grep "Ubuntu 12.10">/dev/null 2>&1
then
os_release=ubuntu1210
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep "Linux 6" >/dev/null2>&1
then
os_release=debian6
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
if [ "$os_release" ] && [ "$os_release_2" ]
then
if echo "$os_release"|grep"13.1" >/dev/null 2>&1
then
os_release=opensuse131
echo "$os_release"
else
os_release=""
echo "$os_release"
fi
break
fi
break
done
}
exit_script()
{
echo -e "\033[1;40;31mInstall $1 error,will exit.\n\033[0m"
rm-f $LOCKfile
exit 1
}
config_iptables()
{
iptables -I OUTPUT 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j DROP
iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j DROP
iptables -I OUTPUT 3 -p udp -j DROP
iptables -nvL
}
ubuntu_config_ufw()
{
ufwdeny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
ufwdeny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
ufwdeny out proto udp to any
ufwstatus
}
####################Start###################
#check lock file ,one time only let thescript run one time
LOCKfile=/tmp/.$(basename $0)
if [ -f "$LOCKfile" ]
then
echo -e "\033[1;40;31mThe script is already exist,please next timeto run this script.\n\033[0m"
exit
else
echo -e "\033[40;32mStep 1.No lock file,begin to create lock fileand continue.\n\033[40;37m"
touch $LOCKfile
fi
#check user
if [ $(id -u) != "0" ]
then
echo -e "\033[1;40;31mError: You must be root to run this script,please use root to execute this script.\n\033[0m"
rm-f $LOCKfile
exit 1
fi
echo -e "\033[40;32mStep 2.Begen tocheck the OS issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ "X$os_release" =="X" ]
then
echo -e "\033[1;40;31mThe OS does not identify,So this script isnot executede.\n\033[0m"
rm-f $LOCKfile
exit 0
else
echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"
fi
echo -e "\033[40;32mStep 3.Begen toconfig firewall.\n\033[40;37m"
case "$os_release" in
redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
service iptables start
config_iptables
;;
debian6)
config_iptables
;;
ubuntu10|ubuntu1204|ubuntu1210)
ufwenable <<EOF
y
EOF
ubuntu_config_ufw
;;
opensuse131)
config_iptables
;;
esac
echo -e "\033[40;32mConfig firewallsuccess,this script now exit!\n\033[40;37m"
rm -f $LOCKfile上述文件下载到机器内部直接执行即可。
设置iptables,限制访问
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -P INPUT DROP
service iptables save以上脚本,在每次重装完系统后执行一次即可,其配置会保存至/etc/sysconfig/iptables
以上所述是小编给大家介绍的阿里云windows服务器安全设置(防火墙策略),希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对77isp云服务器技术网的支持! 如果你觉得本文对你有帮助,欢迎转载,烦请注明出处,谢谢!原文链接:https://77isp.com/post/12948.html
=========================================
https://77isp.com/ 为 “云服务器技术网” 唯一官方服务平台,请勿相信其他任何渠道。
数据库技术 2022-03-28
网站技术 2022-11-26
网站技术 2023-01-07
网站技术 2022-11-17
Windows相关 2022-02-23
网站技术 2023-01-14
Windows相关 2022-02-16
Windows相关 2022-02-16
Linux相关 2022-02-27
数据库技术 2022-02-20
抠敌 2023年10月23日
嚼餐 2023年10月23日
男忌 2023年10月22日
瓮仆 2023年10月22日
簿偌 2023年10月22日
扫码二维码
获取最新动态
