Summary: This 风哥教程 (Fengge Tutorials) article draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation and describes the configuration and use of the related technologies in detail.
This document describes in detail how to configure and harden Linux network security.
Part01-Network Security Basics
1.1 Network Security Configuration
# View network interfaces and their addresses
$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP>
link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0
# List listening ports together with the owning process
$ sudo ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
tcp LISTEN 0 128 *:80 *:* users:(("nginx",pid=5678,fd=6))
# List all TCP/UDP connections (not only listeners) with their processes
$ sudo ss -tunap
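The `ss` listing above is the raw material for "close unnecessary ports", but reading it by eye does not scale to a fleet. The following is an added example, not code from the original tutorial: it parses `ss -tulpnH` output (the -H flag drops the header) and prints every socket bound to a wildcard address whose protocol/port is not on an allow list. The allow list (tcp/22 and tcp/443), the sample `ss` output and the function name unexpected_listeners are constructed for this example.

```shell
#!/bin/sh
# Added example: report listening sockets exposed on a wildcard address that
# are not on the allow list. Input is `ss -tulpnH` text (-H drops the header).

# Allowed wildcard listeners as proto/port (assumption for this example).
ALLOWED_LISTENERS="tcp/22 tcp/443"

# Constructed sample in the column layout of `ss -tulpnH`; not a real host.
SAMPLE_SS='tcp   LISTEN 0 128   0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=1234,fd=3))
tcp   LISTEN 0 128   *:80            *:*       users:(("nginx",pid=5678,fd=6))
tcp   LISTEN 0 128   127.0.0.1:6379  0.0.0.0:* users:(("redis-server",pid=910,fd=7))
tcp   LISTEN 0 511   [::]:3306       [::]:*    users:(("mysqld",pid=1112,fd=21))
udp   UNCONN 0 0     0.0.0.0:111     0.0.0.0:* users:(("rpcbind",pid=1314,fd=5))'

# Reads ss output on stdin; prints "proto/port process" for each socket bound
# to 0.0.0.0, *, [::] or :: whose proto/port is not in ALLOWED_LISTENERS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_LISTENERS" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    NF >= 5 {
        proto = $1
        laddr = $5
        port = laddr; sub(/.*:/, "", port)       # text after the last colon
        addr = laddr; sub(/:[^:]*$/, "", addr)   # everything before it
        if (addr != "0.0.0.0" && addr != "*" && addr != "[::]" && addr != "::") next
        key = proto "/" port
        if (key in ok) next
        proc = "-"
        if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
        print key, proc
    }'
}

# Live use (root is needed to resolve process names):
#   sudo ss -tulpnH | unexpected_listeners
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
```

On the sample this reports nginx on tcp/80, mysqld on tcp/3306 (bound to the IPv6 wildcard, which is easy to miss) and rpcbind on udp/111; the loopback-only redis listener is not exposed and is not reported. Anything on the report that is not deliberately public should be bound to 127.0.0.1, stopped, or covered by a firewalld rule in Part02.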
# Configure kernel network parameters with sysctl
$ sudo tee /etc/sysctl.d/99-security.conf << 'EOF'
# Do not route between interfaces. Keep 0 on ordinary hosts; a router, or a
# Docker/Kubernetes node, needs ip_forward = 1 (the container runtime sets
# it itself, so re-check the live value after installing one).
net.ipv4.ip_forward = 0
# Do not send ICMP redirects (only routers should)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Ignore ICMP redirects, including those from gateways already in the routing table
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Log packets with impossible source addresses (spoofing attempts)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore broadcast pings (smurf amplification) and bogus ICMP error replies
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN flood resistance: SYN cookies, a larger backlog, fewer retransmits
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Release half-closed and idle connections sooner
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
# IPv6: ignore router advertisements and redirects (static addressing assumed)
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
EOF
# Apply this file now (sysctl --system would reload every drop-in under /etc/sysctl.d)
$ sudo sysctl -p /etc/sysctl.d/99-security.conf
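Writing the drop-in is half the job: a container runtime, a tuned profile or a later drop-in with a higher number can silently change the live values. The following is an added example, not part of the original tutorial, that compares the key = value lines of a desired sysctl file with `sysctl -a` output and reports drift and missing keys. The desired and current settings below are constructed samples (a runtime has re-enabled forwarding), and the function names sysctl_drift and demo_drift are the example's own.

```shell
#!/bin/sh
# Added example: compare a desired sysctl drop-in with the live kernel values.
# sysctl_drift FILE reads "key = value" lines (the `sysctl -a` format) on
# stdin and prints "key desired actual" for every key in FILE that differs,
# or "key desired missing" when the key does not appear in the input.
sysctl_drift() {
    awk -F' *= *' '
        # First file: the desired settings; skip comments and blank lines.
        NR == FNR { if ($0 !~ /^ *(#|$)/) want[$1] = $2; next }
        # Second input (stdin): live values for the keys we care about.
        ($1 in want) { seen[$1] = 1; if ($2 != want[$1]) print $1, want[$1], $2 }
        END { for (k in want) if (!(k in seen)) print k, want[k], "missing" }
    ' "$1" -
}

# Constructed desired settings (a subset of 99-security.conf above).
DESIRED='# hardening subset
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1'

# Constructed `sysctl -a` excerpt: a container runtime has turned forwarding
# back on, redirects are accepted, and log_martians is not reported at all.
CURRENT='net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.default.rp_filter = 1'

# Runs the comparison on the constructed samples; prints three drift lines.
demo_drift() {
    tmp=$(mktemp)
    printf '%s\n' "$DESIRED" > "$tmp"
    printf '%s\n' "$CURRENT" | sysctl_drift "$tmp"
    rm -f "$tmp"
}

# Live use:  sudo sysctl -a 2>/dev/null | sysctl_drift /etc/sysctl.d/99-security.conf
demo_drift
```

Run against a real host, an empty result means every key in the drop-in is live with the intended value; a "missing" line usually means a typo in the key name, which `sysctl -p` reports only once, at load time.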
# Disable unneeded kernel modules. "install X /bin/true" makes modprobe run
# /bin/true instead of loading X; it does not unload a module that is already
# loaded (check with lsmod, remove with modprobe -r, or reboot).
$ sudo tee /etc/modprobe.d/disable-modules.conf << 'EOF'
# Rarely used filesystems
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
# squashfs is required by snap packages; drop this line if you use them
install squashfs /bin/true
install udf /bin/true
# vfat is required to mount the EFI system partition (/boot/efi) on UEFI
# systems; drop this line there
install vfat /bin/true
# USB mass storage
install usb-storage /bin/true
# Uncommon network protocols
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
EOF
Part02-Firewall Configuration
2.1 Configure firewalld
# Check that firewalld is running
$ sudo firewall-cmd --state
running
# Show the default zone
$ sudo firewall-cmd --get-default-zone
public
# Show the rules of the active zone
$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Allow services (--permanent writes the config; --reload activates it)
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload
# Allow a port
$ sudo firewall-cmd --permanent --add-port=8080/tcp
$ sudo firewall-cmd --reload
# Restrict a service to a source network (SSH only from the LAN)
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
$ sudo firewall-cmd --reload
# Block a single IP
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.100" reject'
$ sudo firewall-cmd --reload
# Port forwarding (80 -> 8080 on this host)
$ sudo firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080
$ sudo firewall-cmd --reload
# NAT (masquerading). Only for a gateway: masquerading needs IP forwarding,
# which Part01 disabled with net.ipv4.ip_forward = 0; firewalld turns
# forwarding on itself while masquerade is active.
$ sudo firewall-cmd --permanent --zone=public --add-masquerade
$ sudo firewall-cmd --reload
# Custom zone for an internal network. "internal" is one of firewalld's
# predefined zones, so --new-zone=internal fails with NAME_CONFLICT; use a
# name that does not exist yet (here: lan).
$ sudo firewall-cmd --permanent --new-zone=lan
$ sudo firewall-cmd --permanent --zone=lan --add-source=192.168.2.0/24
$ sudo firewall-cmd --permanent --zone=lan --add-service=ssh
$ sudo firewall-cmd --permanent --zone=lan --add-service=http
$ sudo firewall-cmd --reload
# Direct rules (raw iptables syntax): the first rule records every new SSH
# connection per source address, the second drops a new connection once the
# source has 4 or more within 60 s. The direct interface is deprecated since
# firewalld 1.0; prefer zones, policies and rich rules where they suffice.
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
$ sudo firewall-cmd --reload
Part03-Intrusion Detection
3.1 Configure Intrusion Detection
# fail2ban is in EPEL on RHEL and its derivatives; enable that repository first
$ sudo dnf install -y fail2ban
# Configure fail2ban (local overrides go in jail.local; never edit jail.conf)
$ sudo tee /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# Never ban these addresses; add your management hosts here
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5
backend = auto
usedns = warn
# destemail is only used by a mailing action, e.g. action = %(action_mw)s
destemail = admin@fgedu.net.cn
sendername = Fail2Ban
mta = sendmail
[sshd]
enabled = true
port = ssh
filter = sshd
# RHEL family logs sshd to /var/log/secure; the Debian family uses /var/log/auth.log
logpath = /var/log/secure
maxretry = 3
bantime = 3600
findtime = 600
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600
[nginx-limit-req]
enabled = true
port = http,https
filter = nginx-limit-req
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /var/log/nginx/access.log
maxretry = 2
bantime = 86400
EOF
# Start fail2ban and enable it at boot
$ sudo systemctl start fail2ban
$ sudo systemctl enable fail2ban
# Check the status of the sshd jail
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 5
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.1.50
# Unban an IP
$ sudo fail2ban-client set sshd unbanip 192.168.1.50
# Install rkhunter (EPEL)
$ sudo dnf install -y rkhunter
# Update the rkhunter data files
$ sudo rkhunter --update
# Record the file-properties baseline on a known-clean system before the
# first scan; without it every later check reports the installed binaries as changed
$ sudo rkhunter --propupd
# Scan the system (--sk skips the keypress between test groups)
$ sudo rkhunter --check --sk
# Install ClamAV (EPEL)
$ sudo dnf install -y clamav clamd
# Update the virus database
$ sudo freshclam
# Scan files
$ sudo clamscan -r /home
# Schedule a daily scan (cron runs every executable in /etc/cron.daily)
$ sudo tee /etc/cron.daily/clamscan << 'EOF'
#!/bin/bash
# Daily ClamAV scan: append each run to the log, mail the report only when
# clamscan finds infected files (exit 1) or fails (exit 2).
SCAN_DIR="/home"
LOG_DIR="/var/log/clamav"
LOG_FILE="$LOG_DIR/clamscan.log"
ALERT_TO="admin@fgedu.net.cn"
mkdir -p "$LOG_DIR"
REPORT=$(mktemp)
/usr/bin/clamscan -r -i "$SCAN_DIR" > "$REPORT" 2>&1
STATUS=$?
{ date '+%F %T'; cat "$REPORT"; } >> "$LOG_FILE"
case $STATUS in
    1) mail -s "ClamAV Alert: infected files under $SCAN_DIR" "$ALERT_TO" < "$REPORT" ;;
    2) mail -s "ClamAV Error: scan of $SCAN_DIR failed" "$ALERT_TO" < "$REPORT" ;;
esac
rm -f "$REPORT"
EOF
$ sudo chmod +x /etc/cron.daily/clamscan
1. Configure firewall rules
2. Close unnecessary ports
3. Configure intrusion detection
4. Run regular security scans
5. Monitor network activity
Compiled and published by 风哥教程 for learning and testing only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
