
it教程FG381-网络安全防护

内容大纲

1. 网络安全防护概述

网络安全防护是指通过各种技术和管理措施,保护网络系统和数据免受未授权访问、攻击和破坏的过程。随着网络攻击的日益复杂和频繁,网络安全防护已成为企业IT基础设施的重要组成部分。

网络安全防护的核心目标包括:

  • 保护网络基础设施
  • 防止未授权访问
  • 保护敏感数据
  • 确保业务连续性
  • 符合法规要求


2. 防火墙配置

2.1 防火墙类型

# 配置Linux iptables防火墙
# 查看当前规则
$ iptables -L -n

# 清除现有规则
$ iptables -F
$ iptables -X
$ iptables -Z

# 设置默认策略(若通过远程SSH会话操作,应先添加下方的放行规则,再把INPUT默认策略改为DROP,否则当前会话会被立即切断)
$ iptables -P INPUT DROP
$ iptables -P FORWARD DROP
$ iptables -P OUTPUT ACCEPT

# 允许本地回环
$ iptables -A INPUT -i lo -j ACCEPT

# 允许已建立的连接
$ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 允许SSH访问
$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# 允许HTTP和HTTPS访问
$ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# 保存规则
$ iptables-save > /etc/iptables/rules.v4

# 查看规则
$ iptables -L -n

2.2 企业防火墙配置

# Cisco ASA防火墙配置
configure terminal

# 设置接口
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.0.113.1 255.255.255.0
no shutdown

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown

# 创建访问控制列表
access-list outside_in extended permit tcp any host 203.0.113.10 eq ssh
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq https

# 应用访问控制列表
access-group outside_in in interface outside

# 配置NAT
object network web-server
host 192.168.1.10

object network web-server
nat (inside,outside) static 203.0.113.10

# 保存配置
write memory

# 查看配置
show running-config

风哥提示:防火墙是网络安全的第一道防线,需要根据业务需求合理配置规则,确保只允许必要的流量通过。

3. IDS/IPS系统

3.1 Snort配置

# 安装Snort
$ apt-get update
$ apt-get install snort

# 配置Snort
$ vim /etc/snort/snort.conf

# 设置网络变量
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET

# 配置规则文件
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules

# 创建本地规则
$ vim /etc/snort/rules/local.rules

# 添加规则
alert tcp any any -> $HOME_NET 22 (msg:"SSH access attempt"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP access"; sid:1000002; rev:1;)

# 测试Snort配置
$ snort -T -c /etc/snort/snort.conf

# 运行Snort
$ snort -A console -c /etc/snort/snort.conf -i eth0

# 查看告警
# 当有匹配规则的流量时,Snort会在控制台输出告警信息

3.2 Suricata配置

# 安装Suricata
$ apt-get update
$ apt-get install suricata

# 配置Suricata
$ vim /etc/suricata/suricata.yaml

# 设置网络变量
HOME_NET: "[192.168.1.0/24]"
EXTERNAL_NET: "!$HOME_NET"

# 配置规则
rule-files:
  - community.rules
  - local.rules

# 创建本地规则
$ vim /etc/suricata/rules/local.rules

# 添加规则
alert tcp any any -> $HOME_NET 22 (msg:"SSH access attempt"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP access"; sid:1000002; rev:1;)

# 测试Suricata配置
$ suricata -T -c /etc/suricata/suricata.yaml

# 运行Suricata
$ suricata -c /etc/suricata/suricata.yaml -i eth0

# 查看告警
$ tail -f /var/log/suricata/fast.log

3.3 SIEM集成

# 安装ELK Stack
$ apt-get update
$ apt-get install docker docker-compose

# 注意:此示例未启用 Elasticsearch/Kibana 的身份认证,9200/5601 端口不应暴露到不受信任的网络。
$ cat docker-compose.yml
version: '3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.14.0
    environment:
      - discovery.type=single-node
    ports:
      - "9200:9200"
  logstash:
    image: docker.elastic.co/logstash/logstash:7.14.0
    volumes:
      - ./logstash.conf:/etc/logstash/conf.d/logstash.conf
    ports:
      - "5044:5044"
  kibana:
    image: docker.elastic.co/kibana/kibana:7.14.0
    ports:
      - "5601:5601"

$ cat logstash.conf
input {
  file {
    path => "/var/log/suricata/fast.log"
    start_position => "beginning"
  }
}

filter {
  grok {
    match => {
      "message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} %{WORD:program}: \[%{NUMBER:alert_id}\] %{WORD:alert_type}: %{DATA:alert_message}; %{DATA:protocol} %{IP:src_ip}:%{NUMBER:src_port} -> %{IP:dst_ip}:%{NUMBER:dst_port}"
    }
  }
}

output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    index => "suricata-alerts-%{+YYYY.MM.dd}"
  }
}

# 启动ELK Stack
$ docker-compose up -d

# 访问Kibana
# 打开浏览器访问 http://fgedudb:5601


4. VPN配置

4.1 OpenVPN配置

# 安装OpenVPN
$ apt-get update
$ apt-get install openvpn easy-rsa

# 初始化PKI
$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca
$ source vars
$ ./clean-all
$ ./build-ca

# 生成服务器证书
$ ./build-key-server server

# 生成Diffie-Hellman参数
$ ./build-dh

# 生成客户端证书
$ ./build-key client1

# 配置OpenVPN服务器
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
$ gunzip /etc/openvpn/server.conf.gz
$ vim /etc/openvpn/server.conf

# 修改配置
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

# 复制证书和密钥
$ cp ~/openvpn-ca/keys/ca.crt /etc/openvpn/
$ cp ~/openvpn-ca/keys/server.crt /etc/openvpn/
$ cp ~/openvpn-ca/keys/server.key /etc/openvpn/
$ cp ~/openvpn-ca/keys/dh.pem /etc/openvpn/

# 启动OpenVPN服务
$ systemctl start openvpn@server
$ systemctl enable openvpn@server

# 配置客户端
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client1.ovpn
$ vim ~/client1.ovpn

# 修改客户端配置
client
dev tun
proto udp
remote your-server-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

# 复制客户端证书和密钥
$ cp ~/openvpn-ca/keys/ca.crt ~/
$ cp ~/openvpn-ca/keys/client1.crt ~/
$ cp ~/openvpn-ca/keys/client1.key ~/

4.2 IPsec VPN配置

# 安装StrongSwan
$ apt-get update
$ apt-get install strongswan strongswan-pki

# 生成证书
$ mkdir -p ~/pki/{private,certs}
$ chmod 700 ~/pki/private

# 生成CA证书
$ ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem
$ ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem --type rsa --dn "C=CN, O=Example, CN=Example CA" --outform pem > ~/pki/certs/ca-cert.pem

# 生成服务器证书
$ ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem
$ ipsec pki --pub --in ~/pki/private/server-key.pem --type rsa | ipsec pki --issue --lifetime 1825 --cacert ~/pki/certs/ca-cert.pem --cakey ~/pki/private/ca-key.pem --dn "C=CN, O=Example, CN=server.fgedu.net.cn" --san "server.fgedu.net.cn" --outform pem > ~/pki/certs/server-cert.pem

# 复制证书
$ cp ~/pki/certs/ca-cert.pem /etc/ipsec.d/cacerts/
$ cp ~/pki/certs/server-cert.pem /etc/ipsec.d/certs/
$ cp ~/pki/private/server-key.pem /etc/ipsec.d/private/

# 配置StrongSwan
$ vim /etc/ipsec.conf

# 添加配置
config setup
charondebug="all"
uniqueids=yes

conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@server.fgedu.net.cn
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%any

# 配置用户
$ vim /etc/ipsec.secrets

# 添加用户
: RSA server-key.pem
user : EAP "password"

# 重启StrongSwan
$ systemctl restart strongswan
$ systemctl enable strongswan

# 查看状态
$ ipsec statusall


5. 访问控制

5.1 网络访问控制

# 配置VLAN
$ vim /etc/network/interfaces

# 添加VLAN配置
auto eth0.10
iface eth0.10 inet static
address 192.168.10.1
netmask 255.255.255.0

auto eth0.20
iface eth0.20 inet static
address 192.168.20.1
netmask 255.255.255.0

# 重启网络
$ systemctl restart networking

# 配置ACL
$ vim /etc/iptables/rules.v4

# 添加ACL规则
# 允许VLAN 10访问VLAN 20的Web服务
-A FORWARD -s 192.168.10.0/24 -d 192.168.20.0/24 -p tcp --dport 80 -j ACCEPT
# 拒绝其他流量
-A FORWARD -s 192.168.10.0/24 -d 192.168.20.0/24 -j DROP

# 应用规则
$ iptables-restore < /etc/iptables/rules.v4

5.2 身份认证

# 安装FreeRADIUS
$ apt-get update
$ apt-get install freeradius freeradius-mysql

# 配置FreeRADIUS
$ vim /etc/freeradius/3.0/clients.conf

# 添加客户端
client 192.168.1.0/24 {
secret = testing123
shortname = local-network
}

# 配置用户
$ vim /etc/freeradius/3.0/users

# 添加用户
user Cleartext-Password := "password"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 10.10.10.1,
Framed-IP-Netmask = 255.255.255.0

# 启动FreeRADIUS
$ systemctl start freeradius
$ systemctl enable freeradius

# 测试认证
$ radtest user password fgedudb 1812 testing123

# 查看日志
$ tail -f /var/log/freeradius/radius.log

5.3 单点登录

# 安装Keycloak
$ docker run -d --name keycloak \
-p 8080:8080 \
-e KEYCLOAK_USER=admin \
-e KEYCLOAK_PASSWORD=admin \
jboss/keycloak:15.0.2

# 访问Keycloak
# 打开浏览器访问 http://fgedudb:8080

# 创建 Realm
# 登录管理控制台 -> Add Realm

# 创建用户
# Users -> Add User

# 创建客户端
# Clients -> Create

# 配置客户端
# Access Type: confidential
# Valid Redirect URIs: http://fgedudb:8081/*

# 获取客户端密钥
# Clients -> 选择客户端 -> Credentials

# 测试认证
$ curl -X POST \
http://fgedudb:8080/auth/realms/myrealm/protocol/openid-connect/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=password&client_id=myclient&client_secret=mysecret&username=user&password=password'


6. 数据加密

6.1 SSL/TLS配置

# 安装Certbot
$ apt-get update
$ apt-get install certbot python3-certbot-nginx

# 获取SSL证书
$ certbot --nginx -d fgedu.net.cn -d www.fgedu.net.cn

# 配置Nginx
$ vim /etc/nginx/sites-available/default

# 添加SSL配置
server {
    listen 80;
    server_name fgedu.net.cn www.fgedu.net.cn;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name fgedu.net.cn www.fgedu.net.cn;

    ssl_certificate /etc/letsencrypt/live/fgedu.net.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fgedu.net.cn/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        root /var/www/html;
        index index.html index.htm;
    }
}

# 重启Nginx
$ systemctl restart nginx

# 自动续期证书
$ crontab -e

# 添加定时任务
0 12 * * * /usr/bin/certbot renew --quiet

6.2 数据加密

# 使用OpenSSL加密文件
$ openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc

# 解密文件
$ openssl enc -d -aes-256-cbc -in file.txt.enc -out file.txt

# 使用GPG加密文件
$ gpg --gen-key

# 加密文件
$ gpg -e -r user@fgedu.net.cn file.txt

# 解密文件
$ gpg -d file.txt.gpg > file.txt

# 配置LUKS加密分区
$ fdisk /dev/sdb
# 创建分区

# 加密分区
$ cryptsetup luksFormat /dev/sdb1

# 打开加密分区
$ cryptsetup open /dev/sdb1 cryptdata

# 格式化分区
$ mkfs.ext4 /dev/mapper/cryptdata

# 挂载分区
$ mount /dev/mapper/cryptdata /mnt/data

# 自动挂载配置
$ vim /etc/crypttab
cryptdata /dev/sdb1 none luks

$ vim /etc/fstab
/dev/mapper/cryptdata /mnt/data ext4 defaults 0 2

7. DDoS防护

7.1 DDoS防护策略

# 配置SYN洪水防护
$ sysctl -w net.ipv4.tcp_syncookies=1
$ sysctl -w net.ipv4.tcp_max_syn_backlog=4096
$ sysctl -w net.ipv4.tcp_synack_retries=2

# 配置连接限制
$ iptables -A INPUT -p tcp --syn -m limit --limit 20/s --limit-burst 100 -j ACCEPT
$ iptables -A INPUT -p tcp --syn -j DROP

# 配置ICMP限制
$ iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
$ iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# 配置连接跟踪
$ sysctl -w net.netfilter.nf_conntrack_max=65536
$ sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600

# 保存配置
$ sysctl -p

# 查看连接跟踪状态
$ cat /proc/net/nf_conntrack | wc -l

7.2 云服务DDoS防护

# AWS Shield配置
# 访问AWS控制台 -> Shield -> 保护资源

# 配置CloudFront
$ aws cloudfront create-distribution \
--distribution-config file://distribution-config.json

$ cat distribution-config.json
{
  "CallerReference": "2026-04-03",
  "Origins": [
    {
      "Id": "origin1",
      "DomainName": "fgedu.net.cn",
      "CustomOriginConfig": {
        "HTTPPort": 80,
        "HTTPSPort": 443,
        "OriginProtocolPolicy": "https-only"
      }
    }
  ],
  "DefaultCacheBehavior": {
    "TargetOriginId": "origin1",
    "ViewerProtocolPolicy": "redirect-to-https",
    "MinTTL": 60,
    "AllowedMethods": {
      "Quantity": 2,
      "Items": ["GET", "HEAD"],
      "CachedMethods": {
        "Quantity": 2,
        "Items": ["GET", "HEAD"]
      }
    },
    "ForwardedValues": {
      "QueryString": false,
      "Cookies": {
        "Forward": "none"
      }
    }
  },
  "Enabled": true
}

# 配置WAF
$ aws wafv2 create-web-acl \
--name my-web-acl \
--scope REGIONAL \
--default-action '{"Allow": {}}' \
--rules file://rules.json \
--visibility-config '{"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "my-web-acl"}'

$ cat rules.json
[
  {
    "Name": "RateLimitRule",
    "Priority": 0,
    "Action": {
      "Block": {}
    },
    "Statement": {
      "RateBasedStatement": {
        "Limit": 100,
        "AggregateKeyType": "IP"
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "RateLimitRule"
    }
  }
]


8. 安全监控

8.1 日志监控

# 安装ELK Stack
$ docker-compose up -d

# 配置Filebeat
$ vim filebeat.yml

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/syslog
      - /var/log/auth.log

output.elasticsearch:
  hosts: ["fgedudb:9200"]

# 启动Filebeat
$ ./filebeat -e -c filebeat.yml

# 配置Kibana
# 打开浏览器访问 http://fgedudb:5601
# 创建索引模式 -> 发现

# 配置告警
$ curl -X POST "fgedudb:9200/_alerting/rule" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Failed Login Attempts",
    "tags": ["security"],
    "schedule": {
      "interval": "1m"
    },
    "inputs": [
      {
        "search": {
          "indices": ["filebeat-*"],
          "query": {
            "query_string": {
              "query": "message:Failed"
            }
          }
        }
      }
    ],
    "conditions": [
      {
        "script": {
          "source": "ctx.results[0].hits.total.value > 5"
        }
      }
    ],
    "actions": [
      {
        "name": "Send Email",
        "throttle_period": "15m",
        "email": {
          "to": ["admin@fgedu.net.cn"],
          "subject": "Security Alert: Failed Login Attempts",
          "body": "There have been more than 5 failed login attempts in the last minute."
        }
      }
    ]
  }'

8.2 网络流量监控

# 安装Netdata
# 注意:把远程脚本直接交给 bash 执行,等于信任该 URL 当时返回的任何内容;生产环境应先下载到本地、核对校验和并检查脚本内容后再执行。
$ bash <(curl -Ss https://my-netdata.io/kickstart.sh)

# 访问Netdata
# 打开浏览器访问 http://fgedudb:19999

# 安装Ntopng
$ apt-get update
$ apt-get install ntopng

# 配置Ntopng
$ vim /etc/ntopng/ntopng.conf

# 添加配置
--interface=eth0
--http-port=3000
--data-dir=/var/lib/ntopng
--pid-path=/var/run/ntopng.pid

# 启动Ntopng
$ systemctl start ntopng
$ systemctl enable ntopng

# 访问Ntopng
# 打开浏览器访问 http://fgedudb:3000

# 安装Zeek
$ apt-get update
$ apt-get install zeek

# 配置Zeek
$ vim /usr/local/zeek/etc/node.cfg

# 添加配置
[zeek]
host=fgedudb
interface=eth0

# 启动Zeek
$ zeekctl deploy

# 查看Zeek日志
$ ls /usr/local/zeek/logs/current/

9. 安全事件响应

9.1 事件响应流程

# 事件响应计划
$ cat incident-response-plan.md
# 安全事件响应计划

## 1. 准备阶段
- 建立事件响应团队
- 制定响应流程
- 准备工具和资源
- 进行培训和演练

## 2. 检测与分析
- 监控系统和网络
- 识别安全事件
- 分析事件影响
- 确定事件类型

## 3. 遏制与根除
- 隔离受影响系统
- 终止恶意活动
- 移除恶意代码
- 修复漏洞

## 4. 恢复
- 恢复系统和数据
- 验证系统安全性
- 恢复业务运营
- 监控系统状态

## 5. 总结与改进
- 记录事件详情
- 分析事件原因
- 提出改进措施
- 更新响应计划

# 事件响应工具
$ apt-get install forensics-extra volatility

# 内存取证
$ sudo volatility -f memory.dump imageinfo
$ sudo volatility -f memory.dump pslist
$ sudo volatility -f memory.dump netscan

# 磁盘取证
$ sudo dd if=/dev/sda of=/mnt/forensics/sda.img bs=4M
$ sudo mmls /mnt/forensics/sda.img
$ sudo fls -r /mnt/forensics/sda.img 1

9.2 安全事件处理

# 处理恶意软件感染
$ sudo rkhunter --check
$ sudo chkrootkit
$ sudo clamscan -r /

# 处理入侵事件
$ sudo grep "Failed password" /var/log/auth.log
$ sudo netstat -tulpn
$ sudo lsof -i

# 处理数据泄露
$ sudo find / -type f -mtime -1 -exec ls -la {} \;
$ sudo auditctl -l
$ sudo ausearch -k passwd

# 处理DDoS攻击
$ sudo netstat -n | grep :80 | wc -l
$ sudo tcpdump -i eth0 'port 80' | head -n 100
$ sudo iptables -A INPUT -s 192.168.1.100 -j DROP

10. 最佳实践

10.1 网络安全最佳实践

  • 实施深度防御策略
  • 定期更新系统和应用程序
  • 使用强密码和多因素认证
  • 配置防火墙和入侵检测系统
  • 加密敏感数据
  • 定期进行安全评估和渗透测试
  • 建立安全事件响应计划
  • 培训员工安全意识
  • 监控网络流量和系统日志
  • 备份重要数据

10.2 安全配置基线

# 系统安全基线
$ cat security-baseline.sh
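#!/bin/bash
#
# security-baseline.sh - apply a basic Debian/Ubuntu hardening baseline.
#
# Usage:   sudo ./security-baseline.sh
# Needs:   root and apt network access. Run it from a console, or from an
#          SSH session that already authenticates with a key: the script
#          turns off SSH password authentication and root login, so a
#          password-only session has no way back in afterwards.
# Effects: upgrades packages; enables ufw (deny incoming / allow outgoing,
#          ssh/http/https allowed); installs a fail2ban sshd jail; writes a
#          persistent sysctl drop-in; disables avahi-daemon and cups; sets
#          a password-quality policy; hardens sshd_config; runs rkhunter
#          and chkrootkit and reports their status.

set -euo pipefail

# Fail up front rather than half-way through with a partly applied baseline.
if [[ "$(id -u)" -ne 0 ]]; then
  printf 'error: run as root (sudo ./security-baseline.sh)\n' >&2
  exit 1
fi

# Keep apt from blocking on prompts when the script runs unattended.
export DEBIAN_FRONTEND=noninteractive

# Update the system
apt-get update && apt-get upgrade -y

# Install security tools
apt-get install -y ufw fail2ban rkhunter chkrootkit

# Configure the firewall.
# 'ufw allow ssh' must come before 'ufw enable' or a remote session is cut
# off; --force skips ufw's interactive "may disrupt existing ssh" prompt,
# which would otherwise hang a non-interactive run.
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw allow https
ufw --force enable

# Configure fail2ban (quoted delimiter: nothing in the body is expanded).
cat > /etc/fail2ban/jail.local << 'EOF'
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
EOF
systemctl restart fail2ban

# Kernel network hardening.
# Written to a sysctl.d drop-in so the values survive a reboot; the original
# 'sysctl -w ...' followed by 'sysctl -p' only changed the running kernel
# and then re-read an /etc/sysctl.conf that never contained these keys.
cat > /etc/sysctl.d/99-security-baseline.conf << 'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
EOF
sysctl --system

# Disable services this baseline does not need.
# '|| true' keeps going on hosts where a unit is not installed; the original
# script tolerated that too because it ran without 'set -e'.
for unit in avahi-daemon cups; do
  systemctl stop "$unit" || true
  systemctl disable "$unit" || true
done

# Password policy
cat > /etc/security/pwquality.conf << 'EOF'
minlen = 12
minclass = 4
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
difok = 8
EOF

# Configure SSH.
# '^#?' matches the directive whether it is still the commented-out stock
# default or has already been set to some value, so a previously edited
# sshd_config is hardened as well; the original sed only matched the exact
# stock comment lines and silently left everything else untouched. A
# directive that is absent from the file is still not added.
sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i -E 's/^#?[[:space:]]*MaxAuthTries[[:space:]].*/MaxAuthTries 3/' /etc/ssh/sshd_config
# Validate the edited config before restarting so a bad edit never leaves
# sshd down on a remote host.
sshd -t
systemctl restart sshd

# Run the rootkit scanners.
# --sk skips rkhunter's "press enter to continue" pauses between test groups.
# Both tools exit non-zero when they report warnings; that is a finding to
# review, not a script failure, so the status is captured instead of
# aborting under 'set -e'.
scan_rv=0
rkhunter --check --sk || scan_rv=$?
chkrootkit || scan_rv=$?

# Report
echo "Security baseline applied successfully!"
if (( scan_rv != 0 )); then
  printf 'note: a scanner exited with status %d; review /var/log/rkhunter.log and the chkrootkit output\n' "$scan_rv" >&2
fi

# 运行脚本
$ chmod +x security-baseline.sh
$ sudo ./security-baseline.sh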

生产环境建议

  • 建立完善的网络安全架构
  • 定期进行安全评估和渗透测试
  • 实施自动化安全监控和告警
  • 建立安全事件响应团队和流程
  • 持续更新安全策略和配置
  • 培训员工安全意识
  • 备份重要数据并测试恢复流程
  • 使用云服务的安全功能
  • 定期更新系统和应用程序
  • 遵循行业安全标准和最佳实践
