由 bolzg 在 09-21-2002 14:12 发表:
LINUX安全
代理服务器功能的问题终于解决了,可是接下来应该安全的问题
使用LINUX做代理服务器是不是很安全,如何做好防范黑客的入侵啊,
如果有人攻击服务器,如何抵御啊,
LINUX下是不是有个命令可以看到是哪个IP在扫描本机器
请各位老兄们指点
由 yjh 在 09-21-2002 17:11 发表:
应该利用iptables做个防火墙。参考下文(从IBM的网上下的,看懂后,按你的实际情况改即可):
防火墙脚本,它可以用于膝上型计算机、工作站、路由器或服务器(或者其中的某些组合!)。
#!/bin/bash
#Our complete stateful firewall script. This firewall can be customized for
#a laptop, workstation, router or even a server. 
#change this to the name of the interface that provides your "uplink"
#(connection to the Internet)
UPLINK="eth1"
#if you're a router (and thus should forward IP packets between interfaces),
#you want ROUTER="yes"; otherwise, ROUTER="no"
ROUTER="yes"
#change this next line to the static IP of your uplink interface for static SNAT, or
#"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT to "" to
#disable it.
NAT="1.2.3.4"
#change this next line so it lists all your network interfaces, including lo
INTERFACES="lo eth0 eth1"
#change this line so that it lists the assigned numbers or symbolic names (from
#/etc/services) of all the services that you'd like to provide to the general
#public. If you don't want any services enabled, set it to ""
SERVICES="http ftp smtp ssh rsync"
if [ "$1" = "start" ]
then
echo "Starting firewall..."
iptables -P INPUT DROP
iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#enable public access to certain services
for x in ${SERVICES}
do
iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
done
iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
#explicitly disable ECN
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi
#disable spoofing on all interfaces
for x in ${INTERFACES}
do
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done