
    Building your own VPN, part 2: protecting your machine

    Haidong Ji, posted 2015-11-06 06:06:47

    Once you have picked a VPS provider, a machine size and an operating system, the first thing to do after the machine boots is to secure it and cut its attack surface down as far as you can. I only give a few very basic recommendations here, mostly about firewall configuration. The commands below assume Debian 7 or 8. If you run Ubuntu they can essentially be used as they are. The CentOS/Red Hat/Fedora equivalents are similar; please look them up yourself. If there is demand, I will write up the CentOS/Red Hat/Fedora setup when I have time.

    All of the commands below run as root. I assume you are already connected to the server on a command line; prefix the commands with sudo or switch to root as needed.

    1. Update the server's packages and apply patches:
      apt-get update
      apt-get upgrade
      (on CentOS/Red Hat/Fedora: yum update)
    2. Move the ssh port to cut down ssh attacks:
      The default ssh port on a Linux server is 22. A lot of attacks hammer that port directly, using scripts that fire off endless automated connection attempts: the so-called dictionary and brute-force attacks. Moving the port to something else, such as 50683, gets rid of most of that automated noise. It does not stop a targeted attacker, who will find the new port with a port scan, so treat it as noise reduction rather than real protection; key-based authentication (see the end of this post) is what actually defeats password guessing.
      Open /etc/ssh/sshd_config in the editor of your choice, find "Port 22", change 22 to 50683 and save the file.
      Then restart the ssh service:
      service ssh restart
      Keep your current session open and confirm from a second terminal that you can log in on the new port before you close it. Remember to add -p 50683 to every remote connection from now on, and note that step 4 below must open the same port in the firewall.
    3. Install the firewall
      apt-get install iptables
      apt-get install iptables-persistent (this command asks whether to save the current rules; answer yes. The package also reloads the saved rules at every boot.)
    4. Basic firewall rules, IPv4
      Open /etc/iptables/rules.v4 in the editor of your choice, delete everything in it and add the following:
      *filter
      #  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
      -A INPUT -i lo -j ACCEPT
      -A INPUT -d 127.0.0.0/8 -j REJECT
      
      #  Accept all established inbound connections
      -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      
      #  Allow all outbound traffic - you can modify this to only allow certain traffic
      -A OUTPUT -j ACCEPT
      
      #  VPN port and forwarding (1194/udp and 10.8.0.0/24 are OpenVPN's defaults;
      #  change them if your VPN configuration uses others). These FORWARD rules on
      #  their own do not give clients internet access: that also needs
      #  net.ipv4.ip_forward=1 and a MASQUERADE rule in the nat table, which belong
      #  with the VPN setup itself.
      -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
      -A FORWARD -s 10.8.0.0/24 -j ACCEPT
      -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
      
      #  Allow SSH connections
      #
      #  The --dport number must be the same port number you set in sshd_config
      #
      -A INPUT -p tcp -m state --state NEW --dport 50683 -j ACCEPT
      
      #  Allow ping
      -A INPUT -p icmp -j ACCEPT
      
      #  Log iptables denied calls
      -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
      
      #  Drop all other inbound - default deny unless explicitly allowed policy
      -A INPUT -j DROP
      -A FORWARD -j DROP
      
      COMMIT
      
    5. Basic firewall rules, IPv6
      Open /etc/iptables/rules.v6 in the editor of your choice, delete everything in it and add the following (ICMPv6 is accepted in full because IPv6 neighbour discovery depends on it):
      *filter
      
      # Allow all loopback (lo0) traffic and reject traffic
      # to localhost that does not originate from lo0.
      -A INPUT -i lo -j ACCEPT
      -A INPUT ! -i lo -s ::1/128 -j REJECT
      
      # Allow ICMP
      -A INPUT  -p icmpv6 -j ACCEPT
      
      #  Allow SSH connections
      #
      #  The --dport number must be the same port number you set in sshd_config
      #
      -A INPUT -p tcp -m state --state NEW --dport 50683 -j ACCEPT
      
      # Accept inbound traffic from established connections.
      -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      
      # Log what was incoming but denied (optional but useful).
      -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7
      
      # Reject all other inbound.
      -A INPUT -j REJECT
      
      # Log any traffic which was sent to you
      # for forwarding (optional but useful).
      -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7
      
      # Reject all traffic forwarding.
      -A FORWARD -j REJECT
      
      COMMIT
      
      
    6. Activate the firewall
      Before loading the rules, make sure sshd is already listening on the port named in the SSH rule (step 2) and keep the session you are working in open: if the new rules lock you out, that session is what you fix them from.
      iptables-restore < /etc/iptables/rules.v4
      ip6tables-restore < /etc/iptables/rules.v6
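    The steps above tie the ssh port and the firewall together, and a mismatch between the two is the classic way to lose access to a freshly built VPS. The script below is an added example, not code from the original post or its author: it reads the Port lines from an sshd_config and the INPUT ACCEPT rules from an iptables-restore file, and refuses to go ahead when sshd listens on a port the rules do not open. The function names and the file paths passed to them are this example's own choices; the two files are the ones the post edits.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run
# before "iptables-restore < /etc/iptables/rules.v4", so that the sshd
# port from step 2 and the --dport in the rules from step 4 agree.
# Function names are this example's own; they are not standard tools.

# sshd_ports FILE: print every Port that the sshd_config configures,
# one per line. sshd listens on 22 when no Port line is present, so 22
# is the default. Commented-out lines such as "#Port 22" are ignored.
sshd_ports() {
    ports=$(grep -iE '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{print $2}')
    printf '%s\n' "${ports:-22}"
}

# fw_tcp_ports FILE: print every TCP destination port opened by an
# "-A INPUT ... -p tcp ... --dport N ... -j ACCEPT" rule in an
# iptables-restore file, one per line.
fw_tcp_ports() {
    grep -E '^[[:space:]]*-A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT' "$1" \
        | sed -E 's/.*--dport ([0-9]+).*/\1/'
}

# check_ssh_port SSHD_CONFIG RULES_FILE: return 0 when every port sshd
# listens on has a matching INPUT ACCEPT rule, 1 otherwise (each missing
# port is reported on stderr).
check_ssh_port() {
    allowed=$(fw_tcp_ports "$2")
    status=0
    for want in $(sshd_ports "$1"); do
        found=0
        for have in $allowed; do
            [ "$have" = "$want" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "sshd listens on tcp/$want but $2 has no INPUT ACCEPT rule for it" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage on the server, after step 2 and step 4 of the post:
#   check_ssh_port /etc/ssh/sshd_config /etc/iptables/rules.v4 \
#       && iptables-restore < /etc/iptables/rules.v4
```

    Run it with the real paths before loading the rules, and combine it with `iptables-restore --test < /etc/iptables/rules.v4`, which parses the file without committing it and catches syntax errors. Neither check replaces the basic precaution: keep the session you are working in open and confirm with a second `ssh -p 50683` login before closing it.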

    These are only very basic protections. To make the server more secure, I recommend installing Fail2Ban later on, using ssh key authentication instead of plain username and password login, and so on. Next, we can set up the VPN server.


