通过防火墙策略限制对外扫描行为
请您根据您的服务器操作系统,下载对应的脚本运行,运行后您的防火墙策略会封禁对外发包的行为,确保您的主机不会再出现恶意发包的情况,为您进行后续数据备份操作提供足够的时间。
Window2003的批处理文件
@rem 配置windows2003系统的IP安全策略 @rem version 3.0 time:2014-5-12 netsh ipsec static add policy name=drop netsh ipsec static add filterlist name=drop_port netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=21 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=22 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=23 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=25 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=53 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=80 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=135 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=139 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=443 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=445 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1314 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1433 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1521 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=2222 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3306 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3433 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3389 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=4899 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=8080 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=18186 protocol=TCP mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any protocol=UDP mirrored=no netsh ipsec static add filteraction name=denyact action=block netsh ipsec static add rule name=kill policy=drop filterlist=drop_port filteraction=denyact netsh ipsec static set policy name=drop assign=y
Window2008的批处理文件
@rem 配置windows2008系统的IP安全策略 @rem version 3.0 time:2014-5-12 @rem 重置防火墙使用默认规则 netsh firewall reset netsh firewall set service remotedesktop enable all @rem 配置高级windows防火墙 netsh advfirewall firewall add rule name="drop" protocol=TCP dir=out remoteport="21,22,23,25,53,80,135,139,443,445,1433,1314,1521,2222,3306,3433,3389,4899,8080,18186" action=block netsh advfirewall firewall add rule name="dropudp" protocol=UDP dir=out remoteport=any action=block
Linux系统脚本
#!/bin/bash ######################################### #Function: linux drop port #Usage: bash linux_drop_port.sh #Author: Customer Service Department #Company: Alibaba Cloud Computing #Version: 2.0 ######################################### check_os_release() { while true do os_release=$(grep "Red Hat Enterprise Linux Server release"/etc/issue 2>/dev/null) os_release_2=$(grep "Red Hat Enterprise Linux Server release"/etc/redhat-release 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "release 5" >/dev/null2>&1 then os_release=redhat5 echo "$os_release" elif echo "$os_release"|grep "release 6">/dev/null 2>&1 then os_release=redhat6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep "Aliyun Linux release" /etc/issue2>/dev/null) os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "release 5" >/dev/null2>&1 then os_release=aliyun5 echo "$os_release" elif echo "$os_release"|grep "release 6">/dev/null 2>&1 then os_release=aliyun6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep "CentOS release" /etc/issue 2>/dev/null) os_release_2=$(grep "CentOS release" /etc/*release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "release 5" >/dev/null2>&1 then os_release=centos5 echo "$os_release" elif echo "$os_release"|grep "release 6">/dev/null 2>&1 then os_release=centos6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null) os_release_2=$(grep -i "ubuntu" /etc/lsb-release2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "Ubuntu 10" >/dev/null2>&1 then os_release=ubuntu10 echo "$os_release" elif echo "$os_release"|grep "Ubuntu 12.04">/dev/null 2>&1 then os_release=ubuntu1204 echo "$os_release" elif echo "$os_release"|grep "Ubuntu 12.10">/dev/null 2>&1 then os_release=ubuntu1210 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep -i "debian" /etc/issue 2>/dev/null) os_release_2=$(grep -i "debian" /proc/version 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep "Linux 6" >/dev/null2>&1 then os_release=debian6 echo "$os_release" else os_release="" echo "$os_release" fi break fi os_release=$(grep "openSUSE" /etc/issue 2>/dev/null) os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null) if [ "$os_release" ] && [ "$os_release_2" ] then if echo "$os_release"|grep"13.1" >/dev/null 2>&1 then os_release=opensuse131 echo "$os_release" else os_release="" echo "$os_release" fi break fi break done } exit_script() { echo -e "\033[1;40;31mInstall $1 error,will exit.\n\033[0m" rm-f $LOCKfile exit 1 } config_iptables() { iptables -I OUTPUT 1 -p tcp -m multiport --dport21,22,23,25,53,80,135,139,443,445 -j DROP iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186-j DROP iptables -I OUTPUT 3 -p udp -j DROP iptables -nvL } ubuntu_config_ufw() { ufwdeny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445 ufwdeny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 ufwdeny out proto udp to any ufwstatus } ####################Start################### #check lock file ,one time only let thescript run one time LOCKfile=/tmp/.$(basename $0) if [ -f "$LOCKfile" ] then echo -e "\033[1;40;31mThe script is already exist,please next timeto run this script.\n\033[0m" exit else echo -e "\033[40;32mStep 1.No lock file,begin to create lock fileand continue.\n\033[40;37m" touch $LOCKfile fi #check user if [ $(id -u) != "0" ] then echo -e "\033[1;40;31mError: You must be root to run this script,please use root to execute this script.\n\033[0m" rm-f $LOCKfile exit 1 fi echo -e "\033[40;32mStep 2.Begen tocheck the OS issue.\n\033[40;37m" os_release=$(check_os_release) if [ "X$os_release" =="X" ] then echo -e "\033[1;40;31mThe OS does not identify,So this script isnot executede.\n\033[0m" rm-f $LOCKfile exit 0 else echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m" fi echo -e "\033[40;32mStep 3.Begen toconfig firewall.\n\033[40;37m" case "$os_release" in redhat5|centos5|redhat6|centos6|aliyun5|aliyun6) service iptables start config_iptables ;; debian6) config_iptables ;; ubuntu10|ubuntu1204|ubuntu1210) ufwenable <<EOF y EOF ubuntu_config_ufw ;; opensuse131) config_iptables ;; esac echo -e "\033[40;32mConfig firewallsuccess,this script now exit!\n\033[40;37m" rm -f $LOCKfile
上述文件下载到机器内部直接执行即可。
设置iptables,限制访问
/sbin/iptables -P INPUT ACCEPT /sbin/iptables -F /sbin/iptables -X /sbin/iptables -Z /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT /sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT /sbin/iptables -P INPUT DROP service iptables save
以上脚本,在每次重装完系统后执行一次即可,其配置会保存至/etc/sysconfig/iptables
标签:
安全设置,防火墙策略
免责声明:本站文章均来自网站采集或用户投稿,网站不提供任何软件下载或自行开发的软件!
如有用户或公司发现本站内容信息存在侵权行为,请邮件告知! 858582#qq.com
暂无“阿里云windows服务器安全设置(防火墙策略)”评论...
《魔兽世界》大逃杀!60人新游玩模式《强袭风暴》3月21日上线
暴雪近日发布了《魔兽世界》10.2.6 更新内容,新游玩模式《强袭风暴》即将于3月21 日在亚服上线,届时玩家将前往阿拉希高地展开一场 60 人大逃杀对战。
艾泽拉斯的冒险者已经征服了艾泽拉斯的大地及遥远的彼岸。他们在对抗世界上最致命的敌人时展现出过人的手腕,并且成功阻止终结宇宙等级的威胁。当他们在为即将于《魔兽世界》资料片《地心之战》中来袭的萨拉塔斯势力做战斗准备时,他们还需要在熟悉的阿拉希高地面对一个全新的敌人──那就是彼此。在《巨龙崛起》10.2.6 更新的《强袭风暴》中,玩家将会进入一个全新的海盗主题大逃杀式限时活动,其中包含极高的风险和史诗级的奖励。
《强袭风暴》不是普通的战场,作为一个独立于主游戏之外的活动,玩家可以用大逃杀的风格来体验《魔兽世界》,不分职业、不分装备(除了你在赛局中捡到的),光是技巧和战略的强弱之分就能决定出谁才是能坚持到最后的赢家。本次活动将会开放单人和双人模式,玩家在加入海盗主题的预赛大厅区域前,可以从强袭风暴角色画面新增好友。游玩游戏将可以累计名望轨迹,《巨龙崛起》和《魔兽世界:巫妖王之怒 经典版》的玩家都可以获得奖励。
更新动态
2024年12月29日
2024年12月29日
- 小骆驼-《草原狼2(蓝光CD)》[原抓WAV+CUE]
- 群星《欢迎来到我身边 电影原声专辑》[320K/MP3][105.02MB]
- 群星《欢迎来到我身边 电影原声专辑》[FLAC/分轨][480.9MB]
- 雷婷《梦里蓝天HQⅡ》 2023头版限量编号低速原抓[WAV+CUE][463M]
- 群星《2024好听新歌42》AI调整音效【WAV分轨】
- 王思雨-《思念陪着鸿雁飞》WAV
- 王思雨《喜马拉雅HQ》头版限量编号[WAV+CUE]
- 李健《无时无刻》[WAV+CUE][590M]
- 陈奕迅《酝酿》[WAV分轨][502M]
- 卓依婷《化蝶》2CD[WAV+CUE][1.1G]
- 群星《吉他王(黑胶CD)》[WAV+CUE]
- 齐秦《穿乐(穿越)》[WAV+CUE]
- 发烧珍品《数位CD音响测试-动向效果(九)》【WAV+CUE】
- 邝美云《邝美云精装歌集》[DSF][1.6G]
- 吕方《爱一回伤一回》[WAV+CUE][454M]