Aliyun Windows server security: firewall policy settings

  • 2020-05-17 07:05:52
  • OfStack

Restrict external scanning behavior through firewall policies

Download and run the script that matches your server's operating system. Once it has run, the firewall policy blocks outbound connections from the host, so the host can no longer send malicious outbound traffic, which gives you enough time for the data-backup steps that follow.

Batch file for Windows 2003


@rem  configuration windows2003 Of the system IP The security policy 
@rem version 3.0 time:2014-5-12
@rem Builds an IPsec policy named "drop": a filter list of traffic FROM this
@rem host (srcaddr=me) TO any address (dstaddr=any) on the listed TCP ports,
@rem plus one filter for UDP with no port, so every outbound UDP datagram
@rem matches. mirrored=no means no reverse-direction (inbound) filter is
@rem generated. The block action is attached by the rule and the policy is
@rem assigned in the last line; nothing is enforced until that assignment.
@rem NOTE(review): because the UDP filter carries no dstport it also matches
@rem outbound DNS (UDP 53); name resolution is expected to stop working after
@rem assignment unless a local resolver is used - confirm before deploying.
@rem NOTE(review): every command is an "add"; re-running on a host that already
@rem has the "drop" policy presumably reports an error instead of replacing it.

netsh ipsec static add policy name=drop
netsh ipsec static add filterlist name=drop_port
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=21 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=22 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=23 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=25 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=53 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=80 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=135 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=139 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=443 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=445 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1314 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1433 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1521 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=2222 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3306 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3433 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=3389 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=4899 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=8080 protocol=TCP mirrored=no
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=18186 protocol=TCP mirrored=no
@rem No dstport here: this filter matches all outbound UDP, not just the ports above.
netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any protocol=UDP mirrored=no
netsh ipsec static add filteraction name=denyact action=block
netsh ipsec static add rule name=kill policy=drop filterlist=drop_port filteraction=denyact
@rem Assigning the policy is what activates it; everything above only defines it.
netsh ipsec static set policy name=drop assign=y

Batch file for Windows 2008


@rem  configuration windows2008 Of the system IP The security policy 
@rem version 3.0 time:2014-5-12

@rem  Reset the firewall to use the default rules 
@rem The reset discards any existing custom rules; Remote Desktop is then
@rem re-enabled for all scopes, presumably so the reset cannot cut off RDP
@rem administration of the server - confirm that is the intent.
netsh firewall reset
netsh firewall set service remotedesktop enable all

@rem  Configure the advanced windows A firewall 
@rem Two outbound (dir=out) block rules: TCP to the listed remote ports, and
@rem UDP to any remote port. Inbound traffic is not changed by these rules.
@rem NOTE(review): "dropudp" covers every outbound UDP datagram, including DNS
@rem queries on UDP 53; name resolution is expected to fail afterwards unless a
@rem local resolver is used. The TCP list also contains 22 and 443, so a backup
@rem pushed from this host over scp/https will be blocked as well - plan to pull
@rem the backup from another host instead.
netsh advfirewall firewall add rule name="drop" protocol=TCP dir=out remoteport="21,22,23,25,53,80,135,139,443,445,1433,1314,1521,2222,3306,3433,3389,4899,8080,18186" action=block
netsh advfirewall firewall add rule name="dropudp" protocol=UDP dir=out remoteport=any action=block

Linux system scripts


#!/bin/bash
#########################################
#Function:  linux drop port
#Usage:    bash linux_drop_port.sh
#Author:   Customer Service Department
#Company:   Alibaba Cloud Computing
#Version:   2.0
#########################################
 
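_match_release_version()
{
 # Helper for check_os_release.
 # Arguments: $1 - the line(s) matched from /etc/issue
 #            $2 $3 ... - pairs of <fixed string to look for> <name to print>
 # Outputs:   the name paired with the first string found in $1, or an empty
 #            line when none of the strings occurs
 # Returns:   0 always
 local issue_line=$1
 shift
 while [ $# -ge 2 ]; do
  # -F: the version strings contain '.', which must match literally.
  if printf '%s\n' "$issue_line" | grep -q -F -- "$1"; then
   printf '%s\n' "$2"
   return 0
  fi
  shift 2
 done
 printf '\n'
 return 0
}

check_os_release()
{
 # Identify the distribution and major version this script knows how to
 # configure. Each family is confirmed from /etc/issue AND a second,
 # distribution-specific file before the version string is inspected, so a
 # customised /etc/issue banner alone cannot select the wrong branch.
 # Globals:   none written
 # Outputs:   one line on stdout - one of redhat5 redhat6 aliyun5 aliyun6
 #            centos5 centos6 ubuntu10 ubuntu1204 ubuntu1210 debian6
 #            opensuse131, or an empty line when the distribution or its
 #            version is not recognised
 # Returns:   0 always; callers test the printed value, not the status
 local issue
 local confirm

 issue=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
 confirm=$(grep "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null)
 if [ -n "$issue" ] && [ -n "$confirm" ]; then
  _match_release_version "$issue" "release 5" redhat5 "release 6" redhat6
  return 0
 fi

 issue=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
 confirm=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
 if [ -n "$issue" ] && [ -n "$confirm" ]; then
  _match_release_version "$issue" "release 5" aliyun5 "release 6" aliyun6
  return 0
 fi

 # /etc/*release is a deliberate glob: only non-empty output matters here.
 issue=$(grep "CentOS release" /etc/issue 2>/dev/null)
 confirm=$(grep "CentOS release" /etc/*release 2>/dev/null)
 if [ -n "$issue" ] && [ -n "$confirm" ]; then
  _match_release_version "$issue" "release 5" centos5 "release 6" centos6
  return 0
 fi

 issue=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
 confirm=$(grep -i "ubuntu" /etc/lsb-release 2>/dev/null)
 if [ -n "$issue" ] && [ -n "$confirm" ]; then
  _match_release_version "$issue" \
   "Ubuntu 10" ubuntu10 "Ubuntu 12.04" ubuntu1204 "Ubuntu 12.10" ubuntu1210
  return 0
 fi

 issue=$(grep -i "debian" /etc/issue 2>/dev/null)
 confirm=$(grep -i "debian" /proc/version 2>/dev/null)
 if [ -n "$issue" ] && [ -n "$confirm" ]; then
  _match_release_version "$issue" "Linux 6" debian6
  return 0
 fi

 issue=$(grep "openSUSE" /etc/issue 2>/dev/null)
 confirm=$(grep "openSUSE" /etc/*release 2>/dev/null)
 if [ -n "$issue" ] && [ -n "$confirm" ]; then
  _match_release_version "$issue" "13.1" opensuse131
  return 0
 fi

 # No family matched: print the empty marker so "$(check_os_release)" is "".
 printf '\n'
 return 0
}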
 
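exit_script()
{
 # Report a failed step in red, remove the run-once lock and stop the script.
 # Arguments: $1 - name of the step or component that failed (shown verbatim)
 # Globals:   LOCKfile (read) - lock path created by the main script
 # Returns:   does not return; the process exits with status 1
 printf '\033[1;40;31mInstall %s error,will exit.\n\033[0m\n' "$1"
 # Quoted and behind "--" so a lock path with spaces or a leading '-' is still
 # removed rather than being split or taken as an option.
 rm -f -- "$LOCKfile"
 exit 1
}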
 
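config_iptables()
{
 # Block outbound traffic with iptables: TCP to the listed remote ports and
 # every outbound UDP datagram. The rules are inserted at the head of OUTPUT
 # (positions 1-3) so they take precedence over any ACCEPT rule already there,
 # then the resulting ruleset is printed for the operator to inspect.
 # Globals:   none
 # Outputs:   "iptables -nvL" listing on stdout
 # Returns:   status of the final iptables -nvL
 #
 # NOTE(review): the UDP rule has no port match, so it also drops outbound DNS
 # queries (UDP 53); name resolution will fail unless a local resolver is in
 # use. The TCP list includes 22 and 443, so a backup pushed from this host
 # over scp/https is blocked too - pull the backup from another host.
 # NOTE(review): rules are inserted unconditionally; running the script twice
 # stacks duplicates. "iptables -C" may not exist on the older releases this
 # script targets, so de-duplication is left to the operator.
 iptables -I OUTPUT 1 -p tcp -m multiport --dports 21,22,23,25,53,80,135,139,443,445 -j DROP
 iptables -I OUTPUT 2 -p tcp -m multiport --dports 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 -j DROP
 iptables -I OUTPUT 3 -p udp -j DROP
 iptables -nvL
}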
 
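ubuntu_config_ufw()
{
 # Same outbound policy as config_iptables, expressed as ufw rules: deny TCP
 # to the listed remote ports and deny all outbound UDP, then show the status
 # so the operator can confirm the rules were accepted.
 # Globals:   none
 # Outputs:   "ufw status" listing on stdout
 # Returns:   status of the final ufw status
 #
 # NOTE(review): as with the iptables variant, "deny out proto udp to any"
 # also blocks DNS queries over UDP 53 - confirm a local resolver is present.
 ufw deny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
 ufw deny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
 ufw deny out proto udp to any
 ufw status
}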
 
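####################Start###################
# Entry point: require root, take a run-once lock, detect the OS and apply the
# matching outbound firewall configuration.
#
# The root check runs BEFORE the lock is taken so that an unprivileged run can
# never leave a lock behind in /tmp. The lock is created with noclobber rather
# than "touch": an existing path (including a symlink planted at this
# predictable /tmp name by another local user) makes the redirection fail, so
# the script stops instead of writing through it as root.
LOCKfile=/tmp/.$(basename -- "$0")

#check user
if [ "$(id -u)" != 0 ]
then
 printf '\033[1;40;31mError: You must be root to run this script,please use root to execute this script.\n\033[0m\n'
 exit 1
fi

#check lock file, one time only: let the script run one time
if ( set -C; : > "$LOCKfile" ) 2>/dev/null
then
 printf '\033[40;32mStep 1.No lock file,begin to create lock file and continue.\n\033[40;37m\n'
 # Release the lock on every exit path (success, error or signal) instead of
 # repeating "rm -f" before each exit below.
 trap 'rm -f -- "$LOCKfile"' EXIT
else
 printf '\033[1;40;31mThe script is already exist,please next time to run this script.\n\033[0m\n'
 exit
fi

printf '\033[40;32mStep 2.Begen to check the OS issue.\n\033[40;37m\n'
os_release=$(check_os_release)
if [ -z "$os_release" ]
then
 printf '\033[1;40;31mThe OS does not identify,So this script is not executede.\n\033[0m\n'
 exit 0
else
 printf '\033[40;32mThis OS is %s.\n\033[40;37m\n' "$os_release"
fi

printf '\033[40;32mStep 3.Begen to config firewall.\n\033[40;37m\n'
case "$os_release" in
redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
 # Make sure the iptables service is running before rules are added.
 service iptables start
 config_iptables
 ;;
debian6|opensuse131)
 config_iptables
 ;;
ubuntu10|ubuntu1204|ubuntu1210)
 # "ufw enable" asks for confirmation when stdin is a terminal; answer "y".
 ufw enable <<EOF
y
EOF
 ubuntu_config_ufw
 ;;
*)
 # check_os_release only prints the names above; anything else is a bug, so
 # fail loudly rather than finish with "success" and no rules applied.
 printf '\033[1;40;31mUnsupported OS value "%s",no firewall change made.\n\033[0m\n' "$os_release"
 exit 1
 ;;
esac

printf '\033[40;32mConfig firewall success,this script now exit!\n\033[40;37m\n'
rm -f -- "$LOCKfile"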

The files above can be downloaded and run directly on the machine.

Set iptables to restrict access


# Inbound allow-list for a web host: reset the filter table, accept loopback,
# TCP 22/80/8080, ICMP echo-request and packets belonging to connections this
# host already has, then drop everything else arriving on INPUT.
#
# The INPUT policy is set to ACCEPT before the flush, presumably so that the
# flush itself cannot cut off the SSH session this is run from; the DROP
# policy is applied only once the allow rules are in place. -F flushes all
# rules, -X deletes user-defined chains, -Z zeroes the packet counters.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z

/sbin/iptables -A INPUT -i lo -j ACCEPT 
# NOTE(review): SSH (22) is accepted from any source; restricting it with
# "-s <admin source range>" would cut the exposed surface - confirm the
# administrative source addresses before tightening.
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# ICMP type 8 is echo-request only; all other ICMP types fall through to the
# DROP policy below.
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# NOTE(review): only ESTABLISHED is accepted, not RELATED, so ICMP errors tied
# to existing connections (for example fragmentation-needed) are dropped by
# the default policy; ESTABLISHED,RELATED is the usual form - verify against
# the workload before changing it.
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -P INPUT DROP
# NOTE(review): nothing here touches ip6tables; if IPv6 is enabled on the host,
# the same services stay reachable over IPv6 - confirm, or mirror the rules
# with ip6tables.
# Persist the running ruleset so it survives a reboot (RHEL-family service).
 service iptables save

The script above can be run once after each reinstall of the system; the final `service iptables save` writes the resulting rules to /etc/sysconfig/iptables so they survive a reboot.

