防火墙

1、更新 Ubuntu sudo apt-get update && sudo apt-get upgrade
2、清空原有规则 sudo iptables -F
3、配置防火墙 sudo vi /etc/iptables.up.rules 假设 ssh 访问端口为 39999，数据库访问端口为 19999，且开放 3000、3001 端口

*filter

# allow all connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow out traffic
-A OUTPUT -j ACCEPT

# allow https http
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT

# allow ssh port login
-A INPUT -p tcp -m state --state NEW --dport 39999 -j ACCEPT

# ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# mongodb connect   
-A INPUT -s 127.0.0.1 -p tcp --destination-port 19999 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -p tcp --source-port 19999 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -s 127.0.0.1 -p tcp --destination-port 3000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -p tcp --source-port 3000 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -s 127.0.0.1 -p tcp --destination-port 3001 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -p tcp --source-port 3001 -m state --state ESTABLISHED -j ACCEPT

# log denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7

# drop incoming sensitive connections
-A INPUT -p tcp --dport 80 -8i eth0 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 150 -j DROP

# reject all other inbound
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

4、重载配置 sudo iptables-restore < /etc/iptables.up.rules （每次修改均需重载）
5、查看防火墙启动状态 sudo ufw status
6、激活 Firewalls sudo ufw enable
7、设置防火墙开机自启动 sudo vi /etc/network/if-up.d/iptables

#!/bin/sh
iptables-restore /etc/iptables.up.rules

8、授权 sudo chmod +x /etc/network/if-up.d/iptables

Fail2Ban

1、安装 sudo apt-get install fail2ban
2、配置 sudo vi /etc/fail2ban/jail.conf

bantime = 3600
destemail = your email  
action = %(action_mw)s
...

3、查看运行状态 sudo service fail2Ban statu
4、运行 or 停止 sudo service fail2Ban start ，sudo service fail2Ban stop

ubuntu 下部署 node 服务器环境 - 安全篇

防火墙

Fail2Ban

你可能感兴趣的:(防火墙,ubuntu14.04)