“This is the fifth day of my participation in the November Gwen Challenge. See details of the event: The Last Gwen Challenge 2021”.

Configure firewalls and security groups

Firewall

On CentOS the host firewall is managed with iptables or firewalld. The examples below use iptables.

Write a rule set that allows inbound access only to HTTP (80), HTTPS (443) and SSH (moved to port 12211). Everything else inbound is dropped, and every connection the server would initiate itself is dropped, so the server cannot actively reach external services.

In this example the SSH port has been changed to 12211, and only the specified IP address may reach it.

vim /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ICMP (ping): remove this line if the host should not answer pings
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH on the moved port, TCP, from the admin address only (203.0.113.10 is a placeholder; the address in the original was garbled)
-A INPUT -s 203.0.113.10/32 -m state --state NEW -m tcp -p tcp --dport 12211 -j ACCEPT
-A INPUT -j DROP
# outbound: loopback and replies to already-accepted connections only; without these two lines the web and SSH replies above are dropped as well
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT

Load it with iptables-restore < /etc/sysconfig/iptables (or restart the iptables service). Because nothing the server initiates is allowed out, DNS lookups and yum updates will fail until you add explicit rules for them.
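The easiest way to see what a rule set like the one above does to a packet is to walk the chain the way the kernel does: first match wins, otherwise the chain policy applies. The following is an added example, not code from the original post: a minimal parser for the iptables-save format restricted to the options used on this page, plus a first-match evaluator. The two rule sets inside it are constructed; PAGE_ORIGINAL keeps the post's OUTPUT chain as first written (a single unconditional DROP), CORRECTED adds the loopback and RELATED,ESTABLISHED accepts, and 203.0.113.10 stands in for the admin address. Running both shows the difference the two OUTPUT lines make: with the original chain the server's own replies to the HTTP client it just accepted are dropped, while a server-initiated HTTPS connection is dropped in both cases, which is the behaviour the post wants.

```python
import ipaddress
import shlex


def parse_filter_table(text):
    """Parse an iptables-save style *filter block into (chain policies,
    ordered rules). Only the options this page uses are understood:
    -A, -p, -s, -i, -o, --dport, -m <module> --state, -j. Anything else
    raises so that no option is silently ignored."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("*filter", "COMMIT"):
            continue
        if line.startswith(":"):                      # e.g. ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks, rule, i = shlex.split(line), {}, 0
        while i < len(toks):
            opt = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if opt == "-A":
                rule["chain"] = arg
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-i":
                rule["in_if"] = arg
            elif opt == "-o":
                rule["out_if"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["state"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            elif opt != "-m":                        # "-m state" / "-m tcp" only name a match module
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        rules.append(rule)
    return policies, rules


def verdict(policies, rules, chain, pkt):
    """Walk one chain in order; the first matching rule decides, otherwise the
    chain policy applies. pkt keys: proto, src, iface, dport, state."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if "proto" in r and r["proto"] != pkt["proto"]:
            continue
        if "src" in r and ipaddress.ip_address(pkt["src"]) not in r["src"]:
            continue
        if "in_if" in r and r["in_if"] != pkt["iface"]:
            continue
        if "out_if" in r and r["out_if"] != pkt["iface"]:
            continue
        if "dport" in r and r["dport"] != pkt.get("dport"):
            continue
        if "state" in r and pkt["state"] not in r["state"]:
            continue
        return r["target"]
    return policies[chain]


# Constructed rule sets (203.0.113.10 is a placeholder for the admin IP).
PAGE_ORIGINAL = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -m state --state NEW -m tcp -p tcp --dport 12211 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
"""
CORRECTED = PAGE_ORIGINAL.replace(
    "-A OUTPUT -j DROP",
    "-A OUTPUT -o lo -j ACCEPT\n"
    "-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A OUTPUT -j DROP",
)


def evaluate(ruleset):
    """Return the verdict for the traffic this post cares about. Addresses
    are constructed: 198.51.100.7 is a random client, 10.0.0.5 the server."""
    policies, rules = parse_filter_table(ruleset)
    client = {"iface": "eth0", "src": "198.51.100.7", "proto": "tcp"}
    server = {"iface": "eth0", "src": "10.0.0.5", "proto": "tcp"}
    cases = {
        "http_from_internet": ("INPUT", {**client, "dport": 80, "state": "NEW"}),
        "ssh_from_admin": ("INPUT", {**client, "src": "203.0.113.10", "dport": 12211, "state": "NEW"}),
        "ssh_from_internet": ("INPUT", {**client, "dport": 12211, "state": "NEW"}),
        "reply_to_http_client": ("OUTPUT", {**server, "dport": 51000, "state": "ESTABLISHED"}),
        "server_initiated_https": ("OUTPUT", {**server, "dport": 443, "state": "NEW"}),
    }
    return {name: verdict(policies, rules, chain, pkt) for name, (chain, pkt) in cases.items()}


if __name__ == "__main__":
    for label, rs in (("page original", PAGE_ORIGINAL), ("corrected", CORRECTED)):
        print(label, evaluate(rs))
```

The evaluator deliberately refuses options it does not understand rather than skipping them; a firewall simulator that silently ignores a match is worse than none, because it reports ACCEPT or DROP for a rule it did not actually apply.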

Security groups

An iptables rule set applies to a single host. When the same policy has to cover a batch of servers, hundreds or thousands of machines, maintaining a separate iptables file on each one does not scale. For this case the public cloud vendors provide security groups: free to use, configured through the console or an API, and simple to manage.

Rules are written per role: one rule set for the database machines, another for the application machines. Different service groups get different security rules.

Security groups have an inbound direction and an outbound direction. Inbound covers clients connecting to your services; outbound covers your services actively connecting to third parties.

Inbound configuration

Block ICMP (ping). Once blocked, the server no longer answers pings, which gives it a thin disguise of not being there. It is only a disguise: a port scan still finds the open TCP ports.

Port 12211 is the moved SSH port. Open it only to the specified IP address.

The web service ports 80 and 443 are open to the public internet and reachable from any network. If the business is not consumer-facing (not to-C), you can close them, or allow only specific IPs, as the case requires.

Outbound configuration

For a database group, simply deny all outbound traffic: the database has no need to call third-party SDKs. A business service, on the other hand, may need to reach SMS, authentication, cloud storage and other third-party SDK endpoints, so allow only those destinations.
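The inbound and outbound guidance above is easy to state and easy to get wrong in a console full of groups, so it helps to write the model down. The following is an added example, not code from the original post or from any cloud vendor: a small model of security groups as the post describes them (per-role groups, separate inbound and outbound allow lists, default deny, stateful so replies need no rule) together with an audit that checks a group against the post's three points: no inbound ICMP, SSH on 12211 from a single address only, no outbound at all for a database group. All addresses are constructed (203.0.113.10 for the admin workstation, 10.0.1.0/24 for the application subnet, 198.51.100.20 and 198.51.100.30 for an SMS gateway and an object-storage API), and 3306 (MySQL) is an assumption; the post only says "database".

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ANYWHERE = ipaddress.ip_network("0.0.0.0/0")
# Constructed addresses: admin workstation, application subnet, third parties.
ADMIN_IP = ipaddress.ip_network("203.0.113.10/32")
APP_SUBNET = ipaddress.ip_network("10.0.1.0/24")
SMS_GATEWAY = ipaddress.ip_network("198.51.100.20/32")
OBJECT_STORAGE = ipaddress.ip_network("198.51.100.30/32")


@dataclass(frozen=True)
class Rule:
    """One allow entry. peer is the remote side: the source for inbound rules,
    the destination for outbound rules. port None means any port (the only
    sensible value for icmp)."""
    proto: str
    port: Optional[int]
    peer: ipaddress.IPv4Network


@dataclass
class SecurityGroup:
    name: str
    role: str                                  # "app" or "database"
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)

    def allows(self, direction, proto, port, remote_ip):
        """Security groups are allow-only and stateful: a new connection is
        permitted iff some rule in its direction matches; replies to a
        permitted connection are implicitly allowed and never consulted here."""
        rules = self.inbound if direction == "inbound" else self.outbound
        ip = ipaddress.ip_address(remote_ip)
        return any(r.proto == proto and r.port in (None, port) and ip in r.peer
                   for r in rules)


def audit(group):
    """Check a group against the guidance in this post; an empty list means
    the group follows all three points."""
    findings = []
    if any(r.proto == "icmp" for r in group.inbound):
        findings.append("inbound ICMP (ping) is allowed")
    for r in group.inbound:
        if r.proto == "tcp" and r.port == 12211 and r.peer.prefixlen < 32:
            findings.append(f"SSH port 12211 is open to {r.peer}, not to a single address")
    if group.role == "database" and group.outbound:
        findings.append("database group has outbound rules; it should deny all outbound")
    return findings


# The two groups the post describes. 3306 (MySQL) is an assumption.
APP_GROUP = SecurityGroup(
    "app", "app",
    inbound=[Rule("tcp", 80, ANYWHERE), Rule("tcp", 443, ANYWHERE), Rule("tcp", 12211, ADMIN_IP)],
    outbound=[Rule("tcp", 443, SMS_GATEWAY), Rule("tcp", 443, OBJECT_STORAGE)],
)
DB_GROUP = SecurityGroup(
    "database", "database",
    inbound=[Rule("tcp", 3306, APP_SUBNET), Rule("tcp", 12211, ADMIN_IP)],
    outbound=[],
)
# A group built the way the post warns against, for the audit to catch.
SLOPPY_DB = SecurityGroup(
    "legacy-db", "database",
    inbound=[Rule("icmp", None, ANYWHERE), Rule("tcp", 12211, ANYWHERE), Rule("tcp", 3306, ANYWHERE)],
    outbound=[Rule("tcp", 443, ANYWHERE)],
)

if __name__ == "__main__":
    print("web from internet:", APP_GROUP.allows("inbound", "tcp", 443, "8.8.8.8"))
    print("ssh from internet:", APP_GROUP.allows("inbound", "tcp", 12211, "8.8.8.8"))
    print("db calls out:", DB_GROUP.allows("outbound", "tcp", 443, "198.51.100.20"))
    for g in (APP_GROUP, DB_GROUP, SLOPPY_DB):
        print(g.name, audit(g) or "ok")
```

Because the groups are allow-only with an implicit deny, the database group's empty outbound list is the whole outbound policy; the audit treats any entry in it as a finding rather than inspecting what the entry allows.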