“This is the fifth day of my participation in the November Gwen Challenge. See details of the event: The Last Gwen Challenge 2021”.
Configure firewalls and security groups
Firewall
CentOS manages the firewall with either iptables or firewalld; the examples below use iptables.
Write a ruleset that allows inbound access only to HTTP, HTTPS and SSH (on port 12211), rejects all other inbound traffic, and rejects all outbound traffic so that the server cannot initiate connections to external services.
In this example the SSH service has been moved to port 12211, and only the specified source IP address may reach that port.
vim /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [8:400]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:3744]
# replies to connections that were already accepted
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ping
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH is TCP on the relocated port 12211; the source address is as written in the post (one octet is missing, fill in the full admin address)
-A INPUT -s 172.161.33./32 -m state --state NEW -p tcp --dport 12211 -j ACCEPT
-A INPUT -j DROP
# without this rule the OUTPUT DROP below would also discard responses to accepted HTTP/HTTPS/SSH connections
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT
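As an added example that is not part of the original post: the same policy as a parameterized shell script. gen_web_rules emits an iptables-restore file for the web-server case (admin CIDR and SSH port are arguments; the address 203.0.113.10/32 is a constructed documentation-range value, not the post's) and includes the OUTPUT rule for established connections that a default-deny OUTPUT chain needs so that responses to accepted connections are not dropped. apply_with_rollback is a placeholder name for the usual safe-apply pattern on a remote host: syntax-check, save the running rules, schedule an automatic restore, then load the new file.

```shell
#!/bin/sh
# Added example (not from the original post). Builds and safely applies a
# CentOS /etc/sysconfig/iptables ruleset for a public web server.
# Function names and the sample address are assumptions made here.

# gen_web_rules ADMIN_CIDR SSH_PORT [ALLOW_PING=yes|no]
# Prints an iptables-restore file to stdout.
gen_web_rules() {
  admin_cidr="$1"
  ssh_port="$2"
  allow_ping="${3:-yes}"
  if [ "$allow_ping" = yes ]; then
    ping_rule='-A INPUT -p icmp -j ACCEPT'
  else
    ping_rule='# ICMP not accepted: host does not answer ping'
  fi
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Replies to connections already accepted, in BOTH directions. Without the
# OUTPUT rule, HTTP responses to accepted requests would be dropped.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
${ping_rule}
# SSH on a non-default port, TCP only, from the admin address only
-A INPUT -p tcp -s ${admin_cidr} --dport ${ssh_port} -m state --state NEW -j ACCEPT
# Public web ports
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Everything else is dropped; the chain policies are already DROP, the
# explicit rules make the intent visible in iptables -L output.
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
EOF
}

# apply_with_rollback RULES_FILE [GRACE_SECONDS=60]
# Checks syntax, saves the running rules, schedules their restore, then loads
# the new file. Kill the scheduled restore once you have confirmed SSH still works.
apply_with_rollback() {
  rules_file="$1"
  grace="${2:-60}"
  backup="/tmp/iptables.rollback.$$"
  iptables-restore --test < "$rules_file" || { echo "rule file rejected, nothing applied" >&2; return 1; }
  iptables-save > "$backup"
  ( sleep "$grace" && iptables-restore < "$backup" ) &
  echo $! > "$backup.pid"
  iptables-restore < "$rules_file"
  echo "applied; kill \$(cat $backup.pid) within ${grace}s to keep the new rules"
}

# Stand-alone run: print the ruleset for the constructed admin address.
gen_web_rules "${ADMIN_CIDR:-203.0.113.10/32}" "${SSH_PORT:-12211}" "${ALLOW_PING:-yes}"
```

Typical use is gen_web_rules 203.0.113.10/32 12211 no > /etc/sysconfig/iptables followed by apply_with_rollback /etc/sysconfig/iptables, then opening a second SSH session to confirm access before killing the scheduled restore.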
Security groups
Writing iptables rules host by host does not scale to a batch of servers, let alone hundreds or thousands of them. For this, public cloud vendors offer security groups: free to use, configured through a console or API, and simple to apply in bulk.
Each batch of machines gets its own ruleset: one for the database servers, another for the application servers. Different service groups can use different security rules.
Security group rules are split into an inbound direction and an outbound direction. Inbound covers clients reaching your services; outbound covers your services initiating connections to third parties.
Inbound configuration
Disable ICMP (ping). Once disabled, the server no longer answers ping, which gives the appearance that no host exists at that address.
Port 12211 is the relocated SSH port; only the specified source IP address may access it.
Web service ports 80 and 443 are open to the public network and reachable from anywhere. If the service is not consumer-facing (to-C), you can close them or restrict them to specific source IPs, as the case requires.
Outbound configuration
For example, database servers simply reject all outbound traffic, since a database never needs to call a third-party SDK. A business service, on the other hand, may need to reach SMS, authentication, cloud storage and other third-party SDK endpoints.
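As an added example that is not part of the original post: a small audit function that reads an iptables-save dump and checks it against the inbound and outbound expectations above for a web host or a db host (ICMP disabled, the SSH port restricted to a source address, no public web ports on a db host, an outbound default deny that still lets replies out, no new outbound connections from a db host). audit_ruleset is a placeholder name. The two embedded dumps are constructed: the first mirrors the rule file from the firewall section (with a documentation-range address in place of the post's), the second is a db-host ruleset; the 10.0.1.0/24 application subnet and port 3306 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Audits an iptables-save dump
# against the role policy described above. Names and sample data are assumptions.

# audit_ruleset ROLE SSH_PORT  < iptables-save dump
# ROLE is "web" or "db". Prints one finding per line; exit status 1 if any
# finding was raised, 0 if the dump is clean.
audit_ruleset() {
  role="$1"
  ssh_port="$2"
  awk -v role="$role" -v ssh="$ssh_port" '
    function flag(msg) { print msg; n++ }
    /^-A INPUT / {
      public = ($0 !~ / -s /)          # no source restriction on the rule
      if ($0 ~ /-p icmp/ && $0 ~ /-j ACCEPT/)
        flag("inbound: ICMP accepted, host answers ping")
      if ($0 ~ /-p udp/ && $0 ~ /--dport 22(:22)?( |$)/)
        flag("inbound: SSH rule written for UDP port 22; SSH is TCP, the rule never matches")
      if (public && $0 ~ ("--dport " ssh "( |$)"))
        flag("inbound: SSH port " ssh " reachable from any source")
      if (public && role == "db" && $0 ~ /--dport (80|443)( |$)/)
        flag("inbound: web port open to the public on a db host")
    }
    /^-A OUTPUT / && /RELATED,ESTABLISHED/ && /-j ACCEPT/ { out_state = 1 }
    /^-A OUTPUT -j DROP/ || /^:OUTPUT DROP/ { out_deny = 1 }
    /^-A OUTPUT -p (tcp|udp)/ && /-j ACCEPT/ { out_allow++ }
    END {
      if (!out_deny)
        flag("outbound: no default deny, server may initiate any connection")
      if (out_deny && !out_state)
        flag("outbound: default deny without a RELATED,ESTABLISHED accept; replies to inbound connections are dropped")
      if (role == "db" && out_allow > 0)
        flag("outbound: db host allows new outbound connections")
      exit (n > 0)
    }'
}

# Constructed sample 1: the web-server rule file from the firewall section,
# with a documentation-range admin address and the rule problems left in.
ORIGINAL_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -m state --state NEW -m udp -p udp --dport 22:22 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT'

# Constructed sample 2: a db host. No ping, SSH only from the admin address,
# MySQL only from the assumed application subnet, outbound default deny
# that still lets replies out.
DB_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp -s 203.0.113.10/32 --dport 12211 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s 10.0.1.0/24 --dport 3306 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT'

# Stand-alone run: audit both constructed dumps.
echo "== web ruleset modelled on the firewall section =="
printf '%s\n' "$ORIGINAL_RULES" | audit_ruleset web 12211 || echo "-> findings, fix before deploying"
echo "== db ruleset =="
printf '%s\n' "$DB_RULES" | audit_ruleset db 12211 && echo "-> clean"
```

On a live host the same check runs as iptables-save | audit_ruleset web 12211; a non-zero exit status makes it usable as a gate in a configuration pipeline.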