This worked!
Command:
# cat /etc/sysconfig/iptables
Result:
# (1) ポリシーの設定 OUTPUTのみACCEPTにする
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# (2) ループバック(自分自身からの通信)を許可する
-A INPUT -i lo -j ACCEPT
# (3) データを持たないパケットの接続を破棄する
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# (4) SYNflood攻撃と思われる接続を破棄する
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# (5) ステルススキャンと思われる接続を破棄する
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# (6) icmp(ping)の設定
# hashlimitを使う
# -m hashlimit hashlimitモジュールを使用する
# —hashlimit-name t_icmp 記録するファイル名
# —hashlimit 1/m リミット時には1分間に1パケットを上限とする
# —hashlimit-burst 10 規定時間内に10パケット受信すればリミットを有効にする
# —hashlimit-mode srcip ソースIPを元にアクセスを制限する
# —hashlimit-htable-expire 120000 リミットの有効期間。単位はms
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name t_icmp --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
# (7) 確立済みの通信は、ポート番号に関係なく許可する
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# (8) 任意へのDNSアクセスの戻りパケットを受け付ける
-A INPUT -p udp --sport 53 -j ACCEPT
# (9) SSHを許可する設定
# hashlimitを使う
# -m hashlimit hashlimitモジュールを使用する
# —hashlimit-name t_sshd 記録するファイル名
# —hashlimit 1/m リミット時には1分間に1パケットを上限とする
# —hashlimit-burst 10 規定時間内に10パケット受信すればリミットを有効にする
# —hashlimit-mode srcip ソースIPを元にアクセスを制限する
# —hashlimit-htable-expire 120000 リミットの有効期間。単位はms
-A INPUT -p tcp -m state --syn --state NEW --dport 22 -m hashlimit --hashlimit-name t_sshd --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
# (10) 個別に許可するプロトコルとポートをここに書き込む。
# この例では、HTTP(TCP 80)とHTTPS(TCP 443)を許可している。
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
Reference:
http://knowledge.sakura.ad.jp/beginner/4048/
Wednesday, August 30, 2017
CentOS: iptables: Fixing Webserver Accessibility (How secure now?)
Command:
# diff /etc/sysconfig/iptables /etc/sysconfig/iptables.org
Result:
1c1,2
< # Generated by iptables-save v1.4.7 on Wed Aug 30 00:09:28 2017
---
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
3,11c4,12
< :INPUT DROP [0:0]
< :FORWARD DROP [0:0]
< :OUTPUT ACCEPT [24:2320]
< -A INPUT -i lo -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
< -A INPUT -p udp -m udp --dport 53 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
---
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
13d13
< # Completed on Wed Aug 30 00:09:28 2017
Reference:
http://programmerbox.com/2013-12-24_vps_construct_procedure_manual/
# diff /etc/sysconfig/iptables /etc/sysconfig/iptables.org
Result:
1c1,2
< # Generated by iptables-save v1.4.7 on Wed Aug 30 00:09:28 2017
---
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
3,11c4,12
< :INPUT DROP [0:0]
< :FORWARD DROP [0:0]
< :OUTPUT ACCEPT [24:2320]
< -A INPUT -i lo -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
< -A INPUT -p udp -m udp --dport 53 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
---
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
13d13
< # Completed on Wed Aug 30 00:09:28 2017
Reference:
http://programmerbox.com/2013-12-24_vps_construct_procedure_manual/
ラベル:
CentOS,
diff utility,
iptables
Tuesday, August 29, 2017
CentOS: iptables: Opening HTTP and HTTPS Ports
Command:
# diff /etc/sysconfig/iptables /etc/sysconfig/iptables.org
Result:
13,14d12
< -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Command:
# service iptables restart
Result:
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
# diff /etc/sysconfig/iptables /etc/sysconfig/iptables.org
Result:
13,14d12
< -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Command:
# service iptables restart
Result:
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
CentOS: Adding User
Command:
# useradd USERNAME
# passwd USERNAME
Result:
Changing password for user USERNAME.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Command:
# su USERNAME
$ cd ~
$ ls
$ pwd
Result:
/home/USERNAME
# useradd USERNAME
# passwd USERNAME
Result:
Changing password for user USERNAME.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Command:
# su USERNAME
$ cd ~
$ ls
$ pwd
Result:
/home/USERNAME
ラベル:
CentOS
SSH: Accessing Virtual Private Server Using RSA Private Key File
Command:
$ cat vps.key
Result:
-----BEGIN RSA PRIVATE KEY-----
fasdfsadfsadJAyxNgvFkJoMF+MEyWV4Qfasdfasd
gTf2LsM2mo6Jodh+VVffsadfsadfsdafsadfa0QPTlY+905/z3e24DYtKHbP
eRfem0kq/H17eguWk4BounPWfJKrYGR1rS00K5OeWfoTAoz6osc3rN8LXwIBIwKB
gQCZXb8ppDdM50Ki7A04CSoEb/qWChMJtIRFGfMI3A+MvFuj/50Wi7zGoQz9wDxW
gv0cNaT/Z/B1z40AAAAAAAAAAAAAAAAAAAAIY83RKh/Kj+Jv8OhW1FNUp/Il7WOs
1zo+owYp9uyT08gE1XBGvMrdam2w77YabIT20Dt2jkKs2wJBfasdfVu88cqmJ2P
F0+JlFbOL5pvldjfkeDkefIesdIdfeIdkXxK343/45uo35lYVj6vXfdsafFeMWD
jHH3EYMCQQD1JcnOz8CGMSeMbFXrdb1erkt3fgcJwny4WotUUoRx5KZinPGSasXv
GmL8zshzHcN9wWFgicXGOcqpQijM8kP1AkAdHoMd4MtnOBFxF6rkhMB+8v4gR0zw
F901P7OURpHAiCf/4lnFD98fadsfsadfasdfasdfuoUFHeHqr/LLMi3jAkBUDPS7
73U1Uq55SbcO5ooR1Vuz8LH0t7W7jMIOSC1o4K4TLn6123cQJk3TBRGGjdygJQtx
jlJv2UzMUTKPaQFbAkAuvRDkvUVb1lvuduolUZHmz3SBdwiKIVMn8+SeXoCT+hL8
SQJ56ary8w+dkfjaldkfkjdekelsldkelf
-----END RSA PRIVATE KEY-----
Command:
$ cat ~/.ssh/config
Result:
Host vps
HostName 111.111.11.111
Port 22
User root
IdentityFile ~/vps.key
Command:
$ chmod 600 ~/vps.key
Command:
$ ssh vps
Result:
[root@v111-111-11-111 ~]#
$ cat vps.key
Result:
-----BEGIN RSA PRIVATE KEY-----
fasdfsadfsadJAyxNgvFkJoMF+MEyWV4Qfasdfasd
gTf2LsM2mo6Jodh+VVffsadfsadfsdafsadfa0QPTlY+905/z3e24DYtKHbP
eRfem0kq/H17eguWk4BounPWfJKrYGR1rS00K5OeWfoTAoz6osc3rN8LXwIBIwKB
gQCZXb8ppDdM50Ki7A04CSoEb/qWChMJtIRFGfMI3A+MvFuj/50Wi7zGoQz9wDxW
gv0cNaT/Z/B1z40AAAAAAAAAAAAAAAAAAAAIY83RKh/Kj+Jv8OhW1FNUp/Il7WOs
1zo+owYp9uyT08gE1XBGvMrdam2w77YabIT20Dt2jkKs2wJBfasdfVu88cqmJ2P
F0+JlFbOL5pvldjfkeDkefIesdIdfeIdkXxK343/45uo35lYVj6vXfdsafFeMWD
jHH3EYMCQQD1JcnOz8CGMSeMbFXrdb1erkt3fgcJwny4WotUUoRx5KZinPGSasXv
GmL8zshzHcN9wWFgicXGOcqpQijM8kP1AkAdHoMd4MtnOBFxF6rkhMB+8v4gR0zw
F901P7OURpHAiCf/4lnFD98fadsfsadfasdfasdfuoUFHeHqr/LLMi3jAkBUDPS7
73U1Uq55SbcO5ooR1Vuz8LH0t7W7jMIOSC1o4K4TLn6123cQJk3TBRGGjdygJQtx
jlJv2UzMUTKPaQFbAkAuvRDkvUVb1lvuduolUZHmz3SBdwiKIVMn8+SeXoCT+hL8
SQJ56ary8w+dkfjaldkfkjdekelsldkelf
-----END RSA PRIVATE KEY-----
Command:
$ cat ~/.ssh/config
Result:
Host vps
HostName 111.111.11.111
Port 22
User root
IdentityFile ~/vps.key
Command:
$ chmod 600 ~/vps.key
Command:
$ ssh vps
Result:
[root@v111-111-11-111 ~]#
Monday, August 28, 2017
Saturday, August 26, 2017
Thursday, August 24, 2017
Subscribe to:
Posts (Atom)