Linux Server Security: Optimizing Web Interface Protection Policies

With the rapid growth of the internet, more and more business has moved online, and the security of web interfaces has become an aspect of server operations that cannot be ignored. On a Linux server a series of measures can be adopted to protect a web interface and keep the server secure. This article discusses how to optimize web interface protection policies and gives corresponding code examples.

Firewall Configuration

Configuring a firewall is the first line of defence for a web interface. Tools such as iptables or firewalld can be used to set rules that restrict access to the interface. The following is a basic iptables configuration (run as root):

# Flush existing rules
iptables -F

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow the local loopback interface
iptables -A INPUT -i lo -j ACCEPT

# Allow established and related connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Drop packets that belong to no tracked connection
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Open port 22 (SSH); add -s <admin network> here if SSH need not be reachable from everywhere
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Other rules...

# Allow ping, rate-limited to 1/s with a burst of 4, to blunt ICMP echo floods.
# Keep this as the only echo-request ACCEPT: first match wins, so an unconditional
# ACCEPT placed earlier would make the limit dead.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT

# Other rules...

# Finally an explicit DROP; redundant with the DROP policy, but it documents the intent
iptables -A INPUT -j DROP


In the example above we first flush the existing rules, then set the default policy to DROP so that every connection not explicitly allowed is rejected. Next we allow the local loopback interface and established and related connections (this rule is what keeps an existing SSH session alive while the script runs). Then we open SSH (port 22), HTTP (port 80) and HTTPS (port 443).

Further rules can be added as the situation requires, for example restricting access to particular source addresses with -s. Two caveats apply. iptables evaluates the INPUT chain top to bottom and the first matching rule wins, so a rate-limited rule such as the ICMP echo-request limit only has an effect if no earlier unconditional rule accepts the same traffic. And rules set this way live in kernel memory only and are lost on reboot, so persist them with iptables-save (or the iptables-services / netfilter-persistent packages) once they have been verified.
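As an added example, not part of the original article, the following shell script audits an iptables-save dump of the filter table and compares the ports the INPUT chain opens to everyone against an allowlist, which is the check to run after applying the ruleset above. The dump embedded in the script is constructed for illustration and deliberately contains an extra tcp/8080 rule; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: audit an `iptables-save -t filter` dump of the INPUT chain.
# Reports the default policy and every TCP/UDP port ACCEPTed without a
# source or rate-limit condition, so the exposed surface can be compared
# with the intended list (tcp/22, tcp/80, tcp/443 in the ruleset above).

# Constructed dump for illustration; tcp/8080 is the deliberate mistake.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec --limit-burst 4 -j ACCEPT
COMMIT'

# Read a dump on stdin; print "policy=<P> open=<proto/port ...>".
audit_input_chain() {
    awk '
        /^:INPUT / { policy = $2 }          # policy line: ":INPUT DROP [0:0]"
        /^-A INPUT / {
            proto = ""; dport = ""; target = ""; cond = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
                # a source match or rate limit means "not open to everyone"
                if ($i == "-s" || $i == "--limit") cond = 1
            }
            if (target == "ACCEPT" && dport != "" && !cond)
                open = open (open == "" ? "" : " ") proto "/" dport
        }
        END { printf "policy=%s open=%s\n", (policy == "" ? "unknown" : policy), open }'
}

# Exit 0 only if the policy is DROP and nothing outside the allowlist $1 is open.
check_exposure() {
    allowed="$1"; status=0
    result=$(audit_input_chain)
    policy=${result#policy=}; policy=${policy%% *}
    open=${result#*open=}
    [ "$policy" = "DROP" ] || { echo "INPUT policy is $policy, expected DROP"; status=1; }
    for p in $open; do
        case " $allowed " in
            *" $p "*) ;;
            *) echo "unexpected open port: $p"; status=1 ;;
        esac
    done
    return $status
}

# On a live system: sudo iptables-save -t filter | check_exposure "tcp/22 tcp/80 tcp/443"
printf '%s\n' "$SAMPLE_DUMP" | audit_input_chain
```

Ports accepted only from a source address (-s) or under a rate limit are deliberately not counted as open, so an SSH rule restricted to an administrative network passes the check while an unrestricted one shows up.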

HTTPS Encrypted Transport

To protect the web interface's data in transit, HTTPS should be used. On an Apache-based web server the mod_ssl module provides HTTPS. A simple example on a RHEL/CentOS-style system:

# Install mod_ssl
sudo yum install mod_ssl

# Create a self-signed certificate (testing only; use a CA-issued certificate in production)
sudo mkdir -p /etc/httpd/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=example.com" \
    -keyout /etc/httpd/ssl/server.key -out /etc/httpd/ssl/server.crt
# The private key must be readable by root only
sudo chmod 600 /etc/httpd/ssl/server.key

# Edit the Apache configuration file
sudo vi /etc/httpd/conf/httpd.conf

# Add the following in the appropriate place
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    # Refuse SSLv3 and the legacy TLS 1.0/1.1 versions
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>

# Check the syntax, then restart Apache
sudo apachectl configtest
sudo systemctl restart httpd


In the example above we install the mod_ssl module, generate a self-signed certificate and key, and point the Apache configuration at them. A self-signed certificate encrypts the connection but gives clients no way to verify the server's identity, so browsers will warn and API clients would have to pin it explicitly; for a production interface obtain a certificate from a CA (for example through Let's Encrypt) and keep the private key readable by root only. On RHEL-family systems mod_ssl also installs /etc/httpd/conf.d/ssl.conf with a default *:443 virtual host, and the block can be placed there instead. Once HTTPS works, the plain-HTTP virtual host on port 80 should redirect to https:// rather than serve the interface itself.
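As an added example, not from the original article, this script checks the certificate and key before Apache is pointed at them: the key file's permission bits, whether the certificate actually belongs to the key, and whether the certificate has expired. It assumes OpenSSL 1.1 or later on the PATH; make_self_signed reproduces the article's openssl req command non-interactively, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: sanity-check TLS material before setting
# SSLCertificateFile / SSLCertificateKeyFile. Catches the three deployment
# mistakes that most often break or weaken an HTTPS vhost: a key readable by
# non-root users, a cert/key mismatch, and an expired certificate.
# Assumes OpenSSL 1.1+ on the PATH; handles GNU and BSD stat.

# Octal permission bits of a file, e.g. 600.
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_tls_material CERT KEY: exit 0 only if all three checks pass.
check_tls_material() {
    cert="$1"; key="$2"; status=0

    # 1. The private key must not be group- or world-readable.
    mode=$(key_mode "$key")
    case "$mode" in
        600|400) ;;
        *) echo "key $key has mode $mode, expected 600"; status=1 ;;
    esac

    # 2. The public key inside the certificate must match the private key.
    #    Both commands emit the same SubjectPublicKeyInfo PEM, so compare text.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate $cert does not match key $key"; status=1
    fi

    # 3. The certificate must still be valid (-checkend 0 fails once expired).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate $cert is expired"; status=1
    fi
    return $status
}

# make_self_signed DIR CN: the article's openssl req command, non-interactive
# (-subj) and with the key created mode 600 via umask in a subshell.
# A browser-trusted certificate would also need a subjectAltName.
make_self_signed() {
    dir="$1"; cn="$2"
    ( umask 077; openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
}

# Usage: sh check_tls.sh /etc/httpd/ssl/server.crt /etc/httpd/ssl/server.key
if [ "$#" -eq 2 ]; then
    check_tls_material "$1" "$2"
fi
```

Running the check as part of the deployment step (before apachectl configtest) turns a silent weakness such as a world-readable key into a failed deploy rather than a finding in a later audit.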

Access Control Policies

Besides the firewall and HTTPS, the web interface can also be protected with access control policies in Apache itself. An IP-address-based access control list (ACL) restricts which clients may reach the interface. An example:

# Edit the Apache configuration file
sudo vi /etc/httpd/conf/httpd.conf

# Add the following in the appropriate place (Apache 2.4 syntax)
<Location "/">
    Require ip 192.168.1.0/24 10.0.0.0/8
</Location>

# Equivalent Apache 2.2 syntax, still accepted by 2.4 through mod_access_compat;
# do not mix the two styles in one block
# <Location "/">
#     Order deny,allow
#     Deny from all
#     Allow from 192.168.1.0/24
#     Allow from 10.0.0.0/8
# </Location>

# Check the syntax, then restart Apache
sudo apachectl configtest
sudo systemctl restart httpd


The example allows only requests from the 192.168.1.0/24 and 10.0.0.0/8 networks; every other client receives 403 Forbidden. Order, Deny and Allow are the Apache 2.2 directives; Apache 2.4 still accepts them through mod_access_compat, but the native 2.4 form is Require ip 192.168.1.0/24 10.0.0.0/8, and the two styles should not be mixed in one block. The ACL keys on the TCP source address, so if the server sits behind a reverse proxy or load balancer every request will appear to come from the proxy and the list will either block everyone or no one: configure mod_remoteip (RemoteIPHeader together with RemoteIPInternalProxy) so that only the trusted proxy's forwarded header is honoured, because a client can set X-Forwarded-For itself.
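As an added example, not part of the original article, the following script finds access-log entries from clients outside the ACL's networks, and among them the entries that were not refused, which indicates a virtual host or path that the <Location> block does not cover. The log lines are constructed, ALLOWED_NETS mirrors the ACL above, and the function names are the example's own. The CIDR test is done in awk on the numeric address, the same way Apache and iptables match it, and also accepts a bare address without a prefix.

```shell
#!/bin/sh
# Added example: find access-log requests from outside the ACL's networks,
# and outside requests that were not refused (403), which means some
# virtual host or path is not covered by the <Location> block.

ALLOWED_NETS="192.168.1.0/24 10.0.0.0/8"   # mirrors the Require ip / Allow from list

# Constructed common-log-format lines, not real traffic.
SAMPLE_LOG='192.168.1.42 - - [10/Oct/2023:13:55:36 +0000] "GET /api/status HTTP/1.1" 200 512
10.20.30.40 - - [10/Oct/2023:13:55:37 +0000] "POST /api/login HTTP/1.1" 200 128
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /api/status HTTP/1.1" 403 199
192.168.2.9 - - [10/Oct/2023:13:55:39 +0000] "GET /admin HTTP/1.1" 403 199
198.51.100.5 - - [10/Oct/2023:13:55:40 +0000] "GET /api/status HTTP/1.1" 200 512'

# Print every line whose client address ($1) is in none of $ALLOWED_NETS.
# CIDR test: discard the host bits of both addresses by integer division by
# 2^(32-prefix) and compare; a bare address (no /prefix) must match exactly.
outside_acl() {
    awk -v nets="$ALLOWED_NETS" '
        function ip2int(ip,   o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        function in_net(ip, net,   p, shift) {
            split(net, p, "/")
            shift = 2 ^ (32 - (p[2] == "" ? 32 : p[2]))
            return int(ip2int(ip) / shift) == int(ip2int(p[1]) / shift)
        }
        BEGIN { n = split(nets, list, " ") }
        {
            allowed = 0
            for (i = 1; i <= n; i++) if (in_net($1, list[i])) allowed = 1
            if (!allowed) print
        }'
}

# Outside requests whose status ($9) is not 403: the ACL is not enforced there.
acl_bypass() {
    outside_acl | awk '$9 != "403"'
}

# On a live system: acl_bypass < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | acl_bypass
```

In the constructed log the 198.51.100.5 request is the one that should not exist: it came from outside both networks and still got a 200. If the server is behind a proxy, the first field of the log is the proxy's address and this check is only meaningful once mod_remoteip has replaced it with the real client address.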

The above are some of the policies and code examples for optimizing web interface protection. Many other security measures and techniques can be applied on a Linux server to improve the security of a web interface; the appropriate policies should be selected and configured according to the actual environment and requirements so that the server keeps running securely.

References:

Linux firewall configuration: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_packet_filtering

Apache HTTPS configuration: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

Apache access control lists (ACL): https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
