
Playing with firewalld is enough: it's not that hard

The most common thing many people do when setting up a server is to simply turn the firewall off. It saves a lot of trouble, but it also hides many risks. So the blogger suggests that the first thing anyone building a website should do after buying a server is to take security measures to protect it, so that it does not end up as a compromised "broiler" (a zombie host in someone else's botnet)!

Generally speaking, these are the things done to protect a server:
1. Change the login password (obviously)
2. Change the SSH port
3. Configure a firewall to strictly control which ports are open
4. Log in with a key and disable password login
5. Install fail2ban to stop brute-force cracking of service accounts such as SSH and FTP

Of course, today the blogger mainly talks about firewalld configuration. Many people, like the blogger, may prefer iptables as their firewall, but today the blogger read through some firewalld documentation and found it is not that difficult. Compared with iptables, firewalld's rules are a little simpler!

1. Install firewalld

 yum -y install firewalld

Note:
Preparation before running firewalld is really important. This is exactly why the blogger used to simply turn the firewall off: every time firewalld was installed, SSH could no longer connect to the server...

firewalld's default rules already allow the SSH service (port 22), but if you have changed the SSH port, you must allow the new port first. Otherwise, as soon as firewalld is enabled the port is blocked, the server can no longer be reached, and you end up reinstalling the system...

For example, if you changed the SSH port to 2019, you can edit the firewalld zone configuration file directly with the following command:

 vi /etc/firewalld/zones/public.xml

Add the following rule:

 <port protocol="tcp" port="2019"/>

Add it in the position shown below:

 <?xml version="1.0" encoding="utf-8"?>
 <zone>
   <short>Public</short>
   <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
   <service name="dhcpv6-client"/>
   <service name="ssh"/>
   <port protocol="tcp" port="2019"/>
 </zone>

Then enter the command systemctl start firewalld to start firewalld; the new SSH port will not be blocked.
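The lock-out the note above warns about can be caught before it happens. The following is an added example, not code from the original post: a pre-flight check that reads the port sshd is configured to listen on and confirms the public zone file already allows it, to be run before systemctl start firewalld. File paths are parameters so it can run on constructed sample files; on a real host they would be /etc/ssh/sshd_config and /etc/firewalld/zones/public.xml, and the only service-to-port mapping assumed is ssh = 22.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check to run BEFORE
# "systemctl start firewalld". It reads the port sshd is configured to listen
# on and confirms the public zone file already allows it, so enabling the
# firewall cannot lock you out of the server. Both file paths are parameters
# so the check can be exercised on constructed sample files; on a real host
# the inputs are /etc/ssh/sshd_config and /etc/firewalld/zones/public.xml.

# Print the port from the last uncommented "Port" line (sshd's default is 22).
ssh_port_from_config() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${p:-22}"
}

# Return 0 if the zone file allows TCP port $2: either an explicit <port>
# element, or the built-in ssh service when the port is still 22.
zone_allows_tcp_port() {
    zone=$1; zp=$2
    if grep -Eq "<port[^>]*port=\"$zp\"[^>]*protocol=\"tcp\"|<port[^>]*protocol=\"tcp\"[^>]*port=\"$zp\"" "$zone"; then
        return 0
    fi
    [ "$zp" = "22" ] && grep -q '<service name="ssh"/>' "$zone"
}

# Pre-flight: return 0 when it is safe to start firewalld, 1 when SSH would be cut off.
firewalld_ssh_preflight() {
    port=$(ssh_port_from_config "$1")
    if zone_allows_tcp_port "$2" "$port"; then
        echo "ok: sshd port $port/tcp is allowed by $2"
        return 0
    fi
    echo "DANGER: sshd port $port/tcp is NOT allowed by $2;" \
         "add <port protocol=\"tcp\" port=\"$port\"/> to the zone before starting firewalld" >&2
    return 1
}

# Constructed sample: sshd moved to 2019, zone file still only allows the ssh service.
tmp=$(mktemp -d)
printf 'Port 2019\nPermitRootLogin no\n' > "$tmp/sshd_config"
printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n  <service name="ssh"/>\n</zone>\n' > "$tmp/public.xml"
firewalld_ssh_preflight "$tmp/sshd_config" "$tmp/public.xml" || echo "refusing to start firewalld"
```

Run it as root with the real paths and only start firewalld when it prints "ok"; after adding the <port> element, rerun it to confirm the fix.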

2. Common firewalld commands

The blogger usually uses the service command here.
2.1 Viewing Firewalld Status

 #Check status (any of the three)
 service firewalld status
 systemctl status firewalld
 firewall-cmd --state

2.2 Start, stop and restart

 #Start
 service firewalld start    or    systemctl start firewalld
 #Stop
 service firewalld stop     or    systemctl stop firewalld
 #Restart
 service firewalld restart  or    systemctl restart firewalld

If you are prompted "Failed to start firewalld.service: Unit firewalld.service is masked" when starting, enter the following command to solve the problem:

 systemctl unmask firewalld.service

2.3 Enabling and disabling start at boot

 #Enable start at boot
 systemctl enable firewalld
 #Disable start at boot
 systemctl disable firewalld

2.4 Viewing Firewall Rules

 firewall-cmd --list-all

3. Port configuration

 #Query whether port 8080 is open
 firewall-cmd --query-port=8080/tcp
 #Open port 80
 firewall-cmd --zone=public --add-port=80/tcp --permanent
 #Remove the previously opened port 8080
 firewall-cmd --zone=public --remove-port=8080/tcp --permanent
 #Reload the firewall (do this after changing the configuration, otherwise a --permanent rule does not take effect)
 firewall-cmd --reload
 #View the listening ports
 netstat -lntp

Parameter explanation:
1. firewall-cmd: the tool Linux provides for operating the firewall;
2. --zone: the zone (scope) the rule applies to;
3. --add-port=80/tcp: adds a port, in the format port/protocol;
4. --permanent: makes the rule permanent; without this parameter it is lost after a restart;
5. --add-port: identifies the port being added.

The blogger has only one point here: use netstat -lntp to check which ports are in use by which programs. If the program is legitimate, open its port. For example, if port 80 is in use by nginx, open port 80!
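The "check what is listening, then open only what is legitimate" step above can be made systematic. The following is an added example, not code from the original post: it takes the text of netstat -lntp and of firewall-cmd --list-ports / --list-services, skips loopback-only listeners, and prints for every public listener whether the public zone already allows it, with the matching add-port command when it does not. The inputs are passed as strings so it runs offline on a constructed sample; the only service-to-port mapping it assumes is ssh = 22.

```shell
#!/bin/sh
# Added example, not from the original post: compare what is actually
# listening (netstat -lntp) with what firewalld's public zone allows
# (firewall-cmd --list-ports / --list-services). On a real host call:
#   firewall_gap "$(netstat -lntp)" "$(firewall-cmd --list-ports)" "$(firewall-cmd --list-services)"

# Print "port program" for every TCP listener that is not bound to loopback only.
listening_ports() {
    printf '%s\n' "$1" | awk '
        ($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            if ($4 ~ /^127\./ || $4 ~ /^::1:/) next      # loopback: no firewall opening needed
            prog = $7; sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
            if (prog == "-" || prog == "") prog = "unknown"
            print port, prog
        }'
}

# Return 0 if port $1/tcp is allowed: listed explicitly in $2, or via the
# built-in ssh service in $3 when the port is 22 (the only mapping assumed).
port_allowed() {
    printf '%s\n' "$2" | tr ' ' '\n' | grep -qx "$1/tcp" && return 0
    [ "$1" = "22" ] && printf '%s\n' "$3" | tr ' ' '\n' | grep -qx ssh
}

# One line per public listener: ALLOWED, or NOT-ALLOWED with the command to open it.
firewall_gap() {
    listening_ports "$1" | while read -r port prog; do
        if port_allowed "$port" "$2" "$3"; then
            echo "ALLOWED     $port/tcp ($prog)"
        else
            echo "NOT-ALLOWED $port/tcp ($prog) -> firewall-cmd --zone=public --add-port=$port/tcp --permanent"
        fi
    done
}

# Constructed sample: sshd moved to 2019, nginx on 80, mysqld on loopback only.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2019            0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      901/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1044/nginx: master'
firewall_gap "$SAMPLE_NETSTAT" "80/tcp" "dhcpv6-client ssh"
```

A NOT-ALLOWED line is a prompt to decide, not a command to run blindly: open the port only when the program behind it is one you recognise and mean to expose.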

4. Block an IP

 #Block an IP address
 firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=43.229.53.61 reject"
 #Reload the firewall (do this after changing the configuration)
 firewall-cmd --reload
 #View the blocking rules
 firewall-cmd --list-rich-rules
Copyright notice: This article is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License [BY-NC-SA]
Article title: Playing with firewalld is enough
Article link: https://www.wenzika.com/1556.html

3 comments

  1. Baby Zhou (April 19, 2019):

     Come here and learn!

  2. Wang Baozhen Pillow (April 12, 2019):

     Master, I've come to learn and collect!

  3. Posthouse Blog (April 11, 2019):

     The layout of the ads is basically the same, and it will look good if the top margin is smaller
