Probably the most common thing people do when setting up a server is simply to turn the firewall off. That saves a lot of hassle, but it also hides a lot of risk. So the blogger suggests that the first thing a site builder should do after buying a server is to take security measures to protect it, so that it does not end up as someone else's zombie machine (a "broiler", as the Chinese slang goes)!
Generally speaking, you would do the following things to protect your server:
1. Change the login password (obviously)
2. Modify the ssh port
3. Configure firewall to strictly control open ports
4. Use the key to log in, and prohibit password login
5. Install fail2ban to stop brute-force attacks on service accounts such as ssh and ftp
Of course, today the blogger mainly talks about firewalld configuration! Many readers, like the blogger, probably prefer iptables as a firewall, but today the blogger went through some of the firewalld documentation and found that it is not that difficult. Compared with iptables, firewalld's rules are a little simpler!
1. Install firewalld
yum -y install firewalld
Things to note:
Preparation before running firewalld is really important. This is also why the blogger used to just turn the firewall off: every time after installing firewalld, SSH could no longer connect to the server...
firewalld's default rules already allow the SSH service (port 22), but if you have changed the SSH port, you must allow the new port first. Otherwise, once firewalld is enabled, that port is blocked, you can no longer connect to the server, and you end up having to reinstall the system...
For example, if you changed the SSH port to 2019, you can edit the firewalld zone configuration file directly with the following command:
vi /etc/firewalld/zones/public.xml
Add the following rule:
<port protocol="tcp" port="2019"/>
Add it in the position shown below (inside the zone element, before the closing tag):
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="2019"/>
</zone>
Then enter the command: systemctl start firewalld
to start firewalld, and your SSH connection will not be blocked.
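The check above is easy to get wrong by hand, so here is an added pre-flight script (not from the original post) that reads the port sshd actually listens on, verifies that the zone file allows it, and appends the same <port .../> entry the post shows if it does not. It assumes the CentOS default paths /etc/ssh/sshd_config and /etc/firewalld/zones/public.xml, which are passed in as arguments so it can be tried on copies first.

```shell
#!/bin/sh
# Added example: make sure the real SSH port is allowed BEFORE starting firewalld.
# Usage: preflight /etc/ssh/sshd_config /etc/firewalld/zones/public.xml
#        zone_add_port /etc/firewalld/zones/public.xml 2019

# Print the port sshd listens on: the last uncommented "Port" directive, else 22.
sshd_port_from_config() {
    _p=$(awk 'tolower($1) == "port" { p = $2 } END { print p }' "$1")
    printf '%s\n' "${_p:-22}"
}

# Succeed if the zone XML already has a <port .../> entry for tcp/$2
# (attribute order does not matter).
zone_allows_port() {
    grep -Eq "<port[^>]*protocol=\"tcp\"[^>]*port=\"$2\"|<port[^>]*port=\"$2\"[^>]*protocol=\"tcp\"" "$1"
}

# Succeed if the zone opens the built-in ssh service, which covers port 22 only.
zone_allows_ssh_service() {
    grep -q '<service name="ssh"/>' "$1"
}

# Append <port protocol="tcp" port="$2"/> just before </zone> in zone file $1.
zone_add_port() {
    _out=$(mktemp)
    awk -v p="$2" '/<\/zone>/ { printf "  <port protocol=\"tcp\" port=\"%s\"/>\n", p } { print }' "$1" > "$_out" \
        && cat "$_out" > "$1" && rm -f "$_out"
}

# Print "ok" if starting firewalld keeps SSH reachable, "locked-out" otherwise.
# Exit status follows the printed word, so it can gate "systemctl start firewalld".
preflight() {
    _cfg=$1; _zone=$2
    _port=$(sshd_port_from_config "$_cfg")
    if zone_allows_port "$_zone" "$_port"; then echo ok; return 0; fi
    if [ "$_port" = 22 ] && zone_allows_ssh_service "$_zone"; then echo ok; return 0; fi
    echo locked-out
    return 1
}
```

A typical run is `preflight /etc/ssh/sshd_config /etc/firewalld/zones/public.xml || zone_add_port /etc/firewalld/zones/public.xml 2019`, followed by starting firewalld only once preflight prints ok.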
2. Common firewalld commands
The blogger usually uses the service command here; the systemctl equivalents are shown alongside.
2.1 View firewalld status
service firewalld status
or
systemctl status firewalld
or
firewall-cmd --state
2.2 Start, stop and restart
# Start
service firewalld start  or  systemctl start firewalld
# Stop
service firewalld stop  or  systemctl stop firewalld
# Restart
service firewalld restart  or  systemctl restart firewalld
If you are prompted "Failed to start firewalld.service: Unit firewalld.service is masked" when starting, enter the following command to solve the problem:
systemctl unmask firewalld.service
2.3 Enable and disable starting at boot
# Enable start at boot
systemctl enable firewalld
# Disable start at boot
systemctl disable firewalld
2.4 View firewall rules
firewall-cmd --list-all
3. Port configuration
# Query whether port 8080 is open
firewall-cmd --query-port=8080/tcp
# Open port 80
firewall-cmd --zone=public --add-port=80/tcp --permanent
# Remove the previously opened port 8080
firewall-cmd --zone=public --remove-port=8080/tcp --permanent
# Reload the firewall (do this after every configuration change)
firewall-cmd --reload
# View listening ports
netstat -lntp
# Parameter explanation
1. firewall-cmd: the tool Linux provides to operate the firewalld firewall;
2. --zone: the zone the rule applies to;
3. --add-port=80/tcp: add a port; the format is port/protocol;
4. --permanent: make the rule permanent; without this parameter the rule is lost when firewalld restarts;
5. --remove-port: remove a previously added port.
The blogger has only one more thing to say here: use netstat -lntp to check which ports are in use by which programs. If a program is legitimate, open its port. For example, if port 80 is in use by nginx, open port 80!
4. Block an IP
# Block an IP (the address below is the post's example)
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=43.229.53.61 reject"
# Reload the firewall (do this after every configuration change)
firewall-cmd --reload
# View the blocking result
firewall-cmd --list-rich-rules