亚洲欧美精品沙发,日韩在线精品视频,亚洲Av每日更新在线观看,亚洲国产另类一区在线5

<pre id="hdphd"></pre>

  • <div id="hdphd"><small id="hdphd"></small></div>
      學習啦 > 學習電腦 > 電腦安全 > 防火墻知識 >

      FreeBSD配置防火墻開啟SSH服務的方法是什么

      時間: 加城1195 分享

        防火墻主要由服務訪問規(guī)則、驗證工具、包過濾和應用網(wǎng)關(guān)4個部分組成,防火墻就是一個位于計算機和它所連接的網(wǎng)絡之間的軟件或硬件。這篇文章主要介紹下如何下freebsd下配置防火墻開啟SSH服務的方法,需要的朋友可以參考下

        方法步驟

        1、配置FreeBSD 防火墻

        ee /etc/rc.conf #編輯,在最后添加

        firewall_enable="yes" #開啟防火墻

        net.inet.ip.fw.verbose=1 #啟用防火墻日志功能

        net.inet.ip.fw.verbose_limit=5 #啟用防火墻日志功能

        natd_enable="YES" # 開啟防火墻NAT功能

        natd_interface="rl0"

        natd_flags="-dynamic -m"

        firewall_script="/etc/ipfw.rules" #自定義防火墻規(guī)則路徑

        按esc,回車,再按a保存配置

        2、添加防火墻規(guī)則

        ee /etc/ipfw.rules #編輯防火墻規(guī)則,添加以下代碼

        #!/bin/sh

        ################ Start of IPFW rules file ######################

        # Flush out the list before we begin.

        ipfw -q -f flush

        # Set rules command prefix

        cmd="ipfw -q add"

        skip="skipto 800"

        pif="rl0" # public interface name of NIC

        # facing the public Internet

        #################################################################

        # No restrictions on Inside LAN Interface for private network

        # Change xl0 to your LAN NIC interface name

        #################################################################

        $cmd 005 allow all from any to any via xl0

        #################################################################

        # No restrictions on Loopback Interface

        #################################################################

        $cmd 010 allow all from any to any via lo0

        #################################################################

        # check if packet is inbound and nat address if it is

        #################################################################

        $cmd 014 divert natd ip from any to any in via $pif

        #################################################################

        # Allow the packet through if it has previous been added to the

        # the "dynamic" rules table by a allow keep-state statement.

        #################################################################

        $cmd 015 check-state

        #################################################################

        # Interface facing Public Internet (Outbound Section)

        # Check session start requests originating from behind the

        # firewall on the private network or from this gateway server

        # destined for the public Internet.

        #################################################################

        # Allow out access to my ISP's Domain name server.

        # x.x.x.x must be the IP address of your ISP's DNS

        # Dup these lines if your ISP has more than one DNS server

        # Get the IP addresses from /etc/resolv.conf file

        $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state

        # Allow out access to my ISP's DHCP server for cable/DSL configurations.

        $cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state

        # Allow out non-secure standard www function

        $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

        # Allow out secure www function https over TLS SSL

        $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

        # Allow out send & get email function

        $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state

        $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

        # Allow out FreeBSD (make install & CVSUP) functions

        # Basically give user root "GOD" privileges.

        $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

        # Allow out ping

        $cmd 080 $skip icmp from any to any out via $pif keep-state

        # Allow out Time

        $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

        # Allow out nntp news (i.e. news groups)

        $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

        # Allow out secure FTP, Telnet, and SCP

        # This function is using SSH (secure shell)

        $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

        # Allow out whois

        $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

        # Allow ntp time server

        $cmd 130 $skip udp from any to any 123 out via $pif keep-state

        #################################################################

        # Interface facing Public Internet (Inbound Section)

        # Check packets originating from the public Internet

        # destined for this gateway server or the private network.

        #################################################################

        # Deny all inbound traffic from non-routable reserved address spaces

        #$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP

        $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP

        $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP

        $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback

        $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback

        $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config

        $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs

        $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster

        $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast

        # Deny ident

        $cmd 315 deny tcp from any to any 113 in via $pif

        # Deny all Netbios service. 137=name, 138=datagram, 139=session

        # Netbios is MS/Windows sharing services.

        # Block MS/Windows hosts2 name server requests 81

        $cmd 320 deny tcp from any to any 137 in via $pif

        $cmd 321 deny tcp from any to any 138 in via $pif

        $cmd 322 deny tcp from any to any 139 in via $pif

        $cmd 323 deny tcp from any to any 81 in via $pif

        # Deny any late arriving packets

        $cmd 330 deny all from any to any frag in via $pif

        # Deny ACK packets that did not match the dynamic rule table

        $cmd 332 deny tcp from any to any established in via $pif

        # Allow traffic in from ISP's DHCP server. This rule must contain

        # the IP address of your ISP's DHCP server as it's the only

        # authorized source to send this packet type.

        # Only necessary for cable or DSL configurations.

        # This rule is not needed for 'user ppp' type connection to

        # the public Internet. This is the same IP address you captured

        # and used in the outbound section.

        $cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state

        # Allow in standard www function because I have Apache server

        $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2

        # Allow in secure FTP, Telnet, and SCP from public Internet

        $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

        # Allow in non-secure Telnet session from public Internet

        # labeled non-secure because ID & PW are passed over public

        # Internet as clear text.

        # Delete this sample group if you do not have telnet server enabled.

        $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

        # Reject & Log all unauthorized incoming connections from the public Internet

        $cmd 400 deny log all from any to any in via $pif

        # Reject & Log all unauthorized out going connections to the public Internet

        $cmd 450 deny log all from any to any out via $pif

        # This is skipto location for outbound stateful rules

        $cmd 800 divert natd ip from any to any out via $pif

        $cmd 801 allow ip from any to any

        # Everything else is denied by default

        # deny and log all packets that fell through to see what they are

        $cmd 999 deny log all from any to any

        ################ End of IPFW rules file ###############################

        備注:參數(shù)說明:

        #$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP

        我的IP地址是192.168.21.173,是屬于192.168.0.0/16 IP段,所以這里要注釋掉這一行,允許連接外網(wǎng),否則主機無法聯(lián)網(wǎng)。

        $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

        是開啟SSH默認端口22

        3、重啟網(wǎng)絡服務,使防火墻規(guī)則生效

        /etc/netstart #重啟網(wǎng)絡

        /etc/rc.d/ipfw start #開啟防火墻

        ipfw disable firewall #關(guān)閉防火墻

        ipfw enable firewall #開啟防火墻

        /etc/rc.d/ipfw restart #重啟防火墻

        sh /etc/ipfw.rules #使防火墻規(guī)則生效

        4、開啟SSH服務

        (1)ee /etc/inetd.conf #編輯,去掉sshd前面的#

        ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4

        (2)ee /etc/rc.conf #編輯,在最后添加

        sshd_enable="yes"

        (3)ee /etc/ssh/sshd_config #編輯配置文件

        PermitRootLogin yes #允許root登錄

        PasswordAuthentication yes #使用密碼驗證

        PermitEmptyPasswords no #不允許空密碼登錄

        /etc/rc.d/sshd start #啟動ssh服務

        /etc/rc.d/sshd restart #重啟ssh

        配置完成,現(xiàn)在已經(jīng)可以使用Putty等遠程連接工具連接服務器了。

        #####################################################

        擴展閱讀:

        有兩種加載自定義 ipfw 防火墻規(guī)則的方法。

        其一是將變量 firewall_type 設為包含不帶 ipfw(8) 命令行選項的 防火墻規(guī)則 文件的完整路徑。

        例如:

        add allow in

        add allow out

        firewall_type="open"參數(shù)說明

        open ── 允許所有流量通過。

        client ── 只保護本機。

        simple ── 保護整個網(wǎng)絡。

        closed ── 完全禁止除回環(huán)設備之外的全部 IP 流量。

        UNKNOWN ── 禁止加載防火墻規(guī)則。

        filename ── 到防火墻規(guī)則文件的絕對路徑。

        IPFW防火墻規(guī)則集樣例在這兩個文件中

        /etc/rc.firewall

        /etc/rc.firewall6

        除此之外, 也可以將 firewall_script 變量設為包含 ipfw 命令的可執(zhí)行腳本, 這樣這個腳本會在啟動時自動執(zhí)行。

        補充閱讀:防火墻主要使用技巧

        一、所有的防火墻文件規(guī)則必須更改。

        盡管這種方法聽起來很容易,但是由于防火墻沒有內(nèi)置的變動管理流程,因此文件更改對于許多企業(yè)來說都不是最佳的實踐方法。如果防火墻管理員因為突發(fā)情況或者一些其他形式的業(yè)務中斷做出更改,那么他撞到槍口上的可能性就會比較大。但是如果這種更改抵消了之前的協(xié)議更改,會導致宕機嗎?這是一個相當高發(fā)的狀況。

        防火墻管理產(chǎn)品的中央控制臺能全面可視所有的防火墻規(guī)則基礎,因此團隊的所有成員都必須達成共識,觀察誰進行了何種更改。這樣就能及時發(fā)現(xiàn)并修理故障,讓整個協(xié)議管理更加簡單和高效。

        二、以最小的權(quán)限安裝所有的訪問規(guī)則。

        另一個常見的安全問題是權(quán)限過度的規(guī)則設置。防火墻規(guī)則是由三個域構(gòu)成的:即源(IP地址),目的地(網(wǎng)絡/子網(wǎng)絡)和服務(應用軟件或者其他目的地)。為了確保每個用戶都有足夠的端口來訪問他們所需的系統(tǒng),常用方法是在一個或者更多域內(nèi)指定打來那個的目標對象。當你出于業(yè)務持續(xù)性的需要允許大范圍的IP地址來訪問大型企業(yè)的網(wǎng)絡,這些規(guī)則就會變得權(quán)限過度釋放,因此就會增加不安全因素。服務域的規(guī)則是開放65535個TCP端口的ANY。防火墻管理員真的就意味著為黑客開放了65535個攻擊矢量?

        三、根據(jù)法規(guī)協(xié)議和更改需求來校驗每項防火墻的更改。

        在防火墻操作中,日常工作都是以尋找問題,修正問題和安裝新系統(tǒng)為中心的。在安裝最新防火墻規(guī)則來解決問題,應用新產(chǎn)品和業(yè)務部門的過程中,我們經(jīng)常會遺忘防火墻也是企業(yè)安全協(xié)議的物理執(zhí)行者。每項規(guī)則都應該重新審核來確保它能符合安全協(xié)議和任何法規(guī)協(xié)議的內(nèi)容和精神,而不僅是一篇法律條文。

        四、當服務過期后從防火墻規(guī)則中刪除無用的規(guī)則。

        規(guī)則膨脹是防火墻經(jīng)常會出現(xiàn)的安全問題,因為多數(shù)運作團隊都沒有刪除規(guī)則的流程。業(yè)務部門擅長讓你知道他們了解這些新規(guī)則,卻從來不會讓防火墻團隊知道他們不再使用某些服務了。了解退役的服務器和網(wǎng)絡以及應用軟件更新周期對于達成規(guī)則共識是個好的開始。運行無用規(guī)則的報表是另外一步。黑客喜歡從來不刪除規(guī)則的防火墻團隊。


      防火墻開啟SSH服務的方法是什么相關(guān)文章:

      1.阿里云防火墻配置

      2.sonicwall防火墻設置主要方法有哪些

      3.如何解決端口映射之后還有訪問不了內(nèi)網(wǎng)的服務器

      4.linux防火墻設置命令是什么

      5.ssh防火墻連不上怎么辦

      4041994