10.1 安全策略设计原则
10.1.1 最小权限原则
最小权限原则是网络安全的基础,要求只开放必要的服务和端口,拒绝所有不必要的访问。
1. 默认拒绝策略
#!/bin/bash
# default_deny_policy.sh
# 设置默认拒绝策略
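#######################################
# Install a default-deny baseline: DROP policies on the filter chains, all
# tables flushed, then loopback and reply traffic re-allowed.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last iptables call
# Note: run from a console or with a scheduled rollback. Once the DROP
# policies are in place only the loopback/established rules below keep an
# existing SSH session alive; nothing else is allowed until a whitelist
# (e.g. setup_basic_whitelist) is applied.
#######################################
setup_default_deny() {
  echo "Setting up default deny policy..."
  # Set the DROP policies *before* flushing: flushing a ruleset whose policy
  # is still ACCEPT leaves the host wide open until the -P lines run.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP
  # Remove all rules and user-defined chains from the filter, nat and mangle tables
  local table
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
  # Loopback is always allowed
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  # Packets belonging to (or related to) connections conntrack already knows
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  echo "Default deny policy configured successfully"
}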
# 基础服务白名单
#######################################
# Allow the minimum set of services on top of the default-deny baseline:
# inbound SSH from the management subnet, outbound DNS, NTP and HTTP(S).
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
setup_basic_whitelist() {
  printf '%s\n' "Setting up basic service whitelist..."
  local spec
  # SSH: new connections from 192.168.1.0/24 only
  iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
  # Outbound services, as "proto:port": DNS (udp/tcp 53), NTP (udp 123),
  # HTTP/HTTPS (tcp 80/443, used for package updates)
  for spec in udp:53 tcp:53 udp:123 tcp:80 tcp:443; do
    iptables -A OUTPUT -p "${spec%%:*}" --dport "${spec##*:}" -m conntrack --ctstate NEW -j ACCEPT
  done
  printf '%s\n' "Basic whitelist configured"
}
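# Entry point. iptables needs CAP_NET_ADMIN; fail early with one clear
# message instead of letting every rule fail individually.
main() {
  if [[ $EUID -ne 0 ]]; then
    printf 'error: this script must be run as root\n' >&2
    exit 1
  fi
  setup_default_deny
  setup_basic_whitelist
}
main "$@"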
2. 分层防护策略
#!/bin/bash
# layered_defense.sh
# 网络层防护
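#######################################
# Network-layer filtering: anti-spoofing sources, RFC 1918 sources on the
# public interface, and broadcast/multicast packet types.
# Globals:   none (public_interface is local; adjust it to the real uplink)
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
network_layer_protection() {
  echo "Configuring network layer protection..."
  local -r public_interface="eth0" # change to the actual uplink interface
  local net
  # Sources that can never legitimately arrive from the wire
  iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
  for net in 169.254.0.0/16 224.0.0.0/4 240.0.0.0/5; do
    iptables -A INPUT -s "$net" -j DROP
  done
  # Private (RFC 1918) sources must not enter through the public interface
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    iptables -A INPUT -i "$public_interface" -s "$net" -j DROP
  done
  # Broadcast and multicast frames. Note: this also drops broadcast-based
  # protocols (e.g. DHCP replies) if the host depends on them.
  iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
  iptables -A INPUT -m pkttype --pkt-type multicast -j DROP
  echo "Network layer protection configured"
}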
# 传输层防护
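#######################################
# Transport-layer filtering: SYN rate limiting, impossible TCP flag
# combinations used by scanners, and ICMP echo rate limiting.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
transport_layer_protection() {
  echo "Configuring transport layer protection..."
  local flags
  # SYN budget in a dedicated chain. Conforming SYNs RETURN to INPUT so the
  # normal per-port rules still decide. The original "-m limit ... -j ACCEPT"
  # accepted a trickle of SYNs to *every* port, bypassing the whitelist and
  # the default-deny policy. (Chain creation is idempotent for re-runs.)
  # Note: a single global bucket is shared by all sources, so a flood still
  # starves legitimate new connections; per-source hashlimit is the usual
  # refinement.
  iptables -N SYN_FLOOD 2>/dev/null || iptables -F SYN_FLOOD
  iptables -C INPUT -p tcp --syn -j SYN_FLOOD 2>/dev/null \
    || iptables -A INPUT -p tcp --syn -j SYN_FLOOD
  iptables -A SYN_FLOOD -m limit --limit 1/s --limit-burst 3 -j RETURN
  iptables -A SYN_FLOOD -j DROP
  # Flag combinations no real stack sends (NULL, XMAS, SYN+RST, SYN+FIN, ...)
  for flags in "ALL NONE" "ALL ALL" "ALL FIN,URG,PSH" "ALL SYN,RST,ACK,FIN,URG" \
               "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
    # shellcheck disable=SC2086 -- "$flags" is "mask comp", two words by design
    iptables -A INPUT -p tcp --tcp-flags $flags -j DROP
  done
  # Echo requests: one per second, the rest dropped
  iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
  echo "Transport layer protection configured"
}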
# 应用层防护
#######################################
# Application-layer filtering: per-source connection caps on the web ports,
# SSH attempt counting, and a few plaintext-HTTP payload signatures.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
application_layer_protection() {
  printf '%s\n' "Configuring application layer protection..."
  local port sig
  # More than 20 concurrent connections from one source to 80/443 are refused
  for port in 80 443; do
    iptables -A INPUT -p tcp --dport "$port" -m connlimit --connlimit-above 20 -j REJECT
  done
  # SSH: every packet to port 22 is recorded; a source seen 4+ times in 60 s is dropped
  iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_attack --set
  iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_attack --rcheck --seconds 60 --hitcount 4 -j DROP
  # Payload substrings. -m string sees raw bytes on port 80 only: nothing on
  # TLS, and encoded variants of the same strings are not matched.
  for sig in "../" "<script" "SELECT * FROM"; do
    iptables -A INPUT -p tcp --dport 80 -m string --string "$sig" --algo bm -j DROP
  done
  printf '%s\n' "Application layer protection configured"
}
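# Entry point. iptables needs CAP_NET_ADMIN; fail early with one clear
# message instead of letting every rule fail individually.
main() {
  if [[ $EUID -ne 0 ]]; then
    printf 'error: this script must be run as root\n' >&2
    exit 1
  fi
  network_layer_protection
  transport_layer_protection
  application_layer_protection
}
main "$@"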
10.1.2 深度防御策略
1. 多层防护配置
#!/bin/bash
# defense_in_depth.sh
# 边界防护
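#######################################
# Perimeter rules on the FORWARD chain: internal datastores are unreachable
# from the external interface, internal hosts may not send mail directly.
# Globals:   none (interface and subnet are local constants)
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
boundary_protection() {
  echo "Configuring boundary protection..."
  local -r external_interface="eth0"
  local -r internal_net="192.168.0.0/16"
  local port
  # Datastore ports: 3306 MySQL, 5432 PostgreSQL, 6379 Redis, 27017 MongoDB
  for port in 3306 5432 6379 27017; do
    iptables -A FORWARD -i "$external_interface" -d "$internal_net" -p tcp --dport "$port" -j DROP
  done
  # Outbound mail: 25 SMTP, 587 submission, 465 SMTPS
  for port in 25 587 465; do
    iptables -A FORWARD -s "$internal_net" -p tcp --dport "$port" -j DROP
  done
  echo "Boundary protection configured"
}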
# 内网分段防护
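#######################################
# DMZ / internal segmentation on the FORWARD chain.
# Globals:   none (subnets are local constants)
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
internal_segmentation() {
  echo "Configuring internal network segmentation..."
  local -r dmz_network="192.168.10.0/24"
  local -r internal_network="192.168.20.0/24"
  local port
  # DMZ -> internal: only the database (3306) and Redis (6379); everything else denied
  for port in 3306 6379; do
    iptables -A FORWARD -s "$dmz_network" -d "$internal_network" -p tcp --dport "$port" -j ACCEPT
  done
  iptables -A FORWARD -s "$dmz_network" -d "$internal_network" -j DROP
  # Internal -> DMZ: management ports (22 SSH, 3389 RDP) are not reachable directly
  for port in 22 3389; do
    iptables -A FORWARD -s "$internal_network" -d "$dmz_network" -p tcp --dport "$port" -j DROP
  done
  echo "Internal segmentation configured"
}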
# 服务隔离
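#######################################
# Service isolation: the web tier may reach the database on 3306 only, and
# the database host may not initiate outbound connections.
# Globals:   none (addresses are local constants)
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
service_isolation() {
  echo "Configuring service isolation..."
  # iptables expands a comma-separated -s list into one rule per address
  local -r web_servers="192.168.10.10,192.168.10.11"
  local -r db_server="192.168.20.10"
  iptables -A FORWARD -s "$web_servers" -d "$db_server" -p tcp --dport 3306 -j ACCEPT
  iptables -A FORWARD -s "$web_servers" -d 192.168.20.0/24 -j DROP
  # No new connections originating from the database host
  iptables -A FORWARD -s "$db_server" -d 0.0.0.0/0 -m conntrack --ctstate NEW -j DROP
  echo "Service isolation configured"
}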
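# Entry point. iptables needs CAP_NET_ADMIN; fail early with one clear
# message instead of letting every rule fail individually.
main() {
  if [[ $EUID -ne 0 ]]; then
    printf 'error: this script must be run as root\n' >&2
    exit 1
  fi
  boundary_protection
  internal_segmentation
  service_isolation
}
main "$@"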
10.2 常见攻击防护
10.2.1 DDoS 攻击防护
1. SYN Flood 防护
#!/bin/bash
# syn_flood_protection.sh
# SYN Flood 防护配置
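#######################################
# SYN flood mitigation: kernel SYN cookies/backlog tuning plus iptables SYN
# rate limits (a generous per-port budget for the web ports, a strict global one).
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
setup_syn_flood_protection() {
  echo "Configuring SYN Flood protection..."
  local kv port
  # Kernel side. tcp_syn_retries governs *outgoing* connection attempts.
  for kv in tcp_syncookies=1 tcp_max_syn_backlog=2048 tcp_synack_retries=3 tcp_syn_retries=5; do
    printf '%s\n' "${kv#*=}" > "/proc/sys/net/ipv4/${kv%%=*}"
  done
  # Web ports get their own budget. These must precede the generic rule: in
  # the original order they followed an unconditional "--syn -j DROP" and
  # could never match.
  for port in 80 443; do
    iptables -A INPUT -p tcp --dport "$port" --syn -m limit --limit 10/s --limit-burst 20 -j ACCEPT
  done
  # Generic budget in its own chain. RETURN (not ACCEPT) hands conforming SYNs
  # back to INPUT so the per-port whitelist still decides; the original ACCEPT
  # let a trickle of SYNs reach any port. Excess is logged at a bounded rate
  # (an unbounded LOG during a flood fills the log) and dropped.
  iptables -N SYN_FLOOD 2>/dev/null || iptables -F SYN_FLOOD
  iptables -C INPUT -p tcp --syn -j SYN_FLOOD 2>/dev/null \
    || iptables -A INPUT -p tcp --syn -j SYN_FLOOD
  iptables -A SYN_FLOOD -m limit --limit 1/s --limit-burst 3 -j RETURN
  iptables -A SYN_FLOOD -m limit --limit 5/min -j LOG --log-prefix "SYN_FLOOD: "
  iptables -A SYN_FLOOD -j DROP
  echo "SYN Flood protection configured"
}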
# 连接限制
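#######################################
# Concurrent-connection caps per source and per /24, plus a new-connection
# rate limit for HTTP.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
connection_limiting() {
  echo "Configuring connection limiting..."
  local port
  # At most 20 concurrent connections per source IP to each web port
  for port in 80 443; do
    iptables -A INPUT -p tcp --dport "$port" -m connlimit --connlimit-above 20 --connlimit-mask 32 -j REJECT
  done
  # At most 100 concurrent HTTP connections per /24
  iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 24 -j REJECT
  # New-connection rate: count SYNs only. Without --syn every HTTP packet was
  # counted, so an ordinary client was dropped after 30 packets in a minute.
  iptables -A INPUT -p tcp --syn --dport 80 -m recent --name http_conn --set
  iptables -A INPUT -p tcp --syn --dport 80 -m recent --name http_conn --rcheck --seconds 60 --hitcount 30 -j DROP
  echo "Connection limiting configured"
}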
# UDP Flood 防护
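#######################################
# UDP flood mitigation: a global UDP packet budget plus a per-source DNS
# query limit.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
udp_flood_protection() {
  echo "Configuring UDP Flood protection..."
  # Budget in a dedicated chain. RETURN hands conforming packets back to
  # INPUT so the port rules still decide; the original "-m limit -j ACCEPT"
  # admitted rate-limited UDP to every port, and the following "-p udp -j
  # DROP" made the DNS rules below unreachable.
  iptables -N UDP_FLOOD 2>/dev/null || iptables -F UDP_FLOOD
  iptables -C INPUT -p udp -j UDP_FLOOD 2>/dev/null \
    || iptables -A INPUT -p udp -j UDP_FLOOD
  iptables -A UDP_FLOOD -m limit --limit 5/s --limit-burst 10 -j RETURN
  iptables -A UDP_FLOOD -m limit --limit 5/min -j LOG --log-prefix "UDP_FLOOD: "
  iptables -A UDP_FLOOD -j DROP
  # DNS: a source sending 20+ queries in 60 s is dropped
  iptables -A INPUT -p udp --dport 53 -m recent --name dns_query --set
  iptables -A INPUT -p udp --dport 53 -m recent --name dns_query --rcheck --seconds 60 --hitcount 20 -j DROP
  echo "UDP Flood protection configured"
}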
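# Entry point. iptables and /proc/sys writes need root; fail early with one
# clear message instead of letting every step fail individually.
main() {
  if [[ $EUID -ne 0 ]]; then
    printf 'error: this script must be run as root\n' >&2
    exit 1
  fi
  setup_syn_flood_protection
  connection_limiting
  udp_flood_protection
}
main "$@"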
2. 高级 DDoS 防护
#!/bin/bash
# advanced_ddos_protection.sh
# 地理位置过滤
#######################################
# Placeholder for GeoIP-based filtering. Installs nothing; only prints the
# prerequisite note. The rules are kept as commented templates.
# Globals:   none
# Arguments: none
# Outputs:   a note on stdout
#######################################
geo_filtering() {
  printf '%s\n' "Configuring geographical filtering..."
  # Needs xtables-addons (xt_geoip) and a GeoIP database, e.g.:
  #   deny selected countries outright
  #   iptables -A INPUT -m geoip --src-cc CN,RU,KP -j DROP
  #   admit the management port from selected countries only
  #   iptables -A INPUT -p tcp --dport 22 -m geoip ! --src-cc US,CA,GB -j DROP
  printf '%s\n' "Note: GeoIP filtering requires xtables-addons"
}
# 动态黑名单
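#######################################
# Dynamic blacklist: a BLACKLIST chain that drops sources recorded by the
# scan / HTTP-signature detectors below.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
dynamic_blacklist() {
  echo "Configuring dynamic blacklist..."
  local list flags sig
  # Idempotent chain setup so the script can be re-run
  iptables -N BLACKLIST 2>/dev/null || iptables -F BLACKLIST
  iptables -C INPUT -j BLACKLIST 2>/dev/null || iptables -A INPUT -j BLACKLIST
  # Drop, for one hour, any source one of the detectors recorded. The
  # original left the chain empty, so nothing was ever blacklisted.
  # ssh_attack is deliberately excluded: it is set on *every* SSH packet, so
  # keying on its mere presence would block legitimate users.
  for list in portscan http_attack; do
    iptables -A BLACKLIST -m recent --name "$list" --rcheck --seconds 3600 -j DROP
  done
  # 1. Scan probes with impossible flags (NULL, XMAS)
  for flags in "ALL NONE" "ALL ALL"; do
    # shellcheck disable=SC2086 -- "$flags" is "mask comp", two words by design
    iptables -A INPUT -p tcp --tcp-flags $flags -m recent --name portscan --set -j DROP
  done
  # 2. SSH: 4+ packets in 60 s are dropped (--update refreshes the entry's
  #    timestamp); the --set rule records each packet
  iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_attack --update --seconds 60 --hitcount 4 -j DROP
  iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_attack --set
  # 3. Plaintext-HTTP payload signatures (port 80 only; encoded forms are not matched)
  for sig in "../" "<script"; do
    iptables -A INPUT -p tcp --dport 80 -m string --string "$sig" --algo bm -m recent --name http_attack --set -j DROP
  done
  echo "Dynamic blacklist configured"
}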
# 流量整形
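#######################################
# Egress traffic shaping with an HTB hierarchy on the given interface:
# 1:10 high, 1:20 medium, 1:30 low (default) priority, classified by u32
# port filters and by fwmarks set in the mangle table.
# Globals:   none (interface is a local constant)
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
traffic_shaping() {
  echo "Configuring traffic shaping..."
  local -r interface="eth0"
  # Remove a pre-existing root qdisc; the error when none exists is expected
  tc qdisc del dev "$interface" root 2>/dev/null
  # Root HTB qdisc; unclassified traffic lands in 1:30
  tc qdisc add dev "$interface" root handle 1: htb default 30
  tc class add dev "$interface" parent 1: classid 1:1 htb rate 100mbit
  # Leaf classes
  tc class add dev "$interface" parent 1:1 classid 1:10 htb rate 50mbit ceil 80mbit # high
  tc class add dev "$interface" parent 1:1 classid 1:20 htb rate 30mbit ceil 50mbit # medium
  tc class add dev "$interface" parent 1:1 classid 1:30 htb rate 20mbit ceil 30mbit # low
  # u32 filters keyed on the destination port of outgoing packets
  tc filter add dev "$interface" protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:10
  tc filter add dev "$interface" protocol ip parent 1:0 prio 2 u32 match ip dport 80 0xffff flowid 1:20
  tc filter add dev "$interface" protocol ip parent 1:0 prio 3 u32 match ip dport 443 0xffff flowid 1:20
  # fwmark classification: mark 1 -> 1:10, mark 2 -> 1:20.
  # NOTE(review): these marks key on the *source* port (replies from local
  # services) while the u32 filters above key on the destination port
  # (locally originated connections) — confirm which direction is intended.
  iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 1
  iptables -t mangle -A OUTPUT -p tcp --sport 80 -j MARK --set-mark 2
  iptables -t mangle -A OUTPUT -p tcp --sport 443 -j MARK --set-mark 2
  tc filter add dev "$interface" protocol ip parent 1:0 prio 4 handle 1 fw flowid 1:10
  tc filter add dev "$interface" protocol ip parent 1:0 prio 5 handle 2 fw flowid 1:20
  echo "Traffic shaping configured"
}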
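# Entry point. iptables and tc need root; fail early with one clear message
# instead of letting every step fail individually.
main() {
  if [[ $EUID -ne 0 ]]; then
    printf 'error: this script must be run as root\n' >&2
    exit 1
  fi
  geo_filtering
  dynamic_blacklist
  traffic_shaping
}
main "$@"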
10.2.2 端口扫描防护
1. 端口扫描检测
#!/bin/bash
# port_scan_protection.sh
# 端口扫描检测和防护
#######################################
# Detect and drop TCP probes with impossible flag combinations; NULL, XMAS
# and FIN probes are also logged at a bounded rate.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
port_scan_detection() {
  printf '%s\n' "Configuring port scan detection..."
  local entry flags prefix
  # NULL (no flags) and XMAS (all flags): log, then drop
  for entry in "ALL NONE|NULL_SCAN" "ALL ALL|XMAS_SCAN"; do
    flags=${entry%%|*}
    prefix=${entry##*|}
    # shellcheck disable=SC2086 -- "$flags" is "mask comp", two words by design
    iptables -A INPUT -p tcp --tcp-flags $flags -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "$prefix: "
    iptables -A INPUT -p tcp --tcp-flags $flags -j DROP
  done
  # Other combinations no real stack emits: drop silently
  for flags in "ALL SYN,RST,ACK,FIN,URG" "ALL FIN,URG,PSH" "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
    # shellcheck disable=SC2086
    iptables -A INPUT -p tcp --tcp-flags $flags -j DROP
  done
  # FIN-only probes: log, then drop
  iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "FIN_SCAN: "
  iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
  printf '%s\n' "Port scan detection configured"
}
# 连接频率检测
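#######################################
# Drop sources that open too many connections: overall, to privileged
# ports, and to high ports.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
connection_frequency_detection() {
  echo "Configuring connection frequency detection..."
  # All three detectors key on --syn (connection attempts). Without it every
  # TCP segment was counted, so an ordinary established session was dropped
  # after 20 packets (10 on a privileged port).
  # NOTE(review): 20 attempts per 24 h is a very small budget for a normal
  # client (a browser opens that many in seconds) — tune before deploying.
  iptables -A INPUT -p tcp --syn -m recent --name portscan --rcheck --seconds 86400 --hitcount 20 -j DROP
  iptables -A INPUT -p tcp --syn -m recent --name portscan --set
  # 10+ attempts to privileged ports within 60 s
  iptables -A INPUT -p tcp --syn --dport 1:1023 -m recent --name lowports --update --seconds 60 --hitcount 10 -j DROP
  iptables -A INPUT -p tcp --syn --dport 1:1023 -m recent --name lowports --set
  # 20+ attempts to high ports within 60 s
  iptables -A INPUT -p tcp --syn --dport 1024:65535 -m recent --name highports --update --seconds 60 --hitcount 20 -j DROP
  iptables -A INPUT -p tcp --syn --dport 1024:65535 -m recent --name highports --set
  echo "Connection frequency detection configured"
}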
# 隐蔽端口保护
#######################################
# Silently drop probes to ports that are not offered. DROP (rather than
# REJECT) makes the probe time out, so a scanner reports "filtered"
# instead of "closed".
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
stealth_port_protection() {
  printf '%s\n' "Configuring stealth port protection..."
  local port
  # Legacy services: 21 FTP, 23 Telnet, 25 SMTP, 110 POP3, 143 IMAP, 993 IMAPS, 995 POP3S
  for port in 21 23 25 110 143 993 995; do
    iptables -A INPUT -p tcp --dport "$port" -j DROP
  done
  # Databases: 1433 SQL Server, 1521 Oracle, 3306 MySQL, 5432 PostgreSQL
  for port in 1433 1521 3306 5432; do
    iptables -A INPUT -p tcp --dport "$port" -j DROP
  done
  # Remote desktop: 3389 RDP, 5900 VNC
  for port in 3389 5900; do
    iptables -A INPUT -p tcp --dport "$port" -j DROP
  done
  printf '%s\n' "Stealth port protection configured"
}
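# Entry point. iptables needs CAP_NET_ADMIN; fail early with one clear
# message instead of letting every rule fail individually.
main() {
  if [[ $EUID -ne 0 ]]; then
    printf 'error: this script must be run as root\n' >&2
    exit 1
  fi
  port_scan_detection
  connection_frequency_detection
  stealth_port_protection
}
main "$@"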
10.2.3 暴力破解防护
1. SSH 暴力破解防护
#!/bin/bash
# ssh_brute_force_protection.sh
# SSH 暴力破解防护
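#######################################
# SSH brute-force protection: short-term attempt counting, a 24 h blacklist,
# and a source-network whitelist.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
ssh_protection() {
  echo "Configuring SSH brute force protection..."
  local net
  # Sources already on the 24 h blacklist are dropped first
  iptables -A INPUT -p tcp --dport 22 -m recent --name ssh_blacklist --rcheck --seconds 86400 -j DROP
  # Count connection attempts (--syn), not every packet of an open session
  iptables -A INPUT -p tcp --syn --dport 22 -m recent --name ssh_attack --set
  # 4+ attempts in 60 s: blacklist the source and drop. In the original order
  # a plain DROP with the same match came first, so ssh_blacklist was never
  # populated and the "24 h ban" never happened; that redundant rule is gone.
  iptables -A INPUT -p tcp --syn --dport 22 -m recent --name ssh_attack --rcheck --seconds 60 --hitcount 4 -m recent --name ssh_blacklist --set -j DROP
  # Management networks only
  for net in 192.168.1.0/24 10.0.0.0/8; do
    iptables -A INPUT -p tcp --dport 22 -s "$net" -j ACCEPT
  done
  iptables -A INPUT -p tcp --dport 22 -j DROP
  echo "SSH brute force protection configured"
}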
# Web 服务暴力破解防护
#######################################
# Web login brute-force protection via payload substrings on port 80.
# -m string sees raw bytes only, so this covers plaintext HTTP, not TLS.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
web_protection() {
  printf '%s\n' "Configuring web brute force protection..."
  local sig
  # Login endpoints: 5+ matching packets in 300 s from one source are dropped
  for sig in "POST /login" "POST /admin"; do
    iptables -A INPUT -p tcp --dport 80 -m string --string "$sig" --algo bm -m recent --name web_login --set
  done
  iptables -A INPUT -p tcp --dport 80 -m recent --name web_login --rcheck --seconds 300 --hitcount 5 -j DROP
  # Admin area: 10+ in 60 s
  iptables -A INPUT -p tcp --dport 80 -m string --string "/admin/" --algo bm -m recent --name admin_access --set
  iptables -A INPUT -p tcp --dport 80 -m recent --name admin_access --rcheck --seconds 60 --hitcount 10 -j DROP
  # WordPress login: 3+ in 300 s
  iptables -A INPUT -p tcp --dport 80 -m string --string "wp-login.php" --algo bm -m recent --name wp_login --set
  iptables -A INPUT -p tcp --dport 80 -m recent --name wp_login --rcheck --seconds 300 --hitcount 3 -j DROP
  printf '%s\n' "Web brute force protection configured"
}
# FTP 暴力破解防护
#######################################
# FTP: limit control-connection attempts per source and admit data
# connections that conntrack already relates to a session.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
ftp_protection() {
  printf '%s\n' "Configuring FTP brute force protection..."
  # Control port 21: a source seen 3+ times in 60 s is dropped
  iptables -A INPUT -p tcp --dport 21 -m recent --name ftp_conn --set
  iptables -A INPUT -p tcp --dport 21 -m recent --name ftp_conn --rcheck --seconds 60 --hitcount 3 -j DROP
  # Data connections (active on 20, passive on high ports) only when related
  # to a tracked session
  iptables -A INPUT -p tcp --dport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  printf '%s\n' "FTP brute force protection configured"
}
# 邮件服务保护
#######################################
# Mail services: drop a source seen 5+ times in 300 s on SMTP, POP3 or IMAP.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
mail_protection() {
  printf '%s\n' "Configuring mail service protection..."
  local entry port list
  # "port:recent-list" pairs: 25 SMTP, 110 POP3, 143 IMAP
  for entry in 25:smtp_auth 110:pop3_auth 143:imap_auth; do
    port=${entry%%:*}
    list=${entry##*:}
    iptables -A INPUT -p tcp --dport "$port" -m recent --name "$list" --set
    iptables -A INPUT -p tcp --dport "$port" -m recent --name "$list" --rcheck --seconds 300 --hitcount 5 -j DROP
  done
  printf '%s\n' "Mail service protection configured"
}
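# Entry point. iptables needs CAP_NET_ADMIN; fail early with one clear
# message instead of letting every rule fail individually.
main() {
  if [[ $EUID -ne 0 ]]; then
    printf 'error: this script must be run as root\n' >&2
    exit 1
  fi
  ssh_protection
  web_protection
  ftp_protection
  mail_protection
}
main "$@"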
10.3 入侵检测与响应
10.3.1 实时入侵检测
1. 异常流量检测
#!/bin/bash
# intrusion_detection.sh
# 异常流量检测
#######################################
# Log (and in one case drop) traffic patterns that are unusual for this
# host: large TCP segments, tunnelling/IPsec protocols, privileged-port sweeps.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
anomalous_traffic_detection() {
  printf '%s\n' "Configuring anomalous traffic detection..."
  local proto
  # TCP segments of 1000+ bytes: log at a bounded rate, remember the source,
  # drop a source seen 10+ times in 60 s.
  # NOTE(review): ten such segments is roughly a 10 KB upload — this rule
  # trips on ordinary POSTs, not only attacks; LOG-only may be safer.
  iptables -A INPUT -p tcp -m length --length 1000:65535 -m limit --limit 5/min -j LOG --log-prefix "LARGE_PACKET: "
  iptables -A INPUT -p tcp -m length --length 1000:65535 -m recent --name large_packet --set
  iptables -A INPUT -p tcp -m recent --name large_packet --rcheck --seconds 60 --hitcount 10 -j DROP
  # IP protocol numbers: 47 GRE, 50 ESP, 51 AH
  for proto in "47 GRE" "50 ESP" "51 AH"; do
    iptables -A INPUT -p "${proto%% *}" -j LOG --log-prefix "${proto##* }_TRAFFIC: "
  done
  # 20+ privileged-port hits from one source within 60 s
  iptables -A INPUT -p tcp --dport 1:1023 -m recent --name privileged_ports --set
  iptables -A INPUT -p tcp -m recent --name privileged_ports --rcheck --seconds 60 --hitcount 20 -j LOG --log-prefix "PORT_SCAN: "
  printf '%s\n' "Anomalous traffic detection configured"
}
# 恶意行为检测
#######################################
# Log plaintext-HTTP packets carrying common attack substrings. These are
# raw byte matches on port 80: TLS traffic and encoded variants are unseen.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
malicious_behavior_detection() {
  printf '%s\n' "Configuring malicious behavior detection..."
  local sig
  # SQL injection fragments
  for sig in "UNION SELECT" "DROP TABLE" "INSERT INTO"; do
    iptables -A INPUT -p tcp --dport 80 -m string --string "$sig" --algo bm -j LOG --log-prefix "SQL_INJECTION: "
  done
  # Script injection
  for sig in "<script>" "javascript:"; do
    iptables -A INPUT -p tcp --dport 80 -m string --string "$sig" --algo bm -j LOG --log-prefix "XSS_ATTACK: "
  done
  # Path traversal (forward and back slash forms)
  for sig in "../" '..\'; do
    iptables -A INPUT -p tcp --dport 80 -m string --string "$sig" --algo bm -j LOG --log-prefix "DIR_TRAVERSAL: "
  done
  # Command injection
  for sig in ";cat /etc/passwd" "|nc "; do
    iptables -A INPUT -p tcp --dport 80 -m string --string "$sig" --algo bm -j LOG --log-prefix "CMD_INJECTION: "
  done
  printf '%s\n' "Malicious behavior detection configured"
}
# 网络侦察检测
#######################################
# Log reconnaissance patterns: SYN bursts, privileged-port enumeration and
# short PSH/ACK payloads.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
reconnaissance_detection() {
  printf '%s\n' "Configuring reconnaissance detection..."
  # Bare SYNs: 5+ from one source in 10 s
  iptables -A INPUT -p tcp --tcp-flags ALL SYN -m recent --name os_fingerprint --set
  iptables -A INPUT -p tcp -m recent --name os_fingerprint --rcheck --seconds 10 --hitcount 5 -j LOG --log-prefix "OS_FINGERPRINT: "
  # Privileged ports: 10+ hits from one source in 30 s
  iptables -A INPUT -p tcp --dport 1:1023 -m recent --name service_enum --set
  iptables -A INPUT -p tcp -m recent --name service_enum --rcheck --seconds 30 --hitcount 10 -j LOG --log-prefix "SERVICE_ENUM: "
  # Small PSH/ACK segments (0-100 bytes) — note: this also matches ordinary
  # short application messages, so expect log volume
  iptables -A INPUT -p tcp --tcp-flags PSH,ACK PSH,ACK -m length --length 0:100 -j LOG --log-prefix "BANNER_GRAB: "
  printf '%s\n' "Reconnaissance detection configured"
}
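# Entry point. iptables needs CAP_NET_ADMIN; fail early with one clear
# message instead of letting every rule fail individually.
main() {
  if [[ $EUID -ne 0 ]]; then
    printf 'error: this script must be run as root\n' >&2
    exit 1
  fi
  anomalous_traffic_detection
  malicious_behavior_detection
  reconnaissance_detection
}
main "$@"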
2. 自动响应系统
#!/bin/bash
# automated_response.sh
# 自动封禁系统
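#######################################
# AUTO_BAN chain: drops sources on the "banned" list for an hour and moves
# sources with 5+ hits in "attack_count" onto that list.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
auto_ban_system() {
  echo "Configuring automated ban system..."
  # Idempotent chain setup: a bare "-N" fails and "-A INPUT -j" duplicates
  # on a second run
  iptables -N AUTO_BAN 2>/dev/null || iptables -F AUTO_BAN
  iptables -C INPUT -j AUTO_BAN 2>/dev/null || iptables -A INPUT -j AUTO_BAN
  # Already banned: drop for 3600 s after the last hit
  iptables -A AUTO_BAN -m recent --name banned --rcheck --seconds 3600 -j DROP
  # 5+ attack_count entries within 300 s: ban and drop.
  # NOTE(review): nothing on this page ever does "--name attack_count --set";
  # the detection rules must populate that list or this rule never fires.
  iptables -A AUTO_BAN -m recent --name attack_count --rcheck --seconds 300 --hitcount 5 -m recent --name banned --set -j DROP
  echo "Automated ban system configured"
}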
# 威胁等级响应
#######################################
# Graded responses: log low-severity probes, rate-limit SSH, and ban sources
# of high-severity payloads via the "banned" recent list.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
threat_level_response() {
  printf '%s\n' "Configuring threat level response..."
  local sig
  # Low: robots.txt fetches are only logged
  iptables -A INPUT -p tcp --dport 80 -m string --string "robots.txt" --algo bm -j LOG --log-prefix "LOW_THREAT: "
  # Medium: 3+ SSH packets in 60 s from one source are rejected
  iptables -A INPUT -p tcp --dport 22 -m recent --name medium_threat --set
  iptables -A INPUT -p tcp --dport 22 -m recent --name medium_threat --rcheck --seconds 60 --hitcount 3 -j REJECT
  # High: traversal to /etc/passwd or a script-alert payload puts the source
  # on the "banned" list (consumed by AUTO_BAN) and drops the packet
  for sig in "../../../etc/passwd" "<script>alert"; do
    iptables -A INPUT -p tcp --dport 80 -m string --string "$sig" --algo bm -m recent --name banned --set -j DROP
  done
  printf '%s\n' "Threat level response configured"
}
# 通知系统
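#######################################
# Write /usr/local/bin/security_alert.sh (reads iptables LOG lines on stdin
# and alerts by mail, syslog and optionally Slack) and register a log
# watcher in /etc/rc.local.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Side effects: writes the alert script, appends to /etc/rc.local (once)
#######################################
notification_system() {
  echo "Configuring notification system..."
  local -r alert_script="/usr/local/bin/security_alert.sh"
  local -r start_cmd="tail -f /var/log/messages | /usr/local/bin/security_alert.sh &"
  cat > "$alert_script" <<'EOF'
#!/bin/bash
# Security event notifier: classifies iptables LOG lines by prefix and alerts.
send_alert() {
  local event_type="$1"
  local source_ip="$2"
  local details="$3"
  # Mail
  printf 'Security Alert: %s from %s - %s\n' "$event_type" "$source_ip" "$details" \
    | mail -s "Security Alert" admin@example.com
  # Syslog
  logger -t SECURITY_ALERT "$event_type from $source_ip: $details"
  # Slack, when a webhook is configured. source_ip is digits and dots only
  # (see the regex below) and the other fields are fixed strings, so log
  # content cannot break the hand-built JSON.
  if [[ -n "$SLACK_WEBHOOK" ]]; then
    curl -X POST -H 'Content-type: application/json' \
      --data "{\"text\":\"Security Alert: $event_type from $source_ip\"}" \
      "$SLACK_WEBHOOK"
  fi
}
# -r keeps backslashes in log data literal. The source is the SRC= field;
# a case statement replaces the per-line grep pipelines.
while IFS= read -r line; do
  source_ip=""
  [[ $line =~ SRC=([0-9.]+) ]] && source_ip="${BASH_REMATCH[1]}"
  case "$line" in
    *SQL_INJECTION*) send_alert "SQL Injection" "$source_ip" "Detected SQL injection attempt" ;;
    *XSS_ATTACK*) send_alert "XSS Attack" "$source_ip" "Detected XSS attack attempt" ;;
    *PORT_SCAN*) send_alert "Port Scan" "$source_ip" "Detected port scanning activity" ;;
  esac
done
EOF
  chmod +x "$alert_script"
  # Start the watcher at boot; re-running this function must not append a
  # second copy (the original appended unconditionally)
  if ! grep -qxF -- "$start_cmd" /etc/rc.local 2>/dev/null; then
    echo "$start_cmd" >> /etc/rc.local
  fi
  echo "Notification system configured"
}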
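# Entry point. iptables and the writes under /usr/local/bin and /etc need
# root; fail early with one clear message.
main() {
  if [[ $EUID -ne 0 ]]; then
    printf 'error: this script must be run as root\n' >&2
    exit 1
  fi
  auto_ban_system
  threat_level_response
  notification_system
}
main "$@"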
10.3.2 日志分析与取证
1. 安全日志分析
#!/bin/bash
# security_log_analysis.sh
# 日志分析脚本
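#######################################
# Summarise iptables LOG events from /var/log/messages into a report file.
# Globals:   none
# Arguments: none
# Outputs:   the report path on stdout
# Returns:   1 if the report file cannot be created
#######################################
security_log_analysis() {
  echo "Starting security log analysis..."
  local -r log_file="/var/log/messages"
  local report_file today
  # mktemp: a predictable /tmp name could be pre-created or symlinked by
  # another local user before root writes to it
  report_file=$(mktemp "/tmp/security_report_$(date +%Y%m%d_%H%M%S).XXXXXX") || return 1
  # syslog pads single-digit days with a space ("Jan  5"); %e produces the
  # same, whereas the original %d ("Jan 05") never matched on those days
  today=$(date '+%b %e')
  {
    echo "Security Log Analysis Report"
    echo "Generated: $(date)"
    echo "========================================"
    # bash's builtin echo prints "\n" literally; printf gives the blank line
    printf '\n%s\n' "1. Attack Summary:"
    echo "SQL Injection attempts: $(grep -c 'SQL_INJECTION' "$log_file")"
    echo "XSS attack attempts: $(grep -c 'XSS_ATTACK' "$log_file")"
    echo "Port scan attempts: $(grep -c 'PORT_SCAN' "$log_file")"
    # NOTE(review): "ssh_attack" is an xt_recent list name; nothing on this
    # page logs that string, so this count is likely always 0 — TODO add a
    # LOG rule with a prefix for SSH drops
    echo "Brute force attempts: $(grep -c 'ssh_attack' "$log_file")"
    echo "DDoS attempts: $(grep -c 'SYN_FLOOD\|UDP_FLOOD' "$log_file")"
    printf '\n%s\n' "2. Top Attack Sources:"
    grep -E 'SQL_INJECTION|XSS_ATTACK|PORT_SCAN' "$log_file" \
      | grep -oE 'SRC=[0-9.]+' | cut -d'=' -f2 | sort | uniq -c | sort -nr | head -n 10
    # Only entries stamped with today's date, not a rolling 24 h window
    printf '\n%s\n' "3. Attack Timeline (last 24 hours):"
    grep -E 'SQL_INJECTION|XSS_ATTACK|PORT_SCAN' "$log_file" \
      | grep "$today" | awk '{print $1, $2, $3}' | sort | uniq -c
    printf '\n%s\n' "4. Targeted Services:"
    grep -oE 'DPT=[0-9]+' "$log_file" | cut -d'=' -f2 | sort | uniq -c | sort -nr | head -n 10
    # NOTE(review): counts lines containing DROP/REJECT; LOG lines carry only
    # the configured --log-prefix, so this depends on those prefixes
    printf '\n%s\n' "5. Blocked Connections:"
    grep -c 'DROP\|REJECT' "$log_file"
    printf '\n%s\n' "6. Geographic Distribution (if GeoIP is available):"
    # Requires a GeoIP lookup tool; left as a template:
    # grep -oE 'SRC=[0-9.]+' "$log_file" | cut -d'=' -f2 | sort -u \
    #   | while IFS= read -r ip; do geoiplookup "$ip"; done | cut -d':' -f2 | sort | uniq -c
  } > "$report_file"
  echo "Security analysis report saved to: $report_file"
}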
# 实时威胁监控
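#######################################
# Write /usr/local/bin/threat_monitor.sh (periodic event counter that bans
# SQL-injection sources) and start it in the background.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Side effects: writes the monitor script, starts it with nohup, logs to
#   /var/log/threat_monitor.log
#######################################
real_time_threat_monitoring() {
  echo "Starting real-time threat monitoring..."
  local -r monitor_script="/usr/local/bin/threat_monitor.sh"
  cat > "$monitor_script" <<'EOF'
#!/bin/bash
# Periodic threat monitor: counts LOG-prefixed events and bans SQL-injection sources.
monitor_threats() {
  local threshold_sql=5
  local threshold_scan=10
  local threshold_brute=3
  local current_time sql_count scan_count brute_count ip
  while true; do
    # %e pads single-digit days with a space ("Jan  5") like syslog does;
    # the original %d ("Jan 05") never matched on those days.
    # NOTE(review): only lines stamped with the *current minute* are counted,
    # so with a 300 s sleep most minutes are never examined — TODO widen the
    # window to the whole interval.
    current_time=$(date '+%b %e %H:%M')
    sql_count=$(grep "$current_time" /var/log/messages | grep -c 'SQL_INJECTION')
    if (( sql_count > threshold_sql )); then
      echo "ALERT: High SQL injection activity detected ($sql_count attempts)"
      # -I puts the ban at the top of INPUT: the original -A appended it after
      # the ACCEPT rules, where it never matched. -C skips sources already
      # banned so repeated runs do not pile up duplicate rules. The address is
      # constrained to digits and dots by the regex.
      grep "$current_time" /var/log/messages | grep 'SQL_INJECTION' \
        | grep -oE 'SRC=[0-9.]+' | cut -d'=' -f2 | sort -u \
        | while IFS= read -r ip; do
            if ! iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
              iptables -I INPUT -s "$ip" -j DROP
              echo "Banned IP: $ip"
            fi
          done
    fi
    scan_count=$(grep "$current_time" /var/log/messages | grep -c 'PORT_SCAN')
    if (( scan_count > threshold_scan )); then
      echo "ALERT: High port scanning activity detected ($scan_count attempts)"
    fi
    # NOTE(review): "ssh_attack" is an xt_recent list name, not a log prefix;
    # nothing on this page logs it, so this count is likely always 0
    brute_count=$(grep "$current_time" /var/log/messages | grep -c 'ssh_attack')
    if (( brute_count > threshold_brute )); then
      echo "ALERT: SSH brute force attack detected ($brute_count attempts)"
    fi
    sleep 300 # check every 5 minutes
  done
}
monitor_threats
EOF
  chmod +x "$monitor_script"
  # Background start; output goes to the monitor log
  nohup "$monitor_script" > /var/log/threat_monitor.log 2>&1 &
  echo "Real-time threat monitoring started"
}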
# 取证数据收集
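#######################################
# Snapshot system, network, firewall, log and process state into a private
# tar.gz archive under /tmp.
# Globals:   none
# Arguments: none
# Outputs:   the archive path on stdout
# Returns:   1 if the collection directory cannot be created
#######################################
forensic_data_collection() {
  echo "Collecting forensic data..."
  local forensic_dir archive
  # mktemp -d: unpredictable name, mode 0700. A fixed /tmp name could be
  # pre-created or symlinked by another local user, and the collected logs
  # and connection tables are sensitive.
  forensic_dir=$(mktemp -d "/tmp/forensic_$(date +%Y%m%d_%H%M%S).XXXXXX") || return 1
  archive="$forensic_dir.tar.gz"
  # Host identity and time of collection
  uname -a > "$forensic_dir/system_info.txt"
  date > "$forensic_dir/collection_time.txt"
  uptime > "$forensic_dir/uptime.txt"
  # Sockets and connections (netstat may be absent on newer systems; ss is the replacement)
  netstat -tuln > "$forensic_dir/listening_ports.txt"
  netstat -tun > "$forensic_dir/active_connections.txt"
  ss -tuln > "$forensic_dir/socket_stats.txt"
  # Firewall state
  iptables-save > "$forensic_dir/iptables_rules.txt"
  iptables -L -n -v > "$forensic_dir/iptables_stats.txt"
  # Connection tracking table (absent when nf_conntrack is not loaded)
  cat /proc/net/nf_conntrack > "$forensic_dir/conntrack.txt" 2>/dev/null
  # Logs; secure/auth.log are distribution-specific, so either may be missing
  cp /var/log/messages "$forensic_dir/"
  cp /var/log/secure "$forensic_dir/" 2>/dev/null
  cp /var/log/auth.log "$forensic_dir/" 2>/dev/null
  # Processes and open network files
  ps aux > "$forensic_dir/processes.txt"
  lsof -i > "$forensic_dir/open_files.txt"
  # Bundle, and keep the archive readable by root only
  tar -czf "$archive" -C /tmp "${forensic_dir##*/}"
  chmod 600 "$archive"
  echo "Forensic data collected in: $archive"
}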
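# Entry point. Reading /var/log/messages, iptables and the writes under
# /usr/local/bin need root; fail early with one clear message.
main() {
  if [[ $EUID -ne 0 ]]; then
    printf 'error: this script must be run as root\n' >&2
    exit 1
  fi
  security_log_analysis
  real_time_threat_monitoring
  forensic_data_collection
}
main "$@"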
10.4 合规性配置
10.4.1 安全标准合规
1. PCI DSS 合规配置
#!/bin/bash
# pci_dss_compliance.sh
# PCI DSS 合规配置
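#######################################
# Example ruleset mapped to PCI DSS requirements 1, 2, 3, 4, 7 and 10.
# Globals:   none (addresses and ports are local constants)
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
pci_dss_compliance() {
  echo "Configuring PCI DSS compliance..."
  local -r ssh_port=2222
  local -r db_server="192.168.10.100"
  local -r web_servers="192.168.10.10,192.168.10.11"
  local -r admin_network="192.168.1.0/24"
  local -r user_network="192.168.2.0/24"
  local chain port
  # Req. 1: default-deny policies.
  # NOTE: OUTPUT DROP with no OUTPUT allow rules below means the host itself
  # cannot initiate any traffic until an egress whitelist is added.
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" DROP
  done
  # Req. 2: no vendor defaults — SSH on a non-default port (sshd must listen there too)
  iptables -A INPUT -p tcp --dport "$ssh_port" -s 192.168.1.0/24 -j ACCEPT
  # Req. 3: only the web tier may reach the database
  iptables -A FORWARD -s "$web_servers" -d "$db_server" -p tcp --dport 3306 -j ACCEPT
  iptables -A FORWARD -d "$db_server" -p tcp --dport 3306 -j DROP
  # Req. 4: encryption in transit. The original
  # "-A INPUT -p tcp --dport 80 -j REDIRECT --to-port 443" is invalid —
  # REDIRECT exists only in the nat table — and sending plaintext HTTP clients
  # to the TLS port would only fail their handshake. Refuse plaintext here;
  # the HTTP->HTTPS redirect (301) belongs in the web server.
  iptables -A INPUT -p tcp --dport 80 -j DROP
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  # Req. 7: role-based access — admins everywhere, users to the web tier only
  iptables -A FORWARD -s "$admin_network" -j ACCEPT
  for port in 80 443; do
    iptables -A FORWARD -s "$user_network" -d "$web_servers" -p tcp --dport "$port" -j ACCEPT
  done
  iptables -A FORWARD -s "$user_network" -j DROP
  # Req. 10: log whatever reaches the end of each chain (i.e. what the policy drops)
  for chain in INPUT FORWARD OUTPUT; do
    iptables -A "$chain" -j LOG --log-prefix "$chain: "
  done
  echo "PCI DSS compliance configuration completed"
}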
# HIPAA 合规配置
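#######################################
# Example ruleset for HIPAA-style access, audit, integrity and transmission
# controls around a medical data server.
# Globals:   none (addresses are local constants)
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
hipaa_compliance() {
  echo "Configuring HIPAA compliance..."
  local -r medical_data_server="192.168.20.100"
  local -r authorized_users="192.168.20.10,192.168.20.11"
  # Audit control first: LOG is non-terminating, but it must precede any
  # terminating rule. In the original order the catch-all DROP came first,
  # so the LOG, HTTP-DROP and non-443 DROP rules were unreachable.
  # (This logs every forwarded packet to the server; expect volume.)
  iptables -A FORWARD -d "$medical_data_server" -j LOG --log-prefix "HIPAA_ACCESS: "
  # Integrity / transmission security: plaintext HTTP and any non-TLS TCP port are refused
  iptables -A FORWARD -d "$medical_data_server" -p tcp --dport 80 -j DROP
  iptables -A FORWARD -d "$medical_data_server" -p tcp ! --dport 443 -j DROP
  # Access control: authorized workstations only, over TLS only
  iptables -A FORWARD -s "$authorized_users" -d "$medical_data_server" -p tcp --dport 443 -j ACCEPT
  iptables -A FORWARD -d "$medical_data_server" -j DROP
  echo "HIPAA compliance configuration completed"
}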
# SOX 合规配置
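#######################################
# Example ruleset for SOX-style controls around a financial server:
# audit trail, separation of duties, restricted access.
# Globals:   none (addresses are local constants)
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
sox_compliance() {
  echo "Configuring SOX compliance..."
  local -r financial_server="192.168.30.100"
  local -r finance_team="192.168.30.0/24"
  local -r it_network="192.168.100.0/24"
  # Audit trail first. In the original order it followed the catch-all DROP
  # and never matched; the IT-network DROP was likewise unreachable.
  iptables -A FORWARD -d "$financial_server" -j LOG --log-prefix "SOX_AUDIT: "
  # Separation of duties: IT staff explicitly denied, ahead of any ACCEPT
  iptables -A FORWARD -s "$it_network" -d "$financial_server" -j DROP
  # Finance team over TLS only; everything else denied
  iptables -A FORWARD -s "$finance_team" -d "$financial_server" -p tcp --dport 443 -j ACCEPT
  iptables -A FORWARD -d "$financial_server" -j DROP
  echo "SOX compliance configuration completed"
}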
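# Entry point. iptables needs CAP_NET_ADMIN; fail early with one clear
# message instead of letting every rule fail individually.
main() {
  if [[ $EUID -ne 0 ]]; then
    printf 'error: this script must be run as root\n' >&2
    exit 1
  fi
  pci_dss_compliance
  hipaa_compliance
  sox_compliance
}
main "$@"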
10.4.2 审计和报告
1. 合规性检查脚本
#!/bin/bash
# compliance_check.sh
# 合规性检查
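#######################################
# Inspect the live iptables ruleset and write a scored compliance report.
# Globals:   none
# Arguments: none
# Outputs:   the report path on stdout
# Returns:   1 if the report file cannot be created
#######################################
compliance_check() {
  echo "Starting compliance check..."
  local report_file input_policy forward_policy output_policy
  local ssh_rules https_rules log_rules limit_rules connlimit_rules recent_rules forward_rules score
  # mktemp: a predictable /tmp name could be pre-created or symlinked by
  # another local user before root writes to it
  report_file=$(mktemp "/tmp/compliance_report_$(date +%Y%m%d_%H%M%S).XXXXXX") || return 1
  {
    echo "Compliance Check Report"
    echo "Generated: $(date)"
    echo "========================================"
    # bash's builtin echo prints "\n" literally; printf gives the blank line
    printf '\n%s\n' "1. Firewall Configuration Check:"
    # -n avoids a reverse-DNS lookup for every address while listing
    input_policy=$(iptables -L INPUT -n | head -n 1 | grep -o 'policy [A-Z]*' | cut -d' ' -f2)
    forward_policy=$(iptables -L FORWARD -n | head -n 1 | grep -o 'policy [A-Z]*' | cut -d' ' -f2)
    output_policy=$(iptables -L OUTPUT -n | head -n 1 | grep -o 'policy [A-Z]*' | cut -d' ' -f2)
    echo "INPUT policy: $input_policy"
    echo "FORWARD policy: $forward_policy"
    echo "OUTPUT policy: $output_policy"
    if [[ "$input_policy" == "DROP" && "$forward_policy" == "DROP" ]]; then
      echo "✓ Default deny policy is properly configured"
    else
      echo "✗ Default deny policy is NOT properly configured"
    fi
    printf '\n%s\n' "2. Service Access Control:"
    # "dpt:22" may be the last token on a line, so the original pattern
    # ':22 ' (trailing space) missed rules such as "--dport 22 -j DROP"
    ssh_rules=$(iptables -L INPUT -n | grep -E 'dpt:22( |$)')
    if [[ -n "$ssh_rules" ]]; then
      echo "✓ SSH access rules are configured"
      echo "SSH rules: $ssh_rules"
    else
      echo "✗ No SSH access rules found"
    fi
    https_rules=$(iptables -L INPUT -n | grep -E 'dpt:443( |$)')
    if [[ -n "$https_rules" ]]; then
      echo "✓ HTTPS access is configured"
    else
      echo "✗ HTTPS access is not configured"
    fi
    printf '\n%s\n' "3. Logging Configuration:"
    log_rules=$(iptables -L -n | grep -c LOG)
    echo "Number of LOG rules: $log_rules"
    if (( log_rules > 0 )); then
      echo "✓ Logging is configured"
    else
      echo "✗ No logging rules found"
    fi
    printf '\n%s\n' "4. Attack Protection:"
    limit_rules=$(iptables -L -n | grep -c limit)
    echo "Number of rate limiting rules: $limit_rules"
    connlimit_rules=$(iptables -L -n | grep -c connlimit)
    echo "Number of connection limiting rules: $connlimit_rules"
    recent_rules=$(iptables -L -n | grep -c recent)
    echo "Number of recent tracking rules: $recent_rules"
    printf '\n%s\n' "5. Network Segmentation:"
    # Rule lines only: skip the "Chain" and "target" header lines
    forward_rules=$(iptables -L FORWARD -n | grep -vc '^Chain\|^target')
    echo "Number of FORW ARD rules: $forward_rules"
    if (( forward_rules > 0 )); then
      echo "✓ Network segmentation rules are configured"
    else
      echo "✗ No network segmentation rules found"
    fi
    printf '\n%s\n' "6. Security Score:"
    # Weights: policies 20 each, SSH/HTTPS rules 15 each, LOG/limit/recent 10 each
    score=0
    [[ "$input_policy" == "DROP" ]] && score=$((score + 20))
    [[ "$forward_policy" == "DROP" ]] && score=$((score + 20))
    [[ -n "$ssh_rules" ]] && score=$((score + 15))
    [[ -n "$https_rules" ]] && score=$((score + 15))
    (( log_rules > 0 )) && score=$((score + 10))
    (( limit_rules > 0 )) && score=$((score + 10))
    (( recent_rules > 0 )) && score=$((score + 10))
    echo "Security Score: $score/100"
    if (( score >= 80 )); then
      echo "Status: Compliant"
    elif (( score >= 60 )); then
      echo "Status: Partially Compliant"
    else
      echo "Status: Non-Compliant"
    fi
  } > "$report_file"
  echo "Compliance check report saved to: $report_file"
}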
# 自动化合规性监控
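#######################################
# Write /usr/local/bin/compliance_monitor.sh (hourly ruleset checks, alerts
# mailed to admin@example.com) and register it in /etc/rc.local.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Side effects: writes the monitor script, appends to /etc/rc.local (once)
#######################################
automated_compliance_monitoring() {
  echo "Setting up automated compliance monitoring..."
  local -r monitor_script="/usr/local/bin/compliance_monitor.sh"
  local -r start_cmd="nohup /usr/local/bin/compliance_monitor.sh > /var/log/compliance_monitor.log 2>&1 &"
  cat > "$monitor_script" <<'EOF'
#!/bin/bash
# Compliance monitor: runs the checks once an hour and mails any findings.
monitor_compliance() {
  # Not under /tmp: a predictable /tmp file written by root is a symlink-attack target
  local alert_file="/var/log/compliance_alerts.log"
  local input_policy current_rules expected_rules ssh_protection log_rules
  # Unit name assumes the iptables-services package; other distributions use
  # e.g. netfilter-persistent — adjust to the deployed unit
  if ! systemctl is-active --quiet iptables; then
    echo "$(date): CRITICAL - iptables service is not running" >> "$alert_file"
  fi
  # -n avoids reverse-DNS lookups while listing
  input_policy=$(iptables -L INPUT -n | head -n 1 | grep -o 'policy [A-Z]*' | cut -d' ' -f2)
  if [[ "$input_policy" != "DROP" ]]; then
    echo "$(date): WARNING - INPUT policy is not DROP" >> "$alert_file"
  fi
  # Count rule lines. The original counted the "Chain"/"target" header
  # lines instead, so the figure never reflected the actual rules.
  current_rules=$(iptables -L -n | grep -vc '^Chain\|^target\|^$')
  expected_rules=50 # tune to the deployed ruleset
  if (( current_rules < expected_rules )); then
    echo "$(date): WARNING - Rule count is below expected ($current_rules < $expected_rules)" >> "$alert_file"
  fi
  # "dpt:22" may end the line, so match with or without a trailing space
  ssh_protection=$(iptables -L INPUT -n | grep -cE 'dpt:22( |$)')
  if (( ssh_protection == 0 )); then
    echo "$(date): CRITICAL - No SSH protection rules found" >> "$alert_file"
  fi
  log_rules=$(iptables -L -n | grep -c LOG)
  if (( log_rules == 0 )); then
    echo "$(date): WARNING - No logging rules configured" >> "$alert_file"
  fi
  # Mail the findings, then truncate the file (-s implies existence)
  if [[ -s "$alert_file" ]]; then
    mail -s "Compliance Alert" admin@example.com < "$alert_file"
    : > "$alert_file"
  fi
}
while true; do
  monitor_compliance
  sleep 3600
done
EOF
  chmod +x "$monitor_script"
  # Start at boot; re-running this function must not append a second copy
  if ! grep -qxF -- "$start_cmd" /etc/rc.local 2>/dev/null; then
    echo "$start_cmd" >> /etc/rc.local
  fi
  echo "Automated compliance monitoring configured"
}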
# Produce the one-off compliance report, then install the hourly monitor.
# Both need root: they read iptables state and write under /usr/local/bin.
compliance_check
automated_compliance_monitoring
10.5 安全配置模板
10.5.1 企业级安全模板
1. Web 服务器安全模板
#!/bin/bash
# web_server_security_template.sh
# Web 服务器安全配置模板
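#######################################
# Web server security template.
#
# Flushes the filter and nat tables, sets default-deny on INPUT/FORWARD,
# then admits SSH from the management subnet (per-source throttled) and
# HTTP/HTTPS with a per-source connection cap and a global new-connection
# rate limit. Filters are ordered so that every one of them is actually
# reachable: a rule appended after an ACCEPT never sees the traffic that
# ACCEPT already admitted.
#
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   exit status of the last iptables command
#######################################
web_server_security() {
  # Subnet allowed to reach SSH; adjust for the environment
  local admin_net="192.168.1.0/24"
  echo "Applying web server security template..."
  # Flush existing rules and user chains
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  # Default policies: deny inbound and forwarded traffic, allow outbound
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  # Loopback
  iptables -A INPUT -i lo -j ACCEPT
  # Payload inspection has to sit before the ESTABLISHED accept: request
  # bodies arrive on established connections, so placed after it these rules
  # were never evaluated. They match within a single packet only and cannot
  # see HTTPS; treat them as a coarse filter, not a substitute for a WAF.
  iptables -A INPUT -p tcp --dport 80 -m string --string "../" --algo bm -j DROP
  iptables -A INPUT -p tcp --dport 80 -m string --string "<script" --algo bm -j DROP
  iptables -A INPUT -p tcp --dport 80 -m string --string "UNION SELECT" --algo bm -j DROP
  # Replies to established connections
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # SSH from the management subnet, per-source throttled: the 4th new
  # connection from one address within 60 s is dropped. Only NEW connections
  # are recorded so retransmits on an open session do not count.
  iptables -A INPUT -p tcp --dport 22 -s "$admin_net" -m conntrack --ctstate NEW -m recent --name ssh_conn --set
  iptables -A INPUT -p tcp --dport 22 -s "$admin_net" -m conntrack --ctstate NEW -m recent --name ssh_conn --rcheck --seconds 60 --hitcount 4 -j DROP
  iptables -A INPUT -p tcp --dport 22 -s "$admin_net" -m conntrack --ctstate NEW -j ACCEPT
  # HTTP/HTTPS: per-source concurrent-connection cap first; after the ACCEPT
  # below it would only be reached by traffic already exceeding the rate limit
  iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j REJECT
  iptables -A INPUT -p tcp --dport 443 -m connlimit --connlimit-above 20 -j REJECT
  # Global new-connection rate limit. 25/minute is a template value; it is a
  # single bucket shared by all clients and must be tuned to expected load
  iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
  # Geo restriction (requires the GeoIP match extension)
  # iptables -A INPUT -p tcp --dport 80 -m geoip --src-cc CN,RU -j DROP
  # Log what the default policy is about to drop, rate limited
  iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_DROP: "
  echo "Web server security template applied"
}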
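#######################################
# Database server security template.
#
# Default-deny on every chain. Admits SSH from the management subnet, MySQL
# from the listed web servers only (capped per source), and outbound traffic
# limited to DNS, HTTP/HTTPS updates, NTP and SSH to the backup server.
# Dropped traffic is logged at a bounded rate.
#
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   exit status of the last iptables command
#######################################
database_server_security() {
  local admin_net="192.168.1.0/24"
  # Comma-separated list; iptables accepts it directly as the -s argument
  local web_servers="192.168.10.10,192.168.10.11,192.168.10.12"
  local backup_server="192.168.20.100"
  echo "Applying database server security template..."
  # Flush existing rules and user chains
  iptables -F
  iptables -X
  # Default policies
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP
  # Loopback and established traffic
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # SSH from the management subnet only
  iptables -A INPUT -p tcp --dport 22 -s "$admin_net" -m conntrack --ctstate NEW -j ACCEPT
  # MySQL from the web tier only; cap concurrent connections per source
  # before the ACCEPT so the cap is actually evaluated
  iptables -A INPUT -p tcp --dport 3306 -s "$web_servers" -m connlimit --connlimit-above 10 -j REJECT
  iptables -A INPUT -p tcp --dport 3306 -s "$web_servers" -m conntrack --ctstate NEW -j ACCEPT
  # Outbound: only what the host itself needs
  iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT  # DNS
  iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT  # HTTP updates
  iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT # HTTPS updates
  iptables -A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT # NTP
  # SSH to the backup server
  iptables -A OUTPUT -p tcp -d "$backup_server" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  # Log what the default policy drops. The limit matters: an unbounded LOG
  # rule at the tail of a DROP-policy chain lets any packet flood fill the
  # kernel log and starve other messages.
  iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DB_INPUT_DROP: "
  iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "DB_OUTPUT_DROP: "
  echo "Database server security template applied"
}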
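#######################################
# Mail server security template.
#
# Default-deny on INPUT/FORWARD. Admits SSH from the management subnet,
# SMTP/submission/SMTPS (rate limited) and POP3/IMAP with their TLS variants.
# Per-source throttles for SMTP and POP3 are installed ahead of the ACCEPT
# rules; appended after them, as they were, they only saw traffic that the
# ACCEPT had already let through, so they never dropped anything.
#
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   exit status of the last iptables command
#######################################
mail_server_security() {
  local admin_net="192.168.1.0/24"
  echo "Applying mail server security template..."
  # Flush existing rules and user chains
  iptables -F
  iptables -X
  # Default policies
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  # Loopback and established traffic
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # SSH from the management subnet
  iptables -A INPUT -p tcp --dport 22 -s "$admin_net" -m conntrack --ctstate NEW -j ACCEPT
  # Per-source SMTP throttle: the 10th new connection from one address
  # within 60 s is dropped
  iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --name smtp_conn --set
  iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --name smtp_conn --rcheck --seconds 60 --hitcount 10 -j DROP
  # Per-source POP3 throttle: the 5th new connection from one address within
  # 300 s is dropped. iptables sees connection attempts, not authentication
  # outcomes; true failed-login banning has to be driven from the mail
  # daemon's authentication log.
  iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW -m recent --name pop3_auth --set
  iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW -m recent --name pop3_auth --rcheck --seconds 300 --hitcount 5 -j DROP
  # SMTP (global new-connection rate limit; template values)
  iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 10/minute -j ACCEPT
  iptables -A INPUT -p tcp --dport 587 -m conntrack --ctstate NEW -m limit --limit 10/minute -j ACCEPT # Submission (STARTTLS)
  iptables -A INPUT -p tcp --dport 465 -m conntrack --ctstate NEW -m limit --limit 10/minute -j ACCEPT # SMTPS
  # POP3/IMAP. 110 and 143 carry credentials in the clear unless the daemon
  # enforces STARTTLS; prefer 995/993 where clients allow it.
  iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW -j ACCEPT # POP3
  iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW -j ACCEPT # POP3S
  iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW -j ACCEPT # IMAP
  iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW -j ACCEPT # IMAPS
  echo "Mail server security template applied"
}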
# Apply exactly one template per host; uncomment the one matching its role.
# Each template starts with `iptables -F`, so running two in sequence keeps
# only the last one's rules.
web_server_security
# database_server_security
# mail_server_security
10.5.2 网络安全模板
1. 企业网关安全模板
#!/bin/bash
# enterprise_gateway_security.sh
# 企业网关安全配置
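#######################################
# Enterprise gateway security template (three-legged: WAN / LAN / DMZ).
#
# Default-deny on INPUT and FORWARD, source NAT for everything leaving the
# WAN interface. Segmentation: LAN→WAN open, DMZ→WAN open, WAN→DMZ limited
# to HTTP/HTTPS, DMZ→LAN limited to MySQL and Redis, management subnet may
# SSH into the DMZ and into the gateway itself.
#
# Two ordering defects of the earlier layout are fixed here: the flood/scan
# filters are installed before the ACCEPT rules (appended after them they
# were unreachable), and return traffic is admitted by a single
# ESTABLISHED,RELATED rule that covers every direction — previously the
# LAN→DMZ replies to DMZ-initiated MySQL/Redis connections and the DMZ→LAN
# replies to management SSH had no matching rule and fell to the DROP policy.
#
# NOTE(review): FORWARD rules only take effect with IP forwarding enabled
# (net.ipv4.ip_forward); nothing here sets it — confirm it is done elsewhere.
#
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   exit status of the last iptables command
#######################################
enterprise_gateway_security() {
  echo "Configuring enterprise gateway security..."
  # Interfaces
  local external_interface="eth0"   # WAN
  local internal_interface="eth1"   # LAN
  local dmz_interface="eth2"        # DMZ
  # Address ranges
  # shellcheck disable=SC2034 — documents the LAN range; not referenced by a rule
  local internal_network="192.168.1.0/24"
  local dmz_network="192.168.10.0/24"
  local management_network="192.168.100.0/24"
  # Flush every table, including user chains (the guard chains below are
  # re-created on each run)
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X
  # Default policies
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  # Traffic to the gateway itself
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Management access to the gateway: management subnet via the LAN interface only
  iptables -A INPUT -i "$internal_interface" -s "$management_network" -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -i "$internal_interface" -s "$management_network" -p tcp --dport 443 -j ACCEPT
  # Source NAT for everything leaving the WAN interface
  iptables -t nat -A POSTROUTING -o "$external_interface" -j MASQUERADE
  # ---- FORWARD: filters first ----
  # Malformed flag combinations used by null/xmas scans
  iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
  iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
  # SYN rate limit for new connections arriving from the WAN. One global
  # bucket, not per source; 1/s burst 3 is a template value and must be raised
  # for real DMZ load. RETURN hands conforming packets back to FORWARD so the
  # segmentation rules below still decide whether they pass.
  iptables -N syn_guard
  iptables -A syn_guard -m limit --limit 1/s --limit-burst 3 -j RETURN
  iptables -A syn_guard -j DROP
  iptables -A FORWARD -i "$external_interface" -p tcp --syn -j syn_guard
  # Echo-request rate limit, same shape (also one global bucket)
  iptables -N icmp_guard
  iptables -A icmp_guard -m limit --limit 1/s -j RETURN
  iptables -A icmp_guard -j DROP
  iptables -A FORWARD -p icmp --icmp-type echo-request -j icmp_guard
  # ---- FORWARD: segmentation ----
  # Return traffic for any flow admitted below, whichever direction it runs
  iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # LAN → WAN
  iptables -A FORWARD -i "$internal_interface" -o "$external_interface" -m conntrack --ctstate NEW -j ACCEPT
  # DMZ → WAN
  iptables -A FORWARD -i "$dmz_interface" -o "$external_interface" -j ACCEPT
  # WAN → DMZ: only the published web services
  iptables -A FORWARD -i "$external_interface" -o "$dmz_interface" -p tcp --dport 80 -j ACCEPT
  iptables -A FORWARD -i "$external_interface" -o "$dmz_interface" -p tcp --dport 443 -j ACCEPT
  # DMZ → LAN: only the back-end services the DMZ needs, and only from DMZ
  # addresses, so a spoofed source on the DMZ interface cannot use the allowance
  iptables -A FORWARD -i "$dmz_interface" -o "$internal_interface" -s "$dmz_network" -p tcp --dport 3306 -j ACCEPT # MySQL
  iptables -A FORWARD -i "$dmz_interface" -o "$internal_interface" -s "$dmz_network" -p tcp --dport 6379 -j ACCEPT # Redis
  iptables -A FORWARD -i "$dmz_interface" -o "$internal_interface" -j DROP
  # LAN → DMZ: SSH from the management subnet only
  iptables -A FORWARD -i "$internal_interface" -o "$dmz_interface" -s "$management_network" -p tcp --dport 22 -j ACCEPT
  # Log what the default policy is about to drop, rate limited
  iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD_DROP: "
  echo "Enterprise gateway security configured"
}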
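#######################################
# VPN server security template.
#
# Appends rules only — it does not flush tables or set policies — so it is
# meant to be layered on top of a template that does. Opens the OpenVPN
# listener with a per-source connection cap, trusts the tunnel interface,
# forwards client traffic and NATs it out of the WAN interface.
#
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   exit status of the last iptables command
#######################################
vpn_server_security() {
  local vpn_interface="tun0"
  local vpn_network="10.8.0.0/24"
  local external_interface="eth0"
  echo "Configuring VPN server security..."
  # OpenVPN listener. The per-source cap has to precede the ACCEPT; appended
  # after it, the cap was never evaluated. connlimit counts conntrack entries,
  # so it applies to UDP flows as well.
  iptables -A INPUT -p udp --dport 1194 -m connlimit --connlimit-above 50 -j REJECT
  iptables -A INPUT -p udp --dport 1194 -j ACCEPT
  # Connected clients talking to the server itself. This trusts everything on
  # the tunnel; tighten to specific services if clients are not fully trusted.
  iptables -A INPUT -i "$vpn_interface" -j ACCEPT
  iptables -A OUTPUT -o "$vpn_interface" -j ACCEPT
  # Forward client traffic in both directions
  iptables -A FORWARD -i "$vpn_interface" -j ACCEPT
  iptables -A FORWARD -o "$vpn_interface" -j ACCEPT
  # NAT client traffic leaving the WAN interface
  iptables -t nat -A POSTROUTING -s "$vpn_network" -o "$external_interface" -j MASQUERADE
  echo "VPN server security configured"
}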
# The gateway template flushes all tables and sets policies; the VPN template
# only appends rules, so when both are wanted run the VPN one second.
enterprise_gateway_security
# vpn_server_security
10.6 本章小结
安全配置要点回顾
本章详细介绍了 iptables 的安全配置和防护策略,主要包括以下几个方面:
1. 安全策略设计原则
- 最小权限原则:只开放必要的服务和端口
- 默认拒绝策略:采用白名单方式,默认拒绝所有访问
- 深度防御策略:多层防护,分层安全控制
- 网络分段:隔离不同安全级别的网络区域
2. 常见攻击防护
- DDoS 攻击防护:SYN Flood、UDP Flood、连接限制
- 端口扫描防护:异常 TCP 标志位检测、连接频率限制
- 暴力破解防护:失败尝试限制、自动封禁机制
- 应用层攻击防护:SQL 注入、XSS、目录遍历等
3. 入侵检测与响应
- 实时检测:异常流量、恶意行为、网络侦察
- 自动响应:动态封禁、威胁等级响应、通知系统
- 日志分析:安全事件统计、攻击源分析、取证数据收集
4. 合规性配置
- 安全标准:PCI DSS、HIPAA、SOX 等合规要求
- 审计控制:访问记录、完整性保护、职责分离
- 自动化监控:合规性检查、告警机制
5. 安全配置模板
- 服务器模板:Web 服务器、数据库服务器、邮件服务器
- 网络模板:企业网关、VPN 服务器、DMZ 配置
最佳实践建议
安全策略制定
- 基于业务需求制定安全策略
- 定期评估和更新安全配置
- 建立安全事件响应流程
防护措施部署
- 采用多层防护策略
- 配置适当的攻击检测阈值
- 实施自动化响应机制
监控和审计
- 建立完善的日志记录机制
- 定期进行安全审计
- 监控合规性状态
持续改进
- 跟踪最新的安全威胁
- 更新防护规则和策略
- 进行安全培训和演练
安全配置检查清单
- [ ] 配置默认拒绝策略
- [ ] 实施最小权限原则
- [ ] 配置 DDoS 攻击防护
- [ ] 部署暴力破解防护
- [ ] 启用入侵检测机制
- [ ] 配置安全日志记录
- [ ] 实施网络分段控制
- [ ] 建立自动响应系统
- [ ] 配置合规性监控
- [ ] 定期进行安全评估
下一章预告
下一章我们将学习 iptables 的故障排除和调试技巧,包括:
- 常见问题诊断
- 调试工具使用
- 性能问题排查
- 规则冲突解决
- 网络连通性测试
通过学习故障排除技巧,您将能够快速定位和解决 iptables 相关问题。
练习
理论练习
安全策略设计题
- 为一个电商网站设计完整的安全防护策略
- 包括网络分段、访问控制、攻击防护等
合规性配置题
- 根据 PCI DSS 要求配置支付系统的防火墙规则
- 确保满足相关合规性要求
威胁分析题
- 分析常见的网络攻击手段
- 设计相应的防护措施
实践练习
安全配置实施
- 使用本章提供的模板配置 Web 服务器安全
- 测试各种攻击防护效果
入侵检测配置
- 配置实时入侵检测系统
- 测试自动响应机制
合规性检查
- 运行合规性检查脚本
- 根据检查结果优化配置
思考题
如何平衡安全性和可用性?过度的安全措施可能带来什么问题?
在云环境中部署 iptables 安全策略有什么特殊考虑?
如何设计一个既安全又高效的企业网络架构?
面对新型攻击手段,如何快速更新防护策略?
如何建立有效的安全事件响应流程?