系统加固及安全

1、内核优化:用脚本实现

[root@mailserv2 ~]# more /usr/local/bin/kernel_optimize

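#!/bin/bash
#kernel optimize, created 2007-7-29
#
# Hardens the IPv4 stack by writing to /proc/sys knobs.  Must run as root
# (only root may write these files); started from /etc/rc.local at boot.
# Every write is checked: a knob that does not exist on this kernel is
# skipped with a message, and a failed write is reported on stderr instead
# of disappearing into the boot log.

#######################################
# Write one value to one /proc/sys knob.
# Arguments: $1 - value to write
#            $2 - full path of the knob
# Outputs:   a warning on stderr if the knob is missing or unwritable
# Returns:   0 on success, 1 otherwise
#######################################
set_knob() {
  local value=$1
  local knob=$2
  if [[ ! -e "$knob" ]]; then
    printf 'kernel_optimize: skipping missing knob %s\n' "$knob" >&2
    return 1
  fi
  if ! printf '%s\n' "$value" > "$knob" 2>/dev/null; then
    printf 'kernel_optimize: cannot write %s to %s\n' "$value" "$knob" >&2
    return 1
  fi
}

#######################################
# Write one value to the same knob under every interface directory
# (/proc/sys/net/ipv4/conf/*/NAME; the glob also covers 'all' and
# 'default').
# Arguments: $1 - value to write
#            $2 - knob name, e.g. rp_filter
# Returns:   status of the last write
#######################################
set_per_interface() {
  local value=$1
  local name=$2
  local f
  for f in /proc/sys/net/ipv4/conf/*/"$name"; do
    [[ -e "$f" ]] || continue   # an unmatched glob leaves the literal pattern
    set_knob "$value" "$f"
  done
}

main() {
  #enable broadcast echo protection
  set_knob 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

  #disable source routed packets
  # The original loop was commented out and its glob was misspelled
  # ('accept_source_rout'), so it matched nothing; name fixed and enabled.
  set_per_interface 0 accept_source_route

  #enable tcp syn cookie protection
  set_knob 1 /proc/sys/net/ipv4/tcp_syncookies

  #disable icmp redirect acceptance
  set_per_interface 0 accept_redirects

  #don't send redirect messages
  set_per_interface 0 send_redirects

  #drop spoofed packets (reverse-path filter)
  set_per_interface 1 rp_filter

  #log packets with impossible addresses
  set_per_interface 1 log_martians
}

main "$@"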

2、防火墙策略:在配置postfix连接mysql数据库时,用户名postfix,密码postfix,类似的情形还有好几处呢。如果某人在别的机器用mysql客户端连接邮件服务器的mysql数据库,不费吹灰之力就可以把邮件帐号全删了,这肯定会激起用户的愤怒!赶快把这个漏洞堵上,下面是我的防火墙策略脚本:

[root@mailserv2 ~]# more /usr/local/bin/firewall

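#!/bin/bash
#this is a common firewall created by 2007-7-29
#
# Host packet filter for the mail server.  Loading it flushes the filter
# table, sets the default policies (INPUT and FORWARD DROP, OUTPUT ACCEPT),
# drops impossible TCP flag combinations and spoofed source addresses, and
# then accepts the service ports listed in open_service_ports().
#
# Usage:  firewall        load the rules (must run as root)
#         firewall stop   flush every rule and set all policies to ACCEPT
#
# Run it from /etc/rc.local before the network daemons are started.

#define some variable
IPT=/sbin/iptables
CONNECTION_TRACKING="1"
INTERNET="eth0"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"      # defined but not referenced by any rule
CLASS_E_RESERVED_NET="240.0.0.0/5"   # defined but not referenced by any rule
BROADCAST_SRC="0.0.0.0"              # defined but not referenced by any rule
BROADCAST_DEST="255.255.255.255"     # defined but not referenced by any rule
# The original line read `IPADDR=220. 94.58.245` (probably a paste artifact):
# the stray space makes the shell assign "220." and then try to run a command
# named "94.58.245", so the anti-spoof rule was built with a truncated
# address.  Joined and quoted here.
IPADDR="220.94.58.245"
LOOPBACK_INTERFACE="lo"

#######################################
# Remove every rule and every user-defined chain in the filter table.
# Globals: IPT (read)
#######################################
flush_rules() {
  "$IPT" -F
  "$IPT" -X
}

#######################################
# Set the policy of the three built-in filter chains.
# Arguments: $1 - INPUT policy, $2 - OUTPUT policy, $3 - FORWARD policy
# Globals:   IPT (read)
#######################################
set_policies() {
  "$IPT" -P INPUT "$1"
  "$IPT" -P OUTPUT "$2"
  "$IPT" -P FORWARD "$3"
}

#######################################
# "stop": leave the host with no filtering at all and exit.
# The original script tested for "stop" only AFTER the policies had been
# set to DROP, so "firewall stop" locked every remote session out while
# printing that no firewall was running.  Policies are now reset to
# ACCEPT so the message is true.
# Globals: IPT (read)
#######################################
stop_firewall() {
  flush_rules
  set_policies ACCEPT ACCEPT ACCEPT
  echo "Filewall completely stopped!no firewall running!"
  exit 0
}

#######################################
# Accept everything on the loopback interface.
# Globals: IPT, LOOPBACK_INTERFACE (read)
#######################################
open_loopback() {
  "$IPT" -A INPUT  -i "$LOOPBACK_INTERFACE" -j ACCEPT
  "$IPT" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT
}

#######################################
# Stealth Scans and TCP State Flags: drop segments whose flag combinations
# never occur in legitimate traffic.  Each entry is "<mask> <set>":
# examine the flags in <mask> and drop when exactly <set> is on.
# Globals: IPT (read)
#######################################
drop_bad_tcp_flags() {
  local pair mask comp
  for pair in \
    "ALL NONE" \
    "SYN,FIN SYN,FIN" \
    "SYN,RST SYN,RST" \
    "FIN,RST FIN,RST" \
    "ACK,FIN FIN" \
    "ACK,PSH PSH" \
    "ACK,URG URG"; do
    read -r mask comp <<<"$pair"
    "$IPT" -A INPUT -p tcp --tcp-flags "$mask" "$comp" -j DROP
  done
}

#######################################
# Using Connection State to By-pass Rule Checking: let conntrack accept
# packets of known flows early and drop packets it cannot classify.
# Globals: IPT, CONNECTION_TRACKING (read)
#######################################
allow_tracked_connections() {
  [[ "$CONNECTION_TRACKING" == "1" ]] || return 0
  "$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A INPUT  -m state --state INVALID -j DROP
  "$IPT" -A OUTPUT -m state --state INVALID -j DROP
}

#######################################
# Source Address Spoofing and Other Bad Addresses: drop packets that
# arrive on the external interface with a source address that cannot
# legitimately appear there.
# Globals: IPT, INTERNET, IPADDR, CLASS_A, CLASS_B, CLASS_C (read)
#######################################
drop_spoofed_sources() {
  local -a bad_sources=(
    "$IPADDR"        # our own address pretending to come from outside
    "$CLASS_A"       # private networks (RFC 1918)
    "$CLASS_B"
    "$CLASS_C"
    0.0.0.0/8        # "this" network
    169.254.0.0/16   # link-local
    192.0.2.0/24     # TEST-NET documentation range
  )
  local src
  for src in "${bad_sources[@]}"; do
    "$IPT" -A INPUT -i "$INTERNET" -s "$src" -j DROP
  done
}

#######################################
# setting access rules: accept the services this host offers.  All rules
# here are terminating ACCEPTs with disjoint matches, so their relative
# order does not change the result.
# Globals: IPT, INTERNET (read)
#######################################
open_service_ports() {
  local port
  # 22 ssh, 25 smtp, 80 http, 110 pop3, 143 imap, 783 spamd, 5666 nagios
  # nrpe, 10024/10025 presumably amavisd <-> postfix (see rc.local)
  for port in 22 25 80 110 143 783 5666 10024 10025; do
    "$IPT" -A INPUT -i "$INTERNET" -p tcp --dport "$port" -j ACCEPT
  done
  # Kept from the original, but note it can never match: packets from
  # 127.0.0.1 arrive on lo (accepted by open_loopback), not on eth0.
  # MySQL is unreachable from outside because the INPUT policy is DROP
  # and 3306 is not in the list above - not because of this rule.
  "$IPT" -A INPUT -i "$INTERNET" -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
  "$IPT" -A INPUT -i "$INTERNET" -p udp --dport 123 -j ACCEPT   # ntp
  # All ICMP types are accepted, as in the original.
  "$IPT" -A INPUT -i "$INTERNET" -p icmp -j ACCEPT
}

main() {
  #Remove any existing rules
  flush_rules

  #stop firewall - must come before the DROP policies are installed
  if [[ "${1:-}" == "stop" ]]; then
    stop_firewall
  fi

  #setting default firewall policy
  set_policies DROP ACCEPT DROP

  open_loopback
  drop_bad_tcp_flags
  allow_tracked_connections
  drop_spoofed_sources
  open_service_ports
}

main "$@"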

$IPT -A INPUT  -i $INTERNET -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT 这条规则是阻止外部机器连接mysql数据库。端口5666为nagios监控所用。把内核优化和防火墙脚本加在文件/etc/rc.local中,实现开机即启动。

[root@mailserv2 ~]# more /etc/rc.local

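#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
# Boot-time start-up for the mail server.  Order matters: the kernel
# hardening and the packet filter are loaded FIRST, so that no network
# daemon is reachable while the INPUT policy is still ACCEPT.  (The
# original ran them last, after every service had already started.)

touch /var/lock/subsys/local

# Run a command only if it can be found and executed; otherwise say so on
# stderr so a missing daemon is noticed at boot instead of failing silently.
# Arguments: the command (absolute path or name on PATH) and its arguments.
run_if_present() {
  if command -v "$1" >/dev/null 2>&1; then
    "$@"
  else
    printf 'rc.local: %s not found or not executable, skipped\n' "$1" >&2
  fi
}

############### system optimize #############################
run_if_present /usr/local/bin/kernel_optimize
run_if_present /usr/local/bin/firewall

################ normal services ############################
run_if_present /usr/local/apache/bin/apachectl start
run_if_present /usr/local/mysql/bin/mysqld_safe --user=mysql &
run_if_present /usr/local/authlib/sbin/authdaemond start

############## postfix relatively ###########################
run_if_present postfix start
run_if_present /usr/local/imap/sbin/imapd start

################ antivirus and antispam #####################
run_if_present /usr/bin/spamd --daemonize --pidfile /var/run/spamd.pid
run_if_present /usr/local/sbin/amavisd start
run_if_present /usr/local/clamav/sbin/clamd

################### NRPE nagios remote plugin execute ###############
run_if_present /usr/local/nrpe/bin/nrpe -c /usr/local/nrpe/etc/nrpe.cfg -d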

