Postfix 电子邮件系统精要(1)(12)
1、内核优化:用脚本实现
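[root@mailserv2 ~]# more /usr/local/bin/kernel_optimize
#!/bin/bash
# kernel_optimize — harden a handful of IPv4 sysctls through /proc at boot.
# Runs as root from /etc/rc.local. Each write below flips a kernel knob,
# so a failed write is reported on stderr rather than passing silently.

# Write VALUE to the /proc/sys knob at PATH.
# Arguments: $1 - knob path, $2 - value to write
# Outputs:   a diagnostic on stderr if the write fails
set_knob() {
  local path=$1 value=$2
  if ! echo "$value" > "$path"; then
    echo "kernel_optimize: cannot set $path" >&2
  fi
}

# Enable broadcast echo protection (ignore ICMP echo to broadcast addresses).
set_knob /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

# Disable source-routed packets.
# NOTE(review): left disabled, as in the original, where the loop was
# commented out and the knob name was misspelled ("accept_source_rout").
# The correct path is accept_source_route; enabling this loop is recommended.
#for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
#  set_knob "$f" 0
#done

# Enable TCP SYN cookie protection (SYN-flood resistance).
set_knob /proc/sys/net/ipv4/tcp_syncookies 1

# Disable acceptance of ICMP redirects on every interface.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  set_knob "$f" 0
done

# Do not send ICMP redirect messages.
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  set_knob "$f" 0
done

# Drop spoofed packets (reverse-path filtering).
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  set_knob "$f" 1
done

# Log packets with impossible (martian) source addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  set_knob "$f" 1
done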
2、防火墙策略:在配置postfix连接mysql数据库时,用户名postfix,密码postfix,类似的情形还有好几处呢。如果某人在别的机器用mysql客户端连接邮件服务器的mysql数据库,不费吹灰之力就可以把邮件帐号全删了,这肯定会激起用户的愤怒!赶快把这个漏洞堵上,下面是我的防火墙策略脚本:
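[root@mailserv2 ~]# more /usr/local/bin/firewall
#!/bin/bash
# firewall — host firewall for the mail server (iptables, filter table).
# Usage: firewall        load the rule set (default INPUT/FORWARD DROP)
#        firewall stop   flush all rules and open the host (all policies ACCEPT)
# Runs as root from /etc/rc.local.

# --- variables ------------------------------------------------------------
IPT=/sbin/iptables
CONNECTION_TRACKING="1"            # "1" = use the state match for established flows
INTERNET="eth0"                    # Internet-facing interface
# RFC 1918 private ranges. The CLASS_A value was lost in the original
# listing; 10.0.0.0/8 is the class A private range the rule below refers to.
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC=""                   # value lost in the original listing; not referenced below
BROADCAST_DEST="255.255.255.255"
IPADDR="220.94.58.245"             # this host's external address
LOOPBACK_INTERFACE="lo"

# --- reset ----------------------------------------------------------------
# Flush every rule and delete user-defined chains before rebuilding.
"$IPT" -F
"$IPT" -X

# "stop": leave the host with no filtering at all.
# The original set the INPUT policy to DROP *before* this check, so
# "firewall stop" actually dropped all inbound traffic (including the
# ssh session that ran it) instead of disabling the firewall.
if [ "${1-}" = "stop" ]; then
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  echo "Firewall completely stopped! no firewall running!"
  exit 0
fi

# Default policy: deny inbound and forwarded traffic, allow outbound.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT

# Loopback traffic is unrestricted; local clients of MySQL, amavisd and
# spamd reach them over this interface.
"$IPT" -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
"$IPT" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

# --- stealth scans / invalid TCP flag combinations -------------------------
# All of the bits are cleared
"$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
"$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
"$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
"$IPT" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

# --- connection tracking --------------------------------------------------
# Accept packets belonging to known flows; drop packets the tracker cannot
# classify.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A INPUT -m state --state INVALID -j DROP
  "$IPT" -A OUTPUT -m state --state INVALID -j DROP
fi

##################################################################
# --- source address spoofing and other bad addresses ----------------------
# Refuse spoofed packets pretending to be from the external interface's IP.
"$IPT" -A INPUT -i "$INTERNET" -s "$IPADDR" -j DROP
# Refuse packets claiming to be from a class A private network.
"$IPT" -A INPUT -i "$INTERNET" -s "$CLASS_A" -j DROP
# Refuse packets claiming to be from a class B private network.
"$IPT" -A INPUT -i "$INTERNET" -s "$CLASS_B" -j DROP
# Refuse packets claiming to be from a class C private network.
"$IPT" -A INPUT -i "$INTERNET" -s "$CLASS_C" -j DROP
# NOTE(review): one more DROP rule stood here in the original listing, but
# its source address was truncated; it is omitted rather than guessed.
# Link-local and TEST-NET sources never legitimately arrive from the Internet.
"$IPT" -A INPUT -i "$INTERNET" -s 169.254.0.0/16 -j DROP
"$IPT" -A INPUT -i "$INTERNET" -s 192.0.2.0/24 -j DROP

###################################################################
# --- access rules ---------------------------------------------------------
# enable ssh connect
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 22 -j ACCEPT
# smtp
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 25 -j ACCEPT
# http (webmail)
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 80 -j ACCEPT
# pop3 / imap
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 110 -j ACCEPT
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 143 -j ACCEPT
# spamd (783) and amavisd / Postfix re-injection (10024, 10025).
# TODO(review): these daemons run on this same host (see /etc/rc.local) and
# are normally consumed over loopback only; opening them on $INTERNET is
# wider than that needs. Confirm no remote client depends on them and, if
# none does, remove these three rules.
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 783 -j ACCEPT
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 10024 -j ACCEPT
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 10025 -j ACCEPT
# mysql. Legitimate local clients arrive on lo (accepted above); a packet
# with source 127.0.0.1 on $INTERNET would be spoofed, so this rule admits
# nothing legitimate. It is the INPUT DROP policy, not this rule, that keeps
# outside hosts off port 3306. Kept for parity with the original.
"$IPT" -A INPUT -i "$INTERNET" -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
# nagios NRPE.
# TODO(review): restrict with "-s <nagios-server-ip>" so only the monitoring
# host can reach the agent.
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 5666 -j ACCEPT
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 10024 -j ACCEPT
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 10025 -j ACCEPT
# ntp
"$IPT" -A INPUT -i "$INTERNET" -p udp --dport 123 -j ACCEPT
# icmp (all types, as in the original)
"$IPT" -A INPUT -i "$INTERNET" -p icmp -j ACCEPT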
“$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT”这条规则是阻止外部机器连接mysql数据库。端口5666是nagios监控所用。把内核优化和防火墙脚本加在文件/etc/rc.local中,实现开机即启。
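[root@mailserv2 ~]# more /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

############### system optimize #############################
# Kernel hardening and the firewall come FIRST. In the original they ran
# last, so every daemon started below was reachable from the network with
# no filtering in place until the end of this script.
/usr/local/bin/kernel_optimize
/usr/local/bin/firewall

################ normal services ############################
/usr/local/apache/bin/apachectl start
/usr/local/mysql/bin/mysqld_safe --user=mysql &
/usr/local/authlib/sbin/authdaemond start

############## postfix relatively ###########################
postfix start
/usr/local/imap/sbin/imapd start

################ antivirus and antispam #####################
/usr/bin/spamd --daemonize --pidfile /var/run/spamd.pid
/usr/local/sbin/amavisd start
/usr/local/clamav/sbin/clamd

################### NRPE nagios remote plugin execute #######
/usr/local/nrpe/bin/nrpe -c /usr/local/nrpe/etc/nrpe.cfg -d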