Once you have picked a VM provider, a machine size and an operating system, the first thing to do after the machine boots is to secure it and shrink its attack surface as far as possible. I only give the most basic recommendations here, mainly around firewall configuration. The commands assume Debian 7 or 8. On Ubuntu they can be used essentially unchanged. The CentOS/Red Hat/Fedora equivalents are similar; please look them up yourself. If there is demand, I will write a dedicated CentOS/Red Hat/Fedora guide when I have time.
All commands below need root. I assume you are already connected to the server on the command line. Prefix the commands with sudo or switch to root as needed.
- Update the server's packages and apply patches:

  ```sh
  apt-get update
  apt-get upgrade
  ```

  (On CentOS/Red Hat/Fedora: `yum update`.)

- Move the SSH port to cut down on SSH attacks:

  By default a Linux server's SSH service listens on port 22. A great deal of attack traffic hammers exactly this port: scripts fire off endless automated connection attempts, the so-called dictionary and brute-force attacks. Moving SSH to another port such as 50683 removes almost all of that automated noise. Bear in mind that it is obscurity, not authentication: a targeted attacker will find the new port with a port scan, so it complements key-based login and Fail2Ban rather than replacing them.

  Open /etc/ssh/sshd_config in your favourite editor, find the line `Port 22`, change 22 to 50683, and save the file.

  Then restart the SSH service:

  ```sh
  service ssh restart
  ```

  Remember that from now on every remote connection needs `-p 50683`. Keep your current session open and confirm from a second terminal that a login on the new port works before you close it.

- Install the firewall:

  ```sh
  apt-get install iptables
  apt-get install iptables-persistent
  ```

  (The second command asks whether to save the current rules; answer yes. iptables-persistent reloads /etc/iptables/rules.v4 and /etc/iptables/rules.v6 at every boot, so the rules below survive a reboot.)

- Basic firewall rules, IPv4:

  Open /etc/iptables/rules.v4 in your editor, delete everything in it, and add the following:

  ```
  *filter
  # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
  -A INPUT -i lo -j ACCEPT
  -A INPUT -d 127.0.0.0/8 -j REJECT
  # Accept all established inbound connections
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Allow all outbound traffic - you can modify this to only allow certain traffic
  -A OUTPUT -j ACCEPT
  # VPN port and forwarding (OpenVPN on udp/1194 with the 10.8.0.0/24 client
  # subnet; the service itself is set up in part three of this series)
  -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
  -A FORWARD -s 10.8.0.0/24 -j ACCEPT
  -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Allow SSH connections
  #
  # The --dport number must be the same port number you set in sshd_config
  #
  -A INPUT -p tcp -m state --state NEW --dport 50683 -j ACCEPT
  # Allow ping
  -A INPUT -p icmp -j ACCEPT
  # Log iptables denied calls
  -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  # Drop all other inbound - default deny unless explicitly allowed policy
  -A INPUT -j DROP
  -A FORWARD -j DROP
  COMMIT
  ```

- Basic firewall rules, IPv6:

  Open /etc/iptables/rules.v6 in your editor, delete everything in it, and add the following:

  ```
  *filter
  # Allow all loopback (lo0) traffic and reject traffic
  # to localhost that does not originate from lo0.
  -A INPUT -i lo -j ACCEPT
  -A INPUT ! -i lo -s ::1/128 -j REJECT
  # Allow ICMPv6 (IPv6 needs it for neighbour discovery; do not block it)
  -A INPUT -p icmpv6 -j ACCEPT
  # Allow SSH connections
  #
  # The --dport number must be the same port number you set in sshd_config
  #
  -A INPUT -p tcp -m state --state NEW --dport 50683 -j ACCEPT
  # Accept inbound traffic from established connections.
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Log what was incoming but denied (optional but useful).
  -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7
  # Reject all other inbound.
  -A INPUT -j REJECT
  # Log any traffic which was sent to you
  # for forwarding (optional but useful).
  -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7
  # Reject all traffic forwarding.
  -A FORWARD -j REJECT
  COMMIT
  ```

- Activate the firewall:

  ```sh
  iptables-restore < /etc/iptables/rules.v4
  ip6tables-restore < /etc/iptables/rules.v6
  ```

  Before running these, double-check that the `--dport` in both rules files is the port you put in sshd_config, and again keep your current session open until a fresh login succeeds. A mismatch here locks you out, and on a VPS the only way back in is the provider's console.
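The SSH-port step and the two rules files share one failure mode: if the `Port` in sshd_config and the `--dport` in rules.v4 or rules.v6 disagree, the moment you run iptables-restore you are locked out. The script below is an added example and not part of the original post; it is a pre-flight check to run before activating the firewall. It reads every uncommented `Port` directive from an sshd_config (defaulting to 22 when there is none) and confirms that each rules file has an INPUT rule accepting new TCP connections to that port. The file paths are parameters; `write_samples` builds constructed sample files for the demo (not the real files under /etc), in which rules.v6 was left at port 22 so the check reports the mismatch.

```shell
#!/bin/sh
# Added example, not from the original post: check that every port sshd listens on
# is opened for TCP in each iptables rules file, before running iptables-restore.
# Paths are parameters; the sample files below are constructed for the demo.

# Print the ports sshd will listen on, one per line (22 if no Port directive).
sshd_ports() {
    ports=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
    if [ -n "$ports" ]; then
        printf '%s\n' "$ports"
    else
        echo 22
    fi
}

# Succeed if the rules file has an INPUT rule accepting TCP to the given port.
# "--dport 5068" must not match port 50683, hence the "( |$)" boundary.
rules_allow_tcp_port() {
    grep -Eq "^-A INPUT .*-p tcp .*--dport $2( |$).*-j ACCEPT" "$1"
}

# $1 = sshd_config, remaining arguments = rules files.
# Returns 0 only if every sshd port is accepted in every rules file.
check_firewall_ssh() {
    cfg=$1
    shift
    status=0
    for port in $(sshd_ports "$cfg"); do
        for rules in "$@"; do
            if rules_allow_tcp_port "$rules" "$port"; then
                echo "ok: $rules accepts tcp/$port"
            else
                echo "LOCKOUT RISK: $rules has no ACCEPT for tcp/$port" >&2
                status=1
            fi
        done
    done
    return $status
}

# Constructed sample files for the demo (NOT the real /etc files).
# rules.v4 matches sshd_config; rules.v6 was left at port 22.
write_samples() {
    mkdir -p "$1"
    cat > "$1/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 50683
PermitRootLogin no
EOF
    cat > "$1/rules.v4" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 50683 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
    cat > "$1/rules.v6" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
}

# On a real server, gate the activation step on the check:
#   check_firewall_ssh /etc/ssh/sshd_config /etc/iptables/rules.v4 /etc/iptables/rules.v6 \
#       && iptables-restore < /etc/iptables/rules.v4 \
#       && ip6tables-restore < /etc/iptables/rules.v6
# Demo on the constructed samples: rules.v6 still opens 22, so the check fails.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_firewall_ssh "$demo_dir/sshd_config" "$demo_dir/rules.v4" "$demo_dir/rules.v6" \
    || echo "fix rules.v6 before applying the firewall"
rm -rf "$demo_dir"
```

The check is deliberately strict about the port boundary: a rule for port 5068 would otherwise pass as a match for 50683 and give you false confidence. It only inspects the rules files; it does not touch iptables and needs no root, so it is safe to run as a habit before every `iptables-restore`.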
These are very basic protections. To harden the server further, I recommend installing Fail2Ban later on, switching to SSH key authentication instead of plain username and password login (and disabling password login once keys work), and so on. With that done, we can move on to setting up the VPN server.
PS. Other articles in this series:
Build your own VPN, part 1: choosing a provider
Build your own VPN, part 3: setting up the openvpn service and generating client profiles
Build your own VPN, part 4: installing and starting the client