选完虚拟机供应商、机器规格、操作系统啥的,机器启动后的第一件事是保护它的安全,尽可能减少被攻击面。我在这里只提供一些最基本建议,主要是在防火墙的设置方面。这里提供的一些指令假定你是用Debian 7或8。你如果用Ubuntu,这些指令基本上可以直接拿过来用。CentOS/Red Hat/Fedora方面的指令类似,请自行查询。如有需要,等我有空专门写CentOS/Red Hat/Fedora的设置。
以下指令都是root级别。我假定你已经通过命令行连到服务器上。请根据需要在命令行前自行添加sudo或变成root。
- 给服务器做软件更新,打补丁:
apt-get update
apt-get upgrade
(yum update) - 调整ssh接口端,防范ssh攻击:
Linux服务器默认ssh接口端是22。很多网络攻击就从这个接口强攻,用程序频繁自动发起无数次的连接申请,所谓的dictionary attack和brute-force attack。把默认的接口改成其它如50683,是防止这种攻击的有效手段。
用你熟悉的编辑器,打开/etc/ssh/sshd_config,然后查找”Port 22″,把22改成50683后保存文件。
接下来请重新启动ssh服务:
service ssh restart
注意以后的远程连接你要记得加-p 50683 - 建防火墙
apt-get install iptables
apt-get install iptables-persistent (运行这个指令,系统会问你要不要把现在的设置存下来,说要) - 基本的防火墙设定,IPv4
用你熟悉的编辑器,打开/etc/iptables/rules.v4,删除里面所有的内容,然后加下面的设置: - 基本的防火墙设定,IPv6
用你熟悉的编辑器,打开/etc/iptables/rules.v6,删除里面所有的内容,然后加下面的设置: - 激活防火墙
[code language=”text”]
iptables-restore < /etc/iptables/rules.v4 ip6tables-restore < /etc/iptables/rules.v6 [/code]
[code language=”text”]
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn’t use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic – you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# VPN port and forwarding.
-A INPUT -p udp -m state –state NEW -m udp –dport 1194 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT
# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state –state NEW –dport 50683 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit –limit 5/min -j LOG –log-prefix “iptables denied: ” –log-level 7
# Drop all other inbound – default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
[/code]
[code language=”text”]
*filter
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT
# Allow ICMP
-A INPUT -p icmpv6 -j ACCEPT
# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state –state NEW –dport 50683 -j ACCEPT
# Accept inbound traffic from established connections.
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit –limit 5/min -j LOG –log-prefix “ip6tables_INPUT_denied: ” –log-level 7
# Reject all other inbound.
-A INPUT -j REJECT
# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit –limit 5/min -j LOG –log-prefix “ip6tables_FORWARD_denied: ” –log-level 7
# Reject all traffic forwarding.
-A FORWARD -j REJECT
COMMIT
[/code]
以上是一些很基本的保护措施。让服务器更安全,建议你以后安装Fail2Ban,使用ssh key认证,而不是简单的用户名密码认证,等等等等。接下来,我们就可以设置vpn服务器了。
PS. 本系列其它文章
自建vpn之一:挑选供应商
自建vpn之三:搭建openvpn service和生成客户端Profile
自建vpn之四:安装启动客户端