Name: 바다아이
Views: 11617
Short URL: https://www.bada-ie.com/su/?931591783726
You don't need to install any separate package; everything is already included in FreeBSD.
There are several parts here; drop the parts you don't need
and configure only the parts you actually need.
Below there is a part that creates a trusted file and restricts ssh access to it;
if you are not on a fixed IP, remove that part and just use any.
Instead, you should change the port a bit...
Next, we will edit the rc.conf file:
# vi /etc/rc.conf
Change it to look like this:
#----------- NETWORKING ------------------------------------------------#
hostname="ceph.domain1.com"    # replace ceph.domain1.com with your domain
ifconfig_vtnet0="dhcp"
static_routes=linklocal
route_linklocal="-net 169.254.0.0/16 -interface vtnet0"
#--------- SERVICES BSD LOCAL ----------------------------------------#
sshd_enable="YES"
ntpd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
With the ee editor, create the file /etc/pf.conf:
# vi /etc/pf.conf
Insert this: (replace any IP addresses with yours)
#######################################################################
me="vtnet0"
table <bruteforcers> persist
table <trusted> persist file "/etc/trusted"
icmp_types = "echoreq"
junk_ports="{ 135,137,138,139,445,68,67,3222 }"
junk_ip="224.0.0.0/4"
set loginterface vtnet0
scrub on vtnet0 reassemble tcp no-df random-id
# ---- First rule obligatory "Pass all on loopback"
pass quick on lo0 all
# ---- Block junk logs
block quick proto { tcp, udp } from any to $junk_ip
block quick proto { tcp, udp } from any to any port $junk_ports
# ---- Second rule "Block all in and pass all out"
block in log all
pass out all keep state
############### FIREWALL ###############################################
# ---- Allow all traffic from my Home
pass quick proto { tcp, udp } from 1.2.3.4 to $me keep state
# ---- block SMTP out
block quick proto tcp from $me to any port 25
# ---- Allow incoming Web traffic
pass quick proto tcp from any to $me port { 80, 443 } flags S/SA keep state
# ---- Allow my team member SSH access
pass quick proto tcp from 1.2.3.5 to $me port ssh flags S/SA keep state
# ---- Block bruteforcers
block log quick from <bruteforcers>
# ---- Allow SSH from trusted sources, but block bruteforcers
pass quick proto tcp from <trusted> to $me port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 20/60, \
    overload <bruteforcers> flush global)
# ---- Allow ICMP
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out inet proto icmp all icmp-type $icmp_types keep state
Create /etc/trusted file. In this file, we will put IPs that we "trust".
# vi /etc/trusted
Add some IPs:
# Hosting
1.2.0.0/16
# My friends
1.2.4.0/24
Now some explanation. Junk ports and junk IPs are just some ports/IPs that
we don't want to see in logs. We have done this with this rule:
# ---- Block junk logs
block quick proto { tcp, udp } from any to $junk_ip
block quick proto { tcp, udp } from any to any port $junk_ports
These are just defaults and you don't have to worry about it:
icmp_types = "echoreq"
set loginterface vtnet0
scrub on vtnet0 reassemble tcp no-df random-id
pass quick on lo0 all
block in log all
pass out all keep state
This rule blocks outgoing SMTP traffic from your server (which is the default on Vultr).
# ---- block SMTP out
block quick proto tcp from $me to any port 25
Except for the bruteforcers rule, the rest is pretty straightforward.
# ---- Allow SSH from trusted sources, but block bruteforcers
pass quick proto tcp from <trusted> to $me port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 20/60, \
    overload <bruteforcers> flush global)
The bruteforcers rule just says: allow from <trusted> IPs to port 22, but only 10 concurrent connections
can be made from one source IP. If it's more than 10, block this IP and put it in the table
bruteforcers. The same goes for the 20/60 rule: it means a maximum of 20 new connections in 60 seconds from one source IP.
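To make the two limits concrete, here is an added shell example (not part of the Vultr guide or of this post) that models how the max-src-conn and max-src-conn-rate thresholds of the SSH rule above are evaluated for a single source IP. The thresholds 10 and 20/60 are taken from the rule; the event streams are constructed, and the evaluation is a simplified awk model of pf's behaviour, not pf's own code.

```shell
#!/bin/sh
# Added example: a model of the per-source limits in the SSH rule above.
# Not pf's code; a simplified awk evaluation for illustration only.
# Input on stdin, one event per line from a single source IP:
#   "<seconds> open"   a new TCP connection (SYN) accepted by the rule
#   "<seconds> close"  one of that source's connections finished
# Events must be in time order.

# Constructed sample 1: a client opens a connection every 2 seconds and
# never closes any of them (a tool holding sessions open).
sample_hold_open() {
    i=0
    while [ "$i" -lt 30 ]; do
        echo "$((i * 2)) open"
        i=$((i + 1))
    done
}

# Constructed sample 2: same pace, but every connection closes at once,
# so only the rate limit can trigger.
sample_short_lived() {
    i=0
    while [ "$i" -lt 30 ]; do
        echo "$((i * 2)) open"
        echo "$((i * 2)) close"
        i=$((i + 1))
    done
}

# first_overload MAXCONN RATE WINDOW
# Prints "<event number> <limit that tripped>" for the first open that
# exceeds either limit (the point at which pf would move the source into
# the overload table), or "ok" if the source stays within both.
first_overload() {
    awk -v maxconn="$1" -v rate="$2" -v win="$3" '
    $2 == "open" {
        n++; t[n] = $1 + 0; live++
        # max-src-conn: simultaneous states from this source
        if (live > maxconn) { print n " max-src-conn"; done = 1; exit }
        # max-src-conn-rate: new connections inside the trailing window
        recent = 0
        for (k = n; k > 0 && t[k] > t[n] - win; k--) recent++
        if (recent > rate) { print n " max-src-conn-rate"; done = 1; exit }
    }
    $2 == "close" { if (live > 0) live-- }
    END { if (!done) print "ok" }'
}

# Compare the two constructed samples against the rule's 10 and 20/60.
echo "hold-open:   $(sample_hold_open | first_overload 10 20 60)"
echo "short-lived: $(sample_short_lived | first_overload 10 20 60)"
```

Run it on the FreeBSD host or anywhere with a POSIX sh and awk. The first sample trips max-src-conn at the 11th open because the earlier ten are still alive; the second never has more than one live state, so it is the 21st open within a 60-second window that trips max-src-conn-rate. Either way the same source ends up in <bruteforcers>.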
Enable firewall:
# vi /etc/rc.conf
Uncomment these lines:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
Reboot:
# reboot
If you have done everything right, then you will be able to login and the firewall will be
enabled. You don't have to reboot every time you change the /etc/pf.conf file. Just do:
# /etc/rc.d/pf reload
See who is trying to connect to your server in real-time:
# tcpdump -n -e -ttt -i pflog0
Show history:
# tcpdump -n -e -ttt -r /var/log/pflog
See if you have someone in bruteforcers table:
# pfctl -t bruteforcers -T show
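The tcpdump commands above show one packet per line, which is hard to read once the log grows. The following added shell example (not from the Vultr guide or this post) summarises blocked attempts per source IP and destination port. The log lines it parses are constructed to match the shape that tcpdump prints for pflog0 with -n -e -ttt; the rule numbers and addresses are made up for the example, and the handling of ICMP lines (no port) is an assumption about that format.

```shell
#!/bin/sh
# Added example: summarise blocked connection attempts from pflog output.
# Expects lines of the shape "tcpdump -n -e -ttt -i pflog0" (or -r
# /var/log/pflog) prints; the rule numbers and addresses below are
# constructed for the example, not captured from a real host.
sample_pflog() {
    cat <<'EOF'
00:00:00.000000 rule 5/0(match): block in on vtnet0: 203.0.113.7.41022 > 198.51.100.10.22: Flags [S], seq 100, win 65535, length 0
00:00:01.104233 rule 5/0(match): block in on vtnet0: 203.0.113.7.41023 > 198.51.100.10.22: Flags [S], seq 101, win 65535, length 0
00:00:00.512900 rule 5/0(match): block in on vtnet0: 198.51.100.23.50110 > 198.51.100.10.3389: Flags [S], seq 7, win 1024, length 0
00:00:02.000011 rule 5/0(match): block in on vtnet0: 192.0.2.9 > 198.51.100.10: ICMP echo reply, id 1, seq 1, length 64
00:00:00.331000 rule 5/0(match): block in on vtnet0: 203.0.113.7.41024 > 198.51.100.10.22: Flags [S], seq 102, win 65535, length 0
00:00:00.901000 rule 5/0(match): block in on vtnet0: 198.51.100.23.50111 > 198.51.100.10.3389: Flags [S], seq 8, win 1024, length 0
EOF
}

# blocked_summary: reads pflog text on stdin and prints
# "<count> <source ip> <destination port>" for every source/port pair
# that hit a block rule, busiest first. Lines without "block" are ignored.
blocked_summary() {
    awk '
    / block / {
        # the source is the token before ">", the destination the token after it
        for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
        # "a.b.c.d.port" has five dot-separated parts; a bare "a.b.c.d"
        # (ICMP, no port) has four, so only strip a fifth part
        n = split(src, p, ".")
        if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]
        sub(/:$/, "", dst)
        n = split(dst, q, ".")
        dport = (n == 5) ? q[5] : "-"
        count[src " " dport]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# block_candidates MIN: source IPs with at least MIN blocked attempts,
# i.e. addresses worth reviewing before adding them by hand with
# "pfctl -t bruteforcers -T add <ip>".
block_candidates() {
    blocked_summary | awk -v min="$1" '$1 >= min { print $2 }' | sort -u
}

# On the host, replace sample_pflog with: tcpdump -n -e -ttt -r /var/log/pflog
sample_pflog | blocked_summary
echo "--- sources with 2 or more blocked attempts ---"
sample_pflog | block_candidates 2
```

Pipe the real log in place of sample_pflog; the summary counts only lines logged by block rules, so with the ruleset above it shows exactly the traffic that "block in log all" and "block log quick from <bruteforcers>" rejected.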
And that's it. You have successfully implemented PF firewall on FreeBSD server!
Source: https://www.vultr.com/docs/how-to-secure-freebsd-with-pf-firewall
Copyright ⓒ 2001.12. bada-ie.com. All rights reserved.