CentOS 7 firewall and SELinux: the first line of defense

firewalld and SELinux are two things you must use when deploying a website on CentOS 7. You may disable them in a development environment, but in production they must be enabled. From personal experience: without the firewall enabled, a server in the US receives tens of thousands of unidentified requests every day. This article will help you understand the relevant operations knowledge.


Basic understanding of firewalld

firewalld status

firewalld is generally not used in development environments.
In production, use rules to prevent attacks.

  1. Check status: systemctl status firewalld

  2. Start: systemctl start firewalld

  3. Stop: systemctl stop firewalld

  4. Restart: systemctl restart firewalld

  5. Reload: systemctl reload firewalld

  6. Enable at boot: systemctl enable firewalld

  7. Disable at boot: systemctl disable firewalld

firewalld: allowing a service

# for example, add http (the change will be valid at once)
[root@dlp ~]# firewall-cmd --add-service=http
success
[root@dlp ~]# firewall-cmd --list-service
dhcpv6-client http ssh
# for example, remove http
[root@dlp ~]# firewall-cmd --remove-service=http
success
[root@dlp ~]# firewall-cmd --list-service
dhcpv6-client ssh
# for example, add http permanently. (this permanent case, it's necessary to reload the Firewalld to enable the change)
[root@dlp ~]# firewall-cmd --add-service=http --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
[root@dlp ~]# firewall-cmd --list-service
dhcpv6-client http ssh

firewalld: opening a port

# for example, add TCP 465
[root@dlp ~]# firewall-cmd --add-port=465/tcp
success
[root@dlp ~]# firewall-cmd --list-port
465/tcp
# for example, remove TCP 465
[root@dlp ~]# firewall-cmd --remove-port=465/tcp
success
[root@dlp ~]# firewall-cmd --list-port

# for example, add TCP 465 permanently
[root@dlp ~]# firewall-cmd --add-port=465/tcp --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
[root@dlp ~]# firewall-cmd --list-port
465/tcp

firewalld: ICMP (Internet Control Message Protocol) settings

If you want to know what ICMP is, look up the relevant material.
ICMP messages fall roughly into two classes: query messages and error messages. Query messages are used for:
ping queries, subnet mask queries (used by diskless workstations to initialize their subnet mask at startup), and timestamp queries (which can be used to synchronize time).
ICMP applications: ping, traceroute.
Knowing this much is enough for now; the echo-request below is what ping uses.

# for example, add echo-request to prohibit it
[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
echo-request
# for example, remove echo-request
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks

# display ICMP types
[root@dlp ~]# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem redirect
router-advertisement router-solicitation source-quench time-exceeded

Checking whether SELinux is enabled

1. Check whether SELinux is enabled:

# display current mode
[root@dlp ~]# getenforce
Enforcing
# enforcing ⇒ SELinux is enabled (default)
# permissive ⇒ MAC is not enabled, but only records audit logs according to Policies
# disabled ⇒ SELinux is disabled
# it is also possible to display the mode with sestatus (see the "Current mode" line)
[root@dlp ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

2. Temporarily disabling SELinux

[root@dlp ~]# getenforce 
Enforcing
# switch to "Permissive" with "setenforce 0"
[root@dlp ~]# setenforce 0
[root@dlp ~]# getenforce
Permissive
# switch to "Enforcing" with "setenforce 1"
[root@dlp ~]# setenforce 1
[root@dlp ~]# getenforce
Enforcing

3. Permanently disabling SELinux

[root@dlp ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# change value you'd like to set
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

# reboot to apply the change
[root@dlp ~]# reboot

4. Things to note

If you change SELinux from "Disabled" back to "Enforcing/Permissive",
besides changing the value back to Enforcing/Permissive in the config file,
one more step is required,
because the filesystem has been in the SELinux-disabled state and must be relabeled.

# set re-labeling like follows, then it will be done on next system restarting
[root@dlp ~]# touch /.autorelabel
[root@dlp ~]# reboot
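Added example (not from the original post): a small shell script that checks the two points above offline, whether SELinux is really enforcing now and after the next reboot, and whether firewalld services added at runtime were also made permanent (or made permanent but not yet reloaded). The sestatus text and service lists are constructed samples; on a real host pass the real command output instead.

```shell
# Added example, not part of the original post. Both checks take command
# output as text so they run offline on the constructed samples at the bottom;
# on a real host pass "$(sestatus)", "$(firewall-cmd --list-services)" and
# "$(firewall-cmd --permanent --list-services)" instead.

# $1 = output of `sestatus`. Returns 0 only if SELinux is enforcing now and
# /etc/selinux/config keeps it enforcing after the next reboot.
check_selinux() {
    status=$(printf '%s\n' "$1" | awk -F': *' '/^SELinux status/ {print $2}')
    current=$(printf '%s\n' "$1" | awk -F': *' '/^Current mode/ {print $2}')
    config=$(printf '%s\n' "$1" | awk -F': *' '/^Mode from config file/ {print $2}')
    if [ "$status" != "enabled" ]; then
        echo "SELinux disabled: set SELINUX=enforcing, touch /.autorelabel, reboot"
        return 1
    elif [ "$current" != "enforcing" ]; then
        echo "SELinux is $current at runtime: run setenforce 1"
        return 1
    elif [ "$config" != "enforcing" ]; then
        echo "config file says $config: mode will change on next reboot"
        return 1
    fi
    return 0
}

# $1 = runtime service list, $2 = permanent service list (space separated).
# runtime-only -> added without --permanent, lost on reload or reboot;
# permanent-only -> added with --permanent but --reload not run yet.
check_firewall_services() {
    rc=0
    for s in $1; do
        case " $2 " in *" $s "*) ;; *) echo "runtime-only: $s (lost on reload)"; rc=1 ;; esac
    done
    for s in $2; do
        case " $1 " in *" $s "*) ;; *) echo "permanent-only: $s (reload pending)"; rc=1 ;; esac
    done
    return $rc
}

# Constructed samples modelled on the sessions in this post.
SESTATUS_OK='SELinux status: enabled
Current mode: enforcing
Mode from config file: enforcing'
SESTATUS_TEMP_OFF='SELinux status: enabled
Current mode: permissive
Mode from config file: enforcing'

check_selinux "$SESTATUS_OK" && echo "selinux ok"
check_selinux "$SESTATUS_TEMP_OFF" || echo "-> fix SELinux before going to production"
check_firewall_services "dhcpv6-client http ssh" "dhcpv6-client ssh" || echo "-> firewall config drift"
```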