◆系统加固及安全
1、内核优化:用脚本实现
[root@mailserv2 ~]# more /usr/local/bin/kernel_optimize
#!/bin/bash
#kernel optimize optimize ,create by 2007-7-29
#enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#disble source routed packets
#for f in /proc/sys/net/ipv4/conf/*/accept_source_rout; do
# echo 0 > $f
#done
#enable tcp syn cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#disable icmp redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
#don’t send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
#drop spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
#log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
|
2、 防火墙策略:在配置postfix连接mysql数据库时,用户名postfix,密码 postfix,类似的情形还有好几处呢。如果某人在别的机器用mysql客户端连接邮件服务器的mysql数据库,不费吹灰之力就可以把邮件帐号全删 了,这肯定会激起用户的愤怒!赶快把这个漏洞堵上,下面是我的防火墙策略脚本:
[root@mailserv2 ~]# more /usr/local/bin/firewall
#!/bin/bash
#this is a common firewall created by 2007-7-29
#define some variable
IPT=/sbin/iptables
CONNECTION_TRACKING=”1″
INTERNET=”eth0″
CLASS_A=”10.0.0.0/8″
CLASS_B=”172.16.0.0/12″
CLASS_C=”192.168.0.0/16″
CLASS_D_MULTICAST=”224.0.0.0/4″
CLASS_E_RESERVED_NET=”240.0.0.0/5″
BROADCAST_SRC=”0.0.0.0″
BROADCAST_DEST=”255.255.255.255″
IPADDR=220. 94.58.245
LOOPBACK_INTERFACE=”lo”
#Remove any existing rules
$IPT -F
$IPT -X
#setting default firewall policy
$IPT –policy OUTPUT ACCEPT
$IPT –policy FORWARD DROP
$IPT -P INPUT DROP
#stop firewall
if [ “$1” = “stop” ]
then
echo “Filewall completely stopped!no firewall running!”
exit 0
fi
#setting for loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Stealth Scans and TCP State Flags
# All of the bits are cleared
$IPT -A INPUT -p tcp –tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp –tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp –tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp –tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp –tcp-flags ACK,URG URG -j DROP
# Using Connection State to By-pass Rule Checking
if [ “$CONNECTION_TRACKING” = “1” ]; then
$IPT -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state –state INVALID -j DROP
$IPT -A OUTPUT -m state –state INVALID -j DROP
fi
##################################################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from
# the external interface.s IP address
$IPT -A INPUT -i $INTERNET -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network
$IPT -A INPUT -i $INTERNET -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network
$IPT -A INPUT -i $INTERNET -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network
$IPT -A INPUT -i $INTERNET -s $CLASS_C -j DROP
$IPT -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
###################################################################
#setting access rules
#enable ssh connect
$IPT -A INPUT -i $INTERNET -p tcp –dport 22 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 25 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 80 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 110 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 143 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 783 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 –dport 3306 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 5666 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 10024 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp –dport 10025 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p udp –dport 123 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p icmp -j ACCEPT
|
“$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 –dport 3306 -j ACCEPT”这条规则是阻止外部机器连接mysql数据库。端口5666是nagios监控所用。把内核优化和防火墙脚 本加在文件/etc/rc.local中,实现开机即启。
[root@mailserv2 ~]# more /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don’t
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
################ normal services ############################
/usr/local/apache/bin/apachectl start
/usr/local/mysql/bin/mysqld_safe –user=mysql&
/usr/local/authlib/sbin/authdaemond start
############## postfix relatively ###########################
postfix start
/usr/local/imap/sbin/imapd start
################ antivirus and antispam #####################
/usr/bin/spamd –daemonize –pidfile /var/run/spamd.pid
/usr/local/sbin/amavisd start
/usr/local/clamav/sbin/clamd
############### system optimize #############################
/usr/local/bin/kernel_optimize
/usr/local/bin/firewall
################### NRPE nagios remote plugin execute $$$$$$$$$
/usr/local/nrpe/bin/nrpe -c /usr/local/nrpe/etc/nrpe.cfg -d
|
◆关 于多邮件域和用户限额
Postfix支持多邮件域,当我们用postfixadmin创建多个邮件域的时候,别忘记在 DNS服务器上做好主机记录解析和MX解析。多邮件域的情形是多个mx记录指向同一个主机ip地址。
默认情况下,postfix 数据库的mailbox表的字段”quota”值是”0″,它表示用户的油箱大小是100M,假如我们要把用户的邮箱大小设置成500M,则只需连接数据 库postfix更改mailbox表”quota”字段的值为”524288000″。
mysql> use postfix;
mysql> update mailbox set quota=’524288000′;
Query OK, 1 row affected (0.03 sec)
Rows matched: 191 Changed: 1 Warnings: 0
|
498)this.style.width=498;”> |
图 10 |
所 有的工作都做完以后,重启linux。检查进程看与postfix相关的守护进程是否在运行,然后在用foxmail来收发邮件,再也 webmail(extmail)方式收发。尽管postfix涉及很多方面的内容,但在大部分情况下,通过日志文件/var/log/maillog可 以得出一些非常有用的信息,从排除故障这个角度讲,postfix的日志文件将会为排除故障提供很好的帮助。
[root@mailserv2 ~]# ps auxww //部分进程快照
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
vmail 1481 0.0 1.2 12644 6568 ? S Oct03 0:00 /usr/local/apache/bin/httpd -k start
postfix 1622 0.0 0.2 4000 1276 ? S Oct02 0:08 anvil -l -t unix -u
vmail 1843 0.0 1.2 12644 6568 ? S Oct03 0:00 /usr/local/apache/bin/httpd -k start
root 1972 0.0 0.1 1688 620 ? Ss Sep20 2:41 syslogd -m 0
root 1975 0.0 0.0 1644 400 ? Ss Sep20 0:01 klogd -x
root 1994 0.0 0.1 5424 984 ? Ss Sep20 0:22 /usr/sbin/sshd
ntp 2012 0.0 0.9 4672 4672 ? SLs Sep20 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root 2027 0.0 0.2 5224 1104 ? Ss Sep20 0:00 crond
root 2042 0.0 0.0 2200 424 ? Ss Sep20 0:00 /usr/sbin/atd
root 2050 0.0 1.3 12644 7016 ? Ss Sep20 0:00 /usr/local/apache/bin/httpd -k start
root 2056 0.0 0.0 1628 400 ? S Sep20 0:18 /usr/local/authlib/sbin/courierlogger -pid=/usr/local/authlib/var/spool/authdaemon/pid -start /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2067 0.0 0.1 2732 848 ? S Sep20 0:00 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2075 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2076 0.0 0.1 2776 1008 ? S Sep20 0:11 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2077 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2078 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2079 0.0 0.1 2776 1008 ? S Sep20 0:10 /usr/local/authlib/libexec/courier-authlib/authdaemond
root 2143 0.0 0.2 3972 1244 ? Ss Sep20 4:57 /usr/libexec/postfix/master
postfix 2146 0.0 0.2 4040 1308 ? S Sep20 1:44 qmgr -l -t fifo -u
root 2153 0.0 0.0 1624 404 ? S Sep20 0:00 /usr/local/authlib/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=imapd /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/local/imap/sbin/imaplogin /usr/local/imap/bin/imapd Maildir
root 2154 0.0 0.1 1728 536 ? S Sep20 0:00 /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/local/imap/sbin/imaplogin /usr/local/imap/bin/imapd Maildir
root 2159 0.0 0.0 1628 404 ? S Sep20 0:03 /usr/local/authlib/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=pop3d /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/local/imap/sbin/pop3login /usr/local/imap/bin/pop3d Maildir
root 2160 0.0 0.1 1728 536 ? S Sep20 0:03 /usr/local/imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/local/imap/sbin/pop3login /usr/local/imap/bin/pop3d Maildir
amavis 2169 0.0 17.2 113196 89072 ? Ss Sep20 7:00 /usr/local/clamav/sbin/clamd
root 2251 0.0 0.0 1624 440 tty1 Ss+ Sep20 0:00 /sbin/mingetty tty1
root 2252 0.0 0.0 1624 436 tty2 Ss+ Sep20 0:00 /sbin/mingetty tty2
root 2253 0.0 0.0 1624 440 tty3 Ss+ Sep20 0:00 /sbin/mingetty tty3
root 2254 0.0 0.0 1624 440 tty4 Ss+ Sep20 0:00 /sbin/mingetty tty4
root 2255 0.0 0.0 1624 440 tty5 Ss+ Sep20 0:00 /sbin/mingetty tty5
root 2256 0.0 0.0 1628 444 tty6 Ss+ Sep20 0:00 /sbin/mingetty tty6
root 3626 0.0 0.2 4440 1104 ? S Sep20 0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe –user=mysql
mysql 3644 0.0 4.1 133256 21460 ? Sl Sep20 8:33 /usr/local/mysql/libexec/mysqld –basedir=/usr/local/mysql –datadir=/usr/local/mysql/var –user=mysql –pid-file=/usr/local/mysql/var/mailserv2.pid –skip-locking
root 12456 0.0 0.4 8272 2504 ? Ss 20:13 0:00 sshd: root@pts/2
root 12458 0.0 0.2 4624 1456 pts/2 Ss+ 20:13 0:00 -bash
amavis 12624 0.0 9.7 59064 50236 ? Ss 20:21 0:01 amavisd (master)
postfix 14269 0.0 0.2 4132 1460 ? S 22:07 0:00 trivial-rewrite -n rewrite -t unix -u
amavis 14518 0.0 10.6 63740 54748 ? S 22:18 0:05 amavisd (ch18-avail)
amavis 14875 0.0 10.4 62724 53768 ? S 22:43 0:04 amavisd (ch11-avail)
amavis 14883 0.1 10.3 62592 53452 ? S 22:44 0:04 amavisd (ch14-avail)
root 14890 0.0 0.4 8276 2512 ? Ss 22:45 0:00 sshd: root@pts/1
root 14892 0.0 0.2 4616 1444 pts/1 Ss 22:45 0:00 -bash
amavis 15160 0.0 10.2 61812 52728 ? S 22:59 0:02 amavisd (ch5-avail)
amavis 15164 0.1 10.3 62464 53488 ? S 22:59 0:04 amavisd (ch13-avail)
amavis 15211 0.1 10.3 62020 53060 ? S 23:03 0:04 amavisd (ch13-avail)
amavis 15292 0.0 10.2 61700 52648 ? S 23:08 0:02 amavisd (ch7-avail)
amavis 15383 0.1 10.2 62124 52964 ? S 23:12 0:03 amavisd (ch8-avail)
postfix 15762 0.0 0.4 4520 2300 ? S 23:40 0:00 smtpd -n smtp -t inet -u
postfix 15865 0.0 0.2 4004 1156 ? S 23:47 0:00 pickup -l -t fifo -u
root 15941 0.0 0.1 4220 940 pts/1 R+ 23:55 0:00 ps auxww
nagios 18752 0.0 0.1 4836 944 ? Ss Sep22 0:05 ../bin/nrpe -c nrpe.cfg -d
vmail 24853 0.0 1.2 12644 6664 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24854 0.0 1.2 12644 6596 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24884 0.0 1.2 12644 6568 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24885 0.0 1.3 12780 6696 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24886 0.0 1.2 12644 6568 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24967 0.0 1.2 12644 6596 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 24970 0.0 1.2 12644 6552 ? S Oct04 0:00 /usr/local/apache/bin/httpd -k start
vmail 28305 0.0 1.3 12788 6724 ? S Oct02 0:00 /usr/local/apache/bin/httpd -k start
root 29390 0.0 5.5 33232 28576 ? Ss Oct01 0:00 /usr/bin/spamd –daemonize –pidfile /var/run/spamd.pid
root 29392 0.0 5.2 33232 27068 ? S Oct01 0:00 spamd child
root 29393 0.0 5.2 33232 26988 ? S Oct01 0:00 spamd child
|