IP Tables ile Oracle Sunucunuzu Koruyun
winscp ile linux sunucunuza bağlanıp fw adında bir dosya oluşturup aşağıdaki metni yapıştırın. root kullanıcısı ile chmod +x fw hakkı verin. #sh fw ya da /scriptin/bulunduğu/path/fw şeklinde çalıştırabilirsiniz. Firmanın birinde bu script çok işimize yaramıştı. Ağa virüs bulaşmıştı ve istemcilerin (client) oracle sunucuya erişmesini engelliyordu. Bu scripti çalıştırdıktan sonra oracle tarafında sorun kalmadı. Network mühendisleri sorunu çözene kadar bize vakit kazandırdı.
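#!/bin/bash
# A sample firewall shell script.
#
# What it does, in order:
#   1. hardens a set of IPv4 sysctl keys (no forwarding, no redirects,
#      no source routing, SYN cookies, reverse-path filtering, ...)
#   2. flushes the filter/nat/mangle tables and sets DROP policies
#   3. optionally loads a list of blocked source addresses into a
#      dedicated chain that is consulted before everything else
#   4. drops malformed / scan-style TCP packets on the public interface
#   5. opens a small set of inbound service ports
#   6. logs and drops everything else
#
# Usage: run as root (./fw or bash fw). Review PUB_IF and the service
# port list before running: the default policies are DROP, so a missing
# ACCEPT rule silently locks out that service. Running over SSH is safe
# only because the ESTABLISHED,RELATED rule is added before the script
# exits; do not abort it halfway.
set -u

IPT="/sbin/iptables"
SPAMLIST="blockedip"             # user-defined chain holding the blocked list
SPAMDROPMSG="BLOCKED IP DROP"    # log prefix for hits on the blocked list
SYSCTL="/sbin/sysctl"
BLOCKEDIPS="/root/scripts/blocked.ips.txt"   # one address/CIDR per line, '#' comments allowed
# interface connected to the Internet
PUB_IF="eth1"
# rate limit shared by every LOG rule so a flood cannot fill the log
LOG_LIMIT=(-m limit --limit 5/m --limit-burst 7)

# Refuse to run without privileges or without the iptables binary;
# otherwise every rule below fails and the host is left unprotected.
if (( EUID != 0 )); then
  printf '%s\n' "this script must be run as root" >&2
  exit 1
fi
if [[ ! -x "$IPT" ]]; then
  printf 'iptables not found at %s\n' "$IPT" >&2
  exit 1
fi

# Apply one key=value sysctl setting. A failure is reported but does not
# abort the script: some keys (kernel.exec-shield, for example) exist
# only on certain distributions and the firewall rules must still load.
set_sysctl() {
  local setting=$1
  "$SYSCTL" -w "$setting" || printf 'warning: sysctl %s failed\n' "$setting" >&2
}

# Log (rate-limited) and then drop INPUT packets on the public interface
# that match the given iptables match expression.
#   $1   - log prefix
#   $@   - match expression (e.g. -p tcp --tcp-flags ALL NONE)
log_and_drop() {
  local prefix=$1
  shift
  "$IPT" -A INPUT -i "$PUB_IF" "$@" "${LOG_LIMIT[@]}" \
    -j LOG --log-level 4 --log-prefix "$prefix"
  "$IPT" -A INPUT -i "$PUB_IF" "$@" -j DROP
}

# Stop certain attacks
echo "Setting sysctl IPv4 settings..."
for setting in \
  net.ipv4.ip_forward=0 \
  net.ipv4.conf.all.send_redirects=0 \
  net.ipv4.conf.default.send_redirects=0 \
  net.ipv4.conf.all.accept_source_route=0 \
  net.ipv4.conf.all.accept_redirects=0 \
  net.ipv4.conf.all.secure_redirects=0 \
  net.ipv4.conf.all.log_martians=1 \
  net.ipv4.conf.default.accept_source_route=0 \
  net.ipv4.conf.default.accept_redirects=0 \
  net.ipv4.conf.default.secure_redirects=0 \
  net.ipv4.icmp_echo_ignore_broadcasts=1 \
  net.ipv4.tcp_syncookies=1 \
  net.ipv4.conf.all.rp_filter=1 \
  net.ipv4.conf.default.rp_filter=1 \
  kernel.exec-shield=1 \
  kernel.randomize_va_space=1
do
  set_sysctl "$setting"
done
#set_sysctl net.ipv4.icmp_ignore_bogus_error_messages=1

echo "Starting IPv4 Firewall..."
# Flush every table and delete user-defined chains so the rules below
# are the only ones in effect.
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done

# load modules
# ip_conntrack is the legacy name; newer kernels call it nf_conntrack and
# usually autoload it when the first "-m state" rule is installed.
modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack 2>/dev/null

#Unlimited traffic for loopback
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# DROP all incomming traffic
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

if [[ -f "$BLOCKEDIPS" ]]; then
  # create a new iptables list and insert it ahead of every other rule
  "$IPT" -N "$SPAMLIST"
  # skip comment and blank lines; every whitespace-separated token on the
  # remaining lines is treated as an address or CIDR block
  while read -r -a tokens; do
    for ipblock in "${tokens[@]}"; do
      "$IPT" -A "$SPAMLIST" -s "$ipblock" -j LOG --log-prefix "$SPAMDROPMSG "
      "$IPT" -A "$SPAMLIST" -s "$ipblock" -j DROP
    done
  done < <(grep -v -E '^#|^$' "$BLOCKEDIPS")
  # NOTE(review): -s matches the packet source, so on OUTPUT these rules
  # only catch packets this host sends *from* a blocked address; add
  # matching -d rules if traffic *to* the blocked hosts must be dropped too.
  "$IPT" -I INPUT -j "$SPAMLIST"
  "$IPT" -I OUTPUT -j "$SPAMLIST"
  "$IPT" -I FORWARD -j "$SPAMLIST"
fi

# Block sync: new connections that do not start with a SYN
log_and_drop "Drop Sync" -p tcp ! --syn -m state --state NEW

# Block Fragments
log_and_drop "Fragments Packets" -f

# Block bad stuff (impossible or scan-style TCP flag combinations)
"$IPT" -A INPUT -i "$PUB_IF" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$IPT" -A INPUT -i "$PUB_IF" -p tcp --tcp-flags ALL ALL -j DROP
log_and_drop "NULL Packets" -p tcp --tcp-flags ALL NONE          # NULL packets
"$IPT" -A INPUT -i "$PUB_IF" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
log_and_drop "XMAS Packets" -p tcp --tcp-flags SYN,FIN SYN,FIN   # XMAS
log_and_drop "Fin Packets Scan" -p tcp --tcp-flags FIN,ACK FIN   # FIN packet scans
"$IPT" -A INPUT -i "$PUB_IF" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow full outgoing connection but no incomming stuff
"$IPT" -A INPUT -i "$PUB_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -o "$PUB_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ssh, ftp, telnet, smtp, submission, oracle em (1158), oracle listener (1521)
# NOTE: 21 (ftp) and 23 (telnet) are cleartext services; drop them from the
# list if the host does not actually serve them. Consider restricting the
# Oracle ports with -s to the client subnets instead of opening them to the
# whole interface.
for port in 21 22 23 25 587 1158 1521; do
  "$IPT" -A INPUT -i "$PUB_IF" -p tcp --destination-port "$port" -j ACCEPT
done

# Allow http / https (open port 80 / 443)
#"$IPT" -A INPUT -i "$PUB_IF" -p tcp --destination-port 80 -j ACCEPT
#"$IPT" -A INPUT -i "$PUB_IF" -p tcp --destination-port 443 -j ACCEPT

# allow incomming ICMP ping pong stuff
"$IPT" -A INPUT -i "$PUB_IF" -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#"$IPT" -A OUTPUT -o "$PUB_IF" -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow port 53 tcp/udp (DNS Server)
"$IPT" -A INPUT -i "$PUB_IF" -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#"$IPT" -A OUTPUT -o "$PUB_IF" -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -i "$PUB_IF" -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#"$IPT" -A OUTPUT -o "$PUB_IF" -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open port 110 (pop3) / 143
#"$IPT" -A INPUT -i "$PUB_IF" -p tcp --destination-port 110 -j ACCEPT
#"$IPT" -A INPUT -i "$PUB_IF" -p tcp --destination-port 143 -j ACCEPT

##### Add your rules below ######
#
#
##### END your rules ############

# Do not log smb/windows sharing packets - too much logging
#"$IPT" -A INPUT -p tcp -i "$PUB_IF" --dport 137:139 -j REJECT
#"$IPT" -A INPUT -p udp -i "$PUB_IF" --dport 137:139 -j REJECT

# log everything else and drop. The catch-all LOG rules are rate-limited
# like the others so a scan or flood cannot fill the log partition.
"$IPT" -A INPUT "${LOG_LIMIT[@]}" -j LOG
"$IPT" -A FORWARD "${LOG_LIMIT[@]}" -j LOG
"$IPT" -A INPUT -j DROP

exit 0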
