Closing unnecessary program ports on a Linux system
When a Linux system is put into service, especially one reachable from the Internet, security dictates limiting the open ports, which in practice means shutting down the service daemons that listen on them. Every listening daemon is reachable attack surface, so anything the host does not actually need should not be running.
First, see which sockets are currently listening:
[root@linux ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4638/portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 8769/cupsd
tcp 0 0 0.0.0.0:600 0.0.0.0:* LISTEN 4658/rpc.statd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4878/sendmail: acce
tcp 0 0 :::22 :::* LISTEN 4844/sshd
Locate the executable behind the listener:
[root@linux ~]# which rpc.statd
/sbin/rpc.statd
Use rpm to find the package that owns it and its init script:
[root@linux ~]# rpm -qf /sbin/rpc.statd
nfs-utils-1.0.6-87.EL4
[root@linux ~]# ls /etc/init.d/nfs*
/etc/init.d/nfs /etc/init.d/nfslock
[root@linux ~]# /etc/init.d/nfslock status
rpc.statd (pid 4658) is running...
[root@linux ~]# /etc/init.d/nfs status
rpc.svcgssd is stopped
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped
Stop the daemon:
[root@linux ~]# /etc/init.d/nfslock stop
Stopping NFS statd: [ OK ]
rpc.statd is no longer listed:
[root@linux ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4638/portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 8769/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4878/sendmail: acce
tcp 0 0 :::22 :::* LISTEN 4844/sshd
Handle the Internet printing service (CUPS) the same way:
[root@linux ~]# which cupsd
/usr/sbin/cupsd
[root@linux ~]# rpm -qf /usr/sbin/cupsd
cups-1.1.22-0.rc1.9.27
[root@linux ~]# rpm -qc cups |grep init
/etc/rc.d/init.d/cups
[root@linux ~]# /etc/rc.d/init.d/cups stop
Stopping cups: [ OK ]
[root@linux ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4638/portmap
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4878/sendmail: acce
tcp 0 0 :::22 :::* LISTEN 4844/sshd
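Before stopping anything, it helps to know which listeners are actually reachable from the network. In the listing above, cupsd and sendmail are bound to 127.0.0.1 and cannot be reached from outside at all, while portmap, rpc.statd and sshd are bound to every interface. The following script is an added example (not part of the original article) that classifies netstat -tnlp output by exposure so the externally reachable daemons are dealt with first; the sample output it parses is constructed from the listing above.

```sh
#!/bin/sh
# Added example: classify the TCP listeners shown by "netstat -tnlp" by
# exposure. A daemon bound to 127.0.0.1 or ::1 is unreachable from the
# network; one bound to 0.0.0.0 or :: is reachable on every interface.
# Usage on a real host:   netstat -tnlp | triage_listeners
# Only TCP lines are handled, as in the article (UDP lines have no State
# column and would shift the fields).

# Constructed sample, modelled on the article's first netstat listing.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4638/portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 8769/cupsd
tcp 0 0 0.0.0.0:600 0.0.0.0:* LISTEN 4658/rpc.statd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4878/sendmail: acce
tcp 0 0 :::22 :::* LISTEN 4844/sshd'

# Reads netstat -tnlp output on stdin and prints one line per listener:
#   <EXTERNAL|LOOPBACK|SPECIFIC> <port> <pid> <program>
# SPECIFIC means bound to one particular address rather than a wildcard.
triage_listeners() {
    awk '$1 == "tcp" || $1 == "tcp6" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        # everything before the last ":" is the bind address (":::22" -> "::")
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::")
            exposure = "EXTERNAL"
        else if (host == "127.0.0.1" || host == "::1")
            exposure = "LOOPBACK"
        else
            exposure = "SPECIFIC"
        split($7, pp, "/")          # "4878/sendmail:" -> pid, program
        sub(/:$/, "", pp[2])        # drop the colon netstat leaves on truncated names
        printf "%s %s %s %s\n", exposure, port, pp[1], pp[2]
    }'
}

# Space-separated program names with the given exposure class in the sample.
programs_with_exposure() {
    printf '%s\n' "$SAMPLE_NETSTAT" | triage_listeners |
        awk -v want="$1" '$1 == want { printf "%s%s", sep, $4; sep = " " } END { print "" }'
}

external_programs() { programs_with_exposure EXTERNAL; }   # portmap rpc.statd sshd
loopback_programs() { programs_with_exposure LOOPBACK; }   # cupsd sendmail

printf '%s\n' "$SAMPLE_NETSTAT" | triage_listeners
```

On the article's host this reports portmap, rpc.statd and sshd as EXTERNAL and cupsd and sendmail as LOOPBACK. The loopback-only daemons are still worth stopping if nothing uses them, but they were never reachable from the Internet; rpc.statd on 0.0.0.0:600 and portmap on 0.0.0.0:111 were.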
So far these daemons have only been stopped; they will start again automatically on the next boot.
To prevent that, use chkconfig to turn each service off in the run levels the machine boots into: 3 (multi-user text mode) and 5 (multi-user with X Window). If the host can also boot into level 2, turn it off there too, as is done for cups below:
[root@linux ~]# chkconfig --list|grep portmap
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@linux ~]# chkconfig --level 35 portmap off
[root@linux ~]# chkconfig --list|grep portmap
portmap 0:off 1:off 2:off 3:off 4:on 5:off 6:off
[root@linux ~]# chkconfig --list|grep cups
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups-config-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cups-lpd: off
[root@linux ~]# chkconfig --level 235 cups off
[root@linux ~]# chkconfig --list|grep cups
cups 0:off 1:off 2:off 3:off 4:on 5:off 6:off
cups-config-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cups-lpd: off
[root@linux ~]# chkconfig --list|grep rpc
rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@linux ~]# chkconfig --level 35 rpcidmapd off
[root@linux ~]# chkconfig --level 35 rpcgssd off
[root@linux ~]# chkconfig --list|grep rpc
rpcidmapd 0:off 1:off 2:off 3:off 4:on 5:off 6:off
rpcgssd 0:off 1:off 2:off 3:off 4:on 5:off 6:off
[root@linux ~]# chkconfig --list|grep sendmail
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@linux ~]# chkconfig --level 35 sendmail off
[root@linux ~]# chkconfig --list|grep sendmail
sendmail 0:off 1:off 2:on 3:off 4:on 5:off 6:off
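Reading the chkconfig output by eye is error-prone: in the listing above, cups-config-daemon is still on in levels 3, 4 and 5 after cups itself was turned off. The script below is an added example (not part of the original article) that reports every SysV service chkconfig will still start in the given run levels, so the check can be repeated before rebooting. The sample it parses is constructed from the article's output after its chkconfig commands were run; the sshd line and the xinetd section are added to show lines that must not be mis-parsed.

```sh
#!/bin/sh
# Added example: list the SysV services that "chkconfig --list" still shows
# as "on" in any of the given run levels.
# Usage on a real host:   chkconfig --list | enabled_in_levels 3 5

# Constructed sample modelled on the article's chkconfig output after its
# "chkconfig --level ... off" commands; sshd and the xinetd lines are added.
SAMPLE_CHKCONFIG='portmap 0:off 1:off 2:off 3:off 4:on 5:off 6:off
cups 0:off 1:off 2:off 3:off 4:on 5:off 6:off
cups-config-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcidmapd 0:off 1:off 2:off 3:off 4:on 5:off 6:off
rpcgssd 0:off 1:off 2:off 3:off 4:on 5:off 6:off
sendmail 0:off 1:off 2:on 3:off 4:on 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd based services:
        cups-lpd: off'

# Reads chkconfig --list output on stdin; prints, one per line, every service
# that is "on" in at least one of the run levels given as arguments.
# Only lines with a name plus the seven "N:on|off" fields are services;
# headers and xinetd sub-services ("cups-lpd: off") are skipped.
enabled_in_levels() {
    awk -v want="$*" '
        BEGIN { n = split(want, lv, " ") }
        NF == 8 && $2 ~ /^0:/ {
            for (i = 1; i <= n; i++)
                # run level L sits in field L+2 ("3:on" is $5)
                if ($(lv[i] + 2) == (lv[i] ":on")) { print $1; break }
        }'
}

# Services the sample would still start in levels 3 or 5, space-separated.
# Expected: cups-config-daemon sshd
sample_still_enabled() {
    printf '%s\n' "$SAMPLE_CHKCONFIG" | enabled_in_levels 3 5 |
        awk '{ printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

printf '%s\n' "$SAMPLE_CHKCONFIG" | enabled_in_levels 3 5
```

Anything this prints other than sshd (and the services the host genuinely needs, such as network and syslog) should get its own chkconfig --level 35 ... off before the reboot; on the article's host that is cups-config-daemon.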
After a reboot, only the SSH service we wanted is left:
[root@linux ~]# reboot
Broadcast message from root (pts/1) (Wed Nov 18 15:35:37 2009):
The system is going down for reboot NOW!
[root@linux ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4759/sshd
SSH is usable, but the log now records the following:
[root@linux ~]# cat /var/log/secure
Nov 18 16:13:55 linux sshd[4785]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
The cause is that sshd_config lists both ListenAddress 0.0.0.0 and ListenAddress ::. On Linux an IPv6 wildcard socket also accepts IPv4 connections by default, so once sshd has bound :::22 the second bind to 0.0.0.0:22 fails with "Address already in use". sshd still serves connections, so the message is only noise, but keeping a single ListenAddress removes it. Note that commenting out ListenAddress :: (as below) means sshd no longer listens on IPv6 addresses; if the host needs SSH over IPv6, keep ListenAddress :: and drop ListenAddress 0.0.0.0 instead:
[root@linux ~]# vi /etc/ssh/sshd_config
Port 22
#Protocol 2,1
ListenAddress 0.0.0.0
#ListenAddress ::
Of course, the SSH service itself still needs further hardening, which this article does not go into.