維泰 蔡, profile picture
Uploaded by維泰 蔡
PDF, PPTX1,174 views

Linux 系統管理與安全:系統防駭與資訊安全

This document provides instructions on configuring Linux security features such as SSH key-based authentication, firewall rules using iptables, SELinux concepts, and the Fail2ban utility. It discusses generating SSH keys, editing SSH configuration files, setting default firewall policies and rules for input, output, and forwarding, as well as network address translation rules. It also covers SELinux file and process context types and restoring default contexts. Lastly, it explains how to install, configure, and check the status of Fail2ban to automatically ban IPs with too many failed login attempts.

Embed presentation

Download as PDF, PPTX
• • • • • •
•
• • • • •
•
• • • • • •
• • • • •
• •
• • authorized_keys • id_rsa • id_rsa.pub   • known_hosts • $  ssh-­‐keygen -­‐t  rsa -­‐b  2048 • 600 .ssh 700
• •
• ~/.ssh/authorized_keys • ssh-­‐copy-­‐id   • • /etc/ssh/sshd_config • PasswordAuthentication no
• $  last • $  who • $  lastlog
• • • •
• • • • • • • • • • • • • •
• • •
• • • •
•
• • • • • • • • •
• • • • • • •
• • • •
• • <Directory  /var/www> Options  –Indexes </Directory> • /etc/apache2/httpd-­‐conf • ServerTokens Prod • ServerSignature Off • /etc/php5/php.ini • expose_php =  Off
• •
• • SQL   $SQL  =  "SELECT  *  FROM  users  WHERE  (name  =  '"  +  $user  +  "') and  (pw  =  '"+  $pass  +"');" $user   $pass   1'  OR  '1'='1 SQL   $SQL  =  "SELECT  *  FROM  users  WHERE  (name  =  '1'  OR  '1'='1') and  (pw  =  '1'  OR  '1'='1');" $SQL  =  "SELECT  *  FROM  users;"
•
• • • • • • •
• •
• •
•
•
•
• • • phpMyAdmin •
• • • • • firewalld iptables-­‐service • #  systemctl stop  firewalld • #  systemctl mask  firewalld • #  yum  install  iptables-­‐services
• iptables-­‐service #  systemctl enable  iptables • / / iptables #  systemctl [stop|start|restart]  iptables • iptable #  service  iptables save • iptables #  iptables -­‐L   • ssh
• • INPUT  -­‐ • OUTPUT  -­‐ • FORWARD  -­‐ • (first  match)   • vs.  
• #  vim  my_firewall.sh #!/bin/bash #   iptables iptables -­‐F #   SSH   tcp 22 iptables -­‐A  INPUT  -­‐p  tcp -­‐-­‐dport 22  -­‐j  ACCEPT #   INPUT FORWARD OUTPUT   iptables -­‐P  INPUT  DROP iptables -­‐P  FORWARD  DROP iptables -­‐P  OUTPUT  ACCEPT #   localhost   iptables -­‐A  INPUT  -­‐i lo  -­‐j  ACCEPT #   iptables -­‐A  INPUT  -­‐m  state  -­‐-­‐state  ESTABLISHED,RELATED  -­‐j  ACCEPT -­‐i < > -­‐p  < > -­‐-­‐dport < > -­‐-­‐sport  < > -­‐m < >-­‐A  ( ) -­‐I  ( ) -­‐D  ( ) -­‐-­‐state  INVALID   -­‐-­‐state  ESTABLISHED   -­‐-­‐state  NEW   -­‐-­‐state  RELATED  
#   IP   iptables -­‐A  INPUT  -­‐s  192.168.0.100  -­‐j  ACCEPT iptables -­‐A  INPUT  -­‐s  140.115.0.0/16  -­‐j  ACCEPT #   6881-­‐6890   bittorrent tcp iptables -­‐A  INPUT  -­‐p  tcp -­‐-­‐dport 6881:6890  -­‐j  ACCEPT #   IP   21   tcp iptables -­‐A  INPUT  -­‐s  192.168.0.20  -­‐p  tcp -­‐-­‐dport 21  -­‐j  ACCEPT #   /sbin/service  iptables save #   iptables -­‐L  -­‐v -­‐s  < IP> -­‐d  < IP> Q REJECT   DROP   -­‐j ACCEPT ( ) -­‐j REJECT ( ) -­‐j DROP ( )
• • • #  echo  1  >  /proc/sys/net/ipv4/ip_forward #   port  80   172.31.0.23   port  80 iptables -­‐t  nat -­‐A  PREROUTING  -­‐i eth0  -­‐p  tcp -­‐-­‐dport 80  -­‐j  DNAT  -­‐-­‐to  172.31.0.23:80 #   IP   192.168.1.0/24   eth0 IP   1.2.3.0/24 iptables -­‐t  nat -­‐A  POSTROUTING  -­‐s  192.168.1.0/24  -­‐o  eth1  -­‐j  SNAT  -­‐-­‐to  1.2.3.0/24 #   IP   192.168.1.0/24   eth0 IP   eth1   IP iptables  -­‐t  nat  -­‐A  POSTROUTING  -­‐s  192.168.1.0/24  -­‐o  eth1  -­‐j  MASQUERADE Q SNAT DNAT   MASQUERADE   A SNAT   IP DNAT   IP MASQUERADE   IP
1. # iptables -­‐A INPUT -­‐s 140.115.1.1 -­‐j REJECT 2. # iptables -­‐A INPUT -­‐s 140.115.1.31 -­‐p UDP -­‐-­‐ dport 5566 -­‐j ACCEPT
• • • • • #  ls  -­‐Z
• • #  chcon [-­‐R]  [-­‐t  type]  [-­‐u  user]  [-­‐r  role]   • #  restorecon [-­‐Rv]   root:~/  #  ls  -­‐Z -­‐rw-­‐-­‐-­‐-­‐-­‐-­‐-­‐.  root  root system_u:object_r:admin_home_t:s0 anaconda-­‐ks.cfg -­‐rw-­‐r-­‐-­‐r-­‐-­‐.  root  root unconfined_u:object_r:admin_home_t:s0 latest.zip -­‐rw-­‐r-­‐-­‐r-­‐-­‐.  root  root unconfined_u:object_r:admin_home_t:s0 number -­‐rw-­‐r-­‐-­‐r-­‐-­‐.  root  root unconfined_u:object_r:admin_home_t:s0 phpmyadmin_4.4.0.zip Identify  :  Role  :  Type :   :  
• • • • • Fail2ban #  yum  install  fail2ban • #  vim  /etc/fail2ban/jail.local • #  systemctl enable  fail2ban  &&  systemctl start  fail2ban
• #  fail2ban-­‐client  status • #  fail2ban-­‐client  status  sshd #  fail2ban-­‐client  status  sshd Status  for  the  jail:  sshd |-­‐ Filter |    |-­‐ Currently  failed:  1 |    |-­‐ Total  failed:          1 |    `-­‐ File  list:                /var/log/secure `-­‐ Actions |-­‐ Currently  banned:  0 |-­‐ Total  banned:          0 `-­‐ Banned  IP  list:
Linux 系統管理與安全:系統防駭與資訊安全

More Related Content

PDF
Linux 系統管理與安全:基本 Linux 系統知識
by維泰 蔡
 
PDF
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
by維泰 蔡
 
PDF
R-House (LSRC)
byFernand Galiana
 
PDF
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
byRetrieva inc.
 
DOC
Rac
byMohsen B
 
PDF
Containers for sysadmins
byCarlos de Alfonso Laguna
 
PPTX
Creating "Secure" PHP applications, Part 2, Server Hardening
byarchwisp
 
PDF
Setting up a HADOOP 2.2 cluster on CentOS 6
byManish Chopra
 
Linux 系統管理與安全:基本 Linux 系統知識
by維泰 蔡
 
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
by維泰 蔡
 
R-House (LSRC)
byFernand Galiana
 
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
byRetrieva inc.
 
Rac
byMohsen B
 
Containers for sysadmins
byCarlos de Alfonso Laguna
 
Creating "Secure" PHP applications, Part 2, Server Hardening
byarchwisp
 
Setting up a HADOOP 2.2 cluster on CentOS 6
byManish Chopra
 

What's hot

PPTX
What is suid, sgid and sticky bit
byMeenu Chopra
 
PPTX
Opendaylight app development
byvjanandr
 
PDF
Kernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
byAnne Nicolas
 
PDF
IPv6 for Pentesters
bycamsec
 
PDF
SSH: Seguranca no Acesso Remoto
byTiago Cruz
 
ODP
Getting started with RDO Havana
byDan Radez
 
PDF
Crash_Report_Mechanism_In_Tizen
byLex Yu
 
DOC
Capital onehadoopclass
byDoug Chang
 
PDF
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
byAnne Nicolas
 
ODP
Analysis of Compromised Linux Server
byanandvaidya
 
PDF
Linux Commands - 3
byKanchilug
 
KEY
/etc/rc.d配下とかのリーディング勉強会
byNaoya Nakazawa
 
ODP
Triangle OpenStack meetup 09 2013
byDan Radez
 
PDF
Importance of SSHFP for Network Devices
byAPNIC
 
PDF
Importance of sshfp and configuring sshfp for network devices
byMuhammad Moinur Rahman
 
PDF
Kernel Recipes 2017: Performance Analysis with BPF
byBrendan Gregg
 
ODP
Proxy arp
byMarian Marinov
 
PDF
Debugging Ruby Systems
byEngine Yard
 
PDF
Debugging Ruby
byAman Gupta
 
PDF
YOW2020 Linux Systems Performance
byBrendan Gregg
 
What is suid, sgid and sticky bit
byMeenu Chopra
 
Opendaylight app development
byvjanandr
 
Kernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
byAnne Nicolas
 
IPv6 for Pentesters
bycamsec
 
SSH: Seguranca no Acesso Remoto
byTiago Cruz
 
Getting started with RDO Havana
byDan Radez
 
Crash_Report_Mechanism_In_Tizen
byLex Yu
 
Capital onehadoopclass
byDoug Chang
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
byAnne Nicolas
 
Analysis of Compromised Linux Server
byanandvaidya
 
Linux Commands - 3
byKanchilug
 
/etc/rc.d配下とかのリーディング勉強会
byNaoya Nakazawa
 
Triangle OpenStack meetup 09 2013
byDan Radez
 
Importance of SSHFP for Network Devices
byAPNIC
 
Importance of sshfp and configuring sshfp for network devices
byMuhammad Moinur Rahman
 
Kernel Recipes 2017: Performance Analysis with BPF
byBrendan Gregg
 
Proxy arp
byMarian Marinov
 
Debugging Ruby Systems
byEngine Yard
 
Debugging Ruby
byAman Gupta
 
YOW2020 Linux Systems Performance
byBrendan Gregg
 

Viewers also liked

PPT
Donate Organs
byRamesh Kumar
 
PPTX
Web_DBの監視
byii012014
 
PPTX
Groovy Introduction for Java Programmer
byLi Ding
 
PDF
配布用Cacti running with cherokee
byyut148atgmaildotcom
 
DOC
Nagios的安装部署和与cacti的整合(linuxtone)
byYiwei Ma
 
PDF
Cheatsheet: Hex file headers and regex
byKasper de Waard
 
PDF
Tmux quick-reference
byRamesh Kumar
 
PDF
RHEL roadmap
byRamesh Kumar
 
PDF
Webサーバ勉強会#5mod sedについて
byyut148atgmaildotcom
 
PDF
UNIX SHELL IN DBA EVERYDAY
byAndrejs Vorobjovs
 
PDF
Cacti manual
byRamesh Kumar
 
PPT
Sorting techniques in Perl
byYogesh Sawant
 
PDF
Unix interview questions
byKalyan Hadoop
 
PDF
Hadoopp0f 150325024427-conversion-gate01
byKalyan Hadoop
 
TXT
Url
byRadien software
 
PDF
shell script introduction
byJie Jin
 
PPTX
Recommender system
byJie Jin
 
PDF
Course 102: Lecture 13: Regular Expressions
byAhmed El-Arabawy
 
PPTX
sed -- A programmer's perspective
byLi Ding
 
PDF
Orienit hadoop practical cluster setup screenshots
byKalyan Hadoop
 
Donate Organs
byRamesh Kumar
 
Web_DBの監視
byii012014
 
Groovy Introduction for Java Programmer
byLi Ding
 
配布用Cacti running with cherokee
byyut148atgmaildotcom
 
Nagios的安装部署和与cacti的整合(linuxtone)
byYiwei Ma
 
Cheatsheet: Hex file headers and regex
byKasper de Waard
 
Tmux quick-reference
byRamesh Kumar
 
RHEL roadmap
byRamesh Kumar
 
Webサーバ勉強会#5mod sedについて
byyut148atgmaildotcom
 
UNIX SHELL IN DBA EVERYDAY
byAndrejs Vorobjovs
 
Cacti manual
byRamesh Kumar
 
Sorting techniques in Perl
byYogesh Sawant
 
Unix interview questions
byKalyan Hadoop
 
Hadoopp0f 150325024427-conversion-gate01
byKalyan Hadoop
 
Url
byRadien software
 
shell script introduction
byJie Jin
 
Recommender system
byJie Jin
 
Course 102: Lecture 13: Regular Expressions
byAhmed El-Arabawy
 
sed -- A programmer's perspective
byLi Ding
 
Orienit hadoop practical cluster setup screenshots
byKalyan Hadoop
 

Similar to Linux 系統管理與安全:系統防駭與資訊安全

TXT
Command
bygajshield
 
PDF
Complete squid &amp; firewall configuration. plus easy mac binding
byChanaka Lasantha
 
TXT
Linuxserver harden
byGregory Hanis
 
TXT
Firewall
bydcs2004
 
PDF
Athenticated smaba server config with open vpn
byChanaka Lasantha
 
PDF
Unidade3 roteiro proxy
byLeandro Almeida
 
PDF
IPTables Lab
byKaan Aslandağ
 
DOCX
25 most frequently used linux ip tables rules examples
byTeja Bheemanapally
 
DOCX
25 most frequently used linux ip tables rules examples
byTeja Bheemanapally
 
PDF
Configuration IPTables On CentOS 8
byKaan Aslandağ
 
PDF
CentOS Linux Server Hardening
byMyOwn Telco
 
PPTX
How to convert your Linux box into Security Gateway - Part 1
byn|u - The Open Security Community
 
PDF
25 most frequently used linux ip tables rules examples
bychinkshady
 
PDF
Fail2ban
byRuslan Conk
 
PPTX
Firewalls rules using iptables in linux
byaamir lucky
 
PDF
Reducing iptables configuration complexity using chains
byDieter Adriaenssens
 
PDF
k8s from kube-proxy and iptables-by Martynas.pdf
byssuserff7364
 
PDF
Introduction to firewalls through Iptables
byBud Siddhisena
 
DOCX
Cent os 5 ssh
byAlejandro Besne
 
PDF
Linux Hardening - nullhyd
byn|u - The Open Security Community
 
Command
bygajshield
 
Complete squid &amp; firewall configuration. plus easy mac binding
byChanaka Lasantha
 
Linuxserver harden
byGregory Hanis
 
Firewall
bydcs2004
 
Athenticated smaba server config with open vpn
byChanaka Lasantha
 
Unidade3 roteiro proxy
byLeandro Almeida
 
IPTables Lab
byKaan Aslandağ
 
25 most frequently used linux ip tables rules examples
byTeja Bheemanapally
 
25 most frequently used linux ip tables rules examples
byTeja Bheemanapally
 
Configuration IPTables On CentOS 8
byKaan Aslandağ
 
CentOS Linux Server Hardening
byMyOwn Telco
 
How to convert your Linux box into Security Gateway - Part 1
byn|u - The Open Security Community
 
25 most frequently used linux ip tables rules examples
bychinkshady
 
Fail2ban
byRuslan Conk
 
Firewalls rules using iptables in linux
byaamir lucky
 
Reducing iptables configuration complexity using chains
byDieter Adriaenssens
 
k8s from kube-proxy and iptables-by Martynas.pdf
byssuserff7364
 
Introduction to firewalls through Iptables
byBud Siddhisena
 
Cent os 5 ssh
byAlejandro Besne
 
Linux Hardening - nullhyd
byn|u - The Open Security Community
 

Recently uploaded

PDF
final.pdf
byomarbishtawi04
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
AI TOOLS FOR PRODUCTIVITY IN MODERN TIMES.pdf
bySantunu
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
apidays Paris 2025 | API Layer7 Security: Real-World Use Cases (BBVA & Nexi)
byapidays
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
final.pdf
byomarbishtawi04
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
AI TOOLS FOR PRODUCTIVITY IN MODERN TIMES.pdf
bySantunu
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
apidays Paris 2025 | API Layer7 Security: Real-World Use Cases (BBVA & Nexi)
byapidays
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
apidays New York 2025 | AI in Application Security
byapidays
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 

Linux 系統管理與安全:系統防駭與資訊安全

  • 2.
  • 3.
  • 5.
  • 6.
  • 8.
  • 9.
  • 10.
  • 11.
    • • authorized_keys • id_rsa •id_rsa.pub   • known_hosts • $  ssh-­‐keygen -­‐t  rsa -­‐b  2048 • 600 .ssh 700
  • 12.
  • 13.
    • ~/.ssh/authorized_keys • ssh-­‐copy-­‐id   • •/etc/ssh/sshd_config • PasswordAuthentication no
  • 14.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 22.
  • 23.
  • 24.
  • 25.
    • • <Directory  /var/www> Options –Indexes </Directory> • /etc/apache2/httpd-­‐conf • ServerTokens Prod • ServerSignature Off • /etc/php5/php.ini • expose_php =  Off
  • 27.
  • 28.
    • • SQL   $SQL  = "SELECT  *  FROM  users  WHERE  (name  =  '"  +  $user  +  "') and  (pw  =  '"+  $pass  +"');" $user   $pass   1'  OR  '1'='1 SQL   $SQL  =  "SELECT  *  FROM  users  WHERE  (name  =  '1'  OR  '1'='1') and  (pw  =  '1'  OR  '1'='1');" $SQL  =  "SELECT  *  FROM  users;"
  • 29.
  • 30.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 39.
    • • • • • firewalld iptables-­‐service •#  systemctl stop  firewalld • #  systemctl mask  firewalld • #  yum  install  iptables-­‐services
  • 40.
    • iptables-­‐service #  systemctlenable  iptables • / / iptables #  systemctl [stop|start|restart]  iptables • iptable #  service  iptables save • iptables #  iptables -­‐L   • ssh
  • 41.
    • • INPUT  -­‐ •OUTPUT  -­‐ • FORWARD  -­‐ • (first  match)   • vs.  
  • 42.
    • #  vim my_firewall.sh #!/bin/bash #   iptables iptables -­‐F #   SSH   tcp 22 iptables -­‐A  INPUT  -­‐p  tcp -­‐-­‐dport 22  -­‐j  ACCEPT #   INPUT FORWARD OUTPUT   iptables -­‐P  INPUT  DROP iptables -­‐P  FORWARD  DROP iptables -­‐P  OUTPUT  ACCEPT #   localhost   iptables -­‐A  INPUT  -­‐i lo  -­‐j  ACCEPT #   iptables -­‐A  INPUT  -­‐m  state  -­‐-­‐state  ESTABLISHED,RELATED  -­‐j  ACCEPT -­‐i < > -­‐p  < > -­‐-­‐dport < > -­‐-­‐sport  < > -­‐m < >-­‐A  ( ) -­‐I  ( ) -­‐D  ( ) -­‐-­‐state  INVALID   -­‐-­‐state  ESTABLISHED   -­‐-­‐state  NEW   -­‐-­‐state  RELATED  
  • 43.
    #   IP  iptables -­‐A  INPUT  -­‐s  192.168.0.100  -­‐j  ACCEPT iptables -­‐A  INPUT  -­‐s  140.115.0.0/16  -­‐j  ACCEPT #   6881-­‐6890   bittorrent tcp iptables -­‐A  INPUT  -­‐p  tcp -­‐-­‐dport 6881:6890  -­‐j  ACCEPT #   IP   21   tcp iptables -­‐A  INPUT  -­‐s  192.168.0.20  -­‐p  tcp -­‐-­‐dport 21  -­‐j  ACCEPT #   /sbin/service  iptables save #   iptables -­‐L  -­‐v -­‐s  < IP> -­‐d  < IP> Q REJECT   DROP   -­‐j ACCEPT ( ) -­‐j REJECT ( ) -­‐j DROP ( )
  • 44.
    • • • #  echo  1 >  /proc/sys/net/ipv4/ip_forward #   port  80   172.31.0.23   port  80 iptables -­‐t  nat -­‐A  PREROUTING  -­‐i eth0  -­‐p  tcp -­‐-­‐dport 80  -­‐j  DNAT  -­‐-­‐to  172.31.0.23:80 #   IP   192.168.1.0/24   eth0 IP   1.2.3.0/24 iptables -­‐t  nat -­‐A  POSTROUTING  -­‐s  192.168.1.0/24  -­‐o  eth1  -­‐j  SNAT  -­‐-­‐to  1.2.3.0/24 #   IP   192.168.1.0/24   eth0 IP   eth1   IP iptables  -­‐t  nat  -­‐A  POSTROUTING  -­‐s  192.168.1.0/24  -­‐o  eth1  -­‐j  MASQUERADE Q SNAT DNAT   MASQUERADE   A SNAT   IP DNAT   IP MASQUERADE   IP
  • 46.
    1. # iptables-­‐A INPUT -­‐s 140.115.1.1 -­‐j REJECT 2. # iptables -­‐A INPUT -­‐s 140.115.1.31 -­‐p UDP -­‐-­‐ dport 5566 -­‐j ACCEPT
  • 49.
  • 50.
    • • #  chcon [-­‐R] [-­‐t  type]  [-­‐u  user]  [-­‐r  role]   • #  restorecon [-­‐Rv]   root:~/  #  ls  -­‐Z -­‐rw-­‐-­‐-­‐-­‐-­‐-­‐-­‐.  root  root system_u:object_r:admin_home_t:s0 anaconda-­‐ks.cfg -­‐rw-­‐r-­‐-­‐r-­‐-­‐.  root  root unconfined_u:object_r:admin_home_t:s0 latest.zip -­‐rw-­‐r-­‐-­‐r-­‐-­‐.  root  root unconfined_u:object_r:admin_home_t:s0 number -­‐rw-­‐r-­‐-­‐r-­‐-­‐.  root  root unconfined_u:object_r:admin_home_t:s0 phpmyadmin_4.4.0.zip Identify  :  Role  :  Type :   :  
  • 52.
    • • • • • Fail2ban #  yum install  fail2ban • #  vim  /etc/fail2ban/jail.local • #  systemctl enable  fail2ban  &&  systemctl start  fail2ban
  • 53.
    • #  fail2ban-­‐client  status • # fail2ban-­‐client  status  sshd #  fail2ban-­‐client  status  sshd Status  for  the  jail:  sshd |-­‐ Filter |    |-­‐ Currently  failed:  1 |    |-­‐ Total  failed:          1 |    `-­‐ File  list:                /var/log/secure `-­‐ Actions |-­‐ Currently  banned:  0 |-­‐ Total  banned:          0 `-­‐ Banned  IP  list: