开启防火墙
sudo systemctl start firewalld.service
sudo systemctl enable firewalld.service
创建脚本路径
mkdir -p /usr/local/feng/firewalld
设置icmp拦截
写入文档
cat << 'EOF' | sudo tee /usr/local/feng/firewalld/icmp.rule
#!/bin/bash
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
# 设置icmp拦截
AICMP="destination-unreachable echo-request echo-reply parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded"
for tyicmp in $AICMP
do
firewall-cmd --permanent --add-icmp-block=${tyicmp}
done
firewall-cmd --reload
EOF
# 然后执行
bash /usr/local/feng/firewalld/icmp.rule
防止暴力破解
cat << 'EOF' | sudo tee /usr/local/feng/firewalld/firewall.deny
tail /var/log/secure -n 10000 |awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"="$1;}' | sort -g -t '=' -k2 > /tmp/black.txt #尝试登录的次数和ip
DEFINE="3" #单个ip尝试登录最大值
for i in `cat /tmp/black.txt`
do
IP=`echo $i |awk -F= '{print $1}'`
NUM=`echo $i|awk -F= '{print $2}'`
if [ $NUM -gt $DEFINE ]; then
grep $IP /etc/hosts.deny > /dev/null
if [ $? -gt 0 ]; then
firewall-cmd --zone=drop --permanent --add-source=$IP
fi
fi
done
firewall-cmd --reload
EOF
# 然后执行
bash /usr/local/feng/firewalld/firewall.deny
配置自动添加ip拦截
echo "30 * * * * root bash /usr/local/feng/firewalld/firewall.deny" | sudo tee -a /etc/crontab