最近我的主机提供商给我发了一封关于我的服务器的某种攻击的信。 我没有进入安全,所以我find了一些教程,并closures所有未使用的端口与iptables。
这是我的iptables列表:
Chain INPUT (policy DROP) target prot opt source destination DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:www ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s ACCEPT tcp -- anywhere anywhere tcp dpt:imap2 ACCEPT tcp -- anywhere anywhere tcp dpt:imaps ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:ftp Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:www state NEW ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW ACCEPT tcp -- anywhere anywhere tcp spt:www ACCEPT tcp -- anywhere anywhere tcp spt:https ACCEPT tcp -- anywhere anywhere tcp spt:smtp ACCEPT tcp -- anywhere anywhere tcp spt:ssmtp ACCEPT tcp -- anywhere anywhere tcp spt:pop3 ACCEPT tcp -- anywhere anywhere tcp spt:pop3s ACCEPT tcp -- anywhere anywhere tcp spt:imap2 ACCEPT tcp -- anywhere anywhere tcp spt:imaps ACCEPT tcp -- anywhere anywhere tcp spt:ssh ACCEPT tcp -- anywhere anywhere tcp spt:ftp 由于某种原因,攻击已经停止,但是我不能再发送邮件了。
-P OUTPUT ACCEPT的作品,但它不是我的select。
需要帮助尽快。 谢谢
ACCEPT出站邮件连接时,您需要为dpt:smtp 。 出站邮件连接的源端口是随机的,它不是smtp端口。
但是,更重要的是,您需要弄清楚是什么导致了攻击,如果您的系统受到了攻击,则需要重新安装,以确保入侵者无法获得妥协。