Network protection of CentOS7 system
1. Linux run level
The combination of functions/resources that the system provides while running; different levels provide different services.
Main operating levels (systemd targets):
- rescue.target // rescue mode, used when the system needs to be repaired
- multi-user.target // multi-user mode, no desktop
- graphical.target // graphical mode
1) Check the number of tasks
- Find out the process and ID information of a certain name: pgrep -l keyword
[root@centos7 ~]# pgrep -l httpd //list tasks whose process name contains httpd
114655 httpd
114657 httpd
114658 httpd //httpd starts multiple processes
114659 httpd
114660 httpd
114661 httpd
[root@centos7 ~]#
- Count the number of all processes in the current system
[root@centos7 ~]# pgrep -c . //option -c counts matches, '.' matches any character
238
[root@centos7 ~]#
2) Switch levels to save system resources
In most cases a server does not need to run in graphical mode.
- Switching to multi-user mode alone reduces basic resource consumption by 30%~40%
Switch format: systemctl isolate <target>
systemctl isolate multi-user.target //switch to multi-user mode
systemctl isolate graphical.target //switch to graphical mode
systemctl get-default //show the default level
systemctl set-default multi-user.target //set the default run level
Execute the switch operation and change to multi-user mode to run:
[root@centos7 ~]# systemctl isolate multi-user.target
[root@centos7 ~]#
After the switch is complete, log in to the system again as the root user (if you log in remotely through SSH, you generally do not need to log in again), and check the number of currently running tasks again (it will be greatly reduced):
[root@centos7 ~]# pgrep -c .
160
[root@centos7 ~]#
3) Set the default run level of the virtual machine to multi-user mode
[root@centos7 ~]# systemctl isolate multi-user.target //switch the run level to multi-user; does not affect the default level
[root@centos7 ~]# systemctl get-default //check the current default level
graphical.target //the default level is still graphical mode
[root@centos7 ~]#
[root@centos7 ~]# systemctl set-default multi-user.target //set the default level to multi-user mode
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
[root@centos7 ~]#
[root@centos7 ~]# systemctl get-default //check the default level again
multi-user.target //the default level has now been changed to multi-user mode
[root@centos7 ~]#
2. SELinux protection
Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism that originated with the US National Security Agency (NSA). It mainly provides policy-based protection for files, processes and so on in the Linux system:
- users are assigned only the "required" minimum privileges
- processes can only access the "needed" resources
- network services can only open the "needed" ports
2.1 Three operating states of SELinux
- Enforcing (enforced: protection is strictly applied according to the policy model)
- Permissive (loose: violations are logged but not blocked)
- Disabled (the kernel does not load SELinux)
2.2 Check the current SELinux running status
[root@centos7 ~]# getenforce
Enforcing
[root@centos7 ~]#
2.3 Switch between enforcing and permissive mode (temporary: the change is lost after a restart)
[root@centos7 ~]# setenforce 0 //switch to permissive mode
[root@centos7 ~]# getenforce //confirm the result
Permissive
[root@centos7 ~]# setenforce 1 //switch to enforcing mode
[root@centos7 ~]# getenforce //confirm the result
Enforcing
2.4 Permanently configure SELinux running status
[root@centos7 ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive   # this line decides the SELinux state after each boot
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
3. SELinux protects the web directory
1) First create the webpage directory and file /webdir1/index.html, the content is sss666
[root@centos7 ~]# mkdir /webdir1
[root@centos7 ~]# vim /webdir1/index.html
<h1>sss666</h1>
[root@centos7 ~]# ls -dZ /webdir1/ //check the directory's SELinux context
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /webdir1/
[root@centos7 ~]#
2) Then mv the /webdir1 directory to the /var/www/html/ directory
[root@centos7 ~]# mv /webdir1/ /var/www/html/
[root@centos7 ~]# ls -dZ /var/www/html/webdir1/ //check the SELinux context of /var/www/html/webdir1/ again
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /var/www/html/webdir1/
[root@centos7 ~]#
Note: a directory created directly under /var/www/html/ inherits the SELinux context of the web directory /var/www/html by default; a directory moved in with mv from elsewhere keeps its old context, which is not changed automatically.
3) Make sure you can access http://virtual machine IP address/webdir1/
If you access the newly deployed /var/www/html/webdir1 directory from a browser, access is denied.
This is because the SELinux security mechanism prevents httpd from accessing the directory /var/www/html/webdir1/, while access to the original http://virtual machine IP address/ is unaffected.
To allow access to the moved-in directory /var/www/html/webdir1/, either disable the SELinux mechanism or adjust the SELinux security context of this directory.
①: Disable the SELinux mechanism (switch to permissive mode)
[root@centos7 ~]# getenforce
Enforcing
[root@centos7 ~]# setenforce 0
[root@centos7 ~]# getenforce
Permissive
[root@centos7 ~]#
Access now succeeds.
②: Adjust the SELinux security attributes of this directory
[root@centos7 ~]# setenforce 1 //first switch SELinux back to enforcing
[root@centos7 ~]# getenforce
Enforcing
[root@centos7 ~]#
[root@centos7 ~]# chcon -R /var/www/html/webdir1/ --reference=/var/www //change the SELinux context using the template directory as reference
[root@centos7 ~]#
[root@centos7 ~]# ls -dZ /var/www/html/webdir1/ //confirm the change
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/webdir1/
[root@centos7 ~]#
Visiting again now succeeds.
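The following shell script is an added example and is not part of the original page. It parses ls -dZ output in the format shown above, decides whether a directory carries a type that httpd may read, and prints a repair command. It uses restorecon instead of the chcon used above: restorecon relabels from the policy's own file-context rules for /var/www, so the label also survives a future system relabel, which a chcon label does not. The two sample lines are constructed from the page's own output; check_web_dir is the live version for a real host.

```shell
#!/bin/sh
# Added example (not from the original page): check the SELinux type of a web
# directory and print the command that would repair it.
# Constructed sample lines in the `ls -dZ` format shown on the page.
SAMPLE_MOVED='drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /var/www/html/webdir1/'
SAMPLE_OK='drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/'

# selinux_type LINE -> the type field (third colon-separated part of the context)
selinux_type() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# web_dir_status LINE -> "ok" if httpd is allowed to read the directory, "fix" otherwise
web_dir_status() {
    case "$(selinux_type "$1")" in
        httpd_sys_content_t|httpd_sys_rw_content_t) echo ok ;;
        *) echo fix ;;
    esac
}

# fix_command DIR -> the repair command. restorecon applies the policy's file-context
# rule for /var/www (httpd_sys_content_t), so the label persists across a relabel,
# unlike a label set with chcon.
fix_command() {
    echo "restorecon -Rv $1"
}

# check_web_dir DIR -> live check on a real host (not used by the offline test)
check_web_dir() {
    line=$(ls -dZ "$1")
    if [ "$(web_dir_status "$line")" = ok ]; then
        echo "$1: context ok"
    else
        echo "$1: wrong context, run: $(fix_command "$1")"
    fi
}
# usage on a real host: check_web_dir /var/www/html/webdir1
```

The status check also accepts httpd_sys_rw_content_t, the type used for directories httpd must write to; any other type, including the default_t the moved directory carries, is reported as needing a fix.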
4. SELinux protects web ports
1) Configure the httpd service to listen on port 82
Add a configuration file to enable the httpd service to listen on port 82:
[root@centos7 ~]# vim /etc/httpd/conf.d/port82.conf
Listen 82
[root@centos7 ~]# httpd -t //check the syntax; confirm there are no errors
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::f17c:c729:6d95:d760. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@centos7 ~]#
When trying to restart the httpd service, it will prompt failure:
[root@centos7 ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@centos7 ~]#
This is because SELinux only allows Web services to use a few ports such as 80 and 81 by default, which can be viewed by the following command:
[root@centos7 ~]# semanage port -l | grep http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
[root@centos7 ~]#
2) Make sure you can access http://virtual machine IP address:82/
To solve the problem of the web port restriction, either disable the SELinux mechanism, or adjust the SELinux port protection policy and add the port you want to open. For the latter, refer to the following operations.
Following the hint given when the httpd restart failed, execute the journalctl -xe command:
[root@centos7 ~]# journalctl -xe
......
***** Plugin bind_ports (99.5 confidence) suggests ************************
If you want to allow /usr/sbin/httpd to bind to network port 82
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 82
where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, j
[root@centos7 ~]#
Following the hint above, perform the following operations:
[root@centos7 ~]# semanage port -a -t http_port_t -p tcp 82 //allow the web site to use port 82
[root@centos7 ~]# semanage port -l | grep http_port_t //confirm the setting
http_port_t tcp 82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
[root@centos7 ~]#
Then restart the httpd service again; it now works normally.
[root@centos7 ~]# systemctl restart httpd
[root@centos7 ~]#
Visit http://virtual machine IP address:82/ from the browser; it can now be accessed successfully.
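The following shell script is an added example, not from the original page. It parses the output of semanage port -l (the sample below is constructed: it copies the http_port_t and pegasus_http_port_t lines shown above and adds http_cache_port_t lines in the same format) and decides which semanage command a port needs: none if it is already http_port_t, -a if no type owns it, and -m if the policy already assigns it to another type, because semanage port -a fails with "already defined" in that case. apply_http_port runs the live check on a real host.

```shell
#!/bin/sh
# Added example (not from the original page): work out the semanage command needed
# to let httpd bind a TCP port, from the output of `semanage port -l`.
# Constructed sample in the format printed on the page.
SAMPLE_SEMANAGE_OUTPUT='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988'

# port_owner PORT OUTPUT -> prints the SELinux type that owns tcp/PORT, or nothing.
# Handles both single ports ("8080,") and ranges ("10001-10010").
port_owner() {
    port="$1"; out="$2"
    printf '%s\n' "$out" | awk -v p="$port" '
        $2 == "tcp" {
            type = $1
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v ~ /-/) {
                    split(v, r, "-")
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) { print type; exit }
                } else if (v + 0 == p + 0) { print type; exit }
            }
        }'
}

# http_port_action PORT OUTPUT -> the semanage command still needed, or "none"
http_port_action() {
    owner=$(port_owner "$1" "$2")
    case "$owner" in
        http_port_t) echo "none" ;;                                      # already allowed
        "")          echo "semanage port -a -t http_port_t -p tcp $1" ;; # unassigned: add
        *)           echo "semanage port -m -t http_port_t -p tcp $1" ;; # owned by another type: modify
    esac
}

# apply_http_port PORT -> live version, run as root (not exercised by the offline test)
apply_http_port() {
    action=$(http_port_action "$1" "$(semanage port -l)")
    [ "$action" = "none" ] && { echo "tcp/$1 is already http_port_t"; return 0; }
    echo "running: $action"
    $action
}
# usage on a real host: apply_http_port 82
```

With the sample data, port 82 gets the -a command used on the page, while 8080 (owned by http_cache_port_t in the stock policy) would need -m instead.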
5. Firewalld network protection
1) Enable the firewall
2) Open the firewall-config configuration tool
You need to switch to graphical mode and log in as root.
[root@centos7 ~]# firewall-config
......
This opens the graphical firewall configuration tool (figure: firewall-config window).
3) Confirm that the default security zone is public
As shown in the figure above, if it has not been modified, the default security zone should be public (shown in bold in the zone list).
If not, change it through the menu "Options" - "Change Default Zone" and select public.
4) Set the policy to allow access to the http service
Select "Permanent" in "Configuration", select "public" in "Zone", and check "http" in "Services".
5) Set the policy to allow access to the tcp/82 port of this machine
Select "Permanent" in "Configuration", select "public" in "Zone", click "Add" in "Ports", and fill in the pop-up window as prompted.
6) Reload the firewall
7) Verify the effect of firewall protection
When the firewall allows it, the web site can be accessed normally
Visit http://virtual machine IP address/ from another host on the same network (be careful not to test from the web server itself, because local access does not pass through the firewall; here I use the browser of the physical machine); the site can be accessed successfully.
8) If "http" is not opened, the default public security zone denies access to the web site
Adjust the firewall policy, uncheck "http", and reload the firewall.
Accessing http://virtual machine IP address/ from other hosts again is now refused.
9) After the firewall service is stopped (no protection), the web service can also be accessed normally
If the firewalld service is stopped:
[root@centos7 ~]# systemctl stop firewalld.service
[root@centos7 ~]#
The web service of this host can also be accessed normally from other hosts.
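The same policy can be applied from the command line with firewall-cmd instead of the graphical tool. The following shell script is an added example, not from the original page: it reads the output of firewall-cmd --zone=public --list-all (the sample below is constructed in the CentOS 7 firewalld format; the interface name ens33 is an assumption), reports which of the two permanent rules from steps 4) and 5) (the http service and port 82/tcp) are still missing, and apply_web_policy adds them and reloads on a real host.

```shell
#!/bin/sh
# Added example (not from the original page): check and apply the public-zone
# policy from the page (http service + 82/tcp) with firewall-cmd.
# Constructed sample of `firewall-cmd --zone=public --list-all`; ens33 is assumed.
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field OUTPUT NAME -> the value after "NAME:" (e.g. the services or ports list)
zone_field() {
    printf '%s\n' "$1" | awk -v n="$2:" '$1 == n { $1 = ""; sub(/^ +/, ""); print }'
}

# zone_allows OUTPUT KIND ITEM -> "yes" or "no"; KIND is services or ports
zone_allows() {
    for item in $(zone_field "$1" "$2"); do
        [ "$item" = "$3" ] && { echo yes; return 0; }
    done
    echo no
}

# needed_changes OUTPUT -> the permanent firewall-cmd commands still needed, one per line
needed_changes() {
    [ "$(zone_allows "$1" services http)" = yes ] || echo "firewall-cmd --permanent --zone=public --add-service=http"
    [ "$(zone_allows "$1" ports 82/tcp)" = yes ] || echo "firewall-cmd --permanent --zone=public --add-port=82/tcp"
}

# apply_web_policy -> live version, run as root on the web server (not exercised by the offline test)
apply_web_policy() {
    changes=$(needed_changes "$(firewall-cmd --zone=public --list-all)")
    [ -n "$changes" ] || { echo "public zone already allows http and 82/tcp"; return 0; }
    printf '%s\n' "$changes" | while read -r cmd; do echo "running: $cmd"; $cmd; done
    firewall-cmd --reload   # permanent rules only take effect after a reload (step 6 on the page)
}
# usage on a real host: apply_web_policy
```

The check reads the runtime zone, so after a reload it also confirms that the permanent rules actually took effect; removing the http service again, as in step 8), makes needed_changes report it as missing.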