EMOS 1.3 post-installation security settings
#1. Change the MySQL root password
mysqladmin -u root -p password postfix
Enter the existing password (empty by default) and press Enter; the root password is now changed.
#2. Change the password of the MySQL extmail user
mysql -u root -ppostfix
use mysql;
SET PASSWORD FOR 'extmail'@'localhost' = PASSWORD('extmailserver');
The connection strings in the following files must be updated to the new password as well:
/etc/postfix/mysql_virtual_alias_maps.cf
/etc/postfix/mysql_virtual_domains_maps.cf
/etc/postfix/mysql_virtual_mailbox_maps.cf
/etc/postfix/mysql_virtual_sender_maps.cf
/var/www/extsuite/extmail/webmail.cf
/var/www/extsuite/extman/webman.cf
/etc/authlib/authmysqlrc
#3. Scheduled mail data backup script (/usr/local/bin/data_backup.sh)
mysql -u root -ppostfix
grant all on *.* to 'backup'@'localhost' identified by 'mailbackup';
flush privileges;
quit;
(mysqldump only needs SELECT and LOCK TABLES on the extmail database; granting all on *.* gives the backup account far more than it requires.)
mkdir -p /var/data_bk/{mysqlbk,mailbk}     # create the backup directories
chmod +x /usr/local/bin/data_backup.sh      # make the script executable
crontab -e
# run the backup every day at 01:00
00 01 * * * /usr/local/bin/data_backup.sh
Script contents:
#!/bin/bash
BackupPath=/var/data_bk
Mysql_bk_dir=$BackupPath/mysqlbk
Mail_bk_dir=$BackupPath/mailbk
LogFile=$BackupPath/backuplog
MailBoxDir=/home/domains
####################################################################
# define mysql variables
####################################################################
NewFile="$Mysql_bk_dir"/postfix$(date +%Y%m%d).tgz
DumpFile="$Mysql_bk_dir"/postfix$(date +%Y%m%d).sql
OldFile="$Mysql_bk_dir"/postfix$(date +%Y%m%d --date='5 days ago').tgz
DbUser=backup
DbPasswd=mailbackup    # must match the password granted to 'backup'@'localhost' above
DbName=extmail
####################################################################
# mysql backup process
####################################################################
echo "-------------------------------------------" >> $LogFile
echo $(date +"%y-%m-%d %H:%M:%S") >> $LogFile
echo "--------------------------" >> $LogFile
# delete the backup from 5 days ago
if [ -f $OldFile ]; then
    rm -f $OldFile >> $LogFile 2>&1
    echo "[$OldFile] Old backup file deleted" >> $LogFile
else
    echo "[$OldFile] No old backup file" >> $LogFile
fi
if [ -f $NewFile ]; then
    echo "[$NewFile] Backup file already exists, not backing up again!" >> $LogFile
else
    cd $Mysql_bk_dir
    # note: -p<password> on the command line is visible to every user in ps;
    # a --defaults-extra-file or ~/.my.cnf keeps it out of the process list
    /usr/local/mysql/bin/mysqldump -u $DbUser -p$DbPasswd --opt $DbName > $DumpFile
    tar czf $NewFile postfix$(date +%Y%m%d).sql >> $LogFile 2>&1
    echo "[$NewFile] Backup success!" >> $LogFile
    rm -f $DumpFile
fi
######################################################################
# backup the mail users' directories and files
######################################################################
MailFileBk=$Mail_bk_dir/mail$(date +%Y%m%d).tgz
OldMailFileBk=$Mail_bk_dir/mail$(date +%Y%m%d --date='14 days ago').tgz
# delete the mail backup from 14 days ago
if [ -f $OldMailFileBk ]; then
    rm -f $OldMailFileBk
fi
if [ -f $MailFileBk ]; then
    echo "[$MailFileBk] Backup file already exists, not backing up again!" >> $LogFile
else
    cd /home
    tar czf $MailFileBk domains >> $LogFile 2>&1
fi
echo "-------------------------------------------" >> $LogFile
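The backup script above never checks whether mysqldump succeeded or whether the archive it wrote is readable. The following check is an added example, not part of the original post; it assumes the file naming used by that script (postfix<YYYYMMDD>.tgz containing postfix<YYYYMMDD>.sql) and GNU tar.

```shell
#!/bin/bash
# Added example (not from the original page): verify a daily archive written by
# data_backup.sh before relying on it. It assumes the naming scheme used above,
# postfix<YYYYMMDD>.tgz containing postfix<YYYYMMDD>.sql, and GNU tar.

# verify_db_backup <backup_dir> <YYYYMMDD>
# Exit status: 0 = archive is sound, 1 = missing or empty, 2 = archive cannot
# be read, 3 = the SQL dump member is absent, 4 = the member is not mysqldump output.
verify_db_backup() {
    local dir=$1 day=$2 archive member list
    archive="$dir/postfix$day.tgz"
    member="postfix$day.sql"

    # 1. the archive must exist and be non-empty
    [ -s "$archive" ] || { echo "missing or empty: $archive" >&2; return 1; }

    # 2. the gzip/tar container must be intact
    list=$(tar -tzf "$archive" 2>/dev/null) \
        || { echo "unreadable archive: $archive" >&2; return 2; }

    # 3. it must contain the expected dump member
    echo "$list" | grep -qx "$member" \
        || { echo "$member not found in $archive" >&2; return 3; }

    # 4. the dump must begin with the mysqldump header; this is what catches a
    #    failed mysqldump, whose empty .sql the script above archives unchecked
    tar -xzOf "$archive" "$member" 2>/dev/null | head -n 1 \
        | grep -q '^-- MySQL dump' \
        || { echo "$member is not a mysqldump file" >&2; return 4; }

    echo "OK: $archive"
}
```

Run it from cron a few minutes after the backup, e.g. `verify_db_backup /var/data_bk/mysqlbk $(date +%Y%m%d) >> /var/data_bk/backuplog 2>&1`, so a silent dump failure shows up in the same log.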
#4. Kernel tuning script (/usr/local/bin/kernel_optimize)
chmod +x /usr/local/bin/kernel_optimize                  # make the script executable
echo "/usr/local/bin/kernel_optimize" >> /etc/rc.local   # run at boot
Script contents:
#!/bin/bash
# kernel network hardening, created 2008-10-07
# ignore ICMP echo requests sent to broadcast addresses (smurf protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ignore all ICMP echo requests; note that the host then no longer answers
# ping even though the firewall script below accepts ICMP
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# disable source routed packets (commented out here, so the kernel default stays in effect)
#for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
#    echo 0 > $f
#done
# enable TCP SYN cookies (SYN flood protection)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# disable ICMP redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
# don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done
# drop spoofed packets (reverse path filtering)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done
# log packets with impossible addresses (martians)
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done
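Values written to /proc/sys do not survive a reboot, so it is worth confirming after boot that the settings the script above writes are really in effect. The audit below is an added example, not part of the original post; the proc root is a parameter so it can be pointed at a test tree, and on a live host it is called with /proc/sys.

```shell
#!/bin/bash
# Added example, not from the original page: audit that the values the
# kernel_optimize script writes are in effect. The proc root is a parameter so
# the check can be pointed at a test tree; on a live host pass /proc/sys.

# audit_ipv4_hardening <proc_sys_root>
# Prints one line per deviation; returns the number of deviations (0 = clean).
audit_ipv4_hardening() {
    local root=$1 bad=0 kv key want got f
    # global keys the script sets, as key=expected
    for kv in net/ipv4/icmp_echo_ignore_broadcasts=1 \
              net/ipv4/icmp_echo_ignore_all=1 \
              net/ipv4/tcp_syncookies=1; do
        key=${kv%=*}; want=${kv#*=}
        got=$(cat "$root/$key" 2>/dev/null)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want $want, got ${got:-<absent>}"
            bad=$((bad + 1))
        fi
    done
    # per-interface keys, checked under every conf/* entry just as the script writes them
    for kv in accept_redirects=0 send_redirects=0 rp_filter=1 log_martians=1; do
        key=${kv%=*}; want=${kv#*=}
        for f in "$root"/net/ipv4/conf/*/"$key"; do
            [ -e "$f" ] || continue      # the glob matched nothing
            got=$(cat "$f")
            if [ "$got" != "$want" ]; then
                echo "MISMATCH ${f#"$root"/}: want $want, got $got"
                bad=$((bad + 1))
            fi
        done
    done
    return $bad
}
```

Calling `audit_ipv4_hardening /proc/sys` from a monitoring job and alerting on a non-zero exit status catches the case where rc.local did not run or a later sysctl change undid the hardening.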
#5. Firewall script (/usr/local/bin/firewall)
chmod +x /usr/local/bin/firewall                  # make the script executable
echo "/usr/local/bin/firewall" >> /etc/rc.local   # run at boot
Script contents:
#!/bin/bash
# a basic host firewall, created 2008-10-07
# define some variables
IPT=/sbin/iptables
CONNECTION_TRACKING="1"
INTERNET="eth0"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
IPADDR="220.94.58.245"
LOOPBACK_INTERFACE="lo"
# remove any existing rules
$IPT -F
$IPT -X
# set the default firewall policy
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD DROP
$IPT -P INPUT DROP
# stop the firewall: the default policies must be opened again here, otherwise
# the flushed chains with INPUT policy DROP would lock every connection out
if [ "$1" = "stop" ]; then
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    echo "Firewall completely stopped! No firewall running!"
    exit 0
fi
# loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# stealth scans and invalid TCP flag combinations
# all of the bits are cleared
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# use connection state to bypass per-rule checking for established traffic
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A OUTPUT -m state --state INVALID -j DROP
fi
##################################################################
# source address spoofing and other bad addresses
# refuse spoofed packets pretending to be from the external interface's IP address
$IPT -A INPUT -i $INTERNET -s $IPADDR -j DROP
# refuse packets claiming to be from a Class A private network
$IPT -A INPUT -i $INTERNET -s $CLASS_A -j DROP
# refuse packets claiming to be from a Class B private network
$IPT -A INPUT -i $INTERNET -s $CLASS_B -j DROP
# refuse packets claiming to be from a Class C private network
$IPT -A INPUT -i $INTERNET -s $CLASS_C -j DROP
# refuse packets from other reserved ranges ("this" network, link-local, TEST-NET)
$IPT -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
###################################################################
# access rules
# ssh
$IPT -A INPUT -i $INTERNET -p tcp --dport 22 -j ACCEPT
# smtp
$IPT -A INPUT -i $INTERNET -p tcp --dport 25 -j ACCEPT
# http (webmail)
$IPT -A INPUT -i $INTERNET -p tcp --dport 80 -j ACCEPT
# pop3 and imap
$IPT -A INPUT -i $INTERNET -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp --dport 143 -j ACCEPT
# mysql: local clients connect over lo, which is already accepted above; a packet
# with source 127.0.0.1 arriving on eth0 is spoofed, so this rule matches no legitimate traffic
$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
# amavisd content filter (10024) and Postfix re-injection (10025): in EMOS these
# are loopback-only services, so they do not need to be opened on eth0
$IPT -A INPUT -i $INTERNET -p tcp --dport 10024 -j ACCEPT
$IPT -A INPUT -i $INTERNET -p tcp --dport 10025 -j ACCEPT
# https
$IPT -A INPUT -i $INTERNET -p tcp --dport 443 -j ACCEPT
# icmp
$IPT -A INPUT -i $INTERNET -p icmp -j ACCEPT
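A firewall allow-list is only half the picture: what matters is which daemons are actually bound to the public address behind it. The check below is an added example, not part of the original post; it assumes the ports the script above opens on eth0 and treats MySQL, amavisd and the Postfix re-injection port as loopback-only services, as they are in a stock EMOS install.

```shell
#!/bin/bash
# Added example, not part of the original page: compare the host's listening
# sockets with what the firewall script above opens on eth0. ALLOWED holds the
# ports that script accepts from the Internet; LOCAL_ONLY holds ports an EMOS
# host only needs on loopback (MySQL, amavisd, Postfix re-injection).
ALLOWED="22 25 80 110 143 443 10024 10025"
LOCAL_ONLY="3306 10024 10025"

# in_list <item> <space-separated list>
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# check_exposure: reads "addr:port" lines on stdin, one per listener, as
# printed in column 4 of `netstat -tln` (or `ss -tln`).
# Prints one verdict per listener; returns the number of findings, i.e.
# loopback-only services that are bound to a public address.
check_exposure() {
    local line addr port findings=0
    while read -r line; do
        [ -n "$line" ] || continue
        port=${line##*:}
        addr=${line%:*}
        case "$addr" in
            127.*|::1)
                echo "OK      $line (loopback only)"
                continue ;;
        esac
        if in_list "$port" "$LOCAL_ONLY"; then
            echo "FINDING $line is a loopback-only service bound to a public address"
            findings=$((findings + 1))
        elif in_list "$port" "$ALLOWED"; then
            echo "OK      $line (opened by the firewall)"
        else
            echo "INFO    $line is not opened by the firewall (dropped by the INPUT policy)"
        fi
    done
    return $findings
}
```

On the mail host it is fed with `netstat -tln | awk 'NR>2 {print $4}' | check_exposure`; a FINDING for 10024 or 10025 means the service would be reachable from the Internet through the ACCEPT rules above.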
#6. Access control for the extman admin backend
vi /etc/httpd/conf/vhost_extmail.conf
Alias /extmail /var/www/extsuite/extmail/html/
<Directory "/var/www/extsuite/extman/html">
    AuthType Basic
    Options None
    AllowOverride None
    Order allow,deny
    Allow from 192.168.1.3
    AuthName "Mail Server Manager"
    AuthUserFile /etc/httpd/conf/htpasswd
    Require valid-user
</Directory>
With Apache's default Satisfy all, a request must both come from 192.168.1.3 and present valid credentials. The user file is created with htpasswd (e.g. htpasswd -c /etc/httpd/conf/htpasswd admin). Then restart Apache:
killall httpd
/etc/rc.d/init.d/httpd start
Reposted from: https://blog.51cto.com/kerry/104364