Linux安全优化

iptables
iptables -A INPUT -p all -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p icmp --icmp-type 0 -m length --length :100 -m limit --limit 6/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m length --length :100 -m limit --limit 6/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -m length --length :100 -m limit --limit 6/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --syn -m state --state NEW --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -m state --state NEW --dport 1433 -j ACCEPT
iptables -A INPUT -p tcp --syn -m state --state NEW --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --syn -m state --state NEW --dport 5022 -j ACCEPT
iptables -A INPUT -p udp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 80,1433,3389,5022 -j DROP

netfilter
net.ipv4.tcp_fastopen = 1
net.ipv4.tcp_thin_linear_timeouts= 0
net.ipv4.tcp_thin_dupack= 0
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 655360
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 1