Linux漏洞修复:禁用外来的ICMP timestamp和禁止Traceroute探测

1、安装iptables服务

下载安装包,下载地址 http://mirrors.163.com/centos/7/os/x86_64/Packages/
然后使用 rpm 命令安装
sudo rpm -Uvh iptables-1.4.21-24.el7.x86_64.rpm
sudo rpm -Uvh iptables-services-1.4.21-24.el7.x86_64.rpm

2、重启iptables服务
sudo service iptables restart

3、直接在终端命令行输入如下命令,禁用外来的ICMP timestamp和禁止Traceroute探测
sudo iptables -A INPUT -p ICMP –icmp-type timestamp-request -j DROP
sudo iptables -A INPUT -p ICMP –icmp-type timestamp-reply -j DROP
sudo iptables -A INPUT -p ICMP –icmp-type time-exceeded -j DROP
sudo iptables -A OUTPUT -p ICMP –icmp-type time-exceeded -j DROP

4、执行命令对修改过的规则进行保存,使其永久生效
sudo service iptables save

5、检查新添加的规则是否生效
sudo iptables -L -n

生效的话会显示添加下面几条规则,13,14是ICMP timestamp 请求响应漏洞的规则,11是解决允许Traceroute探测的
DROP icmp — 0.0.0.0/0 0.0.0.0/0 icmp type 13
DROP icmp — 0.0.0.0/0 0.0.0.0/0 icmp type 14
DROP icmp — 0.0.0.0/0 0.0.0.0/0 icmp type 11
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp — 0.0.0.0/0 0.0.0.0/0 icmp type 11

备注:
修改过的规则保存在/etc/sysconfig/iptables文件下

Generated by iptables-save v1.4.21 on Wed Jan 26 16:31:39 2022

*filter
:INPUT ACCEPT [76:7013]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35:5448]
-A INPUT -p icmp -m icmp –icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp –icmp-type 14 -j DROP
-A INPUT -p icmp -m icmp –icmp-type 11 -j DROP
-A OUTPUT -p icmp -m icmp –icmp-type 11 -j DROP
COMMIT

Completed on Wed Jan 26 16:31:39 2022

Original: https://www.cnblogs.com/nanqiang/p/15847573.html
Author: cicero
Title: Linux漏洞修复:禁用外来的ICMP timestamp和禁止Traceroute探测

原创文章受到原创版权保护。转载请注明出处:https://www.johngo689.com/10334/

转载文章受原作者版权保护。转载请注明原作者出处!

(0)

大家都在看

发表回复

登录后才能评论
免费咨询
免费咨询
扫码关注
扫码关注
联系站长

站长Johngo!

大数据和算法重度研究者!

持续产出大数据、算法、LeetCode干货,以及业界好资源!

2022012703491714

微信来撩,免费咨询:xiaozhu_tec

分享本页
返回顶部