Tuesday, November 30, 2010

Using Linux firewall features to protect against network attacks

Web hosting service providers may be attacked by hackers in the course of business; common attack patterns include SYN floods and DDoS.

Changing the IP address of the attacked site can avoid an attack, but the service interruption is relatively long. A more thorough solution is to install a hardware firewall, but hardware firewalls are expensive. You can instead consider using the firewall features that the Linux system itself provides for protection.

1. Defending against SYN attacks

A SYN attack abuses the TCP/IP three-way handshake: the attacker sends a flood of connection-establishing packets but never actually completes the connections, so the attacked server's connection queue eventually fills up and normal users cannot get access. The Linux kernel provides a number of SYN-related settings; view them with:

    sysctl -a | grep syn

which shows:

    net.ipv4.tcp_max_syn_backlog = 1024
    net.ipv4.tcp_syncookies = 0
    net.ipv4.tcp_synack_retries = 5
    net.ipv4.tcp_syn_retries = 5

tcp_max_syn_backlog is the SYN queue length; tcp_syncookies is the switch that turns on the SYN cookie feature, which can prevent some SYN attacks; tcp_synack_retries and tcp_syn_retries define the number of SYN retries. Increasing the SYN queue length lets the system hold more connections waiting to be established, enabling SYN cookies blocks some SYN attacks, and reducing the number of retries also has some effect. Adjust these settings as follows. Increase the SYN queue length to 2048:

    sysctl -w net.ipv4.tcp_max_syn_backlog=2048

Enable SYN cookies:

    sysctl -w net.ipv4.tcp_syncookies=1

Reduce the number of retries:

    sysctl -w net.ipv4.tcp_synack_retries=3
    sysctl -w net.ipv4.tcp_syn_retries=3

To keep these settings across a system restart, add the commands to the /etc/rc.d/rc.local file.

2. Defending against DDoS

DDoS, distributed denial of service, is an attack in which the hacker organizes many hosts at different sources to send a large number of connections to common ports such as 80 and 25; the clients only open connections and never perform a normal access. Because Apache is generally configured to accept a limited number of connections (usually 256), these "false" accesses occupy Apache and make normal access impossible. Linux provides a firewall tool called ipchains that can block connections from a particular IP address or IP range to a specific port. To use ipchains against DDoS, first find the attack source addresses with the netstat command, then block them with the ipchains command: find them one by one and block them one by one.

* Enabling ipchains

First check whether the ipchains service is set to start automatically:

    chkconfig --list ipchains

Normal output:

    ipchains 0:off 1:off 2:on 3:on 4:on 5:on 6:off

If runlevels 3, 4 and 5 are on, the ipchains service is already set to start automatically; if not, set it with:

    chkconfig --add ipchains

Second, check that the ipchains configuration file /etc/sysconfig/ipchains exists. If this file does not exist, ipchains has no effect even when it is set to start automatically. The default ipchains configuration file reads as follows:

    # Firewall configuration written by lokkit
    # Manual customization of this file is not recommended.
    # Note: ifup-post will punch the current nameservers through the
    #       firewall; such entries will *not* be listed here.
    :input ACCEPT
    :forward ACCEPT
    :output ACCEPT
    -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
    # allow http, ftp, smtp, ssh, domain via tcp; domain via udp
    -A input -p tcp -s 0/0 -d 0/0 pop3 -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 http -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 https -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 ftp -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 smtp -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 ssh -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 domain -y -j ACCEPT
    -A input -p udp -s 0/0 -d 0/0 domain -j ACCEPT
    # deny icmp packet
    #-A input -p icmp -s 0/0 -d 0/0 -j DENY
    # Default rules
    -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
    -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
    -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
    -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
    -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
    -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

If /etc/sysconfig/ipchains does not exist, create it with the contents above. Once it is created, start the ipchains service:

    /etc/init.d/ipchains start

* Finding attack sources with netstat

If the hacker is attacking the web port 80, view the IP address and port of the clients connected to port 80 with:

    netstat -an -t | grep ":80" | awk '{printf "%s %s\n", $5, $6}' | sort

Output:

    161.2.8.9:123 FIN_WAIT2
    161.2.8.9:124 FIN_WAIT2
    61.233.85.253:23656 FIN_WAIT2
    ...

The first column is the client IP address and port, the second column is the connection state. If many connections (more than 50) come from the same IP address, and their ports are consecutive, it is very likely an attack. To view only established connections:

    netstat -an -t | grep ":80" | grep ESTABLISHED | awk '{printf "%s %s\n", $5, $6}' | sort

* Blocking attack sources with ipchains

There are two ways to block with ipchains: add the rule to /etc/sysconfig/ipchains and restart ipchains, or add it directly with the ipchains command. After blocking, you may need to restart the attacked service so that the connections already established are torn down.

Adding to /etc/sysconfig/ipchains: assuming you want to block 218.202.8.151 from reaching port 80, edit the /etc/sysconfig/ipchains file and add the following line after the ":output ACCEPT" line:

    -A input -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT

Save the change and restart ipchains:

    /etc/init.d/ipchains restart

To block the whole 218.202.8 segment, add instead:

    -A input -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT

Using the command line directly: adding to /etc/sysconfig/ipchains and restarting ipchains is slow, and at the moment ipchains restarts some connections may slip through. The most convenient way is to use the ipchains command directly. To block 218.202.8.151 from connecting to port 80:

    ipchains -I input 1 -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT

To block the whole 218.202.8 segment:

    ipchains -I input 1 -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT

Here -I means insert, input is the chain, and 1 means the rule goes in the first position.
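As an added example, not from the original post, the following shell script wraps the netstat-and-count check from the "finding attack sources" step and prints (without executing) the ipchains rule from the blocking step for every source over the post's threshold of 50 connections. The connection list is constructed sample data in the "client_ip:port state" form shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example: per-source connection counting over netstat-style output,
# emitting the ipchains REJECT rule used in the post for each flagged source.

# Constructed sample: 60 consecutive-port connections from one host (the
# pattern the post calls an attack), plus a handful of ordinary clients.
make_sample() {
    awk 'BEGIN {
        for (p = 1024; p < 1084; p++) print "218.202.8.151:" p " SYN_RECV";
        print "161.2.8.9:123 FIN_WAIT2";
        print "161.2.8.9:124 FIN_WAIT2";
        print "61.233.85.253:23656 ESTABLISHED";
    }'
}

# Live input, exactly the netstat pipeline from the post (IPv4 output).
live_conns() {
    netstat -an -t | grep ":80" | awk '{printf "%s %s\n", $5, $6}'
}

# flag_sources LINES THRESHOLD
# Prints "count ip" for every client IP with more than THRESHOLD connections,
# busiest first. The port is split off the first field before counting.
flag_sources() {
    printf '%s\n' "$1" \
      | awk '{ split($1, a, ":"); c[a[1]]++ } END { for (ip in c) print c[ip], ip }' \
      | awk -v t="$2" '$1 > t' \
      | sort -rn
}

# block_rule IP
# Prints the insert-at-position-1 rule from the post; it is printed, not run,
# so an operator can review it before applying it.
block_rule() {
    printf 'ipchains -I input 1 -p tcp -s %s -d 0/0 http -y -j REJECT\n' "$1"
}

# Stand-alone run over the constructed sample with the post's threshold of 50.
flag_sources "$(make_sample)" 50 | while read -r n ip; do
    echo "# $n connections from $ip"
    block_rule "$ip"
done
```

To inspect a live host instead, substitute `"$(live_conns)"` for `"$(make_sample)"`; the rule lines can then be pasted into the /etc/sysconfig/ipchains file (dropping the leading "ipchains") or run directly.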
