Use Linux firewall features to protect against network attacks

A web hosting service provider may be attacked by hackers in the course of business; common attack patterns include DDoS, SYN floods and so on.
By changing the IP address of the attacked site you may avoid the attack, but the service interruption is relatively long. A more thorough solution is to install a hardware firewall, but hardware firewalls are expensive. You can consider using the firewall features the Linux system itself provides to protect against attacks.

1. Resisting SYN attacks

A SYN attack exploits the TCP/IP three-way handshake: the attacker floods the network with connection-establishment packets but never actually completes the connections, so eventually the attacked server's network queue fills up and normal users cannot get access. The Linux kernel provides a number of SYN-related settings; use the command:

    sysctl -a | grep syn

to see them:

    net.ipv4.tcp_max_syn_backlog = 1024
    net.ipv4.tcp_syncookies = 0
    net.ipv4.tcp_synack_retries = 5
    net.ipv4.tcp_syn_retries = 5

tcp_max_syn_backlog is the SYN queue length; tcp_syncookies is the switch that turns on the SYN cookie feature, which can prevent some SYN attacks; tcp_synack_retries and tcp_syn_retries define the number of SYN retries. Increasing the SYN queue length accommodates more connections waiting to be established, turning on SYN cookies can block some SYN attacks, and reducing the number of retries also has some effect. Adjust these settings as follows. Increase the SYN queue length to 2048:

    sysctl -w net.ipv4.tcp_max_syn_backlog=2048

Turn on the SYN cookie feature:

    sysctl -w net.ipv4.tcp_syncookies=1

Reduce the number of retries:

    sysctl -w net.ipv4.tcp_synack_retries=3
    sysctl -w net.ipv4.tcp_syn_retries=3

To keep these settings across system restarts, add the commands to the /etc/rc.d/rc.local file.

2. Protecting against DDoS

In a DDoS (distributed denial of service) attack, the attacker organises many hosts from different sources to send a large number of connections to common ports such as 80 and 25, but the clients only connect and never perform normal access.
Because Apache is generally configured to accept a limited number of connections (usually 256), these "false" accesses occupy Apache and make normal access impossible. Linux provides a firewall tool called ipchains, which can block connections from a particular IP or IP segment to a specific port. To use ipchains against DDoS, first find the attack source address with the netstat command, then block it with an ipchains command.

* Enabling ipchains

First check whether the ipchains service is set to start automatically:

    chkconfig --list ipchains

The normal output is:

    ipchains 0:off 1:off 2:on 3:on 4:on 5:on 6:off

If 3, 4 and 5 are "on", the ipchains service is already set to start automatically. If not, you can set it with:

    chkconfig --add ipchains

Second, check that the ipchains configuration file /etc/sysconfig/ipchains exists. If this file does not exist, ipchains will not take effect even if it is set to start automatically. The default ipchains configuration file reads as follows:

    # Firewall configuration written by lokkit
    # Manual customization of this file is not recommended.
    # Note: ifup-post will punch the current nameservers through the
    #       firewall; such entries will *not* be listed here.
    :input ACCEPT
    :forward ACCEPT
    :output ACCEPT
    -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
    # allow http, ftp, smtp, ssh, domain via tcp; domain via udp
    -A input -p tcp -s 0/0 -d 0/0 pop3 -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 http -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 https -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 ftp -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 smtp -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 ssh -y -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 domain -y -j ACCEPT
    -A input -p udp -s 0/0 -d 0/0 domain -j ACCEPT
    # deny icmp packet
    #-A input -p icmp -s 0/0 -d 0/0 -j DENY
    # default rules
    -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
    -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
    -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
    -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
    -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
    -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

If /etc/sysconfig/ipchains does not exist, you can create it with the above content. Once created, start the ipchains service:

    /etc/init.d/ipchains start

* Using netstat to find attack sources

If the hacker is attacking the web port 80, view the client IPs and ports connected to port 80 with the following command:

    netstat -an -t tcp | grep ":80" | awk '{printf "%s %s\n", $5, $6}' | sort

Output:

    161.2.8.9:123 FIN_WAIT2
    161.2.8.9:124 FIN_WAIT2
    61.233.85.253:23656 FIN_WAIT2
    ...

The first column is the client IP and port, the second column is the connection state. If many connections (more than 50) come from the same IP and their ports are consecutive, it may well be an attack. If you only want to view established connections, use:

    netstat -an -t tcp | grep ":80" | grep ESTABLISHED | awk '{printf "%s %s\n", $5, $6}' | sort

* Blocking attack sources with ipchains

There are two ways to block attacks with ipchains. One is to add rules to /etc/sysconfig/ipchains and then restart ipchains. The other is to add them directly with the ipchains command.
After blocking, you may need to restart the attacked service so that already-established connections are terminated.

* Adding the attack source to /etc/sysconfig/ipchains

Suppose you want to block 218.202.8.151 from connecting to port 80. Edit /etc/sysconfig/ipchains and add the following line after the ":output ACCEPT" line:

    -A input -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT

Save the changes and restart ipchains:

    /etc/init.d/ipchains restart

If you want to block the entire 218.202.8 segment, add:

    -A input -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT

* Using the command line directly

Adding a rule to /etc/sysconfig/ipchains and restarting ipchains is slow, and at the moment ipchains restarts some connections might slip through. The most convenient way is to use the ipchains command directly. Suppose you want to block connections from 218.202.8.151 to port 80:

    ipchains -I input 1 -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT

If you want to block the entire 218.202.8 segment:

    ipchains -I input 1 -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT

Here -I means insert, input is the rule chain, and 1 means the first position. You can write a shell script to make this easier:

    vi blockit

with the following content:

    #!/bin/sh
    if [ ! -z "$1" ]; then
        echo "Blocking: $1"
        ipchains -I input 1 -p tcp -s "$1" -d 0/0 http -y -j REJECT
    else
        echo "which ip to block?"
    fi
Save it, then use it like this:

    chmod 700 blockit
    ./blockit 218.202.8.151
    ./blockit 218.202.8.0/255.255.255.0

Rules established from the command line are lost after a restart. You can use the ipchains-save command to print the current rules:

    ipchains-save

Output:

    :input ACCEPT
    :forward ACCEPT
    :output ACCEPT
    Saving `input'.
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 110:110 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 88:88 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 89:89 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 90:90 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 91:91 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8180:8180 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 443:443 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 9095:9095 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8007:8007 -p 6 -j ACCEPT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p 17 -j ACCEPT
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:1023 -p 6 -j REJECT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -p 6 -j REJECT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:1023 -p 17 -j REJECT
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -p 17 -j REJECT
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 6000:6009 -p 6 -j REJECT -y
    -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 7100:7100 -p 6 -j REJECT -y

You need to remove the "Saving `input'." line and save the remaining content to /etc/sysconfig/ipchains, so that the rules you established take effect again after the next restart.
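The netstat check and the blockit script above can be combined into one step. The following script is an added example, not part of the original post: it counts established connections to local port 80 per remote IP from netstat-style lines, applies the post's "more than N connections from one IP" rule, and prints (rather than runs) the matching ipchains REJECT rules so they can be reviewed first. The function names and the sample netstat lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Reads "netstat -an -t tcp" style
# lines on stdin, counts ESTABLISHED connections to local port 80 per remote
# IP, and prints "count ip" for every IP at or above the threshold.
# Usage: netstat -an -t tcp | suspect_sources 50
suspect_sources() {
    threshold="${1:-50}"
    awk -v limit="$threshold" '
        # field 4 is the local address:port, field 5 the remote one,
        # field 6 the connection state (same columns the post uses)
        $1 ~ /^tcp/ && $4 ~ /:80$/ && $6 == "ESTABLISHED" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # strip the remote port
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= limit)
                    printf "%d %s\n", count[ip], ip
        }' | sort -rn
}

# Turn "count ip" lines into the same rule the post's blockit script inserts.
# The rules are printed, not executed, so they can be checked before use.
block_rules() {
    while read -r count ip; do
        printf 'ipchains -I input 1 -p tcp -s %s -d 0/0 http -y -j REJECT\n' "$ip"
    done
}

# Constructed sample in "netstat -an -t" output format (not real traffic):
# one source holds three established port-80 connections, one of its
# connections is in FIN_WAIT2, and one goes to port 22, so only the three count.
SAMPLE='tcp        0      0 10.0.0.5:80     198.51.100.7:51001  ESTABLISHED
tcp        0      0 10.0.0.5:80     198.51.100.7:51002  ESTABLISHED
tcp        0      0 10.0.0.5:80     198.51.100.7:51003  ESTABLISHED
tcp        0      0 10.0.0.5:80     198.51.100.7:51004  FIN_WAIT2
tcp        0      0 10.0.0.5:80     203.0.113.20:40001  ESTABLISHED
tcp        0      0 10.0.0.5:22     198.51.100.7:51005  ESTABLISHED'

# With a threshold of 3 only 198.51.100.7 is reported and one rule is printed.
printf '%s\n' "$SAMPLE" | suspect_sources 3 | block_rules
```

In real use the threshold would be the post's 50, and the printed rules would be run (or fed to blockit) only after checking that the reported sources are not legitimate clients behind a shared address.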
3. Using iptables

If you use RH 8.0 or later, iptables replaces ipchains. The two are very similar, but there are differences.

* Enabling iptables

If /etc/sysconfig/iptables does not exist, you can create it with the following content:

    # Firewall configuration written by lokkit
    # Manual customization of this file is not recommended.
    # Note: ifup-post will punch the current nameservers through the
    #       firewall; such entries will *not* be listed here.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Lokkit-0-50-INPUT - [0:0]
    -A INPUT -j RH-Lokkit-0-50-INPUT
    -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ftp -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ssh -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport http -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport smtp -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport mysql -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport domain -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport domain -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
    COMMIT

The above configuration allows the ftp, ssh, http, smtp, pop3, mysql, 2001 (Prim@Hosting ACA port) and domain ports.
* Starting iptables

    /etc/init.d/iptables start

* Setting iptables to start automatically

    chkconfig --level 2345 iptables on

* Blocking an IP with iptables

    iptables -I RH-Lokkit-0-50-INPUT 1 -p tcp -m tcp -s 213.8.166.227 --dport 80 --syn -j REJECT

Note the differences from ipchains: the chain name after -I is not the uniform "input" but the chain defined in /etc/sysconfig/iptables; there is an extra "-m tcp"; the port is given with "--dport 80"; and there is an extra "--syn" parameter. You can also use iptables to automatically detect and limit ping floods:

    -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 2 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable