

[linux] Several Linux security settings to mitigate DDoS (SYN flood) attacks

Posted on 11/13/2014 6:03:02 PM
Modify the sysctl parameters
$ sudo sysctl -a  | grep ipv4 | grep syn

The output is similar to the following:

net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5



net.ipv4.tcp_syncookies controls SYN cookies: 0 disables them, 1 sends them only once the SYN queue overflows (the usual setting), and 2 sends them for every connection even without overflow. With cookies enabled the kernel does not have to keep state for a half-open connection, so a flood of spoofed SYNs cannot exhaust the queue and lock out legitimate clients.
net.ipv4.tcp_max_syn_backlog is the maximum number of half-open (SYN_RECV) connections the kernel keeps per listening socket; raising it lets the host hold more pending handshakes before it has to drop them or fall back to cookies.
net.ipv4.tcp_synack_retries is how many times the server retransmits its SYN-ACK for a half-open connection before giving up; net.ipv4.tcp_syn_retries is the equivalent for outgoing SYNs sent by this host. Lowering tcp_synack_retries frees entries created by spoofed SYNs sooner: with the default of 5 a half-open entry lingers for about a minute, with 2 it is gone within a few seconds.

Add the following to /etc/sysctl.conf and then run "sysctl -p" to apply it:

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
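To check a host against the values recommended above, the following added example (not part of the original post) audits the "key = value" lines produced by "sysctl -a" and reports every SYN-related setting that is looser than recommended. The thresholds are the ones from the sysctl.conf fragment above; the sample inputs are constructed to match the "before" output shown earlier and the recommended "after" state.

```shell
#!/bin/sh
# Added example: audit SYN-flood sysctl settings against the recommended values.
# Input: "key = value" lines as printed by `sysctl -a`. Output: one WEAK line per
# setting that is looser than recommended, followed by a summary line.
audit_syn_sysctl() {
    awk '
        BEGIN { n = 0 }
        function weak(k, v, want) { printf "WEAK %s = %s (recommended %s)\n", k, v, want; n++ }
        # syncookies: 0 means disabled; 1 (send on overflow) or 2 (always send) are fine
        $1 == "net.ipv4.tcp_syncookies"      && $3 == 0   { weak($1, $3, "1 or 2") }
        # backlog: a small half-open queue fills up under even a modest flood
        $1 == "net.ipv4.tcp_max_syn_backlog" && $3 < 4096 { weak($1, $3, ">= 4096") }
        # retries: more retransmissions keep spoofed half-open entries alive longer
        $1 == "net.ipv4.tcp_synack_retries"  && $3 > 2    { weak($1, $3, "<= 2") }
        $1 == "net.ipv4.tcp_syn_retries"     && $3 > 2    { weak($1, $3, "<= 2") }
        END { printf "%d weak setting(s)\n", n }
    '
}

# Constructed sample: the "before" output quoted in the post (all four are weak).
SAMPLE_BEFORE='net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5'

# Constructed sample: the same keys after applying the recommended sysctl.conf lines.
SAMPLE_AFTER='net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2'

printf '%s\n' "$SAMPLE_BEFORE" | audit_syn_sysctl
# On a live host (reading sysctl values needs no root):
#   sysctl -a 2>/dev/null | audit_syn_sysctl
```

Run it after "sysctl -p" as well; if the summary line is not "0 weak setting(s)", the new values did not take effect (a typo in sysctl.conf, or a later file in /etc/sysctl.d/ overriding them).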

Improve TCP connectivity

net.ipv4.tcp_rmem = 4096 32768 4194304
net.ipv4.tcp_wmem = 4096 32768 4194304
net.ipv4.tcp_sack = 0   # my CentOS 5.4 says this key does not exist

Two corrections to these lines. tcp_rmem and tcp_wmem each take three values (minimum, default and maximum buffer size in bytes); sysctl rejects a single value, so the triples above keep the post's 32768 as the default and are example values, not tuned recommendations. The key the post used, net.ipv4.sack, does not exist, which is why CentOS reported an unknown key; the real key is net.ipv4.tcp_sack. Note that disabling SACK is not a flood defence at all and costs throughput on lossy links, so leave it at 1 unless you have a specific reason.

Use iptables
Command:

# netstat -an | grep ":80" | grep ESTABLISHED


Look at which IPs are suspicious. For example, 221.238.196.83 has a large number of connections to this host (221.238.196.81) and is very suspicious, and I don't want it connecting to 221.238.196.81 again. One might write:

iptables -A INPUT -s 221.238.196.81 -p tcp -d 221.238.196.83 --dport 25 --syn -j ACCEPT

This is wrong: it ACCEPTs new connections from .81 to .83 on port 25, which is the reverse direction and the wrong action.


I think it should be written like this:

iptables -A INPUT -s 221.238.196.83 -p tcp -j DROP




This discards all TCP packets from 221.238.196.83. Note that -A appends to the end of the INPUT chain; if an earlier rule already accepts established traffic or port 80, the new rule is never reached, so insert it at the top with "iptables -I INPUT ..." instead.

Against a SYN flood that spoofs its source addresses, this method is ineffective: the sources are random and there is no real host to block.
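The netstat check above becomes useful when the connections are counted per remote address. The following added example (not part of the original post) does that over netstat -an output, reports every remote IP at or above a threshold, busiest first, and turns the result into DROP rules inserted at the top of INPUT. The sample netstat output is constructed, using the server and client addresses from the post plus two documentation-range addresses; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: rank remote IPs by ESTABLISHED connections to local port 80 and
# emit an iptables DROP rule for each one over a threshold. Rules are printed, not
# applied, so they can be reviewed first; pipe the output to sh (as root) to apply.

# netstat -an columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State.
# Assumes IPv4 addresses (a.b.c.d:port); IPv6 output needs a different split.
top_http_sources() {   # $1 = minimum connection count to report
    awk -v thr="$1" '
        $1 == "tcp" && $6 == "ESTABLISHED" && $4 ~ /:80$/ {
            split($5, addr, ":")        # strip the remote port
            count[addr[1]]++
        }
        END { for (ip in count) if (count[ip] >= thr) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# "count ip" lines in, one rule per line out. -I puts the rule at the head of
# INPUT so an earlier ACCEPT for established traffic or port 80 cannot shadow it.
emit_drop_rules() {
    awk '{ printf "iptables -I INPUT -s %s -p tcp -j DROP\n", $2 }'
}

# Constructed sample in netstat -an format; 221.238.196.81 is the server.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 221.238.196.81:80       221.238.196.83:51002    ESTABLISHED
tcp        0      0 221.238.196.81:80       221.238.196.83:51003    ESTABLISHED
tcp        0      0 221.238.196.81:80       221.238.196.83:51004    ESTABLISHED
tcp        0      0 221.238.196.81:80       221.238.196.83:51005    ESTABLISHED
tcp        0      0 221.238.196.81:80       221.238.196.83:51006    ESTABLISHED
tcp        0      0 221.238.196.81:80       198.51.100.7:40112      ESTABLISHED
tcp        0      0 221.238.196.81:22       198.51.100.7:40113      ESTABLISHED
tcp        0      0 221.238.196.81:80       203.0.113.9:55555       SYN_RECV'

printf '%s\n' "$SAMPLE_NETSTAT" | top_http_sources 3 | emit_drop_rules
# Live use (pick a threshold well above what a legitimate client opens):
#   netstat -an | top_http_sources 50 | emit_drop_rules | sh
```

Half-open entries (SYN_RECV) are deliberately excluded: under a spoofed SYN flood they carry random source addresses, and blocking them one by one would only bloat the rule set.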


Other references

Prevent SYN flood

# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Others write it as:

# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

"--limit 1/s" matches at most one SYN per second (plus the module's default burst of 5), and that budget is shared by every source address, not one per client. Two caveats before copying these rules: first, the rule only ACCEPTs the SYNs that fit the limit; unless the chain's default policy is DROP or a following "-p tcp --syn -j DROP" rule exists, the excess SYNs are still accepted and nothing has been limited. Second, a global limit this low will starve legitimate clients on any busy server, so raise it to suit your traffic or use the hashlimit module for a per-source limit. The FORWARD variant only affects traffic routed through the box; use INPUT for connections to the host itself.

The next rule is not about SYNs at all: it rate-limits RST packets. Port scanners generate a burst of RSTs from closed ports, so this slows scans down; it needs a trailing DROP for the same reason as above.

# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Ping flood (called "Ping of Death" in the original)

# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

This limits ICMP echo requests to one per second, which mitigates ping floods. The actual Ping of Death was an oversized fragmented ICMP packet that crashed old kernels and has been fixed for years; no rate limit is needed against it. As with the SYN rules, a following "-p icmp --icmp-type echo-request -j DROP" is required for the limit to have any effect.
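The rate-limit rules in this section share two gaps: nothing drops the excess, and "-m limit" is one global bucket for all clients. The following added example (not part of the original post, nor from any iptables documentation) generates a complete rule set that fixes both: a dedicated chain, a per-source limit using the hashlimit match, and an explicit DROP at the end. The chain name SYN_LIMIT, the hashlimit table name and the rate and burst values are choices made for the example; output is printed for review rather than applied.

```shell
#!/bin/sh
# Added example: generate a complete per-source SYN rate-limiting rule set.
# Prints the iptables commands; review them, then pipe to sh as root to apply.
syn_limit_rules() {   # $1 = INPUT or FORWARD, $2 = per-source rate (e.g. 20/sec), $3 = burst
    chain=$1; rate=$2; burst=$3
    case "$chain" in
        INPUT|FORWARD) ;;
        *) echo "chain must be INPUT or FORWARD, got '$chain'" >&2; return 1 ;;
    esac
    # A dedicated chain keeps the limiter in one place and lets it be flushed alone.
    printf 'iptables -N SYN_LIMIT\n'
    # Sources within their own budget RETURN to the calling chain, so the normal
    # INPUT/FORWARD rules (and default policy) still decide whether to accept.
    printf 'iptables -A SYN_LIMIT -m hashlimit --hashlimit-name syn_per_src --hashlimit-mode srcip --hashlimit-upto %s --hashlimit-burst %s -j RETURN\n' "$rate" "$burst"
    # Anything over budget is dropped here: the step the bare -m limit rules lack.
    printf 'iptables -A SYN_LIMIT -j DROP\n'
    # Only new connection attempts (SYN without ACK) go through the limiter.
    printf 'iptables -A %s -p tcp --syn -j SYN_LIMIT\n' "$chain"
}

syn_limit_rules INPUT 20/sec 40
# Apply on a live host after reading the output:
#   syn_limit_rules INPUT 20/sec 40 | sh
```

Per-source limiting still does nothing against a flood of spoofed SYNs, because every packet looks like a new source; for that case SYN cookies (the sysctl section above) remain the effective control, and this rule set is for misbehaving real clients.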




BSD

On BSD the equivalent knob is the TCP maximum segment lifetime (MSL, in milliseconds; the default is 30000). Lowering it makes TIME_WAIT entries expire sooner, so a flood of short connections ties up fewer table slots:

sysctl net.inet.tcp.msl=7500

To make this survive a reboot, add the following line to /etc/sysctl.conf:

net.inet.tcp.msl=7500




