2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article shows how to defend a Linux system against DDoS and CC attacks. The content is concise and easy to follow, and I hope the detailed walkthrough gives you something useful.
1. Resist SYN
A SYN attack exploits the three-way handshake of TCP/IP: the attacker sends a large number of connection-opening packets but never completes the handshake, so the attacked server's connection queue fills up with half-open connections and normal users can no longer get through.
The Linux kernel exposes several SYN-related settings. List them with:
sysctl -a | grep syn
You will see lines such as:
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
tcp_max_syn_backlog is the length of the SYN queue; tcp_syncookies is a switch that turns the SYN cookie feature on or off, which defeats some SYN attacks; tcp_synack_retries and tcp_syn_retries define how many times a SYN or SYN-ACK is retransmitted.
Increasing the SYN queue length lets the server hold more connections that are waiting to complete the handshake. Turning on SYN cookies blocks part of a SYN attack, and reducing the retry counts also helps, since half-open entries are given up sooner.
The settings above are adjusted as follows.
Increase the SYN queue length to 2048:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
Turn on the SYN cookie feature:
sysctl -w net.ipv4.tcp_syncookies=1
Reduce the number of retries:
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
To keep this configuration across a reboot, add the commands above to the /etc/rc.d/rc.local file (on later distributions the same key = value pairs belong in /etc/sysctl.conf instead).
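As an added example (not part of the original article), the following POSIX shell script audits the four SYN-related keys discussed above against the values the article recommends (2048, 1, 3 and 3). It reads `key = value` lines in the format `sysctl -a` prints, so it can be run against the live system or, as here, against a constructed sample that mirrors the article's output. The `syn_audit` function name, the `check`/`fix` modes and the sample data are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit SYN-related sysctl keys against the article's
# recommended values. Not the article's own script.

# syn_audit [check|fix]
#   Reads "key = value" lines on stdin (the format of `sysctl -a`).
#   check: print one WEAK line per key that is below the recommendation.
#   fix:   print the `sysctl -w` command that would correct each weak key.
#   Exit status is 1 when at least one key is weak, 0 otherwise.
syn_audit() {
    awk -F ' *= *' -v mode="${1:-check}" '
        # report(): emit a finding (check) or a fix command (fix) and
        # remember that something was wrong for the exit status.
        function report(key, val, want) {
            if (mode == "fix") printf "sysctl -w %s=%s\n", key, want
            else               printf "WEAK %s=%s (recommended %s)\n", key, val, want
            bad = 1
        }
        $1 == "net.ipv4.tcp_max_syn_backlog" && $2 + 0 < 2048 { report($1, $2, 2048) }
        $1 == "net.ipv4.tcp_syncookies"      && $2 + 0 != 1   { report($1, $2, 1) }
        $1 == "net.ipv4.tcp_synack_retries"  && $2 + 0 > 3    { report($1, $2, 3) }
        $1 == "net.ipv4.tcp_syn_retries"     && $2 + 0 > 3    { report($1, $2, 3) }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: the default values shown in the article, plus an
# unrelated key to show that other lines are ignored.
SAMPLE_WEAK='net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_fin_timeout = 60'

# Constructed sample: a host already tuned as the article recommends.
SAMPLE_HARDENED='net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3'

# Demonstration on the constructed samples (no root needed).
echo "# findings for the weak sample:"
printf '%s\n' "$SAMPLE_WEAK" | syn_audit check || echo "# -> weak settings present"
echo "# commands that would fix them:"
printf '%s\n' "$SAMPLE_WEAK" | syn_audit fix || true
echo "# hardened sample:"
printf '%s\n' "$SAMPLE_HARDENED" | syn_audit check && echo "# -> nothing to report"
```

Against a real host run `sysctl -a 2>/dev/null | syn_audit check`; the `fix` mode only prints commands, so you can review them before running them as root.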
2. Resist DDOS
DDoS, a distributed denial-of-service attack, means an attacker organizes many hosts from different sources to open a large number of connections to common ports such as 80 or 25; these clients only establish connections and never perform normal requests. Because a typical Apache configuration limits the number of accepted connections (usually 256), these "fake" visits fill Apache up and legitimate users cannot get through.
Linux provides a firewall tool, ipchains, that can block connections to specific ports from specific IPs or IP ranges. Defending with ipchains means first discovering the attacking source addresses with the netstat command and then blocking them with ipchains, one by one as they are found.
* enable ipchains function
First check whether the ipchains service is set to start automatically:
chkconfig --list ipchains
The output is generally:
ipchains 0:off 1:off 2:on 3:on 4:on 5:on 6:off
If run levels 3, 4 and 5 are listed as on, the ipchains service is already set to start automatically.
If not, use the command:
chkconfig --add ipchains
to set the ipchains service to start automatically.
Second, check whether the ipchains configuration file /etc/sysconfig/ipchains exists. If this file does not exist, ipchains will not take effect even when it is set to start automatically. The default ipchains configuration file is as follows:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
# allow http,ftp,smtp,ssh,domain via tcp; domain via udp
-A input -p tcp -s 0/0 -d 0/0 pop3 -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 http -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 https -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 ftp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 smtp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 ssh -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 domain -y -j ACCEPT
-A input -p udp -s 0/0 -d 0/0 domain -j ACCEPT
# deny icmp packet
#-A input -p icmp -s 0/0 -d 0/0 -j DENY
# default rules
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
If the /etc/sysconfig/ipchains file does not exist, create it with the content above. After creating it, start the ipchains service:
/etc/init.d/ipchains start
* use netstat command to discover the source of attack
If the attack targets the web port 80, look at the client IPs and ports connected to port 80 with the following command (the ":80 " pattern with a trailing space matches only the local port, not ports such as 8080):
netstat -an -t | grep ":80 " | awk '{printf "%s %s\n", $5, $6}' | sort
Output:
161.2.8.9:123 FIN_WAIT2
161.2.8.9:124 FIN_WAIT2
61.233.85.253:23656 FIN_WAIT2
...
The first column is the client IP and port, and the second column is the connection state.
If there are many connections (more than 50) from the same IP and their source ports are contiguous, it is very likely an attack.
http://bbs.92bbs.net/read-tid-31313.html
If you only want to see established connections, use:
netstat -an -t | grep ":80 " | grep ESTABLISHED | awk '{printf "%s %s\n", $5, $6}' | sort
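The rule of thumb above (many connections from one IP, all on contiguous ports) can be checked automatically instead of by eye. As an added example, not from the original article, the POSIX shell function below reads the full `netstat -an -t` output on stdin, groups the connections to a given local port by remote IP, and reports only the sources that both exceed the threshold and use one unbroken run of source ports. The `suspicious_sources` name, the thresholds as parameters and the sample data (a 60-connection source on ports 23600-23659, a 55-connection NAT-like source on scattered ports, and a few normal clients) are constructed for this example.

```shell
#!/bin/sh
# Added example: flag attack sources in netstat output using the article's
# heuristic (many connections from one IP on contiguous source ports).

# suspicious_sources [LOCAL_PORT] [THRESHOLD]
#   stdin: `netstat -an -t` lines (Proto Recv-Q Send-Q Local Foreign State).
#   Prints "IP COUNT LOWPORT-HIGHPORT" for each remote IPv4 address with at
#   least THRESHOLD (default 50) connections to LOCAL_PORT (default 80)
#   whose source ports form one contiguous run. IPv6 (tcp6) rows are skipped.
suspicious_sources() {
    awk -v port="${1:-80}" -v thresh="${2:-50}" '
        $1 == "tcp" && $4 ~ (":" port "$") {
            n = split($5, a, ":")             # foreign address is ip:port
            ip = a[1]; p = a[n] + 0
            cnt[ip]++
            key = ip SUBSEP p                 # count each distinct port once
            if (!(key in seen)) { seen[key] = 1; distinct[ip]++ }
            if (!(ip in lo) || p < lo[ip]) lo[ip] = p
            if (!(ip in hi) || p > hi[ip]) hi[ip] = p
        }
        END {
            # contiguous: no repeated ports and the range is exactly as wide
            # as the number of connections
            for (ip in cnt)
                if (cnt[ip] >= thresh && distinct[ip] == cnt[ip] \
                    && hi[ip] - lo[ip] + 1 == cnt[ip])
                    printf "%s %d %d-%d\n", ip, cnt[ip], lo[ip], hi[ip]
        }
    ' | sort
}

# make_sample_netstat: constructed netstat output for the demonstration.
make_sample_netstat() {
    i=0
    while [ "$i" -lt 60 ]; do          # attacker-like: 60 contiguous ports
        printf 'tcp 0 0 10.0.0.5:80 61.233.85.253:%d ESTABLISHED\n' $((23600 + i))
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 55 ]; do          # NAT-like: many users, scattered ports
        printf 'tcp 0 0 10.0.0.5:80 198.51.100.9:%d ESTABLISHED\n' $((40000 + i * 7))
        i=$((i + 1))
    done
    printf 'tcp 0 0 10.0.0.5:80 161.2.8.9:123 FIN_WAIT2\n'
    printf 'tcp 0 0 10.0.0.5:80 161.2.8.9:124 FIN_WAIT2\n'
    printf 'tcp 0 0 10.0.0.5:443 192.0.2.7:5000 ESTABLISHED\n'
    printf 'tcp 0 0 10.0.0.5:22 192.0.2.8:51000 ESTABLISHED\n'
}

# Demonstration on the constructed sample.
echo "# sources with >= 50 contiguous-port connections to :80"
make_sample_netstat | suspicious_sources 80 50
```

On a live host run `netstat -an -t | suspicious_sources 80 50`. The contiguity check is what keeps a busy NAT gateway (many connections, random source ports) from being mistaken for an attacker; lower the threshold for a quick look, but review the list before feeding it to a block rule.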
* use ipchains to block the source of attack
There are two ways to block an attack source with ipchains. One is to add a rule to /etc/sysconfig/ipchains and restart the ipchains service; the other is to add the rule directly with the ipchains command. After blocking, you may need to restart the attacked service so that the attack connections that are already established are dropped.
* add to /etc/sysconfig/ipchains
Suppose you want to block connections from 218.202.8.151 to port 80. Edit the /etc/sysconfig/ipchains file and add the following line after :output ACCEPT (the -y flag needs -p tcp):
-A input -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT
Save the change and restart ipchains:
/etc/init.d/ipchains restart
To block the whole 218.202.8 network segment, add instead:
-A input -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT
* use the command line directly
Editing /etc/sysconfig/ipchains and restarting ipchains is slow, and a few connections may slip in at the moment ipchains restarts. The most convenient way is to use the ipchains command directly.
To block connections from 218.202.8.151 to port 80, the command is:
ipchains -I input 1 -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT
To block the whole 218.202.8 network segment:
ipchains -I input 1 -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT
Here -I means insert, input is the chain name, and 1 means the rule becomes the first one in the chain.
You can write a small shell script to make this easier:
vi blockit
Content:
#!/bin/sh
# Insert a REJECT rule for the given source (IP or IP/mask) at the head of the input chain.
if [ ! -z "$1" ]; then
    echo "Blocking: $1"
    ipchains -I input 1 -p tcp -s "$1" -d 0/0 http -y -j REJECT
else
    echo "which ip to block"
fi
Save it, then:
chmod 700 blockit
Usage:
./blockit 218.202.8.151
./blockit 218.202.8.0/255.255.255.0
Rules added from the command line are lost after a reboot. You can print the current rules with the ipchains-save command:
ipchains-save
Output:
:input ACCEPT
:forward ACCEPT
:output ACCEPT
Saving `input'.
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 110:110 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 88:88 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 89:89 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 90:90 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 91:91 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8180:8180 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 443:443 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 9095:9095 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8007:8007 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:1023 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:1023 -p 17 -j REJECT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -p 17 -j REJECT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 6000:6009 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 7100:7100 -p 6 -j REJECT -y
Remove the "Saving `input'." line and save the rest into the /etc/sysconfig/ipchains file.
The rules you added will then be restored after the next restart.
3. If you use iptables
Red Hat 8.0 switched from ipchains to iptables. The two are very similar, but there are differences.
* enable iptables
If there is no iptables file under /etc/sysconfig/, you can create one:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport http -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport mysql -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport domain -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
The configuration above allows the ftp, ssh, http, smtp, pop3, mysql, 2001 (Prim@Hosting ACA port) and domain ports.
* start iptables
/etc/init.d/iptables start
* set iptables to start automatically
chkconfig --level 2345 iptables on
* use iptables to block an IP
iptables -I RH-Lokkit-0-50-INPUT 1 -p tcp -m tcp -s 213.8.166.227 --dport 80 --syn -j REJECT
Note the differences from ipchains:
The chain name after -I is not the fixed input chain but the chain defined in /etc/sysconfig/iptables.
There is an extra -m tcp.
The port is specified with --dport 80.
There is an extra --syn option, which restricts the rule to the SYN packets that open a connection.
Use iptables to rate-limit ping (accept at most 6 echo requests per minute, burst 2, and reject the rest):
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 2 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
Allow connections from one IP:
-I RH-Firewall-1-INPUT 1 -p tcp -m tcp -s 192.168.0.51 --syn -j ACCEPT
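The blockit script earlier passes its argument straight to the firewall, and the iptables block command above has the same shape. As an added example that is not the article's own script, here is an iptables-era version of blockit that validates the source (a dotted-quad IPv4 address, optionally with a /prefix or /netmask) before it reaches iptables, can remove a rule again once the attack is over, and can print the command instead of executing it so the rule can be reviewed without root. The chain name RH-Lokkit-0-50-INPUT and port 80 are the article's; the function names, the DRY_RUN switch and the CHAIN/PORT variables are this example's assumptions.

```shell
#!/bin/sh
# Added example: a validated, reversible replacement for the article's
# blockit script, written for iptables. Not the article's own code.

CHAIN=${CHAIN:-RH-Lokkit-0-50-INPUT}   # chain name from the article's config
PORT=${PORT:-80}                        # port being defended

# valid_source SRC: succeed only for "a.b.c.d", "a.b.c.d/N" (N = 0..32) or
# "a.b.c.d/m.m.m.m". Anything else (empty, hostname, spaces, shell
# metacharacters, octets above 255) fails, so it never reaches iptables.
valid_source() {
    case $1 in
        ''|*[!0-9./]*) return 1 ;;      # only digits, dots and one slash allowed
    esac
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]|([0-9]{1,3}\.){3}[0-9]{1,3}))?$' \
        || return 1
    # every dotted component (address and mask) must be <= 255; the prefix
    # length is already bounded by the regex
    all=$(printf '%s' "$1" | tr '/' '.')
    ( IFS=.; set -- $all; for o; do [ "$o" -le 255 ] || exit 1; done )
}

# source_rule add|del SRC: insert the REJECT rule for SRC at the head of
# $CHAIN, or delete it. With DRY_RUN=1 the iptables command is printed
# instead of run.
source_rule() {
    action=$1; src=$2
    valid_source "$src" || { printf 'refusing invalid source: %s\n' "$src" >&2; return 2; }
    case $action in
        add) set -- iptables -I "$CHAIN" 1 -p tcp -m tcp -s "$src" --dport "$PORT" --syn -j REJECT ;;
        del) set -- iptables -D "$CHAIN" -p tcp -m tcp -s "$src" --dport "$PORT" --syn -j REJECT ;;
        *)   printf 'usage: source_rule add|del SOURCE\n' >&2; return 2 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Demonstration: print the commands that would be run (no root needed).
DRY_RUN=1
source_rule add 218.202.8.151
source_rule add 218.202.8.0/255.255.255.0
source_rule add 218.202.8.0/24
source_rule del 218.202.8.151
source_rule add '218.202.8.151; reboot' || echo "# rejected as expected"
```

To apply rules for real, unset DRY_RUN (or set it to 0) and run the script as root; `source_rule del` removes exactly the rule that `add` inserted, which the original blockit offered no way to do.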
That is how to defend a Linux system against DDoS and CC attacks. I hope you picked up some knowledge or skills; if you want to learn more, you are welcome to follow the industry information channel.