  Configuring a Linux operating system against syn attack
  Add Date : 2017-01-08      
Web hosting providers are routinely subjected to attacks, and SYN floods and other DDoS traffic are among the most common. Changing the server's IP address and moving the targeted site may end an attack, but the service interruption is long. A hardware firewall is the more thorough answer, but hardware firewalls are expensive, so it is worth first using the firewall and TCP tuning that the Linux kernel itself provides.
A SYN flood abuses the TCP three-way handshake: the attacker sends a large number of SYN packets that start connections but never completes them (the final ACK never arrives, often because the source addresses are spoofed). Each half-open connection occupies a slot in the server's SYN queue until it times out; once the queue is full, SYNs from legitimate clients are dropped and the service becomes unreachable.
The Linux kernel exposes several SYN-related settings; list them with:
sysctl -a | grep syn
On the system used here this shows:
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
tcp_max_syn_backlog is the length of the SYN queue, the number of half-open connections waiting for their final ACK. tcp_syncookies is a switch: with it set to 1 the kernel answers with SYN cookies once the SYN queue overflows, so it can keep accepting legitimate connections without storing state for every SYN it receives. Cookies are only used while the queue is overflowing, and connections completed through a cookie lose some TCP options (SACK, window scaling). tcp_synack_retries is how many times the server retransmits its SYN/ACK for a half-open connection before discarding it; lowering it clears bogus entries from the queue sooner. tcp_syn_retries, by contrast, is how many times this host retransmits its own outgoing SYN when it connects to another server; it has no effect on an inbound flood and only matters for outbound connections. In short: a longer queue holds more pending connections, SYN cookies keep the server reachable when the queue still overflows, and fewer SYN/ACK retries shorten the time each flood entry is held.
Adjust the settings as follows (sysctl -w takes key=value with no spaces around the =):
Increase the SYN queue length to 2048:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
Enable SYN cookies:
sysctl -w net.ipv4.tcp_syncookies=1
Reduce the number of retries:
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
Confirm the new values with sysctl -a | grep syn. Note that the effective SYN queue for a given service can also be capped by the application's listen() backlog and by net.core.somaxconn, so raising tcp_max_syn_backlog alone does not always enlarge it.
Values set with sysctl -w are lost at reboot. One way to keep them is to put the commands above into /etc/rc.d/rc.local; the conventional place is /etc/sysctl.conf or a file under /etc/sysctl.d/, written as key = value lines and loaded with sysctl -p (and automatically at boot).
Rate-limiting SYN packets (SYN flood)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Another common form, for traffic addressed to the host itself rather than routed through it:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s accepts at most one SYN per second (plus the match's default burst of 5); raise it to suit your traffic, since 1/s would starve a busy web server of new connections. Use INPUT on the server itself; FORWARD only applies to packets the box forwards for other hosts.
Two caveats apply to every rule in this section. First, a rule that ACCEPTs up to a limit limits nothing on its own: packets above the limit simply fall through to the next rule or to the chain policy, and with the default ACCEPT policy they are let in. Each limit rule needs a matching rule after it that DROPs the same traffic. Second, -m limit is a single global token bucket, not a per-source one, so an attacker who exceeds the rate also causes legitimate clients' SYNs to be dropped (the hashlimit match with --hashlimit-mode srcip limits per source address instead). Against a flood with spoofed source addresses neither helps much, and the kernel's SYN cookies remain the main defence.
Limiting bare RST packets (often described as preventing port scans)
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
--tcp-flags SYN,ACK,FIN,RST RST matches TCP packets in which RST is set and SYN, ACK and FIN are clear. With a following DROP this rate-limits bare RSTs crossing the chain; it does not hide open ports from a scanner, which learns them from the SYN/ACK replies, so treat it as minor noise reduction rather than port-scan protection.
Limiting ICMP echo requests (ping flood)
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
This limits the rate of ping requests, which is what a ping flood is. It is not a fix for the Ping of Death, a different attack using oversized or malformed ICMP packets that current kernels already reject regardless of this rule.
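As an added example, not code from the original article: the three rate-limit rules above, completed with the DROP rules they need to have any effect, together with a per-source alternative built on iptables' hashlimit match. The chain name, the rates and the bursts are assumptions to tune for your own traffic; the script prints the rules by default and only installs them when run with IPT=iptables.

```shell
#!/bin/sh
# Added example, not code from the original article: the article's three
# rate-limit rules completed with the DROP rules they need, plus a per-source
# variant. Chain names, rates and bursts are assumptions; tune them.

# Command prefix. The default prints the rules (dry run) so the rule set can be
# reviewed without root; run with IPT=iptables to actually install them.
: "${IPT:=echo iptables}"

# Emit the article's limits for one chain, each followed by a DROP for the same
# match. Without the DROP, packets above the limit fall through to the next
# rule or to the chain policy (ACCEPT by default) and nothing is limited.
# $1 = chain (INPUT on the server itself, FORWARD on a router),
# $2 = SYN rate, $3 = SYN burst. 1/s, the article's value, is far too low for
# a real web server; the usage call below uses 25/s with a burst of 50.
syn_flood_rules() {
    chain=${1:-INPUT}
    rate=${2:-1/s}
    burst=${3:-5}
    # SYN flood: limit new connections, drop the excess
    $IPT -A "$chain" -p tcp --syn -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    $IPT -A "$chain" -p tcp --syn -j DROP
    # Bare RST (RST set, SYN/ACK/FIN clear): the article's "port scan" rule.
    # It trims RST noise; it does not hide open ports from a scanner.
    $IPT -A "$chain" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    $IPT -A "$chain" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
    # Ping flood: limit ICMP echo requests, drop the excess
    $IPT -A "$chain" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPT -A "$chain" -p icmp --icmp-type echo-request -j DROP
}

# Per-source alternative to the first SYN pair above (install one or the other,
# not both: the first "--syn -j DROP" would swallow everything before the
# second rule is reached). -m limit is one global bucket, so a single flooder
# exhausts it and legitimate clients get dropped with it; hashlimit keeps a
# bucket per source address. A flood with spoofed random sources defeats this
# too; for that the kernel's tcp_syncookies is the defence that matters.
per_source_syn_rules() {
    chain=${1:-INPUT}
    $IPT -A "$chain" -p tcp --syn -m hashlimit --hashlimit-name syn_per_src \
        --hashlimit-mode srcip --hashlimit-upto 10/s --hashlimit-burst 20 -j ACCEPT
    $IPT -A "$chain" -p tcp --syn -j DROP
}

# Dry run of the complete rule set for the INPUT chain.
syn_flood_rules INPUT 25/s 50
```

After installing with IPT=iptables, check the DROP counters with iptables -L INPUT -v -n: they should climb during a flood and stay flat under normal load. If they climb under normal load, the rate is set too low for your traffic.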
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.