  Using the Linux system firewall to prevent DoS attacks
     
  Add Date : 2017-01-08      
         
         
         
  Protecting against network attacks with the Linux system firewall functions
Web hosting service providers may be attacked by hackers during operation; common attack methods include SYN floods and DDoS.
Changing the IP address and locating the attacked site may sidestep the attack, but the service interruption is relatively long.
A more thorough solution is to purchase a hardware firewall. However, hardware firewalls are expensive. You can consider using
the firewall functions of the Linux system itself for defense.
1. Defending against SYN attacks
A SYN attack exploits the TCP/IP three-way handshake: it sends a large number of connection-request packets without actually
establishing the connections, which eventually fills the network queue of the attacked server so that normal users cannot access it.
The Linux kernel provides a number of SYN-related settings. Use the command:
sysctl -a | grep syn
to see:
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
tcp_max_syn_backlog is the length of the SYN queue. tcp_syncookies is a switch that turns the SYN Cookie function on or off;
this function can prevent some SYN attacks. tcp_synack_retries and tcp_syn_retries define the number of SYN retries.
Increasing the SYN queue length lets the server hold more connections that are waiting to be established, enabling the
SYN Cookie function can prevent some SYN attacks, and reducing the number of retries also has some effect.
These settings are adjusted as follows:
Increase the SYN queue length to 2048:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
Enable the SYN Cookie function:
sysctl -w net.ipv4.tcp_syncookies=1
Reduce the number of retries:
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
To keep the above configuration after the system is restarted, add the above commands to the /etc/rc.d/rc.local file.
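A check for the settings above, for example after a reboot, to confirm that the values from rc.local were applied. This is an added example, not part of the original article; the function name audit_syn_sysctl and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): compare the SYN-related
# sysctl values against the ones the article sets.

# audit_syn_sysctl: reads "key = value" lines (sysctl -a format) on stdin and
# prints one line per setting that is missing or weaker than the target.
audit_syn_sysctl() {
    awk -F'[ \t]*=[ \t]*' '
        BEGIN {
            # rule: "min" = at least, "eq" = exactly, "max" = at most
            rule["net.ipv4.tcp_max_syn_backlog"] = "min"; ref["net.ipv4.tcp_max_syn_backlog"] = 2048
            rule["net.ipv4.tcp_syncookies"]      = "eq";  ref["net.ipv4.tcp_syncookies"]      = 1
            rule["net.ipv4.tcp_synack_retries"]  = "max"; ref["net.ipv4.tcp_synack_retries"]  = 3
            rule["net.ipv4.tcp_syn_retries"]     = "max"; ref["net.ipv4.tcp_syn_retries"]     = 3
        }
        ($1 in rule) {
            seen[$1] = 1
            v = $2 + 0
            if ((rule[$1] == "min" && v < ref[$1]) ||
                (rule[$1] == "eq"  && v != ref[$1]) ||
                (rule[$1] == "max" && v > ref[$1]))
                printf "WEAK %s=%s (want %s %s)\n", $1, $2, rule[$1], ref[$1]
        }
        END {
            for (k in rule)
                if (!(k in seen)) printf "MISSING %s\n", k
        }' | sort
}

# Constructed input: the default values shown in the article.
defaults_sample() {
    cat <<'EOF'
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
EOF
}

defaults_sample | audit_syn_sysctl
# On a live system: sysctl -a 2>/dev/null | audit_syn_sysctl
```

An empty result means all four settings are at least as strict as the values used above.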
2. Defending against DDoS
In a DDoS (distributed denial-of-service) attack, attackers organize many hosts from different sources to send a large number of
connections to a common port such as 80 or 25, but the clients only establish the connection and make no normal request. Because
Apache is generally configured to accept a limited number of connections (usually 256), these "fake" visits fill Apache up and normal access cannot proceed.
Linux provides a firewall tool called ipchains that can block connections from a specific IP or IP address range to a specific port.
To use ipchains against DDoS, first find the attack source addresses with the netstat command, then block them with the ipchains
command. Block each source as you find it.
*** Enable ipchains
First, check whether the ipchains service is set to start automatically:
chkconfig --list ipchains
The output is generally:
ipchains 0:off 1:off 2:on 3:on 4:on 5:on 6:off
If levels 3, 4 and 5 are listed as on, the ipchains service is already set to start automatically.
If not, you can use the command:
chkconfig --add ipchains
to set the ipchains service to start automatically.
Second, check whether the ipchains configuration file /etc/sysconfig/ipchains exists. If this file does not exist, ipchains
will not take effect even if it is set to start automatically. The default ipchains configuration file is as follows:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
# allow http, ftp, smtp, ssh, domain via tcp; domain via udp
-A input -p tcp -s 0/0 -d 0/0 pop3 -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 http -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 https -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 ftp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 smtp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 ssh -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 domain -y -j ACCEPT
-A input -p udp -s 0/0 -d 0/0 domain -j ACCEPT
# Deny icmp packet
# -A input -p icmp -s 0/0 -d 0/0 -j DENY
# Default rules
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
If the /etc/sysconfig/ipchains file does not exist, you can create it with the content above. Once it is created, start the ipchains service:
/etc/init.d/ipchains start
*** Find the source of the attack with the netstat command
If the attack targets Web port 80, view the IPs and ports of the clients connected to port 80 with the following command:
netstat -an -t tcp | grep ":80" | awk '{printf "%s %s\n", $5, $6}' | sort
Output:
161.2.8.9:123 FIN_WAIT2
161.2.8.9:124 FIN_WAIT2
61.233.85.253:23656 FIN_WAIT2
...
The first column is the client IP and port, and the second column is the connection state.
If there are many connections from the same IP (more than 50) and the ports are consecutive, it is very likely an attack.
If you only want to see established connections, use the command:
netstat -an -t tcp | grep ":80" | grep ESTABLISHED | awk '{printf "%s %s\n", $5, $6}' | sort
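The per-source count described above, as an added example that is not part of the original article. It counts connections to the local port per client IP and prints the sources above the threshold of 50 mentioned in the text; it matches the local port exactly, because grep ":80" also matches :8080 and remote port 80. The function names and the sample netstat lines (documentation address ranges) are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): count connections per client
# IP in netstat-style output and list the sources above a threshold.

# suspect_sources PORT THRESHOLD: reads `netstat -ant` lines on stdin and
# prints "COUNT IP" for every client with more than THRESHOLD connections.
suspect_sources() {
    awk -v port="$1" -v limit="$2" '
        $1 ~ /^tcp/ {
            # $4 = local address, $5 = foreign address, $6 = state
            if ($6 == "LISTEN") next
            # Compare the local port exactly so :8080 is not counted as :80.
            n = split($4, loc, ":")
            if (loc[n] != port) next
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # drop the client port
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit) print count[ip], ip
        }' | sort -rn
}

# Constructed sample: 60 connections from 203.0.113.9, one normal client,
# a connection to port 8080 and a listening socket (neither is counted).
sample_netstat() {
    i=0
    while [ "$i" -lt 60 ]; do
        echo "tcp 0 0 192.0.2.10:80 203.0.113.9:$((30000 + i)) ESTABLISHED"
        i=$((i + 1))
    done
    echo "tcp 0 0 192.0.2.10:80 198.51.100.7:51514 ESTABLISHED"
    echo "tcp 0 0 192.0.2.10:80 198.51.100.7:51515 FIN_WAIT2"
    echo "tcp 0 0 192.0.2.10:8080 198.51.100.8:40000 ESTABLISHED"
    echo "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN"
}

sample_netstat | suspect_sources 80 50
# On a live system: netstat -ant | suspect_sources 80 50
```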
*** Block the attack source with ipchains
There are two ways to block an attack source with ipchains. One is to add a rule to /etc/sysconfig/ipchains and then restart
the ipchains service. The other is to use the ipchains command directly. After blocking, you may also need to restart the attacked
service so that the connections the attacker has already established are dropped.
* Add to /etc/sysconfig/ipchains
Suppose we want to prevent 218.202.8.151 from connecting to port 80: edit the /etc/sysconfig/ipchains file and, below the
:output ACCEPT line, add the following line:
-A input -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT
Save your changes and restart ipchains:
/etc/init.d/ipchains restart
If you want to block the entire 218.202.8 network segment, add:
-A input -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT
* Directly on the command line
Adding rules to the /etc/sysconfig/ipchains file and restarting ipchains is slower, and at the moment ipchains restarts
some connections may slip through. The most convenient way is to use the ipchains command directly.
Suppose we want to prevent 218.202.8.151 from connecting to port 80; the command is:
ipchains -I input 1 -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT
If you want to block the entire 218.202.8 network segment, the command is:
ipchains -I input 1 -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT
Here, -I means insert, input is the rule chain, and 1 means the rule is added in first position.
To make this easier you can write a shell script:
vi blockit
Content:
#!/bin/sh
# blockit: reject new HTTP connections from the address or network given as $1
if [ -n "$1" ]; then
    echo "Blocking: $1"
    # insert at position 1 of the input chain so the rule is matched first
    ipchains -I input 1 -p tcp -s "$1" -d 0/0 http -y -j REJECT
else
    echo "which ip to block?"
fi
Save it, and then:
chmod 700 blockit
Usage:
./blockit 218.202.8.151
./blockit 218.202.8.0/255.255.255.0
Rules created with the command-line method above are lost after a restart. You can use the ipchains-save command to print the rules:
ipchains-save
Output:
: Input ACCEPT
: Forward ACCEPT
: Output ACCEPT
Saving `input '.
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 110: 110 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 88:88 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 89:89 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 90:90 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 91:91 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8180: 8180 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 443: 443 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 9095: 9095 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8007: 8007 -p 6 -j ACCEPT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p 17 -j ACCEPT
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0: 1023 -p 6 -j REJECT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049: 2049 -p 6 -j REJECT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0: 1023 -p 17 -j REJECT
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049: 2049 -p 17 -j REJECT
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 6000: 6009 -p 6 -j REJECT -y
-A Input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 7100: 7100 -p 6 -j REJECT -y
You need to remove the "Saving `input'." line and then save the rest of the content to the /etc/sysconfig/ipchains file,
so that the rules you created take effect again after the next reboot.
3. If you are using iptables
Starting with RH 8.0, iptables is enabled in place of ipchains. The two are very similar, but there are some differences.
* Enable iptables
If there is no /etc/sysconfig/iptables file, you can create it:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport http -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport mysql -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport domain -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
The above configuration allows the ftp, ssh, http, smtp, pop3, mysql, 2001 (Prim@Hosting ACA port) and domain ports.
* Start iptables
/etc/init.d/iptables start
* Set iptables to start automatically
chkconfig --level 2345 iptables on
* Block an IP with iptables
iptables -I RH-Lokkit-0-50-INPUT 1 -p tcp -m tcp -s 213.8.166.227 --dport 80 --syn -j REJECT
Note the differences from ipchains:
The chain name after -I is different: unlike ipchains it is not uniformly input, but the name defined in /etc/sysconfig/iptables
There is an additional -m tcp
The port is specified with the parameter --dport 80
There is an additional --syn parameter, which can automatically detect SYN attacks
Use iptables to block ping:
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 2 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
     
         
         
         