zoukankan      html  css  js  c++  java

  • iptable防范ddos攻击

    Basic DoS Protection https://github.com/MPOS/php-mpos/wiki/Basic-DoS-Protection

    # Rule 1: Limit New Connections To Something Sane.
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT

# Rule 2: Limit Existing Connections To Something Sane.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT

# Rule 3: Wow Lets Just Drop Anything We Don't Like The Look Of
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

# Rule 4: Come In Or Go away, Don't Knock On My Door.
iptables -N PORT_SCANNING
iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A PORT_SCANNING -j DROP

# Rule 5: For You LAND Lovers Argghh!(Local Area Network Denial)
iptables -A INPUT -s YOURSERVERIP/32 -j DROP

# Rule 6: Ho-Ho-Ho, Wait.. Its Not Christmas.. (XMAS Packets)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

# Rule 7: OMG The Servers Seeing Blue (Smurf Attacks)
iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
or
iptables -A INPUT -p icmp -j DROP

# Rule 8: The More Advanced SYN Filter (Mod of top rule)
iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
or
iptables -D INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT

# Rule 9: NO UDP EXCEPT DNS - UDP CAN GO CLIMB A TREE
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP

    TL;DR I Just Want To Copy And Paste.

    iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A PORT-SCANNING -j DROP
  • 相关阅读:
    BZOJ 2456 mode
    BZOJ 1041 [HAOI2008]圆上的整点
    东北育才 第6天和第7天
    POJ 3692 Kindergarten(最大团问题)
    KM算法及其应用
    UVA 11582 Colossal Fibonacci Numbers!(循环节打表+幂取模)
    ZOJ 3960 What Kind of Friends Are You?(读题+思维)
    POJ 2349 Arctic Network(最小生成树中第s大的边)
    HDU 1576 A/B(欧几里德算法延伸)
    NYOJ 1013 除法表达式(欧几里德算法+唯一分解定理)
  • 原文地址:https://www.cnblogs.com/liujitao79/p/4059417.html
Copyright © 2011-2022 走看看