zoukankan      html  css  js  c++  java

  • iptable防范ddos攻击

    Basic DoS Protection https://github.com/MPOS/php-mpos/wiki/Basic-DoS-Protection

    # Rule 1: Limit New Connections To Something Sane.
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT

# Rule 2: Limit Existing Connections To Something Sane.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT

# Rule 3: Wow Lets Just Drop Anything We Don't Like The Look Of
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

# Rule 4: Come In Or Go away, Don't Knock On My Door.
iptables -N PORT_SCANNING
iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A PORT_SCANNING -j DROP

# Rule 5: For You LAND Lovers Argghh!(Local Area Network Denial)
iptables -A INPUT -s YOURSERVERIP/32 -j DROP

# Rule 6: Ho-Ho-Ho, Wait.. Its Not Christmas.. (XMAS Packets)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

# Rule 7: OMG The Servers Seeing Blue (Smurf Attacks)
iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
or
iptables -A INPUT -p icmp -j DROP

# Rule 8: The More Advanced SYN Filter (Mod of top rule)
iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
or
iptables -D INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT

# Rule 9: NO UDP EXCEPT DNS - UDP CAN GO CLIMB A TREE
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP

    TL;DR I Just Want To Copy And Paste.

    iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A PORT-SCANNING -j DROP
  • 相关阅读:
    面向切面编程AOP——加锁、cache、logging、trace、同步等这些较通用的操作,如果都写一个类,则每个用到这些功能的类使用多继承非常难看,AOP就是解决这个问题的,python AOP就是装饰器
    主机异常流量示例
    python代码安全扫描工具
    联邦学习
    数据库索引数据结构总结——ART树就是前缀树
    路由器安全——破解wifi密码,同时中间人攻击
    机器学习(四)--- 从gbdt到xgboost
    Visual Studio 2013新建工程导入现有代码文件夹并且保持目录结构
    腾讯发展重心不再是微信
    linux gz 解压缩
  • 原文地址:https://www.cnblogs.com/liujitao79/p/4059417.html
Copyright © 2011-2022 走看看