zoukankan      html  css  js  c++  java
  • iptable防范ddos攻击

    Basic DoS Protection https://github.com/MPOS/php-mpos/wiki/Basic-DoS-Protection

    # Rule 1: Limit New Connections To Something Sane.
    iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
    
    # Rule 2: Limit Existing Connections To Something Sane.
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
    
    # Rule 3: Wow Lets Just Drop Anything We Don't Like The Look Of
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    
    # Rule 4: Come In Or Go away, Don't Knock On My Door.
    iptables -N PORT_SCANNING
    iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
    iptables -A PORT_SCANNING -j DROP
    
    # Rule 5: For You LAND Lovers Argghh!(Local Area Network Denial)
    iptables -A INPUT -s YOURSERVERIP/32 -j DROP
    
    # Rule 6: Ho-Ho-Ho, Wait.. Its Not Christmas.. (XMAS Packets)
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    
    # Rule 7: OMG The Servers Seeing Blue (Smurf Attacks)
    iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
    or
    iptables -A INPUT -p icmp -j DROP
    
    # Rule 8: The More Advanced SYN Filter (Mod of top rule)
    iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
    or
    iptables -D INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
    
    # Rule 9: NO UDP EXCEPT DNS - UDP CAN GO CLIMB A TREE
    iptables -A INPUT -p udp --sport 53 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -j DROP
    iptables -A OUTPUT -p udp -j DROP
    

    TL;DR I Just Want To Copy And Paste.

    iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
    iptables -A PORT-SCANNING -j DROP
    
  • 相关阅读:
    登录被浏览器记住密码后,密码填充到密码框问题
    ThreadLocal为什么不使用Thread-value实现
    Linux AIO
    关于文件和socket读写的系统调用和库函数的一些小问题
    Maestro OAuth实现分析
    MySQL 两表join时加锁情况
    mysql基础之锁协议,事务隔离级别,加锁顺序
    MySQL中Timestamp和DateTime在JDBC和shell中的表现差异
    从git的问题模型理解git
    JVM类加载的符号解析
  • 原文地址:https://www.cnblogs.com/liujitao79/p/4059417.html
Copyright © 2011-2022 走看看