Linux 阻斷Dos服務攻擊

房東：阿龍
發表時間：2007-03-09

/proc/sys 網路安全選項的調整
· 讓系統對 ping 沒有反應
· 讓系統對廣播沒有反應
· 取消 IP source routing
· 開啟 TCP SYN Cookie 保護
· 取消 ICMP 接受 Redirect
· 開啟錯誤訊息保護
· 開啟 IP 欺騙保護
· 記錄Spoofed Packets, Source Routed Packets, Redirect Packets
Redhat 6.1 的做法:
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> echo 0 > $f
> done
[root@deep /]# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> echo 0 > $f
> done
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 0 > $f
> done
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/log_martians; do
> echo 0 > $f
> done

Redhat 6.2 的做法:
編輯 "/etc/sysctl.conf" 檔案，並加入下面幾行，
# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
最後重新啟動 network
[root@deep /]# /etc/rc.d/init.d/network restart

贊助網站

廣利不動產-新板特區指名度最高、值得您信賴的好房仲
您的托付,廣利用心為您服務
廣利不動產-板橋在地生根最實在--新板特區指名度最高、值得您信賴的好房仲
完整房訊，房屋、店面熱門精選物件，廣利不動產優質仲介，房屋租賃、買賣資訊透明，交易真安心！

1 樓住戶：小優
發表時間：2007-03-09

/etc/rc.d/rc.local
## 設定核心的安全相關參數
# -----------------------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# 忽略發送至廣播位址的 PING 封包，以防內部電腦被當成 DDoS 攻擊的工具。
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# 忽略無效或錯誤的 ICMP 封包。
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# 阻擋來源路由封包，以防止入侵者藉由偽裝的方式入侵。
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# 阻擋 ICMP Redirect 封包 (路由器通知主機更改路由表的封包)，以防靜態路由表被竄改。
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# 禁止送出 ICMP Redirect 封包，避免內部電腦被當成入侵的工具。
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# 開啟核心逆向過濾功能 (Reverse Path Filtering)，以過濾不可能出現在某個網路介面的封包。
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# 使用 SYN cookes 功能，防止 SYN Flood 攻擊。
echo 3 > /proc/sys/net/ipv4/tcp_retries1
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
# 縮短 TCP 連線的重試次數與逾時時間，以減少 DoS 攻擊的危害

2 樓住戶：小優
發表時間：2007-03-09

nano -w /etc/sysctl.conf

如果該檔案為空，則輸入以下內容，否則請根據情況自己做調整︰

Quote:

# Controls source route verification
# Default should work for all interfaces
net.ipv4.conf.default.rp_filter = 1
# net.ipv4.conf.all.rp_filter = 1
# net.ipv4.conf.lo.rp_filter = 1
# net.ipv4.conf.eth0.rp_filter = 1

# Disables IP source routing
# Default should work for all interfaces
net.ipv4.conf.default.accept_source_route = 0
# net.ipv4.conf.all.accept_source_route = 0
# net.ipv4.conf.lo.accept_source_route = 0
# net.ipv4.conf.eth0.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Increase maximum amount of memory allocated to shm
# Only uncomment if needed!
# kernel.shmmax = 67108864

# Disable ICMP Redirect Acceptance
# Default should work for all interfaces
net.ipv4.conf.default.accept_redirects = 0
# net.ipv4.conf.all.accept_redirects = 0
# net.ipv4.conf.lo.accept_redirects = 0
# net.ipv4.conf.eth0.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
# Default should work for all interfaces
net.ipv4.conf.default.log_martians = 1
# net.ipv4.conf.all.log_martians = 1
# net.ipv4.conf.lo.log_martians = 1
# net.ipv4.conf.eth0.log_martians = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 25

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1200

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Turn on the tcp_sack
net.ipv4.tcp_sack = 1

# tcp_fack should be on because of sack
net.ipv4.tcp_fack = 1

# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Make more local ports available
# net.ipv4.ip_local_port_range = 1024 65000

# Set TCP Re-Ordering value in kernel to ‘5′
net.ipv4.tcp_reordering = 5

# Lower syn retry rates
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3

# Set Max SYN Backlog to ‘2048′
net.ipv4.tcp_max_syn_backlog = 2048

# Various Settings
net.core.netdev_max_backlog = 1024

# Increase the maximum number of skb-heads to be cached
net.core.hot_list_length = 256

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 360000

# This will increase the amount of memory available for socket input/output queues
net.core.rmem_default = 65535
net.core.rmem_max = 8388608
net.ipv4.tcp_rmem = 4096 87380 8388608
net.core.wmem_default = 65535
net.core.wmem_max = 8388608
net.ipv4.tcp_wmem = 4096 65535 8388608
net.ipv4.tcp_mem = 8388608 8388608 8388608
net.core.optmem_max = 40960

如果希望屏蔽別人 ping 你的主機，則加入以下代碼︰

Quote:

# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1

編輯完成後，請執行以下命令使變動立即生效︰

Code:

/sbin/sysctl -p
/sbin/sysctl -w net.ipv4.route.flush=1

　共 2 人回應　　選擇頁數【第1 頁】

姓名：

佈告內容：

其他選項: