Linux: blocking DoS (denial of service) attacks
Original post by 阿龍, posted 2007-03-09
Tuning the network security options under /proc/sys:
· Make the system not respond to ping
· Make the system not respond to broadcasts
· Disable IP source routing
· Enable TCP SYN cookie protection
· Disable acceptance of ICMP redirects
· Enable bad error message protection
· Enable IP spoofing protection
· Log spoofed packets, source-routed packets and redirect packets

Method for Redhat 6.1:

Code:
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> echo 0 > $f
> done
[root@deep /]# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> echo 0 > $f
> done
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do   # 1 enables source address verification (reverse path filtering)
> echo 1 > $f
> done
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/log_martians; do   # 1 enables logging of spoofed, source-routed and redirect packets
> echo 1 > $f
> done

Method for Redhat 6.2: edit the "/etc/sysctl.conf" file and add the following lines:

Code:
# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

Finally, restart the network:

Code:
[root@deep /]# /etc/rc.d/init.d/network restart
Reply #1 by 小優, posted 2007-03-09
/etc/rc.d/rc.local

Code:
## Kernel security-related parameters
# -----------------------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore PING packets sent to broadcast addresses, so internal machines cannot be used as tools for DDoS attacks.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Ignore invalid or bogus ICMP packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Block source-routed packets, to prevent intruders from getting in by spoofing.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Block ICMP Redirect packets (sent by routers to tell a host to change its routing table), to prevent the static routing table from being tampered with.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Do not send ICMP Redirect packets, so internal machines cannot be used as a tool for intrusion.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Enable the kernel's Reverse Path Filtering, to drop packets that could not legitimately arrive on a given network interface.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Use SYN cookies to prevent SYN Flood attacks.
echo 3 > /proc/sys/net/ipv4/tcp_retries1
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
# Shorten TCP connection retry counts and timeouts to reduce the impact of DoS attacks.
Reply #2 by 小優, posted 2007-03-09
Run nano -w /etc/sysctl.conf. If the file is empty, enter the following; otherwise adjust it to suit your own situation:

Quote:
# Controls source route verification
# Default should work for all interfaces
net.ipv4.conf.default.rp_filter = 1
# net.ipv4.conf.all.rp_filter = 1
# net.ipv4.conf.lo.rp_filter = 1
# net.ipv4.conf.eth0.rp_filter = 1

# Disables IP source routing
# Default should work for all interfaces
net.ipv4.conf.default.accept_source_route = 0
# net.ipv4.conf.all.accept_source_route = 0
# net.ipv4.conf.lo.accept_source_route = 0
# net.ipv4.conf.eth0.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Increase maximum amount of memory allocated to shm
# Only uncomment if needed!
# kernel.shmmax = 67108864

# Disable ICMP Redirect Acceptance
# Default should work for all interfaces
net.ipv4.conf.default.accept_redirects = 0
# net.ipv4.conf.all.accept_redirects = 0
# net.ipv4.conf.lo.accept_redirects = 0
# net.ipv4.conf.eth0.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
# Default should work for all interfaces
net.ipv4.conf.default.log_martians = 1
# net.ipv4.conf.all.log_martians = 1
# net.ipv4.conf.lo.log_martians = 1
# net.ipv4.conf.eth0.log_martians = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 25

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1200

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Turn on the tcp_sack
net.ipv4.tcp_sack = 1

# tcp_fack should be on because of sack
net.ipv4.tcp_fack = 1

# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Make more local ports available
# net.ipv4.ip_local_port_range = 1024 65000

# Set TCP Re-Ordering value in kernel to '5'
net.ipv4.tcp_reordering = 5

# Lower syn retry rates
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3

# Set Max SYN Backlog to '2048'
net.ipv4.tcp_max_syn_backlog = 2048

# Various Settings
net.core.netdev_max_backlog = 1024

# Increase the maximum number of skb-heads to be cached
net.core.hot_list_length = 256

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 360000

# This will increase the amount of memory available for socket input/output queues
net.core.rmem_default = 65535
net.core.rmem_max = 8388608
net.ipv4.tcp_rmem = 4096 87380 8388608
net.core.wmem_default = 65535
net.core.wmem_max = 8388608
net.ipv4.tcp_wmem = 4096 65535 8388608
net.ipv4.tcp_mem = 8388608 8388608 8388608
net.core.optmem_max = 40960

If you want to stop others from pinging your host, add the following as well:

Quote:
# Disable ping requests
net.ipv4.icmp_echo_ignore_all = 1

After editing, run the following commands so the changes take effect immediately:

Code:
/sbin/sysctl -p
/sbin/sysctl -w net.ipv4.route.flush=1
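An added example, not code from any of the posters: a small audit that parses a sysctl.conf and reports every DoS-hardening key from this thread that is missing or set to a weak value. The baseline values come from the settings discussed above; it checks the `net.ipv4.conf.all.*` keys (not `default.*`, which only seeds interfaces created later), and the sample config is constructed.

```python
# Added example: audit a sysctl.conf against the DoS-hardening keys in this thread.

# Expected values for the hardening-relevant keys from the thread.
BASELINE = {
    "net.ipv4.conf.all.rp_filter": "1",            # reverse-path (anti-spoof) filter
    "net.ipv4.conf.all.accept_source_route": "0",  # reject source-routed packets
    "net.ipv4.conf.all.accept_redirects": "0",     # ignore ICMP redirects
    "net.ipv4.conf.all.send_redirects": "0",       # do not emit ICMP redirects
    "net.ipv4.conf.all.log_martians": "1",         # log spoofed/martian packets
    "net.ipv4.tcp_syncookies": "1",                # SYN-flood protection
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",   # no smurf amplification
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
}


def parse_sysctl_conf(text: str) -> dict:
    """Parse sysctl.conf syntax: 'key = value' lines; '#' and ';' start comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = " ".join(value.split())  # normalise multi-value entries
    return settings


def audit(settings: dict, baseline: dict = BASELINE) -> dict:
    """Return {key: (actual_or_None, expected)} for each baseline key that is
    absent from the config (kernel default applies) or set to another value."""
    return {key: (settings.get(key), expected)
            for key, expected in baseline.items()
            if settings.get(key) != expected}


# Constructed sample config: one weak value (rp_filter = 0), one missing key
# (icmp_echo_ignore_broadcasts) and a multi-value entry with irregular spacing.
SAMPLE_CONF = """\
# Controls source route verification
net.ipv4.conf.all.rp_filter = 0        # weak: spoof filter disabled
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_rmem = 4096   87380   8388608
"""

if __name__ == "__main__":
    for key, (actual, expected) in audit(parse_sysctl_conf(SAMPLE_CONF)).items():
        print(f"{key}: found {actual!r}, expected {expected!r}")
```

To check a live host rather than a file, feed it the output of `sysctl -a`, which uses the same `key = value` syntax.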