

Linux 防範 DoS (阻斷服務) 攻擊


/proc/sys 網路安全選項的調整
· 讓系統對 ping 沒有反應
· 讓系統對廣播沒有反應
· 取消 IP source routing
· 開啟 TCP SYN Cookie 保護
· 取消 ICMP 接受 Redirect
· 開啟錯誤訊息保護
· 開啟 IP 欺騙保護
· 記錄Spoofed Packets, Source Routed Packets, Redirect Packets
Redhat 6.1 的做法:
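# Redhat 6.1: write the hardening values straight into /proc/sys as root.
# They take effect immediately but are not persistent; the sysctl.conf
# method for Redhat 6.2 below is the persistent equivalent, and the values
# here should match it.

# Do not answer ICMP echo (ping) at all, nor echo requests sent to broadcast addresses.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Refuse source-routed packets on every interface.
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$f"
done

# SYN cookies against SYN floods.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Do not accept ICMP redirects on any interface.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$f"
done

# Ignore bogus ICMP error responses.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Reverse-path (source address) verification must be 1 to be ON; the original
# transcript wrote 0 here, which disables the "IP spoofing protection" the
# heading promises and disagrees with the sysctl.conf entry below.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

# Log spoofed, source-routed and redirect packets (again 1 = on; the original wrote 0).
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo 1 > "$f"
done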

Redhat 6.2 的做法:
編輯 "/etc/sysctl.conf" 檔案,並加入下面幾行:
# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
最後重新啟動 network
[root@deep /]# /etc/rc.d/init.d/network restart


  • 1 樓住戶:小優

    ## Kernel network-hardening parameters
    # -----------------------------------------------------------------------------
    # Write one value into /proc/sys/net/ipv4/<key>. Needs root; the change is
    # immediate and not persisted across reboots.
    set_ipv4_param() {
      printf '%s\n' "$2" > "/proc/sys/net/ipv4/$1"
    }

    # Ignore ICMP echo requests sent to broadcast addresses, so this host cannot be
    # turned into a reflector for a broadcast-based DDoS.
    set_ipv4_param icmp_echo_ignore_broadcasts 1
    # Ignore invalid or bogus ICMP error responses.
    set_ipv4_param icmp_ignore_bogus_error_responses 1
    # Drop source-routed packets, which let a sender choose the path to this host.
    set_ipv4_param conf/all/accept_source_route 0
    # Do not accept ICMP redirects (router notices that rewrite the host routing
    # table), so static routes cannot be altered from the network.
    set_ipv4_param conf/all/accept_redirects 0
    # Do not send ICMP redirects either, so this host cannot be used to reroute others.
    set_ipv4_param conf/all/send_redirects 0
    # Reverse Path Filtering: discard packets whose source address could not
    # legitimately arrive on the receiving interface.
    set_ipv4_param conf/all/rp_filter 1
    # SYN cookies, to withstand SYN flood attacks.
    set_ipv4_param tcp_syncookies 1
    # Fewer TCP retries and shorter timeouts limit the resources a DoS can hold.
    set_ipv4_param tcp_retries1 3
    set_ipv4_param tcp_fin_timeout 30
    set_ipv4_param tcp_keepalive_time 1400
    # The author also switches off window scaling, SACK and timestamps here;
    # the second reply in this thread turns all three back on.
    set_ipv4_param tcp_window_scaling 0
    set_ipv4_param tcp_sack 0
    set_ipv4_param tcp_timestamps 0

    2 樓住戶:小優

    # Open the sysctl configuration for editing; -w is nano's "no wrap" option.
    nano -w /etc/sysctl.conf



    # Controls source route verification
    # Default should work for all interfaces
    net.ipv4.conf.default.rp_filter = 1
    # net.ipv4.conf.all.rp_filter = 1
    # net.ipv4.conf.lo.rp_filter = 1
    # net.ipv4.conf.eth0.rp_filter = 1

    # Disables IP source routing
    # Default should work for all interfaces
    net.ipv4.conf.default.accept_source_route = 0
    # net.ipv4.conf.all.accept_source_route = 0
    # net.ipv4.conf.lo.accept_source_route = 0
    # net.ipv4.conf.eth0.accept_source_route = 0

    # Controls the System Request debugging functionality of the kernel
    kernel.sysrq = 0

    # Controls whether core dumps will append the PID to the core filename.
    # Useful for debugging multi-threaded applications.
    kernel.core_uses_pid = 1

    # Increase maximum amount of memory allocated to shm
    # Only uncomment if needed!
    # kernel.shmmax = 67108864

    # Disable ICMP Redirect Acceptance
    # Default should work for all interfaces
    net.ipv4.conf.default.accept_redirects = 0
    # net.ipv4.conf.all.accept_redirects = 0
    # net.ipv4.conf.lo.accept_redirects = 0
    # net.ipv4.conf.eth0.accept_redirects = 0

    # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
    # Default should work for all interfaces
    net.ipv4.conf.default.log_martians = 1
    # net.ipv4.conf.all.log_martians = 1
    # net.ipv4.conf.lo.log_martians = 1
    # net.ipv4.conf.eth0.log_martians = 1

    # Decrease the time default value for tcp_fin_timeout connection
    net.ipv4.tcp_fin_timeout = 25

    # Decrease the time default value for tcp_keepalive_time connection
    net.ipv4.tcp_keepalive_time = 1200

    # Turn on the tcp_window_scaling
    net.ipv4.tcp_window_scaling = 1

    # Turn on the tcp_sack
    net.ipv4.tcp_sack = 1

    # tcp_fack should be on because of sack
    net.ipv4.tcp_fack = 1

    # Turn on the tcp_timestamps
    net.ipv4.tcp_timestamps = 1

    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1

    # Enable ignoring broadcasts request
    net.ipv4.icmp_echo_ignore_broadcasts = 1

    # Enable bad error message Protection
    net.ipv4.icmp_ignore_bogus_error_responses = 1

    # Make more local ports available
    # net.ipv4.ip_local_port_range = 1024 65000

    # Set TCP Re-Ordering value in kernel to '5'
    net.ipv4.tcp_reordering = 5

    # Lower syn retry rates
    net.ipv4.tcp_synack_retries = 2
    net.ipv4.tcp_syn_retries = 3

    # Set Max SYN Backlog to '2048'
    net.ipv4.tcp_max_syn_backlog = 2048

    # Various Settings
    net.core.netdev_max_backlog = 1024

    # Increase the maximum number of skb-heads to be cached
    net.core.hot_list_length = 256

    # Increase the tcp-time-wait buckets pool size
    net.ipv4.tcp_max_tw_buckets = 360000

    # This will increase the amount of memory available for socket input/output queues
    net.core.rmem_default = 65535
    net.core.rmem_max = 8388608
    net.ipv4.tcp_rmem = 4096 87380 8388608
    net.core.wmem_default = 65535
    net.core.wmem_max = 8388608
    net.ipv4.tcp_wmem = 4096 65535 8388608
    net.ipv4.tcp_mem = 8388608 8388608 8388608
    net.core.optmem_max = 40960

    如果希望屏蔽別人 ping 你的主機,則加入以下代碼︰


    # Disable ping requests
    net.ipv4.icmp_echo_ignore_all = 1



    # Reload every setting from /etc/sysctl.conf so the edits above take effect.
    /sbin/sysctl -p
    # Flush the kernel routing cache.
    /sbin/sysctl -w net.ipv4.route.flush=1

