When Oracle Database was recently installed on CentOS Linux, the EM (Enterprise Manager) installation failed because its network port was blocked by the firewall, so the first idea was to turn the firewall off. Disabling the firewall outright is the quick workaround; opening only the ports that are actually needed (the iptables commands further down do exactly that) is the safer choice on any machine that stays reachable from the network.
Fortunately the firewall has a text-mode configuration tool. Run the "setup" command to start the text-mode configuration utility, select "Firewall configuration" under "Choose a Tool", then press the "Run Tool" button. In the firewall configuration screen that appears, set the security level to Disabled and select OK.
Or, from the command line, open only the ports you need (here 80 and 22):
# /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# /sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# /etc/rc.d/init.d/iptables save
After a reboot the firewall still has ports 80 and 22 open, because the "save" step writes the running rules to /etc/sysconfig/iptables, which the iptables service loads at boot.
You do not have to reboot; restarting the service reloads the saved rules:
# /etc/init.d/iptables restart
Shutting the firewall down means stopping its service.
To view the firewall state and the current rules:
# /etc/init.d/iptables status
To stop the firewall service (until the next boot):
# /etc/init.d/iptables stop
To turn it off permanently, so that it no longer starts at boot, use chkconfig. Note that "--level" requires a list of runlevels as its argument (for example --level 2345); without one, the simplest correct form is:
# chkconfig iptables off
Several pages I read get this wrong; the following is the correct way:
# /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# /sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT
Then save the rules:
# /etc/rc.d/init.d/iptables save
And check that they are in place:
[root@vcentos ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
3    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Note that this listing shows two rules for port 80 (one UDP, one TCP) and no rule for port 22 at all, so always compare the output with the rules you intended to save rather than assuming the save step worked.
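As an added example (not from the original post), the following shell script, written for the CentOS iptables service used above, prints the commands that open a list of TCP ports and then checks a status listing for an ACCEPT rule on each of those ports, which is the verification step the listing above calls for. The function names are mine, and SAMPLE_STATUS is a constructed listing in the same format as the output above; on a real box pass the live output of /etc/init.d/iptables status instead.

```shell
#!/bin/sh
# Added example: generate the "open port" commands and verify a saved ruleset.
# SAMPLE_STATUS is a constructed copy of "/etc/init.d/iptables status"
# output (iptables -L -n --line-numbers format); on a live system use
#   missing_tcp_ports "$(/etc/init.d/iptables status)" 80 22
SAMPLE_STATUS='Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
3    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0'

# open_rules PORT... : print the commands that open each TCP port in INPUT.
# -I inserts at the top of the chain so the ACCEPT precedes the distribution's
# RH-Firewall-1-INPUT rule (whose chain ends in a REJECT); "save" writes the
# running rules to /etc/sysconfig/iptables so they survive a reboot.
open_rules() {
    for p in "$@"; do
        printf '/sbin/iptables -I INPUT -p tcp --dport %s -j ACCEPT\n' "$p"
    done
    printf '/etc/rc.d/init.d/iptables save\n'
}

# missing_tcp_ports LISTING PORT... : print every port that has no
# "ACCEPT tcp ... tcp dpt:PORT" rule in the INPUT chain of LISTING.
# Prints nothing when all ports are covered. The trailing ($|[^0-9]) keeps
# port 8 from matching "dpt:80".
missing_tcp_ports() {
    listing=$1
    shift
    for p in "$@"; do
        if ! printf '%s\n' "$listing" | awk -v port="$p" '
            /^Chain / { chain = $2 }
            chain == "INPUT" && $2 == "ACCEPT" && $3 == "tcp" &&
                $0 ~ ("tcp dpt:" port "($|[^0-9])") { found = 1 }
            END { exit(found ? 0 : 1) }'
        then
            echo "$p"
        fi
    done
}

# Against the constructed listing only port 80 is covered, so this prints 22.
missing_tcp_ports "$SAMPLE_STATUS" 80 22
```

Run it right after the save step; any port it prints is one you meant to open but whose rule never made it into the INPUT chain.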
The server is seeing a large number of connections in the SYN_RECV state on port 80, and the site cannot be opened.
There is no hardware defense.
Is there any way to solve this?
1.
sysctl -w net.ipv4.tcp_syncookies=1              # enable SYN cookies
sysctl -w net.ipv4.tcp_synack_retries=1          # reduce the SYN-ACK retry count
sysctl -w net.ipv4.tcp_syn_retries=1             # reduce the SYN retry count
sysctl -w net.ipv4.tcp_max_syn_backlog=6000      # maximum number of half-open connections
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0   # do not accept ICMP redirect packets
sysctl -w net.ipv4.tcp_fin_timeout=30
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.tcp_window_scaling=1
sysctl -w net.ipv4.icmp_echo_ignore_all=1        # ignore all ICMP echo requests (the host stops answering ping)
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # ignore broadcast ICMP echo requests
# sysctl -w takes effect immediately but is lost at reboot; put the same keys in /etc/sysctl.conf and run "sysctl -p" to keep them
2. Limit the number of new connections per unit of time, for example:
iptables -N syn-flood
iptables -A FORWARD -p tcp --syn -j syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 3/s --limit-burst 1 -j ACCEPT   # global budget: 3 SYNs per second, burst of 1
iptables -A syn-flood -j DROP                                                       # everything over the budget is dropped
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP               # drop packets that try to start a connection without SYN
iptables -A INPUT -p tcp --syn -m state --state NEW -j DROP                         # never reached for SYNs: the rule above already sent every SYN through syn-flood, which ends in ACCEPT or DROP
3. If that is still not enough:
iptables -A INPUT -p tcp --dport 80 -m recent --name bad_http_access --update --seconds <N> --hitcount 30 -j DROP
iptables -A INPUT -p tcp --dport 80 -m recent --name bad_http_access --set -j ACCEPT
# The original omits the --seconds value and the -j target: <N> is the window in seconds within which 30 hits from one source trigger the rule, and DROP is the usual target in this pattern (assumed here). The --update rule must stay before the --set rule. Note that on older kernels the xt_recent module rejects a --hitcount above its default of 20 remembered packets (ip_pkt_list_tot) when the rule is loaded.
If the attack traffic exceeds your server's bandwidth there is nothing you can do; if it does not, the methods above can temporarily keep port 80 reachable.
If your kernel already supports the iptables connlimit match, it can be used as well:
iptables -I FORWARD -p tcp --syn -m connlimit --connlimit-above 5 -j DROP     # connlimit counts existing connections per source address
or
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j REJECT   # clients behind one NAT address share this limit
What really works against a SYN flood is:
sysctl -w net.ipv4.tcp_syncookies=1       # enable SYN cookies
sysctl -w net.ipv4.tcp_synack_retries=1   # reduce the SYN-ACK retry count
The other iptables rate-limiting features cannot be used against a SYN flood (the denial of service is not stopped, but a server crash is prevented).
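As an added example (mine, not part of the question or the answer above), the following shell script triages the SYN_RECV pile-up the question describes from "netstat -ant" output, so that you can tell a flood concentrated on a few source addresses (where the per-source connlimit and recent rules above will bite) from one spread thinly over many sources, which is what a flood with spoofed source addresses looks like and where only SYN cookies help, as the answer concludes. The function names and the "spread / concentrated" threshold are my own heuristic, and SAMPLE_NETSTAT is a constructed listing in netstat's format.

```shell
#!/bin/sh
# Added example: triage a SYN_RECV pile-up from "netstat -ant" output before
# choosing a countermeasure. Function names are mine; SAMPLE_NETSTAT is a
# constructed listing. On the real server:
#   out=$(netstat -ant); syn_recv_count "$out"; syn_recv_sources "$out"
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.1:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.3:40003      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.4:40004      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40005       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40006       SYN_RECV
tcp        0      0 10.0.0.5:22             203.0.113.7:52000       ESTABLISHED'

# syn_recv_count LISTING : number of half-open (SYN_RECV) sockets.
syn_recv_count() {
    printf '%s\n' "$1" | awk '$6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# syn_recv_sources LISTING : "count address" per remote address, busiest first.
# The port is stripped from the foreign address so one host's SYNs add up.
syn_recv_sources() {
    printf '%s\n' "$1" | awk '$6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); c[$5]++ }
        END { for (a in c) print c[a], a }' | sort -rn
}

# syn_recv_verdict LISTING [THRESHOLD] : heuristic (mine; THRESHOLD defaults to 3):
#   none         - no half-open sockets at all
#   concentrated - some source holds >= THRESHOLD half-open sockets, so the
#                  per-source rules (connlimit, recent) will bite
#   spread       - every source holds fewer than THRESHOLD, typical of a flood
#                  with spoofed sources, where per-source limits cannot help
#                  and SYN cookies are the effective defence
syn_recv_verdict() {
    threshold=${2:-3}
    if [ "$(syn_recv_count "$1")" -eq 0 ]; then
        echo none
        return
    fi
    top=$(syn_recv_sources "$1" | head -n 1 | awk '{ print $1 }')
    if [ "$top" -ge "$threshold" ]; then
        echo concentrated
    else
        echo spread
    fi
}

# syncookies_state : current value of net.ipv4.tcp_syncookies (1 = enabled),
# or "unknown" where /proc is not readable.
syncookies_state() {
    if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
        cat /proc/sys/net/ipv4/tcp_syncookies
    else
        echo unknown
    fi
}

# Against the constructed listing: 6 half-open sockets over 5 sources, the
# busiest holding 2, so the verdict is "spread".
syn_recv_count "$SAMPLE_NETSTAT"
syn_recv_sources "$SAMPLE_NETSTAT"
syn_recv_verdict "$SAMPLE_NETSTAT"
syncookies_state
```

If the verdict is "spread", adding more per-source iptables rules only burns CPU on a ruleset that every spoofed address passes; confirm syncookies_state prints 1 and leave the rate limits as a crash guard, which is the distinction the answer draws.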