Apache Server guard against Dos

The Apache server's defenses against denial of service attacks are mainly achieved through the software Apache DoS evasive maneuvers Module. It is a mod_access replacement software that can be used against Dos attacks. The software can quickly deny duplicate requests from the same address to the same URL, by querying a hash table of each child process inside. to the site http://online/. securityfocus.com/data/tools/dospatch.tar.gz Download the software. The configuration of the software installation can be viewed in the Linux Chinese home page http://www.linux.gov.cn/Apache performance and Security Guide, the process is relatively simple, limited to the length of this is not covered. You can also use powerful Linux system commands to protect against Dos attacks.

Netstat-an | Grep-i "Server IP Address: 80" | awk {print $6} | Sort | uniq-c | Sort-n

This command automatically counts the number of States of the TCP connection, and if the SYN_RECV is high, it is not possible to exclude a denial-of-service attack based on the TCP protocol. Then you need to open tcp_syncookies:

Echo 1 >/proc/sys/net/ipv4/tcp_syncookies

If there is no/proc/sys/net/ipv4/tcp_syncookies, the kernel does not support syncookies and needs to recompile the kernel while reducing the number of SYN retries.

echo "1" >/proc/sys/net/ipv4/tcp_syn_retriesecho "1" >/proc/sys/net/ipv4/tcp_synack_retries

At the same time, increase syn_backlog to ensure user access:

echo "2048" >/proc/sys/net/ipv4/tcp_max_syn_backlog

Apache Server guard against Dos