Linux firewall against DoS and DDoS attacks

Source: Internet
Author: User

Using the Linux firewall to defend against network attacks
Servers run by virtual hosting (VM) providers get attacked while in operation; the common attacks are SYN floods and DDoS. Moving the attacked site to a different IP address can dodge an attack, but the service interruption is long. The thorough fix is a hardware firewall, but hardware firewalls are expensive. A cheaper option is the firewall functionality that the Linux system itself provides.
1. Resisting SYN floods
A SYN flood abuses the TCP three-way handshake: the attacker sends a large number of connection-opening (SYN) packets but never completes the handshake, so the server's queue of half-open connections fills up and normal users can no longer connect.
The Linux kernel exposes several SYN-related settings. List them with:
sysctl -a | grep syn
which shows, for example:
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
tcp_max_syn_backlog is the length of the SYN (half-open connection) queue. tcp_syncookies switches SYN cookies on or off; with cookies enabled the kernel can keep accepting connections once that queue is full, which blunts a SYN flood. tcp_synack_retries is how many times the server retransmits its SYN-ACK for a half-open connection before giving up, so lowering it frees queue slots sooner. tcp_syn_retries is the same counter for connections the host itself opens; lowering it does nothing against an incoming flood, although it is harmless on a server.
The adjustments are therefore: lengthen the SYN queue so more pending connections fit, enable SYN cookies, and reduce the retry counts. Note that the queue length a listening socket actually gets is also bounded by the backlog the application passes to listen() and by net.core.somaxconn.
To adjust these settings:
Increase the SYN queue length to 2048:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
Enable SYN cookies:
sysctl -w net.ipv4.tcp_syncookies=1
Reduce the retry counts:
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
To keep these settings across reboots, add the commands to /etc/rc.d/rc.local, or put the corresponding key = value lines into /etc/sysctl.conf, which sysctl -p loads at boot.
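The following shell script is an added example and is not part of the original article: it audits the four settings above against the hardened values (2048, 1, 3, 3) and emits the matching sysctl -w commands for whatever deviates. The SAMPLE text is a constructed copy of sysctl output from an unhardened host so the script runs offline; the min/max/eq comparison scheme and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): audit the SYN-related sysctls
# against a hardened baseline and print the sysctl -w commands needed to fix them.
# SAMPLE is a constructed copy of `sysctl -a | grep syn` from an unhardened host;
# on a live box run:  audit "$(sysctl -a 2>/dev/null | grep syn)"

SAMPLE='net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5'

# Baseline: key, comparison, value. "min" = current must be >= value (a bigger
# queue is fine), "max" = current must be <= value (fewer retries is fine),
# "eq" = must equal value.
BASELINE='net.ipv4.tcp_max_syn_backlog min 2048
net.ipv4.tcp_syncookies eq 1
net.ipv4.tcp_synack_retries max 3
net.ipv4.tcp_syn_retries max 3'

# get_value <sysctl-output> <key>: print the current value of <key>, empty if absent
get_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $3 }'
}

# audit <sysctl-output>: print "key current wanted" for every deviation from BASELINE
audit() {
    printf '%s\n' "$BASELINE" | while read -r key op want; do
        have=$(get_value "$1" "$key")
        # a missing key (e.g. syncookies compiled out of the kernel) is always a finding
        if [ -n "$have" ]; then
            case $op in
                min) [ "$have" -ge "$want" ] && continue ;;
                max) [ "$have" -le "$want" ] && continue ;;
                eq)  [ "$have" -eq "$want" ] && continue ;;
            esac
        fi
        printf '%s %s %s\n' "$key" "${have:-missing}" "$want"
    done
}

# fix_commands <sysctl-output>: one sysctl -w line per deviation; pipe into sh as root
fix_commands() {
    audit "$1" | while read -r key _ want; do
        printf 'sysctl -w %s=%s\n' "$key" "$want"
    done
}

# deviation_count <sysctl-output>: number of findings, 0 when the host is hardened
deviation_count() {
    audit "$1" | awk 'END { print NR }'
}

# stand-alone run: report on the constructed sample
audit "$SAMPLE"
fix_commands "$SAMPLE"
```

Running the script on the sample reports all four settings and prints the four sysctl -w lines; on a host where the values are already at or beyond the baseline it prints nothing, so it can be dropped into a cron job or a post-boot check.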
2. Resisting DDoS attacks
In a DoS (denial of service) or DDoS (distributed denial of service) attack the attacker opens a large number of connections to a common port such as 80 or 25, in the distributed case from many hosts with different source addresses. These clients only open connections and never make a normal request. Because Apache accepts a limited number of simultaneous connections (MaxClients, whose compiled-in default is 256), the "fake" connections fill Apache up and legitimate requests fail.
Linux provides the ipchains firewall tool (the packet filter of the 2.2-series kernels; iptables replaced it later, see section 3) to block connections from specific IP addresses or address ranges to specific ports. To use ipchains against a DDoS, first use netstat to find the attack's source addresses, then use ipchains to block them, one source at a time as you find it.
* Enabling ipchains
First check whether the ipchains service is set to start automatically:
chkconfig --list ipchains
The output is normally:
ipchains        0:off   1:off   2:on    3:on    4:on    5:on    6:off
If runlevels 3, 4 and 5 show on, the service is already set to start at boot.
If not, run:
chkconfig --add ipchains
to set ipchains to start automatically.
Next, check that the configuration file /etc/sysconfig/ipchains exists. Without it ipchains does nothing, even when the service is set to start automatically. The default ipchains configuration file looks like this:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
# Allow HTTP, FTP, SMTP, ssh, domain via TCP; domain via UDP
-A input -p tcp -s 0/0 -d 0/0 pop3 -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 http -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 https -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 ftp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 smtp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 ssh -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 domain -y -j ACCEPT
-A input -p udp -s 0/0 -d 0/0 domain -j ACCEPT
# Deny ICMP packets
#-A input -p icmp -s 0/0 -d 0/0 -j DENY
# Default rules
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
If /etc/sysconfig/ipchains does not exist, create it with the content above. Then start the ipchains service:
/etc/init.d/ipchains start
* Finding the attack source with netstat
If the attacker is hitting port 80 of the web server, list the IP addresses and ports of the clients connected to port 80:
netstat -ant | grep ':80 ' | awk '{printf "%s %s\n", $5, $6}' | sort
Output:
161.2.8.9:123 FIN_WAIT2
161.2.8.9:124 FIN_WAIT2
61.233.85.253:23656 FIN_WAIT2
...
The first column is the client IP address and port, the second the connection state. (The pattern ':80 ' with a trailing space keeps connections to ports such as 8080 out of the list.)
Many connections from the same IP address (say more than 50), on consecutive client ports, are very likely an attack.
To see only fully established connections, add a filter on the state:
netstat -ant | grep ':80 ' | grep ESTABLISHED | awk '{printf "%s %s\n", $5, $6}' | sort
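As an added example that is not from the original article, the script below automates the check just described: it counts connections per remote IP in netstat -ant output, anchoring on the full local port so that :8080 is not mistaken for :80, and measures the longest run of consecutive client ports coming from one address. The netstat lines in gen_sample are constructed (one client with 60 half-closed connections on consecutive ports, two normal clients); the function names and the 50-connection threshold are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original article): pick the attack sources out of
# `netstat -ant` output. gen_sample builds a constructed listing in netstat's column
# layout (Proto Recv-Q Send-Q Local Foreign State); on a real host use
#   netstat -ant | suspicious_sources 50

gen_sample() {
    i=0
    # 60 half-closed connections from one client on consecutive source ports:
    # the pattern the text describes as an attack
    while [ "$i" -lt 60 ]; do
        printf 'tcp        0      0 10.0.0.5:80            218.202.8.151:%d      FIN_WAIT2\n' $((40000 + i))
        i=$((i + 1))
    done
    # ordinary clients
    printf 'tcp        0      0 10.0.0.5:80            61.233.85.253:23656    ESTABLISHED\n'
    printf 'tcp        0      0 10.0.0.5:80            161.2.8.9:123          ESTABLISHED\n'
    # a connection to port 8080, which a plain grep ":80" would wrongly count
    printf 'tcp        0      0 10.0.0.5:8080          161.2.8.9:124          ESTABLISHED\n'
}

# suspicious_sources <threshold> [port]: read netstat lines on stdin and print
# "count ip" for every remote IP with more than <threshold> connections to the
# local port (default 80), busiest first
suspicious_sources() {
    awk -v limit="$1" -v port="${2:-80}" '
        $1 == "tcp" && $4 ~ (":" port "$") {   # match the whole local port: :80 is not :8080
            split($5, a, ":")                   # remote address is ip:port
            n[a[1]]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# consecutive_ports <ip>: read netstat lines on stdin and print the longest run of
# consecutive client ports seen from <ip>. A long run means one process opening
# sockets in a loop rather than many independent users.
consecutive_ports() {
    awk -v ip="$1" '
        $1 == "tcp" { split($5, a, ":"); if (a[1] == ip) print a[2] }
    ' | sort -n | awk '
        NR == 1 || $1 != prev + 1 { run = 0 }
        { run++; if (run > best) best = run; prev = $1 }
        END { print best + 0 }
    '
}

# stand-alone run on the constructed sample
gen_sample | suspicious_sources 50
gen_sample | consecutive_ports 218.202.8.151
```

On the sample this reports 60 218.202.8.151 and a run of 60 consecutive ports; feeding the first column of that output to the blocking script further down is the natural next step.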
* Blocking the attack source with ipchains
There are two ways to block a source with ipchains: add a rule to /etc/sysconfig/ipchains and restart the ipchains service, or issue an ipchains command directly. After blocking, you may need to restart the attacked service so that the attack's existing connections are dropped.
* Adding to /etc/sysconfig/ipchains
Suppose connections from 218.202.8.151 to port 80 are to be blocked. Edit /etc/sysconfig/ipchains and, directly after the line
:output ACCEPT
add:
-A input -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT
Putting it there makes it the first rule in the chain, ahead of the rule that accepts HTTP. Save the file and restart ipchains:
/etc/init.d/ipchains restart
To block the whole 218.202.8.0/24 network instead, add:
-A input -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT
* Using the command line directly
Editing /etc/sysconfig/ipchains and restarting the service is slow, and connections can slip through while the rules are being reloaded. The quickest method is the ipchains command itself.
To block connections from 218.202.8.151 to port 80:
ipchains -I input 1 -p tcp -s 218.202.8.151 -d 0/0 http -y -j REJECT
To block the whole 218.202.8.0/24 network:
ipchains -I input 1 -p tcp -s 218.202.8.0/255.255.255.0 -d 0/0 http -y -j REJECT
Here -I means insert, input is the chain, and 1 makes the new rule the first in the chain, so it is checked before the rule that accepts HTTP.
A small shell script makes this easier:
vi blockit
Contents:
#!/bin/sh
# Block new HTTP connections from the address or network given as the first argument
if [ -n "$1" ]; then
    echo "Blocking: $1"
    ipchains -I input 1 -p tcp -s "$1" -d 0/0 http -y -j REJECT
else
    echo "Which IP to block?"
fi
Save it, then:
chmod 700 blockit
Usage:
./blockit 218.202.8.151
./blockit 218.202.8.0/255.255.255.0
Rules added from the command line are lost on reboot. Use ipchains-save to print the current rules:
ipchains-save
Output:
:input ACCEPT
:forward ACCEPT
:output ACCEPT
Saving `input'.
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 110:110 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 88:88 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 89:89 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 90:90 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 91:91 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8180:8180 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 443:443 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 9095:9095 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8007:8007 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:1023 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:1023 -p 17 -j REJECT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -p 17 -j REJECT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 6000:6009 -p 6 -j REJECT -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 7100:7100 -p 6 -j REJECT -y
(ipchains-save writes protocols as numbers: 6 is TCP, 17 is UDP.) Remove the status line Saving `input'. and save the rest as /etc/sysconfig/ipchains; the rules you added are then restored on the next boot.
3. If iptables is used
From Red Hat 8.0 on, iptables replaces ipchains. The two are similar but not identical.
* Enabling iptables
If /etc/sysconfig/iptables does not exist, create it:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport http -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport mysql -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport domain -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
This configuration allows ftp, ssh, http, smtp, pop3, mysql, 2001 (a host-specific application port) and domain (DNS).
* Starting iptables
/etc/init.d/iptables start
* Setting iptables to start automatically
chkconfig --level 2345 iptables on
* Blocking an IP address with iptables
iptables -I RH-Lokkit-0-50-INPUT 1 -p tcp -m tcp -s 213.8.166.227 --dport 80 --syn -j REJECT
The differences from ipchains are:
- the chain name after -I is not a fixed input but whichever chain /etc/sysconfig/iptables defines (here RH-Lokkit-0-50-INPUT);
- the TCP match module is loaded with -m tcp;
- the port is given as --dport 80;
- --syn matches only packets with the SYN flag set, i.e. new connection attempts. It is the counterpart of the ipchains -y flag; it does not detect SYN attacks by itself.
Rate-limiting ping with iptables (the first rule accepts at most 6 echo requests per minute with a burst of 2, the second rejects the rest; this throttles ping rather than disabling it outright):
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 2 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
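The script below is an added example, not code from the original article. It turns the one-off command above into a generated /etc/sysconfig/iptables ruleset that blocks a list of sources in the RH-Lokkit-0-50-INPUT chain ahead of the accept rules, includes the ping rate-limit rules, and validates every address first so that a string copied from a log (for example "1.2.3.4 -j ACCEPT") cannot be turned into extra iptables options. The chain name comes from the configuration above; the addresses, the short service list (22 and 80) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Generates a complete
# iptables-restore file (the format of /etc/sysconfig/iptables) that blocks a list
# of attack sources in the lokkit chain and rate-limits ping. The chain name is
# taken from the configuration above; every address used here is constructed.
# Live use (as root):
#   render_ruleset 218.202.8.151 213.8.166.0/24 > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
# or, to add one address without reloading:  block_cmd 218.202.8.151 | sh

CHAIN=RH-Lokkit-0-50-INPUT   # chain defined in /etc/sysconfig/iptables above

# valid_cidr <addr>: accept only a.b.c.d or a.b.c.d/len (len 0-32). Anything else,
# including "1.2.3.4 -j ACCEPT" pasted from a log, is refused before it can reach
# an iptables command line.
valid_cidr() {
    case $1 in
        ''|*/*/*|*[!0-9./]*) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F/ '
        NF > 2 || (NF == 2 && ($2 !~ /^[0-9]+$/ || $2 > 32)) { exit 1 }
        split($1, o, ".") != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if (o[i] == "" || o[i] > 255) exit 1; exit 0 }
    '
}

# rule_body <src>: match and target shared by both forms below: new (SYN)
# connections to port 80 from <src> are rejected, the counterpart of the
# ipchains "-y" rule in section 2
rule_body() {
    valid_cidr "$1" || { echo "rule_body: bad address '$1'" >&2; return 1; }
    printf '%s\n' "-p tcp -m tcp -s $1 --dport 80 --syn -j REJECT"
}

# block_cmd <src>: the one-off command, inserted at position 1 so it is consulted
# before the rule that accepts http
block_cmd() {
    body=$(rule_body "$1") || return 1
    printf '%s\n' "iptables -I $CHAIN 1 $body"
}

# render_ruleset <src>...: full iptables-restore input. Every source is validated
# before the first line is printed, so a bad address cannot leave a half-written file.
render_ruleset() {
    for src in "$@"; do
        valid_cidr "$src" || { echo "render_ruleset: bad address '$src'" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ":$CHAIN - [0:0]" "-A INPUT -j $CHAIN" \
        "-A $CHAIN -i lo -j ACCEPT"
    # block rules go first: the first matching rule in a chain decides
    for src in "$@"; do
        printf '%s\n' "-A $CHAIN $(rule_body "$src")"
    done
    # ping: at most 6 echo requests a minute (burst 2), the rest rejected;
    # then the services this host offers and the lokkit default rejects
    printf '%s\n' \
        "-A $CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 2 -j ACCEPT" \
        "-A $CHAIN -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable" \
        "-A $CHAIN -p tcp -m tcp --dport 22 -j ACCEPT" \
        "-A $CHAIN -p tcp -m tcp --dport 80 -j ACCEPT" \
        "-A $CHAIN -p tcp -m tcp --dport 0:1023 --syn -j REJECT" \
        "-A $CHAIN -p udp -m udp --dport 0:1023 -j REJECT" \
        COMMIT
}

# stand-alone run: print the generated ruleset for two constructed sources
render_ruleset 218.202.8.151 213.8.166.0/24
```

Because the whole file is regenerated from the list of sources, the blocked addresses survive a reboot without the save-and-edit round trip described for ipchains, and the validation step is what makes it safe to feed the script from the netstat output rather than from hand-typed addresses.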
################################################################################


Anti-DDoS in Linux
Method 1: a simple measure, and not a very effective one. On Linux the web server is usually Apache, listening on port 80 because that is what everyone expects. You can move the service to another port by editing httpd.conf. If you don't know where the file is on your system, find it:
find / -name httpd.conf
Then:
vi /path/to/httpd.conf
Find
Listen 80
and change it to
Listen 8080
Restart Apache so that the site runs on port 8080.
Method 2: if the attacker is paying attention, after method 1 they simply attack port 8080 instead and the server still goes down. Blocking the attack properly needs iptables. Install iptables and configure it. (Any current distribution ships iptables as a package; building from source, as described here, is only needed on old systems without it.)
Download iptables from:
http://www.netfilter.org/downloads.html
The file is usually named iptables-1.*.*.tar.bz2.
After downloading, unpack it:
tar -xvjf ./iptables-1.*.*.tar.bz2 -C /usr/src
(here it is unpacked into /usr/src). Then:
cd /usr/src/iptables-1.*.*
Build and install:
make
make install
Check with iptables -V that it was installed correctly.
If that reports the command is not found, copy the binary into place:
cp ./iptables /sbin
Using iptables:
Once iptables is installed, block ICMP:
iptables -A OUTPUT -p icmp -d 0/0 -j DROP
What does this do? Most visibly, your server's IP address can no longer be pinged, which fends off some attacks. (Dropping all outgoing ICMP also suppresses the ICMP error messages the host should send, for instance for path MTU discovery; filtering incoming echo requests on INPUT, as in the rate-limit rules of section 3, is the cleaner option.)
If, say, your ISP tells you that the DDoS comes from source IP 200.200.200.1, block all traffic from that address with:
iptables -A INPUT -s 200.200.200.1 -J DROP
A whole network can be given in CIDR form, e.g. 200.200.200.0/24 (the wildcard form 200.200.200.* is not accepted by iptables).
After running the command, enter:
iptables -L
which shows:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  200.200.200.1        anywhere
Each rule in a chain has a number; the first rule you add to INPUT is number 1 (iptables -L INPUT --line-numbers shows the numbers). To delete that rule:
iptables -D INPUT 1
During a DDoS many of the source IP addresses are spoofed. If you can find the attacker's source MAC address (unlikely, and only meaningful when the sender is on your own network segment; from anywhere else you only ever see your router's MAC), you can drop traffic from that MAC address:
iptables -A INPUT -m mac --mac-source 00:0b:ab:45:56:42 -j DROP
These are simple uses. The English document below covers more; adapt the iptables rules to your own situation.
One more thing: after the first install, the rules you enter are lost when the server reboots and would have to be entered again, which is tedious. To avoid that, save them (on Red Hat, service iptables save writes them to /etc/sysconfig/iptables; elsewhere, iptables-save > /etc/sysconfig/iptables) and let the init script restore them at boot:
/etc/init.d/iptables start
An English document:
http://www.cae.wisc.edu/site/public?title=liniptables
Another article on defending Linux against DDoS:
http://www.yolinux.com/TUTORIALS
...ternetsecurity.html
That is all about iptables for now.
Finally, if the attack is a large-scale distributed one, the last resort is to point your domain name at 127.0.0.1 until it subsides.

 
