You can never be too careful: there are always some bored or ill-intentioned people on the Internet. Without further ado, on to the practical part: configuring APF on a VPS to defend against low-volume DDoS attacks.
Large-volume DDoS attacks require a hardware firewall at the data center; the VPS itself may not be able to withstand them.
1. Install DDoS deflate
DDoS deflate works by using the netstat command to find individual IPs that open an excessive number of connections and rejecting those IPs with the iptables firewall. Because filtering in iptables is far more efficient than handling the connections at the Apache level, iptables becomes the "filter" that runs in front of Apache. DDoS deflate can also be set up to use APF (Advanced Policy Firewall) for IP blocking.
    wget http://www.inetbase.com/scripts/ddos/install.sh
    chmod +x install.sh
    ./install.sh
Main features and configuration
1) An IP whitelist can be set in /usr/local/ddos/ignore.ip.list;
2) The main configuration file is /usr/local/ddos/ddos.conf; open it and make simple edits following the prompts in the file;
3) DDoS deflate can block an IP and automatically unblock it after a preset interval;
4) The configuration file sets how often network connections are checked;
5) An email alert can be sent when an IP is blocked.
Simple configuration:
    FREQ=1 # check frequency: once every 1 minute
    NO_OF_CONNECTIONS=100 # a single IP with more than 100 connection requests is treated as a DDoS
    APF_BAN=1 # set to 1 to block IPs with APF (APF needs to be pre-installed); set to 0 to use iptables
    KILL=1 # whether to block
    EMAIL_TO="webmaster@firstVM.com" # address that receives the alert email
    BAN_PERIOD=600 # block duration, 10 minutes
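The per-IP connection count described above, with the connection limit and the ignore list applied, as an added example that is not DDoS deflate's own script. The function names, the sample rows and the limit of 3 are constructed for illustration; the sample uses documentation address ranges.

```shell
#!/bin/sh
# Added example (not DDoS deflate's own code): count connections per remote IP.
# Usage: netstat -ntu | find_offenders LIMIT [IGNORE_FILE]
# Prints "COUNT IP" for every remote IPv4 address with more than LIMIT
# connections, skipping addresses listed one per line in IGNORE_FILE.
find_offenders() {
    limit=$1
    ignore_file=${2:-}
    awk -v limit="$limit" -v ignore="$ignore_file" '
        BEGIN {
            # Load the whitelist; comments and blank lines are skipped.
            while (ignore != "" && (getline line < ignore) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                if (line != "") skip[line] = 1
            }
        }
        # Only tcp/udp rows have a foreign address (column 5).
        $1 ~ /^(tcp|udp)/ {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)   # strip the port
            sub(/^::ffff:/, "", addr)    # IPv4-mapped IPv6 to plain IPv4
            if (addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (addr != "0.0.0.0" && !(addr in skip)) count[addr]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -rn
}

# Constructed sample in `netstat -ntu` layout, not captured from a real host.
sample_netstat() {
    echo "Active Internet connections (w/o servers)"
    echo "Proto Recv-Q Send-Q Local Address Foreign Address State"
    for port in 51000 51001 51002 51003 51004; do
        echo "tcp 0 0 192.0.2.10:80 203.0.113.7:$port ESTABLISHED"
    done
    for port in 40000 40001 40002 40003; do
        echo "tcp6 0 0 ::ffff:192.0.2.10:80 ::ffff:198.51.100.9:$port SYN_RECV"
    done
    echo "tcp 0 0 192.0.2.10:22 192.0.2.50:60000 ESTABLISHED"
    echo "udp 0 0 192.0.2.10:53 0.0.0.0:*"
}

# A limit of 3 keeps the sample short; the configuration above uses 100.
sample_netstat | find_offenders 3
```

Running the function against live `netstat -ntu` output before enabling blocking shows which addresses a given limit would catch, so that proxies or monitoring hosts can be added to the ignore list first.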
2. Install and configure APF
APF (Advanced Policy Firewall) is a software firewall for Linux from R-fx Networks. It is built on iptables rules, is easy to understand and use, and is used by most Linux server administrators.
It is suitable for people who are not familiar with iptables, because it is relatively simple to install and configure yet very powerful.
Script installation:
    root@linux:/home/zhangy # wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
    root@linux:/home/zhangy # tar -xvzf apf-current.tar.gz
    root@linux:/home/zhangy # cd apf-9.7-1
    root@linux:/home/zhangy/apf-9.7-1
On Ubuntu it can be installed quickly:
    sudo aptitude install apf-firewall
Configuration:
Page through the configuration file and find:
    # Configure inbound (ingress) accepted services. This is an optional
    # feature; services and customized entries may be made directly to an IP's
    # virtual net file located in the vnet/ directory. The format is comma separated
    # and underscore separator for ranges.
    # Example:
    # IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
    # IG_UDP_CPORTS="20,21,53,123"
    # IG_ICMP_TYPES="3,5,11,0,30,8"
    # Common inbound (ingress) TCP ports