Networks are becoming more and more widespread, and network attacks are increasing along with them, so how can they be defended against? A more thorough solution is to install a hardware firewall, but hardware firewalls are expensive. Consider instead using the firewall capabilities of the Linux system itself. Here is how to set up the Linux system firewall.
1. Resist SYN
A SYN attack exploits the three-way handshake of the TCP/IP protocol: the attacker sends a large number of connection request packets but never actually completes the connections. The end result is that the connection queue of the attacked server is filled up and normal users cannot connect.
The Linux kernel provides several SYN-related configurations, using the command:
sysctl -a | grep syn
You will see output similar to:
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
tcp_max_syn_backlog is the length of the SYN queue; tcp_syncookies is a switch that turns the SYN cookie feature on or off, which can defend against part of a SYN attack; tcp_synack_retries and tcp_syn_retries define the number of SYN retries.
Increasing the SYN queue length allows more half-open connections to wait in the queue, turning on the SYN cookie feature defends against part of a SYN attack, and reducing the number of retries also has some effect.
The method for adjusting the above settings is:
Increase the SYN queue length to 2048:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
Turn on the SYN cookie feature:
sysctl -w net.ipv4.tcp_syncookies=1
Reduce the number of retries:
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
These commands can be added to the /etc/rc.d/rc.local file so that the settings above are kept when the system restarts.
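The following script is an added example, not code from the original article. It audits the four SYN-related settings discussed above: it parses the text produced by `sysctl -a` (a constructed sample with the article's default values is embedded so it runs offline), reports every setting that is weaker than the value the article recommends, and prints the matching `sysctl -w` commands, which are also the lines to append to /etc/rc.d/rc.local. The recommended values are the ones from the article; the "weaker than" comparison (a backlog may be larger, retries may be fewer) is an assumption of this example.

```python
"""Audit SYN-related kernel settings against the values recommended above.

Added example: parses `sysctl -a` style output and reports deviations.
"""
import re
import subprocess

# Target values from the article: larger SYN backlog, SYN cookies on, fewer retries.
RECOMMENDED = {
    "net.ipv4.tcp_max_syn_backlog": 2048,
    "net.ipv4.tcp_syncookies": 1,
    "net.ipv4.tcp_synack_retries": 3,
    "net.ipv4.tcp_syn_retries": 3,
}

# Constructed sample: the default values quoted in the article.
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
"""

LINE_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(-?\d+)\s*$")


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict of ints; lines that do not match are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def audit(settings, recommended=RECOMMENDED):
    """Return {key: (current, wanted)} for each recommended key that is missing or weaker.

    Assumption: a larger backlog is fine, fewer retries are fine, syncookies must be 1.
    """
    findings = {}
    for key, wanted in recommended.items():
        current = settings.get(key)
        if current is None:
            findings[key] = (None, wanted)
        elif key.endswith("_backlog") and current < wanted:
            findings[key] = (current, wanted)
        elif key.endswith("_retries") and current > wanted:
            findings[key] = (current, wanted)
        elif key.endswith("syncookies") and current != wanted:
            findings[key] = (current, wanted)
    return findings


def fix_commands(findings):
    """Render the sysctl -w commands for the findings, sorted by key for stable output."""
    return ["sysctl -w %s=%d" % (key, wanted)
            for key, (_, wanted) in sorted(findings.items())]


def live_sysctl_output():
    """Read the real values on a Linux host (only used when run as a script)."""
    return subprocess.run(["sysctl", "-a"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    try:
        text = live_sysctl_output()
    except OSError:  # no sysctl binary available: fall back to the constructed sample
        text = SAMPLE_SYSCTL_OUTPUT
    for cmd in fix_commands(audit(parse_sysctl(text))):
        print(cmd)
```

Run as root on the host to compare the live values; the printed commands apply the article's settings and can be pasted into rc.local as-is.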
2. Protect Against DDoS
DDoS, a distributed denial of service attack, means that an attacker uses many hosts from different sources to send a large number of connections to common ports such as 80 and 25. These clients only establish connections and do not perform normal access. Because a typical Apache configuration accepts a limited number of connections (usually 256), these "fake" accesses fill up Apache and normal access cannot take place.
Linux provides a firewall tool called ipchains that can block connections to specific ports from specific IP addresses or address ranges. Using ipchains to defend against DDoS means first discovering the attack source addresses with the netstat command and then blocking them with the ipchains command, blocking each source as it is found.
Turn on the ipchains feature
First check whether the ipchains service is set to start automatically:
chkconfig --list ipchains
The output is generally:
ipchains 0:off 1:off 2:on 3:on 4:on 5:on 6:off
If columns 3, 4 and 5 are on, the ipchains service is set to start automatically.
If not, you can use the command:
chkconfig --add ipchains
to set the ipchains service to start automatically.
Second, check whether the ipchains configuration file /etc/sysconfig/ipchains exists. If this file does not exist, ipchains does not take effect even if it is set to start automatically. The default ipchains configuration file is as follows:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
# allow http,ftp,smtp,ssh,domain via tcp; domain via udp
-A input -p tcp -s 0/0 -d 0/0 pop3 -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 http -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 https -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 ftp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 smtp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 ssh -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 domain -y -j ACCEPT
-A input -p udp -s 0/0 -d 0/0 domain -j ACCEPT
# deny icmp packet
#-A input -p icmp -s 0/0 -d 0/0 -j DENY
# default rules
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
If the /etc/sysconfig/ipchains file does not exist, create it with the above content. After creating it, start the ipchains service:
/etc/init.d/ipchains start
Find the source of the attack with the netstat command
If the attack is against the web port 80, look at the client IPs and ports connected to port 80 with the following command (the trailing space after ":80" keeps ports such as 8080 from matching):
netstat -an -t | grep ":80 " | awk '{printf "%s %s\n", $5, $6}' | sort
Output:
161.2.8.9:123 FIN_WAIT2
161.2.8.9:124 FIN_WAIT2
61.233.85.253:23656 FIN_WAIT2
...
The first column is the client IP and port, and the second column is the connection state.
If there are many connections from the same IP (more than 50) on contiguous ports, it is likely to be an attack.
If you want to see only established connections, use the command:
netstat -an -t | grep ":80 " | grep ESTABLISHED | awk '{printf "%s %s\n", $5, $6}' | sort
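The following script is an added example, not code from the original article. It automates the netstat analysis described above: it parses lines in `netstat -an -t` format, groups the clients connected to port 80, applies the article's heuristic (more than 50 connections from one IP on contiguous client ports) and renders the ipchains rules that block new connections from each flagged source. The embedded netstat lines are a constructed sample so the script runs offline; the threshold of 50 comes from the article, while the precise "contiguous" test (at least half of the gaps between sorted ports equal 1) and the use of `-y` to match only SYN packets are assumptions of this example.

```python
"""Flag suspicious clients in netstat output and render ipchains rules for them.

Added example: applies the article's heuristic to `netstat -an -t` lines.
"""
import re
from collections import defaultdict


def build_sample():
    """Constructed sample in `netstat -an -t` format: one noisy client with 60
    connections on consecutive ports, one ordinary client with 3, and an ssh session."""
    lines = ["Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    for port in range(30000, 30060):
        lines.append("tcp        0      0 10.0.0.5:80             161.2.8.9:%d           FIN_WAIT2" % port)
    for port in (23656, 41002, 51777):
        lines.append("tcp        0      0 10.0.0.5:80             61.233.85.253:%d       ESTABLISHED" % port)
    lines.append("tcp        0      0 10.0.0.5:22             192.0.2.10:51234        ESTABLISHED")
    return "\n".join(lines)


SAMPLE_NETSTAT = build_sample()

# Local "addr:port", foreign "addr:port" and state columns of a tcp line.
ROW_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def connections_to_port(text, local_port, states=None):
    """Return {client_ip: [client_port, ...]} for connections to local_port,
    optionally restricted to a set of states such as {"ESTABLISHED"}."""
    clients = defaultdict(list)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _local_ip, lport, rip, rport, state = m.groups()
        if int(lport) != local_port:
            continue
        if states and state not in states:
            continue
        clients[rip].append(int(rport))
    return dict(clients)


def ports_look_contiguous(ports, min_fraction=0.5):
    """Assumption: ports are 'contiguous' when at least min_fraction of the gaps
    between sorted distinct ports are exactly 1 (a loop opening sockets does this)."""
    distinct = sorted(set(ports))
    if len(distinct) < 2:
        return False
    adjacent = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
    return adjacent / (len(distinct) - 1) >= min_fraction


def suspicious_clients(clients, min_connections=50):
    """The article's rule: more than min_connections from one IP, on contiguous ports."""
    return sorted(ip for ip, ports in clients.items()
                  if len(ports) > min_connections and ports_look_contiguous(ports))


def ipchains_rules(ips, local_port):
    """Render ipchains rules that deny new (SYN) connections from each IP to local_port."""
    return ["ipchains -A input -p tcp -s %s -d 0/0 %d -y -j DENY" % (ip, local_port)
            for ip in ips]


if __name__ == "__main__":
    clients = connections_to_port(SAMPLE_NETSTAT, 80)
    for rule in ipchains_rules(suspicious_clients(clients), 80):
        print(rule)
```

On a live host, feed it the real output (`netstat -an -t | python3 this_script.py` with `sys.stdin.read()` in place of the sample) and review the printed rules before applying them; the state filter lets you repeat the check on established connections only, as the second netstat command above does.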
That completes the Linux system firewall setup; I hope this article helps.