Use the firewall function of Linux to defend against Network Attacks

VM service providers may be attacked by hackers during operation. Common attacks include SYN and DDOS attacks. By changing the IP address, it is possible to find the attacked site to avoid the attack, but the service interruption takes a long time. A thorough solution is to add a hardware firewall. However, hardware firewalls are expensive. You can consider using the firewall function provided by the Linux system to defend against attacks.

1. resist SYN

SYN attacks use the three-way handshake principle of the TCP/IP protocol to send a large number of network packets that establish connections, but do not actually establish connections. As a result, the network queue of the attacked server is full, cannot be accessed by normal users.

The Linux Kernel provides several SYN-related configurations. Run the following command:

Sysctl-a | grep syn
 

See:

Net. ipv4.tcp _ max_syn_backlog = 1024
Net. ipv4.tcp _ syncookies = 0
Net. ipv4.tcp _ synack_retries = 5
Net. ipv4.tcp _ syn_retries = 5
 

Tcp_max_syn_backlog is the length of the SYN queue, and tcp_syncookies are a function. Whether to enable the SYN Cookie function can prevent some SYN attacks. Tcp_synack_retries and tcp_syn_retries define the number of retries of SYN.
Increasing the SYN queue length can accommodate more network connections waiting for connection. Enabling the SYN Cookie function can prevent some SYN attacks and reduce the number of retries.

To adjust the preceding settings, follow these steps:

Increase the SYN queue length to 2048:

Sysctl-w net. ipv4.tcp _ max_syn_backlog = 2048
 

Enable the syn cookie function:

Sysctl-w net. ipv4.tcp _ syncookies = 1
 

Reduce the number of retries:

Sysctl-w net. ipv4.tcp _ synack_retries = 3
Sysctl-w net. ipv4.tcp _ syn_retries = 3
 

To maintain the preceding configuration during system restart, you can add the preceding command to the/etc/rc. d/rc. local file.

2. Resist DDOS attacks

DDOS and distributed denial of access (DDOS) attacks mean that hackers send a large number of connections to common ports, such as 80 and 25, to many hosts from different sources. However, these clients only establish connections, not normal access. Generally, due to the limited number of accepted connections configured by Apache (usually 256), these "fake" access will fill up Apache and normal access will fail. Linux provides a firewall tool called ipchains to shield connections from specific IP addresses or IP address segments to specific ports. To use ipchains to defend against DDOS attacks, you must first use the netstat command to find the source address of the attack, and then use the ipchains command to block the attack. One block is found.

Enable Ipchains

First, check whether the ipchains service is set to auto start:

Chkconfig -- list ipchains
 

The output is generally:

Ipchains 0: off 1: off 2: on 3: on 4: on 5: on 6: off
 

If column 345 is on, the ipchains service has been set to auto start. If not, run the following command:

Chkconfig -- add ipchains
 

Set ipchains to auto start.
Next, check whether the ipchains configuration file/etc/sysconfig/ipchains exists. If this file does not exist, ipchains will not take effect even if it is set to automatic start. The default ipchains configuration file is as follows:

English Code
 

 

If the/etc/sysconfig/ipchains file does not exist, you can use the above content to create it. After creation, start ipchains Server:

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through
# Firewall; such entries will ** not * be listed here.
: Input ACCEPT
: Forward ACCEPT
: Output ACCEPT
-A input-s 0/0-d 0/0-I lo-j ACCEPT
# Allow http, ftp, smtp, ssh, domain via tcp; domain via udp
-A input-p tcp-s 0/0-d 0/0 pop3-y-j ACCEPT
-A input-p tcp-s 0/0-d 0/0 http-y-j ACCEPT
-A input-p tcp-s 0/0-d 0/0 https-y-j ACCEPT
-A input-p tcp-s 0/0-d 0/0 ftp-y-j ACCEPT
-A input-p tcp-s 0/0-d 0/0 smtp-y-j ACCEPT
-A input-p tcp-s 0/0-d 0/0 ssh-y-j ACCEPT
-A input-p TCP/IP 0/0-d 0/0 domain-y-j ACCEPT
-A input-p udp-s 0/0-d 0/0 domain-j ACCEPT
# Deny icmp packet
#-A input-p icmp-s 0/0-d 0/0-j DENY
# Default rules
-A input-p tcp-s 0/0-d 0/0-y-j REJECT
-A input-p tcp-s 0/0-d 0/0 2049-y-j REJECT
-A input-p udp-s 0/0-d 0/0-j REJECT
-A input-p udp-s 0/0-d 0/0 2049-j REJECT
-A input-p tcp-s 0/0-d 0/0 6000: 6009-y-j REJECT
-A input-p tcp-s 0/0-d 0/0 7100-y-j REJECT
 

If the/etc/sysconfig/ipchains file does not exist, you can use the above content to create it. After creation, start ipchains Server:

/Etc/init. d/ipchains start
 

Use the netstat command to find the attack source

If the hacker attacks port 80 on the Web, view the IP address and port of the Client Connected to port 80. The command is as follows:

Netstat-an-t tcp | grep ": 80" | grep ESTABLISHED | awk {printf "% s", $5, $6} | sort
 

Output:

161.2.8.9: 123 FIN_WAIT2
161.2.8.9: 124 FIN_WAIT2
61.233.85.253: 23656 FIN_WAIT2
...
 

The first column is the Client IP address and port, and the second column is the connection status. If there are many connections from the same IP address (more than 50 connections) and they are continuous ports, it is likely to be an attack. If you only want to view the established connection, run the following command:

Netstat-an-t tcp | grep ": 80" | grep ESTABLISHED | awk {printf "% s", $5, $6} | sort
 

Use Ipchains to block attack sources

You can use ipchains to block attack sources in two ways. One is to add it to/etc/sysconfig/ipchains and restart the ipchains service. The other is to directly use the ipchains command. After the attack is blocked, you may need to restart the attacked service, which means that the established attack connection is invalid.

Add/etc/sysconfig/ipchains

Assume that the connection from 218.202.8.151 to 80 is blocked. Edit the/etc/sysconfig/ipchains file and add it below the output ACCEPT line:

-A input-s 218.202.8.151-d 0/0 http-y-j REJECT
 

Save the changes and restart ipchains:

/Etc/init. d/ipchains restart
 

If you want to block the entire network segment of 218.202.8, add:

-A input-s 218.202.8.0/255.255.255.0-d 0/0 http-y-j REJECT
 

Use command line

The method of adding the/etc/sysconfig/ipchains file and restarting ipchains is slow, and some connections may be drilled in when ipchains are restarted. The most convenient method is to directly use the ipchains command. If the connection from 218.202.8.151 to 80 is blocked, run the following command:

Ipchains-I input 1-p tcp-s 218.202.8.151-d 0/0 http-y-j REJECT
 

If you want to block the entire network segment of 218.202.8, run the following command:

Ipchains-I input 1-p tcp-s 218.202.8.0/255.255.255.0-d 0/0 http-y-j REJECT
 

Here,-I indicates insertion, input indicates rule connection, and 1 indicates adding to the first one.

You can edit a shell script to make it easier. The command is as follows:

Vi blockit
 

Content:

#! /Bin/sh
If [! -Z "$1"]; then
Echo "Blocking: $1"
Ipchains-I input 1-p tcp-s "$1"-d 0/0 http-y-j REJECT
Else
Echo "which ip to block? "
Fi
 

Save, and then:

Chmod 700 blockit
 

Usage:

./Blockit 218.202.8.151
./Blockit 218.202.8.0/255.255.255.0
 

The rules created by the preceding command line method will expire after the restart. You can use the ipchains-save command to print the rules:

Ipchains-save
 

Output:

: Input ACCEPT
: Forward ACCEPT
: Output ACCEPT
Saving 'input.
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0-I lo-j ACCEPT
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 110:110-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 80: 80-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 22: 22-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 88: 88-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 89: 89-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 90: 90-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 91: 91-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 8180: 8180-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 443: 443-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 21:21-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 25:25-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 22: 22-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 53: 53-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 9095: 9095-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 8007: 8007-p 6-j ACCEPT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 53: 53-p 17-j ACCEPT
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 0: 1023-p 6-j REJECT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 2049: 2049-p 6-j REJECT-y
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0 :1023-p 17-j REJECT
-A input-s 0.0.0.0/0.0.0.0-d 0.0.0.0/0.0.0.0