系统屋 - 系统光盘下载网站!

当前位置:首页 > 系统教程 > Linux教程 > 详细页面

Linux系统如何防止CC攻击(2)

时间:2023-01-26来源:系统屋作者:qipeng

  免疫某些类型的小规模 DDos 攻击:

  # Connection Tracking. This option enables tracking of all connections from IP

  # addresses to the server. If the total number of connections is greater than

  # this value then the offending IP address is blocked. This can be used to help

  # prevent some types of DOS attack.

  #

  # Care should be taken with this option. It’s entirely possible that you will

  # see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD

  # and HTTP so it could be quite easy to trigger, especially with a lot of

  # closed connections in TIME_WAIT. However, for a server that is prone to DOS

  # attacks this may be very useful. A reasonable setting for this option might

  # be arround 200.

  #

  # To disable this feature, set this to 0

  CT_LIMIT = “200”##固定时间内同一个IP请求的此数

  # Connection Tracking interval. Set this to the the number of seconds between

  # connection tracking scans

  CT_INTERVAL = “30” ##指上面的固定时间,单位为秒

  # Send an email alert if an IP address is blocked due to connection tracking

  CT_EMAIL_ALERT = “1” ##是否发送邮件

  # If you want to make IP blocks permanent then set this to 1, otherwise blocks

  # will be temporary and will be cleared after CT_BLOCK_TIME seconds

  # 是否对可疑IP采取永久屏蔽,默认为0,即临时性屏蔽。

  CT_PERMANENT = “0”

  # If you opt for temporary IP blocks for CT, then the following is the interval

  # in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)

  # 临时性屏蔽时间

  CT_BLOCK_TIME = “1800”

  # If you don’t want to count the TIME_WAIT state against the connection count

  # then set the following to “1〃

  CT_SKIP_TIME_WAIT = “0” ##是否统计TIME_WAIT链接状态

  # If you only want to count specific states (e.g. SYN_RECV) then add the states

  # to the following as a comma separated list. E.g. “SYN_RECV,TIME_WAIT”

  # Leave this option empty to count all states against CT_LIMIT

  CT_STATES = “” ##是否分国家来统计,填写的是国家名

  # If you only want to count specific ports (e.g. 80,443) then add the ports

  # to the following as a comma separated list. E.g. “80,443〃

  #

  # Leave this option empty to count all ports against CT_LIMIT

  # 对什么端口进行检测,为空则检测所有,防止ssh的话可以为空,统计所有的。

  CT_PORTS = “”

  做了以上设置之后,可以先测试一下。如果没有问题的话,就更改为正式模式,刚才只是测试模式。

  # 把默认的1修改为0。

  TESTING = “0”

  在/etc/csf/下有csf.allow和csf.deny两个文件,

  allow是信任的IP,可以把自己的IP写到这里面防止误封。

  deny就是被封的IP。

  如果有调整需要重启一下cfs服务

  上面就是Linux防止CC攻击的方法介绍了,很多时候用户网站被CC攻击了自己都不知道,所以定期的检测是很有必要的。

 2/2   首页 上一页 1 2
分享到:

相关信息

  • Linux系统禁用ping命令的技巧

    Linux系统中的ping命令可用于网络故障的诊断,检查网络的连通性,但有时候会被黑客利用,有时为了保证系统网络的安全,会将ping命令禁止使用,那么要如何禁止ping命令呢?随小编一起来了解下吧。...

    2023-01-25

  • 在Linux上优化Mysql运行环境的技巧

    接触过Mysql的都是知道它是数据库,很多用户知道如何使用Mysql数据库,但对Mysql运行环境的优化却知之甚少,如果你想要掌握Mysql数据库,对Mysql运行环境的优化也要了解一些,下面小编就给大家介绍下Linux优化Mysql运行环境的...

    2023-01-25

评论

系统教程栏目

栏目热门教程

人气教程排行

站长推荐

热门系统下载

公众号