在ConfigServer安全和防火墙(CSF)配置文件中,更新CT_LIMIT
值以限制每个IP地址的连接数。 这是防止某些类型的拒绝服务(DOS)攻击的简单技巧。
注意
要立即停止拒绝服务(DoS)攻击,请阅读此空路由示例。
1. /etc/csf/csf.conf
SSH以root身份进入您的服务器。 编辑/etc/csf/csf.conf
文件。
Terminal
$ ssh root@yourserver #login as root
$ vim /etc/csf/csf.conf
2. CT_LIMIT
查找CT_LIMIT
并将其更新为150,这意味着如果与服务器的连接总数超过150,则IP地址将被阻止。 保存并退出。
/etc/csf/csf.conf
###############################################################################
# SECTION:Connection Tracking
###############################################################################
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It's entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be around 300.
#
# To disable this feature, set this to 0
CT_LIMIT = "150"
3.重新启动CSF
$ csf -r
参考文献
翻译自: https://mkyong.com/linux/csf-how-to-limit-the-number-of-connections-per-ip-address/