sysctl -a | grep syn
[root@metc apache2]# /sbin/sysctl -a | grep syn
net.ipv6.conf.default.max_desync_factor = 600
net.ipv6.conf.all.max_desync_factor = 600
net.ipv6.conf.eth0.max_desync_factor = 600
net.ipv6.conf.lo.max_desync_factor = 600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.tcp_max_syn_backlog = 1280 net.ipv4.tcp_syncookies =1
net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 5
fs.quota.syncs = 18
防范SYN攻击设置
#缩短SYN- Timeout时间:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -jACCEPT
iptables -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -jACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit--limit 1/s -j ACCEPT #防止各种端口扫描
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit--limit 1/s -j ACCEPT #Ping洪水攻击(Ping of Death)
#每秒 最多3个 syn 封包 进入 表达为 :
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -jsyn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 1/s--limit-burst 3 -j RETURN
iptables -A syn-flood -j DROP
#设置syncookies:
sysctl -w net.ipv4.tcp_syncookies=1
/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=3000
/sbin/sysctl -w net.ipv4.tcp_synack_retries=1
/sbin/sysctl -w net.ipv4.tcp_syn_retries=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
/sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1