前几天我这博客被无聊的人用CC攻击了,造成下午宕机几个小时,这也是我这博客开站一来第一次大故障了,呵呵
我用防止这CC攻击有两种方法
第一种就是利用本机的防火墙来解决可以安装CSF之内的防火墙,这种的弊端是只能防止小规模的CC攻击和DDOS(我的站在阿里云,所以不用太担心DDOS)CC攻击比较猛的话机器也直接CUP跑满了。
第二种方式是添加CDN,这种防止CC攻击的方法是最好的,不过CDN一般都要钱,于是我找到一个https://www.yundun.cn/login,说是专门防CC DDOS的,其实也就是一个CDN,有免费的套餐,足够我这小站用了。
现在就来谈谈我的具体换防护把,
首先安装CSF防火墙,这个比较简单而且不用改域名什么的,小规模的就直接解决了。
一、安装依赖包:
yum install perl-libwww-perl perl iptables
二、下载并安装 CSF:
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
三、测试 CSF 是否能正常工作:
[root@localhost csf]# perl /etc/csf/csftest.pl Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
四、csf的配置:
CSF的配置文件是
vim /etc/csf/csf.conf # Allow incoming TCP ports # 推荐您更改 SSH 的默认端口(22)为其他端口,但请注意一定要把新的端口加到下一行中 TCP_IN = “20,21,47,81,1723,25,53,80,110,143,443,465,587,993,995〃 # Allow outgoing TCP ports同上,把 SSH 的登录端口加到下一行。 # 在某些程序要求打开一定范围的端口的情况下,例如Pureftpd的passive mode,可使用类似 30000:35000 的方式打开30000-35000范围的端口。 TCP_OUT = “20,21,47,81,1723,25,53,80,110,113,443〃 # Allow incoming UDP ports UDP_IN = “20,21,53〃 # Allow outgoing UDP ports # To allow outgoing traceroute add 33434:33523 to this list UDP_OUT = “20,21,53,113,123〃 # Allow incoming PING 是否允许别人ping你的服务器,默认为1,允许。0为不允许。 ICMP_IN = “1〃 以上这些配置大家一看就懂了,下面再介绍几个比较常用的: 免疫某些类型的小规模 DDos 攻击: # Connection Tracking. This option enables tracking of all connections from IP # addresses to the server. If the total number of connections is greater than # this value then the offending IP address is blocked. This can be used to help # prevent some types of DOS attack. # # Care should be taken with this option. It’s entirely possible that you will # see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD # and HTTP so it could be quite easy to trigger, especially with a lot of # closed connections in TIME_WAIT. However, for a server that is prone to DOS # attacks this may be very useful. A reasonable setting for this option might # be arround 200. # # To disable this feature, set this to 0 CT_LIMIT = "200"##固定时间内同一个IP请求的此数 # Connection Tracking interval. Set this to the the number of seconds between # connection tracking scans CT_INTERVAL = "30" ##指上面的固定时间,单位为秒 # Send an email alert if an IP address is blocked due to connection tracking CT_EMAIL_ALERT = "1" ##是否发送邮件 # If you want to make IP blocks permanent then set this to 1, otherwise blocks # will be temporary and will be cleared after CT_BLOCK_TIME seconds # 是否对可疑IP采取永久屏蔽,默认为0,即临时性屏蔽。 CT_PERMANENT = "0" # If you opt for temporary IP blocks for CT, then the following is the interval # in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins) # 临时性屏蔽时间 CT_BLOCK_TIME = "1800" # If you don’t want to count the TIME_WAIT state against the connection count # then set the following to “1〃 CT_SKIP_TIME_WAIT = "0" ##是否统计TIME_WAIT链接状态 # If you only want to count specific states (e.g. SYN_RECV) then add the states # to the following as a comma separated list. E.g. “SYN_RECV,TIME_WAIT” # Leave this option empty to count all states against CT_LIMIT CT_STATES = "" ##是否分国家来统计,填写的是国家名 # If you only want to count specific ports (e.g. 80,443) then add the ports # to the following as a comma separated list. E.g. “80,443〃 # # Leave this option empty to count all ports against CT_LIMIT # 对什么端口进行检测,为空则检测所有,防止ssh的话可以为空,统计所有的。 CT_PORTS = "" 做了以上设置之后,可以先测试一下。如果没有问题的话,就更改为正式模式,刚才只是测试模式。 # 把默认的1修改为0。 TESTING = "0"
在/etc/csf/下有csf.allow和csf.deny两个文件,
allow是信任的IP,可以把自己的IP写到这里面防止误封。
deny就是被封的IP。
如果有调整需要重启一下cfs服务
按照上面的方法安装设置CSF基本上小CC攻击就解决了,我的站刚加好也解决了,可以第二天攻击加大了,没办法只有用第二种办法了
注册了云盾帐号,认证域名,更改域名指向到云盾的域名,我加完之后再也没有收到攻击。
在此感谢云盾https://www.yundun.cn/login
3431
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
