1. Mitigating SYN flood damage
Reduce the number of times the kernel retransmits SYN+ACK packets (default is 10):
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
Enable SYN cookies:
sysctl -w net.ipv4.tcp_syncookies=1
Enlarge the SYN backlog queue:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
Note that sysctl -w only changes the running kernel; to keep the settings across reboots, put the same key=value lines in /etc/sysctl.conf or a file under /etc/sysctl.d/.
2. Resisting scans
Ignore ICMP echo requests so the host does not answer ping:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
Use iptables to rate-limit scan traffic (these rules are in the FORWARD chain, so they cover routed traffic; add the same rules to INPUT to protect the host itself):
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
These rules only ACCEPT packets that stay within the rate limit; anything above it falls through to the following rules, so a later DROP rule (or a DROP chain policy) is required for the limit to have any effect.
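The settings in both sections are easier to keep in place if they are audited rather than only written once. The following script is an added example, not part of the original notes: it reads sysctl output and flags any of the keys above that is missing or weaker than the values the notes recommend (the thresholds are taken from the notes and are assumptions, not hard limits).

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the sysctl settings the
# notes recommend. Thresholds (retries <= 3, backlog >= 2048) come from the
# notes and are illustrative assumptions, not absolute values.

# check_hardening reads "key = value" lines (the format `sysctl -a` prints) on
# stdin, prints one WEAK/MISSING line per problem and returns the problem count.
check_hardening() {
    awk '
    function want(key, op, target,   v) {
        if (!(key in seen)) { print "MISSING " key; bad++; return }
        v = seen[key]
        if ((op == "==" && v != target) || (op == "<=" && v > target) ||
            (op == ">=" && v < target)) {
            print "WEAK " key "=" v " (want " op " " target ")"; bad++
        }
    }
    BEGIN { bad = 0 }
    /=/ { gsub(/[ \t]/, ""); split($0, kv, "="); seen[kv[1]] = kv[2] + 0 }
    END {
        # SYN flood: give up on half-open connections sooner, keep SYN cookies
        # on, and allow a deeper backlog before new SYNs are dropped.
        want("net.ipv4.tcp_synack_retries", "<=", 3)
        want("net.ipv4.tcp_syn_retries", "<=", 3)
        want("net.ipv4.tcp_syncookies", "==", 1)
        want("net.ipv4.tcp_max_syn_backlog", ">=", 2048)
        # Scan resistance: do not answer ICMP echo requests.
        want("net.ipv4.icmp_echo_ignore_all", "==", 1)
        exit bad
    }'
}

# Constructed sample of a host that still carries mostly default values.
sample_defaults() {
    printf '%s\n' \
        'net.ipv4.tcp_synack_retries = 5' \
        'net.ipv4.tcp_syn_retries = 6' \
        'net.ipv4.tcp_syncookies = 1' \
        'net.ipv4.tcp_max_syn_backlog = 128'
}

# On a real host run:  sysctl -a 2>/dev/null | check_hardening
if sample_defaults | check_hardening; then
    echo "hardened"
else
    echo "problems found: $?"
fi
```

The sample host produces three WEAK lines and one MISSING line (icmp_echo_ignore_all is absent from the sample), and the function's exit status of 4 can drive a cron or CI check.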