Preventing DDOS/SYN attacks (as far as possible)
Posted
by
Godius
on Server Fault
See other posts from Server Fault
or by Godius
Published on 2011-03-04T15:09:17Z
Indexed on
2011/03/04
15:26 UTC
Read the original article
Hit count: 304
Recently my CENTOS machine has been under many attacks. I run MRTG and the TCP connections graph shoots up like crazy when an attack is going on. It results in the machine becoming inaccessible.
My MRTG graph: mrtg graph
This is my current /etc/sysctl.conf config
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 1
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536
# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 1280
Futher more in my Iptables file (/etc/sysconfig/iptables ) I only have this setup
# Generated by iptables-save v1.3.5 on Mon Feb 14 07:07:31 2011
*filter
:INPUT ACCEPT [1139630:287215872]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1222418:555508541]
Together with the settings above, there are about 800 IP's blocked via the iptables file by lines like:
-A INPUT -s 82.77.119.47 -j DROP
These have all been added by my hoster, when Ive emailed them in the past about attacks.
Im no expert, but im not sure if this is ideal.
My question is, what are some good things to add to the iptables file and possibly other files which would make it harder for the attackers to attack my machine without closing out any non-attacking users.
Thanks in advance!
© Server Fault or respective owner