【Posted at】: 2014-07-11 03:27:41
【Problem description】:
How do I protect an Apache web server from DoS and DDoS attacks?
Note: I have already added rules in iptables. I am still receiving SYN requests.
Errors:
[root@471283-app2 ~]# dmesg | grep -i syn
megasas: fasync_helper was not called first
possible SYN flooding on port 80. Sending cookies.
possible SYN flooding on port 80. Sending cookies.
possible SYN flooding on port 80. Sending cookies.
possible SYN flooding on port 8080. Sending cookies.
possible SYN flooding on port 25. Sending cookies.
[root@471283-app2 ~]# netstat -n | grep :80 | grep SYN |wc -l
64
iptables rules
[root@471283-app2 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 331M packets, 6033G bytes)
pkts bytes target prot opt in out source destination
24621 1320K ACCEPT tcp -- any any 173.4.4.4/24 anywhere tcp dpt:ssh
1314K 77M ACCEPT tcp -- eth0 any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 5/sec burst 5
20245 1196K DDOS_SYNFLOOD tcp -- any any anywhere anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 321M packets, 6110G bytes)
pkts bytes target prot opt in out source destination
Chain DDOS_SYNFLOOD (1 references)
pkts bytes target prot opt in out source destination
18656 1108K ACCEPT all -- any any anywhere anywhere limit: avg 1/sec burst 3
1589 87748 DROP all -- any any anywhere anywhere
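As an added example (not part of the original question or of any reply), the script below does what the `netstat -n | grep :80 | grep SYN | wc -l` and `dmesg | grep -i syn` commands in the question do, but broken down per source address and per port, so that a few noisy clients can be told apart from a flood spread over many (possibly spoofed) addresses. The netstat and dmesg lines it parses are constructed samples in the same format as the output above, not captured from the asker's host, and the threshold of 2 half-open connections per source is an arbitrary demo value.

```python
"""Triage half-open (SYN_RECV) connections per source and kernel SYN-flood
warnings per port. Added example; the sample inputs below are constructed."""
import re
from collections import Counter

# Constructed sample of `netstat -n` output (Linux column layout).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:41022       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:41023       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:41024       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:55010      SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.33:60001        ESTABLISHED
tcp        0      0 10.0.0.5:8080           203.0.113.7:41100       SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.10:50000        ESTABLISHED
"""

# Constructed sample of `dmesg` lines, same wording the kernel uses.
SAMPLE_DMESG = """\
megasas: fasync_helper was not called first
possible SYN flooding on port 80. Sending cookies.
possible SYN flooding on port 80. Sending cookies.
possible SYN flooding on port 8080. Sending cookies.
"""

# proto recv-q send-q local:port foreign:port state
NETSTAT_LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+):(?P<lport>\d+)\s+"
    r"(?P<remote>\S+):(?P<rport>\d+|\*)\s+(?P<state>\S+)\s*$"
)
SYNFLOOD_LINE = re.compile(r"possible SYN flooding on port (?P<port>\d+)\.")


def half_open_by_source(netstat_output, local_port=80):
    """Count SYN_RECV entries per remote address for one local port."""
    counts = Counter()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header lines, UDP and unix sockets do not match
        if m.group("state") == "SYN_RECV" and int(m.group("lport")) == local_port:
            counts[m.group("remote")] += 1
    return counts


def synflood_ports(dmesg_output):
    """Count the kernel's 'possible SYN flooding' warnings per port."""
    counts = Counter()
    for line in dmesg_output.splitlines():
        m = SYNFLOOD_LINE.search(line)
        if m:
            counts[int(m.group("port"))] += 1
    return counts


def triage(netstat_output, dmesg_output, local_port=80, per_source_threshold=2):
    """Summarise what the two raw counts in the question hide: how many
    distinct sources hold half-open connections, which ones exceed the
    threshold, and which ports the kernel has already switched to cookies."""
    by_source = half_open_by_source(netstat_output, local_port)
    offenders = sorted(
        (src for src, n in by_source.items() if n >= per_source_threshold),
        key=lambda src: -by_source[src],
    )
    return {
        "total_half_open": sum(by_source.values()),
        "distinct_sources": len(by_source),
        "offenders": offenders,
        "flooded_ports": dict(synflood_ports(dmesg_output)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT, SAMPLE_DMESG).items():
        print(f"{key}: {value}")
```

The same functions accept real `netstat -n` and `dmesg` output. The split matters for choosing a mitigation: many half-open connections from a handful of addresses is something a per-source limit can act on, whereas a flood spread thinly over thousands of addresses is where the kernel's SYN cookies (the "Sending cookies" messages) are what keep the listen queue usable. On the rules shown in the question, note that the `limit` match in the DDOS_SYNFLOOD chain counts all incoming SYNs together, so during a flood it throttles legitimate clients along with the attacker; the `hashlimit` match with `--hashlimit-mode srcip` applies the same budget per source address instead.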
【Discussion】:
-
You need to give us more details. Most importantly: how badly is the attack hurting you? Is it maxing out your inbound bandwidth? Your outbound bandwidth? Your memory? Your connection limit? Or what?
-
My server has 24 GB of memory.
-
# httpd -l Compiled in modules: core.c prefork.c http_core.c mod_so.c
-
Apache conf: Timeout 100 KeepAlive on MaxKeepAliveRequests 150 KeepAliveTimeout 5
StartServers 20 MinSpareServers 20 MaxSpareServers 50 ServerLimit 1180 MaxClients 1180 MaxRequestsPerChild 1180
-
Tomcat configuration