#缩短SYN- Timeout时间: iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT iptables -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT #每秒 最多3个 syn 封包 进入 表达为 : iptables -N syn-flood iptables -A INPUT -p tcp --syn -j syn-flood iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN iptables -A syn-flood -j REJECT #设置syncookies: sysctl -w net.ipv4.tcp_syncookies=1 sysctl -w net.ipv4.tcp_max_syn_backlog=3072 sysctl -w net.ipv4.tcp_synack_retries=0 sysctl -w net.ipv4.tcp_syn_retries=0 sysctl -w net.ipv4.conf.all.send_redirects=0 sysctl -w net.ipv4.conf.all.accept_redirects=0 sysctl -w net.ipv4.conf.all.forwarding=0 sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 #防止PING: sysctl -w net.ipv4.icmp_echo_ignore_all=1 #拦截具体IP范围: iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP 转载地址:http://www.hit008.com/read.php?30 转载请保留固定链接: https://linuxeye.com/security/668.html |