Environment: CentOS 5.3 + Apache (httpd) anti-DDoS module mod_evasive + iptables
Installation reference for the Apache (httpd) anti-DDoS module mod_evasive:
http://www.linuxsir.org/main/node/244
iptables rules:
# more /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue May 26 13:54:14 2009
*nat
:PREROUTING ACCEPT [21:1246]
:POSTROUTING ACCEPT [1:92]
:OUTPUT ACCEPT [1:92]
COMMIT
# Completed on Tue May 26 13:54:14 2009
# Generated by iptables-save v1.3.5 on Tue May 26 13:54:14 2009
*mangle
:PREROUTING ACCEPT [29:1702]
:INPUT ACCEPT [28:1458]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27:3056]
:POSTROUTING ACCEPT [27:3056]
COMMIT
# Completed on Tue May 26 13:54:14 2009
# Generated by iptables-save v1.3.5 on Tue May 26 13:54:14 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27:3056]
:RH-Firewall-1-INPUT - [0:0]
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-N syn-flood
-A FORWARD -p tcp --syn -j syn-flood
-A INPUT -p tcp --syn -j syn-flood
-A syn-flood -p tcp --syn -m limit --limit 3/s --limit-burst 1 -j ACCEPT
-A syn-flood -j DROP
-A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --syn -m state --state NEW -j DROP
-A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j REJECT
-A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
-A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2012 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue May 26 13:54:14 2009
Dammit, why can't it block the traffic coming from the stress test at all:
ab -n 1000 -c 100 http://www.mysite.com/file.php
I'd like to ask everyone whether something here is wrong, or whether there is a better approach. Many thanks!
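Added here as an illustration, not code from the original post: a toy Python evaluator for the two rate-limiting matches in the INPUT chain above, `limit` in the syn-flood chain and `recent` with `--seconds 60 --hitcount 30`, fed a constructed burst of 100 SYNs from one client, the way `ab -c 100` opens connections. The client address, the packet timings and the simplified match semantics are assumptions.

```python
from collections import Counter
class LimitMatch:
    """Token bucket as used by -m limit --limit R/s --limit-burst B."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def matches(self, now):
        # refill in proportion to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class RecentList:
    """Per-source hit list as used by -m recent --set / --update --hitcount."""
    def __init__(self, seconds, hitcount):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = {}  # src -> timestamps of recorded hits

    def set(self, src, now):  # --set: record a hit for this source
        self.stamps.setdefault(src, []).append(now)

    def update(self, src, now):  # --update --hitcount N: >= N hits inside the window?
        recent = [t for t in self.stamps.get(src, []) if now - t <= self.seconds]
        hit = len(recent) >= self.hitcount
        if hit:  # xt_recent refreshes the entry only when the match succeeds
            self.stamps[src] = recent + [now]
        return hit

def run_input_chain(syns, with_syn_flood_chain=True):
    """Return verdict counts for a list of (time, src) SYN packets to port 80."""
    syn_limit = LimitMatch(rate=3, burst=1)         # --limit 3/s --limit-burst 1
    bad_http = RecentList(seconds=60, hitcount=30)  # BAD_HTTP_ACCESS list
    verdicts = Counter()
    for now, src in syns:
        if with_syn_flood_chain:
            # '-A INPUT -p tcp --syn -j syn-flood' comes first and ends in ACCEPT
            # or DROP for every SYN, so the recent rules below never see one.
            verdicts["ACCEPT" if syn_limit.matches(now) else "DROP"] += 1
        elif bad_http.update(src, now):             # --update ... -j REJECT
            verdicts["REJECT"] += 1
        else:                                       # --set -j ACCEPT
            bad_http.set(src, now)
            verdicts["ACCEPT"] += 1
    return dict(verdicts)
# Constructed input: 100 SYNs from one client within 10 ms, as ab -c 100 sends them.
AB_BURST = [(i * 0.0001, "10.0.0.5") for i in range(100)]
```

With the rules in the order posted, the burst yields 1 ACCEPT and 99 DROP and the BAD_HTTP_ACCESS list is never populated; with the syn-flood jump left out, the recent rules alone give 30 ACCEPT and 70 REJECT.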