Help: the log keeps reporting "no more recursive clients : quota reached"
FreeBSD is a stable and secure system; you can configure the firewall and the system variables to guard against attacks:
/etc/sysctl.conf (against flood attacks)
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
/etc/rc.conf
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
/etc/ipfw.conf
# drop packets carrying IP options (record route, timestamp, source routing)
add 00100 deny log ip from any to any ipopt rr
add 00200 deny log ip from any to any ipopt ts
add 00300 deny log ip from any to any ipopt ssrr
add 00400 deny log ip from any to any ipopt lsrr
# drop TCP segments with SYN and FIN both set
add 00500 deny tcp from any to any in tcpflags syn,fin
# drop ICMP echo reply (0) and echo request (8)
add 00600 deny icmp from any to any icmptypes 0
add 00700 deny icmp from any to any icmptypes 8
# stateful handling for outbound TCP connections
add 00800 check-state
add 00900 allow tcp from any to any out keep-state setup
add 01000 allow all from any to any via lo
add 01100 allow tcp from any to any out
add 01200 allow udp from any to any out
# DNS over UDP; replace <interface> with the NIC device name (e.g. fxp0)
add 01300 allow udp from any 53 to me in recv <interface>
add 01400 allow udp from any to me 53 in recv <interface>
# default deny (the original line read "deny all any from any to any", which ipfw rejects)
add 09999 deny all from any to any
In addition, the BIND version recommended for FreeBSD is 8.3.4 or 8.3.6, because 9.0 and later are too complex and their security and stability cannot be controlled. Another flavour of BSD, OpenBSD, which claims to be the most secure system and has gone three consecutive years without a security problem, is even still using BIND 4.x, and as far as I know most ISPs also run BIND 8.x. After all, stability comes first; do not chase the newest version.
So I suggest you use the BIND 8.3.4 shipped with FreeBSD 4.8 and patch it as described here:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:19.bind.asc
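Before changing the firewall, it helps to know when the "no more recursive clients" message is firing and which clients trigger it. The script below is an added example, not part of the original thread or of BIND; it parses syslog-style named lines (the log lines, hostname, process id and client addresses are constructed samples, and the line format is assumed) and reports events per minute, per source address, and the minutes that exceed a threshold.

```python
"""Count BIND 'no more recursive clients' events per minute and per client.

Added example for the thread above; the log lines are constructed samples in
the syslog format named writes to /var/log/messages. The hostname ns1, the
pid 1234 and all client addresses are invented.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 10:15:01 ns1 named[1234]: client 10.0.0.5#3342: no more recursive clients: quota reached
Mar  3 10:15:01 ns1 named[1234]: client 10.0.0.5#3343: no more recursive clients: quota reached
Mar  3 10:15:02 ns1 named[1234]: lame server resolving 'example.com' (in 'example.com'?): 192.0.2.1#53
Mar  3 10:16:30 ns1 named[1234]: client 192.0.2.77#1025: no more recursive clients: quota reached
Mar  3 10:16:31 ns1 named[1234]: client 192.0.2.77#1026: no more recursive clients: quota reached
Mar  3 10:16:31 ns1 named[1234]: client 192.0.2.77#1027: no more recursive clients: quota reached
Mar  3 10:17:00 ns1 named[1234]: zone example.net/IN: loaded serial 2003100101
"""

# Assumed line shape: "<Mon dd HH:MM>:SS host named[pid]: client <ip>#<port>: no more recursive clients: quota reached"
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ named\[\d+\]: "
    r"client (?P<client>[\d.]+)#\d+: no more recursive clients: quota reached$"
)


def parse_quota_events(log_text):
    """Return a list of (minute, client_ip) tuples, one per quota-reached line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("minute"), m.group("client")))
    return events


def events_per_minute(log_text):
    """Counter keyed by minute stamp such as 'Mar  3 10:15'."""
    return Counter(minute for minute, _ in parse_quota_events(log_text))


def top_clients(log_text):
    """Counter keyed by client IP; a single address dominating suggests abuse or a loop."""
    return Counter(ip for _, ip in parse_quota_events(log_text))


def bursts(log_text, threshold=3):
    """Minutes with at least `threshold` events, sorted; these are the windows to inspect."""
    return sorted(m for m, n in events_per_minute(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for minute, n in sorted(events_per_minute(SAMPLE_LOG).items()):
        print(f"{minute}: {n} quota-reached events")
    for ip, n in top_clients(SAMPLE_LOG).most_common(3):
        print(f"{ip}: {n}")
    print("bursts:", bursts(SAMPLE_LOG))
```

Run it against a real log with `python3 script.py < /var/log/messages` after swapping SAMPLE_LOG for `sys.stdin.read()`; a burst tied to one client is the case where a firewall rule limiting that source is justified, whereas evenly spread events across many clients point at the resolver's own client limit rather than an attack.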