你是否有遇到這樣的情況���,明明服務(wù)器正常運(yùn)行����,用戶訪問網(wǎng)站人數(shù)正常,卻出現(xiàn)網(wǎng)頁很卡���,直到奔潰的情況���,出現(xiàn)這種情況多半是被CC攻擊了����,預(yù)防勝于治療,下面小編以Linux系統(tǒng)為例�,給大家介紹下Linux如何防止CC攻擊。
什么是CC攻擊
cc攻擊簡(jiǎn)單就是(ChallengeCollapsar)
CC攻擊的原理就是攻擊者控制某些主機(jī)不停地發(fā)大量數(shù)據(jù)包給對(duì)方服務(wù)器造成服務(wù)器資源耗盡�����,一直到宕機(jī)崩潰���。CC主要是用來攻擊頁面的��,每個(gè)人都有這樣的體驗(yàn):當(dāng)一個(gè)網(wǎng)頁訪問的人數(shù)特別多的時(shí)候�����,打開網(wǎng)頁就慢了���,CC就是模擬多個(gè)用戶(多少線程就是多少用戶)不停地進(jìn)行訪問那些需要大量數(shù)據(jù)操作(就是需要大量CPU時(shí)間)的頁面�����,造成服務(wù)器資源的浪費(fèi)����,CPU長(zhǎng)時(shí)間處于100%�,永遠(yuǎn)都有處理不完的連接直至就網(wǎng)絡(luò)擁塞,正常的訪問被中止�。
防止CC攻擊方法
用防止這CC攻擊有兩種方法
第一種就是利用本機(jī)的防火墻來解決可以安裝CSF之內(nèi)的防火墻,這種的弊端是只能防止小規(guī)模的CC攻擊和DDOS(我的站在阿里云�����,所以不用太擔(dān)心DDOS)CC攻擊比較猛的話機(jī)器也直接CUP跑滿了�。
第二種方式是添加CDN,這種防止CC攻擊的方法是最好的��,不過CDN一般都要錢����。
現(xiàn)在就來談?wù)劸唧w換防護(hù)�����,
首先安裝CSF防火墻�����,這個(gè)比較簡(jiǎn)單而且不用改域名什么的��,小規(guī)模的就直接解決了�����。
一、安裝依賴包:
yum install perl-libwww-perl perl iptables
二�、下載并安裝 CSF:
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
三、測(cè)試 CSF 是否能正常工作:
?���。踨oot@localhost csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter.。.OK
Testing ipt_LOG.��。.OK
Testing ipt_multiport/xt_multiport.�����。.OK
Testing ipt_REJECT.。.OK
Testing ipt_state/xt_state.��。.OK
Testing ipt_limit/xt_limit.�。.OK
Testing ipt_recent.。.OK
Testing xt_connlimit.���。.OK
Testing ipt_owner/xt_owner.��。.OK
Testing iptable_nat/ipt_REDIRECT.�����。.OK
Testing iptable_nat/ipt_DNAT.����。.OK
RESULT: csf should function on this server
四���、csf的配置:
CSF的配置文件是
vim /etc/csf/csf.conf
# Allow incoming TCP ports
# 推薦您更改 SSH 的默認(rèn)端口(22)為其他端口��,但請(qǐng)注意一定要把新的端口加到下一行中
TCP_IN = “20��,21�����,47�����,81�,1723,25��,53����,80,110��,143����,443��,465����,587��,993�,995〃
# Allow outgoing TCP ports同上�����,把 SSH 的登錄端口加到下一行。
# 在某些程序要求打開一定范圍的端口的情況下����,例如Pureftpd的passive mode��,可使用類似 30000:35000 的方式打開30000-35000范圍的端口�。
TCP_OUT = “20,21�,47,81�,1723,25�����,53���,80���,110�����,113�,443〃
# Allow incoming UDP ports
UDP_IN = “20�,21,53〃
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = “20��,21����,53,113��,123〃
# Allow incoming PING 是否允許別人ping你的服務(wù)器���,默認(rèn)為1����,允許���。0為不允許�。
ICMP_IN = “1〃
以上這些配置大家一看就懂了���,下面再介紹幾個(gè)比較常用的:
上一頁12下一頁共2頁
免疫某些類型的小規(guī)模 DDos 攻擊:
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It’s entirely possible that you will
# see false-positives. Some protocols can be connection hungry�����, e.g. FTP���, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However��, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be arround 200.
#
# To disable this feature��, set this to 0
CT_LIMIT = “200”##固定時(shí)間內(nèi)同一個(gè)IP請(qǐng)求的此數(shù)
# Connection Tracking interval. Set this to the the number of seconds between
# connection tracking scans
CT_INTERVAL = “30” ##指上面的固定時(shí)間���,單位為秒
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = “1” ##是否發(fā)送郵件
# If you want to make IP blocks permanent then set this to 1���, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
# 是否對(duì)可疑IP采取永久屏蔽,默認(rèn)為0�,即臨時(shí)性屏蔽。
CT_PERMANENT = “0”
# If you opt for temporary IP blocks for CT�����, then the following is the interval
# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
# 臨時(shí)性屏蔽時(shí)間
CT_BLOCK_TIME = “1800”
# If you don’t want to count the TIME_WAIT state against the connection count
# then set the following to “1〃
CT_SKIP_TIME_WAIT = “0” ##是否統(tǒng)計(jì)TIME_WAIT鏈接狀態(tài)
# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. “SYN_RECV,TIME_WAIT”
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = “” ##是否分國(guó)家來統(tǒng)計(jì)�,填寫的是國(guó)家名
# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. “80��,443〃
#
# Leave this option empty to count all ports against CT_LIMIT
# 對(duì)什么端口進(jìn)行檢測(cè)���,為空則檢測(cè)所有���,防止ssh的話可以為空,統(tǒng)計(jì)所有的�。
CT_PORTS = “”
做了以上設(shè)置之后,可以先測(cè)試一下�。如果沒有問題的話,就更改為正式模式�����,剛才只是測(cè)試模式�。
# 把默認(rèn)的1修改為0。
TESTING = “0”
在/etc/csf/下有csf.allow和csf.deny兩個(gè)文件�����,
allow是信任的IP,可以把自己的IP寫到這里面防止誤封��。
deny就是被封的IP��。
如果有調(diào)整需要重啟一下cfs服務(wù)
上面就是Linux防止CC攻擊的方法介紹了�,很多時(shí)候用戶網(wǎng)站被CC攻擊了自己都不知道���,所以定期的檢測(cè)是很有必要的���。
