话说回来,不出现问题当然比出了问题再解决的好.包括服务商在内.谁都不想出现问题.所以试着包容.不要太苛刻了.

PS:以上内容属个人意见.仅供参考.

Related Posts

• APF:Linux下强大的防火墙组件 (8)
• DOS-Deflate:帮助您有效减轻 DOS 攻击伤害 (12)

APF(Advanced Policy Firewall)是 Rf-x Networks 出品的Linux环境下的软件防火墙,被大部分Linux服务器管理员所采用,使用iptables的规则,易于理解及使用.可算是Linux使用较多的防火墙.APF的配置参数众多,有效利用这些配置参数可加强你的服务器安全,APF应该在每一台Linux服务器中得到应用.

安装APF

1.下载最新的安装包并解压缩,APF项目详细信息.

#cd /usr/local/src
#wget http://www.rfxn.com/downloads/apf-current.tar.gz
#tar -zxf apf-current.tar.gz
#cd apf-9.7-1/

2.执行安装

#sh ./install.sh

结束安装好你会得到一些信息:

...
Installation Details:
Install path:         /etc/apf/
Config path:          /etc/apf/conf.apf
Executable path:      /usr/local/sbin/apf
...

3.进行详细配置

#vi /etc/apf/conf.apf

默认的参数适合大多数场合,按照需要进行修改即可

DEVEL_MODE="1" >> DEVEL_MODE="0"
RAB="0" >> RAB="1"
RAB_PSCAN_LEVEL="2" >> RAB_PSCAN_LEVEL="3"
TCR_PASS="1" >> TCR_PASS="0"
DLIST_PHP="0" >> DLIST_PHP="1"
DLIST_SPAMHAUS="0" >> DLIST_SPAMHAUS="1"
DLIST_DSHIELD="0" >> DLIST_DSHIELD="1"
DLIST_RESERVED="0" >> DLIST_RESERVED="1"

流入端口过滤

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,3306"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465"

流出端口过滤,虚拟主机推荐开启

# Outbound (egress) filtering
EGF="1"
# Common outbound (egress) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,3306"
# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,53,465"

ICMP过滤

# Common ICMP outbound (egress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"

另外还有两个值得注意的设置文件: /etc/apf/allow_hosts.rules 和 /etc/apf/deny_hosts.rules 可设置目标主机的过滤规则.如添加信任主机操作等.

启动APF

#/usr/local/sbin/apf -s

重启APF

#/usr/local/sbin/apf -r

查看运行日志

#tail -f /var/log/apf_log

添加为系统启动

#vi /etc/rc.local

在其中添加 "/usr/local/sbin/apf -s" 即可(不含双引号).

详细参数说明

usage /usr/local/sbin/apf [OPTION]
-s|--start ......................... load all firewall rules
-r|--restart ....................... stop (flush) & reload firewall rules
-f|--stop........ .................. stop (flush) all firewall rules
-l|--list .......................... list all firewall rules
-t|--status ........................ output firewall status log
-e|--refresh ....................... refresh & resolve dns names in trust rules
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
 immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
 immediately load new rule into firewall
-u|--remove HOST ................... remove host from [glob]*_hosts.rules
 and immediately remove rule from firewall
-o|--ovars ......................... output all configuration options

此外,APF自9.6 (rev:2)版本之后增加了RAB模块.该模块取代了旧版本的antidos模块.可有效减轻拒绝服务攻击带来的影响,但需要iptables的内核模块ipt_recent的支持.如下图我在VPS上启动APF后的屏显,提示RAB模块无法启用.内核模块ipt_recent没有找到.因此建议在内核支持以及iptables模块支持的情况下使用.

Faq

Problem: If you get this error apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.
Solution: Try changing SET_MONOKERN=”0″ to SET_MONOKERN=”1″ , then apf -r

Problem: If you get this message: apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! – firewall will flush every 5 minutes.
Solution: you need to change DEVEL_MODE=1 to DEVEL_MODE=0, make sure your config is working first.

Via:http://www.securecentos.com/basic-security/install-firewall/

Related Posts

• DOS-Deflate:帮助您有效减轻 DOS 攻击伤害 (12)
• 设置pptpd与apf (0)
• VPS推荐:Photonvps (0)
• CentOS最小化安装Gnome和VNC (8)

诡谲在这里推荐VPS(vz)管理员使用DOS-Deflate脚本.通过APF添加动态过滤.脚本安装简单,防范攻击的效果也很不错.但是需要注意,安装前需确定Advanced Policy Firewall (APF)已经在你的系统安装并运行良好.否则将不会起到封禁攻击IP的作用.

安装step by step

1.以root用户登录终端.

2.下载安装脚本

#cd /usr/local/src
#wget http://www.inetbase.com/scripts/ddos/install.sh

3.安装防护

#sh ./install.sh

安装完成之后.可以在/usr/local/ddos/路径找到配置文件和sh脚本.配置十分简单,你只需编辑/usr/local/ddos/ddos.conf文件.

参数配置示范:

##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"  # 白名单.如有反向代理,注意添加本机地址和本机外网IP地址,防止提供反向代理的主机被判定为攻击.
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1

##### How many connections define a bad IP? Indicate that below.  # 单IP发起连接数阀值,不建议设置太低.
NO_OF_CONNECTIONS=150

##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1

##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1

##### An email is sent to the following address when an IP is banned.   # 当单IP发起的连接数超过阀值后,将发邮件给指定的收件人.
##### Blank would suppress sending of mails
EMAIL_TO="root"

##### Number of seconds the banned ip should remain in blacklist.   # 设置被挡IP多少秒后移出黑名单.
BAN_PERIOD=600


此外还要修改两个地方.

1. 在/usr/local/ddos/ddos.sh的第134行.注释掉这行,前面加'#'号

#echo $CURR_LINE_IP >> $IGNORE_IP_LIST

2.在同个文件大概117行处,将netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST注释掉然后在下面添加 netstat -ntu | awk '{print $5}' | egrep -o "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c | sort -nr > $BAD_IP_LIST

模拟发起dos攻击后,系统管理员将收到邮件,告知过去1分钟禁止了哪些IP和其发起的连接数.

卸载

以root用户登录终端,下载反安装脚本

#wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
#sh ./uninstall.ddos


Related Posts

• APF:Linux下强大的防火墙组件 (8)
• 设置pptpd与apf (0)
• VPS推荐:Photonvps (0)