心塞,服务器被攻击,直接凉了,无法对外提供服务,整整半个小时!!!
记录一下,做一个简单的基础防护!!!
切忌一定不要单机,多域名,多IP!!!
iptables :防火墙防护。
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j REJECT
-I INPUT -p tcp --dport 443 -m connlimit --connlimit-above 20 -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 6379 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 9090 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMITnginx防护:
http模块配置
limit_rate_after 1m; #下载速度超过1M 限制速度为100K
limit_rate 100k;
限流策略:
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;
limit_conn conn_limit_per_ip 20;
limit_req zone=req_limit_per_ip burst=20;
server模块配置:
禁止各种代理或者压测工具访问
if ($http_user_agent ~* ApacheBench|WebBench|java) {
return 403;
}
if ($http_user_agent ~* (Wget|ab)) {
return 403;
}
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
return 403;
}