Счетчик

Яндекс.Метрика
Cервер и сайт запущен 2011.02.01 на Debian

Защита от DDOS правилами iptables 

### 1: Drop invalid packets ###

iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP 

### 2: Drop TCP packets that are new and are not SYN ###

iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

### 3: Drop SYN packets with suspicious MSS value ###

iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP 

### 4: Block packets with bogus TCP flags ###

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP

iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP 

### 5: Block spoofed packets ###

iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP

iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP

iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP

iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP

iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP

iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP

iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP

iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP

iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP 

### 6: Drop ICMP (you usually don't need this protocol) ###

iptables -t mangle -A PREROUTING -p icmp -j DROP 

### 7: Drop fragments in all chains ###

iptables -t mangle -A PREROUTING -f -j DROP 

### 8: Limit connections per source IP ###

iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset 

### 9: Limit RST packets ###

iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT

iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP 

### 10: Limit new TCP connections per second per source IP ###

iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT

iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP 

### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###

# Hidden - unlock content above in "Mitigating SYN Floods With SYNPROXY" section

### SSH brute-force protection ###

iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set

iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP 

### Protection against port scanning ###

iptables -N port-scanning

iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN

iptables -A port-scanning -j DROP

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name SSH --hashlimit-htable-expire 60000 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP

iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

iptables -A INPUT -s 78.27.124.225/32 -j DROP

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT

iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT

iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT

iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables-save >/etc/firewall.conf

а в файл nano /etc/network/interfaces в конце добавим

post-up iptables-restore < /etc/firewall.rules

Если заметили что чего то не хватает, пишите дополню или исправлю.

 

 

Партнеры

skid.crm

Система СКИД - онлайн приложение

для автоматизации строительного
контроля и ведения документации
по строительным объектам