Polskie Forum Użytkowników Debiana

Witam.

Poczytałem trochę o iptables, jednak mimo wszystko boję się zastosować go na żywo na serwerze, gdyż łączność z nim mam tylko przez ssh - w razie zerwania połączenia będzie po prostu tragedia.

Mój problem polega na tym, że na jednej maszynie (VPS) uruchamiam serwer http oraz serwer do rozgrywki online (SA-MP). Maszynkę bardzo łatwo zapchać, gdyż mam pasmo zaledwie 2Mbps i 256mb pamięci.
Wszystko jest tak zoptymalizowane i wyliczone, że pamięci zabraknąć nie powinno nawet przy maksymalnym obciążeniu (dwa, w porywach do czterech zespawnowanych php5-fcgi na jeden proces), jednak zastanawiam się jak to będzie z łączem.

Serwer gry online przy maksymalnym obciążeniu będzie zżerał około 1Mbps, czyli połowę mojego łącza. Wystarczy jednak script kiddie floodujący serwer httpd odwołaniami i leżymy.
Właśnie dlatego potrzebuję iptables, aby zabezpieczyć się przed tego rodzaju DoS.

Wiem, że jest możliwość ograniczenia liczby łącznych odwołań na dany port, ale czy w ten sposób nie zablokuję strony (portu 80) wszystkim graczom?
Jeżeli nie ma sposobu na obejście tego i rzeczywiście strona na czas ataku będzie nieczynna, to pozostaje pytanie co w takiej sytuacji z serwerem. On, działający na porcie 7777, będzie działał w porządku?
Istnieje prosty sposób na nadanie priorytetu serwerowi?

Zapewne będę jeszcze spamował z prośbami o pomoc przy konfiguracji, bo to dla mnie dość niebezpieczna zabawa przez ssh. Z góry przepraszam.

Pozdrawiam, liczę na odpowiedź. :-)

Wicko pisze:Poczytałem trochę o iptables, jednak mimo wszystko boję się zastosować go na żywo na serwerze, gdyż łączność z nim mam tylko przez ssh - w razie zerwania połączenia będzie po prostu tragedia.

Aby obronić się przed syn flood wystarczy w iptables:

Kod: Zaznacz cały

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

Z tym, że najpierw cokolwiek ustawisz

O tym co napisałem u góry poczytaj troszkę itd.

Pozdrawiam.

Jeżeli ktoś będzie ci chciał zarżnąć łącze, to to zrobi i żadna konfiguracja iptables go w tym nie powstrzyma

.

Rad pisze:Jeżeli ktoś będzie ci chciał zarżnąć łącze, to to zrobi i żadna konfiguracja iptables go w tym nie powstrzyma .

Ale dobra konfiguracja iptables ustrzeże go przed 99% ataków dzieci bawiących się w krakerów, odpalających skrypty, o których nawet pojęcia nie mają.

Pozdrawiam.

Witam serdecznie.
Znalazłem takie coś i pomyślałem, że nada się w moim przypadku.
Co wy na to? Coś pominąć, usunąć?

Kod: Zaznacz cały

INET_IP=`ifconfig ppp0 | grep inet | awk '{print $2}'| awk -F: '{print $2}'`

# wlaczenie w kernelu forwardowania
#echo 1 > /proc/sys/net/ipv4/ip_forward

# czyscimy wszystko
iptables -F -t nat
iptables -X -t nat
iptables -F -t filter
iptables -X -t filter

##################################################################
################################################################## 
# ochrona przed atakiem typu Smurf                             
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts        
#blokada ipspoofing                                           
echo "1" >/proc/sys/net/ipv4//conf/all/rp_filter              
#ochrona przed atakami syn cokkies                            
echo "1" >/proc/sys/net/ipv4/tcp_syncookies                    
#brak reakcji na falszywe komunikaty o bledach                 
echo "1" >/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 
# nie akceptujemy pakietow "source route"               
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route        
# nie przyjmujemy pakietow ICMP redirect                       
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects          
# wlacza logowanie dziwnych (spoofed, source routed, redirects)
#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians             
##################################################################
##################################################################

# usuwanie polityki dzialan
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Metoda ACK (nmap -sA)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK  -m limit --limit 1/hour #-j LOG --log-prefix " $LOG Skanowanie ACK"
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP

# Skanowanie FIN (nmap -sF)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN  -m limit --limit 1/hour #-j LOG --log-prefix " $LOG Skanowanie FIn"
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP

# Metoda Xmas Tree (nmap -sX)
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH  -m limit --limit 1/hour #-j LOG --log-prefix " $LOG Skanowanie Xmas Tre"
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP

# Skanowanie Null (nmap -sN)
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ! SYN,RST,ACK,FIN,PSH,URG SYN,RST,ACK,FIN,PSH,URG  -m limit --limit 1/hour #-j LOG --log-prefix " $LOG Skanowanie Null"
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ! SYN,RST,ACK,FIN,PSH,URG SYN,RST,ACK,FIN,PSH,URG -j DROP

# Lancuch syn-flood (obrona przed DoS)
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SYN-FLOOD: "
iptables -A syn-flood -j DROP
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# odblokowanie lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# ping
iptables -A INPUT -p icmp -s 0/0 -m limit --limit 3/s --limit-burst 4 -j ACCEPT

# SSH
iptables -A INPUT -s 0/0 -d $INET_IP -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 22 -m state --state NEW -j ACCEPT

# server www 
iptables -A INPUT -s 0/0 -d $INET_IP -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 80 -m state --state NEW -j ACCEPT

# server ftp
iptables -A INPUT -s 0/0 -d $INET_IP -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 21 -m state --state NEW -j ACCEPT

# server samp
iptables -A INPUT -s 0/0 -d $INET_IP -p udp --dport 7777 -j ACCEPT
iptables -A INPUT -s 0/0 -p udp --dport 7777 -m state --state NEW -j ACCEPT

# POLACZENIA NAWIAZANE
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

Widzę, że można tam kilka zbędnych argumentów, jak -s, po prostu usunąć ale mam jeszcze jakąś godzinkę, więc postanowiłem zapytać.
SA-MP to taki rodzaj społeczności, w której wszyscy chcą wszystko zniszczyć, stąd wybrałem taką konfigurację.

Wicko pisze:łączność z nim mam tylko przez ssh - w razie zerwania połączenia będzie po prostu tragedia.

Spróbuj zatem iptables-apply, to narzędzie mające właśnie takie stresy łagodzić

Ledwo wystartowałem

Kod: Zaznacz cały

tcp        0      0 ***:www h091203132103.nep:59735 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59479 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59223 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:58967 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:58711 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:57431 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36695 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36439 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36183 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35927 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35671 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35415 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35159 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:34903 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:34135 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33879 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33623 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33367 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33111 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:32855 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40791 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40535 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40279 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40023 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39767 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39511 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39255 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38999 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38743 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38487 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38231 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37975 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37719 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37463 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37207 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36951 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44887 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44631 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44375 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43607 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43351 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43095 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42839 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42583 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42327 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41815 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41303 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41047 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:47703 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:47447 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:47191 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46935 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46167 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45399 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45143 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:51540 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:60500 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:60756 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59476 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59988 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:60244 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:58452 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:58708 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:58964 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59220 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:57940 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35924 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36180 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36436 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36692 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:34900 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35156 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35412 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35668 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33876 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:34132 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:32852 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33108 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33364 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33620 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40020 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40276 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40532 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40788 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38996 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39252 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39508 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39764 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37972 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38228 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38484 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38740 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36948 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37204 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37460 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37716 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44372 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44628 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44884 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43092 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43348 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43604 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43860 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42068 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42324 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42580 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42836 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41044 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41300 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41556 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41812 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:47700 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46164 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46676 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46932 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45140 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45396 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45652 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45908 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:57173 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:53333 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:60501 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59733 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:60245 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59989 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:58453 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59221 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:58965 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:57941 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36181 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35925 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36693 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36437 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35157 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:34901 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35669 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35413 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:34133 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33877 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33109 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:32853 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33621 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33365 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40277 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40021 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40789 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40533 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39253 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38997 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39765 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39509 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38229 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37973 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38741 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38485 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37205 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36949 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37717 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37461 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44373 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44117 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44885 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44629 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43349 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43093 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43605 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42325 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42581 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41301 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41045 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41813 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41557 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:48469 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:48725 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:47957 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46421 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46165 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46933 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46677 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45397 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45141 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45909 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45653 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:53586 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59986 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:60242 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59474 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59730 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:57938 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:58962 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59218 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:58450 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:58706 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35410 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35666 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:34898 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35154 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36434 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36690 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:35922 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36178 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33362 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33618 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:32850 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:33106 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:34386 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:34642 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:34130 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39506 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39762 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38994 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:39250 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40530 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40786 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40018 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:40274 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37458 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37714 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:36946 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37202 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38482 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38738 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:37970 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:38226 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43602 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43858 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43090 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:43346 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44626 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44882 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44114 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:44370 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41554 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41810 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41042 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:41298 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42578 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42834 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42066 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:42322 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:48722 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45650 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45138 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:45394 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46674 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46930 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:46162 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:55635 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:56659 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:54355 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:60243 TIME_WAIT  -
tcp        0      0 ***:www h091203132103.nep:59987 TIME_WAIT  -

[ Dodano: 2009-02-21, 23:00 ]
Posłuchajcie moi drodzy. Odpaliłem powyższy skrypt wcześniej nadając mu +x i dostaję:

Kod: Zaznacz cały

/etc/init.d/iptbl1: line 13: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts: Operation not permitted
/etc/init.d/iptbl1: line 17: /proc/sys/net/ipv4/tcp_syncookies: Operation not permitted
/etc/init.d/iptbl1: line 19: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses: Operation not permitted
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

Sparawa jest dla mnie o tyle dziwna, że pytając Google o ostatnią sentencję z pierwszych linijek dostaję tylko wyniki dotyczące pingowania.
Jakieś propozycje?

Nie masz załadowanego modułu ip_conntrack:

Kod: Zaznacz cały

lsmod | grep ip_conntrack

lub

Kod: Zaznacz cały

grep CONNTRACK /boot/config

Mógłby ktoś opisać bądź podać jakiś link do poradnika jak zabezpieczyć się przed tego typu atakami.

Przed DoS można się zabezpieczyć poprzez moduł limit w iptables dla pakietów SYN (tylko TCP - i to starczy bo to on przetrzymuje dane sesji w buforze).
Dokładnie w przypadku DoS możesz jeszcze zrobić loga takiej nadmiarowej komunikacji i jakimś skryptem czytać te logi i na bieżąco dodawać odpowiednie regułki blokujące - to już będzie system aktywengo przeciwdziałania (prawie IPS). Czego nie zrobisz już w przypadku DDoS, wtedy zostaje tylko limit, który w zulełności na początek powinien wystarczyć.
Co do modułu limit nalezy pamietać, że zapiś 1/s tak naprawde oznacza 5 na sekundę bo domyslnie opcja --limit-burst jest ustawiona na 5.

Polskie Forum Użytkowników Debiana

Konfiguracja iptables, zabezpieczenie przed DoS

Konfiguracja iptables, zabezpieczenie przed DoS

Re: Konfiguracja iptables, zabezpieczenie przed DoS.