The high-defense server we use only absorbs volumetric (bandwidth) attacks, not CC attacks (HTTP floods). Most attacks today are mixed, and a large share of them are CC attacks, so CC defense has to be handled on our own. In real use the configuration from the first article did not perform well: limiting requests per second and connections per IP is a tactic that hurts you almost as much as the attacker. It can stop small CC attacks, but it is inflexible: set the limits strictly and the false-positive rate is high; set them loosely and, once the number of attacking IPs reaches a certain scale, a great many requests still reach the backend and PHP collapses under the load. Building on the previous article, this post describes in detail the configuration I use in production.
1. Raise the maximum number of connections
If the connection limit is too low, "Too many open files" errors show up in the nginx log. The system default of 1024 is far too small; add the following to /etc/security/limits.conf:
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
2. sysctl tuning
This part really tests how deep your knowledge goes. I have not studied it much yet, so I copied a set of settings from the web and will work through it gradually later:
###
### GENERAL SYSTEM SECURITY OPTIONS
###

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Allow for more PIDs
kernel.pid_max = 65535

# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
# (kernel.maps_protect and kernel.exec-shield exist only on certain older kernels,
#  exec-shield being Red Hat specific; sysctl -p reports an unknown key and continues)
kernel.maps_protect = 1

# Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 2

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65535

# Controls the default maximum size of a message queue
kernel.msgmax = 65535

# Restrict core dumps
fs.suid_dumpable = 0

# Hide exposed kernel pointers
kernel.kptr_restrict = 1

###
### IMPROVE SYSTEM MEMORY MANAGEMENT
###

# Increase size of file handles and inode cache
fs.file-max = 209708

# Do less swapping
vm.swappiness = 30
vm.dirty_ratio = 30
vm.dirty_background_ratio = 5

# specifies the minimum virtual address that a process is allowed to mmap
vm.mmap_min_addr = 4096

# 50% overcommitment of available memory
vm.overcommit_ratio = 50
vm.overcommit_memory = 0

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456
kernel.shmall = 268435456

# Keep at least 64MB of free RAM space available
vm.min_free_kbytes = 65535

###
### GENERAL NETWORK SECURITY OPTIONS
###

# Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

# Disables packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0

# Disables IP source routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 7

# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0

# Don't proxy arp for anyone
net.ipv4.conf.all.proxy_arp = 0

# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
net.ipv4.tcp_timestamps = 1

# Don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535

# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1

# Do not auto-configure IPv6
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.eth0.autoconf=0
net.ipv6.conf.eth0.accept_ra=0

###
### TUNING NETWORK PERFORMANCE
###

# For high-bandwidth low-latency networks, use 'htcp' congestion control
# Do a 'modprobe tcp_htcp' first
net.ipv4.tcp_congestion_control = htcp

# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
net.core.default_qdisc = fq

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 262144
net.core.rmem_max = 16777216

# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 262144
net.core.wmem_max = 16777216

# Increase number of incoming connections
net.core.somaxconn = 32768

# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 16384
net.core.dev_weight = 64

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65535

# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000

# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
# (tcp_tw_recycle was removed in Linux 4.12; drop that line on newer kernels)
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1

# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1

# Increase size of RPC datagram queue length
net.unix.max_dgram_qlen = 50

# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048

# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024

# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32

# Adjust to arp table gc to clean-up more often
net.ipv4.neigh.default.gc_interval = 30

# Increase TCP queue length
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6

# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3

# How many times to retry killing an alive TCP connection
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3

# Avoid falling back to slow start after a connection goes idle
# keeps our cwnd large with the keep alive connections (kernel > 3.6)
net.ipv4.tcp_slow_start_after_idle = 0

# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
net.ipv4.tcp_fastopen = 3

# This will ensure that immediately subsequent connections use the new values
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1

# Size these from the server's hardware; a wrong value can make TCP connections get closed prematurely
# net.netfilter.nf_conntrack_max = 1048576
# net.netfilter.nf_conntrack_tcp_timeout_established = 1200
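A small check I would run after sections 1 and 2, rather than trusting that the files were applied: parse a sysctl.conf-style file and compare the flood-relevant keys against what we expect, and parse /proc/<pid>/limits of a running nginx worker to confirm the raised nofile limit actually reached it (limits.conf is applied by pam_limits at login, so a service started at boot may still run with the old 1024). This is an added example written for this article, not code from the article or from any tool it mentions; the sysctl and limits texts below are constructed samples in the real file formats, and the expected values are the ones the article uses.

```python
import re

def parse_sysctl(text):
    """Parse sysctl.conf-style text into {key: value}; '#' comments and blank lines are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

# Settings that matter most for a host absorbing SYN/HTTP floods: (wanted value, comparison).
EXPECTED = {
    "net.ipv4.tcp_syncookies": ("1", "eq"),
    "net.ipv4.tcp_max_syn_backlog": ("4096", "ge"),
    "net.ipv4.conf.all.rp_filter": ("1", "eq"),
    "net.ipv4.conf.all.accept_redirects": ("0", "eq"),
    "net.core.somaxconn": ("32768", "ge"),
    "net.netfilter.nf_conntrack_max": ("1048576", "ge"),
}

def check_sysctl(settings, expected=EXPECTED):
    """Return [(key, problem)] for settings that are missing or weaker than expected."""
    problems = []
    for key, (want, how) in expected.items():
        have = settings.get(key)
        if have is None:
            problems.append((key, "missing"))
        elif how == "eq" and have != want:
            problems.append((key, "is %s, want %s" % (have, want)))
        elif how == "ge" and int(have) < int(want):
            problems.append((key, "is %s, want >= %s" % (have, want)))
    return problems

def parse_proc_limits(text):
    """Parse /proc/<pid>/limits output into {limit name: (soft, hard)}; columns are 2+ spaces apart."""
    limits = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) >= 3:
            limits[fields[0]] = (fields[1], fields[2])
    return limits

def open_files_ok(limits_text, needed=65535):
    """True if the process's soft 'Max open files' limit is at least `needed` (or unlimited)."""
    soft, _hard = parse_proc_limits(limits_text)["Max open files"]
    return soft == "unlimited" or int(soft) >= needed

# Constructed sample inputs (same formats as the real files; values taken from this article).
SAMPLE_SYSCTL = """\
###
### GENERAL NETWORK SECURITY OPTIONS
###
# Prevent SYN attack, enable SYNcookies
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.autoconf=0
net.core.somaxconn = 32768
# net.netfilter.nf_conntrack_max = 1048576
"""

SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max processes             7846                 7846                 processes
Max open files            1024                 4096                 files
"""

if __name__ == "__main__":
    # On a real host: open('/etc/sysctl.conf').read() and open('/proc/<nginx worker pid>/limits').read()
    for key, problem in check_sysctl(parse_sysctl(SAMPLE_SYSCTL)):
        print("sysctl %s: %s" % (key, problem))
    print("nginx worker nofile ok:", open_files_ok(SAMPLE_LIMITS))
```

The commented-out conntrack key from the article shows up as "missing", which is the intended reminder that it still has to be sized for the machine. Keys that exist in the file but not in the running kernel (such as kernel.exec-shield) are only caught by sysctl -p itself, so run that as well.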
3. Defending against CC attacks with nginx and Lua
Following the approach of the OpenCDN team, nginx plus Lua is used to fend off CC attacks. The principle is explained in the referenced article, and it works very well.
nginx must be built with the Lua module; see: http://www.52os.net/articles/nginx-install-lua-and-lua-based-waf.html
Add to the http block of nginx.conf:
limit_req_zone $cookie_token zone=session_limit:20m rate=1r/s;
# the key is a single argument: concatenate the two variables (nginx 1.7.6+); written with a space
# between them they are parsed as an extra argument and the directive is rejected
limit_req_zone $binary_remote_addr$uri zone=auth_limit:20m rate=1r/m;
Add to the server block:
location / {
    limit_req zone=session_limit burst=5;
    rewrite_by_lua '
        -- no random cookie yet: send the client through /auth to obtain the cookie pair
        local random = ngx.var.cookie_random
        if (random == nil) then
            return ngx.redirect("/auth?url=" .. ngx.escape_uri(ngx.var.request_uri))
        end
        -- the token must equal md5(secret .. client IP .. random); otherwise go through /auth again
        -- (request_uri is escaped so a query string containing & survives the round trip)
        local token = ngx.md5("opencdn" .. ngx.var.remote_addr .. random)
        if (ngx.var.cookie_token ~= token) then
            return ngx.redirect("/auth?url=" .. ngx.escape_uri(ngx.var.request_uri))
        end
    ';
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://backend;
}

location /auth {
    limit_req zone=auth_limit burst=1;
    if ($arg_url = "") {
        return 403;
    }
    access_by_lua '
        -- only redirect back to a local path, so /auth cannot be used as an open redirect
        local url = ngx.unescape_uri(ngx.var.arg_url)
        if (url:sub(1, 1) ~= "/" or url:sub(1, 2) == "//") then
            return ngx.exit(403)
        end
        -- issue a fresh random value and the matching token, bound to the client IP
        local random = math.random(9999)
        local token = ngx.md5("opencdn" .. ngx.var.remote_addr .. random)
        if (ngx.var.cookie_token ~= token) then
            ngx.header["Set-Cookie"] = {"token=" .. token, "random=" .. random}
            return ngx.redirect(url)
        end
    ';
}
This method leaves search-engine crawlers stuck in the 302 loop, which is bad for SEO; a separate route for crawlers can be assigned with smart DNS. Compared with being knocked offline, SEO hardly matters.
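To make the cookie handshake above concrete, here is a simulation of the two locations and of a client following the redirects. It is an added example written for this article, not code from the article or from OpenCDN; the request flow and the md5("opencdn" .. ip .. random) token are taken from the Lua above, the client addresses are constructed, and a seeded random generator stands in for math.random. It shows why the article later counts two 302s per legitimate visit, why a token minted for one IP is useless from another, and what this gate does not do: it only separates clients that carry cookies across a redirect from clients that do not, so every source still costs nginx its first two requests, which is why the rate limits and the fail2ban rule on 302s are still needed.

```python
import hashlib
import random

SECRET = "opencdn"   # the fixed string in the article's Lua; use your own value in production

def make_token(remote_addr, rnd):
    """Mirror of ngx.md5("opencdn" .. ngx.var.remote_addr .. random)."""
    return hashlib.md5((SECRET + remote_addr + str(rnd)).encode()).hexdigest()

def location_root(remote_addr, request_uri, cookies):
    """The rewrite_by_lua block of 'location /': ("proxy", uri) or ("302", location)."""
    rnd = cookies.get("random")
    if rnd is None:                                              # no random cookie yet
        return ("302", "/auth?url=" + request_uri)
    if cookies.get("token") != make_token(remote_addr, rnd):     # token not bound to this IP/random
        return ("302", "/auth?url=" + request_uri)
    return ("proxy", request_uri)                                # reaches proxy_pass http://backend

def location_auth(remote_addr, arg_url, cookies, rng):
    """The access_by_lua block of 'location /auth': (status, location, cookies to set)."""
    if not arg_url:                                              # if ($arg_url = "") { return 403; }
        return ("403", None, {})
    rnd = rng.randint(1, 9999)                                   # math.random(9999)
    token = make_token(remote_addr, rnd)
    if cookies.get("token") != token:
        return ("302", arg_url, {"token": token, "random": str(rnd)})
    return ("200", None, {})   # only if the fresh token already equals the cookie; not reached in practice

def visit(remote_addr, request_uri, keeps_cookies=True, max_hops=10, seed=1):
    """Follow the redirect chain the way a browser would; returns (outcome, number of 302s seen)."""
    rng = random.Random(seed)          # stands in for the nginx worker's math.random state
    jar = {}
    uri, hops = request_uri, 0
    while hops < max_hops:
        if uri.startswith("/auth?url="):
            status, location, set_cookies = location_auth(remote_addr, uri[len("/auth?url="):], jar, rng)
        else:
            status, location = location_root(remote_addr, uri, jar)
            set_cookies = {}
        if keeps_cookies:
            jar.update(set_cookies)
        if status != "302":
            return (status, hops)
        hops += 1
        uri = location
    return ("302-loop", hops)          # a client that never keeps cookies never gets past nginx

if __name__ == "__main__":
    print("browser:", visit("203.0.113.9", "/index.php"))                       # ('proxy', 2)
    print("no cookies:", visit("203.0.113.9", "/index.php", keeps_cookies=False))  # ('302-loop', 10)
```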
4. Limiting TCP connections and connection rate with iptables
With the configuration above, CC attack traffic is stuck in 302s, but to be safe, also limit the connection rate and concurrency of each IP. Add to /etc/sysconfig/iptables:
# a single IP may open only 20 new connections within 60 seconds
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT --rsource
# cap the concurrent connections of a single IP at 20
-I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j REJECT
# at most 20 initial (SYN) connections per IP
-A INPUT -p tcp --syn -m connlimit --connlimit-above 20 -j DROP
With this configuration a single IP is not limited to exactly 20 connections; how many it can actually hold open also depends on the TCP timeout settings, but no single IP can build up a large number of TCP connections that eat system resources.
5. Blocking attacking IPs with fail2ban
With nginx set up as above, CC attack requests turn into 302s that are handled directly by nginx, which has plenty of headroom. But the attacking IPs keep hitting the server and consuming its resources, and once they reach a certain order of magnitude they still hurt system performance badly, so these IPs are blocked outright by analyzing the nginx access log.
Install fail2ban and upgrade iptables to the latest version:
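The "not exactly 20 connections" remark is easier to see with a model of what the two -m recent rules actually count. The block below is an added example for this article, not code from iptables or from the article: it models the xt_recent list (a per-source ring of timestamps, 20 entries by default, which is also why --hitcount cannot exceed ip_pkt_list_tot) and applies the article's --update/DROP and --set rules in order to a constructed list of new connections. Timings and source addresses are made up.

```python
from collections import defaultdict, deque

class RecentList:
    """Minimal model of the xt_recent list behind '-m recent --name DEFAULT --rsource'."""
    def __init__(self, seconds=60, hitcount=20, ip_pkt_list_tot=20):
        self.seconds = seconds
        self.hitcount = hitcount
        self.ip_pkt_list_tot = ip_pkt_list_tot      # stamps kept per address (module default 20)
        self.stamps = defaultdict(deque)

    def _record(self, src, now):
        q = self.stamps[src]
        q.append(now)
        while len(q) > self.ip_pkt_list_tot:        # ring buffer: the oldest stamp is overwritten
            q.popleft()

    def update(self, src, now):
        """'--update --seconds S --hitcount N': true if src is listed with >= N stamps in the last S seconds.
        The matching packet is itself recorded, so a source that keeps connecting gets no fresh allowance."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        if hits >= self.hitcount:
            self._record(src, now)
            return True
        return False

    def set(self, src, now):
        """'--set': add src to the list, or add one more stamp to it."""
        self._record(src, now)

def verdict(table, src, now):
    """The article's two rules in order: '--update ... -j DROP', then '--set' (no target: packet continues)."""
    if table.update(src, now):
        return "DROP"
    table.set(src, now)
    return "ACCEPT"

def simulate(events, seconds=60, hitcount=20):
    """events: [(time_in_seconds, source_ip)] of NEW connections to port 80, in time order; one verdict each."""
    table = RecentList(seconds, hitcount)
    return [verdict(table, src, t) for t, src in sorted(events)]

# Constructed traffic: one source opens a connection every second for 25 s; another opens a single one.
BURST = [(t, "203.0.113.9") for t in range(25)] + [(5, "198.51.100.7")]

if __name__ == "__main__":
    v = simulate(BURST)
    print("accepted:", v.count("ACCEPT"), "dropped:", v.count("DROP"))   # accepted: 21 dropped: 5
    # 20 connections, then one more at t=30 (dropped, and recorded) and one at t=85 (window has drained)
    print(simulate([(t, "a") for t in range(20)] + [(30, "a"), (85, "a")])[-2:])   # ['DROP', 'ACCEPT']
```

The second run is the point of the article's sentence: the 21st connection at t=30 is dropped, but because the window is sliding and the stamps age out, the same source is accepted again at t=85. What the rule bounds is the rate of new connections per 60 seconds, not the absolute number a source can ever open; the connlimit rules and the TCP timeouts decide how many stay open at once.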
yum install -y epel-release
yum install -y fail2ban iptables python-inotify
First, a look at my nginx access log format:
log_format main '$remote_addr $status $request $body_bytes_sent [$time_local]
What the attack looks like in the log:
159.138.198.106 302 GET /auth?url=/ HTTP/1.1 235 [17/Oct/2015:21:06:22 +0800] Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10 - - - - - -
After the nginx and Lua processing, requests from CC-attack IPs end with status 302. Based on the nginx access log format, filter these IPs by the 302 status and add them to the blacklist.
Create the fail2ban filter file /etc/fail2ban/filter.d/nginx-302-cc.conf with the following contents:
[Definition]
failregex = <HOST> 302.(GET|POST)*.*HTTP/1.*$
ignoreregex =
Create the fail2ban jail file /etc/fail2ban/jail.d/nginx-anti-302.conf with the following contents:
[nginx-anti-302]
enabled = true
port = http
filter = nginx-302-cc
logpath = /opt/nginx/logs/52os.net/access_web.log
# look at the log of the last 60 seconds
findtime = 60
# ban the IP for 15 minutes
bantime = 900
# ban once 90 hits are reached
maxretry = 90
# watch the log with pyinotify; best performance on the huge logs produced under attack
backend = pyinotify
# ban with ipset; banning a large number of IPs with plain iptables is very slow and resource-hungry
banaction = iptables-ipset-proto6-allports
One visit by a visitor produces two 302s, so this configuration allows 45 normal visits per 60 seconds and will essentially never block legitimate visitors.
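Before relying on a failregex under attack, I would test it against real log lines offline. The block below is an added example for this article, not part of fail2ban or of the article: it expands <HOST> the way fail2ban 0.9 does (that pattern is assumed here), cuts the bracketed timestamp out of the line as fail2ban does before matching, and counts matches per host against maxretry. The first line is the article's own attack line; the rest of the sample log is constructed (a flood source that never keeps cookies, a real visitor with two 302s and a 200, and a line where 302 is the byte count rather than the status). A stricter regex pinned to the field order of the article's log_format is included alongside the article's.

```python
import re

# fail2ban's expansion of the <HOST> placeholder (0.9 series); assumed here so the filter can be tested offline
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# the [17/Oct/2015:21:06:22 +0800] field of the article's log_format; fail2ban removes the timestamp before matching
NGINX_TIME = re.compile(r"\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]")

PAGE_FAILREGEX = r"<HOST> 302.(GET|POST)*.*HTTP/1.*$"
# stricter variant: anchored at line start and pinned to the field order of the article's log_format
TIGHT_FAILREGEX = r"^<HOST> 302 (?:GET|POST|HEAD) \S+ HTTP/1\.[01] "

def match_host(failregex, line):
    """Return the host captured by failregex for this log line, or None if the line does not match."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    m = pattern.search(NGINX_TIME.sub("", line, count=1))
    return m.group("host") if m else None

def hosts_to_ban(failregex, lines, maxretry=90):
    """Hosts fail2ban would ban: at least maxretry matching lines (all lines assumed inside one findtime)."""
    counts = {}
    for line in lines:
        host = match_host(failregex, line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)

def normal_visits_allowed(maxretry=90, redirects_per_visit=2):
    """Visits one legitimate client may make per findtime, given two 302s per visit."""
    return maxretry // redirects_per_visit

# The article's own sample line
ATTACK_LINE = ("159.138.198.106 302 GET /auth?url=/ HTTP/1.1 235 [17/Oct/2015:21:06:22 +0800] "
               "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) "
               "Version/8.0.4 Safari/600.4.10 - - - - - -")

# Constructed log lines in the same format (documentation addresses, invented user agent)
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/41.0 - - - - - -"
SAMPLE_LOG = (
    ["203.0.113.9 302 GET /auth?url=/ HTTP/1.1 235 [17/Oct/2015:21:06:%02d +0800] %s" % (s % 60, UA)
     for s in range(90)]                                                    # flood source, 90 hits
    + ["203.0.113.7 302 GET / HTTP/1.1 235 [17/Oct/2015:21:06:30 +0800] " + UA,      # real visitor
       "203.0.113.7 302 GET /auth?url=/ HTTP/1.1 235 [17/Oct/2015:21:06:30 +0800] " + UA,
       "203.0.113.7 200 GET / HTTP/1.1 5120 [17/Oct/2015:21:06:31 +0800] " + UA,
       # 302 is the byte count here, not the status: must not match
       "203.0.113.8 200 GET /img/logo.png HTTP/1.1 302 [17/Oct/2015:21:06:32 +0800] " + UA]
)

if __name__ == "__main__":
    print("article line ->", match_host(PAGE_FAILREGEX, ATTACK_LINE))     # 159.138.198.106
    print("banned:", hosts_to_ban(PAGE_FAILREGEX, SAMPLE_LOG))            # ['203.0.113.9']
    print("normal visits per findtime:", normal_visits_allowed())          # 45
```

The article's regex works on this log format because the status is the second field, right after the address; with a log format where the byte count or a URL could sit in that position, the anchored variant is the safer choice.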
If you ban with iptables, note that fail2ban-0.9.3 adds the -w option when running iptables commands to avoid rule conflicts. That option only exists in iptables 1.4.20 and later, while CentOS 6 ships iptables 1.4.7, so adding the iptables rules fails. The fix is to remove <lockingopt> from iptables-common.conf:
sed -i 's/iptables = iptables <lockingopt>/iptables = iptables/' /etc/fail2ban/action.d/iptables-common.conf
service fail2ban start
The settings above achieve the following:
- higher system throughput
- CC traffic is answered with a 302 directly by the high-performance nginx and is never proxy_passed to the backend server or application
- a cap on the number and rate of TCP connections a single IP can open
- a real-time blacklist of malicious attacking IPs
The results in practice are very good. Against a professional DDoS operator, even the best system has a weak point, and once an attack reaches a certain scale it is basically impossible to stop; but you can use limited resources to keep the attacker at bay and raise the cost of the attack. Of course, if you can afford to burn money, you can ignore this article.