Apache's anti-attack

zhaozj2021-02-16  88

See if this is helpful to you

A. IBM AIX 4.3.X

B. Sun Solaris 7

C. Compaq Tru64 UNIX 5.x

D. HP HP-UX 11.0 (Research ONGOING)

E. Linux Kernel 2.2 (Tested Both SUSE Linux 7.0 and Redhat 7.0)

F. FreeBSD

G. Irix 6.5.10

Some of the adjustment parameters and syntax described below will not be automatically activated after restarting, so if you need to keep these parameters for a long time, you need to add these real-time commands to the following startup files:

AIX - /etc/rc.net

Solaris - /etc/init.d/inetinit

Tru64 UNIX - Use sysconfigdb or dxkernetuner command

HP-UX - /etc/rc.config.d/nddconf

Linux kernel 2.2 - /etc/sysctl.conf

Freebsd - /etc/rc.conf

Irix - Use the system command

============================================================================================================================================================================================================= ===========

Here are some IP stack adjustment suggestions:

1. Adjust TCP Send and Acceptable Space (TCP Send and Receive Spaces)

TCP sent and accepted space directly affects TCP Window Size Parameter, a certain extent of window size adds to more efficient transmission, especially some of services that require large amounts of transport such as FTP and HTTP, default Some settings are not per system is optimized, usually we need to add this window size of 32768 bytes. Unless you set it clearly, it is clear about RFC1323 (http://www.ietf.org/rfc/rfc1323.txt?num/rfc/rfc1323) and RFC2018 (http://www.ieetf.org/rfc/rfc2018.txt? Number = 2018), otherwise you don't add this value to above 64k bytes.

A. AIX

/ usr / sbin / no -o tcp_sendspace = 32768

/ usr / sbin / no -o tcp_recvspace = 32768

B. Solaris

/ usr / sbin / ndd -set / dev / tcp tcp_xmit_hiwat 32768

/ usr / sbin / ndd -set / dev / tcp TCP_RECV_HIWAT 32768

C. Tru64 UNIX

No recommended adjustments.

D. HP-UX

By default, TCP sends and accept spaces have been set to 32768.

E. Linux kernel 2.2

Linux automatically assigns TCP sends and accept spaces and supports RFC1323 (Large Window Support, Net.ipv4.tcp_window_scaling) and RFC2018 (Sack Support, Net.IPv4.tcp_sack) by default.

F. FreeBSD

Sysctl -w net.inet.tcp.sendspace = 32768

Sysctl -w net.inet.tcp.recvspace = 32768

G. Irix

By default, TCP sends and accept spaces are set to 64K bytes. 2, adjust the interface sequence to prevent SYN attacks

Various web applications must generally open one or several ports for external use, so it will definitely be launched to reject the service attack to these ports by malicious attackers. One of the very popular attacks is Synflood, when the attack occurs The source IP address of the client is forged. The current IP routing mechanism only checks the destination IP address and forwards. After the IP package arrives at the host, the return path cannot be reached through the route, so the destination host cannot pass the TCP three handshake establish connection. During this period, since the TCP socket cache queue is quickly filled, the new connection request is rejected. In order to prevent these attacks, some UNIX variants use a socket connection request queue that separate inbounds, a queue is a queue for half open sleeve interface (SYN reception, SYN | ACK), and another queue is waiting for a full-opening excuse to wait an Accept () call. Increase these two queues can easily mitigate these SYN FLOOD attacks and minimize the effects of the server:

A. AIX

/ usr / sbin / no -o clean_partial_conns = 1

This setting indicates that the kernel randomly removes the half open set interface from the Q0 queue to add the required space for the new socket.

B. Solaris

/ usr / sbin / ndd -set / dev / tcp TCP_CONN_REQ_MAX_Q 1024

Make the Q queue has an interface waiting for an Accept () call from the application.

/ usr / sbin / ndd -set / dev / tcp TCP_CONN_REQ_MAX_Q0 2048

Make the Q0 team to maintain a semi-open sleeve interface.

C. Tru64 UNIX

/ sbin / sysconfig -r socket sominconn = 65535

The value of this SominConn determines how many of the same entry SYN packets can be handled simultaneously.

/ sbin / sysconfig -r socket somaxconn = 65535

This SomaxConn value sets the system that can keep how many standby TCP connections.

D. HP-UX

/ usr / sbin / ndd -set TCP_SYN_RCVD_MAX 1024

/ usr / sbin / ndd -set TCP_CONN_REQUEST_MAX 200

E. Linux kernel 2.2

/ sbin / sysctl -w net.ipv4.tcp_max_syn_backlog = 1280

Effectively add Q0 socket queue size.

/ sbin / sysctl -w net.ipv4.tcp_syn_cookies = 1

Enable TCP SYN Cookies support to effectively reduce the SYN FLOOD attack, but this parameter causes some performance issues to some big windows (see RFC1323 and RFC2018.

F. FreeBSD

Sysctl -w kern.ipc.somaxconn = 1024

G. Irix

The listen () queue is hardly set to 32. However, the system actually uses the number of pending connections ((3 * backlog) / 2) 1, where the BACKLOG value is 49.

3, adjust the redirects parameter

Malicious users can use IP to modify the routing table in the remote host. In the well-designed network, the redirect settings of the end are unwanted, send and accept the redirected packets to be turned off.

A. AIX

/ usr / sbin / no-ipignoreredirects = 1

/ usr / sbin / no-ipsendredirects = 0

B. Solaris

/ usr / sbin / ndd -set / dev / ip ip_ignore_redirect 1

/ usr / sbin / ndd -set / dev / ip ip_send_redirects 0

C. Tru64 UNIX

No recommended adjustment settings.

D. HP-UX / USR / SBIN / NDD -SET / DEV / IP IP_SEND_REDIRECTS 0

E. Linux kernel 2.2

/ SBIN / SYSCTL -W NET.IPV4.CONF.ALL.SEND_REDIRECTS = 0

/ sbin / sysctl -w net.ipv4.conf.all.accept_redirects = 0

F. FreeBSD

Sysctl -w net.inet.icmp.drop_redirect = 1

Sysctl -w net.inet.icmp.log_redirect = 1

Sysctl -w net.inet.ip.redirect = 0

Sysctl -w net.inet6.ip6.redirect = 0

G. Irix

/ usr / sbin / systune icmp_dropredirects to 1

4, adjust the ARP cleaning settings

ARP entries that fill the IP routing buffer allows malicious users to generate resource depletion and performance reduction attacks. In Solaris, there are 2 parameters to manage intervals cleanup IP routing buffers, which can be adjusted by arp_cleanup_interval, AIX can be set via arp_cleanup_interval, ARP_KILLC.

A. AIX

/ usr / sbin / no -o arpt_killc = 20

B. Solaris

/ usr / sbin / ndd -set / dev / arp_cleanup_interval 60000

C. Tru64 UNIX

No reference adjustment settings.

D. HP-UX

The default is set to 5 minutes.

E. Linux kernel 2.2

No reference adjustment settings.

F. FreeBSD

Sysctl -w net.link.ether.inet.max_age = 1200

G. Irix

No reference adjustment settings.

5, adjust the setting of the source routing

By source routing, an attacker can attempt to reach the internal IP address - including the address in RFC1918, so that the source routing packet can prevent your internal network from being detected.

A. AIX

/ usr / sbin / no-ipsrcrouteend = 0

Close the source routing packet.

/ usr / sbin / no-ipsrcrouteforward = 0

If your system wants to do routing, such as a firewall, this parameter is important, close this feature, you can prevent forwarding source routing packets.

B. Solaris

/ usr / sbin / ndd -set / dev / ip ip_src_route_forward 0

If your system wants to do routing, such as a firewall, this parameter is important, close this feature, you can prevent forwarding source routing packets.

C. Tru64 UNIX

No recommended adjustments.

D. HP-UX

NDD -SET / DEV / IP IP_FORWARD_SRC_ROUTED 0

Closing this feature can be well prevented from forwarding the source routing packet.

E. Linux kernel 2.2

/ sbin / sysctl -w net.ipv4.conf.all.accept_source_route = 0

Discard all source address packets.

/ sbin / sysctl -w net.ipv4.conf.all.Forwarding = 0

/ sbin / sysctl -w net.ipv4.conf.all.mc_forwarding = 0

Do not transfer the originate routing frame.

F. FreeBSD

sysctl -w net.inet.ip.sourceRoute = 0

Sysctl -w net.inet.ip.accept_sourceRoute = 0

G. Irix

/ usr / sbin / systune ipforward to 2

6. Adjust Time_Wait Setting Settings

On some busy web servers, many sockets may be in the Time_Wait state, which is caused by some unregularly encoded client applications that are not caused by the correct handling interface, which may cause an attack of DDOS. A. AIX

No recommended settings.

B. Solaris

/ usr / sbin / ndd -set / dev / tcp_time_wait_interval 60000

This parameter affects the number of times of TCP socket to keep the TIME_WAIT state. By default, it is too high for a busy web server, so you need to set it below every 60 seconds, this parameter name applies to Solaris7 or a higher version, Solaris 7 previous version, its name is incorrect, identified as TCP_Close_Wait_Interval.

C. Tru64 UNIX

No recommended adjustment settings.

D. HP-UX

NDD -SET / DEV / TCP TCP_TIME_WAIT_INTERVAL 60000

The socket will keep the TIME_WAIT state no more than 60 seconds.

E. Linux kernel 2.2

/ sbin / sysctl -w net.ipv4.vs.timeout_timeWait = 60

The socket will keep the TIME_WAIT state no more than 60 seconds.

F. FreeBSD

No recommended adjustment settings.

G. Irix

/ usr / sbin / systune TCP_2MSL TO 60

7. Adjust the broadcast ECHO response

The Smurf attack is a forged address to be sent by sending ICMP 8 0 information to a broadcast address, and some IP stacks will respond to this information by default, so this feature must be closed. If this host is used as a firewall, it cannot handle the processing broadcast.

A. AIX

/ usr / sbin / no -o directed_broadcast = 0

Do not respond directly.

B. Solaris

/ usr / sbin / ndd -set / dev / ip ip_respond_to_echo_broadcast 0

Do not respond directly.

/ usr / sbin / ndd -set / dev / ip ip_forward_directed_broadcasts 0

Do not forward direct broadcast.

C. Tru64 UNIX

No recommended adjustment settings.

D. HP-UX

NDD -SET / DEV / IP IP_RESPOND_TO_ECHO_BROADCAST 0

Do not respond directly.

NDD -SET / DEV / IP IP_FORWARD_DIRECTED_BROADCASTS 0

Do not forward direct broadcast.

E. Linux kernel 2.2

/ sbin / sysctl -w net.ipv4.icmp_echo_ignore_broadcasts = 1

Do not respond directly.

F. FreeBSD

Sysctl -w net.inet.icmp.bmcastecho = 0

G. Irix

/ usr / sbin / systune allow_brdaddr_srcaddr to 0

8. Adjustment to other broadcast probes

Others have 2 broadcast probes that allow malicious users, one is that address mask queries can be used to detect network segments and ranges. Timestamp broadcasts can map and identify host types.

A. AIX

/ usr / sbin / no-icmpaddressmask = 0

Prevent address masks.

B. Solaris

/ usr / sbin / ndd -set / dev / ip ip_respond_to_address_mask_broadcast 0

Prevent address masks.

/ usr / sbin / ndd -set / dev / ip ip_respond_to_timestamp_broadcast 0

Close the response to the timestamp broadcast query.

C. Tru64 UNIX

No recommended adjustments.

D. HP-UX

NDD -SET / DEV / IP IP_RESPOND_TO_ADDRESS_MASK_BROADCAST 0 prevents the network mask that leaks the host configuration.

NDD -SET / DEV / IP IP_RESPOND_TO_TIMESTAMP_BROADCAST 0

Close the response to the timestamp broadcast query.

E. Linux kernel 2.2

No recommended adjustments.

F. FreeBSD

Sysctl -w net.inet.icmp.maskrepl = 0

G. Irix

Use ipfilterd to block unwanted ICMP types.

9, adjust the parameters to support RFC1948

The following adjustments will take RFC1948 (http://www.ietf.org/rfc/rfc1948.txt?number=1948)

TCP / IP serial number generating technology to ensure that the sequence number to a TCP socket is very difficult to guess:

B. Solaris

Set TCP_STRONG_ISS = 2 in / etc / default / inetinit.

This needs to be restarted to enable.

G. Irix

/ usr / sbin / systune tcpiss_md5 to 1

转载请注明原文地址:https://www.9cbs.com/read-12080.html

New Post(0)