Heartbreaking: the server got attacked and went straight down, unable to serve anyone for a full half hour!!!
Writing this down and putting some simple, basic protection in place!!!
One thing to avoid at all costs: a single machine hosting many domains and many IPs!!!
iptables: firewall protection.
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# -I inserts at the top of INPUT, so these per-source connection caps are checked first
-I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j REJECT
-I INPUT -p tcp --dport 443 -m connlimit --connlimit-above 20 -j REJECT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 6379 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 9090 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
nginx protection:
http block configuration
limit_rate_after 1m; # once a download passes 1M, cap its speed at 100K
limit_rate 100k;
Rate-limiting policy (the zone directives go in the http block; limit_conn/limit_req can sit in http, server or location):
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;
limit_conn conn_limit_per_ip 20;
limit_req zone=req_limit_per_ip burst=20;
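As an added illustration (not code from the original post), here is a small Python model of what `rate=50r/s` together with `burst=20` (and no `nodelay`) does to a burst from one address: it re-implements nginx's documented leaky-bucket accounting rather than calling nginx, and the client IP and timestamps are constructed.

```python
"""Model of nginx limit_req with the page's settings: rate=50r/s, burst=20.
Added example, not nginx's code; it follows nginx's documented accounting
(excess tracked in thousandths of a request, drained at `rate` per second)."""
from collections import Counter


class LimitReq:
    """One leaky bucket per key (the page keys on $binary_remote_addr)."""

    def __init__(self, rate: int, burst: int, nodelay: bool = False):
        self.rate = rate            # nginx rate=<N>r/s
        self.burst = burst          # nginx burst=<N>
        self.nodelay = nodelay      # nginx 'nodelay' flag (absent on this page)
        self.state = {}             # key -> (excess_milli, last_ms)

    def check(self, key: str, now_ms: int):
        """Return ("ok", 0), ("delay", delay_ms) or ("reject", 0)."""
        if key not in self.state:           # first request for this key
            self.state[key] = (0, now_ms)
            return ("ok", 0)
        excess, last = self.state[key]
        elapsed = max(now_ms - last, 0)
        # drain what leaked since the last request (rate milli-req per ms),
        # then add this request (1000 milli-req)
        excess = max(excess - self.rate * elapsed + 1000, 0)
        if excess > self.burst * 1000:      # bucket full: nginx answers 503
            return ("reject", 0)            # and leaves the bucket untouched
        self.state[key] = (excess, now_ms)
        if excess and not self.nodelay:     # queued until enough has leaked
            return ("delay", excess // self.rate)
        return ("ok", 0)


def burst_from_one_ip(n: int, rate: int = 50, burst: int = 20) -> dict:
    """Constructed flood: n requests from one IP in the same millisecond."""
    lim = LimitReq(rate, burst)
    return dict(Counter(lim.check("203.0.113.7", 0)[0] for _ in range(n)))


if __name__ == "__main__":
    print(burst_from_one_ip(30))  # {'ok': 1, 'delay': 20, 'reject': 9}
```

With these settings a single address gets one request served at once, the next 20 are queued and trickled out at 50 per second, and everything beyond that is answered 503 until the bucket has leaked.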
server block configuration:
Block access from various proxies and load-testing tools (note these patterns are unanchored substring matches: `ab` also hits any user agent containing those two letters, such as "Tablet", so check your own traffic before enabling them):
if ($http_user_agent ~* ApacheBench|WebBench|java) {
return 403;
}
if ($http_user_agent ~* (Wget|ab)) {
return 403;
}
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
return 403;
}
Original link: https://blog.csdn.net/now19930616/article/details/88542559?ops_request_misc=&request_id=8976f0febf4a408baab16b68cd8a1251&biz_id=&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~koosearch~default-14-88542559-null-null.268%5Ev1%5Econtrol&utm_term=cc%E9%98%B2%E6%8A%A4
Original article, author: 优速盾-小U. If reposting, please credit the source: https://www.cdnb.net/bbs/archives/20694