前幾天服務器被budgetvm給suspected了,原因是超負荷運行,後來他們在了解到我並沒有惡意使用服務器而是偶然的情況之後,給我推薦了csf來避免「尖峰」的出現。根據官方文檔安裝好之後,找了一些帖子做了設置,將其整合為本文內容。
csf防火牆功能:
1 防止暴力破解密碼,自動屏蔽連續登陸失敗的IP
2 管理網絡端口,只開放必要的端口
3 免疫小流量的 DDos 和 CC 攻擊。
csf防火牆提供了基於web GUI的管理方式,並且提供 cPanel 插件,而且還可以基於CLI來管理,不過很多面板都需要支付較高的費用才可使用,還是ssh連接方便一些。
csf的安裝:
一、安裝依賴包:
yum install perl-libwww-perl perl iptables
二、下載並安裝 CSF:
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
三、測試 CSF 是否能正常工作:
[root@localhost csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK
RESULT: csf should function on this server
csf的配置:
CSF的配置文件是 /etc/csf/csf.conf
# Allow incoming TCP ports
# 推薦您更改 SSH 的默認端口(22)為其他端口,但請注意一定要把新的端口加到下一行中
TCP_IN = 「20,21,47,81,1723,25,53,80,110,143,443,465,587,993,995〃
# Allow outgoing TCP ports同上,把 SSH 的登錄端口加到下一行。
# 在某些程序要求打開一定範圍的端口的情況下,例如Pureftpd的passive mode,可使用類似 30000:35000 的方式打開30000-35000範圍的端口。
TCP_OUT = 「20,21,47,81,1723,25,53,80,110,113,443〃
# Allow incoming UDP ports
UDP_IN = 「20,21,53〃
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = 「20,21,53,113,123〃
# Allow incoming PING 是否允許別人ping你的服務器,默認為1,允許。0為不允許。
ICMP_IN = 「1〃
以上這些配置大家一看就懂了,下面再介紹幾個比較常用的:
免疫某些類型的小規模 DDos 攻擊:
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It』s entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be arround 200.
#
# To disable this feature, set this to 0
CT_LIMIT = 「200″##固定時間內同一個IP請求的此數
# Connection Tracking interval. Set this to the the number of seconds between
# connection tracking scans
CT_INTERVAL = 「30″ ##指上面的固定時間,單位為秒
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = 「1″ ##是否發送郵件
# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
# 是否對可疑IP採取永久屏蔽,默認為0,即臨時性屏蔽。
CT_PERMANENT = 「0″
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
# 臨時性屏蔽時間
CT_BLOCK_TIME = 「1800″
# If you don』t want to count the TIME_WAIT state against the connection count
# then set the following to 「1〃
CT_SKIP_TIME_WAIT = 「0″ ##是否統計TIME_WAIT鏈接狀態
# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. 「SYN_RECV,TIME_WAIT」
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = 「」 ##是否分國家來統計,填寫的是國家名
# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. 「80,443〃
#
# Leave this option empty to count all ports against CT_LIMIT
# 對什麼端口進行檢測,為空則檢測所有,防止ssh的話可以為空,統計所有的。
CT_PORTS = 「」
做了以上設置之後,可以先測試一下。如果沒有問題的話,就更改為正式模式,剛才只是測試模式。
# 把默認的1修改為0。
TESTING = 「0″
在/etc/csf/下面還有2個文件
csf.allow和csf.deny
這裏面保存的就是允許的IP和禁止的IP,可以手動編輯這兩個文件,比如想禁止某人來訪問本站,就把他的IP加入到csf.deny列表裏面去,或者是為了防止誤封。可以把自己的IP加入到csf.allow列表裏面去。加入之後記得重啟一下csf防火牆。
/etc/init.d/csf restart或者csf -r 都可以重啟。
參考:
http://configserver.com/cp/csf.html
http://www.linuxyan.com/linux-service/76.html
http://www.xp74.com/article/news/5088.htm
http://www.linuxidc.com/search.aspx?where=nkey&keyword=13050
