|
楼主 |
发表于 2010-12-19 20:48:18
|
显示全部楼层
CENT OS 系统参数优化
安装完毕后启动iptable,只开放需要的端口(setup命令端口开启)
防止同步包洪水(Sync Flood)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
防止各种端口扫描
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping 洪水攻击(Ping of Death)
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 1 > /proc/sys/net/ipv4/tcp_synack_retries
echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Deflate防DDOS,我把下的源文件放在 /usr/src 中 ,iptables规则会自己增加
如何确认是否受到DDOS攻击?
执行:netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
执行后,将会显示服务器上所有的每个IP多少个连接数。
1、安装DDoS deflate
wget http://www.inetbase.com/scripts/ddos/install.sh //下载DDoS deflate
chmod 0700 install.sh //添加权限
./install.sh //执行
2、配置DDoS deflate
下面是DDoS deflate的默认配置位于/usr/local/ddos/ddos.conf ,内容如下:
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list" //IP地址白名单
CRON="/etc/cron.d/ddos.cron" //定时执行程序
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1 //检查时间间隔,默认1分钟
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150 //最大连接数,超过这个数IP就会被屏蔽,一般默认即可
##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1 //使用APF还是iptables。推荐使用iptables,将APF_BAN的值改为0即可。
##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1 //是否屏蔽IP,默认即可
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root" //当IP被屏蔽时给指定邮箱发送邮件,推荐使用,换成自己的邮箱即可
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600 //禁用IP时间,默认600秒,可根据情况调整
用户可根据给默认配置文件加上的注释提示内容,修改配置文件。
优化Linux内核参数
vi /etc/sysctl.conf
• 修改下面项目数值
net.ipv4.tcp_syncookies=1 #启用使用syncookies
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects=0 #不接受重定向的ICMP數據包
net.ipv4.tcp_window_scaling=1
net.ipv4.icmp_echo_ignore_all=1 #禁止ICMP,可选项目,默认为0
net.ipv4.icmp_echo_ignore_broadcasts=1 #ICMP禁止广播 可选项目
• 在末尾增加以下内容:
# Add
net.ipv4.tcp_max_syn_backlog = 6000 #最大半连接数
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1 #降低syn重试次数
net.ipv4.tcp_syn_retries = 1 #降低syn重试次数
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 60
net.ipv4.ip_local_port_range = 1024 65535
修改php-fpm.conf最大连接
1. /usr/local/php/etc/php-fpm.conf , 修改php-fpm.conf最大连接为160:
<value name="max_children">160</value> 说明每个PHP进程使用20M, 因为我内存为4G,
2. <value name="display_errors">0</value> 关闭错误输出(0为关闭)
修改php.ini文件
手工修改:
查找/usr/local/webserver/php/etc/php.ini中的extension_dir = "./"
修改为extension_dir = "/usr/local/webserver/php/lib/php/extensions/no-debug-non-zts-20060613/"
并在此行后增加以下几行,然后保存:
extension = "memcache.so"
extension = "pdo_mysql.so"
extension = "imagick.so"
再查找output_buffering = Off
修改为output_buffering = On
自动修改:若嫌手工修改麻烦,可执行以下shell命令,自动完成对php.ini文件的修改:
sed -i 's#extension_dir = "./"#extension_dir = "/usr/local/webserver/php/lib/php/extensions/no-debug-non-zts-20060613/"\nextension = "memcache.so"\nextension = "pdo_mysql.so"\nextension = "imagick.so"\n#' /usr/local/webserver/php/etc/php.ini
sed -i 's#output_buffering = Off#output_buffering = On#' /usr/local/webserver/php/etc/php.ini
sed -i "s#; always_populate_raw_post_data = On#always_populate_raw_post_data = On#g" /usr/local/webserver/php/etc/php.ini
重要提示,如果出现502错误,请参考下面变换 eaccelerator 和 Zend optimizer位置:
[eaccelerator]
zend_extension="/usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/eaccelerator.so"
eaccelerator.shm_size="128" 此项改为128
eaccelerator.cache_dir="/usr/local/eaccelerator_cache"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="3600"
eaccelerator.shm_prune_period="3600"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
eaccelerator.keys = "disk_only"
eaccelerator.sessions = "disk_only"
eaccelerator.content = "disk_only"
[Zend Optimizer]
zend_optimizer.optimization_level=1
zend_extension="/usr/local/zend/ZendOptimizer.so"
禁用部分危险的函数:
方法如下:
打开/usr/local/php/lib/php.ini和
/usr/local/php-fcgi/lib/php.ini
更改
disable_functions =
为
disable_functions = system,passthru,shell_exec,exec, proc_open,popen
重启LNMP
系统利用ntpdate同步标准时间.
没有安装ntpdate的可以yum一下:
yum install -y ntp
加入定时计划任务,每隔10分钟同步一下时钟
crontab -e
19 * * * * /usr/sbin/ntpdate ntp.api.bz
最后运行 clock –w 把时间写入到cmos
系统自动更新update的配置 - 待完善 |
|