Well, DDoS (Distributed Denial of Service) attacks are distributed hits to your server, coming from multiple sources at the same time.
Unlike an attack from a single location, where the source IP address can be blocked at the firewall level, denial of service attacks are very difficult to stop.
When the attack comes in, you'll be able to switch the IP address until the storm calms down.
1. Disable Ping-flood attacks
Add this to your /etc/sysctl.conf:
Code:
nano /etc/sysctl.conf
# BSD-style sysctl names; 0 = do not answer echo requests sent to broadcast/multicast addresses
net.inet.icmp.bmcastecho=0
# cap rate-limited ICMP responses at 1 packet per second
net.inet.icmp.icmplim=1
And run this on the shell to apply the changes immediately:
Code:
sysctl net.inet.icmp.icmplim=1
sysctl net.inet.icmp.bmcastecho=0
2. Use obscure ports for anything other than HTTP
Change your MySQL (/etc/my.cnf port=1234), FastCGI and all other daemons to run on unique port numbers.
3. Install all the latest security patches
4. Use private IP addresses for inter-server communications
If you have more than one machine on the same LAN, use the LAN private IP addresses to communicate between the machines.
This is particularly helpful when your data-center decides to null-route the public-facing IP address of your database server (why is it open in the first place?) and you want to allow the web server to continue communicating with the database uninterrupted.
Using private LAN IP addresses is more efficient and ensures no interruptions in case your public-facing IP address gets null-routed.
5. Use a Firewall
These two software firewalls are great for brute force detection and advanced policies that can detect anomalies common to DDoS attacks: APF and BFD. Both are from R-FX Networks.
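To check the advice above about keeping everything except HTTP off the public interface, the following added example (not part of the original post) audits a listener table for daemons bound to a wildcard or non-LAN address. It assumes Linux `ss -ltn` output; the sample listing, the `PUBLIC_PORTS` set and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (not taken from the original post).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       80      0.0.0.0:1234        0.0.0.0:*
LISTEN  0       128     10.0.0.5:9000       0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379      0.0.0.0:*
LISTEN  0       128     203.0.113.10:11211  0.0.0.0:*
LISTEN  0       128     [::]:443            [::]:*
LISTEN  0       128     [::]:22             [::]:*
"""

PUBLIC_PORTS = {80, 443}  # assumption: only HTTP/HTTPS should face the internet
# RFC 1918 ranges plus IPv6 unique-local addresses count as "private LAN".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def split_local(field):
    """Split an ss 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)  # drop brackets / zone id

def faces_internet(host):
    """Wildcard binds and addresses outside loopback/LAN ranges are exposed."""
    if host in ("*", "0.0.0.0", "::"):
        return True
    ip = ipaddress.ip_address(host)
    on_lan = any(ip.version == n.version and ip in n for n in LAN_NETS)
    return not (ip.is_loopback or on_lan)

def exposed_listeners(ss_output, public_ports=PUBLIC_PORTS):
    """Return (host, port) pairs that should be rebound to a LAN address."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, port = split_local(cols[3])
        if port not in public_ports and faces_internet(host):
            findings.append((host, port))
    return findings

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS):
        print(f"exposed: {host}:{port} -> bind to a private LAN address")
```

Feed it the live listing with `ss -ltn | python3 audit.py` after replacing `SAMPLE_SS` with `sys.stdin.read()`; anything it reports will go dark if the public address is null-routed.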