NGINX DDoS 방지 설정
in sysctl:
sysctl kern.maxfiles=90000
sysctl kern.maxfilesperproc=80000
sysctl net.inet.tcp.blackhole=2
sysctl net.inet.udp.blackhole=1
sysctl kern.polling.burst_max=1000
sysctl kern.polling.each_burst=50
sysctl kern.ipc.somaxconn=32768
sysctl net.inet.tcp.msl=3000
sysctl net.inet.tcp.maxtcptw=40960
sysctl net.inet.tcp.nolocaltimewait=1
sysctl net.inet.ip.portrange.first=1024
sysctl net.inet.ip.portrange.last=65535
sysctl net.inet.ip.portrange.randomized=0
in nginx configuration:
worker_processes 1;
worker_rlimit_nofile 80000;
events {
worker_connections 50000;
}
server_tokens off;
log_format IP `$remote_addr';
reset_timedout_connection on;
listen xx.xx.xx.xx:80 default rcvbuf=8192 sndbuf=16384 backlog=32000 accept_filter=httpready;
In the following way it is possible to realize filtration of url, in example for POST index.php?action=login which is with empty referral.
set $add 1;
location /index.php {
limit_except GET POST {
deny all;
}
set $ban "";
if ($http_referer = "" ) {set $ban $ban$add;}
if ($request_method = POST ) {set $ban $ban$add;}
if ($query_string = "action=login" ){set $ban $ban$add;}
if ($ban = 111 ) {
access_log /var/log/[133]nginx/ban IP;
return 404;
}
proxy_pass http://127.0.0.1:8000; #here is a patch
}
Further we cut it at pf level – loaded into IP table, hosts from which came too many hits. PF with tables works very quickly. Sources for parsing of logs (ddetect) you can find on http://www.comsys.com.ua/files Then Cron used once in a minute, to add into ip tables new IPs from a log. 25 Mbyte DDoS, which cuts IPs, the rests fall on nginx which by it is criterion pass IPs and the rests passed on the apache – LA 0, site works.
이 내용에 흥미가 있습니까?
현재 기사가 여러분의 문제를 해결하지 못하는 경우 AI 엔진은 머신러닝 분석(스마트 모델이 방금 만들어져 부정확한 경우가 있을 수 있음)을 통해 가장 유사한 기사를 추천합니다:
양식 제출 후 제출 버튼 비활성화텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
CC BY-SA 2.5, CC BY-SA 3.0 및 CC BY-SA 4.0에 따라 라이센스가 부여됩니다.