FREEBSD+PF 在6.2上的架设放DDOS 攻击的网站[zzz] zzz, FREEBSD, DDOS, 架设, 攻击

jacky

现网站和外挂经常带arp和ddos攻击,本来用ros做网吧路由器顶不住ddos，只能换FB6.2+pf,前几天用FB6.1+PF，人多时出watchdog timeout,老大说用FB6.2可能不会出了，那就装起测测看，下面是安装步骤，操作一个写一个，

cd /usr/src/sys/i386/conf
cp GERENIC PFOK
ee FFOK

修改并加入下面东东

1. ident PFOK
   
2. device pf
   
3. device pflog
   
4. device pfsync
   
5. options ALTQ
   
6. options ALTQ_CBQ
   
7. options ALTQ_RED
   
8. options ALTQ_RIO
   
9. options ALTQ_HFSC
   
10. options ALTQ_PRIQ
    
11. options ALTQ_NOPCC
    
12. options PANIC_REBOOT_WAIT_TIME=0
    
13. options DEVICE_POLLING
    
14. options HZ=2000
    
15. options IPSTEALTH
    
16. # options RANDOM_IP_ID
    
17. options TCP_DROP_SYNFIN

复制代码

config PFOK
cd /usr/src/sys/i386/compile/PFOK
make depend
make
make install
reboot

ee /etc/sysctl.conf

1. net.inet.ip.forwarding=1
   
2. net.inet.ip.fastforwarding=1
   
3. net.inet.tcp.drop_synfin=1
   
4. net.inet.tcp.sendspace=65536
   
5. net.inet.tcp.recvspace=65536
   
6. #net.inet.udp.sendspace=65535
   
7. net.inet.udp.maxdgram=65535
   
8. net.local.stream.sendspace=65535
   
9. net.inet.tcp.rfc1323=1
   
10. #net.inet.tcp.rfc1644=1
    
11. net.inet.tcp.rfc3042=1
    
12. net.inet.tcp.rfc3390=1
    
13. kern.ipc.maxsockbuf=2097152
    
14. kern.maxfiles=65536
    
15. kern.maxfilesperproc=32768
    
16. kern.polling.enable=1
    
17. kern.polling.burst_max=500
    
18. kern.ipc.somaxconn=2048
    
19. kern.ipc.nmbclusters=32768
    
20. net.inet.tcp.delayed_ack=0
    
21. net.inet.icmp.icmplim=100
    
22. net.inet.icmp.icmplim_output=0
    
23. net.inet.tcp.drop_synfin=1

复制代码

ee /boot/loader.conf

1. autobootdelay="2"

复制代码

ee /etc/rc.conf

1. sendmail_enable="NONE"
   
2. sendmail_submit_enable="NO"
   
3. sendmail_outbound_enable="NO"
   
4. sendmail_msp_queue_enable="NO"
   
5. clear_tmp_enable="YES"
   
6. update_motd="NO"
   
7. tcp_drop_synfin="YES"
   
8. #icmp_drop_redirect="YES"
   
9. #icmp_log_redirect="YES"
   
10. #log_in_vain="YES"
    
11. #accounting_enable="YES"
    
12. pf_enable="YES"
    
13. pf_rules="/etc/pf.conf"
    
14. pf_flags=""
    
15. #pflog_enable="YES"
    
16. #pflog_logfile="/var/log/pflog"

复制代码

这里我就加了句pf_enable="YES"

uname -a
FreeBSD pf.com 6.2-RC1 FreeBSD 6.2-RC1 #0: Thu Nov 23 04:20:46 CST 2006 sshpf@pf.com:/usr/src/sys/i386/compile/PFOK i386


我的pf.conf

#pfctl -e -F all -f /etc/pf.conf

#只重新load过滤规则
#pfctl -F rules -Rf /etc/pf.conf

#pfctl -f /etc/pf.conf # 重新加载pf.conf 设定档
#pfctl -nf /etc/pf.conf # 确认语法有无符合，但不载入
#pfctl -Nf /etc/pf.conf # 只加载 NAT 的设定档
#pfctl -Rf /etc/pf.conf # 只加载防火墙的过滤设定档

#pfctl -sn # 显示现阶段 NAT 的规则
#pfctl -sr # 显示现阶段过滤的规则
#pfctl -ss # 显示现阶段封包运作状态
#pfctl -si # 显示现阶段过滤封包的统计资料
#pfctl -sa # 显示现阶段所有统计的数据

1. ext_if="rl0"
   
2. #edu_if=""
   
3. int_if="fxp0"
   
4. 
   
5. ext_addr="192.168.1.51"
   
6. 
   
7. int_net="172.16.0.0/16"
   
8. ext_net = "192.168.0.0/16"
   
9. loop = "{lo0, 127.0.0.1}"
   
10. OpenPorts = "{21, 22, 80, 88, 4899}"
    
11. InsideManagerIPs = "{172.16.0.100}"
    
12. InsiteManagerOpenPorts = "{21, 22, 23, 24, 25, 80, 4899}"
    
13. priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12}" # 定�x符合 RFC 1918 私有IP 部份
    
14. tcp_services = "{ 22, 88, 4899, 123 }" # 定�x port 22, 113 服��
    
15. icmp_types = "echoreq" # 定�x tcmp 回�����B
    
16. 
    
17. 
    
18. ## down inactive connection quickly
    
19. set optimization aggressive
    
20. 
    
21. # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
    
22. scrub in all
    
23. 
    
24. nat on $ext_if from $int_net to any -> ($ext_if)
    
25. #nat on $ext_if from $int_net to $ext_net -> ($ext_if)
    
26. 
    
27. #web server map
    
28. #rdr pass on $ext_if proto tcp from any to $ext_if port {www,3389,4899,7745} -> $web_server
    
29. 
    
30. 
    
31. #----------------------------以下防DOS攻击--------------------------------
    
32. #每个IP最大可以有120个非并发的连接（为局域网用户访问本站考虑）
    
33. #每个IP最大连接建立的速率小于每秒8个
    
34. #单个IP的最大持续连接数 30
    
35. #违反以上规则，把这个ip添加到<abusive_hosts>表中
    
36. table <abusive_hosts> persist #维持一个持续的表
    
37. block in quick from <abusive_hosts> #阻止表中的ip
    
38. pass in on $int_if inet proto tcp from any to $int_if flags S/SA keep state \
    
39. (source-track rule,max-src-conn 100, max-src-conn-rate 15/3,max-src-states 30,overload <abusive_hosts> flush, src.track 1)
    
40. 
    
41. LSassVirusPort = "{445, 135, 139, 593, 512, 5554, 9996, 9995}"
    
42. block quick on $int_if inet proto tcp from any to any port $LSassVirusPort
    
43. 
    
44. BitTorrentPort= "{ 512, 2049, 4662, 6880, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889, \
    
45. 6890, 8880, 8881, 8882, 8883, 8884, 8885, 8886, 8887, 8888, 8889, 8890, 6969, 10700, 21881}"
    
46. block quick on $int_if inet proto tcp from any to any port $BitTorrentPort
    
47. block quick on $int_if inet proto tcp from any port $BitTorrentPort to any
    
48. block quick on $ext_if inet proto tcp from any to any port $BitTorrentPort
    
49. block quick on $ext_if inet proto tcp from any port $BitTorrentPort to any
    
50. 
    
51. #gameClientPorts = "{4002, 2000, 3838, 4410, 4210, 4230, 5005, 4290, 10010 }"
    
52. #GameDenyClients ="{192.168.128.0/24, 192.168.132.0/24}"
    
53. #GameServerIps = "{204.251.15.167, 61.152.93.145}"
    
54. #block quick on $int_if inet proto tcp from $GameDenyClients to any port $gameClientPorts
    
55. #block quick on $ext_if from $GameServerIps to $GameDenyClients
    
56. #block quick on $int_if from $GameDenyClients to $GameServerIps
    
57. 
    
58. denyserverips = "{202.108.193.21}"
    
59. block quick on $int_if from any to $denyserverips
    
60. 
    
61. #LSassVirusIp ="{192.168.1.194}"
    
62. #block quick on $int_if from $LSassVirusIp to any

复制代码