月度归档： 2019年10月

我們想要封殺的主動探測行為：

0000-00-00 00:00:00 WARNING common.py:238 unsupported addrtype 69, maybe wrong password or encryption method
0000-00-00 00:00:00 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data ... from ::ffff:119.96.105.1:50522 via port 443 by UID 443
0000-00-00 00:00:00 ERROR tcprelay.py:1097 can not parse header when handling connection from ::ffff:119.96.105.1:50522


安裝 Fail2ban：

yum -y install epel-release
yum -y install fail2ban

添加 Filter：（e.g. /etc/fail2ban/filter.d/ssr.conf）

[INCLUDES]
before = common.conf

[Definition]

failregex = ^.+ERROR.+can not parse header when handling connection from +<HOST>

ignoreregex =

添加 Jail：（e.g. /etc/fail2ban/jail.d/01-ssr.conf）

[ssr]
enabled = true
port = 0:65535
logpath = (Log to watch)
maxretry = 1
bantime = 86400
findtime = 300

（可選）禁用 FirewallD，使用 iptables 進行封禁：（個人覺得 f2b 跟 iptables 更合得來）

mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.disabled

啟動 Fail2ban：

systemctl enable fail2ban
systemctl start fail2ban

查看 Jail 規則狀態：

fail2ban-client status ssr

這幾天接連數台伺服器端口被牆，同時遭到來自海外雲服務商主機的 TCP SYN Flood 攻擊，於是寫個 SYN Flood 簡單防護指南。

> /etc/sysctl.conf

# TCP SYN Flood Protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3


參考連結: https://www.ndchost.com/wiki/server-administration/hardening-tcpip-syn-flood