Build your high-defense server on CentOS 7 like this and it will be stable as an old dog, unafraid of attacks!

27 Mar, 2026 zhangwuji

Hey, some time ago my friend's business server went down again, and he called me in the middle of the night to put out the fire. I logged on to take a look and, good grief, TCP connections had soared into the tens of thousands, SSH was almost jammed, and the business had been down for a long time. His machine was sold as "high defense", but in reality he had just clicked a few buttons in the provider's firewall console and installed a BT (Baota) panel. These days, do people really think that buying a machine "with defense" means they can rest easy? Too naive.

The "high defense" of a high-defense server mostly means the provider absorbs the traffic at the network entrance for you. If your own system is as leaky as a sieve and the internal applications break the moment they are hit, then that money is spent in vain.

I've handled maintenance and hardening for hundreds, if not a thousand, servers over the years.

I found one quite common problem: many administrators, especially those from a business background, rely heavily on panels and visual tools and think that clicking "one-click protection" takes care of everything. When they actually run into a CC attack or slow attack with some technical content, they are exposed immediately.

Attackers are no longer just SYN Flood script kiddies; they are focusing on the weaknesses of your default configuration at the system and application levels. A CentOS 7 box with no hardening at all is almost the same as running naked on the public Internet, with the life and death of your business left to the attacker's "mood".

So, the core of the build approach we're talking about today is one sentence: extend the "defense" attribute of a high-defense server from the boundary of the data center down into the bone marrow of your system. Make the server itself a hard nut to crack, and together with the data center's high-defense scrubbing you get defense in depth.

The following combination is my summary from real fights. Follow it and I don't dare say you'll be 100% invincible, but it can help you withstand 90% of common attacks and raise stability by a few orders of magnitude; calling it "stable as an old dog" is no exaggeration.

Step 1: System Installation and Minimization Principles

Don't use "boutique images" or "BT panel images" that bundle a pile of services. Start from the cleanest CentOS 7 Minimal ISO. During installation, select no additional packages except the "Development Tools" package group if your business needs it. The first thing to do afterwards is update the system, then shut down every service that isn't doing work. I used to run this command first to see which services start at boot:

Things like postfix, avahi-daemon and cups: unless you know exactly what a service does and your business needs it, give it the systemctl disable && systemctl stop treatment. It's an iron law that the fewer services you run, the less attack surface you expose.

Step 2: Kernel parameter tuning, the cornerstone of absorbing traffic volume

The system's default kernel parameters are tuned for compatibility, not for high performance and attack resistance, so we have to adjust them by hand. Edit /etc/sysctl.conf directly and add the big block below. I tuned these parameters for high-concurrency online business, mainly to optimize TCP connection handling, defend against SYN Flood, and keep TIME_WAIT from piling up.

After saving, run sysctl -p to apply them. Don't underestimate these numbers: they directly determine whether your server queues and processes gracefully or simply collapses when faced with massive connection requests.
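The kernel block itself is not on this page, so here is an added example of the parameter set I would start from on a public-facing CentOS 7 box; it is my own selection and the numbers are assumptions to tune against your real traffic, not the author's original list. It writes a sysctl drop-in instead of appending to /etc/sysctl.conf on every run, which is my choice.

```shell
#!/bin/bash
# Added example: SYN Flood / TIME_WAIT oriented kernel tuning for CentOS 7 (kernel 3.10).
# Values are an assumed starting point; measure and adjust for your own load.
hardening_sysctl_conf() {
    cat <<'EOF'
# SYN Flood: answer with SYN cookies once the backlog fills instead of dropping clients
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 65536
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# Accept-queue sizes, so a burst of connections is queued rather than refused
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65536
# TIME_WAIT pressure: reuse sockets for outbound connects, cap the table, shorten FIN wait
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_tw_buckets = 200000
net.ipv4.tcp_fin_timeout = 15
net.ipv4.ip_local_port_range = 10240 65000
# Do NOT set tcp_tw_recycle: it breaks clients behind NAT (and is gone from newer kernels)
# Find dead peers sooner instead of holding their sockets for hours
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
# Anti-spoofing and ICMP hygiene
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
EOF
}

# Number of keys in the generated file, for a sanity check before applying
hardening_sysctl_count() {
    hardening_sysctl_conf | grep -c '^net\.'
}

# Write the drop-in and load it immediately; needs root.
apply_hardening_sysctl() {
    local f=/etc/sysctl.d/99-hardening.conf
    hardening_sysctl_conf > "$f" && sysctl -p "$f"
}
```

After applying, sysctl net.ipv4.tcp_syncookies (and the other keys) should echo the new values back; if one is rejected the sysctl -p output names it.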

Step 3: The firewall is not just an “on/off” switch, it's the first gate!

CentOS 7 ships with firewalld, which works well enough, but for people chasing extreme performance and an old-school sense of control, I prefer going straight to iptables. Don't be afraid, the rules don't need to be memorized; I'll give you a basic hardening script that works. Save it as /etc/iptables.sh and set it to run at boot.

The meaning of this rule set is clear: allow only the service ports I explicitly open, and deny everything else. This is the plainest and most effective security principle. After running the script, remember to yum install iptables-services and then systemctl enable iptables, so the rules are saved and loaded at boot.
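The script referred to above is not on this page; the following is an added example of how I would write that default-deny rule set, not the author's script. It emits the rules in iptables-restore format so they can be reviewed before loading; the open ports (22, 80, 443) and the rate-limit numbers are assumptions.

```shell
#!/bin/bash
# Added example: default-deny INPUT chain with explicitly opened TCP ports.
# ALLOW_TCP is an assumption; list every port your services actually need.
ALLOW_TCP="${ALLOW_TCP:-22 80 443}"

build_rules() {
    local p
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # everything not matched below is dropped
    echo ':FORWARD DROP [0:0]'      # this box is not a router
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # TCP flag combinations no legitimate stack sends; cheap to drop early
    echo '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    echo '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
    echo '-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
    # Rate-limit ping rather than block it, so reachability checks still work
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT'
    # Cap new-connection bursts per source IP so one client cannot open tens of thousands of sockets
    echo '-A INPUT -p tcp --syn -m hashlimit --hashlimit-name syn --hashlimit-mode srcip --hashlimit-above 50/sec --hashlimit-burst 100 -j DROP'
    for p in $ALLOW_TCP; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log a trickle of what falls through to the DROP policy, for the monitoring step
    echo '-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPT-DROP: " --log-level 4'
    echo 'COMMIT'
}

# Number of explicit port-accept rules in the generated set
count_open_ports() { build_rules | grep -c -- '--dport'; }

# iptables-restore swaps the whole table in one step, so a half-applied set
# never locks you out partway through. Needs root.
apply_rules() { build_rules | iptables-restore; }
```

Run apply_rules from a console session first, then service iptables save so the iptables-services unit reloads the same rules at boot.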

Step 4: Application Layer Protection, Here's the Main Battlefield

Once the system layer is hardened, attackers will concentrate their fire on your web or app. Take Nginx, the most commonly used, as an example: its default configuration is a "welcome to attack me" configuration.

1. Hide the version number: add server_tokens off; to the http section of nginx.conf. Don't let your opponent know what weapon you're carrying.

2. Limit request frequency: this is a great tool against CC attacks. Define the limit zone in the http section:

Then apply it in a specific server or location:

Meaning: each IP gets at most 20 requests per second, with a short burst of 30 allowed; anything beyond that gets a 503 returned directly. Tune this value to your business: dynamic pages can take a smaller value, static content a larger one.

3. Limit the number of concurrent connections: similarly, defining a connection zone and applying it can effectively stifle attacks where a single IP opens a large number of connections to drain your resources.

4. Optimize client timeouts: adjust the timeouts appropriately so that slow attacks and resource-holding attacks get released as soon as possible.
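The four Nginx items above, gathered into one drop-in as an added example (my configuration, not the author's snippets): the 20r/s rate, burst of 30 and 503 response are the post's numbers, while the zone names, shared-memory sizes, connection cap and timeout values are my assumptions.

```shell
#!/bin/bash
# Added example: Nginx application-layer hardening written out as two snippets,
# one for the http {} context and one to include inside server {} / location {}.
nginx_http_hardening() {
    cat <<'EOF'
# --- http {} context, e.g. /etc/nginx/conf.d/00-hardening.conf ---
server_tokens off;                      # no version in Server header or error pages

# per-client request rate: 10m of shared memory holds roughly 160k IPv4 states
limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=20r/s;
# per-client concurrent connections
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
limit_req_status  503;
limit_conn_status 503;

# slow-request and resource-holding attacks: give up on idle clients quickly
client_header_timeout 10s;
client_body_timeout   10s;
send_timeout          10s;
keepalive_timeout     15s;
client_max_body_size  8m;
reset_timedout_connection on;           # close the socket outright, don't linger
EOF
}

nginx_server_hardening() {
    cat <<'EOF'
# --- include inside server {} or location {} of the site ---
limit_req  zone=req_per_ip burst=30 nodelay;   # sustained >20r/s and >30 queued => 503
limit_conn conn_per_ip 20;                     # at most 20 open connections per IP
EOF
}

# Write both snippets, then validate before reloading: a typo here takes the site down.
install_nginx_hardening() {
    nginx_http_hardening   > /etc/nginx/conf.d/00-hardening.conf
    nginx_server_hardening > /etc/nginx/conf.d/limits.inc   # referenced via include in server {}
    nginx -t && systemctl reload nginx
}
```

Watch the error log after enabling: "limiting requests, excess" lines tell you which clients hit the limit, which is how you find out whether 20r/s is too tight for your real users.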

For more complex business-logic attacks (such as mass CAPTCHA requests, malicious crawlers), these basic rules may not be enough. This is when you need a more specialized WAF. You can use the open-source ModSecurity, but maintaining its rules takes effort. In my testing, for important production business, pairing it with a reliable cloud WAF service works better.

For example, you can point a domain's DNS at a provider such as CDN07. Besides the global acceleration they provide, their built-in intelligent WAF rule base is updated very promptly and can block a large number of application-layer attacks such as SQL injection, XSS and 0day exploitation, and configuration is simple, which saves a lot of time writing and maintaining your own rules. It's like hiring a professional doorman, while the locks on your own house (system hardening) still have to be solid; that's double insurance.

Step 5: Monitoring and Alerting, Putting Eyes on the System

However hard the machine is configured, it is blind without monitoring. Don't wait for users to call and tell you the site won't open before you notice. The easiest thing is to use the netstat command in a script that monitors TCP state:

Focus on the counts of TIME_WAIT, CLOSE_WAIT and SYN_RECV. If SYN_RECV is abnormally high, it may be a SYN Flood. If ESTABLISHED is abnormally high and comes from a small number of IPs, it is probably a CC attack.
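The monitoring script referred to above is not on this page, so here is an added example of the watchdog I would write for the two patterns just described (my code, not the author's). It reads netstat -ant output on stdin so it can be tested on a capture; the thresholds and the sample connection table are constructed assumptions.

```shell
#!/bin/bash
# Added example: TCP-state watchdog. Feed it `netstat -ant` (net-tools) on stdin.
# Thresholds are assumed starting values; set them from your normal baseline.
SYN_RECV_MAX="${SYN_RECV_MAX:-500}"
EST_PER_IP_MAX="${EST_PER_IP_MAX:-200}"

# Count sockets per TCP state: prints "STATE count" lines, largest first
tcp_state_counts() {
    awk '$1=="tcp" || $1=="tcp6" {c[$6]++} END {for (s in c) print s, c[s]}' | sort -k2 -nr
}

# Top remote IPs by ESTABLISHED connections (strip the :port from the foreign address)
top_established_ips() {
    awk '($1=="tcp"||$1=="tcp6") && $6=="ESTABLISHED" {sub(/:[0-9]+$/, "", $5); c[$5]++}
         END {for (ip in c) print c[ip], ip}' | sort -nr | head -n "${1:-5}"
}

# Evaluate both checks on one netstat snapshot. Exit status:
#   0 = normal, 1 = SYN_RECV over threshold (SYN Flood pattern),
#   2 = one IP holds too many ESTABLISHED sockets (CC pattern), 3 = both
tcp_watch() {
    local data syn est code=0
    data=$(cat)
    syn=$(printf '%s\n' "$data" | awk '$6=="SYN_RECV"{n++} END{print n+0}')
    est=$(printf '%s\n' "$data" | top_established_ips 1 | awk '{print $1+0}')
    [ "$syn" -gt "$SYN_RECV_MAX" ] && code=$((code|1))
    [ "${est:-0}" -gt "$EST_PER_IP_MAX" ] && code=$((code|2))
    return $code
}

# Constructed sample, not a real capture (documentation-range addresses)
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       ESTABLISHED
tcp        0      0 10.0.0.5:443            192.0.2.44:55000        TIME_WAIT'

# Live use from cron every minute, assuming your own alert command:
#   netstat -ant | tcp_watch || send_alert "tcp state anomaly, code $?"
```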

For something more professional, bring in Prometheus + Grafana to monitor system load, connections, traffic and application QPS. Set threshold alerts so that when an anomaly occurs you get an SMS, email or DingTalk message right away. That is the only way to spot problems proactively.

After all this, your high-defense CentOS 7 truly has the soul of "defense". It is no longer a passive target but a fortress with active defense and early-warning capabilities.

Remember, there is no one-size-fits-all for security, and this configuration is a strong baseline. You'll need to continually observe and fine-tune those parameters (e.g., connection limits, request rates) based on the real-world traffic patterns of your business, and periodically look at logs to analyze anomalies.

At the end of the day, the essence of defense is raising the attacker's cost and difficulty. Once you've done what needs doing at the system level, most automated attack tools and impatient attackers will back off and move on to easier targets, and your business will stay as stable as an old dog even in a stormy network environment. Don't be lazy; do it now and put this armor on your servers.