1) enable TCP SYN cookies
2) Put in iptables and work with a decent limit / burst (5 SYNs per sec is more than enough)
3) install snort (with the deep packet analysis patch) and make it log. Or better, make iptables log or just block all the non-serviced ports.
4) cat snort-log-here | sort | uniq > log-uniq.txt
5) less log-uniq.txt
6) add a limit / burst of 1 per sec for all these IPs
7) reduce the SYN timeout to 15 or 10 sec (the default is 3 minutes)
8) you are done.
If you do not want this thing to repeat every day:
1) install grsec
2) compile a monolithic kernel
3) tune the kernel via sysctl
4) limit / burst in iptables to some decent value (5 SYNs per sec are OK for an average site; this grants access to 4 new surfers every second).
5) tune the SYN expire time to 15 or 10 sec
6) close all non-serviced ports.
7) enable TCP SYN cookies
8) you are done.
Hope this helps you.
If you want something more... ICQ me 171216535, but do not bother to contact me if you are on BSD. I hate BSD.
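The sysctl and iptables parts of the procedure above (SYN cookies, global and per-offender limit/burst, closing non-serviced ports, shorter SYN timeout), as an added example script that is not the poster's own. It assumes a Linux host with iptables and the conntrack, multiport and limit modules; the serviced-port list, the rate values and the offending-IP file (one IP per line, e.g. the `log-uniq.txt` from the post) are assumed inputs, and tcp_synack_retries=3 is used to approximate the post's "SYN timeout of 15 sec" (SYN/ACK retransmits at 1, 2, 4 and 8 s, so a half-open entry lives about 15 s).

```shell
#!/bin/sh
# Added example, not the poster's script. Prints the settings by default;
# "apply" runs them (needs root). Values below are assumptions, override via env.
SYN_RATE="${SYN_RATE:-5/second}"          # global new-connection budget (post: 5 SYN/sec)
SYN_BURST="${SYN_BURST:-10}"
SERVICED_PORTS="${SERVICED_PORTS:-22,80,443}"  # everything else gets closed

syn_flood_sysctl() {
  # Kernel knobs: SYN cookies, shorter half-open lifetime, larger SYN backlog.
  # tcp_synack_retries=3 -> retransmits at 1,2,4,8 s, entry dropped after ~15 s
  # (assumption: this is the knob that approximates the post's "SYN timeout").
  printf '%s\n' \
    'net.ipv4.tcp_syncookies=1' \
    'net.ipv4.tcp_synack_retries=3' \
    'net.ipv4.tcp_max_syn_backlog=4096'
}

syn_flood_rules() {
  # $1 (optional): file with one offending source IP per line.
  ipfile="$1"
  echo "iptables -N SYN_GUARD"
  # Replies to our own outbound connections must not hit the port filter.
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Step 6: drop SYNs to ports we do not serve, before they eat the budget.
  echo "iptables -A INPUT -p tcp --syn -m multiport ! --dports $SERVICED_PORTS -j DROP"
  echo "iptables -A INPUT -p tcp --syn -j SYN_GUARD"
  # Known offenders: 1 SYN/sec each, the rest of their SYNs are dropped.
  if [ -n "$ipfile" ] && [ -r "$ipfile" ]; then
    while read -r ip; do
      [ -z "$ip" ] && continue
      echo "iptables -A SYN_GUARD -s $ip -m limit --limit 1/second --limit-burst 1 -j RETURN"
      echo "iptables -A SYN_GUARD -s $ip -j DROP"
    done < "$ipfile"
  fi
  # Everyone else shares the global limit/burst; excess SYNs are dropped.
  echo "iptables -A SYN_GUARD -m limit --limit $SYN_RATE --limit-burst $SYN_BURST -j RETURN"
  echo "iptables -A SYN_GUARD -j DROP"
}

case "$1" in
  apply)
    syn_flood_sysctl | while read -r kv; do sysctl -w "$kv"; done
    syn_flood_rules "$2" | sh -e ;;
  *)
    syn_flood_sysctl; syn_flood_rules "$2" ;;
esac
```

Run it without arguments first and read the generated rules; `sh syn_guard.sh apply log-uniq.txt` then installs them, and the SYN_GUARD chain counters (`iptables -vnL SYN_GUARD`) show how much is being dropped.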