Preventing DDoS attacks (as far as possible)

Recently my CentOS machine has been getting a lot of attacks. I am running MRTG, and when an attack happens the TCP connections graph goes crazy. It makes the machine unreachable.

This is my current /etc/sysctl.conf configuration:

    # Kernel sysctl configuration file for Red Hat Linux
    #
    # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
    # sysctl.conf(5) for more details.

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 0

    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1

    # Do not accept source routing
    net.ipv4.conf.default.accept_source_route = 0

    # Controls the System Request debugging functionality of the kernel
    kernel.sysrq = 1

    # Controls whether core dumps will append the PID to the core filename
    # Useful for debugging multi-threaded applications
    kernel.core_uses_pid = 1

    # Controls the use of TCP syncookies
    net.ipv4.tcp_syncookies = 1

    # Controls the maximum size of a message, in bytes
    kernel.msgmnb = 65536

    # Controls the default maximum size of a message queue
    kernel.msgmax = 65536

    # Controls the maximum shared segment size, in bytes
    kernel.shmmax = 68719476736

    # Controls the maximum number of shared memory segments, in pages
    kernel.shmall = 4294967296

    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.tcp_syncookies = 1
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv6.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.tcp_max_syn_backlog = 1280

Furthermore, in my iptables file (/etc/sysconfig/iptables) I only have these settings:

    # Generated by iptables-save v1.3.5 on Mon Feb 14 07:07:31 2011
    *filter
    :INPUT ACCEPT [1139630:287215872]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1222418:555508541]

Along with the settings above, roughly 800 IPs are blocked in the iptables file by lines like this:

    -A INPUT -s 82.77.119.47 -j DROP

These were all added by my host when I emailed them about the attacks.

I am no expert, and I don't know whether this is ideal.

My question is: what are some good things to add to the iptables file and other files that would make it harder for attackers to attack my machine, without locking out any non-attacking users?

Thanks in advance!
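The rule set below is an added example, not part of the original post and not anything the poster's host supplied. It shows one defensible layout for the iptables file described above: the default INPUT policy becomes DROP, already-tracked flows are accepted early, the existing per-IP DROP lines are moved into their own chain, and a per-source connection cap plus a SYN rate limit are placed in front of the service port so that a single flooding address is throttled while normal clients are not. Everything is assumed: the service listens on TCP/80 and SSH on TCP/22, the kernel and iptables support the `connlimit` and `hashlimit` matches with `--hashlimit-upto` (iptables 1.4 or newer, so not the 1.3.5 build shown in the post without upgrading), the function names `make_sample_blocklist` and `build_ruleset` are mine, and the three blocked addresses in the sample are constructed from the RFC 5737 documentation ranges. The script only prints an iptables-restore file; it never calls iptables itself.

```shell
#!/bin/sh
# Added example (not from the original post): print an iptables-restore
# ruleset that keeps the poster's "-A INPUT -s <ip> -j DROP" lines in a
# dedicated chain and adds per-source limits in front of the web port.
# Assumptions: service on TCP/80, SSH on TCP/22, iptables 1.4+ with the
# connlimit and hashlimit matches. Nothing here applies rules to the kernel.
set -eu

# Constructed sample blocklist in the same format as the poster's lines
# (RFC 5737 documentation addresses, not real attackers).
make_sample_blocklist() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
-A INPUT -s 203.0.113.5 -j DROP
-A INPUT -s 198.51.100.77 -j DROP
-A INPUT -s 192.0.2.250 -j DROP
EOF
  printf '%s\n' "$f"
}

# build_ruleset BLOCKLIST_FILE [SVC_PORT] [SSH_PORT]
# Prints a complete *filter table for iptables-restore. Any file that
# contains "-A INPUT -s <ip> -j DROP" lines (e.g. the poster's current
# /etc/sysconfig/iptables) can be used as BLOCKLIST_FILE; only those
# lines are taken from it.
build_ruleset() {
  blocklist=$1; svc_port=${2:-80}; ssh_port=${3:-22}

  printf '%s\n' '*filter' \
    ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
    ':BLOCKLIST - [0:0]' ':SYNFLOOD - [0:0]'

  # Loopback and already-tracked flows first: these are the cheap matches.
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m state --state INVALID -j DROP'
  # A NEW TCP connection must start with SYN; anything else is junk.
  echo '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
  # Known-bad sources, checked before any rate accounting is spent on them.
  echo '-A INPUT -j BLOCKLIST'

  # Cap concurrent connections per source address on the service port.
  echo "-A INPUT -p tcp --syn --dport $svc_port -m connlimit --connlimit-above 50 --connlimit-mask 32 -j DROP"
  # Rate-limit new SYNs per source; SYNFLOOD returns while under the limit.
  echo "-A INPUT -p tcp --syn --dport $svc_port -j SYNFLOOD"
  echo "-A INPUT -p tcp --dport $svc_port -m state --state NEW -j ACCEPT"

  # Admin access, with a slow per-source limit on new SSH connections.
  echo "-A INPUT -p tcp --dport $ssh_port -m state --state NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 6/min --hashlimit-burst 6 -j ACCEPT"

  # Answer pings, but not floods of them.
  echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT'
  # Log a sample of what the default DROP policy discards.
  echo '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "'

  # SYNFLOOD: per-source token bucket of 20 SYN/s with a burst of 40.
  echo '-A SYNFLOOD -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-upto 20/sec --hashlimit-burst 40 -j RETURN'
  echo '-A SYNFLOOD -m limit --limit 3/min -j LOG --log-prefix "SYNFLOOD: "'
  echo '-A SYNFLOOD -j DROP'

  # Rewrite the existing "-A INPUT -s <ip> -j DROP" lines into the chain.
  sed -n 's/^[[:space:]]*-A INPUT -s \([0-9.]*\) -j DROP[[:space:]]*$/-A BLOCKLIST -s \1 -j DROP/p' "$blocklist"

  echo 'COMMIT'
}

# Stand-alone run: use the file given as $1, else the constructed sample.
blocklist=${1:-}
cleanup=0
if [ -z "$blocklist" ]; then
  blocklist=$(make_sample_blocklist)
  cleanup=1
fi
build_ruleset "$blocklist" 80 22
if [ "$cleanup" = 1 ]; then rm -f "$blocklist"; fi
```

Run it with the current file as the argument, for example `sh ruleset.sh /etc/sysconfig/iptables > /tmp/new-rules`, read the output, and only then load it as root with `iptables-restore < /tmp/new-rules` from a session you keep open, so a mistake in the SSH rule cannot lock you out before you revert. The `tcp_syncookies = 1` already present in the poster's sysctl.conf is the kernel-side complement to the SYNFLOOD chain: the firewall throttles per-source SYN rates, and syncookies keep the listen queue usable if the backlog still fills.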