Linux Server Hardening Against DDoS

Linux servers form the backbone of internet infrastructure, requiring robust DDoS protection configurations. Whether running web applications, game servers, or APIs, proper Linux hardening significantly improves attack resistance. These configurations apply across distributions like Ubuntu, CentOS, and Debian with minor syntax variations.

Kernel parameter tuning provides fundamental DDoS resistance. Edit /etc/sysctl.conf to increase TCP SYN backlog, enable SYN cookies, and reduce SYN-ACK retries. Configure connection tracking limits to prevent state table exhaustion. Enable reverse path filtering to block spoofed packets. These kernel-level protections defend against common network layer attacks without performance impact.

# Essential sysctl configurations for DDoS protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.rp_filter = 1
net.core.somaxconn = 65535

Iptables rules create sophisticated traffic filtering. Implement connection limit modules to restrict connections per IP address. Create rate limiting rules for specific services. Block invalid packets and common attack patterns. Use ipset for efficient IP blacklisting during attacks. These rules provide granular control over allowed traffic patterns.

# Rate limiting SSH connections
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

Web server configurations require attack-specific tuning. For Nginx, configure limit_req and limit_conn modules to control request rates. Set appropriate timeouts to free resources from slow attacks. Enable caching headers and gzip compression. Apache users should configure mod_evasive and mod_security for similar protections. These application-level defenses complement network filtering.