8.1 Tips

From UnixWiki

Make the user stack non-executable. Add the following to /etc/system (the keyword "set" is required; the change takes effect after a reboot):

 set noexec_user_stack=1

Adding "set noexec_user_stack_log=1" next to it logs every blocked attempt to execute code on the stack through syslog, which both flags exploitation attempts and reveals legitimate programs that still rely on an executable stack. 64-bit SPARC processes already run with a non-executable stack; the tunable matters for 32-bit processes.

Set tcp_strong_iss to 2, which selects RFC 1948 style initial sequence number generation. The default is 1, which still leaves TCP initial sequence numbers predictable enough for connection spoofing and hijacking:

 ndd -set /dev/tcp tcp_strong_iss 2

ndd changes do not survive a reboot. To make this one the default after future reboots, put the line TCP_STRONG_ISS=2 in the file /etc/default/inetinit.

Disable ICMP broadcast echo activity. Otherwise, your system could be used as part of a Smurf attack:

 ndd -set /dev/ip ip_respond_to_echo_broadcast 0
 ndd -set /dev/ip ip6_respond_to_echo_multicast 0
 ndd -set /dev/ip ip_forward_directed_broadcasts 0

Disable ICMP routing redirects.

 ndd -set /dev/ip ip_ignore_redirect 1
 ndd -set /dev/ip ip6_ignore_redirect 1
 ndd -set /dev/ip ip_send_redirects 0
 ndd -set /dev/ip ip6_send_redirects 0

Disable ICMP broadcast probes.

 ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
 ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0 

Disable IP source routing.

 ndd -set /dev/ip ip_forward_src_routed 0
 ndd -set /dev/ip ip6_forward_src_routed 0 

Enforce strict multi-homing for non-forwarding multi-homed systems.

 ndd -set /dev/ip ip_strict_dst_multihoming 1
 ndd -set /dev/ip ip6_strict_dst_multihoming 1 

Increase resilience under heavy TCP load, which makes the system more resistant to SYN flood attacks. tcp_conn_req_max_q0 bounds the half-open (SYN received, not yet ACKed) queue that a SYN flood fills; tcp_conn_req_max_q bounds the backlog of completed connections waiting for accept(); tcp_time_wait_interval (in milliseconds) shortens TIME_WAIT so that connection table entries are freed sooner.

 ndd -set /dev/tcp tcp_conn_req_max_q 1024
 ndd -set /dev/tcp tcp_conn_req_max_q0 4096
 ndd -set /dev/tcp tcp_time_wait_interval 60000 


Increase the TCP send and receive high-water marks (socket buffer sizes) to at least 32 KB. This is throughput tuning rather than hardening.

 ndd -set /dev/tcp tcp_xmit_hwat 32768
 ndd -set /dev/tcp tcp_recv_hwat 32768
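All of the ndd settings above are lost at the next reboot (only TCP_STRONG_ISS has a supported file in /etc/default/inetinit), so in practice they are applied from a startup script and checked afterwards. The script below is an added example, not code from the wiki page: it keeps the settings from this page in one table, applies them with ndd -set, then reads each one back with ndd -get and reports any that did not take. It assumes Solaris ndd(1M) at /usr/sbin/ndd and an rc-style install under a hypothetical name such as /etc/rc2.d/S69nddconfig; the NDD variable exists so the functions can be pointed at a different binary for testing. On Solaris 11 the ndd interface is superseded by ipadm set-prop, so the table would need translating there.

```shell
#!/bin/sh
# Added example (not from the wiki): apply the ndd hardening settings listed
# above at boot and verify that each one reads back as set.
# Assumptions: Solaris ndd(1M) at /usr/sbin/ndd; installed as an rc script
# such as /etc/rc2.d/S69nddconfig (hypothetical name) and invoked with
# "start". ndd changes are lost on reboot, hence the startup hook.

NDD=${NDD:-/usr/sbin/ndd}

# driver, parameter, value: one setting per line, taken from the page above.
NDD_SETTINGS='
/dev/ip  ip_respond_to_echo_broadcast          0
/dev/ip  ip6_respond_to_echo_multicast         0
/dev/ip  ip_forward_directed_broadcasts        0
/dev/ip  ip_ignore_redirect                    1
/dev/ip  ip6_ignore_redirect                   1
/dev/ip  ip_send_redirects                     0
/dev/ip  ip6_send_redirects                    0
/dev/ip  ip_respond_to_address_mask_broadcast  0
/dev/ip  ip_respond_to_timestamp_broadcast     0
/dev/ip  ip_forward_src_routed                 0
/dev/ip  ip6_forward_src_routed                0
/dev/ip  ip_strict_dst_multihoming             1
/dev/ip  ip6_strict_dst_multihoming            1
/dev/tcp tcp_conn_req_max_q                    1024
/dev/tcp tcp_conn_req_max_q0                   4096
/dev/tcp tcp_time_wait_interval                60000
/dev/tcp tcp_strong_iss                        2
'

# Run "ndd -set" for every entry. A failure is reported but does not stop the
# loop, so one unsupported parameter (e.g. an ip6_* knob on a kernel without
# IPv6) does not leave the remaining settings unapplied.
apply_ndd_settings() {
    while read -r dev param value; do
        [ -z "$dev" ] && continue
        "$NDD" -set "$dev" "$param" "$value" \
            || echo "warning: could not set $dev $param=$value" >&2
    done <<EOF
$NDD_SETTINGS
EOF
}

# Read every setting back with "ndd -get" and report mismatches on stderr.
# Returns 0 when all settings are in effect, 1 otherwise, so it can be used
# both at boot and from a periodic compliance check.
verify_ndd_settings() {
    rc=0
    while read -r dev param want; do
        [ -z "$dev" ] && continue
        got=$("$NDD" -get "$dev" "$param" 2>/dev/null || true)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $dev $param: want $want, got ${got:-<unreadable>}" >&2
            rc=1
        fi
    done <<EOF
$NDD_SETTINGS
EOF
    return $rc
}

# rc-script entry point: "start" applies then verifies, "check" only verifies.
case "${1:-}" in
    start) apply_ndd_settings; verify_ndd_settings ;;
    check) verify_ndd_settings ;;
esac
```

Running the script with "check" from cron gives a cheap drift detector: any setting that an administrator or a later ndd invocation changed back shows up as a MISMATCH line and a non-zero exit status.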