13.5 Tips

From UnixWiki

Check that the stack is not executable

 # sedmgr
 Stack Execution Disable (SED) mode: select
 SED configured in kernel: select

Change the SED setting of a program (inserts a tag in the COFF header)

 # sedmgr -c exempt getenvaddress

Display the SED setting of a program

 # sedmgr -d getenvaddress
 getenvaddress : system

Decrease the ARP cache cleanup interval.

 no -o arpt_killc=20 

Disable ICMP broadcast echo activity. Otherwise, your system could be used as part of a Smurf attack:

 no -o directed_broadcast=0

Disable ICMP routing redirects. Otherwise, your system could have its routing table misadjusted by an attacker.

 no -o ipignoreredirects=1
 no -o ipsendredirects=0 

Disable ICMP broadcast probes. Otherwise, an attacker might be able to reverse engineer some details of your network infrastructure.

 no -o icmpaddressmask=0 

Disable IP source routing. The only use of IP source routing these days is by attackers trying to spoof IP addresses that you would trust as internal hosts.

 no -o ipsrcroutesend=0
 no -o ipsrcrouteforward=0 

Increase resilience under heavy TCP load (which makes the system more resistant to SYN Flood attacks).

 no -o clean_partial_conns=1 

Increase TCP send and receive window sizes to at least 32 kbytes.

 no -o tcp_sendspace=32768
 no -o tcp_recvspace=32768
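
To check that the network tunables listed above are still in place, the following added example (not part of the original wiki page) compares "no -a" style output against those values. The function name audit_no, the "name = value" line layout and the sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit "no -a" output against
# the values this page recommends. Fields: tunable, operator, wanted value.
BASELINE='arpt_killc eq 20
directed_broadcast eq 0
ipignoreredirects eq 1
ipsendredirects eq 0
icmpaddressmask eq 0
ipsrcroutesend eq 0
ipsrcrouteforward eq 0
clean_partial_conns eq 1
tcp_sendspace ge 32768
tcp_recvspace ge 32768'

# Constructed sample of "no -a" output (assumed "name = value" layout).
SAMPLE='            arpt_killc = 20
   clean_partial_conns = 0
    directed_broadcast = 0
       icmpaddressmask = 0
     ipignoreredirects = 1
       ipsendredirects = 1
     ipsrcrouteforward = 0
         tcp_recvspace = 16384
         tcp_sendspace = 131072'

# audit_no: read "name = value" lines on stdin, print one line per tunable
# that deviates from BASELINE, and return 1 if any deviation was found.
audit_no() {
    input=$(cat)
    rc=0
    while read -r name op want; do
        have=$(printf '%s\n' "$input" |
            awk -v n="$name" '$1 == n && $2 == "=" { v = $3 } END { print v }')
        if [ -z "$have" ]; then
            echo "MISSING $name (want $op $want)"; rc=1
        elif [ "$op" = eq ] && [ "$have" -ne "$want" ]; then
            echo "DRIFT $name=$have (want $want)"; rc=1
        elif [ "$op" = ge ] && [ "$have" -lt "$want" ]; then
            echo "DRIFT $name=$have (want >= $want)"; rc=1
        fi
    done <<EOF
$BASELINE
EOF
    return $rc
}

# On AIX the live check would be: no -a | audit_no
printf '%s\n' "$SAMPLE" | audit_no || :
```

Running the check after each reboot is useful because a value set with "no -o" alone applies to the running system; where the no command supports the -p flag, "no -p -o tunable=value" also records the value for the next boot.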