4.1 Tips

From UnixWiki

Disable ICMP broadcast echo activity. Otherwise, your system could be used as part of a Smurf attack:

 ndd -set /dev/ip ip_respond_to_echo_broadcast 0
 ndd -set /dev/ip ip_forward_directed_broadcasts 0

Disable ICMP routing redirects. Otherwise, an attacker could use redirect messages to alter your system's routing table.

 ndd -set /dev/ip ip_send_redirects 0
 ndd -set /dev/ip ip_forward_directed_broadcasts 0

Disable ICMP broadcast probes. Otherwise, an attacker might be able to reverse engineer some details of your network infrastructure.

 ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
 ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

Disable IP source routing. The only use of IP source routing these days is by attackers trying to spoof IP addresses that you would trust as internal hosts.

 ndd -set /dev/ip ip_src_route_forward 0

Increase resilience under heavy TCP load (which makes the system more resistant to SYN flood attacks).

 ndd -set /dev/tcp tcp_syn_rcvd_max 1024
 ndd -set /dev/tcp tcp_conn_request_max 200
 ndd -set /dev/tcp tcp_time_wait_interval 60000

Increase TCP send and receive window sizes to at least 32 kbytes. But do not increase these above 64 kbytes unless you fully understand and support both RFC 1323 and RFC 2018.

The TCP send and receive spaces are 32 kbytes by default.
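Setting the values is only half the job; they are lost on reboot and drift over time, so a defender also wants a repeatable check. The script below is an added example (not from this wiki) that audits the ndd settings listed in the sections above with `ndd -get`; it assumes `ndd -get DEVICE PARAM` prints the current value on one line, and the `NDD` override variable is this script's own convention so the checker can be exercised against a stub off-box.

```sh
#!/bin/sh
# Added example (not from the wiki): audit the ndd hardening values above
# against a running HP-UX host. Assumes `ndd -get DEVICE PARAM` prints the
# current value on one line. NDD may be overridden to point at a stub so the
# checker can be exercised off-box.
NDD=${NDD:-/usr/bin/ndd}

# Desired state, one "device parameter value" triple per line.
SETTINGS='
/dev/ip  ip_respond_to_echo_broadcast          0
/dev/ip  ip_forward_directed_broadcasts        0
/dev/ip  ip_send_redirects                     0
/dev/ip  ip_respond_to_address_mask_broadcast  0
/dev/ip  ip_respond_to_timestamp_broadcast     0
/dev/ip  ip_src_route_forward                  0
/dev/tcp tcp_syn_rcvd_max                      1024
/dev/tcp tcp_conn_request_max                  200
/dev/tcp tcp_time_wait_interval                60000
'

# check_one DEVICE PARAM EXPECTED: print one status line; return 0 if the
# live value matches, 1 otherwise (a missing or unreadable value also fails).
check_one() {
    dev=$1 param=$2 want=$3
    have=$("$NDD" -get "$dev" "$param" 2>/dev/null) || have='(unreadable)'
    if [ "$have" = "$want" ]; then
        echo "OK   $dev $param = $have"
        return 0
    fi
    echo "FAIL $dev $param = $have (expected $want)"
    return 1
}

# audit: print a status line for every setting in SETTINGS.
audit() {
    printf '%s\n' "$SETTINGS" | while read -r dev param want; do
        if [ -n "$dev" ]; then
            check_one "$dev" "$param" "$want" || :
        fi
    done
}

# noncompliant: number of settings that differ from the desired state.
noncompliant() {
    audit | grep -c '^FAIL' || :
}

# Invoked as "sh ndd-audit.sh audit": show the report, exit non-zero on drift.
if [ "${1:-}" = "audit" ]; then
    report=$(audit)
    printf '%s\n' "$report"
    [ "$(printf '%s\n' "$report" | grep -c '^FAIL')" -eq 0 ]
fi
```

Run it from cron or a configuration-management hook and alert on a non-zero exit; the FAIL lines name exactly which parameter has drifted and what it should be.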