8.4 Tips

De UnixWiki
Aller à : navigation, rechercher

Activer l'ASLR 

 echo 2 > /proc/sys/kernel/randomize_va_space

Disable ICMP broadcast echo activity. Otherwise, your system could be used as part of a Smurf attack: 

 sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

Disable ICMP routing redirects. Otherwise, your system could have its routing table misadjusted by an attacker. 

 sysctl -w net.ipv4.conf.all.accept_redirects=0
 sysctl -w net.ipv6.conf.all.accept_redirects=0
 sysctl -w net.ipv4.conf.all.send_redirects=0
 sysctl -w net.ipv6.conf.all.send_redirects=0

Disable ICMP broadcast probes. 

 You will have to block these with a packet filter like iptables

Disable IP source routing. The only use of IP source routing these days is by attackers trying to spoof IP addresses that you would trust as internal hosts. 

 sysctl -w net.ipv4.conf.all.accept_source_route=0
 sysctl -w net.ipv4.conf.all.forwarding=0
 sysctl -w net.ipv4.conf.all.mc_forwarding=0

Enforce sanity checking, also called ingress filtering or egress filtering. 

 sysctl -w net.ipv4.conf.all.rp_filter=1

Log and drop "Martian" packets. 

 sysctl -w net.ipv4.conf.all.log_martians=1

Increase resiliance under heavy TCP load (which makes the system more resistant to SYN Flood attacks). 

 sysctl -w net.ipv4.tcp_max_syn_backlog=1280
 sysctl -w net.ipv4.tcp_syncookies=1
 Already drops inactive TCP connections within 60 seconds

Increase TCP send and receive window sizes to at least 32 kbytes. 

 The kernel supports RFC 1323 and RFC 2018 and dynamically adjusts the TCP send and receive space by default
Récupérée de « https://futex.re/mediawiki/index.php?title=8.4_Tips&oldid=2349 »