Futex le 15 septembre 2012 à 15:28

2012-09-15T15:28:28Z

Nouvelle page

Rendre la pile non executable dans /etc/system:
noexec_user_stack=1

Il faut passer le champ tcp_strong_iss à 2 (par défaut il est à 1, on peut prévoir le numéro de séquence TCP)
ndd -set /dev/tcp tcp_strong_iss 2
To configure this behavior to be the default after future reboots, put the line TCP_STRONG_ISS=2 in the file /etc/default/inetinit

Disable ICMP broadcast echo activity. Otherwise, your system could be used as part of a Smurf attack:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip6_respond_to_echo_multicast 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0

Disable ICMP routing redirects.
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip6_ignore_redirect 1
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip6_send_redirects 0

Disable ICMP broadcast probes.
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

Disable IP source routing.
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip6_forward_src_routed 0

Enforce strict multi-homing for non-forwarding multi-homed systems.
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/ip ip6_strict_dst_multihoming 1

Increase resiliance under heavy TCP load (which makes the system more resistant to SYN Flood attacks).
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_time_wait_interval 60000

Defend against TCP connection hijacking by following the recommendations of RFC 1948.
ndd -set /dev/tcp tcp_strong_iss 2
To configure this behavior to be the default after future reboots, put the line TCP_STRONG_ISS=2 in the file /etc/default/inetinit

Increase TCP send and receive window sizes to at least 32 kbytes.
ndd -set /dev/tcp tcp_xmit_hwat 32768
ndd -set /dev/tcp tcp_recv_hwat 32768

8.1 Tips - Historique des versions

Futex le 15 septembre 2012 à 15:28