"8.1 Tips": difference between revisions
Latest revision as of 15 September 2012, 15:28
Make the user stack non-executable by adding the following line to /etc/system (entries in that file take the form "set parameter=value"):
set noexec_user_stack=1
Set the tcp_strong_iss field to 2 (by default it is 1, which leaves the TCP initial sequence number predictable; value 2 follows RFC 1948):
ndd -set /dev/tcp tcp_strong_iss 2
To configure this behavior to be the default after future reboots, put the line TCP_STRONG_ISS=2 in the file /etc/default/inetinit.
Disable ICMP broadcast echo activity. Otherwise, your system could be used as part of a Smurf attack:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip6_respond_to_echo_multicast 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
Disable ICMP routing redirects:
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip6_ignore_redirect 1
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip6_send_redirects 0
Disable ICMP broadcast probes:
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
Disable IP source routing:
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip6_forward_src_routed 0
Enforce strict multi-homing for non-forwarding multi-homed systems:
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/ip ip6_strict_dst_multihoming 1
Increase resilience under heavy TCP load (which makes the system more resistant to SYN flood attacks):
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_time_wait_interval 60000
Increase TCP send and receive window sizes to at least 32 kbytes:
ndd -set /dev/tcp tcp_xmit_hwat 32768
ndd -set /dev/tcp tcp_recv_hwat 32768
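The ndd commands above only change the running kernel, so the settings a host actually has can drift from this list after a reboot or an ad-hoc change. The script below is an added example (not part of the wiki page) that turns the list into a compliance check: it reads every parameter with "ndd -get", reports each one that differs from the expected value, and can reapply the whole set. The function names, the getter/setter argument (which lets the check run against a stub on a non-Solaris host) and the "DRIFT" output format are this example's own choices; the parameters and values are the ones listed on the page.

```shell
#!/bin/sh
# Expected Solaris ndd hardening settings, one per line: "device parameter value".
# Values are the ones recommended above; the /etc/system stack setting is a boot-time
# kernel tunable and is not covered by ndd, so it is not in this list.
NDD_EXPECTED='/dev/tcp tcp_strong_iss 2
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip6_respond_to_echo_multicast 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip6_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/ip ip6_send_redirects 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip6_forward_src_routed 0
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip6_strict_dst_multihoming 1
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_time_wait_interval 60000
/dev/tcp tcp_xmit_hwat 32768
/dev/tcp tcp_recv_hwat 32768'

# check_ndd_settings [getter]
# Reads each parameter as "<getter> <device> <parameter>" (default "ndd -get",
# the real Solaris tool; a stub function name can be passed for testing).
# Prints one "DRIFT ..." line per parameter whose current value differs from the
# expected one and returns the number of drifted parameters (0 = compliant).
check_ndd_settings() {
  getter=${1:-"ndd -get"}
  drift=0
  while read -r dev param want; do
    [ -z "$param" ] && continue
    got=$($getter "$dev" "$param" 2>/dev/null) || got="unreadable"
    if [ "$got" != "$want" ]; then
      echo "DRIFT $dev $param expected=$want current=$got"
      drift=$((drift + 1))
    fi
  done <<EOF
$NDD_EXPECTED
EOF
  return "$drift"
}

# apply_ndd_settings [setter]
# Sets each parameter as "<setter> <device> <parameter> <value>" (default
# "ndd -set"; needs root on a real host). ndd changes are runtime-only, so this
# must be re-run at boot (e.g. from an rc script) to survive a reboot.
apply_ndd_settings() {
  setter=${1:-"ndd -set"}
  while read -r dev param want; do
    [ -z "$param" ] && continue
    $setter "$dev" "$param" "$want" || echo "failed: $dev $param"
  done <<EOF
$NDD_EXPECTED
EOF
}

# Stand-alone use on a Solaris host: "sh script.sh" reports drift,
# "sh script.sh apply" reapplies the settings first. Skipped where ndd is absent.
if command -v ndd >/dev/null 2>&1; then
  [ "$1" = "apply" ] && apply_ndd_settings
  check_ndd_settings
fi
```

Running the check from cron or a configuration-management agent gives a cheap detection of hosts that booted without their hardening script. Note that only tcp_strong_iss has a persistence file mentioned on this page (/etc/default/inetinit); the other ndd values need the apply step at boot, and on Solaris 11 the ndd tool has been superseded by ipadm, so the getter and setter arguments would be swapped for the corresponding ipadm commands there.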