« 8.1 Tips » : différence entre les versions

De UnixWiki
Aller à la navigation Aller à la recherche
Aucun résumé des modifications
 
(Aucune différence)

Dernière version du 15 septembre 2012 à 15:28

Rendre la pile non executable dans /etc/system:

 noexec_user_stack=1

Il faut passer le champ tcp_strong_iss à 2 (par défaut il est à 1, on peut prévoir le numéro de séquence TCP)

 ndd -set /dev/tcp tcp_strong_iss 2
 To configure this behavior to be the default after future reboots, put the line TCP_STRONG_ISS=2 in the file /etc/default/inetinit

Disable ICMP broadcast echo activity. Otherwise, your system could be used as part of a Smurf attack:

 ndd -set /dev/ip ip_respond_to_echo_broadcast 0
 ndd -set /dev/ip ip6_respond_to_echo_multicast 0
 ndd -set /dev/ip ip_forward_directed_broadcasts 0

Disable ICMP routing redirects.

 ndd -set /dev/ip ip_ignore_redirect 1
 ndd -set /dev/ip ip6_ignore_redirect 1
 ndd -set /dev/ip ip_send_redirects 0
 ndd -set /dev/ip ip6_send_redirects 0

Disable ICMP broadcast probes.

 ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
 ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0 

Disable IP source routing.

 ndd -set /dev/ip ip_forward_src_routed 0
 ndd -set /dev/ip ip6_forward_src_routed 0 

Enforce strict multi-homing for non-forwarding multi-homed systems.

 ndd -set /dev/ip ip_strict_dst_multihoming 1
 ndd -set /dev/ip ip6_strict_dst_multihoming 1 

Increase resiliance under heavy TCP load (which makes the system more resistant to SYN Flood attacks).

 ndd -set /dev/tcp tcp_conn_req_max_q 1024
 ndd -set /dev/tcp tcp_conn_req_max_q0 4096
 ndd -set /dev/tcp tcp_time_wait_interval 60000 

Defend against TCP connection hijacking by following the recommendations of RFC 1948.

 ndd -set /dev/tcp tcp_strong_iss 2
 To configure this behavior to be the default after future reboots, put the line TCP_STRONG_ISS=2 in the file /etc/default/inetinit

Increase TCP send and receive window sizes to at least 32 kbytes.

 ndd -set /dev/tcp tcp_xmit_hwat 32768
 ndd -set /dev/tcp tcp_recv_hwat 32768