8.4 Tips: difference between versions
Latest revision as of 19 June 2013, 15:05
Enable ASLR
echo 2 > /proc/sys/kernel/randomize_va_space
Value 2 randomises the stack, mmap base, VDSO and the heap (brk); 1 leaves the heap unrandomised. Writes to /proc/sys or with sysctl -w do not survive a reboot; put the same keys in /etc/sysctl.conf or a file under /etc/sysctl.d/ to make them persistent. The same applies to every sysctl below.
Ignore ICMP echo requests sent to broadcast addresses. Otherwise the host answers them and can be used as an amplifier in a Smurf attack:
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
Disable ICMP routing redirects. Otherwise an attacker on the local segment can send forged redirects and have the host's routing table altered.
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv6.conf.all.send_redirects=0
Caveat: for send_redirects, and for accept_redirects on a host that does not forward, the kernel ORs the conf.all value with the per-interface value, so conf.all=0 alone is not enough. Also set the net.ipv4.conf.default.* keys (inherited by interfaces created later) and net.ipv4.conf.<iface>.* for interfaces that already exist. The IPv6 tree has no send_redirects key, so the last command fails with "No such file or directory" and can be dropped.
Disable ICMP broadcast probes.
There is no sysctl for these; block them with a packet filter such as iptables.
Disable IP source routing. Source routing lets the sender dictate the path a packet takes; about its only use today is by attackers who spoof addresses of hosts you would trust as internal. Also make sure the host does not forward packets:
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv4.conf.all.mc_forwarding=0
net.ipv4.conf.all.forwarding is the same switch as net.ipv4.ip_forward; leave it at 1 only on a router. net.ipv4.conf.all.mc_forwarding is read-only on current kernels (it reflects whether a multicast routing daemon is attached), so that last command is expected to fail with a permission error; a host that runs no multicast routing daemon already has it at 0.
Enable reverse-path filtering (strict mode). The kernel drops a packet whose source address would not be routed back out through the interface it arrived on, which is the host-side equivalent of ingress/egress (anti-spoofing) filtering:
sysctl -w net.ipv4.conf.all.rp_filter=1
The kernel uses the larger of the conf.all and per-interface rp_filter values, so conf.all=1 is sufficient. Multi-homed hosts with asymmetric routing need loose mode (rp_filter=2) instead of strict mode, or legitimate traffic will be dropped.
Log "Martian" packets (packets whose source address cannot be valid on the interface they arrived on, such as loopback or reserved addresses from the network). This sysctl only logs; the dropping is done by the routing code and by rp_filter above.
sysctl -w net.ipv4.conf.all.log_martians=1
Increase resilience under heavy TCP load, which also makes the system more resistant to SYN flood attacks:
sysctl -w net.ipv4.tcp_max_syn_backlog=1280
sysctl -w net.ipv4.tcp_syncookies=1
With tcp_syncookies=1 the kernel only starts sending SYN cookies once the SYN backlog is full, so normal connections are unaffected. The kernel already times out inactive TCP connections within 60 seconds by default, so nothing needs to be changed there.
Increase TCP send and receive window sizes to at least 32 kbytes.
No change needed: the kernel supports RFC 1323 (window scaling) and RFC 2018 (SACK) and autotunes the TCP send and receive buffer sizes by default.
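The settings above are usually applied once by hand and then drift as interfaces are added or packages ship their own sysctl.d files. The script below is an added example, not part of the original page: it audits a host's current sysctl values against the hardening keys listed above and can apply or print them. The EXPECTED list is an assumption drawn from the commands on this page, extended with the matching net.ipv4.conf.default.* keys (so interfaces created after boot inherit the same values) and the IPv6 accept_source_route key; the page's net.ipv6.conf.all.send_redirects (no such key) and net.ipv4.conf.all.mc_forwarding (read-only) are left out. The file name harden.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit a host's sysctl values
# against the hardening settings listed on this page, apply them, or print
# them in sysctl.conf format.
#
# EXPECTED is an assumption derived from the page's commands, extended with
# net.ipv4.conf.default.* keys so that interfaces created after boot inherit
# the same values, and with the IPv6 accept_source_route key.

EXPECTED='
kernel.randomize_va_space=2
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_max_syn_backlog=1280
net.ipv4.tcp_syncookies=1
'

# audit_sysctl: reads "key = value" lines (the format printed by `sysctl -a`)
# on stdin, prints one line per expected key that is missing or differs,
# and returns 1 if anything differs, 0 when every key matches.
audit_sysctl() {
    # normalise "key = value" and "key=value" into key=value, one per line
    actual=$(sed -e 's/[[:space:]]*=[[:space:]]*/=/')
    rc=0
    for want in $EXPECTED; do
        key=${want%%=*}
        val=${want#*=}
        # exact string match on the key; awk -F= splits key from value
        got=$(printf '%s\n' "$actual" | awk -F= -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $val)"
            rc=1
        elif [ "$got" != "$val" ]; then
            echo "MISMATCH $key=$got (want $val)"
            rc=1
        fi
    done
    return $rc
}

# apply_sysctl: sets every expected key with sysctl -w (run as root).
# A failure (e.g. a key this kernel does not have) is reported but does
# not stop the loop, so one bad key does not leave the rest unset.
apply_sysctl() {
    for want in $EXPECTED; do
        sysctl -w "$want" >/dev/null || echo "could not set $want" >&2
    done
}

# persist_sysctl: prints the settings in sysctl.conf format, e.g.
#   ./harden.sh persist > /etc/sysctl.d/99-hardening.conf
persist_sysctl() {
    printf '%s\n' $EXPECTED
}

case "${1:-}" in
    audit)   sysctl -a 2>/dev/null | audit_sysctl ;;
    apply)   apply_sysctl ;;
    persist) persist_sysctl ;;
esac
```

Run `sh harden.sh audit` on a host to see which keys have drifted (exit status 1 means at least one mismatch, which makes it usable from a cron job or a configuration-management check); `sh harden.sh persist` writes the same list in the format /etc/sysctl.d/ expects. Keys reported as MISSING are ones the running kernel does not expose at all, which is also how you find out that a key from an older guide no longer exists.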