8.4 Tips

De UnixWiki
Version datée du 19 juin 2013 à 15:05 par Futex (discussion | contributions) (Futex a déplacé la page 5.4 Tips vers 8.4 Tips)
(diff) ← Version précédente | Voir la version actuelle (diff) | Version suivante → (diff)
Aller à la navigation Aller à la recherche

Activer l'ASLR

 echo 2 > /proc/sys/kernel/randomize_va_space

Disable ICMP broadcast echo activity. Otherwise, your system could be used as part of a Smurf attack:

 sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

Disable ICMP routing redirects. Otherwise, your system could have its routing table misadjusted by an attacker.

 sysctl -w net.ipv4.conf.all.accept_redirects=0
 sysctl -w net.ipv6.conf.all.accept_redirects=0
 sysctl -w net.ipv4.conf.all.send_redirects=0
 sysctl -w net.ipv6.conf.all.send_redirects=0

Disable ICMP broadcast probes.

 You will have to block these with a packet filter like iptables

Disable IP source routing. The only use of IP source routing these days is by attackers trying to spoof IP addresses that you would trust as internal hosts.

 sysctl -w net.ipv4.conf.all.accept_source_route=0
 sysctl -w net.ipv4.conf.all.forwarding=0
 sysctl -w net.ipv4.conf.all.mc_forwarding=0

Enforce sanity checking, also called ingress filtering or egress filtering.

 sysctl -w net.ipv4.conf.all.rp_filter=1

Log and drop "Martian" packets.

 sysctl -w net.ipv4.conf.all.log_martians=1

Increase resiliance under heavy TCP load (which makes the system more resistant to SYN Flood attacks).

 sysctl -w net.ipv4.tcp_max_syn_backlog=1280
 sysctl -w net.ipv4.tcp_syncookies=1
 Already drops inactive TCP connections within 60 seconds 

Increase TCP send and receive window sizes to at least 32 kbytes.

 The kernel supports RFC 1323 and RFC 2018 and dynamically adjusts the TCP send and receive space by default