Securing and Optimizing Linux:RedHat Edition | All about OS

The kernel tunable parameters

Category: Securing and Optimizing

With Red Hat Linux 6.2, all kernel parameters available under the “/proc/sys” subdirectory can be configured at runtime through the new “/etc/sysctl.conf” file. The “sysctl.conf” file is read and loaded each time the system boots, so all persistent kernel settings now live in “/etc/sysctl.conf”. Make all modifications to “/proc/sys” through “/etc/sysctl.conf”: the settings are kept in one place, and they are applied before “rc.local” or any other user scripts run. Below, we show the networking security options that you must configure on your server for Red Hat Linux versions 6.1 and 6.2.
Prevent your system from responding to ping requests
Preventing your system from responding to ping requests (ICMP echo requests) hides it from simple ping sweeps, since nobody can ping the server and get an answer. The TCP/IP protocol suite has a number of weaknesses that let an attacker use covert channels to pass data surreptitiously inside otherwise benign packets, and the payload of an ICMP echo packet is a classic carrier for this. Ignoring echo requests helps to minimize this problem. Note that it does not hide the host from scanners that probe TCP or UDP ports directly, and it will break any monitoring that relies on ping.
Under Red Hat Linux 6.1
The command
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
takes effect immediately and makes the system ignore ping on every interface. Settings written to “/proc/sys” are lost at shutdown, so add this line to your “/etc/rc.d/rc.local” file and the command will be run automatically when the system reboots. Not responding to pings keeps out the “crackers” who rely on a ping sweep to find hosts, because they never see that the machine is there; a scanner told to skip host discovery (for example nmap -Pn) will still find it.
To turn it back on, simply run
[root@deep /]# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
and remove the corresponding line from your “/etc/rc.d/rc.local” file, otherwise the setting is re-enabled at the next reboot.
Under Red Hat Linux 6.2
Edit the “/etc/sysctl.conf” file and add the following lines:
# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
The network startup script loads “/etc/sysctl.conf” in its “Setting network parameters” step, so restart the network for the change to take effect (alternatively, sysctl -p loads the file into the running kernel immediately without taking the interfaces down). The command to restart the network is the following:
• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
Prevent your system from responding to broadcast requests
As with ping requests, it is also important to ignore ICMP echo requests sent to broadcast addresses. When a packet is sent to an IP broadcast address (for example 192.168.1.255) from a machine on the local network, it is delivered to every machine on that network, and every one of them answers the ICMP echo request. An attacker who forges the source address of such a request makes all those hosts flood the spoofed victim with replies (the “smurf” attack); the result can be severe network congestion or outages (denial of service). See RFC 2644 for more information.
Under Red Hat Linux 6.1
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
You can add this line to your “/etc/rc.d/rc.local” file so the command will be run automatically when the system reboots.
Under Red Hat Linux 6.2
Edit the “/etc/sysctl.conf” file and add the following lines:
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
You must restart the network for the change to take effect, using the same “/etc/rc.d/init.d/network restart” command shown above, or load the file directly with sysctl -p.
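The procedure above, covering both settings, as an added example in POSIX sh (this script is not from the book): it audits the two ICMP keys against the running kernel, applies them by writing to “/proc/sys” exactly as the Red Hat 6.1 method does, and prints the matching “/etc/sysctl.conf” lines for the 6.2 method. The PROC_ROOT variable and the function names are this example's own; PROC_ROOT exists so that the logic can be exercised against a scratch directory tree without root.

```sh
#!/bin/sh
# Added example (not from the book): audit and apply the two ICMP sysctl
# settings covered on this page through the /proc/sys interface, which is
# what the Red Hat 6.1 "echo 1 > /proc/sys/..." method does by hand.
#
# PROC_ROOT is an assumption of this example: it lets the functions run
# against a throwaway directory instead of the live kernel, so the logic
# can be checked without root. The default is the real interface.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# Desired settings, in sysctl key=value form (space separated).
ICMP_SETTINGS="net.ipv4.icmp_echo_ignore_all=1 net.ipv4.icmp_echo_ignore_broadcasts=1"

# Map a dotted sysctl key to its file: net.ipv4.x -> $PROC_ROOT/net/ipv4/x
sysctl_path() {
    printf '%s/%s\n' "$PROC_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Print the current value of one key; prints nothing if the key is absent.
sysctl_get() {
    p=$(sysctl_path "$1")
    if [ -r "$p" ]; then cat "$p"; fi
}

# Compare every entry in ICMP_SETTINGS with the running kernel.
# Prints one MISMATCH line per deviation; returns 0 only if all match.
audit_icmp() {
    rc=0
    for entry in $ICMP_SETTINGS; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(sysctl_get "$key")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: have "%s", want %s\n' "$key" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# Set every entry in ICMP_SETTINGS, the same as "echo 1 > /proc/sys/..." .
# Needs root against the real /proc/sys. Returns 1 on the first failed write.
apply_icmp() {
    for entry in $ICMP_SETTINGS; do
        p=$(sysctl_path "${entry%%=*}")
        printf '%s\n' "${entry#*=}" > "$p" || return 1
    done
}

# Emit the equivalent lines for /etc/sysctl.conf (the Red Hat 6.2 method),
# one setting per line in the "key = value" form the file expects.
sysctl_conf_fragment() {
    for entry in $ICMP_SETTINGS; do
        printf '%s = %s\n' "${entry%%=*}" "${entry#*=}"
    done
}

# Command-line use: sh icmp-hardening.sh audit|apply|conf
case "${1-}" in
    audit) audit_icmp ;;
    apply) apply_icmp && audit_icmp ;;
    conf)  sysctl_conf_fragment ;;
esac
```

Run “sh icmp-hardening.sh audit” from cron or a login script to catch the settings being reverted; “apply” needs root against the live “/proc/sys”. The “conf” output can be appended to “/etc/sysctl.conf” on 6.2, after which sysctl -p loads it into the running kernel without restarting the network.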

