The kernel tunable parameters
Under Red Hat Linux 6.1
[root@deep /]# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Add the above command to the /etc/rc.d/rc.local script file and you'll not have to type it again the next time you reboot your system.
Under Red Hat Linux 6.2
Edit the /etc/sysctl.conf file and add the following lines:
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
You must restart your network for the change to take effect. The command to restart the network is the following:
• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
NOTE: If you receive an error message during execution of the above command, check that you have enabled the TCP syncookies option in your kernel configuration: IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?].
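The two procedures above differ only in mechanism: on 6.1 you write the value straight into /proc/sys, on 6.2 you put a "key = value" line in /etc/sysctl.conf and the network script applies it. The following script is an added example, not part of the original book, that bridges the two: it reads sysctl.conf-style lines (including the ICMP redirect entry from the next section) and turns each key into its /proc/sys path, so the same configuration file can be applied on a system without sysctl, or checked in dry-run mode without root. The function names and the sample configuration are assumptions made for this example.

```shell
# sysctl_to_proc KEY: map a sysctl.conf key to its /proc/sys path.
# The kernel exposes "net.ipv4.tcp_syncookies" as
# /proc/sys/net/ipv4/tcp_syncookies, so dots simply become slashes.
sysctl_to_proc() {
    echo "/proc/sys/$(printf '%s' "$1" | tr . /)"
}

# apply_sysctl_conf MODE: read sysctl.conf-style lines on stdin and either
# write each value into /proc/sys (MODE=apply) or print the equivalent
# "echo VALUE > PATH" command without touching the kernel (MODE=dry).
# Comments (#...) and blank lines are ignored; whitespace around '=' is
# tolerated. A key whose /proc file is missing is reported, which is the
# "option not compiled into this kernel" case the NOTE above describes.
apply_sysctl_conf() {
    mode=${1:-dry}
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | while IFS='=' read -r key value; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        value=$(printf '%s' "$value" | tr -d '[:space:]')
        path=$(sysctl_to_proc "$key")
        if [ "$mode" = dry ]; then
            echo "echo $value > $path"
        elif [ -w "$path" ]; then
            echo "$value" > "$path"
        else
            echo "skipping $key: $path not writable (option not in this kernel?)" >&2
        fi
    done
}

# Constructed sample of the sysctl.conf lines this chapter adds
# (not a file taken from a real system).
SAMPLE_CONF='# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0'

# Dry run: show the /proc writes the configuration corresponds to.
printf '%s\n' "$SAMPLE_CONF" | apply_sysctl_conf dry
```

Run it as root with `apply` instead of `dry` (e.g. from rc.local) to actually set the values; the dry output is exactly the set of commands the 6.1 procedure has you type by hand.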
Disable ICMP Redirect Acceptance
When hosts use a non-optimal or defunct route to a particular destination, an ICMP redirect packet is used by routers to inform the hosts what the correct route should be. If an attacker is able to forge ICMP redirect packets, he or she can alter the routing tables on the host and
possibly subvert the security of the host by causing traffic to flow via a path you didn’t intend. It’s strongly recommended to disable ICMP Redirect Acceptance to protect your server from this hole.
Under Red Hat Linux 6.1
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> echo 0 > $f
> done
[root@deep /]#
Add the above commands to the /etc/rc.d/rc.local script file and you'll not have to type them again the next time you reboot your system.
Under Red Hat Linux 6.2
Edit the /etc/sysctl.conf file and add the following lines:
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
You must restart your network for the change to take effect. The command to restart the network is the following:
• To restart all network devices manually on your system, use the following command: