tcplimit, ipdrop, ipblock


Post by Lorena Wells on Sun Aug 04, 2013 1:54 pm

Using dynamic firewalls.

4- Optimizing and securing the network with sysctl.conf

cat /proc/sys/net/ipv4/tcp_syncookies

# Enable IP spoofing protection, turn on Source Address Verification

net.ipv4.conf.all.rp_filter = 1

# Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request

net.ipv4.icmp_echo_ignore_broadcasts = 1

1). Activate SynCookies protection

It works by sending out 'syncookies' when the
syn backlog queue of a socket overflows.

=> echo 1 >/proc/sys/net/ipv4/tcp_syncookies


=> /sbin/sysctl -w net.ipv4.tcp_syncookies=1

2). Disable source routing

=> for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
     echo 0 > $f
   done


=> /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0

3). Reverse Path Filtering

Reject incoming packets if their source address doesn't match
the network interface that they're arriving on

=> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
     echo 1 > $f
   done


=> /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1

4). Log RP filter dropped packets (martians)

=> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
     echo 1 > $f
   done


=> /sbin/sysctl -w net.ipv4.conf.all.log_martians=1

5). Maximal number of remembered connection requests

=> /sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=256

6). How many times to retry before killing a TCP connection

(default 7 on most systems)

=> /sbin/sysctl -w net.ipv4.tcp_orphan_retries=4

7). Number of SYN packets the kernel will send before giving up

=> /sbin/sysctl -w net.ipv4.tcp_syn_retries=5

8). Disable broadcast icmp reply

=> /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

9). Ignore Bogus icmp packets

=> /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

10). Disable ICMP redirect

=> echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects
=> echo 0 >/proc/sys/net/ipv4/conf/all/send_redirects


=> /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
=> /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0

11). Disable timestamps

=> echo 0 >/proc/sys/net/ipv4/tcp_timestamps


=> /sbin/sysctl -w net.ipv4.tcp_timestamps=0

12). Reduce DOS ability by reducing timeouts

=> echo 30 >/proc/sys/net/ipv4/tcp_fin_timeout
=> echo 1800 >/proc/sys/net/ipv4/tcp_keepalive_time
=> echo 0 >/proc/sys/net/ipv4/tcp_window_scaling
=> echo 0 >/proc/sys/net/ipv4/tcp_sack


=> /sbin/sysctl -w net.ipv4.tcp_fin_timeout=30
=> /sbin/sysctl -w net.ipv4.tcp_keepalive_time=1800
=> /sbin/sysctl -w net.ipv4.tcp_window_scaling=0
=> /sbin/sysctl -w net.ipv4.tcp_sack=0

- List of all the TCP variables

- List of the /proc/sys/net/ipv4/* variables (with default values and explanations)

More examples of complete sysctl.conf configurations are in the document's references.

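The post lists the values but not how to check that a host actually carries them, which is the part that matters once the settings live in /etc/sysctl.conf and someone later edits the file. The script below is an added example, not code from the post or its references: it audits a sysctl.conf-style file (or the running kernel through /proc/sys, which is readable without root) against the post's list and reports every key that is missing or set to a different value. It assumes a POSIX sh with awk, tr and mktemp; the EXPECTED list mirrors the post's values, the sample config is constructed for the demo and is not any real host's file, and the function and variable names are my own. One caveat a practitioner should weigh: the last four entries (tcp_timestamps, tcp_fin_timeout, tcp_window_scaling, tcp_sack) are the post's DoS tuning rather than hardening, and turning off window scaling and SACK costs throughput, so trim them from EXPECTED if the host needs the kernel defaults.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a sysctl.conf-style
# file (or the running kernel via /proc/sys) against the hardening values
# listed in the post. Reading either needs no root, so it can run anywhere;
# applying the values is still `sysctl -p FILE` or `sysctl -w` as root.

# Expected settings, taken from the post. The last four (timestamps, fin
# timeout, window scaling, SACK) are DoS tuning rather than hardening and
# cost throughput; drop them here if the host needs the defaults.
EXPECTED='
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_max_syn_backlog=256
net.ipv4.tcp_orphan_retries=4
net.ipv4.tcp_syn_retries=5
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=1800
net.ipv4.tcp_window_scaling=0
net.ipv4.tcp_sack=0
'

# Constructed sample config for the demo (not from any real host). It has
# one setting commented out, one with the wrong value, and one key set twice
# (sysctl applies lines in order, so the last assignment wins).
SAMPLE_CONF='# constructed sample sysctl.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
# net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_max_syn_backlog = 256
net.ipv4.tcp_orphan_retries=4
net.ipv4.tcp_syn_retries=5
net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0'

# conf_value KEY FILE: print the last value assigned to KEY in FILE.
# Skips '#' and ';' comment lines and trims blanks around key and value.
# Limitation: keys written with '/' instead of '.' are not normalised.
conf_value() {
  awk -F= -v k="$1" '
    /^[ \t]*[#;]/ { next }
    {
      key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
      if (key == k) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
    }
    END { if (v != "") print v }' "$2"
}

# live_value KEY: current kernel value from /proc/sys (readable without root).
live_value() {
  path="/proc/sys/$(printf '%s' "$1" | tr . /)"
  [ -r "$path" ] && cat "$path"
}

# audit_with LOOKUP [ARG...]: compare every EXPECTED key with what
# "LOOKUP KEY ARG..." prints. One line per deviation; the return value is
# the number of deviations (0 means the file/kernel matches the post).
audit_with() {
  lookup=$1; shift
  bad=0
  for kv in $EXPECTED; do
    key=${kv%%=*}; want=${kv#*=}
    have=$("$lookup" "$key" "$@")
    if [ -z "$have" ]; then
      printf 'MISSING  %s (want %s)\n' "$key" "$want"; bad=$((bad + 1))
    elif [ "$have" != "$want" ]; then
      printf 'MISMATCH %s = %s (want %s)\n' "$key" "$have" "$want"; bad=$((bad + 1))
    fi
  done
  return "$bad"
}
audit_file() { audit_with conf_value "$1"; }
audit_live() { audit_with live_value; }

# write_sample_conf: put the constructed sample in a temp file, print its path.
write_sample_conf() {
  f=$(mktemp) || return 1
  printf '%s\n' "$SAMPLE_CONF" > "$f"
  printf '%s\n' "$f"
}

# Usage: sh audit_sysctl.sh [/etc/sysctl.conf]; with no argument it audits
# the constructed sample (two findings: log_martians, send_redirects).
if [ -n "${1:-}" ]; then
  audit_file "$1" || echo "$? deviation(s) in $1"
else
  sample=$(write_sample_conf)
  audit_file "$sample" || echo "$? deviation(s) in constructed sample"
  rm -f "$sample"
fi
```

Run it against the file you intend to load with `sysctl -p`, then call `audit_live` after loading to confirm the kernel took the values; the two can differ when a later file in /etc/sysctl.d/ or a network manager resets a key after boot. The lookup is deliberately "last assignment wins" because that is how sysctl itself applies a file, so a hardening line near the top is silently undone by a contradicting line further down.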