Sysadmin.SecurityTuning r1.2 - 20 Jan 2005 - 02:20 - MicahA
#!/bin/sh
#
# setproc         This shell script takes care of setting some good basic
#                 security measures by setting some variables in /proc.
#                 Some of these are enabled in the default install, but it
#                 is good to make sure that they are being set on boot.
#
#                 Note: the file /etc/sysctl.conf could be used to do this
#                       in a saner way, but this works in cases when sysctl
#                       doesn't exist (some distributions). The sysctl key
#                       for a file is its path below /proc/sys with the
#                       slashes replaced by dots.
#
#                 Note: the kernel is not compiled to do ip forwarding or
#                       masquerading, so setting options such as
#                       ip_forward or ip_masq_debug is not necessary (it
#                       could be argued that rp_filter doesn't need to be
#                       set either).
#
#                 Note: a few of the files below exist only on 2.2 kernels
#                       (ip_always_defrag, fs/inode-max, icmp_echoreply_rate).
#                       Writing to a file that does not exist just produces
#                       an error from the shell and is otherwise harmless,
#                       since this script does not run under "set -e".
#
# For more information on these values, visit:
# http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO-13.html
# Micah Jan, 14 2001
# Modified March 31 2002 for sarai -- micah
 
# Enable always defragging protection in /proc/sys/net/ipv4/ip_always_defrag
# (2.2 kernels only: 2.4 removed this file and defragments in netfilter's
# connection tracking instead, so skip the write when the file is absent)
[ -w /proc/sys/net/ipv4/ip_always_defrag ] && echo "1" > /proc/sys/net/ipv4/ip_always_defrag
 
# Enable broadcast echo protection
# If you ping the broadcast address of a network, all hosts are supposed to
# respond, which makes a dandy denial-of-service amplifier (the "smurf" attack:
# spoof the victim's address as the source and every host on the segment floods
# it with replies). Setting this to 1 ignores echo requests sent to broadcast
# and multicast addresses.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 
# Enable bad error message protection. This ignores ICMP errors caused by hosts
# on the network reacting badly to frames sent to what they perceive to be the
# broadcast address; without it the kernel logs a warning for every such bogus
# response, which is nothing but log noise.
# in /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 
# The following six /proc settings are all nested in one for loop 
# because they are in the same directory: 
# 
# * Enable IP spoofing protection (source address verification).
# By default, routers route everything, even packets which 'obviously' don't 
# belong on your network. A common example is private IP space escaping onto 
# the internet. If you have an interface with a route of 195.96.96.0/24 to it, 
# you do not expect packets from 212.64.94.1 to arrive there. 
# Lots of people will want to turn this feature off, so the kernel hackers 
# have made it easy. There are files in /proc where you can tell 
# the kernel to do this for you. The method is called "Reverse Path 
# Filtering". Basically, if the reply to this packet wouldn't go out the 
# interface this packet came in, then this is a bogus packet and should be ignored. 
# /proc/sys/net/ipv4/conf/*/rp_filter 
# 
# * Disable ICMP Redirect Acceptance in 
#   /proc/sys/net/ipv4/conf/*/accept_redirects and 
#   /proc/sys/net/ipv4/conf/*/send_redirects 
# 
# * Disable Source Routed Packets in 
#   /proc/sys/net/ipv4/conf/*/accept_source_route 
# 
# * Log Spoofed Packets, Source Routed Packets, Redirect Packets in 
#   /proc/sys/net/ipv4/conf/*/log_martians 
# 
# * Enable ICMP redirect security so that only redirect messages originating 
#   from gateways listed in the default gateway list are accepted in 
#   /proc/sys/net/ipv4/conf/*/secure_redirects 
 
# Walk the per-interface directories (including "all" and "default") with a
# glob rather than by parsing ls output.
for device in /proc/sys/net/ipv4/conf/*
do
    # 1 = strict reverse-path check, which is what the comment above describes.
    # Kernels before 2.6.31 treat any nonzero value as "on"; from 2.6.31 on a
    # value of 2 selects the weaker "loose" mode instead, so write 1 explicitly.
    echo "1" > $device/rp_filter
    echo "0" > $device/accept_redirects
    echo "0" > $device/send_redirects
    echo "1" > $device/secure_redirects
    echo "0" > $device/accept_source_route
    echo "1" > $device/log_martians
done
 
# Enable TCP SYN Cookie protection in /proc/sys/net/ipv4/tcp_syncookies 
echo "1" > /proc/sys/net/ipv4/tcp_syncookies 
 
# Change the initial TTL of outgoing packets. This does NOT stop OS
# fingerprinting: the initial TTL is one weak signal among many (TCP option
# order, window size, ICMP quirks, ...), so at most a TTL-only guess will
# misread Linux (64) as something else. 61 still leaves plenty of hops for
# normal paths; leave the default alone unless you have a reason to change it.
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
 
# Increase the maximum number of open file handles system-wide. 16384 is a
# sensible raise over the 2.2 default, but later kernels derive a much larger
# default from available RAM, so only write it when it is actually an increase.
cur=$(cat /proc/sys/fs/file-max)
[ "$cur" -lt 16384 ] && echo "16384" > /proc/sys/fs/file-max

# Increase the maximum number of inodes the system can allocate; the usual
# recommendation was four times file-max. The file exists only on 2.2 kernels
# (2.4 sizes the inode cache dynamically), so skip the write when it is absent.
[ -w /proc/sys/fs/inode-max ] && echo "65535" > /proc/sys/fs/inode-max
 
# Maximal number of remembered connection requests which have not yet received
# an acknowledgement from the connecting client. Default value is 1024 for
# systems with more than 128Mb of memory and 128 for low-memory machines.
# 256 is below the large-memory default: once the backlog fills, the SYN
# cookies enabled above take over, so a smaller backlog means cookies kick in
# sooner under a SYN flood, at the cost that connections completed with a
# cookie may lose TCP options such as SACK and window scaling.
echo "256" > /proc/sys/net/ipv4/tcp_max_syn_backlog

# Number of SYN retransmissions the kernel sends before giving up on a new
# outgoing connection (default was 10 on 2.2; later kernels default to 5).
echo "5" > /proc/sys/net/ipv4/tcp_syn_retries
 
# Seconds a discovered path MTU stays cached before it is re-probed
# (kernel default is 600).
echo "512" > /proc/sys/net/ipv4/route/mtu_expires
 
# Seconds a connection may sit idle before the first TCP keepalive probe is
# sent, default 7200 (2 hours). Only affects sockets that set SO_KEEPALIVE.
echo "7600" > /proc/sys/net/ipv4/tcp_keepalive_time
 
# Minimum spacing (in jiffies) between ICMP echo replies sent to any one
# destination, which helps slow down ping floods. This file exists only on 2.2
# kernels; 2.4 and later replaced the per-type icmp_*_rate files with
# icmp_ratelimit and icmp_ratemask, so skip the write when it is absent.
[ -w /proc/sys/net/ipv4/icmp_echoreply_rate ] && echo "10" > /proc/sys/net/ipv4/icmp_echoreply_rate
 
# Time to hold a socket in state FIN-WAIT-2 if it was closed by our side. The
# peer can be broken and never close its side, or even have died unexpectedly.
# Default value is 60 sec. The usual value used in 2.2 was 180 seconds; you may
# restore it, but remember that even an underloaded web server then risks
# filling memory with kilotons of dead sockets. FIN-WAIT-2 sockets are less
# dangerous than FIN-WAIT-1 because they eat at most 1.5K of memory, but they
# tend to live longer. Cf. tcp_max_orphans. Left commented out: the 60 second
# default is the safer choice.
# echo "360" > /proc/sys/net/ipv4/tcp_fin_timeout
 
# This enables a fix for 'time-wait assassination hazards in tcp', described 
# in RFC 1337. If enabled, this causes the kernel to drop RST packets for 
# sockets in the time-wait state. 
 
echo "1" > /proc/sys/net/ipv4/tcp_rfc1337 
 
# Set this to 1 to disable Path MTU discovery, the technique for determining
# the largest Maximum Transfer Unit usable on a path. 0 (discovery enabled) is
# the default and what we want; disabling it means fragmentation or black-holed
# large packets.
echo "0" > /proc/sys/net/ipv4/ip_no_pmtu_disc
 
# If a router decides that you are using it for the wrong purpose (i.e. it needs
# to resend your packet on the same interface), it sends us an ICMP Redirect.
# Honouring redirects lets anyone on the local segment rewrite our routes, so
# turn them off, or use secure redirects. The "all" entry was already covered
# by the loop above; this explicit write is kept as a belt-and-braces measure.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Reboot automatically 600 seconds after a kernel panic, and turn an oops into
# a panic so that the same timeout applies to oopses. panic_on_oops is a
# boolean (0/1): the original wrote 600 to it, which only worked because any
# nonzero value counts as "on".
echo 600 >  /proc/sys/kernel/panic
echo 1 >  /proc/sys/kernel/panic_on_oops
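The script writes its values but never reads them back. As an added example (not part of the page's script), the following POSIX sh audit reads the current value of each setting the script cares about and reports it as ok, MISMATCH, or absent (the file is version-specific and not present on this kernel); it can also print the same table in /etc/sysctl.conf syntax, the persistent form the header note mentions. The table of keys and the PROC_SYS_ROOT variable are assumptions introduced here; rp_filter is listed as 1 (strict mode, which is what the loop's comment describes and what any nonzero value means on kernels before 2.6.31) and panic_on_oops as 1, since that file is a boolean.

```sh
#!/bin/sh
# Added example, not part of the setproc script above: audit a kernel against
# the values the script writes, without writing anything itself.
# PROC_SYS_ROOT (assumed variable, default /proc/sys) lets the audit be pointed
# at a copied or constructed tree, e.g. for testing on a non-Linux box.
PROC_SYS_ROOT="${PROC_SYS_ROOT:-/proc/sys}"

# Constructed table of "sysctl.key value" pairs. The dotted key is what
# /etc/sysctl.conf and sysctl(8) accept; the /proc path is the same thing with
# the dots turned into slashes. (Interface names that themselves contain dots,
# such as VLAN subinterfaces, are written with "/" in sysctl.conf; this simple
# mapping does not handle them.)
SETTINGS='net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.secure_redirects 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.log_martians 1
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_rfc1337 1
kernel.panic 600
kernel.panic_on_oops 1'

# proc_path KEY: print the /proc file behind a dotted sysctl key, e.g.
# net.ipv4.conf.all.rp_filter -> $PROC_SYS_ROOT/net/ipv4/conf/all/rp_filter
proc_path() {
    printf '%s/%s\n' "$PROC_SYS_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# check_setting KEY EXPECTED
# returns 0 if the live value matches, 1 if it differs (live value left in
# $cur), 2 if the file does not exist on this kernel (version-specific knobs).
check_setting() {
    f=$(proc_path "$1")
    [ -r "$f" ] || return 2
    cur=$(cat "$f")
    [ "$cur" = "$2" ]
}

# audit: one report line per setting; returns the number of mismatches.
# Absent files are reported but not counted, since they merely mean this
# kernel does not have that knob.
audit() {
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        rc=0
        check_setting "$key" "$want" || rc=$?
        case $rc in
            0) printf 'ok       %s = %s\n' "$key" "$want" ;;
            2) printf 'absent   %s (no such file on this kernel)\n' "$key" ;;
            *) printf 'MISMATCH %s is %s, want %s\n' "$key" "$cur" "$want"
               bad=$((bad + 1)) ;;
        esac
    done <<EOF
$SETTINGS
EOF
    return "$bad"
}

# emit_sysctl_conf: the same table in /etc/sysctl.conf syntax, for the
# "saner" persistent setup the script header refers to.
emit_sysctl_conf() {
    printf '%s\n' "$SETTINGS" | awk 'NF == 2 { print $1 " = " $2 }'
}

# Usage: sh audit.sh audit   (exit status = number of mismatches)
#        sh audit.sh conf    (print a sysctl.conf fragment to feed sysctl -p)
case "${1:-}" in
    audit) audit ;;
    conf)  emit_sysctl_conf ;;
esac
```

Run it as `sh audit.sh audit` after boot to confirm the values actually stuck (a nonzero exit status is the mismatch count, which makes it easy to wire into a cron job or a monitoring check), or `sh audit.sh conf >> /etc/sysctl.conf` to move the same policy to the persistent form.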


-- ChristopherMitchell - 06 Jun 2002