#!/bin/sh 
# 
# setproc         This shell script takes care of setting some good basic  
#                 security measures by setting some variables in /proc 
#                 Some of these are enabled in the default install, but it  
#                 is good to make sure that they are being set on boot. 
# 
#                 Note: the file /etc/sysctl.conf could be used to do this 
#                       in a saner way, but this works in cases when sysctl 
#                       doesn't exist (some distributions) 
# 
#                 Note: the kernel is not compiled to do IP forwarding or 
#                       masquerading, so setting options such as 
#                       ip_forward and ip_masq_debug is not necessary (it 
#                       could be argued that rp_filter doesn't need to be 
#                       set either). 
#  
# For more information on these values, visit: 
# http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO-13.html 
# Micah Jan, 14 2001 
# Modified March 31 2002 for sarai -- micah 
 
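# Deliberately no 'set -e': every write below is best effort, because many
# of these /proc entries exist only on particular kernel versions.  Each
# problem is reported on stderr and summarised in the exit status instead.
set -u

# Reverse-path-filter mode written to every interface.  Older kernels treat
# any non-zero value as "on"; from 2.6.31 onward 1 is strict mode (the
# behaviour described in harden_interface) and 2 is loose mode.  Kept at the
# script's historical value of 2 -- use 1 if strict filtering is wanted.
rp_filter_mode=2

# Number of writes that failed for a reason other than the entry being
# absent.  Read by main() to decide the exit status.
failures=0

#######################################
# Write one value into a /proc entry, reporting problems instead of
# aborting.  An entry that does not exist on this kernel is skipped with a
# notice; a write that fails (read-only /proc, value rejected, ...) is
# counted in 'failures'.
# Globals:   failures (incremented on a failed write)
# Arguments: $1 - value to write
#            $2 - absolute path of the /proc entry
# Outputs:   diagnostics on stderr
# Returns:   0 on success, 1 if the entry is absent, 2 if the write failed
#######################################
set_proc() {
  if [ ! -e "$2" ]; then
    printf 'setproc: %s not present on this kernel, skipping\n' "$2" >&2
    return 1
  fi
  # printf rather than echo: the value can never be mistaken for an option.
  if printf '%s\n' "$1" > "$2"; then
    return 0
  fi
  printf 'setproc: could not write %s to %s\n' "$1" "$2" >&2
  failures=$((failures + 1))
  return 2
}

#######################################
# Apply the per-interface IPv4 settings to one /proc/sys/net/ipv4/conf/<dev>
# directory.  'all' and 'default' are directories there too, so the loop in
# main() covers them as well as every real interface.
# Globals:   rp_filter_mode (read)
# Arguments: $1 - conf directory, without trailing slash
# Outputs:   diagnostics on stderr (via set_proc)
#######################################
harden_interface() {
  # Reverse path filtering (IP spoofing protection).  Routers forward
  # everything by default, even packets that obviously do not belong on the
  # network they arrive from, e.g. private address space leaking onto the
  # internet.  With this enabled, a packet whose reply would not leave
  # through the interface it came in on is treated as bogus and dropped.
  set_proc "$rp_filter_mode" "$1/rp_filter"
  # Neither accept nor send ICMP redirects.  A router that believes we are
  # using it wrongly (it would have to resend our packet on the same
  # interface) sends a redirect; honouring arbitrary ones is a small risk.
  set_proc 0 "$1/accept_redirects"
  set_proc 0 "$1/send_redirects"
  # If redirects are ever accepted, only from gateways in the default
  # gateway list.
  set_proc 1 "$1/secure_redirects"
  # Drop source-routed packets.
  set_proc 0 "$1/accept_source_route"
  # Log spoofed, source-routed and redirect packets ("martians").
  set_proc 1 "$1/log_martians"
}

#######################################
# Apply every setting in turn.
# Globals:   failures (read)
# Outputs:   diagnostics on stderr
# Returns:   0 if every write succeeded, 1 otherwise
#######################################
main() {
  # Always reassemble fragments before they are inspected.
  set_proc 1 /proc/sys/net/ipv4/ip_always_defrag
  # Ignore pings to a broadcast address: every host on the network would
  # otherwise answer, which makes a handy denial-of-service amplifier.
  set_proc 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # Ignore ICMP errors from hosts that react badly to frames sent to what
  # they believe is the broadcast address.
  set_proc 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

  # Per-interface settings.  The glob replaces parsing 'ls' output, so
  # device names are never word-split; when nothing matches the pattern is
  # returned literally, which the -d test filters out.  Because 'all' is one
  # of the matched directories, no separate write to conf/all/accept_redirects
  # is needed.
  for conf_dir in /proc/sys/net/ipv4/conf/*/; do
    [ -d "$conf_dir" ] || continue
    harden_interface "${conf_dir%/}"
  done

  # SYN cookies keep the listen queue usable under a SYN flood.
  set_proc 1 /proc/sys/net/ipv4/tcp_syncookies
  # Non-default initial TTL.  The Linux default of 64 is one of the signals
  # an OS fingerprinting scan looks at; 61 muddies that one signal only and
  # should not be mistaken for making the stack unidentifiable.
  set_proc 61 /proc/sys/net/ipv4/ip_default_ttl

  # Kernel-wide file handle and inode limits.  NOTE(review): these are
  # 2002-era values; current kernels default file-max far higher and no
  # longer expose inode-max, so compare with the running value of
  # /proc/sys/fs/file-max before relying on them -- a lower limit only makes
  # "too many open files" easier to provoke.
  set_proc 16384 /proc/sys/fs/file-max
  # Generally recommended to be four times file-max.
  set_proc 65535 /proc/sys/fs/inode-max

  # Remembered connection requests that the connecting client has not yet
  # acknowledged.  Default 1024 with more than 128MB of memory, 128 on
  # low-memory machines.
  set_proc 256 /proc/sys/net/ipv4/tcp_max_syn_backlog
  # SYN packets sent before giving up on a new connection (default 10).
  set_proc 5 /proc/sys/net/ipv4/tcp_syn_retries
  # Seconds that cached path-MTU information is kept.
  set_proc 512 /proc/sys/net/ipv4/route/mtu_expires
  # Idle seconds before TCP starts sending keepalive probes (default 7200,
  # two hours).
  set_proc 7600 /proc/sys/net/ipv4/tcp_keepalive_time
  # Rate limit on echo replies to any one destination; slows ping floods.
  set_proc 10 /proc/sys/net/ipv4/icmp_echoreply_rate

  # tcp_fin_timeout: seconds a socket closed by our side stays in FIN-WAIT-2
  # waiting for a peer that may be broken or gone.  Default 60; 2.2 used 180.
  # Left at the default on purpose: on even a lightly loaded web server a
  # longer timeout risks filling memory with dead sockets (FIN-WAIT-2 ones
  # use at most about 1.5K each but live long).  Cf. tcp_max_orphans.
  # set_proc 360 /proc/sys/net/ipv4/tcp_fin_timeout

  # RFC 1337 "time-wait assassination hazards" fix: drop RST packets for
  # sockets in the time-wait state.
  set_proc 1 /proc/sys/net/ipv4/tcp_rfc1337
  # 0 keeps path MTU discovery enabled (the kernel default); 1 would turn
  # off probing for the largest usable MTU on a path.
  set_proc 0 /proc/sys/net/ipv4/ip_no_pmtu_disc

  # Reboot 600 seconds after a kernel panic, and turn an oops into a panic
  # so that the reboot actually happens instead of the machine limping on
  # in an undefined state.  panic_on_oops is a boolean; the old script wrote
  # 600 here, which the kernel only ever read as "non-zero".
  set_proc 600 /proc/sys/kernel/panic
  set_proc 1 /proc/sys/kernel/panic_on_oops

  if [ "$failures" -ne 0 ]; then
    printf 'setproc: %s setting(s) could not be applied\n' "$failures" >&2
    return 1
  fi
  return 0
}

# The script's exit status is main's: non-zero when any write failed.
main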


-- ChristopherMitchell - 06 Jun 2002