Sunday, November 28, 2004

Some Net/FreeBSD/Linux Redhat Kernel Tuning Variables

... As I remember it, there is no way I can say "this solves all problems!" with certainty. But I believe that every OS has its own way and can be secured if the admin does his best.

You may have heard many times that somebody tells you: "Forget Windows and go to Linux." I don't believe that at all. I believe that Windows may be less secure than Linux, but both Windows and Linux can be and may be harmful if you don't know what to do after installation and how to tune it up. One thing that makes Windows look so bad is its networking architecture, such as Domain Controllers, NetBT, ... plus its popularity with home users and so many server-side applications such as AAA. On the Internet side, I believe both Windows and Linux have vulnerabilities, and what interests hackers most about Windows is the private network and using Windows platforms as a bridge to their target. I don't want to talk about operating systems or compare them and so on; I just want to dump some methods that I'm using myself on FreeBSD, many of which work on NetBSD too. About Windows I wrote before and will write more.
Unix-based operating systems have a useful method for tuning and securing the kernel called "sysctl", whose config file is /etc/sysctl.conf; you may also use sysctl from the shell command prompt.
There are many variables that can be changed for many reasons, such as tuning the file system, networking, ... using "sysctl".
Note that if you are using Samba in your network, read some notes at http://www.dd.iij4u.or.jp/~okuyamak/Documents/tuning.english.html before tuning the TCP variables.
Then add these lines to /etc/sysctl.conf:
kern.ipc.somaxconn=32768
kern.ipc.maxsockbuf=67108864
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.tcp.rfc1323=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
net.inet.ip.portrange.last=20000
net.inet.ip.portrange.hifirst=40000
net.inet.tcp.msl=1000
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
net.link.ether.inet.max_age=1200
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.tcp.inflight_enable=1
kern.polling.enable=1
and, in /boot/loader.conf.local:
kern.ipc.nmbclusters="65536"
These are some networking variables such as socket buffers, TCP/UDP buffers and max open files (useful for web/cache servers), plus some anti-hack, anti-flooding and anti-spoofing settings, ...
For Linux, add these lines to /etc/rc.local.
I comment each line so I know the reason why I did it.
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
These are not all of what I do, but the most popular ones. Depending on the tasks and services your server has, add other kernel tuning variables.
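As an added example that is not part of the original post, here is a small POSIX sh audit that reads the same seven Linux keys back from /proc/sys and reports any that have drifted from the values set above, which is useful for confirming that rc.local actually took effect after a reboot or that nothing has reset them since. The names check_hardening, make_sample_tree and HARDENING_EXPECTED are my own, and the sample tree is constructed data rather than a real host.

```shell
#!/bin/sh
# Added audit helper, not from the original post: compare the Linux hardening settings
# listed above with a /proc/sys tree (default) or any directory with the same layout.
# check_hardening [ROOT] prints OK/DRIFT/MISSING per key; its exit status is the problem count.
# key=expected, one per line; keys and values are the ones the post sets from rc.local
HARDENING_EXPECTED='net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/conf/all/accept_source_route=0
net/ipv4/tcp_syncookies=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/log_martians=1'

check_hardening() {
    root="${1:-/proc/sys}"
    bad=0
    oldifs="$IFS"; IFS='
'   # split the expected list on newlines only
    for entry in $HARDENING_EXPECTED; do
        key="${entry%%=*}"
        want="${entry#*=}"
        name=$(printf '%s' "$key" | tr / .)   # dotted form, as sysctl(8) shows it
        if [ ! -r "$root/$key" ]; then
            printf 'MISSING %s (expected %s)\n' "$name" "$want"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$root/$key")
        if [ "$have" = "$want" ]; then
            printf 'OK      %s = %s\n' "$name" "$have"
        else
            printf 'DRIFT   %s = %s (expected %s)\n' "$name" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    IFS="$oldifs"
    return "$bad"
}

# Constructed sample tree (not a real host): rp_filter left at 0, log_martians missing -> 2 problems
make_sample_tree() {
    mkdir -p "$1/net/ipv4/conf/all"
    echo 1 > "$1/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 0 > "$1/net/ipv4/conf/all/accept_source_route"
    echo 1 > "$1/net/ipv4/tcp_syncookies"
    echo 0 > "$1/net/ipv4/conf/all/accept_redirects"
    echo 0 > "$1/net/ipv4/conf/all/send_redirects"
    echo 0 > "$1/net/ipv4/conf/all/rp_filter"
}
```

Call check_hardening with no argument on a live box to audit /proc/sys; a non-zero exit status means at least one key is missing or has drifted.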
