#!/bin/bash
###############################################################################
# spender's linux sysctl net config script...                                 #
# (c) spender 2000                                                            #
# greets to tekneeq, rag, boda;) (gotcha this time), sys-edit, bansh33...     #
# and any whom i've forgotten                                                 #
############################################################################### 
# Ok..my second public doc.  Another not frequently commented on topic,       #
# sysctl support under linux. It controls certain variables and configurations#
# for the kernel and can thus have a great effect on the system.  While       #
# perusing thru some of these configurations, i found them to be very weak    #
# security-wise, most likely because a default install(in linux anyway) is    #
# supposed to be functional, and not restrictive.  Getting past this, you     #
# can edit these variables and achieve great effects on your system.  Blocking#
# pings, helping stop the effects of smurf attacks...stop certain kinds of    #
# icmp attacks and reduce the effectiveness of syn floods.  Since many of     #
# these options are RARELY commented on, i think i'll take the time to do that#
# now, even tho it's 9:30 and time for me to go to sleep;)  ok...there's an   #
# undocumented feature in the kernel called tcp_max_syn_backlog...basically   #
# this is a queue for syn packets...this "log" keeps track of these packets,  #
# and when it is filled up, then syncookies are activated on the system.      #
# THEREFORE, for those of you who still are being afflicted by syn floods,    #
# wondering why your syncookies aren't kicking in, it's because the packets   #
# are being sent a few at a time from random addresses.  Lowering the size of #
# the syn backlog will in turn shorten the time it takes for syncookies to    #
# kick in, which help greatly in slowing the effects of syn floods.  in       #
# addition to this, setting the syn_retries option to a lower value will      #
# also lower the amount of syn packets each spoofed address can send,         #
# which ends up slowing down the synflood...changing this option also does    #
# not harm normal traffic to the system.  Lowering the amount of time a       #
# fragmented packet stays in memory should also reduce the effects of         #
# fragmented packet attacks.....all the options below i have set to what      #
# i believe to be the "optimal" setting.  it should work fine for the         #
# average joe user who wants to beef up his network protection.  In addition  #
# to this, another rarely talked about option is implemented (tho it is       #
# used to some extent in bastille) called rp_filter.  setting this option     #
# to "2" sets up the system to use source validation by reversed path,        #
# lessening the effects of spoofed attacks..the value used in this script     #
# works better than that used in bastille, actually.  bastille uses "1" for   #
# compatibility purposes i'm guessing, however a value of "2" should work     #
# for most users out there....if it doesn't, just change it to "1".           #
# also enabled an option that logs invalid ip addresses.  using these         #
# options in addition to a secure firewall (as outlined in my previous        #
# document), you should have a pretty secure system network-wise.  anywayz... #
# i hope i've shed some light on the power of sysctl under linux..and its     #
# ability to enhance network protection...additional documentation on the     #
# network portion of sysctl can be found on your system under your kernel     #
# source path, under the path Documentation/networking.  The file is called   #
# ip-sysctl.txt.  if you have any questions, you can mail me at               #
# spender@exterminator.net.  have phun!                                       #
#                                                                             #
###############################################################################
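# Everything below writes kernel tunables under /proc/sys/net/ipv4, so it has
# to run as root.  Every knob goes through set_knob, which skips (with a
# warning on stderr) any file the running kernel does not provide instead of
# spraying bash "No such file" errors or, worse, silently doing nothing.
set -u

#######################################
# Write one value to a sysctl file, if that file exists.
# Arguments: $1 - path of the /proc/sys file
#            $2 - value to write
# Outputs:   warning on stderr when the file is missing or the write fails
# Returns:   0 on success or when the file is absent, 1 when the write fails
#######################################
set_knob() {
  local path=$1
  local value=$2
  if [ ! -f "$path" ]; then
    printf 'warning: %s not present on this kernel, skipped\n' "$path" >&2
    return 0
  fi
  # printf rather than echo so a value is never mistaken for an echo option
  if ! printf '%s\n' "$value" > "$path"; then
    printf 'warning: could not write %s to %s\n' "$value" "$path" >&2
    return 1
  fi
  return 0
}

# Without this check a failed cd would make every relative write below land
# in whatever the current directory happens to be.
cd /proc/sys/net/ipv4 || {
  printf 'error: cannot cd to /proc/sys/net/ipv4 (is /proc mounted?)\n' >&2
  exit 1
}
echo "Reconfiguring network..."

# ICMP.  The per-type *_rate knobs are how 2.2-era kernels rate-limit ICMP
# (max packets of that type accepted per 1/100 s); later kernels may not have
# them, in which case set_knob just skips them.
set_knob ./icmp_destunreach_rate 1             # dest unreachable (type 3)
set_knob ./icmp_echo_ignore_broadcasts 1       # ignore pings sent to broadcast addrs (smurf)
set_knob ./icmp_echoreply_rate 1               # max pings answered per 1/100 s
set_knob ./icmp_echo_ignore_all 1              # answer no pings at all
set_knob ./icmp_ignore_bogus_error_responses 1 # ignore malformed icmp error packets
set_knob ./icmp_paramprob_rate 1               # parameter problem packets
set_knob ./icmp_timeexceed_rate 1              # time exceeded packets
# NB: this must read "set_knob ... 1", i.e. value 1.  The old form "echo 1>"
# is a redirection of fd 1, which writes an empty line and never sets the value.
set_knob ./igmp_max_memberships 1              # max multicast groups a socket may join

# IP layer
set_knob ./ip_always_defrag 0                  # don't defragment every packet (2.2-era knob)
set_knob ./ip_default_ttl 64                   # default time to live of 64 hops
set_knob ./ip_forward 0                        # this host is not a router
set_knob ./ipfrag_time 15                      # drop incomplete fragments after 15 secs

# TCP SYN handling -- see the header for why the backlog is kept deliberately
# small (syncookies kick in as soon as it overflows).
set_knob ./tcp_max_syn_backlog 64              # max remembered half-open connections (a count, not kB)
set_knob ./tcp_syncookies 1                    # send syncookies once the backlog overflows
set_knob ./tcp_syn_retries 3                   # max retransmits of the initial SYN for connections
                                               # this host opens (tcp_synack_retries governs the passive side)
set_knob ./tcp_retries1 3                      # retransmits before reporting trouble to the network layer
set_knob ./tcp_retries2 7                      # retransmits before giving up on a live connection

# Per-interface settings: conf/all, conf/default and every real interface.
for iface in /proc/sys/net/ipv4/conf/*; do
  # NOTE(review): the header documents 2 as strict reverse-path validation,
  # which matches 2.2-era ip-sysctl.txt; on current kernels 1 is the strict
  # mode and 2 is loose mode -- confirm against the running kernel's
  # Documentation/networking/ip-sysctl.txt before relying on this value.
  set_knob "$iface/rp_filter" 2            # source validation by reversed path
  # The knob is accept_redirects (plural); the singular spelling never exists,
  # so guarding it with -f silently skipped this setting.
  set_knob "$iface/accept_redirects" 0     # don't accept icmp redirects
  set_knob "$iface/accept_source_route" 0  # don't accept source-routed packets
  set_knob "$iface/bootp_relay" 0          # don't relay bootp
  set_knob "$iface/log_martians" 1         # log impossible source addrs to the kernel logger
  # No redirects even from our gateway: routers can be configured not to send
  # them, and redirect packets can be spoofed.
  set_knob "$iface/secure_redirects" 0
  set_knob "$iface/send_redirects" 0       # don't send icmp redirects
  set_knob "$iface/proxy_arp" 0            # don't proxy arp
done
echo "Reconfiguration completed."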