Sysctl

Revision as of 14:32, 22 October 2010


sysctl is a tool for examining and changing kernel parameters at runtime. It is built on procfs, the virtual process file system mounted at /proc: every tunable parameter is a file under /proc/sys, and sysctl simply reads and writes those files.

Configuration

The sysctl preload/configuration file is located at /etc/sysctl.conf. It is applied at boot and can be reloaded at any time with sysctl -p.


The parameters available are those listed under /proc/sys. For example, the kernel.sysrq parameter refers to the file /proc/sys/kernel/sysrq on the file system: each dot in the key name is a directory separator. The sysctl -a command displays every parameter together with its current value.

Settings can be changed either by writing to the file directly or with the sysctl utility. Both take effect immediately and last only until the next reboot. For example, to temporarily enable the magic SysRq key:

# sysctl kernel.sysrq=1

or:

# echo "1" > /proc/sys/kernel/sysrq

To preserve a change across reboots, add or modify the appropriate line in /etc/sysctl.conf (for the example above, kernel.sysrq = 1) and reload the file with sysctl -p to confirm it parses and applies cleanly.

Networking

Improving Performance

TCP/IP stack hardening

The settings below are intended for a host that does not route traffic. Keys under net.ipv4.conf.all apply to every interface that exists when the file is applied, net.ipv4.conf.default to interfaces created afterwards, and net.ipv4.conf.<interface> to a single interface. How the all and per-interface values combine is key-specific and documented in Documentation/networking/ip-sysctl.txt in the kernel tree: rp_filter uses the higher of the two, while for accept_redirects on a non-forwarding host they are ORed, so an interface that came up before /etc/sysctl.conf was applied keeps accepting redirects until its own net.ipv4.conf.<interface>.accept_redirects is cleared as well. Check the effective values with sysctl net.ipv4.conf.

#### ipv4 networking ####

## TCP SYN cookie protection
## helps protect against SYN flood attacks
net.ipv4.tcp_syncookies = 1

## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1

## tcp timestamps (RFC 1323)
## + protect against wrapped sequence numbers (PAWS), needed at gigabit speeds
## + better round-trip time estimation for TCP
## - small per-packet overhead, and lets scanners such as nmap estimate uptime
## disabled here; use the commented line instead on gigabit links
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1

## source address verification (reverse path filtering, RFC 3704)
## helps protect against spoofing attacks; 1 is strict mode, which drops
## legitimate traffic on multi-homed hosts with asymmetric routing (use 2, loose mode, there)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

## packet forwarding (not a router, disable it)
net.ipv4.ip_forward = 0

## per-interface forwarding (not a router, disable it)
## mc_forwarding is a read-only value (a multicast routing daemon sets it),
## so writing it fails and those two lines can be dropped
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0

## log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

## ignore echo broadcast requests to prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1

## optionally, ignore all echo requests
#net.ipv4.icmp_echo_ignore_all = 1

## ignore bogus icmp errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

## IP source routing (insecure, disable it)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

## ICMP redirects: do not accept them (a host that is not a router has no
## reason to let peers rewrite its routes); secure_redirects only matters if
## accept_redirects is ever re-enabled, and then limits redirects to the default gateways
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
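The following audit script is an added example and is not part of the ArchWiki page or of the sysctl tool itself. It ties together the two halves of this article: the mapping from dotted keys to files under /proc/sys described under Configuration, and the hardening baseline above. It reads the running kernel's values straight from procfs and reports every key that drifts from a sysctl.conf-style fragment. The SYSCTL_ROOT variable, the function names, the --live and --conf flags and the embedded baseline are this example's own assumptions; pointing SYSCTL_ROOT at a copied or constructed /proc/sys tree lets it run anywhere.

```shell
#!/bin/sh
# Added example (not part of the ArchWiki page): audit a running kernel
# against a sysctl.conf-style baseline by reading the files under /proc/sys.
# SYSCTL_ROOT is an assumption of this script so the same code can be pointed
# at a copied or constructed /proc/sys tree.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Dotted key -> procfs path, e.g. net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies.
# Keys whose interface name itself contains a dot (VLAN device eth0.100) must be
# given in slash form (net/ipv4/conf/eth0.100/rp_filter), as sysctl(8) also allows.
sysctl_path() {
    case $1 in
        */*) printf '%s/%s\n' "$SYSCTL_ROOT" "$1" ;;
        *)   printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)" ;;
    esac
}

# Current value of a key with runs of whitespace collapsed (multi-value keys such
# as net.ipv4.tcp_rmem are tab separated); fails if the key does not exist.
sysctl_get() {
    path=$(sysctl_path "$1")
    [ -r "$path" ] || return 1
    sed 's/[[:space:]]\{1,\}/ /g' "$path"
}

# Normalise a sysctl.conf fragment on stdin to "key value" lines:
# comments and blank lines dropped, whitespace collapsed, '=' removed.
parse_baseline() {
    sed -e 's/#.*//' \
        -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' \
        -e '/^$/d' \
        -e 's/ *= */ /'
}

# Compare each baseline key (fragment on stdin) with the running value. Prints one
# line per key (OK, DRIFT with both values, or MISSING) and succeeds only if all match.
audit_sysctl() {
    baseline=$(parse_baseline)
    failures=0
    while read -r key want; do
        [ -n "$key" ] || continue
        if ! have=$(sysctl_get "$key"); then
            printf 'MISSING %s\n' "$key"
            failures=$((failures + 1))
        elif [ "$have" = "$want" ]; then
            printf 'OK      %s = %s\n' "$key" "$have"
        else
            printf 'DRIFT   %s = %s (expected %s)\n' "$key" "$have" "$want"
            failures=$((failures + 1))
        fi
    done <<EOF
$baseline
EOF
    [ "$failures" -eq 0 ]
}

# Baseline copied from the TCP/IP stack hardening section above (the subset of
# keys present on every IPv4-capable kernel); comments are accepted verbatim.
HARDENING_BASELINE='
## TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
'

audit_hardening() {
    printf '%s\n' "$HARDENING_BASELINE" | audit_sysctl
}

# Usage:  sh sysctl_audit.sh --live                  audit the kernel against the baseline above
#         sh sysctl_audit.sh --conf < /etc/sysctl.conf   check that the file's values are what the kernel runs
case ${1:-} in
    --live) audit_hardening; exit $? ;;
    --conf) audit_sysctl;    exit $? ;;
esac
```

Reading /proc/sys directly rather than parsing sysctl -a output keeps the check independent of the sysctl binary's formatting, and running it with --conf after every change to /etc/sysctl.conf catches the per-interface precedence problem described above (a key that is 0 in the file but still 1 on an interface shows up as DRIFT only if the interface key is listed, so add net.ipv4.conf.<interface>.accept_redirects lines for the interfaces you care about).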