Linux Security Guide
Published: 2015-02-24 Author: Anonymous
17. Kernel Hardening
sysctl.conf is used to harden the kernel; the aim is to mitigate DoS and spoofing attacks.
Method:
First get an overview of the current settings by looking in the /proc/sys directory or running sysctl -a.
Then edit the file with vi /etc/sysctl.conf
and add the following:
# Kernel sysctl configuration file for Red Hat Linux
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

# Disables packet forwarding
net.ipv4.ip_forward = 0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Modify system limits for Ensim WEBppliance
fs.file-max = 65000

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456

# Improve file system performance
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2

# Improve virtual memory performance
vm.buffermem = 90 10 60

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the maximum total TCP buffer-space allocatable
net.ipv4.tcp_mem = 57344 57344 65536

# Increase the maximum TCP write-buffer-space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288

# Increase the maximum TCP read-buffer space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864

# Increase the maximum and default receive socket buffer size
net.core.rmem_max = 524280
net.core.rmem_default = 524280

# Increase the maximum and default send socket buffer size
net.core.wmem_max = 524280
net.core.wmem_default = 524280

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344

# Increase the maximum number of skb-heads to be cached
net.core.hot_list_length = 1024

## DO NOT REMOVE THE FOLLOWING LINE!
## nsobuild:20051206
The settings take effect after a reboot; to load them into the running kernel right away and flush the routing cache, run:
/sbin/sysctl -p
sysctl -w net.ipv4.route.flush=1
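Once a baseline like the one above is in place, the practical question is whether the running kernel still matches it, and whether sysctl -p will even accept every line. The script below is an added example written for this page, not code from the article: it parses sysctl.conf-formatted text (comments, blank lines, multi-value settings such as net.ipv4.tcp_mem, the optional leading "-" and the "/" key separator that sysctl(8) accepts), applies sysctl's last-wins rule when a key appears twice (as net.ipv4.tcp_max_syn_backlog does above, first 2048 and then 1024), and compares each key with the value under /proc/sys. Keys the kernel does not expose are reported separately, because sysctl -p errors on them: per-interface keys such as net.ipv4.conf.eth0.* fail on a host whose interface is not named eth0, and vm.bdflush, vm.buffermem and net.core.hot_list_length date from 2.4-era kernels and no longer exist. SAMPLE_CONF and SAMPLE_LIVE are constructed inputs so the example runs offline; passing read_live_value instead audits the real kernel.

```python
"""Audit a sysctl.conf hardening baseline against the kernel's running values.

Added example (not from the article). Parses sysctl.conf syntax, applies the
last-wins rule for repeated keys, and reports drift, keys the running kernel
does not expose, and duplicated keys.
"""
import os
from dataclasses import dataclass, field

PROC_SYS = "/proc/sys"  # sysctl keys map to paths below this directory


def canonical(value):
    """Collapse whitespace so '57344\t57344\t65536' (as /proc/sys prints it)
    compares equal to '57344 57344 65536' (as written in sysctl.conf)."""
    return None if value is None else " ".join(value.split())


def parse_sysctl_conf(text):
    """Return (settings, duplicates) for sysctl.conf-formatted text.

    Later assignments win, because sysctl -p applies lines in file order.
    duplicates maps each repeated key to every value it was given.
    """
    settings, seen = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # comment, blank, or malformed line (sysctl warns and skips)
        key, value = line.split("=", 1)
        # A leading '-' tells sysctl to ignore errors for the key; '/' is an
        # accepted alternative to '.' as the separator. Normalise both.
        key = key.strip().lstrip("-").replace("/", ".")
        value = canonical(value)
        seen.setdefault(key, []).append(value)
        settings[key] = value
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return settings, duplicates


def read_live_value(key):
    """Current value from /proc/sys, or None if the kernel does not expose the key."""
    path = os.path.join(PROC_SYS, *key.split("."))
    try:
        with open(path) as fh:
            return canonical(fh.read())
    except OSError:
        return None


@dataclass
class AuditResult:
    drift: dict = field(default_factory=dict)       # key -> (expected, actual)
    missing: list = field(default_factory=list)     # keys absent from the running kernel
    duplicates: dict = field(default_factory=dict)  # key -> [values in file order]

    def ok(self):
        return not self.drift and not self.missing


def audit_conf(text, live_lookup=read_live_value):
    """Compare every key in the baseline text with live_lookup(key)."""
    settings, duplicates = parse_sysctl_conf(text)
    result = AuditResult(duplicates=duplicates)
    for key, expected in settings.items():
        actual = canonical(live_lookup(key))
        if actual is None:
            result.missing.append(key)
        elif actual != expected:
            result.drift[key] = (expected, actual)
    return result


# Constructed baseline excerpt (values chosen for the demonstration, not a real host's file).
SAMPLE_CONF = """\
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_mem = 57344 57344 65536
kernel.sysrq = 0
"""

# Constructed snapshot standing in for /proc/sys on a host that has no eth0 interface.
SAMPLE_LIVE = {
    "net.ipv4.ip_forward": "1\n",                 # drift: forwarding is on
    "net.ipv4.tcp_syncookies": "1\n",
    "net.ipv4.conf.all.accept_redirects": "0\n",
    "net.ipv4.tcp_max_syn_backlog": "1024\n",     # matches the last (winning) baseline line
    "net.ipv4.tcp_mem": "57344\t57344\t65536\n",  # tab-separated, as the kernel prints it
    "kernel.sysrq": "16\n",                       # drift: sysrq partially enabled
}


def report(result):
    """Human-readable summary of an AuditResult."""
    lines = [f"DRIFT     {k}: expected {e!r}, running {a!r}" for k, (e, a) in result.drift.items()]
    lines += [f"MISSING   {k}: not exposed by this kernel (sysctl -p will error)" for k in result.missing]
    lines += [f"DUPLICATE {k}: {v} (last value wins)" for k, v in result.duplicates.items()]
    return "\n".join(lines) or "baseline matches running kernel"


if __name__ == "__main__":
    # Demonstration against the constructed snapshot; use read_live_value
    # (the default) to audit the real kernel through /proc/sys.
    print(report(audit_conf(SAMPLE_CONF, SAMPLE_LIVE.get)))
```

Run it as root or not: /proc/sys values are world-readable, so the audit needs no privilege, which makes it suitable for a cron job or a configuration-management check that alerts when a hardening value has been changed at runtime.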
Keywords: linux, security configuration, security
