Differences



server-administration:hardening-tcpip-syn-flood [2010-06-28 15:20:21]
garrett.plasky created
server-administration:hardening-tcpip-syn-flood [2011-07-01 12:17:13] (current)
garrett.plasky Approved
Line 11: Line 11:
 The Linux kernel allows you to directly change the various parameters needed to mitigate against SYN flood attacks. We won't go into detail here about what each one does specifically,​ however if you are interested you can read about them in detail {{http://​www.frozentux.net/​ipsysctl-tutorial/​ipsysctl-tutorial.html#​AEN234|here}}. First, we'll set the variables to be active immediately:​ The Linux kernel allows you to directly change the various parameters needed to mitigate against SYN flood attacks. We won't go into detail here about what each one does specifically,​ however if you are interested you can read about them in detail {{http://​www.frozentux.net/​ipsysctl-tutorial/​ipsysctl-tutorial.html#​AEN234|here}}. First, we'll set the variables to be active immediately:​
  
-<code console>echo 1 > /​proc/​sys/​net/​ipv4/​tcp_syncookies +<sxh bash>echo 1 > /​proc/​sys/​net/​ipv4/​tcp_syncookies 
-echo 2048 > /​proc/​sys/​net/​ipv4/​tcp_max_syn_backlog +echo 2048 > /​proc/​sys/​net/​ipv4/​tcp_max_syn_backlog 
-echo 3 > /​proc/​sys/​net/​ipv4/​tcp_synack_retries</​code>+echo 3 > /​proc/​sys/​net/​ipv4/​tcp_synack_retries</​sxh>
  
 This sets the kernel to use the {{http://​cr.yp.to/​syncookies.html|SYN cookies mechanism}},​ use a backlog queue size of 2048 connections,​ and the amount of time to keep half-open connections in the queue (3 equates to roughly 45 seconds). This sets the kernel to use the {{http://​cr.yp.to/​syncookies.html|SYN cookies mechanism}},​ use a backlog queue size of 2048 connections,​ and the amount of time to keep half-open connections in the queue (3 equates to roughly 45 seconds).
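Review bot: the fence introduced here is tagged `<sxh bash>` while the sysctl.conf block in the next hunk is tagged `<sxh shell>`; pick one tag for the command block (`bash` fits, since these lines are typed into a root shell) so the two blocks are tagged consistently. Since the persistent block further down uses the `net.ipv4.*` key names, consider applying the three settings here with `sysctl -w net.ipv4.tcp_syncookies=1`, `sysctl -w net.ipv4.tcp_max_syn_backlog=2048` and `sysctl -w net.ipv4.tcp_synack_retries=3`, which keeps the immediate and the persistent blocks in lockstep and mentions that root is required. The unchanged sentence "3 equates to roughly 45 seconds" also deserves a stated assumption: three SYN-ACK retransmissions add up to 45 s (3 + 6 + 12 + 24) only with the 3 s initial retransmission timeout of kernels of that era; from Linux 3.1 onward the initial RTO is 1 s, so the same setting drops a half-open connection after about 15 s.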
Line 21: Line 21:
 To make these changes persist over consecutive reboots, we need to tell the sysctl system about these modified parameters. We use the <​c>/​etc/​sysctl.conf</​c>​ file to do so. We will add the following lines to the bottom of the file: To make these changes persist over consecutive reboots, we need to tell the sysctl system about these modified parameters. We use the <​c>/​etc/​sysctl.conf</​c>​ file to do so. We will add the following lines to the bottom of the file:
  
-<code># TCP SYN Flood Protection+<sxh shell># TCP SYN Flood Protection
 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_syncookies = 1
 net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_max_syn_backlog = 2048
-net.ipv4.tcp_synack_retries = 3</code>+net.ipv4.tcp_synack_retries = 3</sxh>
  
 Your changes will now be permanent! Your changes will now be permanent!
 {{tag>​guide shell security}} {{tag>​guide shell security}}
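Review bot: the block this hunk re-tags as `<sxh shell>` is a /etc/sysctl.conf fragment (key = value lines), not shell, so the tag is misleading and inconsistent with the `<sxh bash>` used for the command block above; a plain-text tag (`<sxh plain>`) or the same tag as the first block would be better. More importantly, "Your changes will now be permanent!" skips the step that validates the edit: after appending the three lines, run `sysctl -p` so the file is parsed immediately and a typo in a key name is reported now rather than after the next reboot, then confirm the live values with `sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_synack_retries`. It would also help to note that `tcp_max_syn_backlog` is only one ceiling on the SYN queue: the backlog the application passes to listen(), itself capped by `net.core.somaxconn`, also limits how many half-open connections a socket can hold, so raising this value alone may not enlarge the queue for a given service.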