Differences

This shows you the differences between two versions of the page.


server-administration:hardening-tcpip-syn-flood [2010-06-28 22:20:21]
garrett.plasky created
server-administration:hardening-tcpip-syn-flood [2011-07-01 19:17:13] (current)
garrett.plasky Approved
Line 11: Line 11:
 The Linux kernel allows you to directly change the various parameters needed to mitigate against SYN flood attacks. We won't go into detail here about what each one does specifically, however if you are interested you can read about them in detail {{http://www.frozentux.net/ipsysctl-tutorial/ipsysctl-tutorial.html#AEN234|here}}. First, we'll set the variables to be active immediately: The Linux kernel allows you to directly change the various parameters needed to mitigate against SYN flood attacks. We won't go into detail here about what each one does specifically, however if you are interested you can read about them in detail {{http://www.frozentux.net/ipsysctl-tutorial/ipsysctl-tutorial.html#AEN234|here}}. First, we'll set the variables to be active immediately:
  
-<code console>echo 1 > /proc/sys/net/ipv4/tcp_syncookies +<sxh bash>echo 1 > /proc/sys/net/ipv4/tcp_syncookies 
-echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog +echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog 
-echo 3 > /proc/sys/net/ipv4/tcp_synack_retries</code>+echo 3 > /proc/sys/net/ipv4/tcp_synack_retries</sxh>
  
 This sets the kernel to use the {{http://cr.yp.to/syncookies.html|SYN cookies mechanism}}, use a backlog queue size of 2048 connections, and the amount of time to keep half-open connections in the queue (3 equates to roughly 45 seconds). This sets the kernel to use the {{http://cr.yp.to/syncookies.html|SYN cookies mechanism}}, use a backlog queue size of 2048 connections, and the amount of time to keep half-open connections in the queue (3 equates to roughly 45 seconds).
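Review bot: the timing claim at the end of this hunk ("3 equates to roughly 45 seconds") is wrong on both sides of the diff. The kernel retransmits a SYN-ACK with a 1 s initial timeout that doubles on each retry, so tcp_synack_retries = 3 retransmits at 1, 3 and 7 s and drops the half-open entry after about 15 s (the default of 5 gives about 63 s). Suggest "roughly 15 seconds". Two caveats belong in the same paragraph: tcp_max_syn_backlog only raises the ceiling, the SYN queue an individual socket gets is still derived from the backlog the application passes to listen() (capped by net.core.somaxconn), so a daemon listening with a backlog of 128 does not benefit from 2048 here; and SYN cookies are only emitted once that queue overflows, at which point connections completed via a cookie lose TCP options such as SACK and window scaling unless the client sends timestamps.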
Line 21: Line 21:
 To make these changes persist over consecutive reboots, we need to tell the sysctl system about these modified parameters. We use the <c>/etc/sysctl.conf</c> file to do so. We will add the following lines to the bottom of the file: To make these changes persist over consecutive reboots, we need to tell the sysctl system about these modified parameters. We use the <c>/etc/sysctl.conf</c> file to do so. We will add the following lines to the bottom of the file:
  
-<code># TCP SYN Flood Protection+<sxh shell># TCP SYN Flood Protection
 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_syncookies = 1
 net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_max_syn_backlog = 2048
-net.ipv4.tcp_synack_retries = 3</code>+net.ipv4.tcp_synack_retries = 3</sxh>
  
 Your changes will now be permanent! Your changes will now be permanent!
 {{tag>guide shell security}} {{tag>guide shell security}}
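Review bot: the new fence is `<sxh shell>` in this hunk but `<sxh bash>` in the first one; use the same language tag for both blocks. More importantly, the closing line ("Your changes will now be permanent!") glosses over how /etc/sysctl.conf is consumed: the file is only read at boot, so a typo in the three appended lines goes unnoticed until the next reboot, when the kernel silently falls back to its defaults. Suggest adding `sysctl -p` after the edit so the file is parsed immediately, followed by `sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_synack_retries` to read the values back.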
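The following audit script is an added example and is not part of the wiki page or its author's procedure. It renders the same sysctl fragment the page describes, checks a kernel's current values against it, and computes how long a half-open connection actually survives for a given tcp_synack_retries. The baseline values (1 / 2048 / 3), the fallback defaults used when /proc is not readable (1 / 128 / 5), the 60-syn-flood.conf file name and the APPLY_SYN_HARDENING switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit and render the SYN flood
# sysctl settings described above.  The checks operate on plain numbers so
# they run without root; applying only happens when explicitly requested.

# Hardened baseline (assumption: the values used on the page).
WANT_SYNCOOKIES=1
WANT_BACKLOG=2048
WANT_SYNACK_RETRIES=3

# Seconds a half-open connection stays in the SYN queue for a given
# tcp_synack_retries.  The kernel retransmits the SYN-ACK after 1 s and
# doubles the timeout on each retry (1, 3, 7, ... s cumulative), dropping the
# entry after 2^(retries+1) - 1 seconds: 3 -> 15 s, the default 5 -> 63 s.
synack_timeout_seconds() {
    retries=$1
    echo $(( (1 << (retries + 1)) - 1 ))
}

# Read a sysctl from /proc when it is readable, otherwise print the
# fallback given as $2 (e.g. inside a container that hides the sysctl).
read_sysctl() {
    key=$1; fallback=$2
    path=/proc/sys/$(echo "$key" | tr . /)
    if [ -r "$path" ]; then cat "$path"; else echo "$fallback"; fi
}

# Compare syncookies/backlog/retries against the baseline.  Prints one
# FAIL line per deviation and returns 0 only when all three pass.
check_syn_settings() {
    syncookies=$1; backlog=$2; retries=$3
    rc=0
    [ "$syncookies" -eq "$WANT_SYNCOOKIES" ] \
        || { echo "FAIL tcp_syncookies=$syncookies (want $WANT_SYNCOOKIES)"; rc=1; }
    [ "$backlog" -ge "$WANT_BACKLOG" ] \
        || { echo "FAIL tcp_max_syn_backlog=$backlog (want >= $WANT_BACKLOG)"; rc=1; }
    [ "$retries" -le "$WANT_SYNACK_RETRIES" ] \
        || { echo "FAIL tcp_synack_retries=$retries (want <= $WANT_SYNACK_RETRIES," \
                  "half-open entries live ~$(synack_timeout_seconds "$retries") s)"; rc=1; }
    return $rc
}

# The persistent fragment, identical to the lines the page appends to
# /etc/sysctl.conf; written to a drop-in file here so it can be reloaded alone.
render_sysctl_fragment() {
    cat <<EOF
# TCP SYN Flood Protection
net.ipv4.tcp_syncookies = $WANT_SYNCOOKIES
net.ipv4.tcp_max_syn_backlog = $WANT_BACKLOG
net.ipv4.tcp_synack_retries = $WANT_SYNACK_RETRIES
EOF
}

# Audit the running kernel (assumed stock defaults 1/128/5 as fallbacks).
audit_running_kernel() {
    check_syn_settings \
        "$(read_sysctl net.ipv4.tcp_syncookies 1)" \
        "$(read_sysctl net.ipv4.tcp_max_syn_backlog 128)" \
        "$(read_sysctl net.ipv4.tcp_synack_retries 5)"
}

# Apply only when asked for and running as root: write the drop-in, load it
# with sysctl -p (catches typos immediately instead of at next boot), re-audit.
if [ "${APPLY_SYN_HARDENING:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    render_sysctl_fragment > /etc/sysctl.d/60-syn-flood.conf
    sysctl -p /etc/sysctl.d/60-syn-flood.conf
    audit_running_kernel
fi
```

Run it without arguments to audit a host; run `APPLY_SYN_HARDENING=1 sh syn-audit.sh` as root to write and load the fragment. The audit checks the numeric values only; whether a given daemon actually benefits from the larger backlog still depends on the backlog it passes to listen().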