/proc/sys 网络安全选项的调整
· 让系统对 ping 没有反应
· 让系统对广播没有反应
· 取消 IP source routing
· 开启 TCP SYN Cookie 保护
· 取消 ICMP 接受 Redirect
· 开启错误讯息保护
· 开启 IP 欺骗保护
· 记录Spoofed Packets, Source Routed Packets, Redirect Packets
Redhat 6.1 的做法:
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> echo 0 > $f
> done
[root@deep /]# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> echo 0 > $f
> done
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 0 > $f
> done
[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/log_martians; do
> echo 0 > $f
> done
Redhat 6.2 的做法:
编辑 "/etc/sysctl.conf" 档案,并加入下面几行,
# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
最后重新激活 network
[root@deep /]# /etc/rc.d/init.d/network restart