Comments posted on: How to harden Linux Security and improve network efficiency on Kernel sysctl Level to Stop SYN flood
Few more good ones are:
net.ipv4.tcp_sack = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 1
Also for a busy high iron server, it’s nice to have the conntrack sysctl settings like for example:
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 20
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 208000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 80
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 20
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 40
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 20
Also in my above post on many servers it might be better to set:
net.ipv4.tcp_synack_retries = 2
to
net.ipv4.tcp_synack_retries = 1
because some Denial of Service attacks will still work against the server with:
net.ipv4.tcp_synack_retries = 2
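An added example, not part of the comment above or of the original post: a POSIX sh audit that compares a desired sysctl list against the running kernel (or against a captured snapshot, so it also runs offline) and reports values that have drifted and keys the kernel no longer exposes. The function names, the SYSCTL_SNAPSHOT variable and the snapshot values are my own constructs. Two caveats worth knowing when applying the list above: net.ipv4.tcp_tw_recycle was removed in Linux 4.12, so a current kernel will report it as missing, and the ip_conntrack_* keys are the old names; current kernels expose them as net.netfilter.nf_conntrack_*.

```shell
#!/bin/sh
# Added example (not from the original post): audit running sysctl values
# against a desired hardening list and report drift or missing keys.
# Assumes POSIX sh and, on a live host, that `sysctl -n KEY` prints the value.

# Desired settings (constructed list, taken from the comment plus syncookies).
# "key=value", one per line; spaces around '=' are tolerated.
DESIRED='net.ipv4.tcp_syncookies=1
net.ipv4.tcp_synack_retries=1
net.ipv4.tcp_sack=0
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle=1'

# read_current KEY -> prints the running value; non-zero status if the key is absent.
# If SYSCTL_SNAPSHOT (a "key=value" list, hypothetical variable) is set, it is
# consulted instead of the kernel so the audit can run against a captured snapshot.
read_current() {
    if [ -n "${SYSCTL_SNAPSHOT:-}" ]; then
        printf '%s\n' "$SYSCTL_SNAPSHOT" | tr -d ' ' |
            awk -F= -v k="$1" '$1 == k { print $2; found = 1 } END { exit !found }'
    else
        sysctl -n "$1" 2>/dev/null
    fi
}

# audit_sysctl "<key=value lines>" -> one report line per key: OK, DRIFT or MISSING.
audit_sysctl() {
    printf '%s\n' "$1" | tr -d ' ' | while IFS='=' read -r key want; do
        [ -z "$key" ] && continue
        if have=$(read_current "$key"); then
            if [ "$have" = "$want" ]; then
                printf 'OK      %s = %s\n' "$key" "$want"
            else
                printf 'DRIFT   %s = %s (want %s)\n' "$key" "$have" "$want"
            fi
        else
            # e.g. tcp_tw_recycle on Linux >= 4.12, or a renamed conntrack key
            printf 'MISSING %s (not exposed by this kernel)\n' "$key"
        fi
    done
}

# sysctl_compliant "<key=value lines>" -> status 0 only if every key reports OK.
sysctl_compliant() {
    ! audit_sysctl "$1" | grep -qv '^OK'
}

# Run directly on a host: report the list above against the live kernel.
audit_sysctl "$DESIRED"
```

On a live system, run it with SYSCTL_SNAPSHOT unset; to audit a snapshot taken with `sysctl -a` from another machine, export that output in SYSCTL_SNAPSHOT first. The MISSING class is kept separate from DRIFT on purpose: a key the kernel does not have cannot be "fixed" by editing sysctl.conf, and a line for it in /etc/sysctl.d will only produce a load error.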
Great post. I will definitely be a regular visitor. The description of this area caught my interest. I will share this page with my colleagues. MaciejIT
Found your post by searching on the web. Great start for securing your systems!
If you want to automate scanning for such entries, feel free to give my tool Lynis a try: http://www.rootkit.nl/projects/lynis.html
If Apache is still experiencing issues even though the above tuning has been applied, it is a good idea (on Debian) to place in /etc/apache2/ports.conf:
ListenBackLog 5000