Thursday, 28th March 2024

Comment posted How to harden Linux Security and improve network efficiency on Kernel sysctl Level to Stop SYN flood by .


  1. admin says:

    A few more good ones are:

    net.ipv4.tcp_sack = 0
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_timestamps = 1

    Also, for a busy high iron server, it’s nice to have the conntrack sysctl settings, like for example:

    net.ipv4.netfilter.ip_conntrack_max = 131072
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 20
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 208000
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 80
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 20
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 40
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 20

    Also, in my above post, on many servers it might be better to set:

    net.ipv4.tcp_synack_retries = 2
    to
    net.ipv4.tcp_synack_retries = 1

    because some Denial of Service attacks will still work against the server with:
    net.ipv4.tcp_synack_retries = 2

  2. kilit says:

    Great post. I will definitely be a regular visitor here. This description of the field interested me. I will share this page with my colleagues. MaciejIT

  3. Michael says:

    Found your post by searching on the web. Great start for securing your systems!

    If you want to automate scanning for such entries, feel free to give my tool Lynis a try: http://www.rootkit.nl/projects/lynis.html

  4. admin says:

    If Apache is still experiencing issues, even though the above tuning is made, it is a good idea (on Debian) to place in /etc/apache2/ports.conf:

    ListenBackLog 5000

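An added example, not code from the thread above: a POSIX shell audit that compares a baseline of "key = value" sysctl lines (such as those in the first admin comment) against what the running kernel actually has, in the spirit of the automated scanning Michael mentions. It reads /proc/sys directly; SYSCTL_ROOT is an assumed variable so the audit can be pointed at a test tree, and keys that do not exist on this kernel are reported as MISSING rather than silently skipped.

```shell
#!/bin/sh
# Audit a sysctl baseline against the running kernel. SYSCTL_ROOT is an assumed
# knob so the audit can be pointed at a fake tree for testing; default is /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# net.ipv4.tcp_sack -> $SYSCTL_ROOT/net/ipv4/tcp_sack
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Print the live value of a key (multi-value keys collapsed to single spaces);
# return 1 if the key does not exist on this kernel.
sysctl_live() {
    p=$(sysctl_path "$1")
    [ -r "$p" ] || return 1
    tr -s '[:space:]' ' ' < "$p" | sed 's/ $//'
}

# Read "key = value" lines on stdin (blank lines and # comments ignored) and
# print OK / DRIFT / MISSING per key. Return 0 only if every key matches.
audit_sysctl() {
    rc=0
    while IFS= read -r line; do
        line=${line%%#*}
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        if have=$(sysctl_live "$key"); then
            if [ "$have" = "$want" ]; then
                echo "OK      $key = $have"
            else
                echo "DRIFT   $key = $have (expected $want)"; rc=1
            fi
        else
            # e.g. tcp_tw_recycle was removed in Linux 4.12, and the old
            # ip_conntrack_* keys live under net.netfilter.nf_conntrack_* now.
            echo "MISSING $key (not present on this kernel)"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh audit.sh /etc/sysctl.d/99-hardening.conf
if [ $# -gt 0 ]; then
    audit_sysctl < "$1"
fi
```

A non-zero exit on DRIFT or MISSING makes the script usable as a check in configuration management or a cron job, so a setting that is lost on a kernel upgrade is noticed rather than assumed.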