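Settings in /proc/sys/net
Date: 2010-11-18 Source: sandflee
Reposted from http://hi.baidu.com/thinkzero/blog/item/6a24d1f66cd243ff7709d77d.html
Tuning the network security options under /proc/sys
· Make the system not respond to ping
· Make the system not respond to broadcasts
· Disable IP source routing
· Enable TCP SYN cookie protection
· Disable acceptance of ICMP redirects
· Enable bad error message protection
· Enable IP spoofing protection
· Log spoofed packets, source-routed packets, and redirect packets
How to do it on Redhat 6.1: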
/]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
/]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/]# for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> echo 0 > $f
> done
/]# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
/]# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> echo 0 > $f
> done
/]# echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/]# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 1 > $f
> done
/]# for f in /proc/sys/net/ipv4/conf/*/log_martians; do
> echo 1 > $f
> done
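An added example (not part of the original post): a read-only check that the settings listed above are actually in effect, useful because values written with echo into /proc/sys do not survive a reboot. The function names and the optional root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the hardening values from this page. Reads only.
# Usage: audit_net_hardening            (checks /proc/sys/net/ipv4)
#        audit_net_hardening /some/dir  (checks a copied or test tree;
#                                        this argument is an assumption)

# _check FILE WANT: report one tunable that is missing or has another value
_check() {
    if [ ! -r "$1" ]; then
        echo "MISSING $1"; drift=$((drift + 1)); return
    fi
    have=$(cat "$1")
    if [ "$have" != "$2" ]; then
        echo "DRIFT   $1 = $have (want $2)"; drift=$((drift + 1))
    fi
}

audit_net_hardening() {
    root=${1:-/proc/sys/net/ipv4}
    drift=0

    # Global tunables: ignore ping and broadcast echo, SYN cookies,
    # ignore bogus ICMP error responses
    _check "$root/icmp_echo_ignore_all" 1
    _check "$root/icmp_echo_ignore_broadcasts" 1
    _check "$root/tcp_syncookies" 1
    _check "$root/icmp_ignore_bogus_error_responses" 1

    # Per-interface tunables: every directory under conf/ (all, default,
    # and each interface) must carry the hardened value
    for dir in "$root"/conf/*/; do
        [ -d "$dir" ] || continue
        _check "${dir}accept_source_route" 0
        _check "${dir}accept_redirects" 0
        _check "${dir}rp_filter" 1
        _check "${dir}log_martians" 1
    done

    echo "$drift setting(s) differ"
    [ "$drift" -eq 0 ]   # exit status 0 only when nothing differs
}
```

On kernels that also accept rp_filter=2 (loose mode), this check reports that value as drift because the page sets 1.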