Linux webhost security settings in /etc/sysctl.conf


While searching for more ways to secure Linux servers, I found the following /etc/sysctl.conf configuration. It came as is, without much explanation. Before using it in a production environment (using Ubuntu 12.04 LTS), I'd like to know its implications on a web server.

# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0


# Turn on exec-shield
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

  1. What is a smurf attack?
  2. Why are bad ICMP error messages bad? In other words, what good will come from disabling this?
  3. What are syncookies, or a SYN flood attack?
  4. Why turn on and log spoofed, source routed, and redirect packets? Why are redirected and source routed packets bad?
  5. What is reverse path filtering?
  6. What are exec-shield and randomize_va_space?
  7. Overall, would you like to add anything more or remove some settings from it for your server? Why?

It would be most appreciated if someone could give an explanation (or a resource explaining them) of each setting here.


Update:

I found this document extremely helpful for understanding IP related settings: http://www.frozentux.net/ipsysctl-tutorial/ipsysctl-tutorial.html
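One way to see what a fragment like this actually does on a given host, as an added example that is not part of the original question: the script below parses the sysctl.conf syntax, compares each key with the value the running kernel reports under /proc/sys, and reports both drift and keys the kernel does not know. Both the sample configuration and the live snapshot used for the check are constructed. Two points it surfaces on an Ubuntu host: kernel.exec-shield is a Red Hat kernel knob that mainline and Ubuntu kernels do not have, so that line silently fails to apply, and kernel.randomize_va_space = 1 is weaker than the usual default of 2 (which also randomises the heap base).

```python
"""Audit a sysctl.conf hardening fragment against the running kernel.

Added example, not from the original question. It parses the key = value
format used by /etc/sysctl.conf and compares each key with the value the
kernel currently reports under /proc/sys, flagging drift and keys the
kernel does not know.
"""
from pathlib import Path

# Constructed sample: a subset of the settings from the question.
SAMPLE_CONF = """
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
; syncookies for SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 1
"""

# Constructed snapshot standing in for /proc/sys on an Ubuntu host: syncookies
# already on, rp_filter still off, forwarding on, no exec-shield knob at all,
# and randomize_va_space at the distribution default of 2.
SAMPLE_LIVE = {
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.ip_forward": "1",
    "kernel.exec-shield": None,
    "kernel.randomize_va_space": "2",
}


def parse_sysctl_conf(text):
    """Return {key: value}; lines starting with '#' or ';' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def proc_path(key):
    """Map a sysctl key to its /proc/sys file. As in sysctl(8), '/' is the
    separator when the key contains one (so a dot inside an interface name
    such as eth0.100 survives); otherwise '.' is the separator."""
    parts = key.split("/") if "/" in key else key.split(".")
    return "/proc/sys/" + "/".join(parts)


def read_live_values(keys):
    """Read current values from /proc/sys; keys the kernel lacks map to None."""
    live = {}
    for key in keys:
        try:
            live[key] = Path(proc_path(key)).read_text().strip()
        except OSError:
            live[key] = None
    return live


def audit(desired, live):
    """Compare desired settings with live values.
    Returns (drift, unknown): drift is {key: (wanted, actual)} for keys whose
    live value differs; unknown is the sorted list of keys the kernel lacks.
    Multi-valued settings are compared as whitespace-separated tokens."""
    drift, unknown = {}, []
    for key, wanted in desired.items():
        actual = live.get(key)
        if actual is None:
            unknown.append(key)
        elif actual.split() != wanted.split():
            drift[key] = (wanted, actual)
    return drift, sorted(unknown)


if __name__ == "__main__":
    desired = parse_sysctl_conf(SAMPLE_CONF)
    # On a real host swap SAMPLE_LIVE for read_live_values(desired).
    drift, unknown = audit(desired, SAMPLE_LIVE)
    for key, (wanted, actual) in drift.items():
        print(f"DRIFT   {key}: want {wanted}, have {actual}")
    for key in unknown:
        print(f"UNKNOWN {key}: not present under /proc/sys on this kernel")
```

Run it against the real kernel by replacing SAMPLE_LIVE with read_live_values(desired); a DRIFT line means the value still needs applying (sysctl -p), and an UNKNOWN line means the key is not available on that kernel and the line should be dropped rather than left to fail quietly.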

Best Answer

  1. A smurf attack is where someone sends packets to a broadcast address, usually with a spoofed source, to trick you into sending a large number of replies.

  2. They clog your logs with error messages. Ignoring them keeps the logs uncluttered. It's not like you can fix the Internet anyway.

  3. A SYN flood attack is one where an attacker hits a server with a large number of TCP connection requests. The idea is to consume memory on the server, forcing it to keep track of all the connection requests. SYN cookies allow the server to handle connection requests without using any memory.

  4. Source routed packets are bad because they can be used by outsiders to cause your internal network policy to be ignored or violated. Logging spoofed, source routed, or redirect packets makes sense because unlike bad ICMP error messages, these usually indicate someone doing something deliberate, rather than a configuration error or broken router.

  5. Reverse path filtering causes your router to drop a packet if it was received on an interface you would not use to send packets to that source. Personally, I always disable it. In my experience, it creates far more problems than it solves, for example, breaking IP multipath.
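To make the log_martians setting from point 4 useful rather than just noisy, the following added example (not from the original answer) summarises the kernel's martian messages from a syslog or dmesg capture, grouping them by interface and sender so a stream of spoofed packets from one address stands out from the odd misconfigured host. The log lines are constructed in the kernel's format, in which the first address is the destination and the real sender follows "from"; the kernel rate-limits these messages, so the counts are lower bounds.

```python
"""Summarise log_martians output from a syslog/dmesg capture.

Added example, not from the original answer. With
net.ipv4.conf.*.log_martians = 1 the kernel logs packets that reverse path
filtering or the routing code rejects as impossible; this groups those
lines by interface and sender.
"""
import re
from collections import Counter

# Constructed sample lines. The kernel prints the destination first and the
# sender after "from"; "ll header" lines carry the link-layer bytes.
SAMPLE_LOG = """\
Mar  1 10:00:01 web1 kernel: [ 1234.5678] IPv4: martian source 203.0.113.10 from 10.0.0.5, on dev eth0
Mar  1 10:00:01 web1 kernel: [ 1234.5679] ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
Mar  1 10:00:02 web1 kernel: [ 1235.0001] IPv4: martian source 203.0.113.10 from 10.0.0.5, on dev eth0
Mar  1 10:00:02 web1 kernel: [ 1235.0002] ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
Mar  1 10:00:03 web1 kernel: [ 1236.0001] IPv4: martian source 203.0.113.10 from 10.0.0.5, on dev eth0
Mar  1 10:00:09 web1 kernel: [ 1242.0001] IPv4: martian destination 127.0.0.1 from 198.51.100.7, dev eth0
Mar  1 10:00:10 web1 kernel: [ 1243.0001] IPv4: martian source 10.0.0.20 from 10.0.0.1, on dev eth1
Mar  1 10:00:11 web1 kernel: Unrelated line that must be ignored
"""

# "martian source" lines say "on dev"; "martian destination" lines say "dev".
MARTIAN_RE = re.compile(
    r"martian (?P<kind>source|destination) (?P<dst>\S+) from (?P<src>\S+), (?:on )?dev (?P<dev>\S+)"
)


def parse_martians(text):
    """Yield (kind, interface, sender, destination) for each martian line."""
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            yield m["kind"], m["dev"], m["src"], m["dst"]


def summarize(text, threshold=3):
    """Count martians per (interface, sender).
    Returns (counts, noisy): counts is a Counter keyed by (interface, sender);
    noisy lists the keys whose count reaches the threshold. Counts are lower
    bounds because the kernel rate-limits these messages under load."""
    counts = Counter((dev, src) for _kind, dev, src, _dst in parse_martians(text))
    noisy = sorted(key for key, n in counts.items() if n >= threshold)
    return counts, noisy


if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE_LOG)
    for (dev, src), n in counts.most_common():
        flag = "  <-- repeated" if (dev, src) in noisy else ""
        print(f"{dev:6} {src:16} {n}{flag}")
```

Feed it the output of dmesg or the kernel facility from syslog; an internal (RFC 1918) sender arriving on the external interface, as in the first sample lines, is the classic spoofed-source case the answer describes, while a single entry from an upstream router usually points at a configuration error on its side.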