Protecting your Linux servers against SYN attacks and IP spoofing isn’t nearly as hard as you think. Jack Wallen shows you how.
The sysctl system allows you to make changes to a running Linux kernel. This utility reads and modifies various attributes of the kernel, such as version number, maximum limits, and a number of security settings.
The sysctl system also allows you to prevent things like SYN flood attacks and IP address spoofing. It also logs several types of suspicious packets: spoofed packets, source-routed packets, and redirects.
You can modify kernel parameters at runtime with the sysctl command or you can make changes within the system’s configuration file so those changes are more of a permanent nature.
I want to show you how to harden sysctl by quickly editing the configuration file. This configuration will:
- Disable IP forwarding
- Disable Send Packet Redirects
- Disable ICMP Redirect Acceptance
- Enable Bad Error Message Protection
What you’ll need
Note: I’ll be demonstrating on Ubuntu Server 18.04, but the process is the same on most every Linux distribution.
How to edit the sysctl configuration file
Log in to your Linux server or desktop and open a terminal window. From that terminal, issue the command:
sudo nano /etc/sysctl.conf
The first option to look for is:
#net.ipv4.ip_forward=1
Change that line to:
net.ipv4.ip_forward=0
The next line to edit is:
#net.ipv4.conf.all.send_redirects = 0
Change that to:
net.ipv4.conf.all.send_redirects = 0
Add the following line under that:
net.ipv4.conf.default.send_redirects = 0
Look for the line:
#net.ipv4.conf.all.accept_redirects = 0
Change that to:
net.ipv4.conf.all.accept_redirects = 0
Add the following line under that:
net.ipv4.conf.default.accept_redirects = 0
Finally, add the following lines to the bottom of the file:
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=45
The above lines do the following:
- Enable Bad Error Message Protection (icmp_ignore_bogus_error_responses)
- Enable SYN cookies so the server avoids dropping connections when the SYN queue fills up (tcp_syncookies)
- Increase the SYN backlog queue size to 2048 (tcp_max_syn_backlog)
- Close connections in the SYN_RECV state earlier (tcp_synack_retries)
- Lower the conntrack timeout for SYN_RECV to help reduce the impact of a SYN flood (ip_conntrack_tcp_timeout_syn_recv)
Save and close the file.
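The same edits can be scripted so they are repeatable across servers. The script below is an added example, not the article's own method: set_sysctl_conf rewrites a key's line in a sysctl.conf-style file whether it is commented out or already active, and appends it otherwise, so running it twice does not produce duplicate entries. It deliberately omits the page's last line, net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv, because that legacy compatibility key is absent from modern kernels; the current key is net.netfilter.nf_conntrack_tcp_timeout_syn_recv, and it only appears once the nf_conntrack module is loaded. The function names and the suggestion to try it on a copy of the file first are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's own method: apply the article's sysctl
# settings to a sysctl.conf-style file idempotently.
set -eu

# set_sysctl_conf FILE KEY VALUE
# Rewrites the line for KEY whether it is active or commented out
# (e.g. "#net.ipv4.ip_forward=1" becomes "net.ipv4.ip_forward = 0");
# appends "KEY = VALUE" if no such line exists.
set_sysctl_conf() {
    file=$1; key=$2; value=$3
    # Escape the dots so the key is matched literally by grep/sed.
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key_re}[[:space:]]*=.*|${key} = ${value}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_conf FILE KEY
# Prints the value of the last active assignment of KEY (sysctl -p applies
# the file top to bottom, so the last one wins); prints nothing if unset.
get_sysctl_conf() {
    file=$1; key=$2
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${key_re}[[:space:]]*=" "$file" \
        | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# apply_hardening FILE: the settings from the article, minus the legacy
# ip_conntrack key (see the lead-in).
apply_hardening() {
    file=$1
    set_sysctl_conf "$file" net.ipv4.ip_forward 0
    set_sysctl_conf "$file" net.ipv4.conf.all.send_redirects 0
    set_sysctl_conf "$file" net.ipv4.conf.default.send_redirects 0
    set_sysctl_conf "$file" net.ipv4.conf.all.accept_redirects 0
    set_sysctl_conf "$file" net.ipv4.conf.default.accept_redirects 0
    set_sysctl_conf "$file" net.ipv4.icmp_ignore_bogus_error_responses 1
    set_sysctl_conf "$file" net.ipv4.tcp_syncookies 1
    set_sysctl_conf "$file" net.ipv4.tcp_max_syn_backlog 2048
    set_sysctl_conf "$file" net.ipv4.tcp_synack_retries 3
}

# Usage: sh harden_sysctl.sh /path/to/sysctl.conf
# Try it on a copy first (cp /etc/sysctl.conf /tmp/sysctl.conf) and diff the result.
if [ "$#" -ge 1 ]; then
    apply_hardening "$1"
fi
```

Because the function matches the commented stock lines (#net.ipv4.ip_forward=1, #net.ipv4.conf.all.send_redirects = 0) and replaces them in place, the resulting file reads the same as the hand-edited one described above, and settings you did not ask about are left alone.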
How to reload the configuration
To reload the configuration, issue the command:
sudo sysctl -p
One caveat to the sysctl -p command is that I found it didn’t load the tcp_max_syn_backlog properly. It wasn’t until a reboot that the 2048 value was added. So, after running the sudo sysctl -p command, issue the command:
sudo less /proc/sys/net/ipv4/tcp_max_syn_backlog
Make sure the value presented is 2048.
If the value is anything less, reboot the server.
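The same spot check can be run for every setting at once rather than only the backlog. The script below is an added example, not from the article: it reads each key's live value straight from /proc/sys (the same place the less command above reads from), prints OK, DRIFT or MISSING per key, and returns non-zero if anything differs, so it can be run after sysctl -p and again after the reboot. PROC_SYS_ROOT, the function names and the check_sysctl.sh filename are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's own method: audit the running kernel's
# values for the settings the article configures, by reading /proc/sys
# directly for every key at once.
set -u

# PROC_SYS_ROOT is an assumed override so the checker can be pointed at a
# constructed directory tree instead of the live kernel.
PROC_SYS_ROOT=${PROC_SYS_ROOT:-/proc/sys}

# sysctl_path KEY: map a dotted key to its /proc/sys file.
sysctl_path() {
    printf '%s/%s\n' "$PROC_SYS_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# live_value KEY: print the kernel's current value (whitespace collapsed);
# return 1 if the key does not exist on this kernel.
live_value() {
    p=$(sysctl_path "$1")
    [ -r "$p" ] || return 1
    tr -s '[:space:]' ' ' < "$p" | sed 's/ $//'
}

# audit_sysctl: one line per key (OK / DRIFT / MISSING); exit status 0 only
# when every live value equals the expected one.
audit_sysctl() {
    rc=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        if actual=$(live_value "$key"); then
            if [ "$actual" = "$expected" ]; then
                printf 'OK      %s = %s\n' "$key" "$actual"
            else
                printf 'DRIFT   %s = %s (expected %s)\n' "$key" "$actual" "$expected"
                rc=1
            fi
        else
            printf 'MISSING %s (expected %s)\n' "$key" "$expected"
            rc=1
        fi
    done <<EOF
net.ipv4.ip_forward 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 2048
net.ipv4.tcp_synack_retries 3
EOF
    return $rc
}

# When saved as check_sysctl.sh and run directly, audit the live kernel
# (filename assumed; run it after "sysctl -p" and again after a reboot).
case "${0##*/}" in
    check_sysctl.sh) audit_sysctl ;;
esac
```

A DRIFT line after sysctl -p is the symptom described above for tcp_max_syn_backlog; a MISSING line means the key does not exist on that kernel (for example a conntrack key when the nf_conntrack module is not loaded), which sysctl -p also reports as an error rather than silently skipping.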
At this point, your Linux server should be better protected against SYN attacks and IP address spoofing. Enjoy that newfound security.