网络安全选项的调整

/proc/sys 网络安全选项的调整

? 让系统对 ping 没有反应

? 让系统对广播没有反应

? 取消 IP source routing

? 开启 TCP SYN Cookie 保护

? 取消 ICMP 接受 Redirect

? 开启错误讯息保护

? 开启 IP 欺骗保护

? 记录Spoofed Packets, Source Routed Packets, Redirect Packets

Redhat 6.1 的做法:

[root@deep /]# echo 1

/proc/sys/net/ipv4/icmp_echo_ignore_all

[root@deep /]# echo 1

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do

echo 0 $f

done

[root@deep /]# echo 1

/proc/sys/net/ipv4/tcp_syncookies

[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do

echo 0 $f

done

[root@deep /]# echo 1

/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

echo 0 $f

done

[root@deep /]# for f in /proc/sys/net/ipv4/conf/*/log_martians; do

echo 0 $f

done

Redhat 6.2 的做法:

编辑 "/etc/sysctl.conf" 档案，并加入下面几行，

# Enable ignoring ping request

net.ipv4.icmp_echo_ignore_all = 1

# Enable ignoring broadcasts request

net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disables IP source routing

net.ipv4.conf.all.accept_source_route = 0

# Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

# Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0

# Enable bad error message Protection

net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable IP spoofing protection, turn on Source Address Verification

net.ipv4.conf.all.rp_filter = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.all.log_martians = 1

最后重新激活 network

[root@deep /]# /etc/rc.d/init.d/network restart

• ·SybaseASE安全“着陆”Linux
• ·使用Linux的tftp功能配置cisco
• ·用Linux打造路由器
• ·Linux安全
• ·美语话题不求人-生活不求人(口袋版)|报价￥6
• ·使用iptables设定一些安全防护功能(1)
• ·使用iptables设定一些安全防护功能(2)
• ·美语话题不求人-休闲不求人(口袋版)|报价￥4
• ·使用iptables设定一些安全防护功能(3)
• ·Linux安全吗？