This article introduces some of the core network parameters of the Linux system, located under the /proc/sys/net/ipv4/ directory, and shows how adjusting these kernel network parameters can improve the security and stability of a Linux system, so that a system administrator can further harden the network and the hosts on it.
In Linux, the kernel network parameters under /proc/sys/net/ipv4/ can be adjusted to suit different needs; with reasonable configuration they improve both network security and system stability. Because the material is fairly extensive, this article cannot give a comprehensive introduction. A Linux organization is already writing such a document, and I believe a fairly complete reference will appear in the near future. Let's look at some of the commonly used kernel network parameters.
Notes:
1. Parameters whose value is a rate (the *_rate parameters) have no effect on the loopback interface.
2. The kernel measures rates with its internal clock, which ticks at 100 Hz, so a parameter value of 100 means 1 packet per second is allowed, and a value of 20 allows 5 packets per second.
3. All kernel network parameter files are located under the /proc/sys/net/ipv4/ directory.
1. ICMP-related kernel configuration parameters
Overview: ICMP packets are normally used to probe whether other protocols on a host (such as TCP and UDP) are available. For example, the ICMP packet carrying "Destination Unreachable" is the most common ICMP packet.
1. icmp_destunreach_rate: sets the rate at which "Destination Unreachable" ICMP packets are sent. The value should be an integer.
Application:
Suppose there are two hosts A and B. First, on host A, we enter the following ipchains rule:
ipchains -A input -p icmp -j REJECT
REJECT differs from DENY: DENY silently drops a matching packet as if it had never been received, while REJECT drops the packet and also sends a "Destination Unreachable" ICMP packet back to the requesting host.
Then ping host A from host B; we find that the "Destination Unreachable" ICMP replies arrive promptly. Next we execute on host A:
echo "1000" > /proc/sys/net/ipv4/icmp_destunreach_rate
That is, respond with a "Destination Unreachable" ICMP packet at most once every 10 seconds.
Pinging host A from host B again, I found that the response speed of the "Destination Unreachable" ICMP packets had changed; being curious, I measured it, and it was exactly 10 seconds.
2. icmp_echo_ignore_broadcasts: sets whether to respond to ICMP Echo requests sent to a broadcast address. The value is a Boolean: 0 means respond to broadcast ICMP Echo requests, 1 means ignore them.
Note: Windows systems do not respond to broadcast ICMP Echo requests.
Application:
On my Red Hat 6.x and Red Hat 7 systems the default value is 0, so when someone pings the broadcast address of the network segment where my servers are located, every Linux server responds, which lets that user learn the IP addresses of my servers. I can run
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
to turn this feature off, which also prevents ICMP storms that could congest the network.
3. icmp_echoreply_rate: sets the rate at which the system answers ICMP Echo requests with ICMP Echo Reply packets. The value is an integer.
Application:
Suppose there are two hosts A and B. First, ping host A from host B; the responses are normal. Then execute echo "1000" > /proc/sys/net/ipv4/icmp_echoreply_rate on host A, which means respond to one ICMP Echo request every 10 seconds. Ping host A again and the response interval has become 10 seconds. It is a good idea to adjust this parameter to prevent ICMP storms.
4. icmp_echo_ignore_all: sets whether the system ignores all ICMP Echo requests; if a non-zero value is set, the system ignores every ICMP Echo request. This is effectively the extreme case of icmp_echoreply_rate. The value is a Boolean: 1 means ignore, 0 means respond.
5. icmp_paramprob_rate: when the system receives a datagram with a damaged IP or TCP header, it sends an ICMP packet containing the error message back to the source. This parameter sets the rate at which such ICMP packets are sent to the source. Of course, damaged IP or TCP headers are rare in practice. The value is an integer.
6. icmp_timeexceed_rate: the Time To Live field of a datagram is decremented at each hop as it travels across the network; when it reaches 0, the router currently processing the datagram drops it and sends a "Time to Live Exceeded" ICMP packet to the source host. This parameter sets the rate at which such ICMP packets are sent. It is normally relevant only to a Linux host acting as a router.
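The rate values above are expressed in kernel clock ticks rather than packets per second, which is easy to get wrong by hand. The following script is an added example, not part of the original article: it converts between packets per second and the *_rate values (assuming the 100 Hz clock the article describes), applies the ICMP settings discussed above, and reads them back to confirm the change took effect. SYSCTL_ROOT is an assumption introduced here so that the same functions can be exercised against a scratch directory without root; by default it points at the real /proc/sys/net/ipv4 tree.

```shell
#!/bin/bash
# Added example (not from the original article). SYSCTL_ROOT is an assumption:
# it defaults to the live tree but can be pointed at a scratch copy for a dry run.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4}"
HZ=100   # kernel clock rate assumed by the article (100 ticks per second)

# Number of clock ticks between two packets for a desired packets-per-second rate.
pps_to_jiffies() {        # usage: pps_to_jiffies 5  -> 20
    [ "$1" -gt 0 ] 2>/dev/null || { echo "rate must be a positive integer" >&2; return 1; }
    echo $(( HZ / $1 ))
}

# Seconds between two packets for a given *_rate value (integer seconds).
jiffies_to_seconds() {    # usage: jiffies_to_seconds 1000 -> 10
    echo $(( $1 / HZ ))
}

# Write one parameter. Refuses when the file does not exist, so a typo in a
# parameter name is caught instead of silently creating a stray file.
set_param() {             # usage: set_param icmp_echoreply_rate 1000
    local f="$SYSCTL_ROOT/$1"
    [ -f "$f" ] || { echo "no such parameter: $f" >&2; return 1; }
    printf '%s\n' "$2" > "$f"
}

# Read one parameter back with surrounding whitespace stripped.
get_param() { tr -d '[:space:]' < "$SYSCTL_ROOT/$1"; }

# Apply the ICMP settings the article recommends: ignore broadcast echo requests
# (against ICMP storms) and limit echo replies and unreachables to 1 per second.
apply_icmp_baseline() {
    set_param icmp_echo_ignore_broadcasts 1 &&
    set_param icmp_echoreply_rate   "$(pps_to_jiffies 1)" &&
    set_param icmp_destunreach_rate "$(pps_to_jiffies 1)"
}

# Report every parameter that differs from the baseline; returns 1 on any drift.
check_icmp_baseline() {
    local drift=0 p name want have
    for p in icmp_echo_ignore_broadcasts:1 icmp_echoreply_rate:100 icmp_destunreach_rate:100; do
        name=${p%%:*}; want=${p#*:}
        have=$(get_param "$name")
        if [ "$have" != "$want" ]; then
            echo "$name: have $have, want $want"
            drift=1
        fi
    done
    return $drift
}

# Constructed scratch copy of the tree (all values 0) so the functions can be
# exercised without root; this is test data, not a real /proc snapshot.
make_scratch_tree() {     # usage: make_scratch_tree /tmp/fake_ipv4
    mkdir -p "$1"
    local p
    for p in icmp_echo_ignore_broadcasts icmp_echoreply_rate icmp_destunreach_rate; do
        echo 0 > "$1/$p"
    done
}

# Dry run when RUN_DEMO=1: SYSCTL_ROOT=/tmp/fake_ipv4 RUN_DEMO=1 ./icmp_rate.sh
if [ "${RUN_DEMO:-}" = 1 ]; then
    make_scratch_tree "$SYSCTL_ROOT"
    apply_icmp_baseline && check_icmp_baseline && echo "baseline applied"
fi
```

On a live system the script must run as root; check_icmp_baseline is the part worth keeping in a periodic job, since these values are reset to their defaults on every reboot unless a startup script reapplies them.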
2. IP-related kernel configuration parameters
The IP configuration parameters among the Linux kernel network parameters are normally used to define or adjust specific properties of IP packets, and they also define some network features of the system.
1. ip_default_ttl: sets the Time To Live of IP packets sent from this host. The value is an integer in the range 0 to 128; the default is 64. On Windows systems the TTL of IP packets is usually 128. If your system often receives "Time to Live Exceeded" ICMP responses, you can increase this value, but not by too much: if there is a routing loop, a larger TTL prolongs the time the system spends in error.
2. ip_dynaddr: this parameter is normally used with dial-up connections, so that when the IP address changes the system immediately rewrites the source address of outgoing IP packets to the new address, interrupts the existing TCP session, and re-issues a SYN request with the new address to start a new TCP session. When IP masquerading is in use, this parameter makes the masqueraded address change immediately to the new IP address. The possible values are:
1: enable this feature
2: enable this feature in verbose mode (the kernel logs each address rewrite)
0: disable this feature
Application:
When ipchains is configured for IP masquerading so that a LAN shares a PPP connection, sometimes the first connection to a site fails, and refreshing the page makes it succeed. In that case set this parameter to 1 so that the masqueraded address changes immediately to the new IP address, which solves this kind of problem. The command is:
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
3. ip_forward: this parameter enables packet forwarding so that the system can act as a router. A value of 1 enables IP forwarding, 0 disables it. Note that IP forwarding can be performed with a single network card or with two.
Application example: suppose we use a Linux host with two NICs as a firewall; then we must run the following command to turn on IP forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward
4. ip_local_port_range: sets the range of local ports used when the local system initiates a TCP or UDP connection. The value is two integers; the default is "1024 4999".
Application:
echo "1450 6000" > /proc/sys/net/ipv4/ip_local_port_range
3. TCP-related kernel configuration parameters
The TCP configuration parameters control various aspects of a TCP session.
a) tcp_fin_timeout: during a TCP session, after A sends a FIN packet to B and receives B's ACK, A enters the FIN_WAIT2 state and waits for B's FIN packet, after which it sends B an ACK. This parameter sets how long a socket in FIN_WAIT2 waits for the other side's FIN; if the FIN has still not arrived when the timer expires, the session is released. The value is an integer in seconds; the default is 180 seconds.
b) tcp_syn_retries: sets how many times the SYN request packet is retransmitted when establishing a TCP session. The value is less than 255; the default is 10. If your connection is very fast you can consider reducing this value to improve system response time; even for users with slow connections the default is more than enough.
c) tcp_window_scaling: sets whether the sliding window size of a TCP/IP session can vary. The value is a Boolean: 1 means the window is variable, 0 means it is not. TCP/IP normally uses a window of at most 65535 bytes, which may be too small for high-speed networks; if this feature is enabled, the TCP/IP sliding window can grow by several orders of magnitude, improving data transfer capacity.
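The IP and TCP parameters in the two sections above have different value types (Booleans, bounded integers, and the two-integer port range), and a malformed echo into /proc/sys is either rejected with a bare "Invalid argument" or, worse, accepted with a meaning you did not intend. The script below is an added example, not from the original article: it validates each value against its type before writing it and applies the settings discussed above for a dual-NIC firewall host. SYSCTL_ROOT is an assumption introduced here so the functions can be exercised against a scratch directory; the baseline values themselves (60 s FIN_WAIT2 timeout, 5 SYN retries) are choices for illustration, not values stated by the article.

```shell
#!/bin/bash
# Added example (not from the original article). SYSCTL_ROOT is an assumption:
# it defaults to the live tree but can be pointed at a scratch copy for a dry run.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4}"

# True when the argument is a non-empty string of decimal digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1;; esac; }

write_param() {           # usage: write_param ip_forward 1
    [ -f "$SYSCTL_ROOT/$1" ] || { echo "no such parameter: $1" >&2; return 1; }
    printf '%s\n' "$2" > "$SYSCTL_ROOT/$1"
}

read_param() {            # usage: read_param ip_local_port_range -> "1450 6000"
    local v
    read -r v < "$SYSCTL_ROOT/$1" || [ -n "$v" ]
    echo "$v"
}

# Boolean parameters (ip_forward, tcp_window_scaling) accept only 0 or 1.
set_bool() {              # usage: set_bool ip_forward 1
    case "$2" in 0|1) ;; *) echo "$1: '$2' is not 0/1" >&2; return 1;; esac
    write_param "$1" "$2"
}

# Integer parameter with an inclusive upper bound (tcp_syn_retries < 255).
set_int() {               # usage: set_int tcp_syn_retries 5 254
    is_uint "$2" && [ "$2" -le "$3" ] || { echo "$1: '$2' out of range 0..$3" >&2; return 1; }
    write_param "$1" "$2"
}

# ip_local_port_range takes two integers "low high". Reject inverted ranges and
# ranges that reach into the privileged ports below 1024.
set_port_range() {        # usage: set_port_range 1450 6000
    is_uint "$1" && is_uint "$2" || { echo "port range: not integers" >&2; return 1; }
    [ "$1" -ge 1024 ] && [ "$1" -lt "$2" ] && [ "$2" -le 65535 ] ||
        { echo "port range: need 1024 <= low < high <= 65535" >&2; return 1; }
    write_param ip_local_port_range "$1 $2"
}

# Baseline for a dual-NIC firewall host as described in the article. The
# numeric choices are illustrative: a shorter FIN_WAIT2 wait than the 180 s
# default and fewer SYN retries than the default 10.
apply_ip_tcp_baseline() {
    set_bool ip_forward 1 &&
    set_port_range 1450 6000 &&
    set_int  tcp_fin_timeout 60 3600 &&
    set_int  tcp_syn_retries 5 254 &&
    set_bool tcp_window_scaling 1
}

# Constructed scratch tree holding the article's defaults; test data only.
make_scratch_tree() {     # usage: make_scratch_tree /tmp/fake_ipv4
    mkdir -p "$1"
    echo 0 > "$1/ip_forward"
    echo "1024 4999" > "$1/ip_local_port_range"
    echo 180 > "$1/tcp_fin_timeout"
    echo 10 > "$1/tcp_syn_retries"
    echo 0 > "$1/tcp_window_scaling"
}

# Dry run when RUN_DEMO=1: SYSCTL_ROOT=/tmp/fake_ipv4 RUN_DEMO=1 ./ip_tcp_baseline.sh
if [ "${RUN_DEMO:-}" = 1 ]; then
    make_scratch_tree "$SYSCTL_ROOT"
    apply_ip_tcp_baseline && echo "port range now: $(read_param ip_local_port_range)"
fi
```

Because apply_ip_tcp_baseline chains its writes with &&, the first rejected value stops the run instead of leaving the host half-configured, which is the behaviour you want from a boot-time hardening script.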
4. Kernel network parameters for preventing IP spoofing attacks
Assume the following scenario:
By default a router forwards according to the destination address of a packet, so it forwards packets arriving from anywhere. As shown in the figure above, if the router's 2.2.2.2 interface (the WAN interface) receives a packet whose source address is 1.1.1.100 (an intranet address), the router will forward this implausible packet into the intranet, even though such a packet is impossible or at least unreasonable, simply because that is how a router works. This opens the door for an attacker to mount IP spoofing attacks.
Fortunately, we can prevent this with "reverse path filtering" via a Linux kernel parameter located in the file /proc/sys/net/ipv4/conf/<interface>/rp_filter. The value is an integer with the following possible values:
2 - perform full reverse path filtering; recommended on edge routers. Be aware, however, that in a complex network environment using static routes or the RIP or OSPF routing protocols, this value is not recommended.
1 - the default value, which performs reverse path filtering only for directly connected networks.
0 - no reverse path filtering.
Application:
Create the following script, named rp.sh:
#!/bin/bash
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 2 > $i
done
Then make the file executable with chmod 755 rp.sh and finally run ./rp.sh
5. Kernel network parameters for each network interface
Using the per-interface kernel network parameters, you can set the corresponding kernel network parameters for a specific network interface such as eth0 or eth1.
Note: the parameters under /proc/sys/net/ipv4/conf/all/ are applied to all network interfaces.
1. accept_redirects: this parameter is located at /proc/sys/net/ipv4/conf/<dev>/accept_redirects (where <dev> is a specific network interface). If there are two routers on the network segment where your host is located and you have set one of them as the default gateway, but when that gateway receives your IP packet it finds that the packet has to go through the other router, it sends you a so-called "redirect" ICMP packet telling you to send such packets to the other router. The value is a Boolean: 1 means accept this kind of redirect ICMP message, 0 means ignore it. The default is 0 on a Linux host acting as a router and 1 on an ordinary Linux host. It is recommended to change it to 0, or to use "secure redirects" (see below) to remove this security risk.
2. log_martians: logs IP packets containing illegal address information to the kernel log. The value is a Boolean.
Application:
Together with the rp_filter reverse path filtering parameter described above, we can run
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
and such IP packets will then be recorded in /var/log/messages.
3. forwarding: enables IP forwarding on a specific network interface. The value is a Boolean; 1 enables forwarding, 0 disables it.
Application:
echo "1" > /proc/sys/net/ipv4/conf/eth0/forwarding
4. accept_source_route: whether to accept IP packets containing source routing information. The value is a Boolean: 1 means accept, 0 means do not accept. The default is 1 on a Linux host acting as a gateway and 0 on an ordinary Linux host. From a security standpoint it is recommended to turn this feature off.
5. secure_redirects: we mentioned the concept of "secure redirects" above; a "secure redirect" is simply a "redirect" ICMP packet that is accepted only when it comes from a gateway. This parameter controls the "secure redirects" feature. The value is a Boolean: 1 means enabled, 0 means disabled; the default is enabled.
6. proxy_arp: sets whether to relay ARP packets on the network. The value is a Boolean: 1 means relay, 0 means ignore; the default is 0. This parameter is normally only useful on a Linux host acting as a router.
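The rp.sh script in section 4 sets one parameter on every interface but gives no way to see which interfaces are still at their defaults. The script below is an added example, not from the original article, covering sections 4 and 5 together: it walks every directory under conf/, reports each interface whose rp_filter, accept_redirects, accept_source_route or log_martians value deviates from the recommendations above, and can then remediate all four in one pass. CONF_ROOT is an assumption introduced here so the audit can run against a constructed scratch tree without root; the scratch tree's interface names and values are test data, not a real /proc snapshot.

```shell
#!/bin/bash
# Added example (not from the original article). CONF_ROOT is an assumption:
# it defaults to the live conf/ tree but can be pointed at a scratch copy.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Wanted values, taken from the article's recommendations: full reverse path
# filtering, ignore ICMP redirects, refuse source-routed packets, log martians.
WANT="rp_filter=2 accept_redirects=0 accept_source_route=0 log_martians=1"

read_val() {              # usage: read_val /path/to/param
    local v
    read -r v < "$1" || [ -n "$v" ]
    echo "$v"
}

# Print "iface param have want" for every deviation; returns 1 if any was found
# (or a parameter file is missing), 0 when every interface is compliant.
audit_conf() {
    local rc=0 d iface kv name want have
    for d in "$CONF_ROOT"/*/; do
        iface=${d%/}; iface=${iface##*/}
        for kv in $WANT; do
            name=${kv%=*}; want=${kv#*=}
            [ -f "$d$name" ] || { echo "$iface $name missing"; rc=1; continue; }
            have=$(read_val "$d$name")
            if [ "$have" != "$want" ]; then
                echo "$iface $name $have $want"
                rc=1
            fi
        done
    done
    return $rc
}

# Remediate: write the wanted value into every interface directory, including
# all/ and default/ so interfaces brought up later inherit it. Needs root on a
# live system; mirrors the article's rp.sh but covers all four parameters.
harden_conf() {
    local d kv f
    for d in "$CONF_ROOT"/*/; do
        for kv in $WANT; do
            f="$d${kv%=*}"
            [ -f "$f" ] && printf '%s\n' "${kv#*=}" > "$f"
        done
    done
    return 0
}

# Constructed scratch tree: all/ and eth0 already hardened, eth1 still at the
# "ordinary host" defaults the article describes. Test data only.
make_scratch_conf() {     # usage: make_scratch_conf /tmp/fake_conf
    local iface
    for iface in all eth0 eth1; do mkdir -p "$1/$iface"; done
    for iface in all eth0; do
        echo 2 > "$1/$iface/rp_filter"
        echo 0 > "$1/$iface/accept_redirects"
        echo 0 > "$1/$iface/accept_source_route"
        echo 1 > "$1/$iface/log_martians"
    done
    echo 1 > "$1/eth1/rp_filter"
    echo 1 > "$1/eth1/accept_redirects"
    echo 0 > "$1/eth1/accept_source_route"
    echo 0 > "$1/eth1/log_martians"
}

# Dry run when RUN_DEMO=1: CONF_ROOT=/tmp/fake_conf RUN_DEMO=1 ./audit_conf.sh
if [ "${RUN_DEMO:-}" = 1 ]; then
    make_scratch_conf "$CONF_ROOT"
    audit_conf || { echo "-- remediating"; harden_conf; audit_conf && echo "all compliant"; }
fi
```

Run audit_conf on its own from cron or a monitoring agent: a non-zero exit status means an interface drifted from the baseline (for example a new interface created with the kernel defaults), and the printed lines say exactly which parameter on which interface.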
The above is a brief introduction to the Linux kernel network parameters. Because the author's knowledge and references are limited, errors and omissions are inevitable; discussion is welcome.
Bye2000@263.net
Bye2000@linuxaid.com.cn
Excerpt from: LinuxAid