[TriLUG] Tuning the kernel advice?

Kevin Hunter khunter at rhoworld.com
Fri Nov 30 15:21:45 EST 2001


These are more security tweaks recommended by G. Mourani's "Securing
and Optimizing RH Linux v1.3" book.  They all seem reasonable to me,
but I thought I'd throw these out there to see if anyone thinks
some might not be a good idea.  This box is solely a web server
running RH 7.1 and Apache.  I've already been burned by some of his
recommendations.  It seems he errs on the conservative side
(which isn't such a horrible thing).

These are all parameters the author recommends setting in
/etc/sysctl.conf:

# Enable ignoring ping requests
net.ipv4.icmp_echo_ignore_all = 1
# Enable ignoring broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Enable always defragging Protection
net.ipv4.ip_always_defrag = 1

This last one is already set to 0 on my server by default, but it
refers to it as "Disables automatic defragmentation".  Whose setting
is correct?
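An added audit script, not from the post or from Mourani's book, that checks the listed keys against a running kernel by reading the files under /proc/sys directly. It reports a key that does not exist in this kernel separately from one that holds the wrong value, which is the distinction behind the ip_always_defrag question. The EXPECTED list, the audit_sysctl function and the --live flag are my own; the second argument to audit_sysctl lets the same function run against a constructed directory tree instead of /proc/sys.

```shell
#!/bin/sh
# Compare each "key = value" line of EXPECTED with $ROOT/<key with dots as
# slashes>. Exit status of audit_sysctl is the number of non-compliant keys.

# Expected settings, copied from the list in the post.
EXPECTED='
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_always_defrag = 1
'

# audit_sysctl ROOT EXPECTED_TEXT
# Prints one line per key: OK, MISMATCH (current value, wanted value) or
# MISSING (no such file under ROOT, i.e. the kernel has no such key).
# Returns the count of keys that are not OK (0 means fully compliant).
audit_sysctl() {
    root=$1
    bad=0
    # Strip blanks so each entry becomes one word "key=value"; the unquoted
    # $(...) is intentional so the shell splits the list on newlines.
    for entry in $(printf '%s\n' "$2" | tr -d ' \t'); do
        key=${entry%%=*}
        want=${entry#*=}
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf 'MISSING  %s (no %s; key not in this kernel?)\n' "$key" "$path"
            bad=$((bad + 1))
        else
            have=$(cat "$path")   # command substitution drops the trailing newline
            if [ "$have" = "$want" ]; then
                printf 'OK       %s = %s\n' "$key" "$have"
            else
                printf 'MISMATCH %s = %s (want %s)\n' "$key" "$have" "$want"
                bad=$((bad + 1))
            fi
        fi
    done
    return "$bad"
}

# Audit the live kernel only when asked, so the file can also be sourced.
if [ "${1-}" = "--live" ]; then
    audit_sysctl /proc/sys "$EXPECTED"
fi
```

Run it as `sh sysctl_audit.sh --live`; a non-zero exit status means at least one key is missing or differs from the list.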
