Description of sysctl settings for the Linux kernel and network stack

Control and configure the Linux kernel and network settings through /etc/sysctl.conf.

# Ignore ICMP echo (ping) requests sent to broadcast addresses; enable this so the host cannot be used in amplification attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses instead of logging each one (protection against malformed or malicious ICMP error messages)
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable SYN flood protection by turning on SYN cookies: when the SYN backlog overflows, the kernel answers with cookies instead of keeping half-open state, which blunts a small-scale SYN flood. The default is 0 (off).
net.ipv4.tcp_syncookies = 1

# Log spoofed, source-routed and redirected packets ("martians")
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
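With log_martians on, each such packet is reported in the kernel log as `IPv4: martian source <destination> from <claimed source>, on dev <interface>`. The script below is an added example, not part of the original page: it reads kernel log text (from `dmesg` or `journalctl -k`) and counts reports per interface and claimed source address, so that a sudden burst stands out. The log lines embedded in it are constructed samples, not captured from a real system.

```shell
#!/bin/sh
# Summarize "martian source" reports from the kernel log.
# Kernel message format: IPv4: martian source <dst> from <src>, on dev <iface>
# Added example; the log lines below are constructed samples, not a real capture.

SAMPLE_LOG='[12345.678901] IPv4: martian source 10.0.0.5 from 192.168.1.1, on dev eth0
[12345.678950] ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
[12346.000000] IPv4: martian source 10.0.0.5 from 192.168.1.1, on dev eth0
[12347.000000] IPv4: martian source 10.0.0.9 from 127.0.0.1, on dev eth1
[12348.000000] some unrelated kernel message'

# summarize_martians: read kernel log text on stdin; print "COUNT IFACE SRC"
# per (interface, claimed source) pair, most frequent first.
summarize_martians() {
    awk '
        /martian source/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { src = $(i + 1); sub(/,$/, "", src) }
                if ($i == "dev")  { iface = $(i + 1) }
            }
            count[iface " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# summarize_sample: run the parser over the constructed sample log.
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_martians
}

# summarize_live_martians: same over the running kernel's ring buffer
# (dmesg may need root; journalctl -k is an alternative source).
summarize_live_martians() {
    dmesg | summarize_martians
}

summarize_sample
```

The first address in each message is the destination and the second is the claimed source, so the summary groups by the address that cannot legitimately arrive on that interface; a single source repeating across many lines on one interface is the pattern worth looking at first.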

# Do not accept source-routed packets (packets that carry their own route in the IP options)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Reverse path filtering. When the system receives an IP packet, it checks in reverse whether the packet's source address matches the network interface it arrived on; if it does not match, the packet is discarded. This is a defence against IP source address spoofing.
# rp_filter can reject incoming packets whose source address does not match the interface they arrive on, which helps prevent IP spoofing. Turning it on has consequences, however: if your host has several IP addresses on different interfaces, or a single interface carries several IP addresses, you may find that the kernel rejects valid traffic. Note also that protection against broadcast spoofing is always on even when rp_filter is disabled, and that rp_filter only protects against spoofed internal addresses; external addresses can still be spoofed. By default it is disabled.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Turn off ICMP redirects. When the host's network has several routers and one of them is set as the default gateway, the gateway may find that a packet it receives from the host has to pass through another router; it then sends the host an ICMP "redirect" telling it to forward such packets to the other router. 1 means the host accepts such redirect packets, 0 means it ignores them. Linux defaults to 1; setting 0 eliminates this hidden danger.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Prohibit packet forwarding; this host does not act as a router. Forwarding means that a host with several network cards receives a packet on one of them, hands it to another of its own network cards according to the packet's destination IP address, and that card sends the packet on according to the routing table. This is normally what a router does.
# Compare with a gateway: when an intranet host sends a packet to the public network, the destination host is not on the same network segment as the source host, so the packet is first sent to the intranet's default gateway for processing; the other hosts on the segment do not respond to it at all. Because the source host's IP is private and may not be used on the public network, the gateway must rewrite the packet's source address to a usable public IP, and then sends the packet on to the destination host. The destination host sees only a request sent by the gateway; it does not know about the intranet host and does not need to. After processing the request it sends the response back to the gateway, which rewrites the destination IP of the reply to the IP address of the requesting intranet host and delivers it there. This is the gateway's second job: routing and forwarding of packets. The intranet host checks that the destination IP of the reply matches the address from which it sent the request and then accepts the response, which completes one request.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Enable ExecShield. ExecShield randomizes stack addresses so that an exploit cannot rely on fixed addresses to overwrite them and redirect execution to attack code.
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# IPv6 settings
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

# Increase the system file descriptor limit
fs.file-max = 65535

# Allow more PIDs (reduces PID rollover issues); may break some programs. The default is 32768.
kernel.pid_max = 65536

# Widen the range of local (ephemeral) ports
net.ipv4.ip_local_port_range = 2000 65000

# Increase the maximum TCP buffer sizes and the limits for Linux TCP buffer auto-tuning.
# Each line gives the minimum, default and maximum bytes that can be used.
# The maximum should be at least 4 MB; on a path with a very high bandwidth-delay product (BDP) it can be set higher.
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608

# Socket buffer maximums, device backlog and TCP window scaling
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
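A hardening file is only useful if the running kernel actually matches it. The following POSIX shell script is an added example, not part of the original page: `sysctl_drift` parses a sysctl.conf-style file and reports every key that is missing from the kernel or set to a different value, reading live values from /proc/sys. It normalizes whitespace so that multi-value keys such as tcp_rmem compare correctly (the file separates the three numbers with spaces, /proc/sys reports them tab-separated), and it reports an absent key as a finding rather than aborting, which is what you will see for kernel.exec-shield on kernels that do not carry Red Hat's ExecShield patch. The `demo_lookup` function and the excerpt it checks are constructed so the three outcomes can be shown offline.

```shell
#!/bin/sh
# Audit a sysctl.conf-style file against the values the kernel is actually using.
# Added example; key names are the standard Linux sysctl names.

# normalize_ws STRING: collapse runs of spaces/tabs to one space and trim the ends,
# so "4096 87380 8388608" equals the tab-separated form /proc/sys reports.
normalize_ws() {
    printf '%s' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# current_value KEY: read the live value from /proc/sys (dots become slashes).
# Prints nothing when the key does not exist on this kernel.
current_value() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# sysctl_drift FILE [LOOKUP]
#   FILE:   sysctl.conf syntax ("key = value", '#' or ';' comments, blank lines)
#   LOOKUP: function printing a key's current value (default: current_value)
# Prints "MISSING key" or "DRIFT key want=<x> have=<y>"; silent when all match.
sysctl_drift() {
    file="$1"; lookup="${2:-current_value}"
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$file" |
    while IFS='=' read -r key want; do
        key=$(normalize_ws "$key"); want=$(normalize_ws "$want")
        have=$(normalize_ws "$("$lookup" "$key")")
        if [ -z "$have" ]; then
            echo "MISSING $key"
        elif [ "$have" != "$want" ]; then
            echo "DRIFT $key want=$want have=$have"
        fi
    done
}

# ---- Constructed demonstration (not a capture from a real host) ----
# demo_lookup imitates a kernel where SYN cookies are off, forwarding was left
# on, tcp_rmem is reported tab-separated, and kernel.exec-shield does not exist.
demo_lookup() {
    case "$1" in
        net.ipv4.icmp_echo_ignore_broadcasts) echo 1 ;;
        net.ipv4.tcp_syncookies)              echo 0 ;;
        net.ipv4.tcp_rmem)                    printf '4096\t87380\t8388608\n' ;;
        net.ipv4.ip_forward)                  echo 1 ;;
        *)                                    : ;;   # unknown key: no output
    esac
}

# demo_drift: run sysctl_drift over a constructed excerpt of a hardening file.
demo_drift() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# constructed excerpt of a hardening file
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rmem = 4096 87380 8388608
kernel.exec-shield = 1
net.ipv4.ip_forward = 0
EOF
    sysctl_drift "$tmp" demo_lookup
    rm -f "$tmp"
}

demo_drift
```

On a live host, `sysctl_drift /etc/sysctl.conf` uses the default `current_value` lookup against /proc/sys; after editing the file, `sysctl -p /etc/sysctl.conf` loads it and a second run should print nothing. A DRIFT on net.ipv4.ip_forward is worth treating as a finding in its own right, since it means the host has quietly become a router.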

 
References:
http://bbs.chinaunix.net/thread-2208198-1-1.html
http://soft.chinabyte.com/os/3/11851003.shtml
http://wenku.baidu.com/link?url=VCgeTBbyHrRdCw0AM8IC51qn17cjut4JI8wDAIReQgkVC4vOP7KA-8ULkV0IcQd-Y23o4WfBt8aDB1tBQo3nVQJKlqBaBHz1VgNbm6cKB27