
Can anyone offer more info about these settings and if they work?

painfreepc Member
edited December 2013 in Help

Can anyone offer more info about these settings and if they work?

Secure shared memory

nano /etc/fstab

/dev/shm can be used in an attack against a running service, 
such as httpd. Modify /etc/fstab to make it more secure.

You will need to reboot for this setting to take effect:

Add the following line and save:

tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0


Harden network with sysctl settings:

nano /etc/sysctl.conf

The /etc/sysctl.conf file contains all the sysctl settings. 
Prevent source routing of incoming packets and log malformed 
IPs.

Add the following and save:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
# some VPSs will not accept the following 3
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1


(DON'T close and save the file - You may wish to add the following)

Set the server to automatically reboot when it runs out of memory:

In the event of a traffic spike, the VPS may run out of memory 
and your site could be down for hours, well after the spike has ended. 
To avoid the extended downtime, you’ll want the VPS to automatically 
reboot instead. It’s one less thing for you to worry about and provides 
a bit more stability (a few minutes of downtime as opposed to hours).

Add the following lines and save:

vm.panic_on_oom=1
kernel.panic=10

To reload sysctl with the latest changes, enter:

sudo sysctl -p
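As an added check that is not from the post or the replies: after `sysctl -p` and the reboot, this POSIX sh helper reads /proc/sys and /proc/mounts directly to confirm the values above are actually in effect, which catches the case the post itself warns about, a VPS kernel silently rejecting some keys. The function names and the optional root-prefix argument (used to point the checks at a copied /proc tree) are this example's own assumptions.

```shell
# Added audit helper, not from the post: verifies that the sysctl values and
# the /dev/shm mount options above are in effect by reading /proc directly.
# ROOT (default "") lets the checks run against a copied /proc tree.
# The three tcp_* sizing knobs are left out: the post notes some VPS kernels reject them.
WANT='net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.log_martians 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
vm.panic_on_oom 1
kernel.panic 10'
# check_sysctl [ROOT]: one "key live=X want=Y" line per mismatch (a missing
# key counts as a mismatch); returns 1 if any mismatch was found.
check_sysctl() {
  root=${1:-}; bad=0
  while read -r key want; do
    path="$root/proc/sys/$(printf '%s' "$key" | tr . /)"   # dotted name -> /proc/sys path
    live=$(cat "$path" 2>/dev/null) || live='(missing)'
    if [ "$live" != "$want" ]; then
      echo "$key live=$live want=$want"; bad=1
    fi
  done <<EOF
$WANT
EOF
  return $bad
}
# check_shm [ROOT]: reports noexec/nosuid missing from the /dev/shm mount in
# ROOT/proc/mounts; returns 1 if either is missing or /dev/shm is not mounted.
check_shm() {
  root=${1:-}; bad=0
  opts=$(awk '$2 == "/dev/shm" { print $4 }' "$root/proc/mounts" 2>/dev/null | tail -n 1)
  [ -n "$opts" ] || { echo "/dev/shm is not mounted"; return 1; }
  for o in noexec nosuid; do
    case ",$opts," in
      *",$o,"*) ;;
      *) echo "/dev/shm missing $o (options: $opts)"; bad=1 ;;
    esac
  done
  return $bad
}
```

On the live host, source the file and run `check_sysctl && check_shm`; no root is needed since /proc/sys and /proc/mounts are world-readable.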

Comments

  • Securing /dev/shm is a good idea. You could also do the same for /var/tmp and add nodev to the fstab options.

    I use most of those sysctls. One thing to note is that you'll ignore incoming icmp requests, so if you use a monitoring service/script/whatever don't expect any ping replies.

    Those last sysctl settings will reboot 10sec after a kernel panic from oom. Safe to use, but if you're getting them regularly it's probably time to upgrade instead of constantly rebooting.
