
Network security



Good afternoon!


 I am applying some security measures to our servers according to
 Debian's own tutorial, and the following
 configuration is suggested for network initialization, in
/proc/sys/net/ipv4.

 I would like you to take a look and give me more details about the
 parameters you know,
 since I have little experience with these parameters. If possible, also tell me
 which text or reference I can read to learn more about this.

 Thank you very much!
 Rogério.
 __________________________________________________________________
>
>      # Script-name: /etc/network/interface-secure
>      # Modifies some default behaviour in order to secure against
>      # some TCP/IP spoofing & attacks
>      #
>      # Contributed by Dariusz Puchalak
>      #
>      echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # broadcast echo protection enabled
>      echo 0 > /proc/sys/net/ipv4/ip_forward     # ip forwarding disabled
>      echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP syn cookie protection enabled
>      echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Log packets with impossible addresses
>                               # but be careful with this on heavily loaded web servers
>      echo 1 > /proc/sys/net/ipv4/ip_always_defrag # defragging protection always enabled
>      echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # bad error message protection enabled
>
>      # now ip spoofing protection
>      for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>              echo 1 > $f
>      done
>
>      # and finally some more things:
>      # Disable ICMP Redirect Acceptance
>      for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
>              echo 0 > $f
>      done
>
>      for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
>              echo 0 > $f
>      done
>
>      # Disable Source Routed Packets
>      for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
>              echo 0 > $f
>      done
>
>      # Log Spoofed Packets, Source Routed Packets, Redirect Packets
>      for f in /proc/sys/net/ipv4/conf/*/log_martians; do
>              echo 1 > $f
>      done
>
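
An audit counterpart to the script quoted above, added here as an example and not part of the original post or of the Debian manual: it reads the same files and reports every value that differs from what the script writes. The function names check_one and audit_ipv4 and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read-only audit of the IPv4 settings the quoted script writes.
# check_one and audit_ipv4 are names chosen for this example.

# check_one ROOT RELATIVE_PATH EXPECTED
# Prints a finding and returns 1 when the value is absent or differs.
check_one() {
    file="$1/$2"
    if [ ! -r "$file" ]; then
        # Not every kernel exposes every file; report it instead of failing.
        echo "MISSING  $2 (expected $3)"
        return 1
    fi
    actual=$(cat "$file")
    if [ "$actual" != "$3" ]; then
        echo "DEVIATES $2 = $actual (expected $3)"
        return 1
    fi
    return 0
}

# audit_ipv4 [ROOT]
# ROOT defaults to /proc/sys/net/ipv4. Returns 0 only if every value matches.
audit_ipv4() {
    root="${1:-/proc/sys/net/ipv4}"
    bad=0
    # Global switches set by the single echo lines of the script.
    for spec in icmp_echo_ignore_broadcasts=1 ip_forward=0 tcp_syncookies=1 \
                ip_always_defrag=1 icmp_ignore_bogus_error_responses=1; do
        check_one "$root" "${spec%=*}" "${spec#*=}" || bad=$((bad + 1))
    done
    # Per-interface switches set by the for-loops (all, default, eth0, ...).
    for dir in "$root"/conf/*; do
        [ -d "$dir" ] || continue
        iface=${dir##*/}
        for spec in rp_filter=1 accept_redirects=0 send_redirects=0 \
                    accept_source_route=0 log_martians=1; do
            check_one "$root" "conf/$iface/${spec%=*}" "${spec#*=}" \
                || bad=$((bad + 1))
        done
    done
    echo "$bad finding(s)"
    [ "$bad" -eq 0 ]
}
```

Calling audit_ipv4 with no argument inspects the running system's /proc/sys/net/ipv4; a file reported as MISSING means that kernel does not provide the setting.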



