Daily logs » Spoofing http://blog.pnyet.web.id A Nobody trying to become a Somebody Wed, 25 Jan 2012 15:26:10 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Optimasi Kernel Linux dengan Systcl.conf http://blog.pnyet.web.id/2010/02/11/optimasi-kernel-linux-dengan-systcl-conf.html http://blog.pnyet.web.id/2010/02/11/optimasi-kernel-linux-dengan-systcl-conf.html#comments Thu, 11 Feb 2010 04:46:54 +0000 David http://blog.pnyet.web.id/?p=87

CentOSSudah lama saya menuliskan optimasi kernel Linux dengan konfigurasi systcl.conf, tapi berhubung arsip di main blog saya http://pnyet.web.id tidak terekam search engine dengan baik maka saya menuliskan ulang disini. Konfigurasi sysctl.conf ini bertujuan untuk performance tunning, dan security tunning di sistem operasi Linux. Secara spesifik, konfigurasi ini saya gunakan di CentOS namun konfigurasi bukan tidak mungkin untuk digunakan di GNU/Linux varian lainnya.Dalam kaitannya dengan keamanan maka konfigurasi dibawah ini dapat menghindarkan server dari serangan DOS maupun Spoofing. Sebagai catatan, dalam konfigurasi ini saya menggunakan eth0 sebagai primary networking interface.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0




# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15




# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456

#Ignore Ping
net.ipv4.icmp_echo_ignore_all = 0




#Ignore Broadcast ICMP Request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536

Adapun saran atau kritikan atau referensi yang lebih baik untuk konfigurasi sysctl.conf silahkan memberikan komentar.
]]> http://blog.pnyet.web.id/2010/02/11/optimasi-kernel-linux-dengan-systcl-conf.html/feed 0