Welcome to the personal Wiki of Guang-Wen Duan (Dennis Duan)
====== sysctl script ======

This page describes the sysctl script I use to set a handful of network-security-related kernel parameters and harden the system a little further.

The parameters are documented in detail in the kernel source, in Documentation/networking/ip-sysctl.txt; the [[http://www.frozentux.net/documents/ipsysctl-tutorial|Ipsysctl-tutorial]] is another good reference. The script also borrows some practice from [[http://www.linuxfromscratch.org/blfs|Beyond Linux From Scratch]]. Thanks to all of them.

===== Script skeleton =====

The script follows the usual init-script convention and provides start, stop and restart (strictly speaking start/stop is a misnomer here; set/unset would describe what it does better).

The basic skeleton:

<code bash>
start() {
    ...
}

stop() {
    ...
}

case "$1" in
    'start')
        start
        ;;
    'stop')
        stop
        ;;
    'restart')
        stop
        start
        ;;
    *)
        echo "usage $0 start|stop|restart"
esac
</code>

===== Script contents =====

The current script template can be downloaded here: [[ftp://gwduan.com/pub/wiki/scripts/rc.sysctl.ref|rc.sysctl.ref]].

Every path below lives under /proc/sys/net/ipv4, so the script hardens IPv4 only; the IPv6 counterparts under /proc/sys/net/ipv6/conf are not touched. The loops over conf/* cover conf/all and conf/default as well as each existing interface, which matters because conf/default supplies the initial values for interfaces that appear after the script has run.

==== The start() function ====

Ignore ICMP echo requests sent to broadcast addresses:

<code bash>
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
</code>

Reject source-routed packets:

<code bash>
# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$i"
done
</code>

Enable TCP SYN cookies (a fallback for SYN floods, not a capacity fix; see the tcp_syncookies notes below):

<code bash>
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
</code>

Do not accept ICMP redirect messages:

<code bash>
# Disable ICMP Redirect Acceptance
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$i"
done
</code>

Do not send ICMP redirect messages:

<code bash>
# Don't send Redirect Messages
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$i"
done
</code>

Drop packets that fail strict reverse-path validation (if the machine uses asymmetric routing, the rp_filter notes below recommend loose mode, value 2, instead):

<code bash>
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$i"
done
</code>

Log packets with impossible addresses to the kernel log:

<code bash>
# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > "$i"
done
</code>

Log dynamic-address rewriting to the kernel log (only meaningful on a dynamic IP such as a dial-up link; not needed with a static address):

<code bash>
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
</code>

Disable TCP Explicit Congestion Notification (a compatibility choice rather than a security one; the comment reflects the routers of the time):

<code bash>
# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn
</code>

==== The stop() function ====

stop() is simply the inverse of start(), so its lines carry no comments. Note that "inverse" means the opposite of what start() writes, not the kernel defaults: according to the documentation below, accept_source_route defaults to FALSE on a host, icmp_echo_ignore_broadcasts defaults to 1 and tcp_ecn defaults to 2, so in those places stop leaves the machine more permissive than a fresh boot.

<code bash>
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 1 > "$i"
done
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 1 > "$i"
done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 1 > "$i"
done
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 0 > "$i"
done
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 0 > "$i"
done
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/tcp_ecn
</code>

==== Parameter reference ====

The description of each parameter follows, quoted from the kernel documentation ip-sysctl.txt. It is left untranslated to avoid ambiguity.

=== icmp_echo_ignore_broadcasts - BOOLEAN ===

If set non-zero, then the kernel will ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast.

Default: 1

=== accept_source_route - BOOLEAN ===

Accept packets with SRR option. conf/all/accept_source_route must also be set to TRUE to accept packets with SRR option on the interface.

default:
  * TRUE (router)
  * FALSE (host)

=== tcp_syncookies - BOOLEAN ===

Only valid when the kernel was compiled with CONFIG_SYNCOOKIES. Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'SYN flood attack'.

Default: FALSE

Note, that syncookies is fallback facility. It MUST NOT be used to help highly loaded servers to stand against legal connection rate. If you see SYN flood warnings in your logs, but investigation shows that they occur because of overload with legal connections, you should tune another parameters until this warning disappear.
See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

syncookies seriously violate TCP protocol, do not allow to use TCP extensions, can result in serious degradation of some services (f.e. SMTP relaying), visible not by you, but your clients and relays, contacting you. While you see SYN flood warnings in logs not being really flooded, your server is seriously misconfigured.

=== accept_redirects - BOOLEAN ===

Accept ICMP redirect messages. accept_redirects for the interface will be enabled if:
  * both conf/{all,interface}/accept_redirects are TRUE in the case forwarding for the interface is enabled.

or:
  * at least one of conf/{all,interface}/accept_redirects is TRUE in the case forwarding for the interface is disabled.

accept_redirects for the interface will be disabled otherwise.

default:
  * TRUE (host)
  * FALSE (router)

=== send_redirects - BOOLEAN ===

Send redirects, if router. send_redirects for the interface will be enabled if at least one of conf/{all,interface}/send_redirects is set to TRUE, it will be disabled otherwise.

Default: TRUE

=== rp_filter - INTEGER ===

  * 0 - No source validation.
  * 1 - Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
  * 2 - Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.

The max value from conf/{all,interface}/rp_filter is used when doing source validation on the {interface}.

Default value is 0. Note that some distributions enable it in startup scripts.
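The combination rules quoted above (the maximum of the two files for rp_filter; AND when forwarding is on and OR when it is off for accept_redirects; OR for send_redirects) are easy to get wrong when only one of conf/all or conf/<interface> is edited, and they are the reason start() writes every conf/*/ entry rather than a single interface. The POSIX sh functions below are an added example, not part of rc.sysctl.ref: they compute the effective value from the contents of the two files passed as arguments, so they run without /proc. The function names, audit_iface() and the eth0 scenario at the bottom are illustrative, not anything the kernel itself exposes.

```shell
#!/bin/sh
# Added example: compute the value the kernel actually applies to an
# interface from conf/all and conf/<iface>, following ip-sysctl.txt.
# Every input is an argument, so nothing here reads or writes /proc.

# rp_filter: the larger of conf/all and conf/<iface> is used.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# send_redirects (and log_martians, which the documentation words the
# same way): enabled if at least one of conf/all, conf/<iface> is non-zero.
effective_or() {
    if [ "$1" -ne 0 ] || [ "$2" -ne 0 ]; then echo 1; else echo 0; fi
}

# accept_redirects: with forwarding enabled on the interface both files
# must be non-zero (AND); with forwarding disabled one of them suffices (OR).
# Arguments: all iface forwarding
effective_accept_redirects() {
    if [ "$3" -ne 0 ]; then
        if [ "$1" -ne 0 ] && [ "$2" -ne 0 ]; then echo 1; else echo 0; fi
    else
        effective_or "$1" "$2"
    fi
}

# Evaluate one interface against what start() aims for:
# rp_filter >= 1, accept_redirects = 0, send_redirects = 0.
# Arguments: rp_all rp_if ar_all ar_if sr_all sr_if forwarding
# Prints the effective values; returns 0 only if every target is met.
audit_iface() {
    rp=$(effective_rp_filter "$1" "$2")
    ar=$(effective_accept_redirects "$3" "$4" "$7")
    sr=$(effective_or "$5" "$6")
    echo "rp_filter=$rp accept_redirects=$ar send_redirects=$sr"
    if [ "$rp" -ge 1 ] && [ "$ar" -eq 0 ] && [ "$sr" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Constructed scenario: a non-forwarding host where only the eth0 files were
# changed (rp_filter=1, accept_redirects=0, send_redirects=0) while conf/all
# keeps the host defaults (0, TRUE, TRUE). rp_filter is fine thanks to the
# max rule, but the OR rule leaves ICMP redirects both accepted and sent.
echo "eth0, conf/all left at defaults:"
audit_iface 0 1 1 0 1 0 0 || echo "  -> eth0 still accepts and sends ICMP redirects"

# Same host after start() has written every conf/* entry.
echo "eth0 after start():"
audit_iface 1 1 0 0 0 0 0 && echo "  -> hardened"
```

Run it as a plain script; the first scenario prints the effective values and the warning, the second prints the hardened values. To audit a live machine, feed the functions the contents of the corresponding files under /proc/sys/net/ipv4/conf/all and conf/<interface>, plus conf/<interface>/forwarding.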
=== log_martians - BOOLEAN ===

Log packets with impossible addresses to kernel log. log_martians for the interface will be enabled if at least one of conf/{all,interface}/log_martians is set to TRUE, it will be disabled otherwise.

=== ip_dynaddr - BOOLEAN ===

If set non-zero, enables support for dynamic addresses. If set to a non-zero value larger than 1, a kernel log message will be printed when dynamic address rewriting occurs.

Default: 0

=== tcp_ecn - INTEGER ===

Enable Explicit Congestion Notification (ECN) in TCP. ECN is only used when both ends of the TCP flow support it. It is useful to avoid losses due to congestion (when the bottleneck router supports ECN).

Possible values are:
  * 0 - disable ECN
  * 1 - ECN enabled
  * 2 - Only server-side ECN enabled. If the other end does not support ECN, behavior is like with ECN disabled.

Default: 2

===== Deployment =====

As with the [[.:iptables|iptables script]], most Linux distributions ship their own sysctl mechanism, the most common being /etc/sysctl.conf. To stay consistent with the rest of the system, the settings can be translated into sysctl syntax (drop the /proc/sys/ prefix and replace the remaining slashes with dots, so /proc/sys/net/ipv4/conf/all/rp_filter becomes net.ipv4.conf.all.rp_filter) and merged into that file.

What follows covers only how to use the script on [[http://www.slackware.com|slackware]].

slackware keeps its scripts in /etc/rc.d/, so first copy the template there and rename it to rc.sysctl:

<code bash>
cp rc.sysctl.ref /etc/rc.d/rc.sysctl
</code>

Make the new script executable:

<code bash>
chmod +x /etc/rc.d/rc.sysctl
</code>

<note>
Some of these settings only take effect once the network interfaces are up, because the per-interface entries under conf/ are created together with the interface. A good moment to run the script is after the interfaces are up and before the network services are started (rc.inet2). If IP forwarding is enabled (the /etc/rc.d/rc.ip_forward script is active), enabling forwarding resets the related kernel parameters, so the sysctl script must run after rc.ip_forward.
</note>

Since the timing is not as critical as for rc.iptables, running it from /etc/rc.d/rc.local is good enough. Edit rc.local and add:

<code bash>
# Initialize some networking parameters.
if [ -x /etc/rc.d/rc.sysctl ]; then
    . /etc/rc.d/rc.sysctl start
fi
</code>

{{tag>sysctl}}
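To integrate with a distribution that drives everything from /etc/sysctl.conf, the /proc paths have to become dotted keys, and once the settings exist in that form it is worth checking after boot that they really landed. The POSIX sh below is an added example, not code from rc.sysctl.ref or from slackware: gen_sysctl_conf() emits the start() settings in sysctl.conf syntax, and check_against() compares such a file with a directory tree laid out like /proc/sys, so it can audit a live machine (pass /proc/sys) or, as here, run offline against a constructed fixture in a temporary directory. The interface name eth0, the fixture and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: express the rc.sysctl start() settings in /etc/sysctl.conf
# syntax and verify a machine (or an offline fixture) against them.
# "eth0" and the temporary fixture below are constructed for the demo.

# /proc/sys/net/ipv4/conf/all/rp_filter -> net.ipv4.conf.all.rp_filter
proc_to_key() {
    echo "${1#/proc/sys/}" | tr '/' '.'
}

# net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies
key_to_proc() {
    echo "/proc/sys/$(echo "$1" | tr '.' '/')"
}

# Emit the start() settings as "key = value" lines. Per-interface keys are
# written for all, default and every interface name given as an argument;
# all and default also cover interfaces that appear after boot.
gen_sysctl_conf() {
    echo "net.ipv4.icmp_echo_ignore_broadcasts = 1"
    echo "net.ipv4.tcp_syncookies = 1"
    echo "net.ipv4.ip_dynaddr = 2"
    echo "net.ipv4.tcp_ecn = 0"
    for c in all default "$@"; do
        echo "net.ipv4.conf.$c.accept_source_route = 0"
        echo "net.ipv4.conf.$c.accept_redirects = 0"
        echo "net.ipv4.conf.$c.send_redirects = 0"
        echo "net.ipv4.conf.$c.rp_filter = 1"
        echo "net.ipv4.conf.$c.log_martians = 1"
    done
}

# Compare a sysctl.conf-style file with a directory laid out like /proc/sys
# (pass /proc/sys on a live machine). Prints one line per mismatch or
# missing key and returns 1 if there was any.
check_against() {
    conf=$1; root=$2; bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=$(echo "${line%%=*}" | tr -d ' ')
        want=$(echo "${line#*=}" | tr -d ' ')
        file="$root/$(echo "$key" | tr '.' '/')"
        if [ ! -r "$file" ]; then
            echo "MISSING $key"; bad=1; continue
        fi
        have=$(cat "$file")
        if [ "$have" != "$want" ]; then
            echo "DIFF $key: want $want, have $have"; bad=1
        fi
    done < "$conf"
    return $bad
}

# Build a constructed stand-in for /proc/sys under $1 with everything
# hardened except conf/eth0/rp_filter, which is left at the kernel default 0.
make_fixture() {
    gen_sysctl_conf eth0 | while IFS= read -r line; do
        f="$1/$(echo "${line%% *}" | tr '.' '/')"
        mkdir -p "$(dirname "$f")"
        echo "${line##* }" > "$f"
    done
    echo 0 > "$1/net/ipv4/conf/eth0/rp_filter"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
gen_sysctl_conf eth0 > "$tmp/sysctl.conf"
echo "generated $(wc -l < "$tmp/sysctl.conf" | tr -d ' ') settings; checking fixture:"
check_against "$tmp/sysctl.conf" "$tmp" || echo "  -> fixture is not fully hardened"
rm -rf "$tmp"
```

On a real system, write the output of gen_sysctl_conf into /etc/sysctl.conf (or a file under /etc/sysctl.d/ where the distribution supports it), load it with sysctl -p, and then run check_against against /proc/sys; a DIFF line after boot usually means another startup script, such as the forwarding setup mentioned in the note above, ran later and overwrote the value.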
Last modified: 2014/11/01 02:02 by 127.0.0.1