This post describes the sysctl script I use to set a handful of network-related kernel parameters that harden the system a bit further.
The parameters are documented in Documentation/networking/ip-sysctl.txt in the kernel source tree; the Ipsysctl-tutorial is another useful reference, and some of the choices below are borrowed from Beyond Linux From Scratch. Thanks to all of them.
The script follows the usual rc-script conventions and offers start, stop and restart (strictly speaking start/stop is a slight misnomer here; set/unset would describe what it does more accurately).
The basic skeleton looks like this:
    start() {
        ...
    }

    stop() {
        ...
    }

    case "$1" in
        'start')
            start
            ;;
        'stop')
            stop
            ;;
        'restart')
            stop
            start
            ;;
        *)
            echo "usage $0 start|stop|restart"
            ;;
    esac
The current script template is available here: rc.sysctl.ref.
Ignore ICMP echo requests sent to broadcast addresses (so the host cannot be used as a Smurf-style amplifier):
    # Enable broadcast echo Protection
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Reject source-routed packets (the sender, not the routing table, would otherwise dictate the path the packet and its replies take):
    # Disable Source Routed Packets
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $i
    done
Enable TCP SYN cookies (only kicks in when the SYN backlog overflows, i.e. under a SYN flood; see the tcp_syncookies notes below for its side effects):
    # Enable TCP SYN Cookie Protection
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Do not accept ICMP redirects (an attacker on the local segment could otherwise rewrite our routes):
    # Disable ICMP Redirect Acceptance
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $i
    done
Do not send ICMP redirects (only a router has any business sending them):
    # Don't send Redirect Messages
    for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo 0 > $i
    done
Enable strict reverse path filtering, which drops packets whose source address would be routed back out a different interface (this is the kernel's anti-spoofing check; if the machine uses asymmetric routing, read the rp_filter notes below before turning it on):
    # Drop Spoofed Packets coming in on an interface, where responses
    # would result in the reply going out a different interface.
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $i
    done
Log packets with impossible (martian) addresses to the kernel log, so that spoofing attempts and misconfigured neighbours leave a trace:
    # Log packets with impossible addresses.
    for i in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $i
    done
Log dynamic address rewriting in the kernel log (only meaningful on hosts with a dynamic, e.g. dial-up, address; harmless but pointless on a static one):
    # be verbose on dynamic ip-addresses (not needed in case of static IP)
    echo 2 > /proc/sys/net/ipv4/ip_dynaddr
Disable TCP Explicit Congestion Notification. This one is a compatibility workaround rather than a hardening measure: it dates from when many routers and firewalls mishandled ECN-marked packets. The kernel's current default of 2 (accept ECN when the peer asks for it, never request it ourselves; see the tcp_ecn notes below) is usually fine to leave alone.
    # disable Explicit Congestion Notification
    # too many routers are still ignorant
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
stop simply writes the opposite value of everything start sets, so it carries no comments:
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 1 > $i
    done
    echo 0 > /proc/sys/net/ipv4/tcp_syncookies
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 1 > $i
    done
    for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo 1 > $i
    done
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > $i
    done
    for i in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 0 > $i
    done
    echo 0 > /proc/sys/net/ipv4/ip_dynaddr
    echo 1 > /proc/sys/net/ipv4/tcp_ecn
Note that "the opposite of start" is not the same as "the kernel defaults": icmp_echo_ignore_broadcasts defaults to 1 and tcp_ecn to 2 (see the excerpts from ip-sysctl.txt below), and a host does not accept source-routed packets by default, so after stop the machine is actually less protected than a freshly booted kernel. If what you want is a rollback, record the old values before start overwrites them and restore those instead.
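Once log_martians is on, the kernel writes lines of the form "martian source DADDR from SADDR, on dev IFACE" (or "martian destination DADDR from SADDR, dev IFACE") to the log. The address after "from" is always the packet's source, which is the one you care about when hunting for spoofing. The helper below is an added example and not part of the rc.sysctl script: it summarises such lines by source address and interface and tags obviously bogus sources. The sample log lines are constructed for the example; on a real box feed it dmesg or /var/log/messages.

```shell
#!/bin/sh
# Added example (not from the original post): triage of log_martians output.
# MARTIAN_SAMPLE is constructed; real lines come from dmesg / syslog.
MARTIAN_SAMPLE='Mar  3 10:15:01 gw kernel: [  123.456789] IPv4: martian source 10.0.0.5 from 203.0.113.9, on dev eth0
Mar  3 10:15:01 gw kernel: [  123.456790] ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
Mar  3 10:15:02 gw kernel: [  124.000001] IPv4: martian source 10.0.0.5 from 127.0.0.1, on dev eth0
Mar  3 10:15:03 gw kernel: [  125.100000] IPv4: martian source 10.0.0.5 from 203.0.113.9, on dev eth0
Mar  3 10:16:00 gw kernel: [  182.500000] IPv4: martian destination 224.0.0.1 from 10.0.0.7, dev eth1
Mar  3 10:16:05 gw kernel: martian source 10.0.0.5 from 0.0.0.1, on dev eth0'

# classify_src ADDR: coarse label for a source address seen in a martian line.
# A loopback, this-net or multicast *source* can only be a spoof or a bug.
classify_src() {
    case $1 in
        127.*)                 echo loopback ;;
        0.*)                   echo this-net ;;
        22[4-9].*|23[0-9].*)   echo multicast ;;
        255.255.255.255)       echo broadcast ;;
        *)                     echo other ;;
    esac
}

# martian_summary < LOG
# Prints "COUNT KIND SADDR IFACE CLASS", most frequent first, where KIND is
# "source" or "destination" (which part of the packet the kernel objected to)
# and SADDR is the address after "from", i.e. the packet's source address.
# "ll header" continuation lines and unrelated log lines are ignored.
martian_summary() {
    awk '
        /martian (source|destination)/ {
            kind = ($0 ~ /martian source/) ? "source" : "destination"
            src = ""; dev = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { src = $(i + 1); sub(/,$/, "", src) }
                if ($i == "dev")  { dev = $(i + 1) }
            }
            if (src != "" && dev != "") count[kind " " src " " dev]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn | while read -r n kind src dev; do
        printf '%s %s %s %s %s\n' "$n" "$kind" "$src" "$dev" "$(classify_src "$src")"
    done
}

# Usage: printf '%s\n' "$MARTIAN_SAMPLE" | martian_summary
#    or: dmesg | martian_summary
```

With rp_filter set to 1 as in the script, a line like "martian source 10.0.0.5 from 203.0.113.9, on dev eth0" means a packet claiming to come from 203.0.113.9 arrived on eth0 although the routing table would never send traffic to that address through eth0; a steady stream of them from one interface is either spoofing or an asymmetric route that strict mode is now breaking, and the summary tells you which interface and source to look at.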
The description of each parameter follows, quoted from the kernel's ip-sysctl.txt and deliberately left untranslated to avoid ambiguity (the entries are in the same order as the script above).
icmp_echo_ignore_broadcasts - BOOLEAN
    If set non-zero, then the kernel will ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast.
    Default: 1

accept_source_route - BOOLEAN
    Accept packets with SRR option.
    conf/all/accept_source_route must also be set to TRUE to accept packets with SRR option on the interface.
    default TRUE (router)
            FALSE (host)

tcp_syncookies - BOOLEAN
    Only valid when the kernel was compiled with CONFIG_SYNCOOKIES.
    Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'SYN flood attack'.
    Default: FALSE

    Note, that syncookies is fallback facility. It MUST NOT be used to help highly loaded servers to stand against legal connection rate. If you see SYN flood warnings in your logs, but investigation shows that they occur because of overload with legal connections, you should tune another parameters until this warning disappear. See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

    syncookies seriously violate TCP protocol, do not allow to use TCP extensions, can result in serious degradation of some services (f.e. SMTP relaying), visible not by you, but your clients and relays, contacting you. While you see SYN flood warnings in logs not being really flooded, your server is seriously misconfigured.

accept_redirects - BOOLEAN
    Accept ICMP redirect messages.
    accept_redirects for the interface will be enabled if:
    - both conf/{all,interface}/accept_redirects are TRUE in the case forwarding for the interface is enabled
    or
    - at least one of conf/{all,interface}/accept_redirects is TRUE in the case forwarding for the interface is disabled
    accept_redirects for the interface will be disabled otherwise.
    default TRUE (host)
            FALSE (router)

send_redirects - BOOLEAN
    Send redirects, if router.
    send_redirects for the interface will be enabled if at least one of conf/{all,interface}/send_redirects is set to TRUE, it will be disabled otherwise.
    Default: TRUE

rp_filter - INTEGER
    0 - No source validation.
    1 - Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
    2 - Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

    Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.

    The max value from conf/{all,interface}/rp_filter is used when doing source validation on the {interface}.

    Default value is 0. Note that some distributions enable it in startup scripts.

log_martians - BOOLEAN
    Log packets with impossible addresses to kernel log.
    log_martians for the interface will be enabled if at least one of conf/{all,interface}/log_martians is set to TRUE, it will be disabled otherwise.

ip_dynaddr - BOOLEAN
    If set non-zero, enables support for dynamic addresses.
    If set to a non-zero value larger than 1, a kernel log message will be printed when dynamic address rewriting occurs.
    Default: 0

tcp_ecn - INTEGER
    Enable Explicit Congestion Notification (ECN) in TCP. ECN is only used when both ends of the TCP flow support it. It is useful to avoid losses due to congestion (when the bottleneck router supports ECN).
    Possible values are:
        0 Disable ECN. Neither initiate nor accept ECN.
        1 Enable ECN when requested by incoming connections and also request ECN on outgoing connection attempts.
        2 Enable ECN when requested by incoming connections but do not request ECN on outgoing connections.
    Default: 2
As with the iptables script, most Linux distributions ship their own sysctl mechanism, usually /etc/sysctl.conf, and for the sake of a uniform system you can translate the settings above into sysctl syntax (net.ipv4.conf.all.rp_filter = 1 and so on) and fold them in there. Two things to watch when doing so: sysctl.conf cannot glob, so the conf/* loops become explicit net.ipv4.conf.all.* and net.ipv4.conf.default.* entries (all is combined with each interface's own value according to the per-parameter rules quoted above, and default seeds every interface created afterwards), and an interface name that itself contains a dot, such as a VLAN sub-interface eth0.100, has to be written with slashes, e.g. net/ipv4/conf/eth0.100/rp_filter, so that sysctl does not split the name.
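The following is an added example, not code from this post's rc.sysctl: it keeps the hardening settings as data so that one POSIX sh file can print them in /etc/sysctl.conf syntax, apply them, and audit a machine for drift (the audit reads /proc/sys, or any directory laid out like it, so it can be tested against a constructed tree without root). The conf/* glob of the script is expanded to conf/all plus conf/default for the reasons given above; ip_dynaddr and tcp_ecn are left out because they are compatibility knobs rather than hardening. All function names here are my own.

```shell
#!/bin/sh
# Added example (not the original rc.sysctl): the hardening parameters as
# "path value" pairs relative to /proc/sys, plus helpers to print them as
# sysctl.conf lines, apply them, and audit a tree for drift.
# conf/* from the script is spelled out as conf/all and conf/default:
# sysctl.conf has no globbing, and conf/default seeds interfaces that
# appear after boot.  ip_dynaddr and tcp_ecn are intentionally omitted.
PARAMS='
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/conf/all/accept_source_route 0
net/ipv4/conf/default/accept_source_route 0
net/ipv4/tcp_syncookies 1
net/ipv4/conf/all/accept_redirects 0
net/ipv4/conf/default/accept_redirects 0
net/ipv4/conf/all/send_redirects 0
net/ipv4/conf/default/send_redirects 0
net/ipv4/conf/all/rp_filter 1
net/ipv4/conf/default/rp_filter 1
net/ipv4/conf/all/log_martians 1
net/ipv4/conf/default/log_martians 1
'

# proc_to_key PATH: /proc/sys/net/ipv4/conf/all/rp_filter -> net.ipv4.conf.all.rp_filter
# (a leading /proc/sys/ is optional; PARAMS entries have none)
proc_to_key() {
    printf '%s\n' "${1#/proc/sys/}" | tr '/' '.'
}

# each_param FUNC: call "FUNC PATH VALUE" for every PARAMS entry, in this
# shell (here-document, not a pipe) so callbacks may update globals.
each_param() {
    while read -r path value; do
        if [ -n "$path" ]; then
            "$1" "$path" "$value"
        fi
    done <<EOF
$PARAMS
EOF
}

_print_one() { printf '%s = %s\n' "$(proc_to_key "$1")" "$2"; }

# gen_sysctl_conf: print PARAMS in /etc/sysctl.conf syntax
gen_sysctl_conf() { each_param _print_one; }

_apply_one() {
    dir=$APPLY_ROOT/${1%/*}
    [ -d "$dir" ] || mkdir -p "$dir"      # no-op on a real /proc/sys
    printf '%s\n' "$2" > "$APPLY_ROOT/$1"
}

# apply_sysctl [ROOT]: write every value under ROOT (default /proc/sys, needs root)
apply_sysctl() {
    APPLY_ROOT=${1:-/proc/sys}
    each_param _apply_one
}

_audit_one() {
    key=$(proc_to_key "$1")
    if [ ! -r "$AUDIT_ROOT/$1" ]; then
        printf 'MISSING %s\n' "$key"
        AUDIT_BAD=$((AUDIT_BAD + 1))
    elif [ "$(cat "$AUDIT_ROOT/$1")" != "$2" ]; then
        printf 'DRIFT %s = %s (expected %s)\n' "$key" "$(cat "$AUDIT_ROOT/$1")" "$2"
        AUDIT_BAD=$((AUDIT_BAD + 1))
    fi
}

# audit_sysctl [ROOT]: report every parameter under ROOT that is missing or
# differs from PARAMS; returns 0 only when everything matches.
audit_sysctl() {
    AUDIT_ROOT=${1:-/proc/sys}
    AUDIT_BAD=0
    each_param _audit_one
    [ "$AUDIT_BAD" -eq 0 ]
}

# Usage:  gen_sysctl_conf >> /etc/sysctl.conf      (review before appending)
#         apply_sysctl                             (as root)
#         audit_sysctl || echo "hardening has drifted"
```

Running audit_sysctl from cron or a monitoring check is the cheap way to notice that some later package, container runtime or hand edit has turned accept_redirects or rp_filter back off; the per-interface entries (net.ipv4.conf.eth0.*) are deliberately not in the list because their effective value already follows from all and the interface's own setting as described in ip-sysctl.txt.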
The rest of this post only covers using the script on Slackware.
Slackware keeps its rc scripts in /etc/rc.d/, so first copy the template there under the name rc.sysctl:
    cp rc.sysctl.ref /etc/rc.d/rc.sysctl
Make the new script executable:
    chmod +x /etc/rc.d/rc.sysctl
Its timing is less critical than that of rc.iptables, so it is fine to run it from /etc/rc.d/rc.local, which Slackware executes at the end of the boot sequence. One thing to keep in mind: the conf/* globs only touch the interfaces that exist at that moment; interfaces created later (tunnels, bridges, hot-plugged devices) start from the values in conf/default, which the loops also set, so they come up hardened as well.
Edit rc.local and add:
    # Initialize some networking parameters.
    if [ -x /etc/rc.d/rc.sysctl ]; then
        . /etc/rc.d/rc.sysctl start
    fi