RHEL Security Kernel Tuning

Manuel Arostegui Ramirez manuel at todo-linux.com
Fri May 18 17:59:05 UTC 2007


On Friday, 18 May 2007 16:08, John J. Culkin wrote:
> All:
>
> Has anyone implemented any Kernel tuning for security?
>
> I am considering the changes listed on this page (for RHEL 3, 4 and 5):
>
> http://www.puschitz.com/SecuringLinux.shtml#KernelTunableSecurityParameters
>
> Any tips on what I should look out for if I make these changes? Also other
> tips are welcome.
>
> -- John C.
>

Hi John, 
I have been doing some sort of kernel hardening on my machines for several 
years, and in general I usually set up these values:
(Obviously, you should know what all the rules below do and understand the 
values' meanings; if not, you might run into some kind of unexpected 
behaviour.)

/proc/sys/net/ipv4/conf/all/accept_redirects:0
/proc/sys/net/ipv4/conf/all/accept_source_route:0
/proc/sys/net/ipv4/conf/all/send_redirects:0
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts:1
/proc/sys/net/ipv4/ip_forward:0
/proc/sys/net/ipv4/ipfrag_time:30
/proc/sys/net/ipv4/tcp_keepalive_intvl:35
/proc/sys/net/ipv4/tcp_keepalive_probes:4
/proc/sys/net/ipv4/tcp_orphan_retries:3
/proc/sys/net/ipv4/tcp_max_orphans:8192
/proc/sys/net/ipv4/tcp_max_syn_backlog:1024
/proc/sys/net/ipv4/tcp_max_tw_buckets:200000
/proc/sys/net/ipv4/tcp_sack:1
/proc/sys/net/ipv4/tcp_syn_retries:4
/proc/sys/net/ipv4/tcp_abort_on_overflow:0
/proc/sys/net/ipv4/neigh/default/gc_stale_time:60

If you have any doubt about any of these, please let me know and I'll try to 
give you a hand.

All the best.
Manuel

-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
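As an added example (not part of Manuel's message or the list archive): a POSIX shell helper that turns the /proc/sys paths above into sysctl.conf keys, reports which live values drift from the recommended ones, and emits a fragment for /etc/sysctl.conf so the settings survive a reboot. The root-prefix argument to audit_sysctl is an assumption added for offline testing; on a live host it is the empty string.

```shell
#!/bin/sh
# Audit helper for the kernel settings listed in the message (added example).

# path:value pairs, copied from the message above.
RECOMMENDED='
/proc/sys/net/ipv4/conf/all/accept_redirects:0
/proc/sys/net/ipv4/conf/all/accept_source_route:0
/proc/sys/net/ipv4/conf/all/send_redirects:0
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts:1
/proc/sys/net/ipv4/ip_forward:0
/proc/sys/net/ipv4/ipfrag_time:30
/proc/sys/net/ipv4/tcp_keepalive_intvl:35
/proc/sys/net/ipv4/tcp_keepalive_probes:4
/proc/sys/net/ipv4/tcp_orphan_retries:3
/proc/sys/net/ipv4/tcp_max_orphans:8192
/proc/sys/net/ipv4/tcp_max_syn_backlog:1024
/proc/sys/net/ipv4/tcp_max_tw_buckets:200000
/proc/sys/net/ipv4/tcp_sack:1
/proc/sys/net/ipv4/tcp_syn_retries:4
/proc/sys/net/ipv4/tcp_abort_on_overflow:0
/proc/sys/net/ipv4/neigh/default/gc_stale_time:60
'

# /proc/sys/net/ipv4/ip_forward -> net.ipv4.ip_forward (sysctl.conf key form)
to_key() { printf '%s\n' "${1#/proc/sys/}" | tr '/' '.'; }

# Print one line per setting that differs from the recommendation:
#   <key> current=<value|missing> expected=<value>
# $1 is a root prefix: "" for the live system, a directory for offline tests.
audit_sysctl() {
  printf '%s\n' "$RECOMMENDED" | while IFS=: read -r path want; do
    [ -n "$path" ] || continue
    file="$1$path"
    if [ -r "$file" ]; then cur=$(tr -d '[:space:]' < "$file"); else cur=missing; fi
    [ "$cur" = "$want" ] ||
      printf '%s current=%s expected=%s\n' "$(to_key "$path")" "$cur" "$want"
  done
}

# Emit the same list as /etc/sysctl.conf lines (applied at boot and by 'sysctl -p').
emit_sysctl_conf() {
  printf '%s\n' "$RECOMMENDED" | while IFS=: read -r path want; do
    [ -n "$path" ] || continue
    printf '%s = %s\n' "$(to_key "$path")" "$want"
  done
}

# Live usage:  audit_sysctl "" ; emit_sysctl_conf > /etc/sysctl.d/hardening.conf
```

Settings written through /proc/sys are lost at reboot, so the emitted fragment is what actually keeps the hardening in place.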
