Network service options
To improve system security, there are several network options that you can change with the no command. Most of them are switches, set with 0 to disable and 1 to enable; a few take a numeric value. The following table lists the parameters, the command that sets each one, and what the setting does.
Parameter | Command | Purpose
--- | --- | ---
arpt_killc | /usr/sbin/no -o arpt_killc=5 | ARP entry time-out in minutes; the default is 20. Reduce it to between 1 and 5 minutes so that a poisoned ARP cache entry expires quickly, which shortens the window an ARP cache poisoning attack has to work in.
bcastping | /usr/sbin/no -o bcastping=0 | Allows responses to ICMP echo requests sent to the broadcast address. Disabling this stops the host from acting as an amplifier in Smurf attacks.
clean_partial_conns | /usr/sbin/no -o clean_partial_conns=1 | Specifies whether half-open (SYN_RCVD) connections are randomly dropped from a full listen queue so that new connection requests can still be accepted. Enable it to mitigate SYN flood attacks.
directed_broadcast | /usr/sbin/no -o directed_broadcast=0 | Specifies whether a directed broadcast may be forwarded to a gateway. Setting it to 0 keeps the host from relaying directed broadcast packets to a remote network, another Smurf amplification path.
icmpaddressmask | /usr/sbin/no -o icmpaddressmask=0 | Specifies whether the system answers ICMP address mask requests. Disabling this stops the host from disclosing its subnet mask to a remote scanner.
ipforwarding | /usr/sbin/no -o ipforwarding=0 | Specifies whether the kernel forwards IP packets between its interfaces. Disable it on any host that is not meant to be a router so it cannot be used to relay packets into another network.
ipignoreredirects | /usr/sbin/no -o ipignoreredirects=1 | Specifies whether received ICMP redirects are ignored. Enable it so that a forged redirect cannot rewrite the host's routing table and divert its traffic.
ipsendredirects | /usr/sbin/no -o ipsendredirects=0 | Specifies whether the kernel sends ICMP redirect messages. A host that does not route has no reason to send them.
ip6srcrouteforward | /usr/sbin/no -o ip6srcrouteforward=0 | Specifies whether the system forwards source-routed IPv6 packets. Disabling this prevents the host from being used in source routing attacks.
ipsrcrouteforward | /usr/sbin/no -o ipsrcrouteforward=0 | Specifies whether the system forwards source-routed IPv4 packets. Disabling this prevents the host from being used in source routing attacks.
ipsrcrouterecv | /usr/sbin/no -o ipsrcrouterecv=0 | Specifies whether the system accepts source-routed packets addressed to it. Disabling this prevents access through source routing attacks.
ipsrcroutesend | /usr/sbin/no -o ipsrcroutesend=0 | Specifies whether applications can send source-routed packets. Disabling this prevents the host from originating source routing attacks.
nonlocsrcroute | /usr/sbin/no -o nonlocsrcroute=0 | Tells IP that strictly source-routed packets may be addressed to hosts outside the local network. Disabling this prevents access through source routing attacks.
tcp_icmpsecure | /usr/sbin/no -o tcp_icmpsecure=1 | Protects TCP connections against ICMP (Internet Control Message Protocol) source quench and PMTUD (Path MTU Discovery) attacks by checking that the TCP sequence number carried in the ICMP payload falls within the connection's acceptable window before acting on the message. Values: 0 = off (default); 1 = on.
ip_nfrag | /usr/sbin/no -o ip_nfrag=200 | Maximum number of fragments of one IP packet that may be held on the IP reassembly queue at a time (the default of 200 keeps up to 200 fragments). Bounding it limits the memory a fragment flood can tie up while reassembly waits for the missing pieces.
rfc1122addrchk | /usr/sbin/no -o rfc1122addrchk=0 | Specifies whether RFC 1122 address validation is performed; the default is to allow. Set it to 0 to block incoming and outgoing SYN packets aimed at loopback and multicast addresses.
rfc1323 | /usr/sbin/no -o rfc1323=1 | Enables the RFC 1323 TCP extensions (window scaling and timestamps). A value of 1 lets tcp_sendspace and tcp_recvspace exceed 64 KB. Default 0.
tcp_mssdflt | /usr/sbin/no -o tcp_mssdflt=1370 | Default maximum segment size used when communicating with remote networks, that is, whenever path MTU discovery is off or fails. Default 512; range 512 to (MTU of the local network - 64). The change takes effect immediately but lasts only until the next boot unless made permanent (see the note below the table). Diagnosis: N/A. Tuning: increase if practical.
tcp_conn_request_max | 20-500 | Maximum number of concurrent TCP connection requests (recommended range 20 to 500).
tcp_recvspace | /usr/sbin/no -o tcp_recvspace= | Default size of the TCP socket receive buffer. Default 16384; range 0 to 64 KB if rfc1323=0, 0 to 4 GB if rfc1323=1. Must be less than or equal to sb_max. Should equal tcp_sendspace and be uniform on all frequently accessed AIX systems.
sb_max | /usr/sbin/no -o sb_max= | Upper limit on the buffer space a single socket may use. tcp_sendspace and tcp_recvspace must be less than or equal to it; raise sb_max first if those buffers need to grow. Keep it uniform on all frequently accessed AIX systems.
tcp_syn_rcvd_max | 500 | Maximum number of half-open connections (SYN_RCVD state) the system holds. SYN flooding is used in denial of service attacks; capping the half-open queue bounds the resources a flood can consume.
tcp_sendspace | /usr/sbin/no -o tcp_sendspace= | Default size of the TCP socket send buffer. Same default and range as tcp_recvspace; must be less than or equal to sb_max and should equal tcp_recvspace.
tcp_tcpsecure | /usr/sbin/no -o tcp_tcpsecure=7 | Protects established TCP connections against blind spoofing. The value is a bitmask: 1 = reject a forged SYN sent to an established connection, 2 = reject a forged RST, 4 = reject data injected into an established connection; 3, 5, 6 and 7 combine these, so 7 enables all three. 0 = no protection (default).
tcp_pmtu_discover | /usr/sbin/no -o tcp_pmtu_discover=0 | Enables or disables path MTU discovery for TCP. Disabling it removes the dependency on ICMP "fragmentation needed" messages, which an attacker can forge to shrink the path MTU or disrupt a connection (tcp_icmpsecure=1 is the alternative that validates those messages instead). With discovery off, connections to remote networks use tcp_mssdflt, so set that value sensibly.
udp_pmtu_discover | /usr/sbin/no -o udp_pmtu_discover=0 | Enables or disables path MTU discovery for UDP applications. The same forged-ICMP concern applies as for tcp_pmtu_discover.

A value set with no -o takes effect immediately but is lost at the next boot. The method this page uses to make it permanent is to add the no command to /etc/rc.net. On AIX 5.2 and later the tunables framework also accepts /usr/sbin/no -p -o parameter=value, which sets the running value and records it in /etc/tunables/nextboot.
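The following POSIX shell script is an added example, not IBM's or AIX's own tooling and not part of the original page. It audits a saved copy of no -a output against the hardened values in the table above, prints the no -p -o command needed for each parameter that has drifted, and decodes a tcp_tcpsecure bitmask into the protections it enables. It assumes the "   name = value" line format that no -a prints and that no -p persists the value on AIX 5.2 and later; the sample no -a output embedded below is constructed for the example so that it runs offline.

```sh
#!/bin/sh
# Added example for this page (not IBM/AIX tooling). On a real host capture the
# live values first:   /usr/sbin/no -a > /tmp/no-current.txt
# and pass that file to the functions below.

# Hardened values from the table above, one param=value per line.
WANT='arpt_killc=5
bcastping=0
clean_partial_conns=1
directed_broadcast=0
icmpaddressmask=0
ipforwarding=0
ipignoreredirects=1
ipsendredirects=0
ip6srcrouteforward=0
ipsrcrouteforward=0
ipsrcrouterecv=0
ipsrcroutesend=0
nonlocsrcroute=0
tcp_icmpsecure=1
tcp_tcpsecure=7
tcp_pmtu_discover=0
udp_pmtu_discover=0'

# Constructed sample of "no -a" output (assumed "   name = value" format) for a
# host that has drifted from the table. ip6srcrouteforward is deliberately
# absent to exercise the missing-parameter path. Values are made up.
SAMPLE='          arpt_killc = 20
           bcastping = 1
 clean_partial_conns = 0
  directed_broadcast = 0
     icmpaddressmask = 0
        ipforwarding = 0
   ipignoreredirects = 0
     ipsendredirects = 1
   ipsrcrouteforward = 1
      ipsrcrouterecv = 0
      ipsrcroutesend = 1
      nonlocsrcroute = 1
      tcp_icmpsecure = 0
       tcp_tcpsecure = 0
   tcp_pmtu_discover = 1
   udp_pmtu_discover = 1'

# current_value FILE PARAM: print PARAM's value from saved "no -a" output,
# or "(unset)" when the parameter does not appear in the file.
current_value() {
    awk -v p="$2" '
        $1 == p && $2 == "=" { print $3; found = 1; exit }
        END { if (!found) print "(unset)" }' "$1"
}

# drifted FILE: print "param current wanted" for each parameter whose current
# value differs from WANT. The here-document keeps the loop in this shell.
drifted() {
    while IFS='=' read -r param want; do
        have=$(current_value "$1" "$param")
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$param" "$have" "$want"
    done <<EOF
$WANT
EOF
}

# drift_count FILE: number of drifted parameters (0 means compliant).
drift_count() {
    drifted "$1" | wc -l | tr -d ' '
}

# fix_commands FILE: emit the no command that corrects each drifted parameter.
# -p sets the running value and records it in /etc/tunables/nextboot
# (AIX 5.2 and later), so the fix survives a reboot.
fix_commands() {
    drifted "$1" | while read -r param have want; do
        printf '/usr/sbin/no -p -o %s=%s\n' "$param" "$want"
    done
}

# tcpsecure_flags VALUE: decode a tcp_tcpsecure bitmask into the protections it
# enables (1 = forged SYN, 2 = forged RST, 4 = data injection; 7 = all three).
tcpsecure_flags() {
    v=$1
    out=""
    [ $((v & 1)) -ne 0 ] && out="$out syn"
    [ $((v & 2)) -ne 0 ] && out="$out rst"
    [ $((v & 4)) -ne 0 ] && out="$out data"
    printf '%s\n' "${out# }"
}

# Stand-alone run against the embedded sample.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE" > "$demo_file"
echo "drifted parameters: $(drift_count "$demo_file")"
drifted "$demo_file"
fix_commands "$demo_file"
echo "tcp_tcpsecure=7 enables: $(tcpsecure_flags 7)"
rm -f "$demo_file"
```

On a real host, replace the embedded sample with the file written by no -a; a parameter reported as "(unset)" is one the running release does not expose, so check the release's no documentation before scripting a fix for it. The bitmask decoder is there because a tcp_tcpsecure value of 3 looks complete but leaves data injection unprotected; only 7 covers all three cases listed in the table.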