Proteger SYSCTL contra ataques de SYN FLOODS en Linux

El comando sysctl es usado para visualizar, configurar y automatizar configuraciones del kernel en el directorio /proc/sys/. Un ataque posible es el SYN FlOODS (Ver el Punto 3.0 donde se explica este tipo de ataque).

Para proteger Sysctl de este tipo de ataques debemos ejecutar:

cd /etc
nano /etc/sysctl.conf

Comentar lo que tenga y colocar:

#Kernel sysctl configuration file for Red Hat Linux
 #
 # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
 # sysctl.conf(5) for more details.
 # Disables packet forwarding
 net.ipv4.ip_forward=0
 # Disables IP source routing
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.lo.accept_source_route = 0
 net.ipv4.conf.eth0.accept_source_route = 0
 net.ipv4.conf.default.accept_source_route = 0
 # Enable IP spoofing protection, turn on source route verification
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.lo.rp_filter = 1
 net.ipv4.conf.eth0.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
 # Disable ICMP Redirect Acceptance
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.lo.accept_redirects = 0
 net.ipv4.conf.eth0.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
 net.ipv4.conf.all.log_martians = 0
 net.ipv4.conf.lo.log_martians = 0
 net.ipv4.conf.eth0.log_martians = 0
 # Disables IP source routing
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.lo.accept_source_route = 0
 net.ipv4.conf.eth0.accept_source_route = 0
 # Enable IP spoofing protection, turn on source route verification
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.lo.rp_filter = 1
 net.ipv4.conf.eth0.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
 # Disable ICMP Redirect Acceptance
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.lo.accept_redirects = 0
 net.ipv4.conf.eth0.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 # Disables the magic-sysrq key
 kernel.sysrq = 0
 # Decrease the time default value for tcp_fin_timeout connection
 net.ipv4.tcp_fin_timeout = 15
 # Decrease the time default value for tcp_keepalive_time connection
 net.ipv4.tcp_keepalive_time = 1800
 # Turn off the tcp_window_scaling
 net.ipv4.tcp_window_scaling = 0
 # Turn off the tcp_sack
 net.ipv4.tcp_sack = 0
 # Turn off the tcp_timestamps
 net.ipv4.tcp_timestamps = 0
 # Enable TCP SYN Cookie Protection
 net.ipv4.tcp_syncookies = 1
 # Enable ignoring broadcasts request
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 # Enable bad error message Protection
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 # Log Spoofed Packets, Source Routed Packets, Redirect Packets
 net.ipv4.conf.all.log_martians = 1
 # Increases the size of the socket queue (effectively, q0).
 net.ipv4.tcp_max_syn_backlog = 1024
 # Increase the tcp-time-wait buckets pool size
 net.ipv4.tcp_max_tw_buckets = 1440000
 # Allowed local port range
 net.ipv4.ip_local_port_range = 16384 65536
 

Salir y Guardar