Archive for the tag 'Kernel'

SBDavid

Kernel Tunable Security Parameters

To activate the configured kernel parameters immediately at runtime, use:

# sysctl -p

The following list shows tunable kernel parameters you can use to secure your Linux server against attacks.

For each tunable kernel parameter, we show the entry that needs to be added to the /etc/sysctl.conf configuration file to make the change persist across reboots.

Enable TCP SYN Cookie Protection

A “SYN Attack” is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.tcp_syncookies = 1

Disable IP Source Routing

Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network administrators for diagnosing problems.

However, if an intruder were able to send a source-routed packet into the network, they could intercept the replies, and your server might not know that it is not communicating with a trusted server.

To disable IP Source Routing, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_source_route = 0
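
An added example, not code from the original post: a small POSIX shell audit that checks a sysctl.conf-style file for the two settings above and, when given a /proc/sys-style directory, also compares the live values, which catches a file that was edited without running sysctl -p. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two settings shown on
# this page in a sysctl.conf-style file and, optionally, in a /proc/sys tree.

# Expected key=value pairs, taken from the page.
EXPECTED='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0'

# conf_value FILE KEY: print the last value assigned to KEY in FILE.
# Comment lines (# or ;) are skipped; a later assignment overrides an earlier one.
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2
          gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
          if (k == key) last = v }
        END { if (last != "") print last }' "$1"
}

# audit_sysctl FILE [PROCROOT]: print one line per finding and return the
# number of findings (0 means compliant). PROCROOT is normally /proc/sys.
audit_sysctl() {
    file=$1; procroot=${2:-}; findings=0
    for entry in $EXPECTED; do
        key=${entry%%=*}; want=${entry#*=}
        have=$(conf_value "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key not set in $file (want $want)"
            findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key = $have in $file (want $want)"
            findings=$((findings + 1))
        fi
        [ -n "$procroot" ] || continue
        live=$(cat "$procroot/$(echo "$key" | tr . /)" 2>/dev/null) || live=unreadable
        if [ "$live" != "$want" ]; then
            echo "RUNTIME $key = $live (want $want; reload with sysctl -p)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: syncookies is enabled, then overridden by a later line.
sample=$(mktemp)
printf '%s\n' 'net.ipv4.tcp_syncookies = 1' 'net.ipv4.tcp_syncookies=0' > "$sample"
audit_sysctl "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a real host the call would be audit_sysctl /etc/sysctl.conf /proc/sys.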

SBDavid

Kernel Modules

To find out what a particular driver/module does, the modinfo command can be used in many cases:

root@:~# modinfo -d i915
Intel Graphics

modinfo — program to show information about a Linux Kernel module

root@:~# modinfo -d soundcore
Core sound module

modinfo extracts information from the Linux Kernel modules given on the command line. If the module name is not a filename, then the /lib/modules/version directory is searched, as done by modprobe(8).

root@:~# modinfo -d ext3
Second Extended Filesystem with journaling extensions

To set parameters during module loads, you can add entries to /etc/modprobe.conf on RHEL or /etc/modprobe.conf.local on SLES.
