tune2fs - adjust tunable filesystem parameters on ext2/ext3/ext4 filesystems
tune2fs allows the system administrator to adjust various tunable filesystem parameters on Linux ext2, ext3, or ext4 filesystems.
The current values of these options can be displayed by using the -l option to tune2fs(8) program, or by using the dumpe2fs(8) program.
Adjust the number of mounts after which the filesystem will be checked by e2fsck(8). If max-mount-counts is 0 or -1, the number of times the filesystem is mounted will be disregarded by e2fsck(8) and the kernel.Staggering the mount-counts at which filesystems are forcibly checked will avoid all filesystems being checked at one time when using journaled filesystems.
Set the number of times the filesystem has been mounted. If set to a greater value than the max-mount-counts parameter set by the -c option, e2fsck(8) will check the filesystem at the next reboot.
Getting the current Values:
[root@proxy ~]# tune2fs -l /dev/sdb1 |grep count
Inode count: 655360
Block count: 2620595
Reserved block count: 131029
Mount count: 12
Maximum mount count: 26
[root@proxy ~]#
Example:
So for a system that contains 5 partitions and is booted approximately once a month you could do the following to stagger the mount counts:
tune2fs -c 5 -C 0 partition1
tune2fs -c 5 -C 1 partition2
tune2fs -c 5 -C 2 partition3
tune2fs -c 5 -C 3 partition4
tune2fs -c 5 -C 4 partition5
sysctl tunable parameters
If you need Linux to ignore ping requests, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_echo_ignore_all = 1
If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_echo_ignore_broadcasts = 1
To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_ignore_bogus_error_responses = 1
To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.log_martians = 1
Kernel Tunable Security Parameters
To activate the configured kernel parameters immediately at runtime, use:
The following list shows tunable kernel parameters you can use to secure your Linux server against attacks.
For each tunable kernel parameters we will show the entry that needs to be added to the /etc/sysctl.conf configuration file to make the change permanent after reboots.
Enable TCP SYN Cookie Protection
A “SYN Attack” is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.
To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.tcp_syncookies = 1
Disable IP Source Routing
Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network people for diagnosing problems.
However, if an intruder was able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it’s not communicating with a trusted server.
To enable Source Route Verification, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.accept_source_route = 0
