On Friday, 18 May 2007 16:08, John J. Culkin wrote:
> All:
>
> Has anyone implemented any Kernel tuning for security?
>
> I am considering the changes listed on this page (for RHEL 3, 4 and 5):
>
> http://www.puschitz.com/SecuringLinux.shtml#KernelTunableSecurityParameters
>
> Any tips on what I should look out for if I make these changes? Also other
> tips are welcome.
>
> -- John C.
>

Hi John,

I have been doing some sort of kernel hardening on my machines for several years, and in general, I'm used to setting up these values:

(Obviously, you should know what all the rules below do, and understand the values' meanings; if not, you might find some kind of unexpected behaviour.)

/proc/sys/net/ipv4/conf/all/accept_redirects:0
/proc/sys/net/ipv4/conf/all/accept_source_route:0
/proc/sys/net/ipv4/conf/all/send_redirects:0
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts:1
/proc/sys/net/ipv4/ip_forward:0
/proc/sys/net/ipv4/ipfrag_time:30
/proc/sys/net/ipv4/tcp_keepalive_intvl:35
/proc/sys/net/ipv4/tcp_keepalive_probes:4
/proc/sys/net/ipv4/tcp_orphan_retries:3
/proc/sys/net/ipv4/tcp_max_orphans:8192
/proc/sys/net/ipv4/tcp_max_syn_backlog:1024
/proc/sys/net/ipv4/tcp_max_tw_buckets:200000
/proc/sys/net/ipv4/tcp_sack:1
/proc/sys/net/ipv4/tcp_syn_retries:4
/proc/sys/net/ipv4/tcp_abort_on_overflow:0
/proc/sys/net/ipv4/neigh/default/gc_stale_time:60

If you have any doubt about any of these, please let me know and I'll try to give you a hand.

All the best.
Manuel
--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues.
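
The baseline listed in the reply above, turned into a check that a host can be audited against. This is an added example, not part of the original message; the function names and the optional tree argument of `audit` are assumptions made for the example.

```shell
# Added example: baseline copied from the message in its /proc/sys/<path>:<value> form.
BASELINE='/proc/sys/net/ipv4/conf/all/accept_redirects:0
/proc/sys/net/ipv4/conf/all/accept_source_route:0
/proc/sys/net/ipv4/conf/all/send_redirects:0
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts:1
/proc/sys/net/ipv4/ip_forward:0
/proc/sys/net/ipv4/ipfrag_time:30
/proc/sys/net/ipv4/tcp_keepalive_intvl:35
/proc/sys/net/ipv4/tcp_keepalive_probes:4
/proc/sys/net/ipv4/tcp_orphan_retries:3
/proc/sys/net/ipv4/tcp_max_orphans:8192
/proc/sys/net/ipv4/tcp_max_syn_backlog:1024
/proc/sys/net/ipv4/tcp_max_tw_buckets:200000
/proc/sys/net/ipv4/tcp_sack:1
/proc/sys/net/ipv4/tcp_syn_retries:4
/proc/sys/net/ipv4/tcp_abort_on_overflow:0
/proc/sys/net/ipv4/neigh/default/gc_stale_time:60'

# Print the baseline as sysctl.conf lines, e.g. "net.ipv4.ip_forward = 0".
# Mapping "/" to "." is safe here: no path holds a dotted interface name.
to_sysctl_conf() {
    while IFS=: read -r path want; do
        key=$(printf '%s' "${path#/proc/sys/}" | tr / .)
        printf '%s = %s\n' "$key" "$want"
    done <<EOF
$BASELINE
EOF
}

# Compare live values with the baseline. The optional argument is the tree to
# read (defaults to /proc/sys). Non-zero status means drift or a missing tunable.
audit() {
    root=${1:-/proc/sys}; fail=0
    while IFS=: read -r path want; do
        file="$root/${path#/proc/sys/}"
        if [ ! -r "$file" ]; then
            printf 'MISSING %s\n' "$path"; fail=1; continue
        fi
        have=$(cat "$file")
        if [ "$have" = "$want" ]; then
            printf 'OK      %s = %s\n' "$path" "$have"
        else
            printf 'DRIFT   %s = %s (baseline %s)\n' "$path" "$have" "$want"; fail=1
        fi
    done <<EOF
$BASELINE
EOF
    [ "$fail" -eq 0 ]
}
```

Source the file and run `audit` on the host; appending the output of `to_sysctl_conf` to /etc/sysctl.conf keeps the values across reboots.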