[네트워크][보안] 각종 DoS 공격에 대처하기 위한 리눅스 튜닝 설정
아래의 설정을 추가하였습니다.
아래의 설정은 ICMP 기반의 DoS 공격뿐만 아니라 TCP 기반의
SYN Flooding 공격에 대비하기 위한 서버 설정값입니다. 단, /proc/sys 에 직접 기록한 값은 재부팅 시 초기화되므로 영구 적용이 필요하면 동일한 항목을 /etc/sysctl.conf 에도 등록해야 하며, 일부 항목(icmp_*_rate, ip_always_defrag 등)은 구버전 커널에만 존재하므로 현재 커널의 ip-sysctl 문서와 대조하여 확인해야 합니다.
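#!/usr/bin/env bash
# Harden the IPv4 stack against ICMP-based DoS (smurf, bogus error floods)
# and TCP SYN flooding by writing kernel tunables under /proc/sys/net/ipv4.
#
# NOTE: values written to /proc/sys do not survive a reboot. To make them
# permanent, put the same keys in /etc/sysctl.conf or /etc/sysctl.d/*.conf.
# NOTE: the per-type ICMP rate knobs (icmp_*_rate) and ip_always_defrag only
# exist on old (2.2-era) kernels; newer kernels expose icmp_ratelimit /
# icmp_ratemask instead. Knobs the running kernel does not expose are
# skipped with a warning rather than silently failing.
#
# Fixes relative to the original listing:
#   - `accept_redirect` was misspelled (the sysctl is `accept_redirects`),
#     so the [ -f ] guard never matched and ICMP redirects were never disabled.
#   - `echo 1> file` wrote an empty line instead of "1" to igmp_max_memberships.
#   - a failed `cd` no longer falls through and creates stray files in $PWD.
#   - the script now requires root and reports failed writes in its exit status.
set -u

readonly sysctl_dir=/proc/sys/net/ipv4
knob_failures=0

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#######################################
# Write a value to one sysctl file.
# Globals:   knob_failures (incremented on a failed write)
# Arguments: $1 - path of the sysctl file; $2 - value to write
# Outputs:   warnings to stderr for missing knobs / failed writes
# Returns:   0 if written or the knob is absent on this kernel, 1 on write failure
#######################################
set_knob() {
  local path=$1 value=$2
  if [[ ! -f "$path" ]]; then
    printf 'skip: %s is not present on this kernel\n' "$path" >&2
    return 0
  fi
  if ! printf '%s\n' "$value" > "$path"; then
    printf 'WARN: could not write %s to %s\n' "$value" "$path" >&2
    knob_failures=$((knob_failures + 1))
    return 1
  fi
  return 0
}

main() {
  # /proc/sys is only writable by root; without this check every write below
  # would fail with "Permission denied" and the script would still print OK.
  [[ $EUID -eq 0 ]] || die "must be run as root"
  # Never fall through: with the original unchecked cd, a missing directory
  # meant the `echo > ./knob` lines created junk files in the current dir.
  cd "$sysctl_dir" || die "cannot cd to $sysctl_dir"

  echo "Kernel Value Modification Start..."

  # --- ICMP -------------------------------------------------------------
  # Rate-limit ICMP error/reply generation (2.2-era knobs, see header note),
  # ignore broadcast echo requests (smurf amplification) and bogus error
  # responses from broken routers.
  set_knob ./icmp_destunreach_rate 1
  set_knob ./icmp_echo_ignore_broadcasts 1
  set_knob ./icmp_echoreply_rate 1
  set_knob ./icmp_ignore_bogus_error_responses 1
  set_knob ./icmp_paramprob_rate 1
  set_knob ./icmp_timeexceed_rate 1

  # IGMP: limit multicast group memberships per socket (original value kept).
  set_knob ./igmp_max_memberships 1

  # --- IP ---------------------------------------------------------------
  set_knob ./ip_always_defrag 0   # 2.2-era knob; absent on newer kernels
  set_knob ./ip_default_ttl 64
  set_knob ./ip_forward 0         # a hardened host should not route
  set_knob ./ipfrag_time 15       # expire fragment queues sooner (default 30s)

  # --- TCP / SYN flood --------------------------------------------------
  # NOTE(review): 64 is a very small SYN backlog and relies entirely on
  # syncookies absorbing the flood; current kernels default to 128 or more
  # (commonly 1024+). Consider raising it rather than lowering it.
  set_knob ./tcp_max_syn_backlog 64
  set_knob ./tcp_syncookies 1
  set_knob ./tcp_syn_retries 3
  set_knob ./tcp_retries1 3
  set_knob ./tcp_retries2 7

  # --- Per-interface hardening (also hits the 'all' and 'default' entries)
  local iface
  for iface in "$sysctl_dir"/conf/*; do
    # 2 = loose reverse-path filtering (2.6.31+); on older kernels any
    # non-zero value means strict. Use 1 (strict) unless asymmetric routing
    # is required.
    set_knob "$iface/rp_filter" 2
    # Spelled correctly here: the sysctl is accept_redirects (plural).
    set_knob "$iface/accept_redirects" 0
    set_knob "$iface/accept_source_route" 0
    set_knob "$iface/bootp_relay" 0
    set_knob "$iface/log_martians" 1
    set_knob "$iface/secure_redirects" 0
    set_knob "$iface/send_redirects" 0
    set_knob "$iface/proxy_arp" 0
  done

  if (( knob_failures > 0 )); then
    printf 'Kernel Value Modification finished with %d failed write(s).\n' \
      "$knob_failures" >&2
    return 1
  fi
  echo "OK!! Kernel Value Modification was completed."
  return 0
}

main "$@"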