Enable syn cookies in a better way

This commit is contained in:
Bob Mottram 2014-04-18 10:35:26 +01:00
parent c61b10115d
commit 0d0ddec282
1 changed files with 10 additions and 8 deletions


@ -1010,14 +1010,6 @@ Enter the following:
#+BEGIN_SRC: bash #+BEGIN_SRC: bash
#!/bin/bash #!/bin/bash
# Enable syn cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Other settings
echo 1 > /proc/sys/net/ipv4/tcp_keepalive_probes
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
# First of all delete any existing rules. # First of all delete any existing rules.
# This means you're back to a known state: # This means you're back to a known state:
iptables -P INPUT ACCEPT iptables -P INPUT ACCEPT
@ -1168,6 +1160,7 @@ emacs /etc/sysctl.conf
Uncomment or change the following: Uncomment or change the following:
#+BEGIN_SRC: bash #+BEGIN_SRC: bash
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.send_redirects = 0
@ -1184,9 +1177,18 @@ And append the following:
#+BEGIN_SRC: bash #+BEGIN_SRC: bash
# ignore pings # ignore pings
net.ipv4.icmp_echo_ignore_all = 1 net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.icmp_echo_ignore_all = 1
# disable ipv6 # disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 1
# keepalive
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_time = 7200
#+END_SRC #+END_SRC
Save and exit. It may be a good idea to reboot at this point and then log back into the BBB using ssh. You can do a safe reboot of the system by typing: Save and exit. It may be a good idea to reboot at this point and then log back into the BBB using ssh. You can do a safe reboot of the system by typing:
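Review bot: `net.ipv6.icmp_echo_ignore_all = 1`, added in the third hunk, does not match any Linux sysctl key I know of — the IPv4 knob is `net.ipv4.icmp_echo_ignore_all` and there is no flat `icmp_echo_ignore_all` entry under `net.ipv6` — so `sysctl -p` will report that it cannot stat the corresponding /proc/sys path and skip the line; since IPv6 is disabled two lines further down anyway, simply dropping the line seems the cleanest fix. The three keepalive values added in the same hunk (`9`, `75`, `7200`) are the kernel defaults, so that block changes nothing, whereas the script removed in the first hunk set `tcp_keepalive_probes` to 1; if that earlier behaviour was intentional the value here should be `net.ipv4.tcp_keepalive_probes = 1`, otherwise the "keepalive" block can go. `net.ipv4.tcp_syn_retries = 1` limits SYN retransmits for connections the board itself initiates rather than the ones it receives, so a comment such as `# outbound connection attempts give up after one SYN retransmit` would stop readers from mistaking it for the SYN-flood hardening that `tcp_syncookies` and `tcp_synack_retries` provide.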