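# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
#
# Consolidated from an earlier version that listed several keys two or
# three times. sysctl -p applies entries top to bottom and the LAST value
# wins, so the repeats were harmless except for
# net.ipv4.tcp_max_syn_backlog, which was set to 2048 and later to 1024
# (1024 was the value actually in effect). Every key now appears once.
#
# Per-interface entries for eth0 only take effect if an interface with
# that name exists; with any other naming scheme sysctl -p reports an
# error for them. The "all" and "default" entries already apply to every
# present and future interface, so the eth0 lines are kept only for
# compatibility with the original file.

# --- Routing / forwarding ---------------------------------------------
# This host is not a router: do not forward IP packets.
net.ipv4.ip_forward = 0

# --- Source routing ---------------------------------------------------
# Reject packets carrying IP source-route options (they can be used to
# steer traffic around routing-based access controls).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0

# --- Reverse-path filtering (anti-spoofing) ---------------------------
# Drop packets whose source address would not be routed back out of the
# interface they arrived on. 1 is strict mode; on hosts with asymmetric
# routing or several uplinks use 2 (loose mode, where the kernel supports
# it) or legitimate traffic is dropped.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1

# --- ICMP redirects ---------------------------------------------------
# Do not accept ICMP redirects: an on-link attacker could otherwise
# rewrite this host's routing table and insert itself as a gateway.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
# secure_redirects only matters while accept_redirects is on; it is set to
# 0 so redirects stay rejected even if accept_redirects is re-enabled for
# an interface later. A host that does not forward has no reason to emit
# redirects of its own either.
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# --- Logging ----------------------------------------------------------
# Log packets with impossible addresses (spoofed, source-routed,
# redirected) to the kernel log. This can be noisy on a busy or
# misconfigured network, so make sure the log is rate-limited or watched.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# --- ICMP -------------------------------------------------------------
# Ignore echo requests sent to broadcast/multicast addresses (smurf
# amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not log bogus ICMP error responses from RFC-violating routers; this
# only keeps the kernel log from being flooded.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# --- TCP SYN flood protection -----------------------------------------
# SYN cookies are used only once the SYN backlog overflows, so they do
# not change normal operation.
net.ipv4.tcp_syncookies = 1
# Size of the half-open connection queue. The original file set this to
# 2048 and later to 1024; 2048 is kept as the value intended for SYN
# flood resistance.
net.ipv4.tcp_max_syn_backlog = 2048
# Retransmit the SYN-ACK only twice (kernel default 5) so half-open
# entries created by a flood expire sooner.
net.ipv4.tcp_synack_retries = 2

# --- TCP timers -------------------------------------------------------
# Seconds a socket stays in FIN-WAIT-2 (kernel default 60).
net.ipv4.tcp_fin_timeout = 15
# Seconds of idle time before the first keepalive probe (default 7200).
net.ipv4.tcp_keepalive_time = 1800
# Maximum number of TIME-WAIT sockets held before they are destroyed
# early.
net.ipv4.tcp_max_tw_buckets = 1440000

# --- TCP options ------------------------------------------------------
# NOTE: these three turn off standard TCP extensions and are NOT security
# settings. Window scaling and SACK are needed for throughput on anything
# faster than a LAN link. Disabling timestamps hides the uptime that can
# be inferred from the TCP timestamp option, but also disables PAWS
# (protection against wrapped sequence numbers) and the RTT measurement
# it provides. Keep them only if the impact has been measured.
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0

# --- Socket buffers ---------------------------------------------------
# tcp_mem is in pages, not bytes: low, pressure, high.
net.ipv4.tcp_mem = 57344 57344 65536
# tcp_rmem / tcp_wmem are in bytes: min, default, max.
net.ipv4.tcp_rmem = 98304 196608 1572864
net.ipv4.tcp_wmem = 32768 65536 524288
# Default and maximum receive/send buffer for all socket types (bytes).
net.core.rmem_default = 524280
net.core.rmem_max = 524280
net.core.wmem_default = 524280
net.core.wmem_max = 524280
# Maximum ancillary (option) buffer per socket (bytes).
net.core.optmem_max = 57344

# --- Ports and fragments ----------------------------------------------
# Ephemeral port range. The original upper bound of 65536 is not a valid
# TCP/UDP port (maximum is 65535) and newer kernels reject the setting.
net.ipv4.ip_local_port_range = 16384 65535
# Memory (bytes) allowed for IP fragment reassembly: high / low watermark.
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# --- Kernel -----------------------------------------------------------
# Disable the magic SysRq key; anyone with console access could otherwise
# reboot the machine, kill processes or dump kernel state unauthenticated.
kernel.sysrq = 0
# Append the PID to core file names; useful when debugging multi-threaded
# applications.
kernel.core_uses_pid = 1
# Maximum size of a single shared memory segment: 256 MiB.
kernel.shmmax = 268435456
# System-wide open file limit (originally tuned for Ensim WEBppliance).
fs.file-max = 65000

# --- Linux 2.4-only keys ----------------------------------------------
# The following keys do not exist on the 2.6 kernel and later; sysctl -p
# prints an "unknown key" error for each of them there. Delete them on
# newer kernels, or load the file with "sysctl -e -p" to skip unknown
# keys.
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
vm.buffermem = 90 10 60
net.core.hot_list_length = 1024

## DO NOT REMOVE THE FOLLOWING LINE!
## nsobuild:20051206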


无需重启：执行下面的命令即可立即生效（/etc/sysctl.conf 在每次开机时也会自动加载）：
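# Apply /etc/sysctl.conf now; no reboot is needed (the file is also
# loaded automatically at boot). An "unknown key" error means the key
# does not exist on this kernel -- e.g. the 2.4-only vm.bdflush,
# vm.buffermem and net.core.hot_list_length entries, or a
# net.ipv4.conf.eth0.* entry when no interface is named eth0. Remove the
# offending line or run "sysctl -e -p" to skip unknown keys.
/sbin/sysctl -p
# Flush the routing cache so the rp_filter / redirect changes also apply
# to routes that are already cached. Same absolute path as above so both
# commands behave the same under a restricted PATH.
/sbin/sysctl -w net.ipv4.route.flush=1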



27.更改SSH端口
更改SSH默认端口号只能减少自动化扫描和暴力破解带来的日志噪音，属于“隐蔽”而不是真正的防护；它不能替代禁用口令登录（改用密钥认证）、禁止 root 直接登录、限制来源地址等措施。
方法:
vi /etc/ssh/sshd_config
Port 22改为其他端口
重启 sshd 之前务必先把新端口加进防火墙，否则会把自己锁在服务器外面；建议保持当前的 SSH 会话不要断开，重启后另开一个连接验证新端口可用，再退出旧会话。
然后重启使其生效。Red Hat 系列的服务名是 sshd：/etc/init.d/sshd restart（Debian/Ubuntu 上才是 /etc/init.d/ssh restart）。如果系统启用了 SELinux，还需要先用 semanage port -a -t ssh_port_t -p tcp <新端口> 放行该端口，否则 sshd 无法绑定到新端口。
如果安装了APF并把端口添加之后,还要重启APF:/etc/init.d/apf restart

28./tmp,/var/tmp,/dev/shm分区的安全
/tmp、/var/tmp、/dev/shm 目录对所有用户可写，任何用户（包括被入侵的 web 进程）都可以把程序放进去并直接运行。
较好的解决办法是以 noexec、nosuid、nodev 选项挂载这些目录（原文的“ncexec”是 noexec 的笔误）。注意 noexec 只阻止直接执行，用 sh /tmp/x.sh、perl /tmp/x.pl 这类方式仍然能运行脚本，因此它只能降低而不能消除风险。
注意:不建议在CPanel使用
方法:
/tmp目录:
cd /dev
创建约 100M 的镜像文件（大小由 count 决定：1024 字节 × 100000 块）。注意：如果 /dev 由 udev/devtmpfs 以 tmpfs 方式挂载，其中的普通文件重启后会丢失；这种系统上应把镜像放到持久化目录（例如 /var/tmpMnt），并同步修改下文所有出现的路径：
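# Create the backing image: 100000 blocks of 1024 bytes (about 98 MiB).
dd if=/dev/zero of=tmpMnt bs=1024 count=100000
# The image holds the raw contents of /tmp. With the usual umask it is
# created world-readable, which would let any local user read other
# users' temporary files by reading the image directly, bypassing the
# permissions inside the filesystem; restrict it to root.
chmod 0600 tmpMnt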
在镜像文件上创建 ext2 文件系统:
  /sbin/mke2fs /dev/tmpMnt（提示 “…is not a block special device. continue?” 时回答 yes；这里创建的是不带日志的 ext2，要与下面 fstab 条目中的文件系统类型一致）


备份现有临时文件:
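  # Back up the current /tmp. -a (archive) keeps ownership, modes, the
  # sticky bit, symlinks and timestamps; plain -R would re-create every
  # file owned by root with umask permissions, so users could no longer
  # access their own temporary files once the backup is restored.
  cp -a /tmp /tmp_backup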


用 nosuid,noexec,nodev 选项挂载新文件系统（挂载前确认没有进程正在使用 /tmp，挂载后原目录里的文件会被遮盖而不是删除）:
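  # Mount the image over /tmp.
  #   nosuid - setuid/setgid bits are ignored
  #   noexec - binaries cannot be executed directly (this does NOT stop
  #            "sh /tmp/script" or "perl /tmp/script")
  #   nodev  - device nodes created in /tmp are not honoured; this closes
  #            the loophole the original option set left open
  # Files in the original /tmp are hidden, not removed, while the image
  # is mounted.
  mount -o loop,rw,nosuid,noexec,nodev /dev/tmpMnt /tmp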

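  # A freshly created filesystem root is typically 0755 owned by root, so
  # open the new /tmp to all users. The leading 1 is the sticky bit:
  # without it (mode 0777, as in the original) any user can delete or
  # rename any other user's files in /tmp, which enables symlink and
  # file-replacement attacks against other users' temporary files.
  chmod 1777 /tmp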


把备份的文件拷贝回去:
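  # Restore the backup onto the new filesystem. "/tmp_backup/." copies
  # the directory contents including dot-files (a "*" glob skips names
  # such as .X11-unix and .ICE-unix); -a preserves ownership and
  # permissions so users keep access to their own files.
  cp -a /tmp_backup/. /tmp/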


删除备份:
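  # Remove the backup only after confirming the restored /tmp is complete
  # (for example compare "ls -la /tmp" with "ls -la /tmp_backup").
  rm -rf /tmp_backup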


修改 /etc/fstab，添加下面的条目使其在引导时自动挂载（第一列的路径必须与前面实际创建镜像的位置一致；可先执行 mount -a 验证条目无误再重启）:
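  # Loop-mount the /tmp image at boot. Use the same option set here as in
  # the manual mount so the boot-time mount is not weaker than the one
  # set up by hand; nodev stops device nodes created in /tmp from being
  # honoured. Dump and fsck pass are 0 for a loop-backed filesystem.
  /dev/tmpMnt /tmp ext2 loop,rw,nosuid,noexec,nodev 0 0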



/var/tmp目录:
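  # Replace /var/tmp with a symlink into the protected /tmp so the same
  # mount options cover it. Note that /var/tmp is normally expected to
  # survive reboots while /tmp may be cleaned at boot; if anything on the
  # host relies on that, give /var/tmp its own loop image instead of a
  # link.
  mv /var/tmp /var/tmpbak
  ln -s /tmp /var/tmp
  # Copy the old contents back. Plain "cp" without -R skips directories
  # entirely and the "*" glob misses dot-files; -a also keeps ownership
  # and permissions so users can still reach their own files.
  cp -a /var/tmpbak/. /tmp/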



/dev/shm目录:
编辑/etc/fstab
把 none /dev/shm tmpfs defaults,rw 0 0
改为
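  # Shared-memory tmpfs. In addition to nosuid and noexec, nodev stops
  # device nodes from being created there. To apply without rebooting run
  # "mount -o remount /dev/shm" after saving fstab.
  none /dev/shm tmpfs defaults,nosuid,noexec,nodev,rw 0 0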
