Reduce Server Visibility
June 21, 2005 Posted by KP
Learnt a tip from the book “Mastering FreeBSD and OpenBSD Security”. Servers connected to the Internet receive lots of network probes (automated scans). When a probe tries to connect to a TCP or UDP port where no process is listening, the default kernel composes a TCP reset packet, or an ICMP port unreachable message, and sends it back as a response.
This is undesirable, both for security reasons and because it wastes system resources. To change the kernel’s default behavior there are two related sysctl variables; add the two settings shown in the commands below, as lines in /etc/sysctl.conf, and the system will drop these kinds of packets instead of answering them.
To make them take effect immediately, without a reboot, run:
# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1
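The following shell script is an added example, not code from the original post or the book: it writes the two blackhole settings into a sysctl.conf-style file without leaving duplicate entries (so it can be re-run safely), and keeps the live `sysctl` application in a separate function that only makes sense on a FreeBSD host. The file path and the function names are my own.

```shell
#!/bin/sh
# Added example: persist the two blackhole settings from the post in a
# sysctl.conf-style file idempotently, then apply them to the running kernel.
#
# FreeBSD semantics of the values used:
#   net.inet.tcp.blackhole=2  drop every segment sent to a closed TCP port
#                             (1 would drop only SYNs), instead of sending RST
#   net.inet.udp.blackhole=1  drop datagrams to closed UDP ports instead of
#                             sending ICMP port unreachable

# set_sysctl_line FILE KEY VALUE
# Rewrite an existing "KEY=VALUE" line in FILE, or append one if absent, so
# repeated runs never produce duplicate or conflicting entries.
set_sysctl_line() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*${key}=" "$file"; then
        tmp=$(mktemp) || return 1
        sed "s|^[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$tmp" &&
            mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_line FILE KEY: print the value configured for KEY (empty if unset)
get_sysctl_line() {
    sed -n "s|^[[:space:]]*$2=||p" "$1" | tail -n 1
}

# configure_blackhole FILE: record both settings from the post in FILE
configure_blackhole() {
    set_sysctl_line "$1" net.inet.tcp.blackhole 2 &&
        set_sysctl_line "$1" net.inet.udp.blackhole 1
}

# apply_blackhole: push the same values into the running FreeBSD kernel
# (needs root on FreeBSD; not exercised by the file-based checks below)
apply_blackhole() {
    sysctl net.inet.tcp.blackhole=2 && sysctl net.inet.udp.blackhole=1
}

# Typical use on the server as root:
#   configure_blackhole /etc/sysctl.conf && apply_blackhole
```

Afterwards `sysctl net.inet.tcp.blackhole net.inet.udp.blackhole` should report 2 and 1, and the values survive a reboot because /etc/sysctl.conf is read at boot.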
By searching for “net.inet.tcp.blackhole” on Google, I found a good article, Preventing Denial of Service Attacks, which coincidentally (or inevitably) uses these two parameters and kern.ipc.somaxconn as important measures; making a system more robust surely helps it fight against DoS attacks, and vice versa.
Filed Under: Security