
Reduce Server Visibility

June 21, 2005 Posted by KP

I learned this tip from the book “Mastering FreeBSD and OpenBSD Security”. Servers connected to the Internet receive a constant stream of network probes (automated scans). When a probe hits a TCP or UDP port on which no process is listening, the default kernel answers it: a TCP RST for a closed TCP port, or an ICMP port unreachable message for a closed UDP port.

This is undesirable both for security (each reply confirms that the host is up and tells the scanner exactly which ports are closed) and for system resources (the kernel spends CPU and bandwidth answering traffic nobody asked for). Two sysctl variables control this behavior. Adding the following two lines to /etc/sysctl.conf makes the kernel silently drop such packets instead of answering them:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

net.inet.tcp.blackhole=1 drops only SYN segments sent to closed ports; 2 drops every segment sent to a closed port, which is the usual recommendation. net.inet.udp.blackhole=1 suppresses the ICMP port unreachable reply for closed UDP ports. Two caveats: the host does not become invisible, since open ports still answer (a port scanner reports the closed ports as filtered rather than closed, and the host as up), and suppressing the UDP unreachable reply breaks UDP-based traceroute towards the host, because the final hop never answers. See blackhole(4) for details.

To make them take effect immediately, without a reboot, run:
# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1
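The following script audits a sysctl.conf-style file for the two settings above and explains what each value means. It is an added example, not code from the book or from the original post; the sample configuration files it writes are constructed for the demonstration and are not real system files.

```sh
#!/bin/sh
# Audit a sysctl.conf-style file for the two blackhole settings.
# Added example, not from the book or the original post.
# Usage: check_blackhole_conf /etc/sysctl.conf

# Print the effective value of KEY in FILE. sysctl.conf holds one
# key=value per line, '#' starts a comment, whitespace around '=' is
# allowed, and a later line overrides an earlier one.
conf_value() {
    key="$1"; file="$2"
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$file" \
        | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }'
}

# Return 0 when both settings are present at the recommended values,
# 1 otherwise, and report each finding on stdout.
check_blackhole_conf() {
    file="$1"; rc=0
    tcp=$(conf_value net.inet.tcp.blackhole "$file")
    udp=$(conf_value net.inet.udp.blackhole "$file")
    case "$tcp" in
        2) echo "ok: net.inet.tcp.blackhole=2 (all segments to closed TCP ports dropped)" ;;
        1) echo "weak: net.inet.tcp.blackhole=1 (only SYNs dropped; other segments still get a RST)"; rc=1 ;;
        *) echo "missing: net.inet.tcp.blackhole (default 0, a RST is sent for closed TCP ports)"; rc=1 ;;
    esac
    case "$udp" in
        1) echo "ok: net.inet.udp.blackhole=1 (no ICMP port unreachable for closed UDP ports)" ;;
        *) echo "missing: net.inet.udp.blackhole (default 0, ICMP port unreachable is sent)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files for the demonstration (not real system files).
good_conf=$(mktemp); bad_conf=$(mktemp)
cat > "$good_conf" <<'EOF'
# hardened sysctl.conf (constructed sample)
net.inet.tcp.blackhole = 2   # drop every segment sent to a closed TCP port
net.inet.udp.blackhole=1
kern.ipc.somaxconn=1024
EOF
cat > "$bad_conf" <<'EOF'
# weak sysctl.conf (constructed sample): SYN-only blackhole, UDP left at default
net.inet.tcp.blackhole=1
EOF

echo "== $good_conf"; check_blackhole_conf "$good_conf" || echo "audit failed"
echo "== $bad_conf";  check_blackhole_conf "$bad_conf"  || echo "audit failed"
```

On a running FreeBSD host, compare the file against the live kernel with `sysctl -n net.inet.tcp.blackhole` and `sysctl -n net.inet.udp.blackhole`; a file that passes the audit but a kernel that still reports 0 means the values were added to /etc/sysctl.conf but never loaded.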

Searching Google for “net.inet.tcp.blackhole” turned up a good article, Preventing Denial of Service Attacks, which (not coincidentally) uses these same two parameters together with kern.ipc.somaxconn, the limit on a listening socket's connection backlog, as its main measures. Making a system more robust helps it withstand DoS attacks, and hardening it against DoS makes it more robust.
