June 21, 2005
Reduce Server Visibility
I learnt a tip from the book "Mastering FreeBSD and OpenBSD Security". Servers connected to the Internet receive a lot of network probes (automated scans). When a probe tries to connect to a TCP or UDP port where no process is listening, the default kernel composes a TCP reset packet (for TCP) or an ICMP port unreachable message (for UDP) and sends it back as a response.
This is bad both for security (every reply tells the prober that a host is there) and for system resources. To change the kernel's default behaviour there are two related sysctl variables. Add the following two lines to /etc/sysctl.conf and the system will silently drop these kinds of packets:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
To make them go into effect immediately without reboot, run:
# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1
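As an added example (not from the original post or the book), here is a small POSIX sh script that applies the two settings to a sysctl.conf-style file idempotently: an existing line for the key is rewritten rather than duplicated, and a missing key is appended. The file path is a parameter so the functions can be exercised on a scratch file; the sample contents in the demo are constructed, and the function names ensure_sysctl, get_sysctl and apply_blackhole are my own.

```shell
#!/bin/sh
# Added example: idempotently manage key=value lines in a sysctl.conf-style
# file. Nothing here touches /etc/sysctl.conf unless you pass that path.

# ensure_sysctl FILE KEY VALUE
#   - if FILE already has "KEY=VALUE" (surrounding spaces ignored): do nothing
#   - if FILE has KEY with a different value: replace that line in place
#   - otherwise: append "KEY=VALUE"
ensure_sysctl() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$file"; then
        return 0                      # already configured as requested
    fi
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # rewrite via a temp file (portable: no reliance on sed -i)
        tmp=$(mktemp) || return 1
        awk -v k="$key" -v v="$value" '
            $0 ~ "^[ \t]*" k "[ \t]*=" { print k "=" v; next }
            { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl FILE KEY -> prints the configured value (last match wins), or nothing
get_sysctl() {
    awk -F= -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == k { gsub(/^[ \t]+|[ \t]+$/, "", $2); val = $2 }
        END { if (val != "") print val }' "$1"
}

# apply_blackhole FILE -> the two settings from the post
#   tcp.blackhole=2 drops all TCP segments to closed ports (1 would drop only SYNs);
#   udp.blackhole=1 drops UDP datagrams to closed ports without an ICMP reply.
apply_blackhole() {
    ensure_sysctl "$1" net.inet.tcp.blackhole 2
    ensure_sysctl "$1" net.inet.udp.blackhole 1
}

# Stand-alone demo on a scratch copy with constructed contents.
# On the live host you would run: apply_blackhole /etc/sysctl.conf
# and then the two "sysctl key=value" commands from the post to load them now.
demo=$(mktemp)
printf 'kern.ipc.somaxconn=1024\nnet.inet.tcp.blackhole=0\n' > "$demo"
apply_blackhole "$demo"
cat "$demo"
rm -f "$demo"
```

Running it twice against the same file is safe: the second pass finds both lines already present and changes nothing, which is what you want from anything that edits /etc/sysctl.conf from a provisioning script.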
Searching Google for "net.inet.tcp.blackhole", I found a good article, Preventing Denial of Service Attacks, which coincidentally (or inevitably) uses these same two parameters together with kern.ipc.somaxconn as its main measures. Making a system more robust surely helps it withstand DoS attacks, and vice versa.
Category : Security
Posted by FreeBSD Newbie at June 21, 2005 08:37 PM
