Friday, December 08, 2006

TCP/IP TUNING SOLARIS webserver

#!/sbin/sh

# This script was created by Michael Holve, August 1, 2004 for...
# Everything Solaris, http://everythingsolaris.org
#
# v0.2, August 2004 - Solaris 8 tested
# v0.1, March 2001 - Solaris 7 tested
#
# THIS SCRIPT COMES WITHOUT WARRANTY - USE AT YOUR OWN RISK!
#
# If you run primarily Web services on your system such as Apache, Zeus, thttpd
# or others, this script will open up the TCP/IP stack for heavy TCP/IP traffic
# and cut down on performance-robbing, conservative out-of-the-box values. Also
# tune the system TCP/IP parameters for higher security against hacking and DDoS
# attacks.
#
# This information has been derived from countless sources on the Web including
# articles, personal pages, documentation from Sun, Apache and BEA, Inc.
#
# ndd settings are not preserved across reboots, so the script must run on
# every boot. Place script in /etc/init.d and link to it in /etc/rc2.d (e.g.
# S99tune_tcp). Start it before the network daemons if possible: some
# parameters, such as the listen queue sizes, are applied when a socket calls
# listen(2), so daemons already running keep the old values until restarted.

# Say "hello" during boot to know it's running
#
echo "Tuning TCP/IP parameters..."

# The TCP send and receive high-water marks (tcp_xmit_hiwat, tcp_recv_hiwat)
# set the socket buffer sizes and so the advertised TCP window. A larger
# window allows more efficient transfers, particularly bulk transfers such as
# FTP and HTTP. The out-of-the-box value is not optimal and should be raised
# to at least 32768 bytes. Do not go above 65535 bytes unless the
# implications of RFC1323 (window scaling) and RFC2018 (SACK) are fully
# understood and support for both is enabled: the TCP window field is 16
# bits wide, so anything larger needs window scaling, and a scaled window
# without SACK recovers badly from loss. Do not enable RFC1323 without also
# enabling support for RFC2018. Remember, pipe drain is a Bad Thing[tm].
# The 65534 used below stays just under the 16-bit limit.
#
# BEA (Weblogic) recommends 131072 for both. Might use 32767 typically.
#
/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 65534
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 65534

#/usr/sbin/ndd -set /dev/tcp tcp_cwnd_max 65534

# On a busy web server, many sockets may linger in the TIME_WAIT state.
# TIME_WAIT is the normal final state of whichever side closes first, and
# for HTTP that is usually the server, so every served connection leaves one
# behind for twice the maximum segment lifetime. (A peer that never closes
# its end shows up as CLOSE_WAIT or FIN_WAIT_2, not TIME_WAIT.) An attacker
# can use this as a type of DDoS by completing and closing connections fast
# enough that TIME_WAIT entries exhaust the stack's connection state.
#
# This parameter affects the amount of time a TCP socket will remain in the
# TIME_WAIT state. The default is quite high for a busy web server, so it
# should be lowered to 60000 milliseconds (60 seconds). Going much lower
# risks a delayed segment from an old connection being accepted by a new one
# that reuses the same addresses and ports. The parameter name was corrected
# in Solaris 7 and higher. Prior to Solaris 7, the parameter was incorrectly
# labeled as tcp_close_wait_interval.
#
# Default is 240000. You may also try 30000.
#
# tcp_ip_abort_interval is the total time a connection keeps retransmitting
# before it is aborted (default 480000, i.e. 8 minutes); 60 seconds lets the
# server drop connections to clients that have disappeared mid-transfer.
#
/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000
/usr/sbin/ndd -set /dev/tcp tcp_ip_abort_interval 60000

# While great effort is undertaken to defend any network from those with
# malicious intent, several ports (largely TCP) must remain open to conduct
# business. Internet vandals may attempt to exploit these ports to launch a
# denial of service attack. One of the most popular attacks remains the SYN
# flood, wherein the socket queue of the attacked host is overwhelmed with
# bogus connection requests. To defend against such attacks, certain UNIX
# variants maintain separate queues for inbound socket connection requests.
# One queue (tcp_conn_req_max_q0) is for half-open sockets (SYN received,
# SYN|ACK sent, final ACK not yet seen); the other (tcp_conn_req_max_q) is
# for fully-open sockets awaiting an accept() call from the application.
# These two queues should be increased so that an attack of low to moderate
# intensity will have little to no effect on the stability or availability of
# the server. Solaris 2.6 and later evict the oldest half-open entry when q0
# fills rather than refusing new SYNs, so a larger q0 mostly buys legitimate
# handshakes more time to complete.
#
# Note that tcp_conn_req_max_q is only a ceiling: the completed queue a
# listener actually gets is the smaller of this value and the backlog the
# application passes to listen(2) (Apache's ListenBacklog, for example), and
# it is fixed when the application calls listen(), so daemons already running
# must be restarted to pick up a new value.
#
# Default is 128 and 1024
#
# BEA (Weblogic) recommends 16385 for both. Commented lines more reasonable.
#
#/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
#/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 4096
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 16384
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 16384
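Before lowering tcp_time_wait_interval or raising the listen queues it is worth seeing which state is actually piling up. The following is an added example, not part of the original script: it tallies TCP states from Solaris `netstat -an -f inet` output, which carries the state in the last column, and picks out remote hosts holding many half-open connections at once. The netstat lines embedded in it are constructed sample data and the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the original script: summarise TCP socket
# states from Solaris `netstat -an -f inet` output so you can tell whether
# TIME_WAIT, CLOSE_WAIT or SYN_RCVD is what is actually accumulating before
# changing tcp_time_wait_interval or the listen queues.

# Constructed sample of the TCP section of `netstat -an -f inet` (Solaris
# layout, state in the last column). Used when no Solaris netstat is present.
SAMPLE='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.80                 *.*                0      0 49152      0 LISTEN
10.0.0.5.80          192.0.2.10.51234     49640      0 49640      0 ESTABLISHED
10.0.0.5.80          192.0.2.11.40000     49640      0 49640      0 TIME_WAIT
10.0.0.5.80          192.0.2.12.40001     49640      0 49640      0 TIME_WAIT
10.0.0.5.80          192.0.2.13.40002     49640      0 49640      0 CLOSE_WAIT
10.0.0.5.80          198.51.100.7.1024        0      0 49152      0 SYN_RCVD
10.0.0.5.80          198.51.100.7.1025        0      0 49152      0 SYN_RCVD
10.0.0.5.80          198.51.100.7.1026        0      0 49152      0 SYN_RCVD'

# tcp_state_summary: reads netstat output on stdin, prints "STATE count"
# lines sorted by state. Only recognised TCP state names are counted, so the
# header, separator and any UDP lines are ignored.
tcp_state_summary() {
    awk '$NF ~ /^(LISTEN|SYN_SENT|SYN_RCVD|ESTABLISHED|CLOSE_WAIT|FIN_WAIT_1|FIN_WAIT_2|CLOSING|LAST_ACK|TIME_WAIT|IDLE|BOUND)$/ { n[$NF]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# state_count STATE: number of sockets in one state (0 if none), stdin as above
state_count() {
    tcp_state_summary | awk -v s="$1" '$1 == s { c = $2 } END { print c + 0 }'
}

# syn_flood_suspects LIMIT: remote hosts holding more than LIMIT half-open
# (SYN_RCVD) connections at once; the port is stripped from the remote address
# so all sockets from one source are counted together.
syn_flood_suspects() {
    awk -v limit="$1" '$NF == "SYN_RCVD" { sub(/\.[0-9]+$/, "", $2); n[$2]++ }
        END { for (h in n) if (n[h] > limit) print h, n[h] }' | sort
}

# Stand-alone: read the live stack on a Solaris host, otherwise the sample.
if command -v netstat >/dev/null 2>&1 && [ "$(uname -s)" = SunOS ]; then
    netstat -an -f inet | tcp_state_summary
else
    echo "$SAMPLE" | tcp_state_summary
fi
```

How to read the result: a large TIME_WAIT count is normal on a server that closes after each response and is what tcp_time_wait_interval addresses; a growing CLOSE_WAIT count means the local application has not called close() on sockets the peer already shut, which no ndd setting fixes; many SYN_RCVD entries, especially from a handful of sources, is the half-open queue (q0) under SYN flood pressure.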

# A miscreant can use ICMP redirects to modify the routing table on a remote
# host. In a well-designed network, redirects to the end stations should not
# be required. Both the sending and accepting of redirects should be
# disabled: ip_ignore_redirect makes the host discard redirects it receives,
# and ip_send_redirects stops it emitting them (only relevant if it forwards).
#
# Default is 0 and 1
#
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0

# It is possible for a miscreant to create resource exhaustion or
# performance degradation by filling the IP route cache with bogus ARP
# entries. In Solaris, there are two parameters that govern the cleanup
# interval for the IP route cache: ip_ire_arp_interval for the routing
# entries themselves, and arp_cleanup_interval for unsolicited ARP
# responses. The parameter tuned here is arp_cleanup_interval; lowering it
# ages bogus or stale entries out sooner.
#
# Default is 300000 (5 minutes)
#
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000

# With source routing, an attacker can attempt to reach internal IP addresses
# (including RFC1918 addresses) by bouncing packets off a host that has a leg
# on the internal network. This parameter disables the forwarding of source
# routed packets through this host, preventing such subtle probes of your
# internal networks. It does not affect source routed packets addressed to
# the host itself; on a web server that is not a router, ip_forwarding should
# be off as well.
#
# Default is 1
#
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0

# Smurf attacks work by sending ICMP type 8 code 0 (ECHO REQUEST) messages to
# a broadcast address from a spoofed source address, so that every host that
# answers floods the victim. Some IP stacks will respond, by default, to such
# messages. This should be disabled. Further, if the host is a firewall
# (router), it should not propagate directed broadcasts at all
# (ip_forward_directed_broadcasts 0).
#
# Default is 1
#
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0

# There are two other broadcast probes that a miscreant could utilize against
# a network. The ICMP address mask request (type 17) can be used to map out
# the size of the netblock, and set a range for further probes. The ICMP
# timestamp request (type 13) sent to broadcast is another means of mapping
# and fingerprinting hosts. (Unicast timestamp replies are governed
# separately by ip_respond_to_timestamp.)
#
# Default is 0 and 1. First commented line just for reference.
#
#/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
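Setting the values is half the job; the other half is checking that a host still has them after a reboot, a patch, or an edit to the rc script. The following audit is an added example, not part of the original script: it reads each parameter the script sets back with `ndd -get` and reports OK, DRIFT or UNKNOWN. It assumes Solaris 8's /usr/sbin/ndd; the NDD variable and the function names are mine, and NDD can be pointed at a stub for testing off-box.

```sh
#!/bin/sh
# Added example, not part of the original script: audit a host against the
# values the tuning script sets, so drift (a reboot without the rc script, a
# patch that reset a default, a typo in the script) shows up instead of being
# assumed away. Assumes Solaris 8's /usr/sbin/ndd; NDD can be overridden.

NDD=${NDD:-/usr/sbin/ndd}

# driver, parameter, expected value: the settings applied by the script above
EXPECTED='/dev/tcp tcp_xmit_hiwat 65534
/dev/tcp tcp_recv_hiwat 65534
/dev/tcp tcp_time_wait_interval 60000
/dev/tcp tcp_ip_abort_interval 60000
/dev/tcp tcp_conn_req_max_q 16384
/dev/tcp tcp_conn_req_max_q0 16384
/dev/ip ip_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_forward_src_routed 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp_broadcast 0'

# get_param DRIVER PARAM: prints the live value, or "?" if ndd cannot read it
# (unknown parameter, wrong driver, not root). stdin is closed because ndd
# with missing arguments drops into interactive mode.
get_param() {
    "$NDD" -get "$1" "$2" </dev/null 2>/dev/null || echo '?'
}

# audit_params: one line per parameter, tagged OK, DRIFT or UNKNOWN
audit_params() {
    echo "$EXPECTED" | while read dev param want; do
        [ -n "$param" ] || continue
        have=$(get_param "$dev" "$param")
        if [ "$have" = "$want" ]; then
            status=OK
        elif [ "$have" = "?" ]; then
            status=UNKNOWN
        else
            status=DRIFT
        fi
        printf '%-8s %-36s want=%-6s have=%s\n' "$status" "$param" "$want" "$have"
    done
}

# count_drift: number of non-OK lines from audit_params, read on stdin
count_drift() {
    awk '$1 != "OK" { n++ } END { print n + 0 }'
}

# Stand-alone run on a Solaris host (ndd present); elsewhere the functions are
# defined but nothing is executed.
if [ -x "$NDD" ]; then
    report=$(audit_params)
    echo "$report"
    echo "parameters not at the hardened value: $(echo "$report" | count_drift)"
fi
```

Run it as root after the rc script has fired (ndd -get on some parameters is refused to unprivileged users, which shows up as UNKNOWN rather than a false OK). A non-zero drift count from a cron job is a cheap way to notice that a patch cluster or a hand edit has quietly put a server back on the conservative defaults.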
