Syncookie (#372)

* Enabled SYN cookie sysctl. Signed-off-by: Farid Joubbi <farid@joubbi.se> * Removed SYN cookies from here since it's a default now. Signed-off-by: Farid Joubbi <farid@joubbi.se>
2024-09-20 13:21:52 +00:00 · 2021-01-15 09:56:29 +01:00 · 2021-01-15 09:56:29 +01:00 · d01abb44c0
commit d01abb44c0
parent 16a41412bb
2 changed files with 8 additions and 2 deletions
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@ -171,6 +171,14 @@ sysctl_config:
  # RFC 1337 fix F1 | sysctl-10
  net.ipv4.tcp_rfc1337: 1

+  # Attackers use SYN flood attacks to perform a denial of service attack on a system
+  # by sending many SYN packets without completing the three way handshake.
+  # This will quickly use up slots in the kernel's half-open connection queue and
+  # prevent legitimate connections from succeeding.
+  # SYN cookies allow the system to keep accepting valid connections, even if
+  # under a denial of service attack. CIS Distro Independent 3.2.8.
+  net.ipv4.tcp_syncookies: 1
+
  # Send(router) or accept(host) RFC1620 shared media redirects | sysctl-12
  net.ipv4.conf.all.shared_media: 1
  net.ipv4.conf.default.shared_media: 1
--- a/roles/os_hardening/vars/Amazon.yml
+++ b/roles/os_hardening/vars/Amazon.yml
@ -40,7 +40,5 @@ os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
 sysctl_rhel_config:
  # ExecShield protection against buffer overflows
  kernel.exec-shield: 1
-  # Syncookies is used to prevent SYN-flooding attacks.
-  net.ipv4.tcp_syncookies: 1

 hidepid_option: '2'  # allowed values: 0, 1, 2