From d01abb44c0b39af934a461f9ebbe6aeaaa2ea572 Mon Sep 17 00:00:00 2001 From: Farid Joubbi Date: Fri, 15 Jan 2021 09:56:29 +0100 Subject: [PATCH] Syncookie (#372) * Enabled SYN cookie sysctl. Signed-off-by: Farid Joubbi * Removed SYN cookies from here since it's a default now. Signed-off-by: Farid Joubbi --- roles/os_hardening/defaults/main.yml | 8 ++++++++ roles/os_hardening/vars/Amazon.yml | 2 -- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml index 4ed730be..912b4726 100644 --- a/roles/os_hardening/defaults/main.yml +++ b/roles/os_hardening/defaults/main.yml @@ -171,6 +171,14 @@ sysctl_config: # RFC 1337 fix F1 | sysctl-10 net.ipv4.tcp_rfc1337: 1 + # Attackers use SYN flood attacks to perform a denial of service attack on a system + # by sending many SYN packets without completing the three way handshake. + # This will quickly use up slots in the kernel's half-open connection queue and + # prevent legitimate connections from succeeding. + # SYN cookies allow the system to keep accepting valid connections, even if + # under a denial of service attack. CIS Distro Independent 3.2.8. + net.ipv4.tcp_syncookies: 1 + # Send(router) or accept(host) RFC1620 shared media redirects | sysctl-12 net.ipv4.conf.all.shared_media: 1 net.ipv4.conf.default.shared_media: 1 diff --git a/roles/os_hardening/vars/Amazon.yml b/roles/os_hardening/vars/Amazon.yml index f78c22c5..4fa6c63f 100644 --- a/roles/os_hardening/vars/Amazon.yml +++ b/roles/os_hardening/vars/Amazon.yml @@ -40,7 +40,5 @@ os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user'] sysctl_rhel_config: # ExecShield protection against buffer overflows kernel.exec-shield: 1 - # Syncookies is used to prevent SYN-flooding attacks. - net.ipv4.tcp_syncookies: 1 hidepid_option: '2' # allowed values: 0, 1, 2
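Review bot: The comment block added above `net.ipv4.tcp_syncookies: 1` in defaults/main.yml explains the attack but not the value semantics or when the mechanism engages, which is the detail an operator needs: with `1` the kernel only sends cookies once the SYN backlog overflows, and the kernel's ip-sysctl documentation calls the feature a fallback rather than a way to absorb a high legitimate connection rate (`2` enables cookies unconditionally and is not recommended). I would add `# 1 = send SYN cookies only when the SYN backlog overflows; 2 would force them for every connection and is not recommended.` directly before the key, and a one-line pointer that the backlog depth itself is governed by `net.ipv4.tcp_max_syn_backlog` and the listener's backlog, so cookies are not read as a substitute for sizing those. The neighbouring entries reference the baseline as `| sysctl-10` / `| sysctl-12` while this one cites CIS only; if the dev-sec sysctl baseline has a matching control (I cannot confirm that from the diff), a `| sysctl-NN` tag would keep the convention consistent. Presumably the Amazon.yml removal relies on this default being merged for every platform; if `sysctl_config` can be overridden wholesale by a consumer of the role, Amazon hosts would lose the setting silently — the merge logic is outside this diff, so that is an inference worth verifying.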