mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 09:14:18 +00:00
Syncookie (#372)
* Enabled SYN cookie sysctl. Signed-off-by: Farid Joubbi <farid@joubbi.se> * Removed SYN cookies from here since it's a default now. Signed-off-by: Farid Joubbi <farid@joubbi.se>
This commit is contained in:
parent
16a41412bb
commit
d01abb44c0
2 changed files with 8 additions and 2 deletions
|
@ -171,6 +171,14 @@ sysctl_config:
|
||||||
# RFC 1337 fix F1 | sysctl-10
|
# RFC 1337 fix F1 | sysctl-10
|
||||||
net.ipv4.tcp_rfc1337: 1
|
net.ipv4.tcp_rfc1337: 1
|
||||||
|
|
||||||
|
# Attackers use SYN flood attacks to perform a denial of service attack on a system
|
||||||
|
# by sending many SYN packets without completing the three way handshake.
|
||||||
|
# This will quickly use up slots in the kernel's half-open connection queue and
|
||||||
|
# prevent legitimate connections from succeeding.
|
||||||
|
# SYN cookies allow the system to keep accepting valid connections, even if
|
||||||
|
# under a denial of service attack. CIS Distro Independent 3.2.8.
|
||||||
|
net.ipv4.tcp_syncookies: 1
|
||||||
|
|
||||||
# Send(router) or accept(host) RFC1620 shared media redirects | sysctl-12
|
# Send(router) or accept(host) RFC1620 shared media redirects | sysctl-12
|
||||||
net.ipv4.conf.all.shared_media: 1
|
net.ipv4.conf.all.shared_media: 1
|
||||||
net.ipv4.conf.default.shared_media: 1
|
net.ipv4.conf.default.shared_media: 1
|
||||||
|
|
|
@ -40,7 +40,5 @@ os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
|
||||||
sysctl_rhel_config:
|
sysctl_rhel_config:
|
||||||
# ExecShield protection against buffer overflows
|
# ExecShield protection against buffer overflows
|
||||||
kernel.exec-shield: 1
|
kernel.exec-shield: 1
|
||||||
# Syncookies is used to prevent SYN-flooding attacks.
|
|
||||||
net.ipv4.tcp_syncookies: 1
|
|
||||||
|
|
||||||
hidepid_option: '2' # allowed values: 0, 1, 2
|
hidepid_option: '2' # allowed values: 0, 1, 2
|
||||||
|
|
Loading…
Reference in a new issue