20160805 Linux Kernel Parameter
Linux Kernel Parameter
■ About Linux kernel parameters
-> A way of tuning a Linux system by controlling the values of its kernel variables.
-> Linux kernel parameters are exposed under the /proc/sys directory.
(e.g.) net.ipv4.icmp_echo_ignore_all <---> /proc/sys/net/ipv4/icmp_echo_ignore_all
■ How to set a kernel parameter
(temporary) # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
(permanent) # sysctl -w net.ipv4.icmp_echo_ignore_all=1 ; sysctl -p
or
# vi /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all = 1
# sysctl -p
■ sysctl CMD, /etc/sysctl.conf
(1) sysctl CMD
NAME
sysctl - configure kernel parameters at runtime
SYNOPSIS
sysctl [-n] [-e] variable ...
sysctl [-n] [-e] [-q] -w variable=value ...
sysctl [-n] [-e] [-q] -p <filename>
sysctl [-n] [-e] -a
sysctl [-n] [-e] -A
DESCRIPTION
sysctl is used to modify kernel parameters at runtime. The parameters
available are those listed under /proc/sys/. Procfs is required for
sysctl(8) support in Linux. You can use sysctl(8) to both read and
write sysctl data.
PARAMETERS
-n Use this option to disable printing of the key name when printing values.
-w Use this option when you want to change a sysctl setting.
-p Load in sysctl settings from the file specified or
/etc/sysctl.conf if none given. Specifying - as filename means
reading data from standard input.
-a Display all values currently available.
-A Same as -a
(command format)
# sysctl -a (# sysctl -a | grep icmp)
# sysctl -p (/etc/sysctl.conf)
# sysctl -n net.ipv4.icmp_echo_ignore_all
# sysctl -w net.ipv4.icmp_echo_ignore_all=0
[Practice] sysctl CMD
■ Selecting a target
# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
# sysctl -a
.... (omitted) ....
# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
# sysctl -n net.ipv4.ip_forward
0
# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
# cat /proc/sys/net/ipv4/ip_forward
1
# cat /etc/sysctl.conf | grep ip_forward
net.ipv4.ip_forward = 0
# sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
# cat /proc/sys/net/ipv4/ip_forward
0
# cat /etc/sysctl.conf | grep ip_forward
net.ipv4.ip_forward = 0
# vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
[before] net.ipv4.ip_forward = 0
[after]  net.ipv4.ip_forward = 1
.... (omitted) ....
# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
# cat /proc/sys/net/ipv4/ip_forward
0
# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
# cat /proc/sys/net/ipv4/ip_forward
1
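The session above shows /etc/sysctl.conf still reading 0 while /proc/sys reports 1: sysctl -w changes only the running kernel, and only the entry in the file is what sysctl -p reloads after a reboot. The following script is an added example, not part of the original post (the function names sysctl_key_to_path and sysctl_conf_drift are our own); it maps dotted keys to /proc/sys paths as described in the first section and reports every key whose persisted value differs from the live one, so that drift is caught before a reboot silently reverts a setting.

```shell
#!/bin/sh
# Added example (not from the original post): compare the values persisted in a
# sysctl.conf-style file against what the running kernel exposes under /proc/sys
# and report drift. Function names are our own, not part of sysctl(8).

# Map a sysctl key to its /proc/sys path, e.g. net.ipv4.ip_forward ->
# /proc/sys/net/ipv4/ip_forward. Keys already written with '/' (the form
# sysctl(8) accepts for names that themselves contain a dot, such as a VLAN
# interface eth0.100) are used unchanged. $2 overrides the root for testing.
sysctl_key_to_path() {
    root=${2:-/proc/sys}
    case "$1" in
        */*) printf '%s/%s\n' "$root" "$1" ;;
        *)   printf '%s/%s\n' "$root" "$(printf '%s' "$1" | tr '.' '/')" ;;
    esac
}

# Walk a sysctl.conf file ($1), skipping blanks and comments, and compare each
# "key = value" with the live value. Multi-field values (ip_local_port_range)
# are tab-separated in procfs, so whitespace is normalised on both sides.
# Prints one line per mismatch; returns 0 if all match, 1 otherwise.
sysctl_conf_drift() {
    conf=$1; root=${2:-/proc/sys}; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*) continue ;;          # blank line or comment
            *=*) ;;
            *) continue ;;                     # not a key = value line
        esac
        # a leading '-' in sysctl.conf means "ignore errors"; strip it from the key
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*-*//; s/[[:space:]]*=.*//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr -s '\t ' ' ')
        path=$(sysctl_key_to_path "$key" "$root")
        if [ ! -r "$path" ]; then
            printf '%s: not present under %s\n' "$key" "$root"; rc=1; continue
        fi
        live=$(tr -s '\t ' ' ' < "$path")
        [ "$live" = "$val" ] || { printf '%s: file=%s running=%s\n' "$key" "$val" "$live"; rc=1; }
    done < "$conf"
    return $rc
}

# Stand-alone use: sh sysctl_drift.sh /etc/sysctl.conf
if [ $# -gt 0 ]; then sysctl_conf_drift "$1"; fi
```

Run it after any sysctl -w and again after editing the file; a clean exit (0) means the persisted configuration and the running kernel agree.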
(2) The /etc/sysctl.conf file
# rpm -qa | grep kernel
kernel-2.6.18-411.el5
kernel-2.6.18-194.el5
kernel-headers-2.6.18-411.el5
kernel-2.6.18-411.el5 : the kernel package
kernel-headers-2.6.18-411.el5 : kernel source code (e.g. needed when installing a driver that has to be compiled)
# yum -y install kernel-doc
-> output omitted
# rpm -ql kernel-doc | grep sysctl
/usr/share/doc/kernel-doc-2.6.18/Documentation/networking/ip-sysctl.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/networking/ipvs-sysctl.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/README
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/abi.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/fs.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/kernel.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/sunrpc.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/vm.txt
■ /etc/sysctl.conf example file
# The following is suitable for dedicated web server, mail, ftp server etc.
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# --------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2

########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0

# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1

# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0

# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0

# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0

# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0

#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0

#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0

# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1

########## IPv6 networking ends ##############

#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# TCP and memory optimization
# increase TCP max buffer size setable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608

# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1

# increase system file descriptor limit
fs.file-max = 65535

#Allow for more PIDs
kernel.pid_max = 65536

#Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
Reference site
http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/