The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
You can use several kernel parameters to counteract various kinds of attack.
kernel.randomize_va_space controls Address
Space Layout Randomization (ASLR), which can help defeat certain
types of buffer overflow attacks. A value of 0 disables ASLR, 1
randomizes the positions of the stack, virtual dynamic shared
object (VDSO) page, and shared memory regions, and 2 randomizes
the positions of the stack, VDSO page, shared memory regions,
and the data segment. The default and recommended setting is 2.
net.ipv4.conf.all.accept_source_route controls the handling of source-routed packets, which might have
been generated outside the local network. A value of 0 rejects
such packets, and 1 accepts them. The default and recommended
setting is 0.
net.ipv4.conf.all.rp_filter controls reversed-path filtering of received packets to counter IP
address spoofing. A value of 0 disables source validation, 1
causes packets to be dropped if the routing table entry for
their source address does not match the network interface on
which they arrive, and 2 causes packets to be dropped if source
validation by reversed path fails (see RFC 1812). The default
setting is 0. A value of 2 can cause otherwise valid packets to
be dropped if the local network topology is complex and RIP or
static routes are used.
net.ipv4.icmp_echo_ignore_broadcasts controls whether ICMP broadcasts are ignored to protect against Smurf DoS
attacks. A value of 1 ignores such broadcasts, and 0 accepts
them. The default and recommended setting is 1.
net.ipv4.icmp_ignore_bogus_error_responses controls whether bogus ICMP error message responses are ignored.
A value of 1 ignores such messages, and 0 accepts them. The
default and recommended setting is 1.
To change the value of a kernel parameter, add the setting to /etc/sysctl.conf, for example:
kernel.randomize_va_space = 1
and then run the sysctl -p command.
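An added example (not from the Oracle documentation): a POSIX shell function that compares the running kernel's values with the settings this page recommends, which is useful after running sysctl -p. The function name audit_sysctl, its optional root-directory argument and the --run switch are assumptions for illustration; the bogus-error parameter is checked under the kernel's name net.ipv4.icmp_ignore_bogus_error_responses.

```shell
#!/bin/sh
# Added example: audit live kernel settings against this page's recommendations.
# rp_filter is left out because the page states a default but no recommendation.
RECOMMENDED='kernel.randomize_va_space=2
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1'

# audit_sysctl [root]
#   root: directory holding the sysctl tree (defaults to /proc/sys; the
#         override is an assumption so a copied tree can be checked offline).
#   Prints one line per parameter and returns the number of parameters that
#   are unreadable or differ from the recommended value.
audit_sysctl() {
    root=${1:-/proc/sys}
    bad=0
    for entry in $RECOMMENDED; do
        key=${entry%%=*}      # text before the first "="
        want=${entry#*=}      # text after the first "="
        # kernel.randomize_va_space -> <root>/kernel/randomize_va_space
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            have=$(cat "$path")
        else
            have=unreadable
        fi
        if [ "$have" = "$want" ]; then
            echo "OK    $key = $have"
        else
            echo "DIFF  $key = $have (recommended $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Check the running kernel only when invoked with --run, so that sourcing
# this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    audit_sysctl
fi
```

A non-zero exit status is the count of deviating parameters, so the script can gate a configuration-management run or a monitoring check.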