The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
You can use several kernel parameters (sysctls) to counteract common memory-corruption and network attacks. Each parameter, its permitted values, and its recommended setting are described below.
kernel.randomize_va_space
    controls Address Space Layout Randomization (ASLR), which makes the exploitation of buffer overflow and other memory-corruption bugs harder by placing code and data at unpredictable addresses; it does not prevent the overflow itself. A value of 0 disables ASLR, 1 randomizes the positions of the stack, the virtual dynamic shared object (VDSO) page, and mmap-based regions such as shared libraries and shared memory, and 2 additionally randomizes the position of the data segment (the brk-based heap). The default and recommended setting is 2. Note that the main executable image is only randomized for programs built as position-independent executables (PIE); a non-PIE binary is loaded at a fixed address regardless of this setting.
net.ipv4.conf.all.accept_source_route
    controls the handling of source-routed packets, in which the sender dictates the path the packet takes. Such packets might have been generated outside the local network and can be used to reach hosts or bypass filtering that the normal routing would not allow. A value of 0 rejects such packets, and 1 accepts them. The default and recommended setting is 0. Set net.ipv4.conf.default.accept_source_route to 0 as well so that interfaces created later inherit the setting.
net.ipv4.conf.all.rp_filter
    controls reverse-path filtering of received packets to counter IP address spoofing. A value of 0 disables source validation. A value of 1 enables strict mode (RFC 3704): a packet is dropped if the interface it arrived on is not the interface the routing table would use to reach its source address. A value of 2 enables loose mode: a packet is dropped only if its source address is not reachable through any interface at all. The default setting is 0. Strict mode (1) is the recommended setting for hosts with simple, symmetric routing. It can cause otherwise valid packets to be dropped if the local network topology is complex and replies arrive on a different interface than the one used to reach the sender (asymmetric routing); in that case use loose mode (2), which still rejects packets from unroutable source addresses. The kernel applies the higher of net.ipv4.conf.all.rp_filter and the per-interface net.ipv4.conf.<interface>.rp_filter value, so check both when a setting does not appear to take effect.
net.ipv4.icmp_echo_ignore_broadcasts
    controls whether ICMP echo requests sent to broadcast or multicast addresses are ignored, to protect against Smurf DoS attacks, in which an attacker sends echo requests to a broadcast address with the victim's spoofed source address so that every host on the network floods the victim with replies. A value of 1 ignores such requests, and 0 answers them. The default and recommended setting is 1.
net.ipv4.icmp_ignore_bogus_error_responses
    controls whether the kernel logs bogus ICMP error responses, such as those that some routers send in violation of RFC 1122 in reply to broadcast frames. A value of 1 silently ignores such responses, and 0 logs a kernel warning for each one, which an attacker can use to clutter the logs. The default and recommended setting is 1.
To change the value of a kernel parameter so that it persists across reboots, add the setting to /etc/sysctl.conf, for example:

    kernel.randomize_va_space = 2

and then run the sysctl -p command to load the file into the running kernel. To change a value immediately without editing the file, run sysctl -w with the same setting, for example sysctl -w kernel.randomize_va_space=2; such a change is lost at the next reboot unless it is also added to /etc/sysctl.conf. You can display the current value of a parameter with sysctl -n, for example sysctl -n kernel.randomize_va_space.
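The following audit script is an added example and is not part of the Oracle documentation or of any Oracle tool. It compares the parameters described above against the recommended values, reading either constructed sample output (embedded below so the script runs offline) or, when invoked with --live, the real values from sysctl(8). The recommended values table treats both strict (1) and loose (2) reverse-path filtering as acceptable, since the right choice depends on the host's routing; everything else follows the recommendations in the text.

```shell
#!/bin/sh
# Audit hardening sysctls against recommended values.
# Added example; not Oracle's code. Assumes a Linux host with sysctl(8) for
# the --live mode; the offline mode uses the constructed SAMPLE below.

# Recommended values: "<key> <accepted>", where <accepted> is a comma-separated
# list of acceptable values. rp_filter accepts 1 (strict) or 2 (loose, for
# asymmetric routing); 0 disables source validation and is reported as WEAK.
RECOMMENDED='kernel.randomize_va_space 2
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.rp_filter 1,2
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1'

# Constructed sample of "sysctl" output for a host with two weak settings:
# ASLR reduced to 1 and reverse-path filtering disabled. ip_forward is present
# to show that keys outside the table are skipped rather than misreported.
SAMPLE='kernel.randomize_va_space = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0'

# recommended_value KEY -> prints the accepted value list for KEY, or nothing.
recommended_value() {
    printf '%s\n' "$RECOMMENDED" | awk -v k="$1" '$1 == k { print $2 }'
}

# check_setting KEY CURRENT -> prints "ok", "WEAK", or "unknown" (key not in table).
check_setting() {
    want=$(recommended_value "$1")
    if [ -z "$want" ]; then
        echo unknown
        return 0
    fi
    case ",$want," in
        *",$2,"*) echo ok ;;
        *)        echo WEAK ;;
    esac
}

# audit_text TEXT -> parses "key = value" lines (the format sysctl prints and
# /etc/sysctl.conf uses) and prints one report line per key in the table.
audit_text() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*\([a-z0-9._]*\)[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1 \2/p' |
    while read -r key value; do
        status=$(check_setting "$key" "$value")
        [ "$status" = unknown ] && continue
        echo "$status $key current=$value accepted=$(recommended_value "$key")"
    done
}

# count_weak TEXT -> prints the number of settings that fail the check.
count_weak() {
    audit_text "$1" | awk '/^WEAK/ { n++ } END { print n + 0 }'
}

# audit_live -> queries the running kernel for every key in the table.
audit_live() {
    keys=$(printf '%s\n' "$RECOMMENDED" | awk '{ print $1 }')
    # shellcheck disable=SC2086  # word splitting of $keys is intended
    audit_text "$(sysctl $keys 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    audit_text "$SAMPLE"
    echo "weak settings: $(count_weak "$SAMPLE")"
fi
```

Run the script with --live on a host to audit the running kernel; a non-zero count of WEAK lines means one or more of the values in the text should be corrected in /etc/sysctl.conf and reloaded with sysctl -p. Keys that the kernel does not expose (for example on a kernel without IPv4 networking compiled in) are simply absent from the sysctl output and produce no report line, so check that the expected number of lines appears.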