
5.24. The kernel tunable parameters

With Red Hat Linux 6.2, every kernel parameter exposed under the /proc/sys directory of Linux can be configured at runtime. Red Hat Linux 6.2 also introduces the /etc/sysctl.conf file, which is read and loaded each time the system boots, so all such settings are now stored there. Make all modifications to /proc/sys through /etc/sysctl.conf: it gives better control, and its settings are applied before rc.local or any other user scripts run. The networking security options you must configure on your server, for both Red Hat Linux 6.1 and 6.2, are shown below.

5.24.1. Prevent your system responding to Ping

Version 6.1 only

Preventing your system from responding to ping requests can be a big improvement in your network security, since no one can ping your server and receive an answer. The TCP/IP protocol suite has a number of loopholes that allow an attacker to leverage techniques in the form of covert channels to surreptitiously pass data in otherwise benign packets. Preventing your server from responding to ping requests can help to minimize this problem. An...

            [root@deep] /#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
            
... should do the job, so that your system won't respond to ping on any interface. You can add this line to your /etc/rc.d/rc.local file so the command is set automatically when your system reboots. Not responding to pings would at least keep most "crackers" out, because they would never even know the system is there. To turn it back on, simply do this:

            [root@deep] /#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
            
You can add this line to your /etc/rc.d/rc.local file so the command is set automatically when your system reboots.

Version 6.2 only

Edit the /etc/sysctl.conf file and add the following line:

            # Enable ignoring ping request
            net.ipv4.icmp_echo_ignore_all = 1
            
You must restart your network for the change to take effect. To restart all network devices manually on your system, use the following command:

            [root@deep] /# /etc/rc.d/init.d/network restart
            

            Setting network parameters      [ OK ]
            Bringing up interface lo        [ OK ]
            Bringing up interface eth0      [ OK ]
            Bringing up interface eth1      [ OK ]
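Whichever method you use, the setting is only effective once the value in /proc/sys has actually changed. As an added example (not code from the guide), the following POSIX shell script compares the running kernel's /proc/sys values against every setting listed in a sysctl.conf-style file, which is the check to run after a reboot or network restart; the PROC_SYS override is an assumption introduced so the script can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the running kernel against
# a sysctl.conf-style file. A dotted key such as net.ipv4.icmp_echo_ignore_all
# maps to /proc/sys/net/ipv4/icmp_echo_ignore_all, so the check reads that file
# and compares it with the configured value. PROC_SYS is an assumed override so
# the check can run against a constructed directory tree instead of the live one.
PROC_SYS="${PROC_SYS:-/proc/sys}"
# norm: collapse runs of whitespace to one space and trim both ends, so that
# multi-field values such as "1024 65535" (tab-separated in /proc) compare reliably.
norm() { tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }
# key_to_path KEY: translate a dotted sysctl key into its /proc/sys file path.
# Keys whose last component itself contains dots (VLAN interface names) are not handled.
key_to_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr '.' '/')"
}
# audit_sysctl_conf FILE: print one line per setting that differs from the
# running kernel ("key expected=X actual=Y", or "key MISSING" when the kernel
# has no such tunable). Returns 0 when everything matches, 1 otherwise, 2 if
# FILE cannot be read.
audit_sysctl_conf() {
    [ -r "$1" ] || { printf 'cannot read %s\n' "$1" >&2; return 2; }
    # Strip comments and blank lines, then read "key = value" pairs. The loop
    # runs in a subshell, so its findings are collected through a variable.
    findings=$(sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$1" |
        while IFS='=' read -r key value; do
            key=$(printf '%s' "$key" | tr -d '[:space:]')
            value=$(printf '%s' "$value" | norm)
            path=$(key_to_path "$key")
            if [ ! -r "$path" ]; then
                printf '%s MISSING\n' "$key"
                continue
            fi
            actual=$(norm < "$path")
            if [ "$actual" != "$value" ]; then
                printf '%s expected=%s actual=%s\n' "$key" "$value" "$actual"
            fi
        done)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
# Usage: sh audit_sysctl.sh /etc/sysctl.conf
if [ $# -gt 0 ]; then
    audit_sysctl_conf "$1"
fi
```

Most /proc/sys files are world-readable, so the audit can run as an unprivileged user; only writing them requires root.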