Workaround against "nf_conntrack … dropping packets error" and "Denial of Service" attacks from internal network

Ansible Admin 2016-01-27 11:45:13 +01:00
parent 38c75df195
commit 8fb715dcdf
2 changed files with 22 additions and 0 deletions


@ -1,4 +1,5 @@
#!/bin/sh #!/bin/sh
# Version 1.7
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }} curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
@ -53,6 +54,16 @@ done
sleep 5 sleep 5
# Fixing the nf_conntrack … dropping packets error
# hashsize = nf_conntrack_max / 4
sysctl -w net.netfilter.nf_conntrack_max=131072
echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
# Against Denial of Service attacks from internal network
# Check with: sysctl -a | grep conntrack | grep timeout
sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
# restart bird # restart bird
/bin/systemctl start bird /bin/systemctl start bird
/bin/systemctl start bird6 /bin/systemctl start bird6
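Review bot: The two timeout writes use the legacy `net.ipv4.netfilter.ip_conntrack_*` compatibility names while the line just above sets the current `net.netfilter.nf_conntrack_max`; the compat names are deprecated and absent on newer kernels, so on such a host both `sysctl -w` calls fail and the 240s/54000s limits never take effect, while the script (`#!/bin/sh`, no `set -e`) carries on and starts bird as if the hardening had applied. Use the current keys consistently: `sysctl -w net.netfilter.nf_conntrack_generic_timeout=240` and `sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=54000`. The comment block should also record what is being overridden and why, e.g. `# Shorten the established-TCP timeout (kernel default is 432000s/5 days) so entries left by dead internal clients expire before the table fills`, since the bare numbers give a future maintainer no way to judge them. The surrounding script continues outside this hunk.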


@ -1,4 +1,5 @@
#!/bin/sh #!/bin/sh
# Version 1.7
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }} curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
@ -48,6 +49,16 @@ done
sleep 5 sleep 5
# Fixing the nf_conntrack … dropping packets error
# hashsize = nf_conntrack_max / 4
sysctl -w net.netfilter.nf_conntrack_max=131072
echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
# Against Denial of Service attacks from internal network
# Check with: sysctl -a | grep conntrack | grep timeout
sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
# Start tunneldigger # Start tunneldigger
/bin/systemctl restart tunneldigger /bin/systemctl restart tunneldigger
/bin/systemctl enable tunneldigger /bin/systemctl enable tunneldigger
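Review bot: `echo 32768 > /sys/module/nf_conntrack/parameters/hashsize` and the `nf_conntrack_max` sysctl assume the conntrack module is already loaded, which a boot-time script cannot rely on; if it is not, the sysfs path does not exist, the redirect and sysctl fail, and under `#!/bin/sh` without `set -e` the script silently goes on to restart tunneldigger with the default table size — the very condition this commit is meant to cure. Load and verify first, e.g. `modprobe nf_conntrack || echo "nf_conntrack not loaded, skipping tuning" >&2` and `[ -w /sys/module/nf_conntrack/parameters/hashsize ] && echo 32768 > /sys/module/nf_conntrack/parameters/hashsize`, so a failure is at least visible in the boot log. This ten-line block is duplicated verbatim in both changed scripts; since they are Ansible templates (`{{ sn_hostname }}`), a single managed `/etc/sysctl.d/` drop-in plus a shared hashsize step would keep the two hosts from drifting. The enclosing script continues beyond this hunk.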