Setting kernel parameters with sysctl

The traditional method that you'll see in older Linux textbooks is to echo a value into a /proc parameter. This doesn't directly work with sudo, because the output redirection is performed by your own unprivileged shell before sudo ever runs, so you'll need to use sudo bash -c to run the whole command, redirection included, as root. Here, you can see me changing the value for the icmp_echo_ignore_all parameter:

[donnie@localhost ~]$ sudo bash -c "echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_all"
[donnie@localhost ~]$ cat /proc/sys/net/ipv4/icmp_echo_ignore_all
1
[donnie@localhost ~]$

With the value set to 1, this machine will now ignore all ping packets, regardless of how the firewall is configured. Any value you set like this is temporary and will go back to its default setting when you reboot the machine.

Next in the list after this one is the icmp_echo_ignore_broadcasts setting, which looks as follows:

[donnie@localhost ipv4]$ cat icmp_echo_ignore_broadcasts
1
[donnie@localhost ipv4]$

It's already enabled by default, so out of the box, Linux won't answer ICMP echo requests sent to a broadcast address, which makes it immune to the Denial-of-Service (DoS) attacks that rely on ICMP broadcast flooding.

Configuring /proc parameters with echo is old hat, and personally, I don't like to do it. It's better to use sysctl, which is the more modern way of doing business. It's easy to use, and you can read all about it in the sysctl man page.

To see a list of all the parameter settings, just do the following:

[donnie@localhost ~]$ sudo sysctl -a
abi.vsyscall32 = 1
crypto.fips_enabled = 1
debug.exception-trace = 1
debug.kprobes-optimization = 1
dev.hpet.max-user-freq = 64
dev.mac_hid.mouse_button2_keycode = 97
dev.mac_hid.mouse_button3_keycode = 100
dev.mac_hid.mouse_button_emulation = 0
dev.raid.speed_limit_max = 200000
dev.raid.speed_limit_min = 1000
dev.scsi.logging_level = 0
fs.aio-max-nr = 65536
. . .
. . .

To set a parameter, use the -w option to write the new value. The trick to this is that the forward slashes in the directory path are replaced by dots, and you ignore the /proc/sys part of the path. So, to change the icmp_echo_ignore_all value back to 0, we'll do this:

[donnie@localhost ~]$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0
net.ipv4.icmp_echo_ignore_all = 0
[donnie@localhost ~]$

In this case, the change is permanent because I'm just changing the parameter back to its default setting. Normally, though, any changes we make like this only last until we reboot the machine. Sometimes, that's okay, but sometimes, we might need to make the changes permanent.
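Because a value written with echo or sysctl -w lasts only until the next reboot, it's worth having a small check that compares what the kernel is actually using against the value you expect. The script below is an added example, not code from the book: it converts between /proc/sys paths and sysctl key names using exactly the rule just described (drop /proc/sys, turn slashes into dots), reads the live value without root (reading /proc/sys is unprivileged), and reports drift. The PROC_SYS_ROOT variable, the --check flag and the function names are my own assumptions, chosen so the same functions can be pointed at a constructed test tree.

```shell
#!/bin/sh
# Added example (not from the book): map /proc/sys paths to sysctl keys and
# back, read the live value, and flag any drift from an expected baseline.
# PROC_SYS_ROOT is an assumed variable; it defaults to the real /proc/sys but
# can be pointed at a constructed directory tree for testing.
PROC_SYS_ROOT="${PROC_SYS_ROOT:-/proc/sys}"

# /proc/sys/net/ipv4/icmp_echo_ignore_all -> net.ipv4.icmp_echo_ignore_all
# (a path without the /proc/sys/ prefix is accepted as well).
proc_to_sysctl_key() {
    rel="${1#/proc/sys/}"
    printf '%s\n' "$rel" | tr '/' '.'
}

# net.ipv4.icmp_echo_ignore_all -> $PROC_SYS_ROOT/net/ipv4/icmp_echo_ignore_all
# Caveat: a key whose last component itself contains dots (for example a
# VLAN interface name under net.ipv4.conf) cannot be mapped this way; sysctl
# accepts slashes as separators for those, and so does this script's caller.
sysctl_key_to_proc_path() {
    printf '%s/%s\n' "$PROC_SYS_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}

# Read the current value; no root needed, since /proc/sys is world-readable.
read_sysctl() {
    cat "$(sysctl_key_to_proc_path "$1")"
}

# Return 0 when the live value matches, 1 on drift, 2 if the key can't be read.
check_sysctl() {
    key="$1"
    expected="$2"
    actual="$(read_sysctl "$key")" || return 2
    if [ "$actual" = "$expected" ]; then
        printf 'OK    %s = %s\n' "$key" "$actual"
        return 0
    fi
    printf 'DRIFT %s = %s (expected %s)\n' "$key" "$actual" "$expected"
    return 1
}

# Usage: sh sysctl_check.sh --check
# Runs the baseline below against the live kernel and exits non-zero on drift,
# so it can sit in cron or a post-boot unit to catch settings lost on reboot.
if [ "${1:-}" = "--check" ]; then
    status=0
    check_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1 || status=1
    check_sysctl net.ipv4.icmp_echo_ignore_all 0 || status=1
    exit "$status"
fi
```

Run with --check after a reboot and a DRIFT line tells you which temporary setting was lost; the exit status makes it usable from a monitoring job. The baseline keys and values at the bottom are the two discussed in this section; add the rest of your hardening baseline in the same form.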
