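#!/sbin/sh
# This script was created by Michael Holve, August 1, 2004 for...
# Everything Solaris, http://everythingsolaris.org
#
# v0.2, August 2004 - Solaris 8 tested
# v0.1, March 2001 - Solaris 7 tested
#
# THIS SCRIPT COMES WITHOUT WARRANTY - USE AT YOUR OWN RISK!
#
# If you run primarily Web services on your system such as Apache, Zeus, thttpd
# or others, this script will open up the TCP/IP stack for heavy TCP/IP traffic
# and cut down on performance-robbing, conservative out-of-the-box values. Also
# tune the system TCP/IP parameters for higher security against hacking and DDoS
# attacks.
#
# This information has been derived from countless sources on the Web including
# articles, personal pages, documentation from Sun, Apache and BEA, Inc.
#
# Place script in /etc/init.d and link to it in /etc/rc2.d (e.g. S99tune_tcp)
#
# ndd(1M) settings are not persistent across reboots, which is why this runs
# from rc2.d. The script is written for the Solaris Bourne shell (/sbin/sh):
# no $(...), no local, no [[ ]].

# Path to ndd(1M). Overridable from the environment so the helper below can
# be exercised without a Solaris kernel.
NDD=${NDD:-/usr/sbin/ndd}

# Set to 1 by set_param when any tunable could not be applied.
failures=0

#######################################
# Apply one ndd(1M) tunable and report failure on stderr instead of
# silently moving on (a boot-time script has no interactive reader, so
# a failed hardening step would otherwise go unnoticed).
# Globals:   NDD (read), failures (written)
# Arguments: $1 - driver node, e.g. /dev/tcp
#            $2 - parameter name
#            $3 - value
# Outputs:   one diagnostic line on stderr when ndd fails
# Returns:   0 on success, 1 when ndd failed
#######################################
set_param() {
  if "$NDD" -set "$1" "$2" "$3"; then
    return 0
  fi
  echo "tune_tcp: failed to set $1 $2 = $3" 1>&2
  failures=1
  return 1
}

# Say "hello" during boot to know it's running
echo "Tuning TCP/IP parameters..."

# The TCP send and receive spaces directly affect the TCP window size
# parameter. An increased window size will allow for more efficient transfers,
# particularly bulk transfers such as FTP and HTTP. The default for each is
# not optimal, and should be increased to 32768 bytes. This value should not
# be increased above 64K bytes unless the implications of RFC1323 and RFC2018
# are fully understood and support for both is enabled.
#
# Do not enable RFC1323 without also enabling support for RFC2018. Remember,
# pipe drain is a Bad Thing[tm].
#
# BEA (Weblogic) recommends 131072 for both. Might use 32767 typically.
#
set_param /dev/tcp tcp_xmit_hiwat 65534
set_param /dev/tcp tcp_recv_hiwat 65534
#set_param /dev/tcp tcp_cwnd_max 65534

# On a busy web server, many sockets may linger in the TIME_WAIT state. This
# is caused by improperly coded client applications that do not properly shut
# down a socket. This can also be used as a type of DDoS attack.
#
# This parameter affects the amount of time a TCP socket will remain in the
# TIME_WAIT state. The default is quite high for a busy web server, so it
# should be lowered to 60000 milliseconds (60 seconds). The parameter name
# was corrected in Solaris 7 and higher. Prior to Solaris 7, the parameter
# was incorrectly labeled as tcp_close_wait_interval.
#
# Default is 240000. You may also try 30000.
#
# tcp_ip_abort_interval is set alongside it; this appears to bound how long
# an established connection keeps retransmitting before it is dropped, which
# frees resources held by unresponsive peers sooner -- confirm against the
# tunables documentation for your release before relying on that reading.
#
set_param /dev/tcp tcp_time_wait_interval 60000
set_param /dev/tcp tcp_ip_abort_interval 60000

# While great effort is undertaken to defend any network from those with
# malicious intent, several ports (largely TCP) must remain open to conduct
# business. Internet vandals may attempt to exploit these ports to launch a
# denial of service attack. One of the most popular attacks remains the SYN
# flood, wherein the socket queue of the attacked host is overwhelmed with
# bogus connection requests. To defend against such attacks, certain UNIX
# variants maintain separate queues for inbound socket connection requests.
# One queue is for half-open sockets (SYN received, SYN|ACK sent), the other
# queue for fully-open sockets awaiting an accept() call from the application.
# These two queues should be increased so that an attack of low to moderate
# intensity will have little to no effect on the stability or availability of
# the server. Deeper queues only buy time; they do not stop a sustained flood
# and should be paired with upstream filtering.
#
# Default is 128 and 1024
#
# BEA (Weblogic) recommends 16385 for both. Commented lines more reasonable.
#
#set_param /dev/tcp tcp_conn_req_max_q 1024
#set_param /dev/tcp tcp_conn_req_max_q0 4096
set_param /dev/tcp tcp_conn_req_max_q 16384
set_param /dev/tcp tcp_conn_req_max_q0 16384

# A miscreant can use IP redirects to modify the routing table on a remote
# host. In a well-designed network, redirects to the end stations should not
# be required. Both the sending and accepting of redirects should be disabled.
#
# Default is 0 and 1
#
set_param /dev/ip ip_ignore_redirect 1
set_param /dev/ip ip_send_redirects 0

# It is possible for a miscreant to create a resource exhaustion or
# performance degradation by filling the IP route cache with bogus ARP
# entries. In Solaris, there are two parameters that govern the cleanup
# interval for the IP route cache. For unsolicited ARP responses, the
# parameter to be tuned is arp_cleanup_interval.
#
# Default is 30000
#
set_param /dev/arp arp_cleanup_interval 60000

# With source routing, an attacker can attempt to reach internal IP addresses -
# including RFC1918 addresses. It is important to disable the acceptance of
# source routed packets to prevent subtle probes of your internal networks.
#
# Default is 1
#
set_param /dev/ip ip_forward_src_routed 0

# Smurf attacks work by sending ICMP 8 0 (ECHO REQUEST) messages to a
# broadcast address from a spoofed address. Some IP stacks will respond, by
# default, to such messages. This should be disabled. Further, if the host is
# a firewall (router), it should not propagate directed broadcasts.
#
# Default is 1
#
set_param /dev/ip ip_respond_to_echo_broadcast 0

# There are two other broadcast probes that a miscreant could utilize against
# a network. The address mask query can be used to map out the size of the
# netblock, and set a range for further probes. The timestamp broadcast is
# another means of mapping and fingerprinting hosts.
#
# Default is 0 and 1. First commented line just for reference.
#
#set_param /dev/ip ip_respond_to_address_mask_broadcast 0
set_param /dev/ip ip_respond_to_timestamp_broadcast 0

# Summarise on stderr so a partial failure is visible in the boot log even
# though individual ndd errors may have scrolled past.
if [ "$failures" -ne 0 ]; then
  echo "tune_tcp: WARNING - one or more TCP/IP parameters were not applied" 1>&2
fi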