in this case i altered through the /proc file system or by using sysctl coz many kernel parameters can be altered through the /proc file system or by using sysctl.
Deactivate IP forwarding
#echo "0" > /proc/sys/net/ipv4/ip_forward
if you are not router Make sure that IP forwarding is turned off
Drop ping packets
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
sometimes many attacker identify host up with ping the ip,you can drop ping packets in order that your machine can’t respon the ping.
root@bsd:~# ping 192.168.182.250
PING 192.168.182.250 (192.168.182.250) 56(84) bytes of data.
_
Ignore broadcast pings
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
This disables response to ICMP broadcasts and will prevent Smurf attacks. The Smurf attack works by sending an ICMP type 0 (ping) message to the broadcast address of a network. Typically the attacker will use a spoofed source address. All the computers on the network will respond to the ping message and thereby flood the host at the spoofed source address.
Disable source routed packets
#echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
Do not accept source routed packets. Attackers can use source routing to generate traffic pretending to originate from inside your network, but that is actually routed back along the path from which it came, so attackers can compromise your network. Source routing is rarely used for legitimate purposes, so it is safe to disable it.
Disable redirect acceptance
#echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
Do not accept ICMP redirect packets. ICMP redirects can be used to alter your routing tables, possibly to a malicious end.
Protect against bad error messages
#echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
Enable protection against bogus error message responses.
Enable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*; do
/bin/echo "1" > $i/rp_filter
done
Turn on reverse path filtering. This helps make sure that packets use legitimate source addresses by automatically rejecting incoming packets if the routing table entry for their source address does not match the network interface they are arriving on. This has security advantages because it prevents IP spoofing. We need to enable it for each net/ipv4/conf/* otherwise source validation isn’t fully functional.
Log all spoofed, source routed and redirect packets
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
Log spoofed packets, source routed packets and redirect packets.
/*done*/
but after reboot his configuration are reset,so you must edit /etc/sysctl.conf
ex:
(Manual using echo):
#echo "0" > /proc/sys/net/ipv4/ip_forward
(Automatic in sysctl.conf:)
net.ipv4.ip_forward = 0
