How to optimize Plesk for Linux kernel to protect against SYN-Flood attacks

Comments

  • Sid (Edited)

    Under vz7 this does not work in a container.

    # sysctl -p
    sysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
    sysctl: cannot stat /proc/sys/net/ipv4/tcp_fin_timeout: No such file or directory
    sysctl: cannot stat /proc/sys/net/ipv4/tcp_window_scaling: No such file or directory
    sysctl: cannot stat /proc/sys/net/ipv4/tcp_sack: No such file or directory

  • Nikita Nikushkin

    Hi @Sid,

    I suppose your kernel does not have "tcp_syncookies", "tcp_fin_timeout", "tcp_window_scaling" and "tcp_sack" support enabled.

    Thus, the mentioned files are not present in the "/proc/sys/net/ipv4" folder, and you are unable to manage them.

    Please note that the provided solution is valid if the mentioned modules are already loaded and available for managing.

  • Raheel Ansari

    I have Plesk Onyx on CentOS 7, and when I try to edit /etc/sysctl.conf I see the following information in there. How would I set the parameters discussed in this thread?

     

    # sysctl settings are defined through files in
    # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
    #
    # Vendors settings live in /usr/lib/sysctl.d/.
    # To override a whole file, create a new file with the same in
    # /etc/sysctl.d/ and put new settings there. To override
    # only specific settings, add a file with a lexically later
    # name in /etc/sysctl.d/ and put new settings there.
    #
    # For more information, see sysctl.conf(5) and sysctl.d(5).

  • Alexey Lapshin

    Hello Raheel,

    Just add the mentioned parameters at the bottom of the "/etc/sysctl.conf" file.

  • Raheel Ansari

    Thank you, Alexey. I was under a SYN flood attack for a week when I posted this question. Can you or another member explain what these settings mentioned in this post mean?

    Secondly, how do I know these settings are applied or working?

    # Enable TCP SYN cookie protection
    net.ipv4.tcp_syncookies = 1
    # Decrease the time default value for tcp_fin_timeout connection
    net.ipv4.tcp_fin_timeout = 3
    # Turn off the tcp_window_scaling
    net.ipv4.tcp_window_scaling = 0
    # Turn off the tcp_sack
    net.ipv4.tcp_sack = 0

  • Alexey Lapshin

    Hello Raheel,

    The parameters specified in /etc/sysctl.conf define settings of the system kernel to protect against a SYN-Flood attack.
    Lines which begin with a # are considered comments and ignored.
    For the detailed definition of these parameters, please refer to the official documentation: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

    If the last command in the article, "# sysctl -p", was executed with no issues, that means that the values of the aforementioned parameters are applied.

  • Raheel Ansari

    Thank you for that explanation. I do have an understanding of code. It would be great for myself and for future readers if you could please elaborate on what each of the following means:

    #Enable TCP SYN cookie protection
    net.ipv4.tcp_syncookies = 1
    # Decrease the time default value for tcp_fin_timeout connection
    net.ipv4.tcp_fin_timeout = 3
    # Turn off the tcp_window_scaling
    net.ipv4.tcp_window_scaling = 0
    # Turn off the tcp_sack
    net.ipv4.tcp_sack = 0

  • Daria Gavrilova

    Hello @Raheel Ansari,

    Thank you for your input.

    The mentioned definitions have the following meanings:
    tcp_syncookies - Only valid when the kernel was compiled with CONFIG_SYN_COOKIES. Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'SYN flood attack'.

    tcp_fin_timeout - The length of time an orphaned (no longer referenced by any application) connection will remain in the FIN_WAIT_2 state before it is aborted at the local end.

    tcp_window_scaling - Enable window scaling as defined in RFC1323.

    tcp_sack - Enable select acknowledgments (SACKS).

    To find the detailed definition of parameters, which can be found in /etc/sysctl.conf, please refer to the official documentation: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

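Added example, not part of the thread or of the Plesk article: one way to check whether the settings discussed above are actually in effect, and to detect the container case from the first comment where the files under /proc/sys are absent. The function name `check_sysctl_conf` and its second argument `proc_root` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): compare a sysctl-style file with the
# values the running kernel exposes. proc_root is a hypothetical parameter that
# defaults to /proc/sys; it exists so the check can run against a test tree.
check_sysctl_conf() {
    conf=${1:-/etc/sysctl.conf}
    root=${2:-/proc/sys}
    # Strip leading whitespace, then drop comment (# or ;) and blank lines.
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' -e '/^$/d' "$conf" | (
        rc=0
        while IFS='=' read -r key want || [ -n "$key" ]; do
            key=$(printf '%s' "$key" | tr -d '[:space:]')
            [ -n "$key" ] || continue
            # Normalise whitespace so "1", " 1" and tab-separated lists compare equal.
            want=$(printf '%s' "$want" | tr -s '[:space:]' ' ' | sed -e 's/^ //' -e 's/ $//')
            # net.ipv4.tcp_syncookies -> <root>/net/ipv4/tcp_syncookies
            path=$root/$(printf '%s' "$key" | tr . /)
            if [ ! -e "$path" ]; then
                # The case in the first comment: the file is absent, so
                # "sysctl -p" reports "cannot stat" for this key.
                printf 'MISSING  %s: %s not present\n' "$key" "$path"
                rc=1
                continue
            fi
            have=$(tr -s '[:space:]' ' ' < "$path" | sed -e 's/^ //' -e 's/ $//')
            if [ "$have" = "$want" ]; then
                printf 'OK       %s = %s\n' "$key" "$have"
            else
                printf 'MISMATCH %s: running=%s configured=%s\n' "$key" "$have" "$want"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Run as a script: sh check_sysctl.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then
    check_sysctl_conf "$@"
fi
```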
