Well, after about 4 months of using Puppy Linux and Linux in general, I haven't remastered it or compiled any applications yet. But I have spent most of my time - regarding the security aspects - in particular the IPTABLES and firewall, which allows you to control a lot, and from the continued research and application thereof the upper limit of knowledge is almost -- practically limitless, at least for a newbie like me. Although I have enjoyed much success...
Forum member "Gn2" convinced me to go beyond just that knowledge - thanks.
If you are using a live PuppyCD you can make attempts to "tune your Kernel" without saving anything, as every reboot is a fresh OS, at least in my instance.
I have done a lot of tuning, although not perfected it yet, I have had some success and acquired great knowledge of the Linux system as a newbie.
There is a lot more to be said of how and why - on kernel tuning, my purpose and success as well as issues. Here is some info for those interested.
http://ipsysctl-tutorial.frozentux.net/ ... orial.html
Ipsysctl tutorial 1.0.4
Why this document
I started writing this documentation in the hopes that it would help people understand the IP options provided by Linux 2.4, and what you can do with these options. This is a plain text documentation, hoping to give the necessary understanding and help to configure your kernel on the fly, and to get it up and running in a way that suits you. A lot of these options can also be used to increase performance, as well as strengthen the security.
Intended audience & prerequisite knowledge
This document is intended for everyone with an intermediate through advanced understanding of TCP/IP as well as the Linux operating system. You should understand TCP/IP fairly well, as well as understand what a packet header is and what parts it consists of. You will also need a lot of understanding of routing and the core of TCP/IP networking.
In general, this document was not intended for the novice Linux user, but you may have some luck checking through this document if you are experiencing specific needs. Be absolutely 100% certain that you have understood the variables in question before you do change them though, since some of them may cause really interesting results.
http://gentoo-wiki.com/HOWTO_TCP_Tuning
http://linux-net.osdl.org/index.php/Ip-sysctl
examples: /proc/sys/net/ipv4
ip_forward
BOOLEAN 0 - disabled (default)
Forward Packets between interfaces. This variable is special, its change resets all configuration parameters to their default state (RFC1122 for hosts, RFC1812 for routers)
ip_default_ttl
INTEGER default 64
Even Better descriptions>>>
http://www-didc.lbl.gov/TCP-tuning/ip-sysctl-2.6.txt
/proc/sys/net/ipv4/* Variables:
example
tcp_fin_timeout - INTEGER
Time to hold socket in state FIN-WAIT-2, if it was closed
or even died unexpectedly. Default value is 60sec.
Usual value used in 2.2 was 180 seconds, you may restore
it, but remember that if your machine is even underloaded WEB server,
you risk to overflow memory with kilotons of dead sockets,
FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1,
because they eat maximum 1.5K of memory, but they tend
to live longer. Cf. tcp_max_orphans.
AND
NOTE THIS IS MISSING IN THE PUPPYOS.
tcp_syncookies - BOOLEAN
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
Send out syncookies when the syn backlog queue of a socket
overflows. This is to prevent against the common 'syn flood attack'
Default: FALSE
Note, that syncookies is fallback facility.
It MUST NOT be used to help highly loaded servers to stand
against legal connection rate. If you see synflood warnings
in your logs, but investigation shows that they occur
because of overload with legal connections, you should tune
another parameters until this warning disappear.
See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
syncookies seriously violate TCP protocol, do not allow
to use TCP extensions, can result in serious degradation
of some services (f.e. SMTP relaying), visible not by you,
but your clients and relays, contacting you. While you see
synflood warnings in logs not being really flooded, your server
is seriously misconfigured.
http://rootprompt.org/article.php3?article=903
Amateur Fortress Building in Linux
Part 1
http://www.gentoo.org/doc/en/security/s ... =printable
Kernel Security
http://www.cs.helsinki.fi/linux/linux-kernel/20
http://lists.netfilter.org/pipermail/ne ... /1716.html
http://www.samag.com/documents/s=8920/s ... /0311a.htm
Linux Kernel Tuning Using System Control
http://www.linuxforums.org/desktop/linu ... uning.html
Why tuning my system?
http://www.linuxforums.org/forum/linux- ... linux.html
-------------------------------
http://www.linux.com/guides/Linux-Files ... proc.shtml
/proc/sys/kernel/domainname, /proc/sys/kernel/hostname
"/proc is very special in that it is also a virtual filesystem. It's sometimes referred to as a process information pseudo-file system. It doesn't contain 'real' files but runtime system information (e.g. system memory, devices mounted, hardware configuration, etc). For this reason it can be regarded as a control and information centre for the kernel."
By altering files located in this directory you can even read/change kernel parameters (sysctl) while the system is running.
These files can be controlled to set the NIS domainname and hostname of your box. For the classic darkstar.frop.org a simple:
# echo "darkstar" > /proc/sys/kernel/hostname
# echo "frop.org" > /proc/sys/kernel/domainname
would suffice to set your hostname and NIS domainname.
/proc/sys/kernel/osrelease, /proc/sys/kernel/ostype, /proc/sys/kernel/version
The names make it pretty obvious what these fields contain:
# cat /proc/sys/kernel/osrelease
2.2.12
# cat /proc/sys/kernel/ostype
Linux
# cat /proc/sys/kernel/version
#4 Fri Oct 1 12:41:14 PDT 1999
The files osrelease and ostype should be clear enough. Version needs a little more clarification. The #4 means that this is the 4th kernel built from this source base and the date after it indicates the time the kernel was built. The only way to tune these values is to rebuild the kernel.
______________
"if you're not the lead dog the view is always the same"
Kernel and TCP Tuning
Last edited by Mic67 on Wed 14 Feb 2007, 03:19, edited 1 time in total.
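Added example, not part of the original post or the documents it quotes: a small shell audit of the /proc/sys/net/ipv4 entries excerpted above, which reports a missing tcp_syncookies file instead of failing on it. The policy values and the function names check_one and audit_ipv4 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the ipv4 sysctls quoted above.
# The policy values are assumptions of this example, not settings taken from
# the quoted documents: ip_forward off on a host, syncookies on, and a
# FIN-WAIT-2 hold time no longer than the documented 60 second default.
POLICY='ip_forward eq 0
tcp_syncookies eq 1
tcp_fin_timeout le 60'

# check_one ROOT NAME OP WANT: print one status line.
# Returns 0 = ok, 1 = value differs from policy, 2 = file missing/unreadable.
check_one() {
    file="$1/$2"
    if [ ! -r "$file" ]; then
        # tcp_syncookies is absent when the kernel lacks CONFIG_SYNCOOKIES.
        echo "MISSING $2"
        return 2
    fi
    have=$(cat "$file")
    case $have in
        ''|*[!0-9]*) echo "UNPARSED $2=$have"; return 1 ;;
    esac
    case $3 in
        eq) [ "$have" -eq "$4" ] ;;
        le) [ "$have" -le "$4" ] ;;
        *)  false ;;
    esac && { echo "OK $2=$have"; return 0; }
    echo "DIFFERS $2=$have (policy: $3 $4)"
    return 1
}

# audit_ipv4 ROOT: check every policy line; return the number of findings.
audit_ipv4() {
    findings=0
    while read -r name op want; do
        check_one "$1" "$name" "$op" "$want" || findings=$((findings + 1))
    done <<EOF
$POLICY
EOF
    return "$findings"
}

# Live run: pass a directory to audit a copy instead of the running kernel.
audit_ipv4 "${1:-/proc/sys/net/ipv4}" || echo "findings: $?"
```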
With POWER comes responsibility - (Careful) - you may be in danger of hatching EGGDROPS
Combine w/ new TOR
Code:
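# Show the previous, current and next month
cal -3
# List each account name with its comment (GECOS) field, sorted
awk -F: '{print $1 "," $5}' /etc/passwd | sort
# Follow the web log; drop port-80 traffic from any client whose log line matches mambo, xmlrpc.php or drupal
tail --follow=name /var/log/httpd/access_log | awk '/mambo|xmlrpc.php|drupal/ \
{ system("iptables -A INPUT -p tcp --dport 80 --source " $1 " -j DROP") }'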
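Added example, not the poster's code: a stricter take on the log watcher above that matches only the request path, lets nothing but a dotted-quad address reach the iptables command line, and emits one rule per address. The function name block_cmds and the sample log lines are constructed for this example; it prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not the poster's code): select clients to block from an
# access log and print the iptables commands instead of executing them,
# so the selection can be reviewed first. block_cmds is a hypothetical name.
block_cmds() {
    awk '
    # Field 7 is the request path in common/combined log format; matching it
    # alone keeps a Referer or User-Agent string from triggering a block.
    $7 ~ /mambo|xmlrpc\.php|drupal/ {
        ip = $1
        # Only a dotted quad of digits may reach the command line. With
        # HostnameLookups on, field 1 is a reverse-DNS name, not an address.
        n = split(ip, o, ".")
        ok = (n == 4 && ip ~ /^[0-9.]+$/)
        for (i = 1; ok && i <= 4; i++)
            if (o[i] == "" || o[i] + 0 > 255) ok = 0
        # Skip rejected input, and addresses that already produced a rule.
        if (!ok || seen[ip]++) next
        print "iptables -A INPUT -p tcp --dport 80 --source " ip " -j DROP"
    }'
}

# Constructed sample lines (documentation addresses, invented requests).
SAMPLE='192.0.2.10 - - [14/Feb/2007:03:19:00 +0000] "GET /xmlrpc.php HTTP/1.0" 404 210
192.0.2.10 - - [14/Feb/2007:03:19:01 +0000] "GET /mambo/index.php HTTP/1.0" 404 210
198.51.100.7 - - [14/Feb/2007:03:19:02 +0000] "GET /index.html HTTP/1.0" 200 512 "http://example.org/drupal" "-"
scanner.example.net - - [14/Feb/2007:03:19:03 +0000] "GET /drupal/ HTTP/1.0" 404 210'

# Two hits from one address yield one rule; the Referer-only match and the
# hostname entry yield none.
printf '%s\n' "$SAMPLE" | block_cmds
```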