NatureNMoon
- Jul 8, 2016
Hello guys,
Sysctl.conf is a file which can help you with preventing DDoS attacks. While using sysctl.conf, you can prevent many attacks, for example ICMP attacks (I have mentioned this below). Sysctl.conf may help you better than iptables. It has a rate of 5,000,000 packets per second (it is 5 times better than iptables). However, this rate depends on the RAM, CPU, storage, NIC, operating system and kernel version of your machine.
Here is the sysctl.conf bash script:
Bash:
#!/bin/bash
# Daniel Q. - Nature N Moon - R4P3.NET
# This script will add some commands to your sysctl.conf to prevent the (D)DoS attacks.
# Use this command to start this script "chmod +x r4p3-sysctl.sh && ./r4p3-sysctl.sh"
# There may be some errors which should be about your kernel version or the other things, just ignore it, it will not be a big deal :)
# The script appends to /etc/sysctl.conf, so it has to run as root.
[ "$(id -u)" -eq 0 ] || { echo "Run this script as root."; exit 1; }
echo "NATURE N MOON - R4P3.NET - SYSCTL.CONF HAS BEEN SUCCESSFULLY STARTED!"
sleep 5
# Each key is appended once (the timeout keys were listed twice before).
# net.netfilter.nf_conntrack_count is a read-only counter and is left out: "sysctl -p" cannot set it.
cat >> /etc/sysctl.conf <<'EOF'
net.netfilter.nf_conntrack_acct = 0
net.netfilter.nf_conntrack_buckets = 65536
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_dccp_loose = 1
net.netfilter.nf_conntrack_dccp_timeout_closereq = 64
net.netfilter.nf_conntrack_dccp_timeout_closing = 64
net.netfilter.nf_conntrack_dccp_timeout_open = 43200
net.netfilter.nf_conntrack_dccp_timeout_partopen = 480
net.netfilter.nf_conntrack_dccp_timeout_request = 240
net.netfilter.nf_conntrack_dccp_timeout_respond = 480
net.netfilter.nf_conntrack_dccp_timeout_timewait = 240
net.netfilter.nf_conntrack_events = 1
net.netfilter.nf_conntrack_expect_max = 1024
net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_helper = 0
net.netfilter.nf_conntrack_icmp_timeout = 20
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_max = 50000000
net.netfilter.nf_conntrack_sctp_timeout_closed = 10
net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3
net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3
net.netfilter.nf_conntrack_sctp_timeout_established = 432000
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30
net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3
net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 15
net.netfilter.nf_conntrack_tcp_timeout_established = 86400
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 15
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 15
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 15
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 15
net.netfilter.nf_conntrack_timestamp = 0
net.netfilter.nf_conntrack_udp_timeout = 10
net.netfilter.nf_conntrack_udp_timeout_stream = 15
net.netfilter.nf_log.0 = NONE
net.netfilter.nf_log.1 = NONE
net.netfilter.nf_log.2 = NONE
net.netfilter.nf_log.3 = NONE
net.netfilter.nf_log.4 = NONE
net.netfilter.nf_log.5 = NONE
net.netfilter.nf_log.6 = NONE
net.netfilter.nf_log.7 = NONE
net.netfilter.nf_log.8 = NONE
net.netfilter.nf_log.9 = NONE
net.netfilter.nf_log.10 = NONE
net.netfilter.nf_log.11 = NONE
net.netfilter.nf_log.12 = NONE
net.netfilter.nf_log_all_netns = 0
EOF
sysctl -p
sleep 5
echo "NATURE N MOON - R4P3.NET - SYSCTL.CONF HAS BEEN SUCCESSFULLY DONE!"
How to use?
Put the bash script into a file called "r4p3-sysctl.sh" and use the command line below to start the bash script.
Code:
chmod +x r4p3-sysctl.sh && ./r4p3-sysctl.sh   # run as root; +x is enough, the script should not be world-writable
How to disable ICMP (optional)
I didn't add the rule blocking ICMP packets into the bash script. If you want to block ICMP traffic, you can use the command line below:
Code:
echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf && sysctl -p
The sysctl.conf in the attachment is from a firewall I developed for a hospital in 2018. I would really like to share it with you. It may help you a lot.
(You can adapt that sysctl.conf to your interface. For example, where it refers to an interface called "enp12s0f0", you can change it to "eth0" or whatever yours is.)
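A practical companion to the script above, added here as an example and not part of the original post: before a list of "key = value" lines is appended to sysctl.conf, each key is looked up under /proc/sys so that keys this kernel does not provide, or cannot set (nf_conntrack_count is a read-only counter), are reported instead of making "sysctl -p" fail later. The optional second argument, which replaces /proc/sys with another directory, is an assumption made so the function can be exercised against a constructed tree.

```shell
#!/bin/bash
# Added example (not from the original post): validate sysctl lines against
# the running kernel. A key a.b.c maps to /proc/sys/a/b/c: a missing file
# means the kernel or module (e.g. nf_conntrack) does not provide the key;
# a file without the owner write bit (mode 0444 in /proc/sys) is read-only.
# Usable lines go to stdout, problems to stderr; returns 0 only if all are usable.
# $2 (assumption for testing) replaces /proc/sys with another directory tree.

check_sysctl_file() {
  local file="$1" root="${2:-/proc/sys}"
  local line key value path status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*|';'*) continue ;; esac   # skip blanks and comments
    key="${line%%=*}"; key="${key//[[:space:]]/}"      # "net.x.y = 1" -> net.x.y
    value="${line#*=}"; value="${value# }"
    path="$root/${key//./\/}"                          # dots -> path separators
    if [ ! -e "$path" ]; then
      printf 'MISSING   %s\n' "$key" >&2; status=1
    elif [ -z "$(find "$path" -prune -perm -200 2>/dev/null)" ]; then
      printf 'READ-ONLY %s\n' "$key" >&2; status=1     # no owner write bit
    else
      printf '%s = %s\n' "$key" "$value"
    fi
  done < "$file"
  return "$status"
}

# Usage (as root): keep only the keys this kernel accepts, then load them.
#   check_sysctl_file r4p3.conf > /etc/sysctl.d/90-r4p3.conf && sysctl --system
```

Writing the filtered result to a file under /etc/sysctl.d also avoids growing /etc/sysctl.conf with duplicate entries on every run.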