Tutorial SYSCTL.CONF FOR PREVENTING ATTACKS

NatureNMoon

Restricted
Jul 8, 2016
Hello guys,

Sysctl.conf is a file which can help you with preventing DDoS attacks. While using sysctl.conf, you can prevent many attacks, for example ICMP attacks (I have mentioned these below). Sysctl.conf may help you better than iptables. It has a 5,000,000 packets per second rate (5 times better than iptables). However, this rate depends on the RAM, CPU, storage, NIC, operating system and kernel version of your machine.

Here is the sysctl.conf bash script:
Bash:
#!/bin/bash
# Daniel Q. - Nature N Moon - R4P3.NET
# This script appends some conntrack settings to your sysctl.conf to help prevent (D)DoS attacks.
# Start it with: chmod +x r4p3-sysctl.sh && ./r4p3-sysctl.sh
# There may be some errors, which should be about your kernel version or other things; just ignore them, it will not be a big deal :)

# Appending to /etc/sysctl.conf and running sysctl -p both need root.
if [ "$(id -u)" -ne 0 ]; then
    echo "Run this script as root." >&2
    exit 1
fi

echo "NATURE N MOON - R4P3.NET - SYSCTL.CONF HAS BEEN SUCCESSFULLY STARTED!"
sleep 5
echo 'net.netfilter.nf_conntrack_acct = 0' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_buckets = 65536' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_checksum = 1' >> /etc/sysctl.conf
# net.netfilter.nf_conntrack_count only reports the live number of tracked
# connections; it is read-only, so it is not written here.
# echo 'net.netfilter.nf_conntrack_count = 8668' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_dccp_loose = 1' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_dccp_timeout_closereq = 64' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_dccp_timeout_closing = 64' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_dccp_timeout_open = 43200' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_dccp_timeout_partopen = 480' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_dccp_timeout_request = 240' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_dccp_timeout_respond = 480' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_dccp_timeout_timewait = 240' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_events = 1' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_expect_max = 1024' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_generic_timeout = 300' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_helper = 0' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_icmp_timeout = 20' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_log_invalid = 0' >> /etc/sysctl.conf
# Very large table; the replies in this thread discuss sizing this together with the hashsize.
echo 'net.netfilter.nf_conntrack_max = 50000000' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_sctp_timeout_closed = 10' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_sctp_timeout_established = 432000' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_be_liberal = 0' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_loose = 0' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_max_retrans = 3' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_close = 10' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_close_wait = 15' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_established = 86400' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 10' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_last_ack = 10' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 15' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 15' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_time_wait = 15' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 15' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_timestamp = 0' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_udp_timeout = 10' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_udp_timeout_stream = 15' >> /etc/sysctl.conf
# Disable netfilter packet logging backends for every protocol family.
echo 'net.netfilter.nf_log.0 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.1 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.2 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.3 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.4 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.5 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.6 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.7 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.8 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.9 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.10 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.11 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log.12 = NONE' >> /etc/sysctl.conf
echo 'net.netfilter.nf_log_all_netns = 0' >> /etc/sysctl.conf
# Load the new values into the running kernel.
sysctl -p
sleep 5
echo "NATURE N MOON - R4P3.NET - SYSCTL.CONF HAS BEEN SUCCESSFULLY DONE!"

How to use?
Put the bash script into a file called "r4p3-sysctl.sh" and use the command line below to start it.
Code:
chmod +x r4p3-sysctl.sh && ./r4p3-sysctl.sh

How to disable ICMP (optional)
I didn't add a rule blocking ICMP packets to the bash script. If you want to block ICMP traffic, you can use the command line below:
Code:
echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf && sysctl -p

The sysctl.conf in the attachment is from a firewall I developed for a hospital in 2018. I would really like to share it with you; it may help you a lot.
(You can adapt that sysctl.conf to your own interface. For example, where it uses an interface called "enp12s0f0", you can change it to "eth0" or whatever yours is.)

Attachment: sysctl-conf-from-2018-by-nature-n-moon.txt
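Two things bite when a script like the one above is run more than once: the same key is appended to /etc/sysctl.conf again and again, and a read-only key such as net.netfilter.nf_conntrack_count makes sysctl complain every time the file is loaded. The following is an added example, not part of the original post or of the r4p3 script: it turns a list of "key = value" lines into a sysctl.d drop-in, keeps each key once (the last value wins) and comments out any key the running kernel does not expose as writable. The function names, the SAMPLE_SETTINGS list and the root-directory parameter are my own constructions.

```shell
#!/bin/sh
# Added example: render a sysctl.d drop-in from "key = value" lines,
# de-duplicating keys and skipping keys that are not writable below a
# /proc/sys-style root. Names and sample data are constructed.

# Constructed sample: a few keys from the thread's script, one of them
# repeated with a different value and one of them read-only.
SAMPLE_SETTINGS='net.netfilter.nf_conntrack_max = 50000000
net.netfilter.nf_conntrack_count = 8668
net.netfilter.nf_conntrack_tcp_timeout_established = 86400
net.netfilter.nf_conntrack_max = 524288
net.netfilter.nf_conntrack_tcp_loose = 0'

# Map a sysctl key to its file below the given root ($2):
# dots become path separators.
key_to_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr . /)"
}

# True when the key exists and is writable below the root.
# Against the real /proc/sys this is only meaningful as root; the kernel
# decides write access to sysctl files by their mode bits, so a 0444 key
# such as nf_conntrack_count fails the -w test even for root.
key_is_writable() {
    p=$(key_to_path "$1" "$2")
    [ -f "$p" ] && [ -w "$p" ]
}

# Read "key = value" lines on stdin; print each key once with its last
# value, in first-seen order, and comment out keys that are not writable.
render_dropin() {
    root=$1
    awk -F' *= *' 'NF == 2 {
            value[$1] = $2
            if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
        }
        END { for (i = 1; i <= n; i++) print order[i] " = " value[order[i]] }' |
    while IFS= read -r line; do
        key=${line%% =*}
        if key_is_writable "$key" "$root"; then
            printf '%s\n' "$line"
        else
            printf '# skipped (not writable on this kernel): %s\n' "$line"
        fi
    done
}

# Stand-alone run: render the sample against the real /proc/sys.
# Typical use:  render_dropin /proc/sys < settings.txt > /etc/sysctl.d/90-conntrack.conf
#               sysctl --system
printf '%s\n' "$SAMPLE_SETTINGS" | render_dropin /proc/sys
```

Writing to /etc/sysctl.d/ and loading with `sysctl --system` replaces the file on every run instead of growing /etc/sysctl.conf, and the commented-out lines show at a glance which keys the kernel in use does not accept.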

Asphyxia

Owner
Administrator
Apr 25, 2015
net.netfilter.nf_conntrack_count is read-only information; you don't set it.

And increasing the conntrack table is useless if you don't increase its hashsize :)
Do you have any example rules to share?
 

fourwind

New Member
Apr 21, 2019
For the hashsize? Depends on the distro...
Usually it's located in /sys/module/nf_conntrack/parameters/hashsize.
You cannot set it via sysctl, and it should be 1/4 of the conntrack max (which is ridiculously high in this script).

Personally I would recommend setting something like 512k for max_conntrack and 128k for hashsize; that should be more than fine for everyday use cases. If an attack still opens more requests, you probably can't handle it anyway, only via nftables.

Code:
echo 131072 > /sys/module/nf_conntrack/parameters/hashsize

Keep in mind that this is not reboot safe.
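To put the sizing rule from this reply into something checkable (hashsize about one quarter of nf_conntrack_max, e.g. 512k and 128k) and to make both settings survive a reboot, here is an added example that is not part of the post: it computes the recommended hashsize, compares it with the live values, and renders the two persistent pieces, a sysctl.d drop-in for nf_conntrack_max and an options line for /etc/modprobe.d that sets the hashsize module parameter (there is no sysctl key for it, as the reply says). The function names and the root-directory parameter that lets the checks run against a scratch tree are my own.

```shell
#!/bin/sh
# Added example: size the conntrack hash table from nf_conntrack_max
# (one quarter, per the reply above), compare with the live values, and
# render the files that keep both settings across reboots. Function names
# and the root-directory parameter are constructed for this example.

# Recommended hash buckets: nf_conntrack_max / 4 (integer division).
recommend_hashsize() {
    echo $(( $1 / 4 ))
}

# Live values. $1 is a filesystem root, "/" on a real host; a scratch
# directory with the same layout lets the checks run without root.
current_conntrack_max() { cat "${1%/}/proc/sys/net/netfilter/nf_conntrack_max"; }
current_hashsize()      { cat "${1%/}/sys/module/nf_conntrack/parameters/hashsize"; }

# Succeeds when the live hashsize is at least max/4, fails otherwise.
hashsize_is_adequate() {
    max=$(current_conntrack_max "$1")
    have=$(current_hashsize "$1")
    [ "$have" -ge "$(recommend_hashsize "$max")" ]
}

# Persistent settings: a sysctl drop-in (e.g. /etc/sysctl.d/90-conntrack.conf)
# and a module option (e.g. /etc/modprobe.d/nf_conntrack.conf). hashsize is
# a module parameter, not a sysctl, so it cannot live in sysctl.conf.
render_sysctl_dropin() { printf 'net.netfilter.nf_conntrack_max = %s\n' "$1"; }
render_modprobe_conf()  { printf 'options nf_conntrack hashsize=%s\n' "$1"; }

# Runtime change without a reboot (needs root): set max via sysctl and the
# table size through the module parameter file, as in the reply above.
apply_now() {
    hs=$(recommend_hashsize "$1")
    sysctl -w net.netfilter.nf_conntrack_max="$1"
    echo "$hs" > /sys/module/nf_conntrack/parameters/hashsize
}

# Short report for the given root; says so if conntrack is not loaded.
report() {
    r=${1%/}
    if [ ! -r "$r/proc/sys/net/netfilter/nf_conntrack_max" ] ||
       [ ! -r "$r/sys/module/nf_conntrack/parameters/hashsize" ]; then
        echo "nf_conntrack not loaded"
        return 0
    fi
    max=$(current_conntrack_max "$1")
    echo "nf_conntrack_max: $max  hashsize: $(current_hashsize "$1")  recommended hashsize: $(recommend_hashsize "$max")"
    if hashsize_is_adequate "$1"; then echo "hashsize OK"; else echo "hashsize too small"; fi
}

report /
```

The modprobe.d line only takes effect when nf_conntrack is loaded as a module; if it is built into the kernel, the same parameter goes on the kernel command line as nf_conntrack.hashsize=131072.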
 

NatureNMoon

Restricted
Jul 8, 2016
> echo 131072 > /sys/module/nf_conntrack/parameters/hashsize

If you save the sysctl.conf by using "sysctl -p", it is okay. However, you can also use this command line. Thank you for your interest :) You can also share your conntrack module configuration with us ;)
 

NatureNMoon

Restricted
Jul 8, 2016
> This is not true, there is no sysctl parameter for the hashsize, and "sysctl -p" only _reads_ (and applies) the sysctl.conf; it does not save anything.

I have been using it like this for a long time; there is no problem, and I have a 5m hashsize, working amazingly..
Here is the screenshot below;

As I mentioned above, it works well. As you wish, dear, you can use it however you want; if it is possible, please share your configs with r4p3 members :)
 

fourwind

New Member
Apr 21, 2019
> I have been using it like this for a long time; there is no problem, and I have a 5m hashsize, working amazingly..
> Here is the screenshot below;
> As I mentioned above, it works well. As you wish, dear, you can use it however you want,

So first of all: that's the conntrack_max; we were talking about the hashsize, and that isn't set anywhere in your screenshot.

And well.. you can set the value to whatever you like.. The thing is, whether it works when you actually _use it_ and not just _set it_ is a totally different thing.
I never said that it won't work, it's just unnecessary; you cannot track that many connections on a single CPU. No way ;)

> if it is possible, please share your configs with r4p3 members :)

I did that in the post above; I usually rely on the distro's defaults and tweak the things I need. That differs from use case to use case.
 