Hardened Kernel Variables (/etc/sysctl.conf)

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Protect against SYN flood attacks (SYN cookies plus a bounded backlog)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

# Disables IP source routing
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.eth0.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Modify system limits for Ensim WEBppliance
fs.file-max = 65000

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off tcp_window_scaling (caveat: this caps the TCP window at 64 KiB and hurts throughput on fast or high-latency links)
net.ipv4.tcp_window_scaling = 0

# Turn off tcp_sack (left commented out: SACK needs to stay on for traffic to the Internet)
#net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456

# Increase the maximum total TCP buffer-space allocatable
net.ipv4.tcp_mem = 57344 57344 65536

# Increase the maximum TCP write-buffer-space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288

# Increase the maximum TCP read-buffer space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864

# Increase the maximum and default receive socket buffer size
net.core.rmem_max = 524280
net.core.rmem_default = 524280

# Increase the maximum and default send socket buffer size
net.core.wmem_max = 524280
net.core.wmem_default = 524280

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range (the upper bound must not exceed 65535, the highest valid port; 65536 is rejected by the kernel)
net.ipv4.ip_local_port_range = 16384 65535

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344
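As an added check, not part of the page's configuration, the following POSIX shell script audits a sysctl.conf-style file against the running kernel and reports every key that drifted or does not exist on the host; it normalises whitespace so multi-value keys such as tcp_mem compare correctly. `sysctl_audit`, `sysctl_audit_ok`, the constructed sample file and the simulated `demo_reader` are hypothetical names assumed here.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file against the live kernel.
# Usage: sysctl_audit /etc/sysctl.conf [reader-command]   (default: sysctl -n)

# Collapse runs of whitespace so "57344 57344 65536" in the file compares
# equal to the tab-separated "57344	57344	65536" the kernel prints.
_norm() { printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# Default reader: the live value. Fails for keys this host does not have
# (e.g. net.ipv4.conf.eth0.* on a machine with no interface named eth0).
_live() { sysctl -n "$1" 2>/dev/null; }

# Print one line per key: OK, DRIFT (value differs) or MISSING (no such key).
sysctl_audit() {
    conf=$1; reader=${2:-_live}
    grep -v '^[[:space:]]*[#;]' "$conf" | grep '=' | while IFS= read -r line; do
        key=$(_norm "${line%%=*}"); want=$(_norm "${line#*=}")
        if ! got=$("$reader" "$key"); then
            echo "MISSING $key (want $want)"; continue
        fi
        got=$(_norm "$got")
        if [ "$got" = "$want" ]; then echo "OK      $key = $want"
        else echo "DRIFT   $key want=[$want] got=[$got]"; fi
    done
}

# Exit 0 only when every key in the file matches the host.
sysctl_audit_ok() { ! sysctl_audit "$1" "$2" | grep -qE '^(DRIFT|MISSING)'; }

# Constructed sample (a subset of the hardened file above) for offline use.
sample_conf_file() {
    f=$(mktemp) && printf '%s\n' '# comment' 'kernel.sysrq = 0' \
        'net.ipv4.tcp_syncookies = 1' 'net.ipv4.tcp_mem = 57344 57344 65536' \
        'net.ipv4.conf.eth0.rp_filter = 1' '#net.ipv4.tcp_sack = 0' > "$f" \
        && echo "$f"
}

# Constructed reader simulating a host with a distro-default sysrq bitmask
# of 176 and no eth0 interface, so the audit can be demonstrated anywhere.
demo_reader() {
    case "$1" in
        kernel.sysrq)            echo 176 ;;
        net.ipv4.tcp_syncookies) echo 1 ;;
        net.ipv4.tcp_mem)        printf '57344\t57344\t65536\n' ;;
        *)                       return 1 ;;
    esac
}

f=$(sample_conf_file); sysctl_audit "$f" demo_reader; rm -f "$f"
```

Run against the real file with `sysctl_audit /etc/sysctl.conf` to see which of the hardened values are actually in effect on a host.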

Understanding the SysRq Key – The Magic Key To Control Linux

Linux does crash. It is not frequent, but it happens. You know what to do when an application refuses to obey, but if everything else fails, the last resort is the supreme power on Linux: the magic SysRq key. By pressing this key together with “Alt” and another letter, you can make your computer respond no matter what. It has been mentioned before, but a little explanation does not hurt, and the more you know, the better prepared you will be when facing a real problem. Also, understanding the effect of each individual key is always better than repeating a combination learned by heart.

As said before, the magic key is very handy. But first, you have to enable this functionality if it is not already enabled. To check, use the command

cat /proc/sys/kernel/sysrq

If it returns 1, the Magic Key is fully enabled. If it is 0, you will need to activate it. (Any other value is a bitmask that allows only some of the SysRq functions; many distributions ship such a partial default.) In most cases, if you want to activate it temporarily, you can try the following, bearing in mind that the redirection is performed by your own shell rather than by sudo, so it only succeeds if that shell is already running as root:

sudo echo "1" > /proc/sys/kernel/sysrq

But this did not work for me. So under Archlinux, I used instead:

sudo sysctl kernel.sysrq=1

Note that this will only be temporary. If you want the Magic Key to work after a reboot as well, the best way is to edit the file “/etc/sysctl.conf” so that the line

kernel.sysrq = 0

becomes

kernel.sysrq = 1

The whole point of the Magic SysRq key is to combine it with the “Alt” key and another letter in order to trigger a particular function, even if your computer seems frozen. To begin, you should know that this System Request key usually shares its location with the “Print Scrn” key at the top right of your keyboard, above the “Insert” key and to the left of “Scroll Lock”.

As you can guess, the effect of the combination depends on which letter key is used. Here is a non-exhaustive list of letters you can use to obtain an interesting result.

  • b – reboots the computer immediately, without syncing or unmounting anything
  • e – asks all processes to terminate gracefully (sends SIGTERM)
  • f – gets rid of an Out Of Memory condition by invoking the OOM killer
  • i – kills all processes immediately except init (sends SIGKILL)
  • k – kills absolutely all processes, including X (the Secure Attention Key, which acts on the current virtual console)
  • m – outputs the current memory information
  • o – shuts down the computer
  • r – very useful, takes the keyboard out of raw mode and therefore away from the X server
  • s – syncs data from all mounted file systems (avoids data loss in case of a violent reboot)
  • t – displays a list of the current tasks
  • u – remounts all file systems in read-only mode
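The check described above and the letter list it governs, as an added example that is not part of the original post: a POSIX shell helper that interprets /proc/sys/kernel/sysrq as the bitmask it really is (bit meanings per the kernel's Documentation/admin-guide/sysrq.rst) and tells you which of the letters above a given value permits. `sysrq_bit_for`, `sysrq_allows`, `sysrq_decode` and `sysrq_report` are hypothetical names assumed here.

```shell
#!/bin/sh
# Added example: decode /proc/sys/kernel/sysrq. Per admin-guide/sysrq.rst,
# 0 disables everything, 1 enables everything, other values are a bitmask.

# Bit that governs a SysRq letter from the list above (0 = not mapped here).
sysrq_bit_for() {
    case "$1" in
        b|o)   echo 128 ;;  # reboot / power off
        s)     echo 16  ;;  # sync
        u)     echo 32  ;;  # remount read-only
        e|i|f) echo 64  ;;  # signal processes: term, kill, oom-kill
        r|k)   echo 4   ;;  # keyboard control: unraw, SAK
        m|t)   echo 8   ;;  # debugging dumps (memory, tasks)
        *)     echo 0   ;;
    esac
}

# Exit 0 if letter $1 is permitted under sysrq value $2, 1 otherwise.
sysrq_allows() {
    key=$1; v=$2
    case "$v" in ''|*[!0-9]*) return 1 ;; esac   # not a number: treat as denied
    [ "$v" -eq 0 ] && return 1
    [ "$v" -eq 1 ] && return 0
    bit=$(sysrq_bit_for "$key")
    [ "$bit" -ne 0 ] && [ $((v & bit)) -ne 0 ]
}

# Print the enabled function groups for a value, one per line.
sysrq_decode() {
    v=$1
    case "$v" in ''|*[!0-9]*) echo invalid; return 1 ;; esac
    [ "$v" -eq 0 ] && { echo disabled; return 0; }
    [ "$v" -eq 1 ] && { echo all; return 0; }
    [ $((v & 2))   -ne 0 ] && echo loglevel
    [ $((v & 4))   -ne 0 ] && echo keyboard
    [ $((v & 8))   -ne 0 ] && echo debug-dumps
    [ $((v & 16))  -ne 0 ] && echo sync
    [ $((v & 32))  -ne 0 ] && echo remount-ro
    [ $((v & 64))  -ne 0 ] && echo signal-processes
    [ $((v & 128)) -ne 0 ] && echo reboot-poweroff
    [ $((v & 256)) -ne 0 ] && echo nice-rt-tasks
    return 0
}
# Report the live setting, e.g. "sysrq=176: sync remount-ro reboot-poweroff".
sysrq_report() {
    f=/proc/sys/kernel/sysrq
    [ -r "$f" ] || { echo "no $f on this host"; return 1; }
    v=$(cat "$f"); echo "sysrq=$v: $(sysrq_decode "$v" | tr '\n' ' ')"
}
```

A value such as 176 (a common distribution default) lets “Alt + SysRq + s”, “u” and “b” through but silently ignores “r”, “e” and “i”, which is why a partial “reisub” sequence can appear to do nothing.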

Every Linux user should know these examples. If your X server is frozen and you cannot access any virtual console, using “Alt + SysRq + r” should take the keyboard away from the X server and let you perform “Ctrl + Alt + F1” in order to get to a terminal and kill the appropriate processes.

If you do not have the patience to do that, “Alt + SysRq + k” will kill everything in the same way as “Ctrl + Alt + Backspace” (but more violently).

If nothing responds at all and the only way out is to reboot your computer, the classical combo is “reisub”, as in “Raising Elephant Is So Utterly Boring”, or just remember “busier” spelled backwards. Use each letter of this sequence with the magic key in order to:

  • Take the keyboard from X
  • Ask all programs to end gently
  • Kill the ones that did not
  • Save the data from the cache to the hard drive
  • Remount the file systems read-only
  • Reboot

The idea is that the magic key combinations are generally super violent. You do not want anybody to use them on your computer while you are not looking, which is exactly why the hardened sysctl.conf above sets kernel.sysrq = 0. But as a last resort, it can become the ultimate tool. I rarely encountered a situation where SysRq did not respond. So when your Linux does not obey its master, you know what to do.