Saturday, September 3, 2011

dns tips while configuring

Just sharing some DNS tips to keep in mind while configuring your DNS server.

1. An A record must ALWAYS contain an IP address (it maps a host name to an IP)

Whenever you specify an A record, the right-hand side must be an IP address. The A record is the foundation of DNS: without it, mapping hostnames to IPs would be meaningless. So remember this!

2. A CNAME (alias) must contain a hostname. No IPs here.

3. NS and MX records must contain host names. No IPs allowed.

4. Use the DOT at the end whenever you specify a domain name in the DNS zone file. This DOT is so important that if you forget it you will have nightmares with your DNS configuration.
For example
example.com. IN NS ns1.example.com.

Why the DOT? Simply because it anchors the name at the root (denoted by the dot), so it is treated as fully qualified; a name without the trailing dot is relative, and the zone origin gets appended to it.

5. MX records (for mail servers) must contain hostnames, NOT IPs.

6. Allow port 53 for both UDP and TCP connections
If you use a firewall, make sure you do not block port 53 for DNS TCP and UDP traffic. By default DNS lookups use UDP, while zone transfers and notifications use TCP on port 53 (resolvers also retry over TCP when a UDP answer is too large and comes back truncated).
-Port 53 UDP = DNS requests
-Port 53 TCP = Zone transfers

7. CNAMEs cannot coexist with MX hosts.
Do not point an MX record at a CNAME (alias).

domain.com. IN MX 10 mail.domain.com.
mail IN CNAME domain.com. ----------> WRONG

Instead use an A record to map the mail host directly to its IP address.

mail IN A 11.33.55.77 ---> CORRECT

8. No duplicate MX records
domain.com. IN MX 10 mail.domain.com.
domain.com. IN MX 10 mail.domain.com. ----> DUPLICATE
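As an added example (not part of the original post), here is a small Python checker that applies tips 1 to 8 to a zone file. The sample zone inside it is constructed and breaks several of the tips on purpose; the checker is a hypothetical helper, not a tool the post mentions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone (not from the post); it breaks several of the tips on purpose.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@      IN NS    ns1.example.com.
@      IN NS    192.0.2.53          ; tip 3: NS must name a host, not an IP
@      IN MX 10 mx.example.com.
@      IN MX 10 mx.example.com.     ; tip 8: duplicate MX
@      IN MX 20 mail.example.com.   ; tip 7: MX target is a CNAME
ns1    IN A     192.0.2.1
mx     IN A     192.0.2.25
www    IN A     www.example.com.    ; tip 1: A must carry an IP
mail   IN CNAME @
ftp    IN CNAME www                 ; tip 4: no trailing dot, origin gets appended
ftp    IN A     192.0.2.2           ; tip 7: CNAME cannot sit beside other records
"""


def is_ip(token):
    try:
        ipaddress.ip_address(token)
    except ValueError:
        return False
    return True


def fqdn(name, origin):
    """Tip 4: a name without the trailing dot is relative, so the zone origin is appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner_fqdn, type, rdata_tokens, origin) per record; handles $ORIGIN, TTL and ';' comments."""
    origin, records = ".", []
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        if rest:
            records.append((fqdn(owner, origin), rest[0].upper(), rest[1:], origin))
    return records


def check_zone(text):
    """Return (tip_number, owner, message) findings for the tips listed in this post."""
    records = parse_zone(text)
    types_at = defaultdict(set)
    for owner, rtype, _, _ in records:
        types_at[owner].add(rtype)
    findings, seen_mx = [], set()
    for owner, rtype, rdata, origin in records:
        if rtype == "A":
            if not (rdata and is_ip(rdata[0])):
                findings.append((1, owner, f"A record must contain an IP address, got {rdata[:1]}"))
            continue
        if rtype not in ("CNAME", "NS", "MX") or not rdata:
            continue
        target, tip = rdata[-1], {"CNAME": 2, "NS": 3, "MX": 5}[rtype]
        if is_ip(target):
            findings.append((tip, owner, f"{rtype} record must contain a hostname, not the IP {target}"))
            continue
        if target != "@" and not target.endswith("."):
            findings.append((4, owner, f"{rtype} target '{target}' lacks the trailing dot; it resolves to {fqdn(target, origin)}"))
        target = fqdn(target, origin)
        if rtype == "CNAME" and types_at[owner] != {"CNAME"}:
            findings.append((7, owner, "CNAME cannot coexist with other records at the same name"))
        if rtype == "MX":
            if len(rdata) != 2 or not rdata[0].isdigit():
                findings.append((5, owner, "MX record needs a numeric priority followed by a hostname"))
            if "CNAME" in types_at[target]:
                findings.append((7, owner, f"MX target {target} is a CNAME; give it an A record instead"))
            key = (owner, tuple(rdata))
            if key in seen_mx:
                findings.append((8, owner, f"duplicate MX record '{' '.join(rdata)}'"))
            seen_mx.add(key)
    return findings


if __name__ == "__main__":
    for tip, owner, msg in check_zone(SAMPLE_ZONE):
        print(f"tip {tip}: {owner}: {msg}")
```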

In case if some information provided above is incorrect, please feel free to update me.
Will surely add more tips & tricks in the coming future.

How to prevent DDoS

How to prevent DDoS attacks:-
Implement security features on your server such as:
1) DDoS protection using CSF through "SYNFLOOD".
2) Install Apache modules like mod_dosevasive and mod_security on your server.
3) The best free and open-source solution to protect from DDoS :- http://deflate.medialayer.com/
4) Configure APF and iptables to reduce the DDoS.
===========================================
Description here :-
1.) DDoS protection using CSF through "SYNFLOOD" and connection tracking :- Please modify these options through CSF:

# Enable SYN Flood Protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct --limit rate syntax
SYNFLOOD = Default: 0
SYNFLOOD_RATE = 100/s
SYNFLOOD_BURST = 150
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It's entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be around 300.
#
# To disable this feature, set this to 0
CT_LIMIT = Default: 50 (means 50 connections per ip address)
# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans
CT_INTERVAL = Default: 30
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = Default: 1
# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = Default: 0
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = Default: 1800
# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"
CT_SKIP_TIME_WAIT = Default: 0
# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES =
# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. "80,443"
#
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = 80,443
==================================================== 
2) Install Apache modules like mod_dosevasive and mod_security on your server :-
The mod_evasive and mod_security modules are used to secure the Apache web server from DDoS and brute-force attacks by implementing a web application firewall.
The mod_evasive authoring site (zdziarski.com) states that mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and so on.
*Note: the mod_evasive module has been known to cause problems with FrontPage Server Extensions. If you use FrontPage Server Extensions, you should thoroughly test your mod_evasive installation before deploying a production server.
# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
# tar -xvzf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# /usr/local/apache/bin/apxs -cia mod_evasive.c
# mv mod_evasive.loT mod_evasive.lo
# /usr/local/apache/bin/apxs -cia mod_evasive.c
# httpd -M | grep evasiv
# vi /etc/httpd/conf/httpd.conf (edit httpd.conf with the following details)

DOSHashTableSize   3097
DOSPageCount   2
DOSSiteCount   50
DOSPageInterval   1
DOSSiteInterval   1
DOSBlockingPeriod   600

# cd /usr/local/apache/modules/
Then download mod_evasive20.so from the web, place it in the modules directory and set its permissions to 755.
# /etc/init.d/httpd restart
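Added example, not code from the post or from mod_evasive itself: a Python model of the counting rules behind the DOSPageCount, DOSSiteCount, DOSPageInterval, DOSSiteInterval and DOSBlockingPeriod values above, replayed over a constructed request stream so you can see which requests those thresholds would refuse before tuning them on a live server.

```python
# Thresholds taken from the httpd.conf snippet above.
EVASIVE_CONFIG = {
    "DOSPageCount": 2,         # hits on the same URI per DOSPageInterval before a 403
    "DOSSiteCount": 50,        # hits on any URI per DOSSiteInterval before a 403
    "DOSPageInterval": 1,      # seconds
    "DOSSiteInterval": 1,      # seconds
    "DOSBlockingPeriod": 600,  # seconds a client stays blocked (refreshed on every new hit)
}

# Constructed request stream as (client_ip, uri, unix_time); not real traffic.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "/index.html", 100.0),
    ("198.51.100.3", "/a.html", 100.0),
    ("198.51.100.3", "/b.html", 100.1),     # different pages, far below DOSSiteCount
    ("203.0.113.7", "/index.html", 100.2),
    ("203.0.113.7", "/index.html", 100.4),  # third hit on one page within 1 s -> blocked
    ("203.0.113.7", "/other.html", 100.6),  # still inside DOSBlockingPeriod -> blocked
    ("203.0.113.7", "/index.html", 800.0),  # block has expired -> served again
]


class EvasiveTracker:
    """Per-IP page and site hit counting modelled on mod_evasive's rules."""

    def __init__(self, cfg=EVASIVE_CONFIG):
        self.cfg = cfg
        self.page_hits = {}       # (ip, uri) -> (last_hit_time, count)
        self.site_hits = {}       # ip -> (last_hit_time, count)
        self.blocked_until = {}   # ip -> time the block lapses

    @staticmethod
    def _bump(table, key, now, interval):
        """Count a hit; the counter restarts when the previous hit is older than the interval."""
        last, count = table.get(key, (now, 0))
        count = count + 1 if now - last < interval else 1
        table[key] = (now, count)
        return count

    def request(self, ip, uri, now):
        """Return True when the request should get a 403, False when it is served."""
        if ip in self.blocked_until:
            if now < self.blocked_until[ip]:
                # like mod_evasive, a hit from a blocked client extends its blocking period
                self.blocked_until[ip] = now + self.cfg["DOSBlockingPeriod"]
                return True
            del self.blocked_until[ip]
        page = self._bump(self.page_hits, (ip, uri), now, self.cfg["DOSPageInterval"])
        site = self._bump(self.site_hits, ip, now, self.cfg["DOSSiteInterval"])
        if page > self.cfg["DOSPageCount"] or site > self.cfg["DOSSiteCount"]:
            self.blocked_until[ip] = now + self.cfg["DOSBlockingPeriod"]
            return True
        return False


def blocked_requests(requests, cfg=EVASIVE_CONFIG):
    """Replay a request stream in time order and return the requests that would be refused."""
    tracker = EvasiveTracker(cfg)
    return [(ip, uri, t) for ip, uri, t in sorted(requests, key=lambda r: r[2])
            if tracker.request(ip, uri, t)]


if __name__ == "__main__":
    for ip, uri, t in blocked_requests(SAMPLE_REQUESTS):
        print(f"403 {ip} {uri} at t={t}")
```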
==================================================================================
3) The best free and open-source solution to protect from DDoS :- http://deflate.medialayer.com/ :-
(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It uses the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
IP addresses with more than a pre-configured number of connections are automatically blocked in the server's firewall, which can be direct iptables or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but deflate will work without it.)
Notable Features :-
* It is possible to whitelist IP addresses, via /usr/local/ddos/ignore.ip.list.
* Simple configuration file: /usr/local/ddos/ddos.conf
* IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
* The script can run at a chosen frequency via the configuration file (default: 1 minute)
* You can receive email alerts when IP addresses are blocked.
Installation :-
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
Uninstallation :-
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
===================================================================
4) Configure APF and iptables to reduce the DDoS :-
Ans :- Please install APF/CSF or iptables to reduce the DDoS; a hardware firewall (Cisco Guard) also helps to mitigate DDoS attacks.

Mrtg on Linux

1. Introduction
  

MRTG (Multi Router Traffic Grapher) is an application that lets us observe the traffic of a network. It generates HTML pages with graphs which are refreshed according to our network's current state. Its source is written in Perl and C, which means that it can be installed on any operating system we like. We will also need an SNMP daemon (Simple Network Management Protocol), which provides the information about the network. The following installation was done under Linux, specifically Fedora Core 6. With minor changes it can be used on other distros as well.

2. SNMP server

2.1 Installation
Initially we install the packages needed for SNMP. Yum makes this job a lot easier.

# yum install net-snmp-utils net-snmp

Next we make the snmpd service start automatically for the runlevels we want.

# chkconfig --level 345 snmpd on

And we start the server.

# service snmpd start

We can see that it is listening on port 199 (this is snmpd's SMUX listener on localhost; the SNMP queries themselves arrive on UDP port 161).

# netstat -natv | grep ':199'
tcp        0      0 127.0.0.1:199               0.0.0.0:*                   LISTEN

2.2 Configuration

We run 'snmpwalk', which walks the "tree" of information for our network.

# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.127.0.0.1 = 1
ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.192.168.0.3 = 2

If you see an output like this one you may proceed with the MRTG installation. Otherwise you have to do some configuration first.


We keep a backup of snmpd.conf just in case anything goes wrong  
# cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.original 
 

We open it
 
# nano /etc/snmp/snmpd.conf
 
And make the following changes:
  • we change this line

com2sec notConfigUser  default       public

with these

com2sec local          localhost        public
com2sec mynetwork      10.0.0.0/8       public

where in place of 10.0.0.0/8 we put our own network. The community string (public here) is the only credential SNMP v1/v2c asks for, so replace it with a non-default value, above all for the local read-write group.
  • we change these lines

group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c          notConfigUser

with these

group   MyRWGroup      v1          local
group   MyRWGroup      v2c         local
group   MyRWGroup      usm         local
group   MyROGroup      v1          mynetwork
group   MyROGroup      v2c         mynetwork
group   MyROGroup      usm         mynetwork
  • we change these lines

view    systemview    included   .1.3.6.1.2.1.1
view    systemview    included   .1.3.6.1.2.1.25.1.1

with this one

view    all            included      .1              80

  • we change this line

access  notConfigGroup ""      any       noauth    exact  systemview none none

with these

access MyROGroup ""      any       noauth    exact  all    none   none
access MyRWGroup ""      any       noauth    exact  all    all    none
  • and finally we change these lines

syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root  (configure /etc/snmp/snmp.local.conf)

with something like this

syslocation Linux, Fedora Core 6
syscontact Root root@localhost
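Added example (not from the post): a Python script that reads the com2sec, group and access lines edited above and reports which community strings end up with write access. The snmpd.conf fragment inside it is constructed from the edits above, and the script is a hypothetical audit helper rather than a net-snmp tool.

```python
from collections import defaultdict

# Constructed snmpd.conf fragment reproducing the com2sec/group/access lines set above
# (the edited file is assumed to contain exactly these directives).
SNMPD_CONF = """\
com2sec local          localhost        public
com2sec mynetwork      10.0.0.0/8       public
group   MyRWGroup      v1          local
group   MyRWGroup      v2c         local
group   MyRWGroup      usm         local
group   MyROGroup      v1          mynetwork
group   MyROGroup      v2c         mynetwork
group   MyROGroup      usm         mynetwork
view    all            included      .1              80
access  MyROGroup ""      any       noauth    exact  all    none   none
access  MyRWGroup ""      any       noauth    exact  all    all    none
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_snmpd(text):
    """Collect the three VACM tables: com2sec, group and access (comments and other keywords ignored)."""
    com2sec = defaultdict(list)   # secname -> [(source, community)]
    groups = defaultdict(list)    # groupname -> [(model, secname)]
    access = defaultdict(list)    # groupname -> [(read_view, write_view)]
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        kw = tokens[0].lower()
        if kw == "com2sec" and len(tokens) >= 4:
            com2sec[tokens[1]].append((tokens[2], tokens[3]))
        elif kw == "group" and len(tokens) >= 4:
            groups[tokens[1]].append((tokens[2], tokens[3]))
        elif kw == "access" and len(tokens) >= 9:
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            access[tokens[1]].append((tokens[6], tokens[7]))
    return com2sec, groups, access


def community_write_access(text):
    """Return one dict per (community, source) that may SET objects via SNMPv1/v2c."""
    com2sec, groups, access = parse_snmpd(text)
    rows = []
    for group, views in access.items():
        for _read, write in views:
            if write == "none":
                continue
            for model, secname in groups.get(group, []):
                if model == "usm":          # SNMPv3 users, no community string involved
                    continue
                for source, community in com2sec.get(secname, []):
                    rows.append({"community": community, "source": source, "group": group,
                                 "model": model, "write_view": write,
                                 "default_community": community in DEFAULT_COMMUNITIES})
    return rows


def audit(text):
    """Human-readable findings: write access granted to a well-known default community."""
    return [f"{r['community']}@{r['source']} can write via {r['group']} ({r['model']}, view {r['write_view']})"
            for r in community_write_access(text) if r["default_community"]]


if __name__ == "__main__":
    for line in audit(SNMPD_CONF):
        print(line)
```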
2.3 Check
We restart the server so the changes take effect

# service snmpd restart

And we run again

# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

Now we should see something like this
IP-MIB::ipAdEntIfIndex.10.103.0.33 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
where 10.103.0.33 is your IP address.
 
3. MRTG

3.1 Installation

We again use yum
 
# yum install mrtg
 
3.2 Configuration
We create the folder in which our graphs and html pages will be kept
 
# mkdir /var/www/html/mrtg/
 

And we run 'cfgmaker' to create the configuration file.

# cfgmaker --global "workdir: /var/www/mrtg" --ifref=ip --output /etc/mrtg/mrtg.cfg --global 'options[_]: growright,bits' public@localhost

Here you should pay attention to --output /etc/mrtg/mrtg.cfg as well as to public@localhost. With this command we tell MRTG to create a configuration file named 'mrtg.cfg' for the traffic of our computer (localhost). Instead of localhost you may put the address of any computer you want to monitor, as long as it runs SNMP (public is the community string configured in its snmpd.conf).
Next we create our default index page
 
# indexmaker --output=/var/www/html/mrtg/index.html /etc/mrtg/mrtg.cfg
 

3.2.1 Apache configuration
Next we have to configure Apache for MRTG to work correctly. MRTG creates a file 'mrtg.cfg' under /etc/httpd/conf.d which contains everything Apache needs. We change it to contain the IPs we want to have access to our MRTG graphs. Here I have added my whole network.
Alias /mrtg /var/www/mrtg

<Directory /var/www/mrtg>
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1 10.0.0.0/8
</Directory>
3.3 Check
We run the following command

# mrtg /etc/mrtg/mrtg.cfg

In case you get an error like this

ERROR: Mrtg will most likely not work properly when the environment
      variable LANG is set to UTF-8. Please run mrtg in an environment
      where this is not the case. Try the following command to start:
       env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg

run it with LANG=C as suggested. You have to run the command more than once, until it runs without any error. This is normal.

# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
23-02-2007 17:28:53, Rateup WARNING: /usr/bin/rateup Can't remove localhost_2.old updating log file
# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Finally we open our browser and type
 
http://127.0.0.1/mrtg
 

You should see something like this (screenshot: mrtg1), and by clicking on a graph something like this (screenshot: mrtg2).
 
There are daily, weekly, monthly and yearly graphs which aren't shown in the screenshot. By editing the .cfg file we can alter the information displayed to exactly what we want.
4. Outroduction
In the same way it is possible to add as many computers as we want and so get a general overview of our network. Enjoy! ;)


HA on RHEL5

Heartbeat is High Availability cluster software for the Linux platform. Here we will discuss how to
install and configure heartbeat-3.0.3 on Red Hat Enterprise Linux. In this example we will configure
a web server using Apache and cluster it. It can be implemented on CentOS, Fedora and other Red Hat flavors.

Heartbeat Version is : heartbeat-3.0.3

Requirements:

2 linux nodes, rhel5.4.
Node1: 192.168.0.33 hb_test1.lap.work
Node2: 192.168.0.34 hb_test2.lap.work
LAN & Internet connection.
A yum server.

Initial Steps:

Set the fully qualified hostnames and give corresponding entries in /etc/hosts and
/etc/network/network.

Configuring Apache:

#yum install httpd*

On node1

#vi /var/www/html/index.html
This is node 1 of Heartbeat HA cluster

On node2
 
#vi /var/www/html/index.html
This is node 2 of Heartbeat HA cluster

On both nodes:

#vi /etc/httpd/conf/httpd.conf
Listen 192.168.0.222:80

Now start the service in both nodes.

#service httpd start                                # it won't work until heartbeat is started, so don't worry

#chkconfig httpd on
Confirm them from a browser.

Install the following packages in both nodes:

#yum install glibc*
#yum install gcc*
#yum install lib*
#yum install flex*
#yum install net-snmp*
#yum install OpenIPMI*
#yum install python-devel
#yum install perl*
#yum install openhpi*

Save the repo file for clusterlabs online repository in both machines:

It is available at http://www.clusterlabs.org/rpm/epel-5/clusterlabs.repo

and looks like this:

[clusterlabs]
name=High Availability/Clustering server technologies (epel-5)
baseurl=http://www.clusterlabs.org/rpm/epel-5
type=rpm-md
gpgcheck=0
enabled=1

After that install heartbeat packages on both nodes:

#yum install cluster-glue*

Four packages will be installed

cluster-glue
cluster-glue-libs
cluster-glue-libs-devel
cluster-glue-debuginfo

#yum install heartbeat*

Five packages will be installed including one dependency

heartbeat.i386 0:3.0.3-2.el5
heartbeat-debuginfo.i386 0:3.0.3-2.el5
heartbeat-devel.i386 0:3.0.3-2.el5
heartbeat-libs.i386 0:3.0.3-2.el5

Dependency:

resource-agents.i386 0:1.0.3-2.el5

#yum install resource-agents*

One package will be installed

resource-agents-debuginfo.i386 0:1.0.3-2.el5

Setting Configuration files:

We can do all configuration in one system and copy the /etc/ha.d to the second node.

#cd /etc/ha.d
#cat README.config

The details about configuration files are explained in this file. We have to copy three
configuration files to this directory from samples in documentation.

[root@hb_test1 ha.d]# cp /usr/share/doc/heartbeat-3.0.3/authkeys /etc/ha.d/
[root@hb_test1 ha.d]# cp /usr/share/doc/heartbeat-3.0.3/ha.cf /etc/ha.d/
[root@hb_test1 ha.d]# cp /usr/share/doc/heartbeat-3.0.3/haresources /etc/ha.d/

We have to edit the authkeys file:

We are using sha1 algorithm:

#vi authkeys
edit as follows
auth 2
#1 crc
2 sha1 test-ha
#3 md5 Hello!

And change the permission of authkeys to 600
#chmod 600 authkeys

We have to edit the ha.cf file:

#vi ha.cf
uncomment following lines and make edits

logfile /var/log/ha-log
logfacility local0
keepalive 2
deadtime 15
warntime 10
initdead 120
udpport 694
bcast eth0
auto_failback on
node hb_test1.lap.work # on both nodes the command 'uname -n' must
node hb_test2.lap.work # print exactly these hostnames
We have to edit the haresources file:

#vi haresources

hb_test2.lap.work 192.168.0.222 httpd

NOTE: You don't have to create an interface, set this IP or make an IP alias. Heartbeat
will take care of it automatically.


Now exchange and save authorized keys between node1 and node2.

Key exchange:

On node1:

Generate the key:

[root@hb_test1 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
9f:5d:47:6b:2a:2e:c8:3e:ee:8a:c2:28:5c:ad:57:79 root@hb_test1.lap.work

Pass the key to node2 (note that this replaces any authorized_keys already present on node2):
[root@hb_test1 ~]# scp .ssh/id_dsa.pub hb_test2.lap.work:/root/.ssh/authorized_keys

On node2:

Generate the key:

[root@hb_test2 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
40:66:t8:bd:ac:bf:68:38:22:60:d8:9f:18:7d:94:21 root@hb_test2.lap.work

Pass the key to node1:
[root@hb_test2 ~]# scp .ssh/id_dsa.pub hb_test1.lap.work:/root/.ssh/authorized_keys

Now copy the /etc/ha.d of node1 to node2:
[root@hb_test1 ~]# scp -r /etc/ha.d hb_test2.lap.work:/etc/

Starting the service:

On both nodes:

#/etc/init.d/heartbeat start

You may have to restart the heartbeat service a few times. Check ifconfig on one node: you will
see an interface eth0:1 up with IP 192.168.0.222. On that node httpd is running, and on the other
node it is stopped. When the running node fails, the other one takes over.

Disabling USB drive

Disabling the USB drive (thumb drive) is considered a very good security option to implement on a server, as it prevents data theft by non-legitimate users.

Here are couple of ways in which you can disable USB drive.

METHOD #1 - By editing /boot/grub/grub.conf
Just add "nousb" at the end of the kernel line in /boot/grub/grub.conf and then reboot your machine.

METHOD #2 - Removing the driver from default location.

ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root

In this method the usb-storage.ko driver (module) is moved from its default location to some other place (/root in this case), so it can no longer be loaded.

METHOD #3 - Using BLACKLIST option.

Remove the module if it is already loaded:
modprobe -r usb_storage
Put the name of the usb_storage module in the blacklist by appending this line to /etc/modprobe.d/blacklist:
blacklist usb_storage

Now if you try to plug-in the USB it will not be detected by the system. 

Fail2ban Installation guide :Prevent automated SSH attacks

##Manual Installation

# Download Fail2ban from http://www.fail2ban.org/wiki/index.php/Downloads

cd /tmp
wget http://nchc.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.3.tar.bz2

tar jxvf fail2ban-0.8.3.tar.bz2
rm -rf /tmp/fail2ban-0.8.3.tar.bz2
cd fail2ban-0.8.3

./setup.py install

cd /tmp/fail2ban-0.8.3/files

cp -a redhat-initd /etc/init.d/fail2ban

cd /etc/init.d/

chown root.root fail2ban

chmod 755 fail2ban

/sbin/chkconfig --add fail2ban

/sbin/chkconfig fail2ban on

cd /etc/fail2ban

cp -a jail.conf jail.conf.orig

vi /etc/fail2ban/jail.conf

Edit the values as follows
##########
# Put a space-separated list of IPs you want to ignore
ignoreip = x.x.x.x

[ssh-iptables]

#enabled = false
enabled = true
filter = sshd
#action = iptables[name=SSH, port=ssh, protocol=tcp]
#         sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=admin@yourdomain.com, sender=fail2ban@mail.com]
#logpath = /var/log/sshd.log
logpath = /var/log/secure
#maxretry = 5
maxretry = 3

############
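Added example, not part of the post or of fail2ban: a Python replay of the ssh-iptables jail logic (maxretry 3 as set above; findtime and bantime at fail2ban's 600 s defaults; ignoreip as constructed placeholder networks standing in for the x.x.x.x above) over a constructed /var/log/secure excerpt. It shows which addresses the jail would ban and why the ignore list and the findtime window matter.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail settings: maxretry as set above; findtime and bantime are fail2ban's defaults (600 s);
# the ignoreip networks are constructed placeholders standing in for the "x.x.x.x" in jail.conf.
JAIL = {"maxretry": 3, "findtime": 600, "bantime": 600,
        "ignoreip": ["127.0.0.1/8", "10.0.0.0/8"]}

# Constructed /var/log/secure excerpt (syslog format, no year); not a real log.
SAMPLE_SECURE_LOG = """\
Sep  3 10:15:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Sep  3 10:15:03 host sshd[2101]: Failed password for root from 203.0.113.9 port 51234 ssh2
Sep  3 10:15:05 host sshd[2105]: Failed password for root from 203.0.113.9 port 51240 ssh2
Sep  3 10:15:06 host sshd[2109]: Failed password for root from 198.51.100.4 port 40001 ssh2
Sep  3 10:15:07 host sshd[2110]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
Sep  3 10:16:00 host sshd[2111]: Failed password for root from 10.1.2.3 port 40100 ssh2
Sep  3 10:16:01 host sshd[2112]: Failed password for root from 10.1.2.3 port 40101 ssh2
Sep  3 10:16:02 host sshd[2113]: Failed password for root from 10.1.2.3 port 40102 ssh2
Sep  3 10:20:00 host sshd[2114]: Failed password for root from 192.0.2.10 port 50000 ssh2
Sep  3 10:40:00 host sshd[2115]: Failed password for root from 192.0.2.10 port 50001 ssh2
Sep  3 11:00:00 host sshd[2116]: Failed password for root from 192.0.2.10 port 50002 ssh2
"""

# Simplified version of the sshd filter's failregex: syslog timestamp, then the failed-login line.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for .* from (?P<host>\d+\.\d+\.\d+\.\d+)")


def parse_ts(text, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def is_ignored(host, ignoreip):
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def find_bans(lines, jail=JAIL, year=2011):
    """Replay log lines through the jail rules; return [(host, time_of_ban), ...]."""
    failures = defaultdict(list)   # host -> timestamps of failures still inside findtime
    banned_until = {}
    bans = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        host, ts = m["host"], parse_ts(m["ts"], year)
        # ignored sources never count; an already banned host is not counted again either
        if is_ignored(host, jail["ignoreip"]) or ts < banned_until.get(host, ts):
            continue
        recent = [t for t in failures[host] if (ts - t).total_seconds() <= jail["findtime"]]
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= jail["maxretry"]:
            bans.append((host, ts))
            banned_until[host] = ts + timedelta(seconds=jail["bantime"])
            failures[host] = []
    return bans


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_SECURE_LOG.splitlines()):
        print(f"ban {host} at {when:%Y-%m-%d %H:%M:%S}")
```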

Edit the Shorewall configuration (if you are using one) as follows:

vi /etc/shorewall/shorewall.conf
#########
#BLACKLISTNEWONLY=Yes
BLACKLISTNEWONLY=No
##########

cd /etc/fail2ban

chown root.root fail2ban.conf
chmod 644 fail2ban.conf

# Log rotation of Fail2ban Logs

cd /etc/logrotate.d

vi fail2ban

###
/var/log/fail2ban.log {
missingok
notifempty
copytruncate
}
###

chown root.root fail2ban
chmod 644 fail2ban

/etc/rc.d/init.d/fail2ban start

# Check fail2ban.log for any errors

tail -f /var/log/fail2ban.log

rm -rf /tmp/fail2ban-0.8.3

Reference: http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

Net cat tricks

Few Useful Netcat Tricks

I always say that small, simple and self-contained tools can often be more useful, and more feature rich, than huge bloated frameworks. For example, let's take the legendary "Swiss Army Knife of Networking" - netcat. It is a single binary, which takes up about 60KB of space on your disk (give or take a few KB depending on where and how you compile it). What can it do?


Port Scanner
Netcat can be a port scanner. It does not have as many features as say nmap, but if you just want to see what ports are open on a given machine, you can simply do:

nc -v -w 1 localhost -z 1-3000

The command above will scan all the ports in the range 1-3000 on localhost.


Chat Server

Have you ever needed an improvised one-on-one chat? Netcat can do that too. You simply start listening for connections on some port like this:

nc -lp 1337

Then on another machine simply connect to that port:

nc 10.48.2.40 1337

Now start typing on either machine. When you press enter, the line will immediately show up on the other machine.
Telnet Server

Netcat can also be used to set up a telnet server in a matter of seconds. You can specify the shell (or for that matter any executable) you want netcat to run on a successful connection with the -e parameter:
nc -lp 1337 -e /bin/bash
On windows you can use:
nc -lp 1337 -e cmd.exe
Then on a client machine simply connect to port 1337 and you will get full access to the shell, with the permissions of the user who ran nc on the server.
Spoofing HTTP Headers
You can use netcat to connect to a server using completely spoofed headers. You can actually type out your user agent, referrer and so on. It's useful when you want to generate a bunch of hits that can be easily found in the logs or something like that:
nc google.com 80
GET / HTTP/1.1
Host: google.com
User-Agent: NOT-YOUR-BUSINESS
Referrer: YOUR-MOM.COM
Note that your request won't be sent until you generate a blank line. So hit return twice when you are done typing. You will get a response of headers and HTML streaming down your screen:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=79f8f28c854d90ec:TM=1186369443:LM=1186369443:S=UIiTvi68MtmbcmGl; expires=Sun, 1-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Server: GWS/2.1
Transfer-Encoding: chunked
Date: Mon, 06 Aug 2007 03:04:03 GMT
738
I deleted the HTML that followed the response - but you get the idea. It is also a good way of looking at headers. Some sites have nice surprises there (like slashdot's X-Bender and X-Fry headers). Seriously, check them out!

Web Server

I think this is my favorite trick. Did you ever need to set up simple makeshift webserver that would serve a single page? I know I did. In the past when my web server at work melted down, I set up laptop with this simple script:
while true; do nc -l -p 80 -q 1 < error.html; done
The error.html page was just a very simple error message notifying our users about the outage, and giving them an estimate of when it would be fixed. It took me 3 minutes to set up, and probably saved us many angry support calls.

Cloning Hard Drive Partitions Over the Network
This trick was submitted by Craig in the comments. On a system you want to clone do:
dd if=/dev/sda | nc 192.168.0.1 9000
Where 9000 is some random port. On the receiving side do:
nc -l -p 9000 | dd of=/dev/sda
Of course you need to have the cloned partitions unmounted on both systems. So if you are cloning / you will have to boot from a live distro like Knoppix. Note that you can use this technique to clone NTFS partitions as well - just need to use a live Linux distro on both sides. 

Howto install GlusterFS on Centos/RHEL

1. Introduction
GlusterFS is a clustered file system capable of scaling to several petabytes. It aggregates various storage
bricks over Infiniband RDMA or TCP/IP interconnect into one large parallel network file system. Storage
bricks can be made of any commodity hardware such as an x86-64 server with SATA-II RAID and an
Infiniband HBA.
2. Installation
First you need to install some software :
yum install make gcc gcc-c++
yum install flex bison byacc
We need to do a dirty trick to get the package fuse-sshfs :
vi /etc/yum.repos.d/CentOS-Base.repo
and add this at the end of the file :
[extras_fedora]
name=Fedora Core 6 Extras
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=extras-6&arch=$basearch
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras
gpgcheck=0
Next do :
yum install fuse-sshfs --enablerepo=extras_fedora
Now we will install GlusterFS :
Get the exact same version, otherwise there is a good chance it won't work. I tried with 2.0.0rc1 and 1.3.12
and there were some issues.
cd /root/
wget http://ftp.gluster.com/pub/gluster/glusterfs/2.0/LATEST/glusterfs-2.0.0rc2.tar.gz
tar -zxvf glusterfs-2.0.0rc2.tar.gz
cd /root/glusterfs-2.0.0rc2/
Take a minute break and compile :
./configure
make && make install
For some reason the libraries end up in the wrong directory, so we need to do this (if someone has a clean fix for
this please post it!) :
cp -R /usr/local/lib/* /usr/lib/
Now we create some folders that will be used later on :
mkdir /mnt/glusterfs
mkdir /data/
mkdir /data/export
mkdir /data/export-ns
mkdir /etc/glusterfs/
The fun begins on the next page :)

3. Servers configuration
Before you go further, you need to know that GlusterFS works in a client/server way. What we will do is
to make our servers both client and server for GlusterFS.
Lets start with the server configuration file ON ALL SERVERS:
vi /etc/glusterfs/glusterfs-server.vol
and make it look like this :
# file: /etc/glusterfs/glusterfs-server.vol

volume posix
  type storage/posix
  option directory /data/export
end-volume

volume locks
  type features/locks
  subvolumes posix
end-volume

volume brick
  type performance/io-threads
  option thread-count 8
  subvolumes locks
end-volume

volume posix-ns
  type storage/posix
  option directory /data/export-ns
end-volume

volume locks-ns
  type features/locks
  subvolumes posix-ns
end-volume

volume brick-ns
  type performance/io-threads
  option thread-count 8
  subvolumes locks-ns
end-volume

volume server
  type protocol/server
  option transport-type tcp
  option auth.addr.brick.allow *
  option auth.addr.brick-ns.allow *
  subvolumes brick brick-ns
end-volume
Now do :
glusterfsd -f /etc/glusterfs/glusterfs-server.vol
to start the server daemon. Note that auth.addr.brick.allow * (and the brick-ns line) lets any address attach to the bricks; unless the interconnect is an isolated network, list the cluster members' addresses there instead of *.

4. Clients configuration
In these example files, I will use the following hosts :
server1 : 192.168.0.1
server2 : 192.168.0.2
server3 : 192.168.0.3
server4 : 192.168.0.4
[...]
Now we edit the client configuration file ON ALL SERVERS (because servers are client as well in this
howto):
vi /etc/glusterfs/glusterfs-client.vol
Configuration for 2 servers:
### Add client feature and attach to remote subvolume of server1
volume brick1
 type protocol/client
 option transport-type tcp/client
 option remote-host 192.168.0.1                      # IP address of the remote brick
 option remote-subvolume brick                           # name of the remote volume
end-volume

### Add client feature and attach to remote subvolume of server2
volume brick2
 type protocol/client
 option transport-type tcp/client
 option remote-host 192.168.0.2                         # IP address of the remote brick
 option remote-subvolume brick                           # name of the remote volume
end-volume

### The file index on server1
volume brick1-ns
 type protocol/client
 option transport-type tcp/client
 option remote-host 192.168.0.1    # IP address of the remote brick
 option remote-subvolume brick-ns        # name of the remote volume
end-volume

### The file index on server2
volume brick2-ns
 type protocol/client
 option transport-type tcp/client
 option remote-host 192.168.0.2      # IP address of the remote brick
 option remote-subvolume brick-ns        # name of the remote volume
end-volume

#The replicated volume with data
volume afr1
 type cluster/afr
 subvolumes brick1 brick2
end-volume

#The replicated volume with indexes
volume afr-ns
 type cluster/afr
 subvolumes brick1-ns brick2-ns
end-volume

#The unification of all afr volumes (used for > 2 servers)
volume unify
  type cluster/unify
  option scheduler rr # round robin
  option namespace afr-ns
  subvolumes afr1
end-volume
Configuration for 4 servers:
### Add client feature and attach to remote subvolume of server1
volume brick1
 type protocol/client
 option transport-type tcp/client
 option remote-host 192.168.0.1    # IP address of the remote brick
 option remote-subvolume brick        # name of the remote volume
end-volume

### Add client feature and attach to remote subvolume of server2
volume brick2
 type protocol/client
 option transport-type tcp/client
 option remote-host 192.168.0.2      # IP address of the remote brick
 option remote-subvolume brick        # name of the remote volume
end-volume

### Add client feature and attach to remote subvolume of server3
volume brick3
 type protocol/client
 option transport-type tcp/client
 option remote-host 192.168.0.3                 # IP address of the remote brick
 option remote-subvolume brick                   # name of the remote volume
end-volume

### Add client feature and attach to remote subvolume of server4
volume brick4
 type protocol/client
 option transport-type tcp/client
 option remote-host 192.168.0.4                 # IP address of the remote brick
 option remote-subvolume brick                   # name of the remote volume
end-volume

### Add client feature and attach to remote subvolume (file index) of server1
volume brick1-ns
 type protocol/client
 option transport-type tcp/client
 option remote-host 192.168.0.1              #  IP address of the remote brick
 option remote-subvolume brick-ns                   # name of the remote volume
end-volume

### Add client feature and attach to remote subvolume (file index) of server2
volume brick2-ns
 type protocol/client
 option transport-type tcp/client
 option remote-host 192.168.0.2                 # IP address of the remote brick
 option remote-subvolume brick-ns                   # name of the remote volume
end-volume

volume afr1
 type cluster/afr
 subvolumes brick1 brick4
end-volume

volume afr2
 type cluster/afr
 subvolumes brick2 brick3
end-volume

volume afr-ns
 type cluster/afr
 subvolumes brick1-ns brick2-ns
end-volume

volume unify
  type cluster/unify
  option scheduler rr # round robin
  option namespace afr-ns
  subvolumes afr1 afr2
end-volume
And so on. For configurations with more than 4 servers, simply add brick volumes two by two, replicate each pair with its own afr volume,
and don't forget to list those afr volumes in the "unify" volume.
Now mount GlusterFS on all servers in the cluster:
glusterfs -f /etc/glusterfs/glusterfs-client.vol /mnt/glusterfs
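The "two by two" rule above is mechanical enough to script. The following POSIX shell generator is an added example, not code from the original howto: it writes a glusterfs-client.vol for any even number of servers, following the structure of the 4-server file above. It assumes server i is reachable at 192.168.0.i (override with the second argument), that every server exports volumes named "brick" and "brick-ns" as in the server configuration, and it pairs consecutive servers (1,2), (3,4), ... rather than the (1,4), (2,3) pairing of the example; any pairing works as long as each brick sits in exactly one afr volume.

```shell
#!/bin/sh
# Added example (not part of the original howto): generate glusterfs-client.vol
# for an even number of servers. Assumptions: server i has IP ${NET}.${i}
# (NET defaults to 192.168.0) and exports "brick" and "brick-ns".

client_volume() {   # $1=volume name  $2=remote host  $3=remote subvolume
    printf 'volume %s\n type protocol/client\n option transport-type tcp/client\n' "$1"
    printf ' option remote-host %s\n option remote-subvolume %s\nend-volume\n\n' "$2" "$3"
}

afr_volume() {      # $1=volume name  $2...=subvolumes to replicate
    name=$1; shift
    printf 'volume %s\n type cluster/afr\n subvolumes %s\nend-volume\n\n' "$name" "$*"
}

gen_client_vol() {  # $1=number of servers (even, >= 2)  [$2=network prefix]
    n=$1; net=${2:-192.168.0}
    if [ "$n" -lt 2 ] || [ $((n % 2)) -ne 0 ]; then
        echo "gen_client_vol: need an even number of servers (>= 2)" >&2
        return 1
    fi
    # one protocol/client volume per server
    i=1
    while [ "$i" -le "$n" ]; do
        client_volume "brick$i" "$net.$i" brick
        i=$((i + 1))
    done
    # the namespace cache is replicated on the first two servers only
    client_volume brick1-ns "$net.1" brick-ns
    client_volume brick2-ns "$net.2" brick-ns
    # pair consecutive bricks: (1,2) (3,4) ... each brick in exactly one afr
    afrs=""; i=1; p=1
    while [ "$i" -le "$n" ]; do
        afr_volume "afr$p" "brick$i" "brick$((i + 1))"
        afrs="$afrs afr$p"
        i=$((i + 2)); p=$((p + 1))
    done
    afr_volume afr-ns brick1-ns brick2-ns
    # unify all replicated pairs with round-robin scheduling
    printf 'volume unify\n  type cluster/unify\n  option scheduler rr # round robin\n'
    printf '  option namespace afr-ns\n  subvolumes%s\nend-volume\n' "$afrs"
}

# usage: gen_client_vol 6 > /etc/glusterfs/glusterfs-client.vol
```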
---------------------------------------------------------------------------------------
5. Testing
Once you have mounted GlusterFS on /mnt/glusterfs you can start copying files and see what is happening.
Below are my tests on 4 servers. Everything works as it should: files in /data/export only show up on 2 out of
4 servers, and everything is there under /mnt/glusterfs and /data/export-ns:
server 1 (ls -la /data/export)
-rwxrwxrwx 1 marc marc 215663 2007-09-14 14:14 6-instructions2.pdf
-rwxrwxrwx 1 marc marc   2256 2008-12-18 11:54 budget.ods
-rwxr--r-- 1 marc marc  21281 2009-02-18 16:45 cv_nouveau.docx
-rwxrwxrwx 1 marc marc  13308 2009-01-26 10:49 cv.pdf
-rwxrwxrwx 1 marc marc 196375 2008-04-02 18:48 odometre.pdf
-rwxrwxrwx 1 marc marc   5632 2008-05-23 19:42 Thumbs.db

server 4 (ls -la /data/export)
-rwxrwxrwx 1 marc marc 215663 2007-09-14 14:14 6-instructions2.pdf
-rwxrwxrwx 1 marc marc   2256 2008-12-18 11:54 budget.ods
-rwxr--r-- 1 marc marc  21281 2009-02-18 16:45 cv_nouveau.docx
-rwxrwxrwx 1 marc marc  13308 2009-01-26 10:49 cv.pdf
-rwxrwxrwx 1 marc marc 196375 2008-04-02 18:48 odometre.pdf
-rwxrwxrwx 1 marc marc   5632 2008-05-23 19:42 Thumbs.db

server 2 (ls -la /data/export)
-rwxr--r-- 1 marc marc 135793 2009-02-02 15:26 bookmarks.html
-rwxrwxrwx 1 marc marc 112640 2008-11-17 21:41 cv.doc
-rwxrwxrwx 1 marc marc  13546 2007-09-11 15:43 cv.odt
-rwxrwxrwx 1 marc marc  25088 2006-07-03 17:07 menulaurentien.doc
-rwxr--r-- 1 marc marc  33734 2009-02-06 12:58 opera6.htm

server 3 (ls -la /data/export)
-rwxr--r-- 1 marc marc 135793 2009-02-02 15:26 bookmarks.html
-rwxrwxrwx 1 marc marc 112640 2008-11-17 21:41 cv.doc
-rwxrwxrwx 1 marc marc  13546 2007-09-11 15:43 cv.odt
-rwxrwxrwx 1 marc marc  25088 2006-07-03 17:07 menulaurentien.doc
-rwxr--r-- 1 marc marc  33734 2009-02-06 12:58 opera6.htm

server x (ls -la /mnt/glusterfs)
-rwxrwxrwx 1 marc marc 215663 2007-09-14 14:14 6-instructions2.pdf
-rwxr--r-- 1 marc marc 135793 2009-02-02 15:26 bookmarks.html
-rwxrwxrwx 1 marc marc   2256 2008-12-18 11:54 budget.ods
-rwxrwxrwx 1 marc marc 112640 2008-11-17 21:41 cv.doc
-rwxr--r-- 1 marc marc  21281 2009-02-18 16:45 cv_nouveau.docx
-rwxrwxrwx 1 marc marc  13546 2007-09-11 15:43 cv.odt
-rwxrwxrwx 1 marc marc  13308 2009-01-26 10:49 cv.pdf
-rwxrwxrwx 1 marc marc  25088 2006-07-03 17:07 menulaurentien.doc
-rwxrwxrwx 1 marc marc 196375 2008-04-02 18:48 odometre.pdf
-rwxr--r-- 1 marc marc  33734 2009-02-06 12:58 opera6.htm
-rwxrwxrwx 1 marc marc   5632 2008-05-23 19:42 Thumbs.db

server 1 (ls -la /data/export-ns)
-rwxrwxrwx 1 marc marc 0 2007-09-14 14:14 6-instructions2.pdf
-rwxr--r-- 1 marc marc 0 2009-02-02 15:26 bookmarks.html
-rwxrwxrwx 1 marc marc 0 2008-12-18 11:54 budget.ods
-rwxrwxrwx 1 marc marc 0 2008-11-17 21:41 cv.doc
-rwxr--r-- 1 marc marc 0 2009-02-18 16:45 cv_nouveau.docx
-rwxrwxrwx 1 marc marc 0 2007-09-11 15:43 cv.odt
-rwxrwxrwx 1 marc marc 0 2009-01-26 10:49 cv.pdf
-rwxrwxrwx 1 marc marc 0 2006-07-03 17:07 menulaurentien.doc
-rwxrwxrwx 1 marc marc 0 2008-04-02 18:48 odometre.pdf
-rwxr--r-- 1 marc marc 0 2009-02-06 12:58 opera6.htm
-rwxrwxrwx 1 marc marc 0 2008-05-23 19:42 Thumbs.db

server 2 (ls -la /data/export-ns)
-rwxrwxrwx 1 marc marc 0 2007-09-14 14:14 6-instructions2.pdf
-rwxr--r-- 1 marc marc 0 2009-02-02 15:26 bookmarks.html
-rwxrwxrwx 1 marc marc 0 2008-12-18 11:54 budget.ods
-rwxrwxrwx 1 marc marc 0 2008-11-17 21:41 cv.doc
-rwxr--r-- 1 marc marc 0 2009-02-18 16:45 cv_nouveau.docx
-rwxrwxrwx 1 marc marc 0 2007-09-11 15:43 cv.odt
-rwxrwxrwx 1 marc marc 0 2009-01-26 10:49 cv.pdf
-rwxrwxrwx 1 marc marc 0 2006-07-03 17:07 menulaurentien.doc
-rwxrwxrwx 1 marc marc 0 2008-04-02 18:48 odometre.pdf
-rwxr--r-- 1 marc marc 0 2009-02-06 12:58 opera6.htm
-rwxrwxrwx 1 marc marc 0 2008-05-23 19:42 Thumbs.db
Now let's say we want to test how redundant the setup is. Let's reboot server1 and create new files while it is
down:
> /mnt/glusterfs/testfile
> /mnt/glusterfs/testfile2
> /mnt/glusterfs/testfile3
> /mnt/glusterfs/testfile4
Once server1 is back, let's check file consistency:
server 1 (ls -la /data/export)
-rwxrwxrwx 1 marc marc 215663 2007-09-14 14:14 6-instructions2.pdf
-rwxrwxrwx 1 marc marc   2256 2008-12-18 11:54 budget.ods
-rwxr--r-- 1 marc marc  21281 2009-02-18 16:45 cv_nouveau.docx
-rwxrwxrwx 1 marc marc  13308 2009-01-26 10:49 cv.pdf
-rwxrwxrwx 1 marc marc 196375 2008-04-02 18:48 odometre.pdf
-rwxrwxrwx 1 marc marc   5632 2008-05-23 19:42 Thumbs.db

server 4 (ls -la /data/export)
-rwxrwxrwx 1 marc marc 215663 2007-09-14 14:14 6-instructions2.pdf
-rwxrwxrwx 1 marc marc   2256 2008-12-18 11:54 budget.ods
-rwxr--r-- 1 marc marc  21281 2009-02-18 16:45 cv_nouveau.docx
-rwxrwxrwx 1 marc marc  13308 2009-01-26 10:49 cv.pdf
-rwxrwxrwx 1 marc marc 196375 2008-04-02 18:48 odometre.pdf
-rw-r--r-- 1 root root      0 2009-02-19 11:32 testfile
-rw-r--r-- 1 root root      0 2009-02-19 11:32 testfile3
-rwxrwxrwx 1 marc marc   5632 2008-05-23 19:42 Thumbs.db

server 1 (ls -la /data/export-ns)
-rwxrwxrwx 1 marc marc 0 2007-09-14 14:14 6-instructions2.pdf
-rwxr--r-- 1 marc marc 0 2009-02-02 15:26 bookmarks.html
-rwxrwxrwx 1 marc marc 0 2008-12-18 11:54 budget.ods
-rwxrwxrwx 1 marc marc 0 2008-11-17 21:41 cv.doc
-rwxr--r-- 1 marc marc 0 2009-02-18 16:45 cv_nouveau.docx
-rwxrwxrwx 1 marc marc 0 2007-09-11 15:43 cv.odt
-rwxrwxrwx 1 marc marc 0 2009-01-26 10:49 cv.pdf
-rwxrwxrwx 1 marc marc 0 2006-07-03 17:07 menulaurentien.doc
-rwxrwxrwx 1 marc marc 0 2008-04-02 18:48 odometre.pdf
-rwxr--r-- 1 marc marc 0 2009-02-06 12:58 opera6.htm
-rwxrwxrwx 1 marc marc 0 2008-05-23 19:42 Thumbs.db
Oops, we have an inconsistency here. To fix that, the gluster documentation says the missing files have to be read.
So let's run this simple command to read all files:
ls -lR /mnt/glusterfs/
Now, let's check what we have on server1:
server1 (ls -la /data/export)
-rwxrwxrwx 1 marc marc 215663 2007-09-14 14:14 6-instructions2.pdf
-rwxrwxrwx 1 marc marc   2256 2008-12-18 11:54 budget.ods
-rwxr--r-- 1 marc marc  21281 2009-02-18 16:45 cv_nouveau.docx
-rwxrwxrwx 1 marc marc  13308 2009-01-26 10:49 cv.pdf
-rwxrwxrwx 1 marc marc 196375 2008-04-02 18:48 odometre.pdf
-rw-r--r-- 1 root root      0 2009-02-19 11:32 testfile
-rw-r--r-- 1 root root      0 2009-02-19 11:32 testfile3
-rwxrwxrwx 1 marc marc   5632 2008-05-23 19:42 Thumbs.db

server1 (ls -la /data/export-ns)
-rwxrwxrwx 1 marc marc 0 2007-09-14 14:14 6-instructions2.pdf
-rwxr--r-- 1 marc marc 0 2009-02-02 15:26 bookmarks.html
-rwxrwxrwx 1 marc marc 0 2008-12-18 11:54 budget.ods
-rwxrwxrwx 1 marc marc 0 2008-11-17 21:41 cv.doc
-rwxr--r-- 1 marc marc 0 2009-02-18 16:45 cv_nouveau.docx
-rwxrwxrwx 1 marc marc 0 2007-09-11 15:43 cv.odt
-rwxrwxrwx 1 marc marc 0 2009-01-26 10:49 cv.pdf
-rwxrwxrwx 1 marc marc 0 2006-07-03 17:07 menulaurentien.doc
-rwxrwxrwx 1 marc marc 0 2008-04-02 18:48 odometre.pdf
-rwxr--r-- 1 marc marc 0 2009-02-06 12:58 opera6.htm
-rw-r--r-- 1 root root 0 2009-02-19 11:29 testfile
-rw-r--r-- 1 root root 0 2009-02-19 11:29 testfile2
-rw-r--r-- 1 root root 0 2009-02-19 11:29 testfile3
-rw-r--r-- 1 root root 0 2009-02-19 11:29 testfile4
-rwxrwxrwx 1 marc marc 0 2008-05-23 19:42 Thumbs.db
Now everything is as it should be.
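Checking replica consistency by eye, as done above, does not scale past a handful of files. The following POSIX shell helper is an added example, not code from the original howto: it lists the files that exist on only one of two replica bricks (the state server1 was in after its reboot), and, if they differ, reads everything through the mount with ls -lR as the howto does before checking again. It assumes both brick directories are readable from where it runs (any two directories will do) and that MOUNT is the GlusterFS mount point.

```shell
#!/bin/sh
# Added example (not part of the original howto): compare the backend directories
# of two replica bricks and report what is missing on each side. Assumptions:
# both brick directories are readable locally; MOUNT is the GlusterFS mount.

# Sorted relative paths of regular files under $1
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort )
}

# compare_bricks A B: prints what is missing on each side, returns 1 on any difference
compare_bricks() {
    ta=$(mktemp) && tb=$(mktemp) || return 2
    list_files "$1" > "$ta"; list_files "$2" > "$tb"
    only_a=$(LC_ALL=C comm -23 "$ta" "$tb")   # present on A, missing on B
    only_b=$(LC_ALL=C comm -13 "$ta" "$tb")   # present on B, missing on A
    rm -f "$ta" "$tb"
    rc=0
    [ -n "$only_a" ] && { printf 'missing on %s:\n%s\n' "$2" "$only_a"; rc=1; }
    [ -n "$only_b" ] && { printf 'missing on %s:\n%s\n' "$1" "$only_b"; rc=1; }
    return $rc
}

# heal_and_verify MOUNT A B: if the replicas differ, read every file through the
# mount (ls -lR, as in the howto) to trigger self-heal, then compare again
heal_and_verify() {
    compare_bricks "$2" "$3" > /dev/null && return 0
    ls -lR "$1" > /dev/null
    compare_bricks "$2" "$3"
}

# usage: heal_and_verify /mnt/glusterfs /data/export /net/server4/data/export
```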
------------------------------------------------------------------------------------
6. Conclusion
GlusterFS has a lot of potential. What you saw here is a small portion of what GlusterFS can do. As I said
on the first page, this setup was not tested on a live webserver and very little testing was done. If you plan
to put this on a live server and test this setup in depth, please share your experience in the forums or
simply post a comment on this page. Also, it would be very interesting if someone could post benchmarks
to see how well it scales.
Further reading : http://www.gluster.org

Linux Create A Bootable USB Pen

You need to format your USB pen device as Win FAT32. Once formatted, type the following commands to make it bootable.

Our Device Names

  1. USB Pen Device Name : /dev/sdb1
  2. DVD Mount : /media/cdrom0
  3. USB Mount Point : /media/usb
  4. USB File System : Win FAT32
  5. ISO or DVD Image : Fedora / CentOS / RHEL
To find information about your devices and current partitions run:
# dmesg | less
# dmesg | egrep -i 'cd|dvd'
# fdisk -l

Use the first command to identify the USB device name.

Mount CD/DVD ISO or DVD ITSELF

Type the following command to mount Fedora 12 iso image:
# mount Fedora-12-x86_64-netinst.iso -o loop /media/cdrom0/
# DVD=/media/cdrom0
# ls -l $DVD

Sample outputs:
total 6
dr-xr-xr-x 3 root root 2048 2009-11-09 05:37 EFI
drwxr-sr-x 3 root  499 2048 2009-11-09 05:37 images
drwxr-sr-x 2 root  499 2048 2009-11-09 05:36 isolinux
You need to use files stored in isolinux directory to create a bootable usb pen.

Format Usb

Create the fdisk partition:
# fdisk /dev/sdb
You need to create only one partition. Next, format the partition:
# mkdosfs /dev/sdb1

Finally mount the partition:
# mkdir -p /media/usb
# mount /dev/sdb1 /media/usb
# USB=/media/usb

Copy Required Files

Type the following commands:
# cp -av $DVD/isolinux/* $USB
# cd $USB
# rm isolinux.bin boot.cat TRANS.TBL
# mv isolinux.cfg syslinux.cfg

Also copy the installer's initial RAM disk $DVD/images/pxeboot/initrd.img (for CentOS / RHEL Linux use the $DVD/RedHat/images/pxeboot/initrd.img file) from the CD/DVD onto the USB drive:
# cp -v $DVD/images/pxeboot/initrd.img $USB

Unmount the USB drive

# umount /dev/sdb1

Make the USB Bootable

Type the following command to make the USB drive bootable
# syslinux /dev/sdb1
# mount /dev/sdb1 $USB

syslinux is a boot loader for the Linux operating system which operates off an MS-DOS/Windows FAT filesystem.

Install Grub

Type the following command to install GRUB on the USB device:
# grub-install --root-directory=$USB /dev/sdb
Create grub.conf:
# cd $USB
# mkdir -p boot/grub

Create the boot/grub/grub.conf file with the following content:
default=0
timeout=5
root (hd1,0)
title Fedora Linux
kernel /vmlinuz
initrd /initrd.img
Finally, unmount the USB pen drive, enter:
# umount /dev/sdb1
Your USB pen is ready and should be bootable from the USB device. This can be used to install Fedora or CentOS or RHEL. You can also copy other required tools (such as sniffers or data recovery tools) on this pen. This is left as exercise for the reader.
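The file-level steps of the procedure above (copy isolinux/*, drop the CD-only files, rename the config, add initrd.img and grub.conf) can be wrapped in one function with the existence checks a careless copy skips, and dry-run on plain directories before any device is touched. This is an added example, not code from the original post; it assumes DVD is the mounted ISO, USB the mounted FAT32 partition, and the GRUB root (hd1,0) as in the post's grub.conf. The device-level steps (syslinux, grub-install) are kept in a separate function that is not exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original post): stage the boot files of the
# procedure above into the USB mount point, with sanity checks, so it can be
# dry-run on plain directories first. Assumptions: DVD = mounted ISO,
# USB = mounted FAT32 partition, GRUB root (hd1,0) as in the post's grub.conf.

# stage_boot_files DVD USB [INITRD]; INITRD is relative to DVD and defaults to the
# Fedora path (for CentOS / RHEL pass RedHat/images/pxeboot/initrd.img)
stage_boot_files() {
    dvd=$1; usb=$2; initrd=${3:-images/pxeboot/initrd.img}
    [ -d "$dvd/isolinux" ] || { echo "no isolinux/ under $dvd" >&2; return 1; }
    [ -f "$dvd/$initrd" ] || { echo "no $initrd under $dvd" >&2; return 1; }
    [ -d "$usb" ] || { echo "$usb is not a directory" >&2; return 1; }
    cp -R "$dvd/isolinux/." "$usb/" || return 1
    # the CD-only loader, boot catalog and transfer table are not needed on USB
    rm -f "$usb/isolinux.bin" "$usb/boot.cat" "$usb/TRANS.TBL"
    # syslinux reads syslinux.cfg, not isolinux.cfg
    mv "$usb/isolinux.cfg" "$usb/syslinux.cfg" || return 1
    cp "$dvd/$initrd" "$usb/initrd.img" || return 1
    mkdir -p "$usb/boot/grub" || return 1
    cat > "$usb/boot/grub/grub.conf" <<'EOF'
default=0
timeout=5
root (hd1,0)
title Fedora Linux
kernel /vmlinuz
initrd /initrd.img
EOF
    # everything the loaders will look for must be present before unmounting
    for f in vmlinuz initrd.img syslinux.cfg boot/grub/grub.conf; do
        [ -f "$usb/$f" ] || { echo "missing $f after staging" >&2; return 1; }
    done
}

# Device-level steps from the post, in the post's order (root only; not run here):
# install_loaders /dev/sdb1 /dev/sdb /media/usb
install_loaders() {
    umount "$1" && syslinux "$1" && mount "$1" "$3" &&
        grub-install --root-directory="$3" "$2"
}
```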

Unetbootin Installer of Linux/BSD Distributions (GUI Tools)

If the command line steps are too complicated to follow, try UNetbootin, which allows you to create bootable Live USB drives for a variety of Linux distributions from Windows or Linux, without requiring you to burn a CD. To install UNetbootin (which then writes the distribution to a partition or USB drive for you), type the following command:
$ sudo apt-get install unetbootin

Kernel Tunable Security Parameters

The following list shows tunable kernel parameters you can use to secure your Linux server against attacks.

For each tunable kernel parameter I will show the entry that needs to be added to the /etc/sysctl.conf configuration file to make the change permanent across reboots. To activate the configured kernel parameters immediately at runtime, use:

# sysctl -p

Enable TCP SYN Cookie Protection

A "SYN Attack" is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.tcp_syncookies = 1

Disable IP Source Routing

Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network people for diagnosing problems. However, if an intruder was able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it's not communicating with a trusted server.

To disable acceptance of source-routed packets, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.conf.all.accept_source_route = 0

Disable ICMP Redirect Acceptance

ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the host's routing table, causing traffic to use a path you didn't intend.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.conf.all.accept_redirects = 0

Enable IP Spoofing Protection

IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks. For more information on IP Spoofing, I recommend the article IP Spoofing: Understanding the basics.

To enable IP Spoofing Protection, turn on Source Address Verification. Edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.conf.all.rp_filter = 1

Enable Ignoring ICMP Echo Requests

If you want or need Linux to ignore ping requests, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.icmp_echo_ignore_all = 1
This is not an option in many environments.

Enable Ignoring Broadcast Requests

If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.icmp_echo_ignore_broadcasts = 1

Enable Bad Error Message Protection

To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.icmp_ignore_bogus_error_responses = 1

Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.conf.all.log_martians = 1
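Adding these lines to /etc/sysctl.conf is only half the job; a setting can be overridden by a later file or a service, so it pays to audit the running kernel against the intended baseline. The following POSIX shell script is an added example, not code from the original post: it holds the settings above as a baseline and compares them against a "key = value" dump such as sysctl -a produces, so a dump saved from another host can be audited offline as well. icmp_echo_ignore_all is deliberately left out of the baseline because the post notes it is not an option in many environments.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a kernel against the
# hardening settings above. EXPECTED is a file in sysctl.conf syntax, CURRENT is
# a "key = value" dump such as `sysctl -a` produces.

# Baseline from the post (icmp_echo_ignore_all left out: the post notes that
# dropping all pings is not an option in many environments)
HARDENING_CONF='
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
'

# Strip comments and blank lines, normalise "key = value" spacing
normalize() {
    sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/ = /' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# audit_sysctl EXPECTED CURRENT: prints one line per missing or deviating key,
# returns 0 when everything matches and 1 otherwise
audit_sysctl() {
    deviations=$(normalize < "$1" | while read -r key _eq want; do
        have=$(normalize < "$2" | awk -v k="$key" '$1 == k { print $3; exit }')
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key = $have (want $want)"
        fi
    done)
    [ -z "$deviations" ] && return 0
    printf '%s\n' "$deviations"
    return 1
}

# Audit the running kernel (needs a working sysctl; not exercised offline)
audit_running() {
    expf=$(mktemp) && cur=$(mktemp) || return 2
    printf '%s\n' "$HARDENING_CONF" > "$expf"
    sysctl -a 2>/dev/null > "$cur"
    audit_sysctl "$expf" "$cur"; rc=$?
    rm -f "$expf" "$cur"
    return $rc
}
```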

References for Kernel Tunable Parameters

Network Security with /proc/sys/net/ipv4
IP Spoofing: Understanding the basics