geode-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (GEODE-3957) User Guide: Strengthen anti-SYNCOOKIES host machine requirement
Date Tue, 07 Nov 2017 23:59:00 GMT

    [ https://issues.apache.org/jira/browse/GEODE-3957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16243107#comment-16243107 ]

ASF GitHub Bot commented on GEODE-3957:
---------------------------------------

davebarnes97 closed pull request #1018: GEODE-3957: User Guide - Strengthen anti-SYNCOOKIES host machine requ…
URL: https://github.com/apache/geode/pull/1018
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/geode-book/master_middleman/source/subnavs/geode-subnav.erb b/geode-book/master_middleman/source/subnavs/geode-subnav.erb
index dec2fc1269..dfc2ee0f17 100644
--- a/geode-book/master_middleman/source/subnavs/geode-subnav.erb
+++ b/geode-book/master_middleman/source/subnavs/geode-subnav.erb
@@ -641,6 +641,9 @@ limitations under the License.
                         <a href="/docs/guide/<%=vars.product_version_nodot%>/managing/monitor_tune/chapter_overview.html">Performance
Tuning and Configuration</a>
                         <ul>
                             <li>
+                                <a href="/docs/guide/<%=vars.product_version_nodot%>/managing/monitor_tune/disabling_tcp_syn_cookies.html">Disabling
TCP SYN Cookies</a>
+                            </li>
+                            <li>
                                 <a href="/docs/guide/<%=vars.product_version_nodot%>/managing/monitor_tune/performance_on_vsphere.html">Improving
Performance on vSphere</a>
                             </li>
                             <li class="has_submenu">
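Review bot: the link text `Disabling TCP SYN Cookies` added in this subnav entry (and again in chapter_overview) does not match the new page's front-matter title `Disable TCP SYN Cookies` in disabling_tcp_syn_cookies.html.md.erb; pick one form, preferably the gerund used by the neighbouring entry `Improving Performance on vSphere`, and use it for the page title too so the nav, the overview list and the page heading agree.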
diff --git a/geode-docs/getting_started/system_requirements/host_machine.html.md.erb b/geode-docs/getting_started/system_requirements/host_machine.html.md.erb
index 787e896ceb..1e26fefb5d 100644
--- a/geode-docs/getting_started/system_requirements/host_machine.html.md.erb
+++ b/geode-docs/getting_started/system_requirements/host_machine.html.md.erb
@@ -30,10 +30,11 @@ Each machine that will run <%=vars.product_name_long%> must meet
the following r
     -   Aggregate product-level and application-level time statistics. 
     -   Accurate monitoring of the Geode system with scripts and other tools that read the
system statistics and log files.
 -   The host name and host files are properly configured for the machine. The host name and
host file configuration can affect `gfsh` and Pulse functionality.
--   Many default Linux installations use SYN cookies to protect the 
-system against malicious attacks that flood TCP SYN packets.
-The use of SYN cookies dramatically reduces network bandwidth,
-and can be triggered by a running distributed system.
+-   Disable TCP SYN cookies. Most default Linux installations use SYN cookies to protect
the 
+system against malicious attacks that flood TCP SYN packets, but this feature 
+is not compatible with stable and busy <%=vars.product_name%> clusters. 
+Security implementations should instead seek to prevent attacks by placing <%=vars.product_name%>

+server clusters behind advanced firewall protection.
 
     To disable SYN cookies permanently:
     1. Edit the `/etc/sysctl.conf` file to include the following line:
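Review bot: the rewritten bullet turns a recommendation into a requirement (`Disable TCP SYN cookies.`) while the compensating control stays as vague as before (`advanced firewall protection`); since the guide is telling operators to switch off a kernel defence, it should say what the firewall must enforce, for example restricting inbound access to the member and client ports to trusted networks, so the reader can judge whether the trade-off is acceptable for their deployment. Consider also noting that the Linux default `net.ipv4.tcp_syncookies = 1` only engages cookies when a socket's SYN backlog overflows, so raising the backlog is a less drastic alternative for clusters that trip it during normal operation. Minor: the added lines ending in `the `, `this feature ` and `clusters. ` carry trailing whitespace.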
@@ -47,3 +48,5 @@ and can be triggered by a running distributed system.
         ``` pre
         sysctl -p
         ```
+
+    See [Disabling TCP SYN Cookies](../../managing/monitor_tune/disabling_tcp_syn_cookies.html)
for details.
\ No newline at end of file
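Review bot: `\ No newline at end of file` shows that the new closing line `for details.` was added without a terminating newline; end the file with one. Beyond that, this bullet now carries the full two-step procedure (edit `/etc/sysctl.conf`, run `sysctl -p`) and then links to a page that repeats the same steps verbatim; keep the procedure in the new page and leave only the requirement plus the link here, so the two copies cannot drift apart.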
diff --git a/geode-docs/managing/monitor_tune/chapter_overview.html.md.erb b/geode-docs/managing/monitor_tune/chapter_overview.html.md.erb
index 8f7e921a87..af2c485717 100644
--- a/geode-docs/managing/monitor_tune/chapter_overview.html.md.erb
+++ b/geode-docs/managing/monitor_tune/chapter_overview.html.md.erb
@@ -21,6 +21,10 @@ limitations under the License.
 
 A collection of tools and controls allow you to monitor and adjust <%=vars.product_name_long%>
performance.
 
+-   **[Disabling TCP SYN Cookies](disabling_tcp_syn_cookies.html)**
+
+    This is a must-do for Linux systems.
+
 -   **[Improving Performance on vSphere](performance_on_vsphere.html)**
 
     This topic provides guidelines for tuning vSphere virtualized environments that host
<%=vars.product_name_long%> deployments.
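Review bot: `This is a must-do for Linux systems.` is the only entry in this list that does not describe its topic; the sibling entries open with `This topic provides ...`. Suggest a one-sentence summary in the same pattern, e.g. `This topic explains why TCP SYN cookies must be disabled on Linux hosts that run <%=vars.product_name%>, how to disable them, and how to compensate with firewall rules.` Also make the link text here agree with the new page's front-matter title.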
diff --git a/geode-docs/managing/monitor_tune/disabling_tcp_syn_cookies.html.md.erb b/geode-docs/managing/monitor_tune/disabling_tcp_syn_cookies.html.md.erb
new file mode 100644
index 0000000000..58b3e01f06
--- /dev/null
+++ b/geode-docs/managing/monitor_tune/disabling_tcp_syn_cookies.html.md.erb
@@ -0,0 +1,42 @@
+---
+title:  Disable TCP SYN Cookies
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+Most default Linux installations use SYN cookies to protect the 
+system against malicious attacks (such as DDOS) that flood TCP SYN packets.
+
+This feature is not compatible with stable and busy <%=vars.product_name%> clusters.
SYN Cookies protection gets
+incorrectly activated by normal <%=vars.product_name%> traffic, severely limiting bandwidth
and new connection
+rates, and destroying SLAs. Security implementations should instead seek to prevent DDOS
types of
+attacks by placing <%=vars.product_name%> server clusters behind advanced firewall
protection.
+
+To disable SYN cookies permanently:
+
+1. Edit the `/etc/sysctl.conf` file to include the following line:
+
+    ``` pre
+    net.ipv4.tcp_syncookies = 0
+    ```
+    Setting this value to zero disables SYN cookies.
+2. Reload `sysctl.conf`:
+
+    ``` pre
+    sysctl -p
+    ```
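Review bot: the front-matter title `Disable TCP SYN Cookies` disagrees with the link text `Disabling TCP SYN Cookies` used in the subnav and chapter overview; align them. `DDOS` should be `DDoS` in both occurrences, and `destroying SLAs` reads as hyperbole where `causing SLA violations` says the same thing plainly. On the procedure: `sysctl -p` needs root and re-reads only `/etc/sysctl.conf`, so on distributions that keep settings in `/etc/sysctl.d/` readers should be pointed at `sysctl --system` (or the equivalent) and told to put the line in a drop-in there; and step 2 should end with a verification, `sysctl net.ipv4.tcp_syncookies`, so the operator can confirm the running kernel reports `0` before relying on the change.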


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> User Guide: Strengthen anti-SYNCOOKIES host machine requirement
> ---------------------------------------------------------------
>
>                 Key: GEODE-3957
>                 URL: https://issues.apache.org/jira/browse/GEODE-3957
>             Project: Geode
>          Issue Type: Improvement
>          Components: docs
>            Reporter: Dave Barnes
>            Assignee: Dave Barnes
>
> Current verbiage in "Host Machine Requirements" *recommends* disabling TCP SYN cookies on Linux platforms.
> Reports from users indicate that this should be mandatory, not merely optional.
> Suggest firewall protection to compensate for the absence of TCP SYN cookie security.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
