httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: Invalid argument: setsockopt: (TCP_NODELAY)
Date Sat, 16 Oct 1999 14:34:50 GMT

And of course you could patch the source to change the log level, and play
with that for the jumpy/insecure-feeling admins.

Dw

On Wed, 13 Oct 1999, Bill Jones wrote:

> > Solaris v2.6.
> <snipped>
> > The people around here were getting jumpy about little error messages,
> > and saying pagan things like "is Apache really cut out to handle this
> > site"
> <snipped>
> 
> If the 'audience' is gonna have a bowel movement -
> there is very little you can do to stop it.
> They may be on a witch hunt.
> 
> The Apache docs don't really say it's *not* a problem.
> How many log entries are you getting?  Have you messed
> with the ndd /dev/tcp \? settings?
> 
> 2.6 is funny...  Is your 2.6 fully patched?
> 
> See http://www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html
>     http://www.nationwide.net/~aleph1/FAQ
> 
> Do a
>      ndd /dev/ip \?  to verify correct sequences..
>      ndd /dev/tcp \?  to verify correct sequences..
> 
> 
> The command set (for the /etc/init.d/inetinit file) is:
> 
> # Disable ANY packet forwarding. Same as touching /etc/notrouter...
> ndd -set /dev/ip ip_forwarding 0
> 
> # Disable directed broadcasts...
> ndd -set /dev/ip ip_forward_directed_broadcasts 0
> 
> # Disable forwarding source-routed packets...
> ndd -set /dev/ip ip_forward_src_routed 0
> 
> # Enable RFC 1948 support, which uses less predictable TCP sequence numbers;
> # copy the encrypted password from /etc/shadow as the tcp_1948_phrase...
> # (First line same as adding TCP_STRONG_ISS=2 into /etc/default/inetinit...)
> ndd -set /dev/tcp tcp_strong_iss 2
> 
> #Not Used: ndd -set /dev/tcp tcp_1948_phrase <root passwd from /etc/shadow>
> #
> 
> # Disable responding to broadcast pings, a prevalent DoS attack (SMURF.)
> ndd -set /dev/ip ip_respond_to_echo_broadcast 0
> 
> # Defend against SYN flooding...
> ndd -set /dev/tcp tcp_ip_abort_cinterval 10000
> 
> # Lengthens the backlog queue, helpful in SYN flooding protection...
> echo "tcp_param_arr+14/W 0t10240" | adb -kw /dev/ksyms /dev/mem
> ndd -set /dev/tcp tcp_conn_req_max_q 8192
> 
> # the _q0 is the incomplete socket...
> ndd -set /dev/tcp tcp_conn_req_max_q0 8192
> 
> HTH,
> -Sneex-  :]
> 
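As an added example (not part of the thread, nor Apache or Solaris code): a defender's audit script that compares a Solaris host's live ndd tunables against the values Bill posted, so that drift (a reboot without the /etc/init.d/inetinit changes, or an ndd -set the kernel rejected) is reported rather than assumed. It assumes that `ndd -get <driver> <tunable>` prints the current value, the tunable names exactly as posted, and a hypothetical NDD_GET override plus the file name audit_tunables.sh, both introduced here for testing and stand-alone use.

```shell
#!/bin/sh
# Added audit helper, not from the thread: reads the live Solaris tunables with
# "ndd -get" and reports every one that differs from the values in the post.
# NDD_GET is a hypothetical override so another reader (a test double) can be
# substituted; unquoted on purpose below, since it holds a command plus a flag.
NDD_GET="${NDD_GET:-ndd -get}"

# The hardened values from the post, as "driver tunable expected" triples.
hardened_tunables() {
    cat <<'EOF'
/dev/ip ip_forwarding 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/tcp tcp_strong_iss 2
/dev/tcp tcp_ip_abort_cinterval 10000
/dev/tcp tcp_conn_req_max_q 8192
/dev/tcp tcp_conn_req_max_q0 8192
EOF
}

# Prints one "DRIFT <driver> <tunable> current=<x> expected=<y>" line per
# mismatch and returns the number of mismatches (0 means fully compliant).
# The loop reads from a here-document rather than a pipe so the counter is
# updated in the calling shell, not in a subshell.
audit_tunables() {
    drift=0
    while read -r driver name want; do
        have=$($NDD_GET "$driver" "$name" 2>/dev/null) || have=unreadable
        if [ "$have" != "$want" ]; then
            echo "DRIFT $driver $name current=$have expected=$want"
            drift=$((drift + 1))
        fi
    done <<EOF
$(hardened_tunables)
EOF
    return "$drift"
}

# Stand-alone use: when saved as audit_tunables.sh and run directly (as root,
# since ndd needs it), print the report and exit with the drift count.
case "$0" in
    *audit_tunables.sh)
        audit_tunables
        exit $?
        ;;
esac
```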
