3.3.2 clean_partial_conns

Information

The clean_partial_conns parameter determines whether the system is protected against SYN attacks. When enabled, it clears down connections left in the SYN RECEIVED (half-open) state after a set period of time. This mitigates SYN-flood denial-of-service attacks, in which an attacker floods a system with packets that have the SYN flag set so that the half-open connection table fills up.

Rationale:

The clean_partial_conns parameter will be set to 1, to clear down pending SYN received connections after a set period of time.

Solution

Run the following no command, which adds the clean_partial_conns entry to /etc/tunables/nextboot:

no -p -o clean_partial_conns=1

The -p flag makes the change permanent by recording the entry in /etc/tunables/nextboot, so the value survives a reboot.
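The following POSIX shell script is an added audit example, not part of the CIS benchmark or Tenable's plugin. It checks both the running value (by parsing the output of `no -o clean_partial_conns` when the `no` command is present) and the persisted value in the nextboot file. It assumes that /etc/tunables/nextboot uses the AIX stanza layout shown in the constructed sample files, and that `no -o clean_partial_conns` prints a line of the form `clean_partial_conns = 1`.

```shell
#!/bin/sh
# Added audit example for the clean_partial_conns tunable (not the benchmark's own code).
# Assumptions: the nextboot file uses the stanza layout "no:" followed by
# indented 'tunable = "value"' lines, and `no -o <tunable>` prints "<tunable> = <value>".

# Return 0 if the given nextboot-style file sets clean_partial_conns to 1
# inside the "no:" stanza, 1 otherwise (missing file, missing entry, or other value).
nextboot_sets_clean_partial_conns() {
    [ -r "$1" ] || return 1
    awk '
        /^[a-z]+:/ { stanza = $1 }                 # track the current stanza (no:, vmo:, ...)
        stanza == "no:" && $1 == "clean_partial_conns" {
            gsub(/"/, "", $3)                       # strip the quotes around the value
            if ($3 == "1") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Return 0 if the text produced by `no -o clean_partial_conns` reports the value 1.
running_value_is_one() {
    printf '%s\n' "$1" | awk -F'=' '
        $1 ~ /clean_partial_conns/ {
            gsub(/[[:space:]]/, "", $2)
            if ($2 == "1") ok = 1
        }
        END { exit ok ? 0 : 1 }
    '
}

# Driver: report PASS/FAIL for the running value (AIX only) and for the nextboot file.
audit_clean_partial_conns() {
    file=${1:-/etc/tunables/nextboot}
    if command -v no >/dev/null 2>&1; then
        if running_value_is_one "$(no -o clean_partial_conns 2>/dev/null)"; then
            echo "running value: PASS"
        else
            echo "running value: FAIL (expected clean_partial_conns = 1)"
        fi
    fi
    if nextboot_sets_clean_partial_conns "$file"; then
        echo "nextboot ($file): PASS"
    else
        echo "nextboot ($file): FAIL (entry missing or not 1)"
    fi
}

# Constructed sample nextboot files used for offline demonstration.
SAMPLE_PASS="${TMPDIR:-/tmp}/nextboot.sample.pass"
SAMPLE_FAIL="${TMPDIR:-/tmp}/nextboot.sample.fail"
cat > "$SAMPLE_PASS" <<'EOF'
no:
        clean_partial_conns = "1"
        tcp_sendspace = "262144"
EOF
cat > "$SAMPLE_FAIL" <<'EOF'
vmo:
        clean_partial_conns = "1"
no:
        tcp_sendspace = "262144"
EOF

audit_clean_partial_conns "$SAMPLE_PASS"
audit_clean_partial_conns "$SAMPLE_FAIL"
```

The FAIL sample deliberately places the entry under the wrong stanza, so a naive `grep clean_partial_conns` would report a false pass; the stanza-aware check catches it. On a real AIX host, run the script with no argument to audit /etc/tunables/nextboot.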

Default Value:

0

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Unix

Control ID: 6728f93ac3126dd16277c626fd58410fd797b2fe862629eb02ac50622a44d876