4.2.1 clean_partial_conns

Information

The clean_partial_conns parameter controls whether the system protects itself against SYN attacks. When enabled, it clears down connections that remain in the SYN RECEIVED state after a set period of time. This helps counter denial-of-service attacks in which an attacker floods a system with packets that have the SYN flag set.

Rationale:

The clean_partial_conns parameter will be set to 1 so that pending SYN RECEIVED connections are cleared down after a set period of time.

Solution

In /etc/tunables/nextboot, add the clean_partial_conns entry:

no -p -o clean_partial_conns=1

This makes the change permanent by writing the entry to /etc/tunables/nextboot.
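The following is an added audit helper, not part of the CIS benchmark or the Tenable audit plugin. It assumes that on AIX `no -o clean_partial_conns` prints a line of the form "clean_partial_conns = 0" (the default value shown below); the parser, the PASS/FAIL/UNKNOWN classification and the function names are the example's own. The sample output lines at the end are constructed, not captured from a real host, so the parsing and classification can be exercised offline; audit_host is the part that talks to a live AIX system and applies the benchmark's remediation command on request.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the Tenable audit): audit helper
# for the clean_partial_conns tunable.
# Assumption: on AIX, `no -o clean_partial_conns` prints a line such as
#   clean_partial_conns = 0

# parse_no_value: extract the integer from a `no -o clean_partial_conns` output
# line. Prints the value, or nothing if the line is not in the expected form.
parse_no_value() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*clean_partial_conns[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# is_compliant: true (exit 0) when the output line reports the benchmark value 1.
is_compliant() {
    [ "$(parse_no_value "$1")" = "1" ]
}

# classify: print PASS, FAIL or UNKNOWN for one output line, the way an audit
# report would summarise it. Unparseable output is reported as UNKNOWN rather
# than silently treated as compliant.
classify() {
    value=$(parse_no_value "$1")
    case "$value" in
        1)  printf 'PASS\n' ;;
        '') printf 'UNKNOWN\n' ;;
        *)  printf 'FAIL\n' ;;
    esac
}

# audit_host: read the live value with `no` and, with -r, remediate a FAIL using
# the benchmark's own command. Only meaningful on an AIX host where no(1) exists.
# Usage: audit_host [-r]
audit_host() {
    if ! command -v no >/dev/null 2>&1; then
        printf 'no(1) not found; this check only applies to AIX\n' >&2
        return 2
    fi
    line=$(no -o clean_partial_conns 2>/dev/null)
    status=$(classify "$line")
    printf 'clean_partial_conns: %s (%s)\n' "$status" "$line"
    if [ "$status" = "FAIL" ] && [ "$1" = "-r" ]; then
        # -p sets the running value and records it in /etc/tunables/nextboot
        no -p -o clean_partial_conns=1 && printf 'remediated\n'
    fi
    [ "$status" = "PASS" ]
}

# Constructed sample output lines for offline use (not captured from a real host).
SAMPLE_DEFAULT='clean_partial_conns = 0'
SAMPLE_HARDENED='clean_partial_conns = 1'

classify "$SAMPLE_DEFAULT"    # FAIL
classify "$SAMPLE_HARDENED"   # PASS
```

On an AIX host, `audit_host` reports the current state and exits non-zero on FAIL, which makes it usable from a configuration-management run; `audit_host -r` additionally applies `no -p -o clean_partial_conns=1`, the same command the Solution above gives. Treating unparseable output as UNKNOWN instead of PASS matters because a silent parse failure would otherwise hide a host that is still at the default of 0.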

Default Value:

0

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Unix

Control ID: 79377ebfd47b31e5b7fe49710e84b905f50c2aec3e550cad6cdf8fe3d2392206