Hi

So after reading this, felt I should apply the fix to a CentOS6 VPS that I have.
http://www.zdnet.com/article/linux-tcp-flaw-lets-anyone-hijack-internet-traffic/

The article doesn't talk about CentOS or Redhat, but I assume the problem is the same, and hoping the solution is the same.
However that doesn't seem to be the case.

[root at vps ~]# uname -r
2.6.32-042stab108.7
[root at vps ~]# sysctl -a | grep ack_limit
net.ipv4.tcp_challenge_ack_limit = 100
[root at vps ~]# vi /etc/sysctl.conf
> Append
> net.ipv4.tcp_challenge_ack_limit = 999999999
> to end of file
[root at vps ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
error: permission denied on key 'net.bridge.bridge-nf-call-ip6tables'
error: permission denied on key 'net.bridge.bridge-nf-call-iptables'
error: permission denied on key 'net.bridge.bridge-nf-call-arptables'
error: permission denied on key 'net.ipv4.tcp_challenge_ack_limit'
[root at vps ~]# sysctl -a | grep ack_limit
net.ipv4.tcp_challenge_ack_limit = 100

Am I getting a permission denied because there is a different solution, or the problem doesn't apply to our VPS, or some other reason?

Regards
Andrew Dent
On 12/08/16 17:33, Andrew Dent wrote:
> So after reading this, felt I should apply the fix to a CentOS6 VPS that
> I have.
> http://www.zdnet.com/article/linux-tcp-flaw-lets-anyone-hijack-internet-traffic/
>
> [root at vps ~]# uname -r
> 2.6.32-042stab108.7

That's not a CentOS kernel, it's an openvz kernel that is not provided by CentOS. The fixes and workarounds shown on the internet will not work with that kernel.

I suggest you find a better VPS provider, what you have is essentially a glorified chroot, not a real VPS and there are many aspects of CentOS that are simply broken in that model.

Peter
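The check the two posts above do by hand (read the kernel release string, try to set the sysctl, see whether the kernel refuses) as an added example script, not code from either poster. It assumes an OpenVZ kernel can be recognised by the "stab" marker in its release string and takes a proc root argument so it can be exercised against a constructed directory tree instead of the real /proc.

```sh
#!/bin/sh
# Added example (not from the thread): report whether the running kernel is an
# OpenVZ container kernel and whether a sysctl key can actually be set from
# inside the guest. Assumption: OpenVZ kernels carry "stab" in the release
# string (e.g. 2.6.32-042stab108.7); RHEL/CentOS kernels carry ".elN".

# classify_kernel RELEASE -> "openvz" | "rhel" | "other"
classify_kernel() {
    case "$1" in
        *stab*)     echo openvz ;;   # host kernel seen from inside the container
        *.el[0-9]*) echo rhel ;;     # RHEL/CentOS kernel
        *)          echo other ;;
    esac
}

# key_path PROC_ROOT KEY -> file behind the dotted sysctl name
key_path() {
    printf '%s/sys/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# read_key PROC_ROOT KEY -> current value (empty if unreadable)
read_key() {
    cat "$(key_path "$1" "$2")" 2>/dev/null
}

# probe_key PROC_ROOT KEY VALUE -> "absent" | "applied" | "denied"
# Attempting the write is the only reliable test: inside a container the key
# is readable but the kernel refuses the write, which is what `sysctl -p`
# reports as "permission denied on key".
probe_key() {
    path=$(key_path "$1" "$2")
    [ -e "$path" ] || { echo absent; return 0; }
    if printf '%s\n' "$3" > "$path" 2>/dev/null; then
        echo applied
    else
        echo denied
    fi
}

main() {
    key=net.ipv4.tcp_challenge_ack_limit
    kernel=$(classify_kernel "$(uname -r)")
    state=$(probe_key /proc "$key" 999999999)
    echo "kernel class: $kernel"
    echo "$key: $state (current value: $(read_key /proc "$key"))"
    if [ "$kernel" = openvz ] && [ "$state" = denied ]; then
        echo "container kernel rejects the change; only the host can apply it"
    fi
}

if [ "${1:-}" = --run ]; then main; fi
```

Run it as root with `--run` on the VPS; on the OpenVZ guest from the thread it reports `kernel class: openvz` and `denied`.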
> Hi
>
> So after reading this, felt I should apply the fix to a CentOS6 VPS that I
> have.
> http://www.zdnet.com/article/linux-tcp-flaw-lets-anyone-hijack-internet-traffic/
>
> The article doesn't talk about CentOS or Redhat, but I assume the problem is
> the same, and hoping the solution is the same.
> However that doesn't seem to be the case.
>
> [root at vps ~]# uname -r
> 2.6.32-042stab108.7

Not needed. This affects 3.6+ kernels. You don't have one of those.
On 12/08/16 17:56, Barry Brimer wrote:
>> [root at vps ~]# uname -r
>> 2.6.32-042stab108.7
>
> Not needed. This affects 3.6+ kernels. You don't have one of those.

It affects RHEL6 which runs 2.6.32, they backported the features that it affects. If the above openvz kernel was based on a RHEL6 kernel (and I'd guess it was) then it's affected.

Peter