Servers that offer services to the Internet normally communicate with their peers via TCP/IP. The IP stack in the Linux kernel is responsible for this communication and handles it transparently on behalf of the server services (such as the Apache web server).
However, certain functions and weak points in the protocols of the TCP/IP family can be used for attacks and sabotage. The Linux kernel must therefore be configured so that it can resist such attacks.
An application-level gateway placed in front of the server may offer protection from all attacks that take place in the lower protocol layers, but an added safety net cannot do any harm. To achieve this, certain settings must be made on the server itself. If only a screening router (packet filter) sits in front of the server, these settings are extremely important.
The most important measure is the prevention of SYN flooding attacks. Linux is equipped with the most effective solution of all operating systems for this: SYN cookies. ICMP redirects and pings to broadcast addresses are rejected, as are IP source-routed packets. The packet filters of the Linux kernel are also of great use as an additional self-protection mechanism for servers in the DMZ.
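The measures listed above correspond to sysctl keys in the Linux kernel. The following shell function is an added example, not part of the original article: it audits those keys against hardened values. The expected values assume a server that does not forward packets, and the function name `audit_ipstack` is hypothetical.

```shell
#!/bin/sh
# Added example: audit the IP-stack settings named in the article.
# Assumption: the host is a server, not a router, so redirects and
# source routing can be switched off on all interfaces.
EXPECTED='
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
'

# audit_ipstack [ROOT]
# ROOT is the sysctl tree to inspect (/proc/sys on a live host).
# Prints one line per key; the exit status is the number of keys
# that deviate from the expected value or cannot be read.
audit_ipstack() {
    root=${1:-/proc/sys}
    bad=0
    for entry in $EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        # sysctl key -> file path (net.ipv4.x -> net/ipv4/x)
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            have=$(cat "$path")
        else
            have=missing
        fi
        if [ "$have" = "$want" ]; then
            echo "ok    $key = $have"
        else
            echo "FAIL  $key = $have (want $want; fix: sysctl -w $key=$want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run against the live kernel only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_ipstack /proc/sys
    exit $?
fi
```

Values set with `sysctl -w` are lost at reboot; to make them permanent, put the same `key = value` pairs in `/etc/sysctl.conf`.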