Hi
So after reading this, I felt I should apply the fix to a CentOS6 VPS that I have. http://www.zdnet.com/article/linux-tcp-flaw-lets-anyone-hijack-internet-traf...
The article doesn't talk about CentOS or Redhat, but I assume the problem is the same, and I'm hoping the solution is the same. However, that doesn't seem to be the case.
[root@vps ~]# uname -r
2.6.32-042stab108.7
[root@vps ~]# sysctl -a | grep ack_limit
net.ipv4.tcp_challenge_ack_limit = 100
[root@vps ~]# vi /etc/sysctl.conf
Append net.ipv4.tcp_challenge_ack_limit = 999999999 to the end of the file.
[root@vps ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
error: permission denied on key 'net.bridge.bridge-nf-call-ip6tables'
error: permission denied on key 'net.bridge.bridge-nf-call-iptables'
error: permission denied on key 'net.bridge.bridge-nf-call-arptables'
error: permission denied on key 'net.ipv4.tcp_challenge_ack_limit'
[root@vps ~]# sysctl -a | grep ack_limit
net.ipv4.tcp_challenge_ack_limit = 100
Am I getting "permission denied" because there is a different solution, or because the problem doesn't apply to our VPS, or for some other reason?
Regards
Andrew Dent
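The three checks in this message (the live value from `sysctl -a`, the entry appended to /etc/sysctl.conf, and the result of `sysctl -p`) can be turned into one read-only status check. The script below is an added example, not something posted in the thread; it only parses text and never writes a kernel setting. The function names, the four verdict words and the sample strings are my own constructions, with the samples copied from the session above, so the script runs anywhere and on that session reports "not-writable", which matches the diagnosis further down the thread that the container kernel does not let the guest change the key.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether the tcp_challenge_ack_limit
# workaround for CVE-2016-5696 is configured, loaded, and writable on this host.
# Inputs are plain text: the output of `sysctl -a`, the body of /etc/sysctl.conf,
# and the output of `sysctl -p`. Nothing here changes a kernel setting.

KEY=net.ipv4.tcp_challenge_ack_limit

# running_value: live value of $KEY, read from `sysctl -a` output on stdin
running_value() {
    sed -n "s/^$KEY = \([0-9][0-9]*\)\$/\1/p"
}

# configured_value: value assigned to $KEY in a sysctl.conf body on stdin;
# the last assignment wins, as it does for sysctl -p
configured_value() {
    sed -n "s/^[[:space:]]*$KEY[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*\$/\1/p" | tail -n 1
}

# key_denied: succeed if `sysctl -p` output on stdin shows the kernel refused $KEY,
# which is what a container kernel (such as the OpenVZ one in the thread) reports
key_denied() {
    grep -q "permission denied on key '$KEY'"
}

# verdict RUNNING CONFIGURED DENIED(yes|no): prints one of four constructed status words
verdict() {
    running=$1 configured=$2 denied=$3
    if [ "$denied" = yes ]; then
        echo not-writable      # the setting cannot be changed from inside this guest
    elif [ -z "$configured" ]; then
        echo not-configured    # no entry in sysctl.conf, so nothing persists
    elif [ "$running" = "$configured" ]; then
        echo applied           # configured and the live value matches it
    else
        echo pending           # configured but not yet loaded with sysctl -p
    fi
}

# check SYSCTL_A_OUTPUT SYSCTL_CONF_BODY SYSCTL_P_OUTPUT
check() {
    r=$(printf '%s\n' "$1" | running_value)
    c=$(printf '%s\n' "$2" | configured_value)
    if printf '%s\n' "$3" | key_denied; then d=yes; else d=no; fi
    verdict "$r" "$c" "$d"
}

# Constructed samples, copied from the session posted in the thread.
SAMPLE_SYSCTL_A='net.ipv4.tcp_challenge_ack_limit = 100'
SAMPLE_CONF='net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_challenge_ack_limit = 999999999'
SAMPLE_SYSCTL_P="error: permission denied on key 'net.ipv4.tcp_challenge_ack_limit'"

check "$SAMPLE_SYSCTL_A" "$SAMPLE_CONF" "$SAMPLE_SYSCTL_P"
```

On a real host, capture the three outputs yourself and pass them in the same order, for example `check "$(sysctl -a 2>/dev/null)" "$(cat /etc/sysctl.conf)" "$(sysctl -p 2>&1)"`; a "pending" verdict means the file was edited but the value was never loaded, while "not-writable" means the fix has to come from whoever controls the host kernel.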
On 12/08/16 17:33, Andrew Dent wrote:
So after reading this, I felt I should apply the fix to a CentOS6 VPS that I have. http://www.zdnet.com/article/linux-tcp-flaw-lets-anyone-hijack-internet-traf...
[root@vps ~]# uname -r
2.6.32-042stab108.7
That's not a CentOS kernel; it's an OpenVZ kernel that is not provided by CentOS. The fixes and workarounds shown on the internet will not work with that kernel.
I suggest you find a better VPS provider. What you have is essentially a glorified chroot, not a real VPS, and there are many aspects of CentOS that are simply broken in that model.
Peter
Hi
So after reading this, I felt I should apply the fix to a CentOS6 VPS that I have. http://www.zdnet.com/article/linux-tcp-flaw-lets-anyone-hijack-internet-traf...
The article doesn't talk about CentOS or Redhat, but I assume the problem is the same, and I'm hoping the solution is the same. However, that doesn't seem to be the case.
[root@vps ~]# uname -r
2.6.32-042stab108.7
Not needed. This affects 3.6+ kernels. You don't have one of those.
On 12/08/16 17:56, Barry Brimer wrote:
[root@vps ~]# uname -r
2.6.32-042stab108.7
Not needed. This affects 3.6+ kernels. You don't have one of those.
It affects RHEL6, which runs 2.6.32; they backported the features that it affects. If the above OpenVZ kernel was based on a RHEL6 kernel (and I'd guess it was) then it's affected.
Peter
On Fri, 12 Aug 2016, Peter wrote:
On 12/08/16 17:56, Barry Brimer wrote:
[root@vps ~]# uname -r
2.6.32-042stab108.7
Not needed. This affects 3.6+ kernels. You don't have one of those.
It affects RHEL6, which runs 2.6.32; they backported the features that it affects. If the above OpenVZ kernel was based on a RHEL6 kernel (and I'd guess it was) then it's affected.
If this feature was backported, then it surely may be the case, although I've not seen any reference indicating that. If you wouldn't mind including a link that indicates this, that would be appreciated.
Thanks, Barry
On 08/11/2016 11:07 PM, Barry Brimer wrote:
On Fri, 12 Aug 2016, Peter wrote:
On 12/08/16 17:56, Barry Brimer wrote:
[root@vps ~]# uname -r
2.6.32-042stab108.7
Not needed. This affects 3.6+ kernels. You don't have one of those.
It affects RHEL6, which runs 2.6.32; they backported the features that it affects. If the above OpenVZ kernel was based on a RHEL6 kernel (and I'd guess it was) then it's affected.
If this feature was backported, then it surely may be the case, although I've not seen any reference indicating that.
https://access.redhat.com/security/cve/cve-2016-5696 says CentOS 6 is affected.
On Thu, 11 Aug 2016, Alice Wonder wrote:
On 08/11/2016 11:07 PM, Barry Brimer wrote:
On Fri, 12 Aug 2016, Peter wrote:
On 12/08/16 17:56, Barry Brimer wrote:
[root@vps ~]# uname -r
2.6.32-042stab108.7
Not needed. This affects 3.6+ kernels. You don't have one of those.
It affects RHEL6, which runs 2.6.32; they backported the features that it affects. If the above OpenVZ kernel was based on a RHEL6 kernel (and I'd guess it was) then it's affected.
If this feature was backported, then it surely may be the case, although I've not seen any reference indicating that.
https://access.redhat.com/security/cve/cve-2016-5696 says CentOS 6 is affected.
I stand corrected. Thanks!
Barry