How to disable TCP SACK for CentOS?
You should be able to do
echo "0" > /proc/sys/net/ipv4/tcp_sack
Make sure to do this as a superuser, regular system users do not have permission to alter this value.
This change is not permanent by the way; add the following to your /etc/sysctl.conf to apply it on boot, and you can use sysctl -p to directly apply the changes:
echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf
sysctl -p
user2924019
Updated on September 18, 2022
Comments
-
user2924019 over 1 year
A new security vulnerability has been announced called "TCP SACK PANIC". https://access.redhat.com/security/vulnerabilities/tcpsack
Three related flaws were found in the Linux kernel’s handling of TCP networking. The most severe vulnerability could allow a remote attacker to trigger a kernel panic in systems running the affected software and, as a result, impact the system’s availability.
A workaround suggested by theregister.co.uk is to disable TCP SACK.
https://www.theregister.co.uk/2019/06/17/linux_tcp_sack_kernel_crash/
Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0.
How do you do this on CentOS 7.6.1810?
I've tried using
sudo nano
and editing the file to 0, but I don't have permission. I tried changing the permissions to get write access and that also returned "changing permissions of 'tcp_sack': Operation not permitted".
-
user2924019 almost 5 years
I realise that this may be better suited to serverfault.com
-
Kamil Maciorowski almost 5 years
SELinux? Shared kernel virtualization?
-
user2924019 almost 5 years
I set
sudo su
first, and then tried both but still getting "sysctl: permission denied on key 'net.ipv4.tcp_sack'".
-
Nick almost 5 years
@user2924019 If you're root it will work. Permission denied is to be expected if you do sudo with a redirect.
-
user2924019 almost 5 years
I tried with root with and without sudo.
-
stolenmoment almost 5 years
The issue is that the >> happens in the user's shell, not the sudo shell. Do something like
sudo bash
then do the echo.
-
PeterJ almost 5 years
Is a reboot required?
-
Bart almost 5 years
A reboot is not required for both solutions provided, given that if you use the sysctl.conf option you run "sysctl -p" after modifying the file.
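Putting the answer and the comment thread together (the redirect running in the caller's unprivileged shell, persistence via sysctl.conf, no reboot needed) as an added example that is not from any poster on this page. The procfs and sysctl.conf paths are parameters so the helpers can be exercised against scratch files; TCP_SACK_APPLY=1 is an assumed opt-in switch for touching the live kernel.

```shell
#!/bin/sh
# Added example (not from the thread): disable TCP SACK as the SACK PANIC
# workaround, persist it in sysctl.conf and verify, without a reboot.
# Paths are parameters so the helpers can be tested on scratch files.
SYSCTL_KEY="net.ipv4.tcp_sack"
PROC_FILE="/proc/sys/net/ipv4/tcp_sack"

# Read the current value (1 = SACK enabled, 0 = disabled).
current_sack() {
    cat "${1:-$PROC_FILE}"
}

# Write a value. The redirect is done by THIS shell, so the script must run
# as root ("sudo sh disable_sack.sh"); "sudo echo 0 > file" fails because the
# redirect is performed by the caller's unprivileged shell.
set_sack() {
    printf '%s\n' "$1" > "${2:-$PROC_FILE}"
}

# Keep exactly one "net.ipv4.tcp_sack = <value>" line in sysctl.conf:
# rewrite an existing one or append, so repeated runs add no duplicates.
persist_sack() {
    conf="${2:-/etc/sysctl.conf}"
    if grep -q "^${SYSCTL_KEY}[[:space:]]*=" "$conf" 2>/dev/null; then
        sed -i "s|^${SYSCTL_KEY}[[:space:]]*=.*|${SYSCTL_KEY} = $1|" "$conf"
    else
        printf '%s = %s\n' "$SYSCTL_KEY" "$1" >> "$conf"
    fi
}

# Number of lines that set tcp_sack in a sysctl.conf (1 after persist_sack).
count_sack_lines() {
    grep -c "^${SYSCTL_KEY}[[:space:]]*=" "$1"
}

# Apply to the live kernel; opt-in via TCP_SACK_APPLY=1 (assumed switch).
main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root, e.g. sudo sh $0" >&2
        return 1
    fi
    set_sack 0
    persist_sack 0
    sysctl -p >/dev/null          # reload sysctl.conf; no reboot required
    echo "net.ipv4.tcp_sack is now $(current_sack)"
}

if [ "${TCP_SACK_APPLY:-0}" = "1" ]; then
    main
fi
```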