How to disable TCP SACK for CentOS?

You should be able to do

echo "0" > /proc/sys/net/ipv4/tcp_sack

Make sure to do this as a superuser, regular system users do not have permission to alter this value.


This change is not permanent, by the way; add the following to your /etc/sysctl.conf to apply it on boot, and you can use sysctl -p to apply the changes directly:

echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf
sysctl -p
Author: user2924019

Updated on September 18, 2022

Comments

  • user2924019
    user2924019 over 1 year

    A new security vulnerability has been announced called "TCP SACK PANIC". https://access.redhat.com/security/vulnerabilities/tcpsack

    Three related flaws were found in the Linux kernel’s handling of TCP networking. The most severe vulnerability could allow a remote attacker to trigger a kernel panic in systems running the affected software and, as a result, impact the system’s availability.

    A work around suggested by theregister.co.uk is to disable TCP SACK.

    https://www.theregister.co.uk/2019/06/17/linux_tcp_sack_kernel_crash/

    Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0.

    How do you do this on CentOS 7.6.1810?

    I've tried using sudo nano and editing the file to 0, but I don't have permission, I tried changing the permissions to get write access and that also returned changing permissions of 'tcp_sack': Operation not permitted.

    • user2924019
      user2924019 almost 5 years
      I realise that this may be better suited to serverfault.com
    • Kamil Maciorowski
      Kamil Maciorowski almost 5 years
      SELinux? Shared kernel virtualization?
  • user2924019
    user2924019 almost 5 years
    I set sudo su first, and then tried both but still getting sysctl: permission denied on key 'net.ipv4.tcp_sack'
  • Nick
    Nick almost 5 years
    @user2924019 If you're root it will work. Permission denied is to be expected if you do sudo with a redirect.
  • user2924019
    user2924019 almost 5 years
    I tried with root with and without sudo.
  • stolenmoment
    stolenmoment almost 5 years
    The issue is that the >> happens in the user's shell, not the sudo shell. Do something like sudo bash then do the echo.
  • PeterJ
    PeterJ almost 5 years
    Is a reboot required?
  • Bart
    Bart almost 5 years
    A reboot is not required for either of the solutions provided, given that if you use the sysctl.conf option you run "sysctl -p" after modifying the file.
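Putting the answer above together with the sudo-redirect point raised in the comments, here is an added example (not code from the original answer or from any of the commenters) that disables TCP SACK at runtime, persists the setting, and verifies both. The function names, the two override parameters, and the "apply" argument are my own choices; the default paths are the real ones from the page. The comment on tcp_sack_disable_runtime explains why "sudo echo 0 > /proc/sys/net/ipv4/tcp_sack" fails from a non-root shell: the shell that opens the file for ">" is the unprivileged one, and only echo runs under sudo. One caveat the page does not spell out: turning SACK off is a stop-gap that costs TCP throughput on lossy links, so re-enable it once the patched kernel is installed.

```shell
#!/bin/bash
# Added example: disable TCP SACK on CentOS now and across reboots.
# Not from the original answer; the functions take optional path overrides
# (assumed here) so the logic can be exercised against scratch files.

PROC_FILE="${PROC_FILE:-/proc/sys/net/ipv4/tcp_sack}"
CONF_FILE="${CONF_FILE:-/etc/sysctl.conf}"

# Print the live value (0 or 1) from the proc file.
tcp_sack_current() {
    cat "${1:-$PROC_FILE}"
}

# Write 0 into the proc file and confirm it took. The redirect happens inside
# this function, so when the whole script runs as root (sudo bash script.sh apply)
# it has the privilege it needs. "sudo echo 0 > /proc/..." from a normal shell
# fails because the unprivileged shell, not echo, opens the file for writing.
tcp_sack_disable_runtime() {
    local f="${1:-$PROC_FILE}"
    echo 0 > "$f"
    [ "$(cat "$f")" = "0" ]
}

# Persist net.ipv4.tcp_sack = 0 idempotently: rewrite an existing line if there
# is one, otherwise append (adding a newline first if the file lacks one).
# Prints how many "net.ipv4.tcp_sack = 0" lines the file ends up with (1).
tcp_sack_persist() {
    local conf="${1:-$CONF_FILE}"
    if grep -q '^[[:space:]]*net\.ipv4\.tcp_sack[[:space:]]*=' "$conf" 2>/dev/null; then
        sed -i 's/^[[:space:]]*net\.ipv4\.tcp_sack[[:space:]]*=.*/net.ipv4.tcp_sack = 0/' "$conf"
    else
        if [ -s "$conf" ] && [ -n "$(tail -c1 "$conf")" ]; then
            echo >> "$conf"
        fi
        printf 'net.ipv4.tcp_sack = 0\n' >> "$conf"
    fi
    grep -c '^net\.ipv4\.tcp_sack = 0$' "$conf"
}

# Succeed only if both the live kernel value and the persisted value are 0.
tcp_sack_check() {
    local f="${1:-$PROC_FILE}" conf="${2:-$CONF_FILE}"
    local live persisted
    live="$(cat "$f")"
    persisted="$(grep -E '^[[:space:]]*net\.ipv4\.tcp_sack' "$conf" 2>/dev/null \
                 | tail -n1 | cut -d= -f2 | tr -d '[:space:]')"
    [ "$live" = "0" ] && [ "$persisted" = "0" ]
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root, e.g. sudo bash $0 apply" >&2
        return 1
    fi
    echo "before: tcp_sack=$(tcp_sack_current)"
    tcp_sack_disable_runtime
    tcp_sack_persist >/dev/null
    sysctl -p "$CONF_FILE"          # reload the file so no reboot is needed
    tcp_sack_check && echo "after: tcp_sack=$(tcp_sack_current) (persisted)"
}

# Only act when invoked with "apply"; otherwise just define the functions.
case "${1:-}" in
    apply) main ;;
    *) : ;;
esac
```

Run it as "sudo bash disable_sack.sh apply". Equivalent one-liners that avoid the redirect problem are "sudo sysctl -w net.ipv4.tcp_sack=0" or "sudo sh -c 'echo 0 > /proc/sys/net/ipv4/tcp_sack'"; the script only adds the idempotent persistence and the live-versus-persisted check.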