Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Softpanorama Search

Hardening TCP/IP stack in Linux

News	See Also	Recommended Links		TCP Flow Control
TCP handshake	Sequence numbers	IP troubleshooting	Humor	Etc

IPv6

On by default
There are daemons that are IPv6 aware: sshd, apache, bind, xinetd, etc
Ip6tables has to be specifically setup
Could have service unexpectedly open to attack

Detection

ifconfig | grep inet6
inet6 addr: fe80::21d:7eff:fe00:af5d/64 Scope:Link
inet6 addr: ::1/128 Scope:Host

Disabling

Create a file /etc/modprobe.d/ipv6
Add this line inside: install ipv6 /bin/true

Zeroconf

On by default
Used by avahi for local service discovery
Requires a hole in firewall to allow access
Advertises services to others

Detection

route | grep link-local

link-local

255.255.0.0 U 0

0 eth2

Disabling

Edit /etc/sysconfig/network

Add NOZEROCONF=yes

Then remove the avahi package and its dependencies

Review Listening Daemons

Default install is tuned for general use
Probably a few things that are unnecessary
Detection

netstat -tanp | grep LISTEN

Typical output:
[root ]# netstat -tanp | grep LISTEN
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 2256/nasd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2166/mysqld
tcp 0 0 127.0.0.1:4690 0.0.0.0:* LISTEN 2376/prelude-manage
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2057/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2244/master
tcp 0 0 :::22 :::* LISTEN 2068/sshd

Disabling Listening Daemons

Locate the pid in the netstat command

cat /proc/<pid>/cmdline

If not full path, run which or locate to find utility

rpm -qf full-path-of-daemon

rpm -e package

If difficult to remove due to dependencies:

chkconfig <service> off

/etc/sysctl.conf settings

# Don't reply to broadcasts. Prevents joining a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Don't allow source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Don't allow outsiders to alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't pass traffic between networks or act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Iptables

Default should be pretty good
To see rules: service iptables status
Use a GUI tool if not familiar with iptables rule syntax
Use nmap from another machine to check effectiveness

tcp_wrappers

Even if iptables is in use, configure this just in case
Set /etc/hosts.deny to ALL: ALL
Many daemons compiled with support
Find by using: egrep libwrap /usr/bin/* /usr/sbin/* | sort
For each program found, use its base name to set
expected access rights (if there are any)

Example:
smbd: 192.168.1.

Unused Daemon Removal

Remove all daemons (and packages) not being used

This reduces attack footprint and improves performance

Many daemons listen on the network and could be accessible

Viewing

chkconfig –list

Disabling

rpm -qf /etc/rc.d/init.d/name

rpm -e package-name

OR chkconfig <service> off

Notes

Leave cpuspeed for speedshifting cpu and irqbalance for multicore

CPU

Disable readahead, mcstransd, firstboot, (and NetworkManager for

machines without wireless networking) since they are not needed.

System Time

Keep system time in sync
You may need to correlate the time of disparate events
across several machines to determine a chain of events
Near impossible without common time base
Use ntp in cron job
Create a file /etc/cron.daily/ntpdate containing the
following crontab:
#!/bin/sh
/usr/sbin/ntpdate ntp-server
where ntp-server is the hostname or IP address of the site NTP server

At & cron

Only allow root and people with verified need to run cron jobs

Setup cron.allow and cron.deny

Setup equivalents if you have 'at' installed

Sshd

Enable only ssh2 protocol (this is default in RHEL5)
If multi-homed, consider if it needs to listen on all addresses or just one
Do not allow root logins
Consider adding group permission for logins, AllowGroups wheel

MySQL

If database is used internally to machine, make it listen on localhost

Change passwords

Page 29

Configure Remaining Daemons

Bind

Use chroot package
Use ACLs
Consider who the DNS server is used for (internal/external) and
only serve DNS for those. Do not do both in one server instance.
Do not allow zone transfers
Do not do recursion

Apache

Remove all unneeded modules
Use mod_security to weed out injection attacks
Set correct SE Linux Booleans to maintain functionality and protection
Hide Apache Information

You should hide apache banner information from being displayed so the attackers are not aware of what version of Apache version you are running and thus making it more difficult for them to exploit any system holes and thus making vulnerability scanners work harder and in some cases impossible without knowing banner information.

How To:

Modify /etc/httpd/conf/httpd.conf

Change the ServerSignature line to: ServerSignature Off

Change the ServerTokens line to: ServerTokens Prod

Restart Apache: /sbin/service httpd restart

Init

Disable interactive boot by editing /etc/sysconfig/init
Make PROMPT=no to disable
Also add password to single user mode. Edit /etc/inittab
Add the following:S:wait:/sbin/sulogin

TCP stack protection

Enable TCP SYN Cookie Protection

A "SYN Attack" is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.

Disable IP Source Routing

Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network people for diagnosing problems. However, if an intruder was able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it's not communicating with a trusted server.

To enable Source Route Verification, edit the /etc/sysctl.conf file and add the following line:

  net.ipv4.conf.all.accept_source_route = 0

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:

  net.ipv4.tcp_syncookies = 1

Disable ICMP Redirect Acceptance

ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the hosts's routing table by causing traffic to use a path you didn't intend.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:

  net.ipv4.conf.all.accept_redirects = 0

Enable IP Spoofing Protection

IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks. For more information on IP Spoofing, I recommend the article IP Spoofing: Understanding the basics.

To enable IP Spoofing Protection, turn on Source Address Verification. Edit the /etc/sysctl.conf file and add the following line:

  net.ipv4.conf.all.rp_filter = 1

Enable Ignoring to ICMP Requests

If you want or need Linux to ignore ping requests, edit the /etc/sysctl.conf file and add the following line:

  net.ipv4.icmp_echo_ignore_all = 1

This cannot be done in many environments.

Enable Ignoring Broadcasts Request

If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:

  net.ipv4.icmp_echo_ignore_broadcasts = 1

Enable Bad Error Message Protection

To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:

  net.ipv4.icmp_ignore_bogus_error_responses = 1

Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:

  net.ipv4.conf.all.log_martians = 1

References for Kernel Tunable Parameters

Network Security with /proc/sys/net/ipv4
IP Spoofing: Understanding the basics

Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with.
We do not warrant the correctness of the information provided or its fitness for any purpose
In no way this site is associated with or endorse cybersquatters using the term "softpanorama" with other main or country domains (e.g. softpanorama.com) with bad faith intent to profit from the goodwill belonging to someone else.

Last updated: August 14, 2009