Teppen
08-17-2007, 08:34 AM
Here are a few ways to harden your Linux machines. A default Linux install does NOT disable or enable the settings below. Why? I'm not sure. I've tested 12 Linux distros and had to reconfigure these on every one of those systems. By the way, for those using FreeBSD, these apply to you as well, only with different commands, which are listed below the Linux commands. The only Unix OS that does configure all of them on a default install is OpenBSD; everyone else needs to configure them manually.
______FOR LINUX USERS________
1.)
Disable ICMP broadcast echo activity
Your system could be used as part of a Smurf attack.
----
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
2.)
Disable ICMP routing redirects
Stops attackers from messing with routing tables
----
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
# (there is no net.ipv6.conf.all.send_redirects key on Linux; only the IPv4 one exists)
3.)
Disable ICMP broadcast probes
An attacker might be able to reverse-engineer some details of your network infrastructure.
---
You will have to block these with a packet filter like iptables.
4.)
Disable IP source routing
Stops attackers trying to spoof the IP addresses of trusted internal hosts.
----
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv4.conf.all.mc_forwarding=0
5.)
Enforce sanity checking
----
sysctl -w net.ipv4.conf.all.rp_filter=1
6.)
Log & Drop "Martian" packets
Usually already dropped, but enable it just in case.
----
sysctl -w net.ipv4.conf.all.log_martians=1
7.)
Make the system more resistant to SYN Flood attacks
----
sysctl -w net.ipv4.tcp_max_syn_backlog=1280
sysctl -w net.ipv4.tcp_syncookies=1
8.)
Add a "version ..." line to /etc/named.conf, within the options { ... }; block
----
options {
    // other options appear here...
    version "VERSION NOT PROVIDED";
};
----
Otherwise a would-be attacker could figure out your BIND version with:
----
$ dig @yourserver version.bind chaos txt
________FOR FreeBSD USERS__________
1.)
Disable ICMP broadcast echo activity
-----
sysctl -w net.inet.icmp.bmcastecho=0
2.)
Disable ICMP routing redirects
----
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet6.ip6.redirect=0
3.)
Disable ICMP broadcast probes
An attacker might be able to reverse-engineer some details of your network infrastructure.
----
sysctl -w net.inet.icmp.maskrepl=0
4.)
Disable IP source routing
----
sysctl -w net.inet.ip.sourceroute=0
sysctl -w net.inet.ip.accept_sourceroute=0
5.)
Enforce sanity check... don't know one for FreeBSD.
6.)
Log & Drop "Martian" packets... don't know one for FreeBSD.
7.)
Make the system more resistant to SYN Flood attacks
----
sysctl -w kern.ipc.somaxconn=1024
-
-
Hope someone finds this useful.
-
-Teppen