Support::Linux Servers Support forum for Linux EQEMu users.

  #1  
Old 08-17-2007, 08:34 AM
Teppen
Banned
 
Join Date: Jan 2002
Posts: 80
Linux & Unix hardening

Here are a few ways to harden your Linux machines. A default Linux install does NOT disable or enable these below. Why? I'm not sure. I've tested 12 Linux distros and had to reconfigure these on every one of those systems. By the way, for those using FreeBSD, these apply to you as well, only with different commands, which will be typed below the Linux commands. The only Unix OS that does configure all of them at default install is OpenBSD; everyone else needs to configure manually.

______FOR LINUX USERS________

1.)

Disable ICMP broadcast echo activity
Your system could be used as part of a Smurf attack
----
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

2.)

Disable ICMP routing redirects
Stops attackers from messing with routing tables
----
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv6.conf.all.send_redirects=0

3.)

Disable ICMP broadcast probes
An attacker might be able to reverse engineer some details of your network infrastructure
---
You will have to block these with a packet filter like iptables.

4.)

Disable IP source routing
Stops attackers trying to spoof the IP addresses of trusted internal hosts
----
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv4.conf.all.mc_forwarding=0

5.)

Enforce sanity checking
----
sysctl -w net.ipv4.conf.all.rp_filter=1

6.)

Log & Drop "Martian" packets
Usually already dropped, but enable it just in case
----
sysctl -w net.ipv4.conf.all.log_martians=1

7.)

Make the system more resistant to SYN Flood attacks
----
sysctl -w net.ipv4.tcp_max_syn_backlog=1280
sysctl -w net.ipv4.tcp_syncookies=1

8.)

Add the line "version ..." to /etc/named.conf, within the "options { ... };" block
----
options {
        // other options appear here ...
        version "VERSION NOT PROVIDED";
};
----
Otherwise a would-be attacker could figure out your BIND version with:
----
$ dig @yourserver version.bind chaos txt


________FOR FreeBSD USERS__________

1.)

Disable ICMP broadcast echo activity
-----
sysctl -w net.inet.icmp.bmcastecho=0

2.)

Disable ICMP routing redirects
----
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet.ip6.redirect=0

3.)

Disable ICMP broadcast probes
An attacker might be able to reverse engineer some details of your network infrastructure
----
sysctl -w net.inet.icmp.masqrepl=0

4.)

Disable IP source routing
----
sysctl -w net.inet.ip.sourceroute=0
sysctl -w net.inet.ip.accept_sourceroute=0

5.)

Enforce sanity check... don't know one for FreeBSD.

6.)

Log & Drop "Martian" packets... don't know one for FreeBSD.

7.)

Make the system more resistant to SYN Flood attacks
----
sysctl -w kern.ipc.somaxconn=1024

Hope someone finds this useful.

-Teppen
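The sysctl -w commands in steps 1 to 7 take effect immediately but are lost at reboot, and the all.* keys do not cover interfaces brought up later (those inherit the default.* values). The script below is an added example, not part of Teppen's post: it audits the running kernel against those settings and writes them out as a sysctl.d fragment so they persist. The function names and the SYSCTL_ROOT override (used to point the audit at a test directory instead of /proc/sys) are the example's own. Two keys from the post are deliberately left out: net.ipv6.conf.all.send_redirects does not exist on Linux (IPv6 has no such knob), and net.ipv4.conf.all.mc_forwarding is read-only, so both commands fail. net.ipv4.ip_forward is used as the usual spelling of the post's net.ipv4.conf.all.forwarding. One caveat on step 6: log_martians only logs; it is rp_filter from step 5 that actually drops the packets.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Linux sysctl
# hardening from steps 1-7 against the running kernel and emit a persistent
# sysctl.d fragment. Function names and the SYSCTL_ROOT override are this
# example's own; SYSCTL_ROOT defaults to /proc/sys.

# Desired key=value pairs. The "default" keys are added so interfaces brought
# up later get the same settings. Left out on purpose:
#   net.ipv6.conf.all.send_redirects  (does not exist on Linux)
#   net.ipv4.conf.all.mc_forwarding   (read-only)
HARDENING="
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=1280
"

# Map a sysctl key to its file under /proc/sys (dots become slashes).
sysctl_path() {
    printf '%s/%s\n' "${SYSCTL_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# One line per key: "OK  key=value" or "BAD key=current (want value)".
# A key the kernel does not expose is reported as "missing".
audit_sysctls() {
    for kv in $HARDENING; do
        key=${kv%%=*}
        want=${kv#*=}
        path=$(sysctl_path "$key")
        if [ -r "$path" ]; then
            cur=$(cat "$path")
        else
            cur=missing
        fi
        if [ "$cur" = "$want" ]; then
            echo "OK  $key=$cur"
        else
            echo "BAD $key=$cur (want $want)"
        fi
    done
}

# Number of keys that do not match; 0 means the host is hardened as listed.
audit_bad_count() {
    audit_sysctls | grep -c '^BAD' || true
}

# Write the settings as a sysctl.d fragment ("key = value" per line) so they
# survive a reboot. Apply without rebooting: sysctl -p FILE
write_sysctl_conf() {
    {
        echo "# network hardening (generated)"
        for kv in $HARDENING; do
            echo "${kv%%=*} = ${kv#*=}"
        done
    } > "$1"
}

# Usage on a host:
#   sh harden-sysctl.sh audit
#   sh harden-sysctl.sh conf /etc/sysctl.d/90-hardening.conf \
#       && sysctl -p /etc/sysctl.d/90-hardening.conf
case "${1:-}" in
    audit) audit_sysctls ;;
    conf)  write_sysctl_conf "${2:?output file}" ;;
esac
```

Run the audit first; a "BAD ...=missing" line means the kernel or distribution does not expose that key, which is worth knowing before the fragment is applied with sysctl -p (a missing key makes sysctl print an error for that line and continue).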
  #2  
Old 12-17-2007, 07:36 PM
gernblan
Discordant
 
Join Date: Aug 2006
Posts: 394

Excellent post! Thank you!

Bummer he got banned though after posting something so useful, huh?
__________________
--
Keelyeh
Owner, ServerOp and Developer
Jest 4 Server
Linux (Jest3 runs on Fedora, our Dev servers usually run on Ubuntu and/or Gentoo), OC-12 Connection = Hella Fast
  #3  
Old 12-26-2007, 08:47 AM
John Adams
Demi-God
 
Join Date: Jul 2006
Posts: 1,552

Yah, kinda weird, huh?
  #4  
Old 12-26-2007, 10:42 AM
Angelox
AX Classic Developer
 
Join Date: May 2006
Location: filler
Posts: 2,049

Eight more "pointless" posts - You now total 1365! You see? I'm watching you try to "out post" everyone too

Quote:
Originally Posted by John Adams View Post
Yah, kinda weird, huh?
  #5  
Old 12-28-2007, 06:52 AM
Sensu-Bean
Sarnak
 
Join Date: Jul 2004
Posts: 36
Concerning Teppen

Q: Why was Teppen banned?

A: Someone acquired his forum password and started messaging senior members with foul messages. Result: Teppen got banned. However, the real Teppen didn't know what was going on until he was banned and tried to log in. Teppen asked under a friend's username for his password to be changed and his username unbanned, but was ignored.

A New Year's resolution I'd like to see is Teppen unbanned and given a new password, perhaps even a posted message saying "hey, sorry about the misunderstanding, welcome back!" But who knows; in the end it's all up to the person who banned him. Mattmeck tells me Angelox is a "really great guy", so I guess we'll just have to wait it out.

Teppen might have lost his username, but he is still on the forums. Ban one username, ban another, ban them all. If a person has friends then no amount of bans will stop a person who has been devoted to the community since 2002. Friendship is power. Although, Teppen misses his old username. And PEQ members miss Senzo's quest submissions. Might want to give Teppen a chance.

Sensu-Bean
  #6  
Old 12-29-2007, 03:29 AM
Sensu-Bean
Sarnak
 
Join Date: Jul 2004
Posts: 36
Section 9

I thought I would add a few sections to this tutorial. If anyone can further help out by adding to this tutorial please do.

9.)

UDP Flood Countermeasures (Linux)

-Some new distros already have these commented out by default.
-Edit your /etc/inetd.conf, placing a # in front of all the lines below.
-If the #'s already exist, then your distro already performed this.

#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
#time stream tcp nowait root internal
#time dgram udp wait root internal

At cmd line restart inetd after you make changes:

# killall -HUP inetd
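An added example, not from the post above: a small script that does the section 9 edit mechanically and reports which of the small services are still enabled, so the result can be checked instead of eyeballed. It goes a little beyond the post in that the service list is a parameter, so the same function also comments out other inetd services (telnet, ftp) by name. Function names and the sample inetd.conf are constructed for this example; after running it against the real /etc/inetd.conf, restart inetd with killall -HUP inetd as the post says.

```shell
#!/bin/sh
# Added example (not from the original post): comment out inetd services by
# name and list which of them are still active. Function names and the
# sample config are this example's own.

# The TCP/UDP "small services" named in section 9.
SMALL_SERVICES="echo discard daytime chargen time"

# Turn "a b c" into "a|b|c" for use in a sed/grep -E alternation.
alternation() {
    printf '%s' "$*" | tr ' ' '|'
}

# Print the given services (default: the small services) whose lines in
# FILE are still active, i.e. start with the service name, not with '#'.
active_inetd_services() {
    f=$1; shift
    [ $# -gt 0 ] || set -- $SMALL_SERVICES
    for svc in "$@"; do
        if grep -Eq "^[[:space:]]*$svc[[:space:]]" "$f"; then
            echo "$svc"
        fi
    done
}

# Comment out every active line for the given services (default: the small
# services). A backup is kept as FILE.bak; the rewrite goes through a temp
# file so it works with sed implementations that lack -i.
disable_inetd_services() {
    f=$1; shift
    [ $# -gt 0 ] || set -- $SMALL_SERVICES
    cp "$f" "$f.bak"
    sed -E "s/^[[:space:]]*($(alternation "$@"))[[:space:]]/#&/" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Constructed sample inetd.conf (example data, not a real host's file) for
# trying the functions without touching /etc/inetd.conf.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
discard stream  tcp     nowait  root    internal
discard dgram   udp     wait    root    internal
daytime stream  tcp     nowait  root    internal
daytime dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
time    stream  tcp     nowait  root    internal
time    dgram   udp     wait    root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
EOF
}

# Usage on a real host (then: killall -HUP inetd):
#   sh inetd-harden.sh check   /etc/inetd.conf
#   sh inetd-harden.sh disable /etc/inetd.conf             # small services
#   sh inetd-harden.sh disable /etc/inetd.conf ftp telnet
case "${1:-}" in
    check)   shift; active_inetd_services "$@" ;;
    disable) shift; disable_inetd_services "$@" ;;
esac
```

The match is anchored at the start of the line, so "time" does not accidentally hit the "daytime" lines (those are matched by their own name), and an already commented line is left alone because it starts with '#'.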
  #7  
Old 12-30-2007, 10:59 PM
sfisque
Hill Giant
 
Join Date: Oct 2006
Posts: 248

some general good security tasks for hardening:

1) turn off telnet and ftp in inetd.

2) set up keypair authentication for ssh access.

3) once you have keypairs set up, turn off password authentication in sshd.

4) configure sendmail to use the access database, and update it regularly to reduce the strain from spammers.

5) update hosts.allow and hosts.deny in /etc to restrict remote access (ssh uses these files also, just like inetd).

== sfisque
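An added example for sfisque's items 2 and 3 (not sfisque's own code): a check of sshd_config that reproduces sshd's own reading of the file. The first value given for a keyword wins, keywords are case-insensitive, and anything after a Match line applies only to the matched connections, so a "PasswordAuthentication no" that sits below an earlier "yes" or inside a Match block does not disable passwords globally. The check also covers keyboard-interactive authentication (ChallengeResponseAuthentication, called KbdInteractiveAuthentication in newer OpenSSH), which must be off as well or PAM can still prompt for the account password. Function names are the example's own; keyword and value separated by whitespace is assumed (the optional "Keyword=value" form is not parsed), and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not sfisque's code): check an sshd_config for the
# "keys only, no passwords" setup. Function names are this example's own.
# Assumes whitespace between keyword and value (the "Keyword=value" form
# that sshd also accepts is not handled here).

# Print the effective global value of a keyword, lower-cased, or nothing if
# it is not set. Mirrors sshd: first occurrence wins, keywords are
# case-insensitive, and the global section ends at the first Match block.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# Same, but print "default" when the keyword is absent. sshd then uses its
# built-in default, which is "yes" for all three keywords checked below.
sshd_setting() {
    v=$(sshd_value "$1" "$2")
    echo "${v:-default}"
}

# One OK/BAD line per check.
sshd_audit() {
    f=$1
    pw=$(sshd_setting "$f" PasswordAuthentication)
    pk=$(sshd_setting "$f" PubkeyAuthentication)
    kbd=$(sshd_setting "$f" KbdInteractiveAuthentication)
    cr=$(sshd_setting "$f" ChallengeResponseAuthentication)

    if [ "$pw" = no ]; then
        echo "OK  PasswordAuthentication no"
    else
        echo "BAD PasswordAuthentication $pw (want no)"
    fi
    if [ "$pk" = no ]; then
        echo "BAD PubkeyAuthentication no (want yes)"
    else
        echo "OK  PubkeyAuthentication $pk"
    fi
    # With UsePAM, keyboard-interactive can still ask for the account
    # password even when PasswordAuthentication is off, so one of these
    # (the old and the new name of the same option) must be "no".
    if [ "$kbd" = no ] || [ "$cr" = no ]; then
        echo "OK  keyboard-interactive authentication off"
    else
        echo "BAD KbdInteractiveAuthentication $kbd / ChallengeResponseAuthentication $cr (want no)"
    fi
}

# Number of failed checks; 0 means the file enforces key-only logins.
sshd_audit_bad_count() {
    sshd_audit "$1" | grep -c '^BAD' || true
}

# Usage: sh sshd-check.sh /etc/ssh/sshd_config
case "${1:-}" in
    ?*) sshd_audit "$1" ;;
esac
```

Run it before restarting sshd, and keep an existing session open while testing the change so a mistake in the key setup does not lock you out.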