Archive for October, 2009

Checking File Permissions and Ownership for Security

A simple way to work out umask values is to remember that a 2 in a umask digit turns off write permission for that class of user, while a 7 turns off read, write, and execute permission.

The umask (UNIX shorthand for “user file-creation mode mask”) is a four-digit octal number that UNIX uses to determine the file permission for newly created files. Every process has its own umask, inherited from its parent process.

The umask specifies the permissions you do not want given by default to newly created files and directories. The kernel applies it by ANDing the mode requested at creation time with the bitwise complement of the umask, so every bit that is set in the umask is a permission that a newly created file will not receive.

The most common umask values are 022, 027, and 077. A umask value of 022 lets the owner both read and write all newly created files, but everybody else can only read them:

    0666    default file-creation mode
 & ~0022    umask (bits to remove)
   ----
    0644    resultant mode

A umask value of 077 lets only the file’s owner read all newly created files.

A recent trend among computing centers has been to set up new accounts with a umask of 077, so a user’s files will, by default, be unreadable by anyone else on the system unless the user makes a conscious choice to make them readable.
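The following POSIX shell functions are an added example, not code from the original post: they do the calculation described above the way the kernel does it (AND with the complement of the umask) for the file default 0666 and the directory default 0777, render a mode in ls-style rwx form, and check that a umask at least removes write permission for group and others. All function names are this example's own; the only real command it relies on is the shell's umask builtin.

```shell
#!/bin/sh
# Added example, not from the original post: umask arithmetic in POSIX sh.
# Every mode and mask argument is octal ("022", "0022" and "22" are the same).

# Resultant mode = requested mode AND NOT umask, exactly as the kernel does it.
umask_apply() (
    mode=$(( 0${1#0} ))
    mask=$(( 0${2#0} ))
    printf '%04o\n' $(( mode & ~mask ))
)

# rwx text for one 3-bit permission triad (0..7).
triad() {
    case $1 in
        0) t='---' ;; 1) t='--x' ;; 2) t='-w-' ;; 3) t='-wx' ;;
        4) t='r--' ;; 5) t='r-x' ;; 6) t='rw-' ;; 7) t='rwx' ;;
    esac
    printf '%s' "$t"
}

# ls-style rendering of an octal mode, e.g. 0644 -> rw-r--r--.
mode_symbolic() (
    m=$(( 0${1#0} ))
    printf '%s%s%s\n' "$(triad $(( (m >> 6) & 7 )))" \
                      "$(triad $(( (m >> 3) & 7 )))" \
                      "$(triad $(( m & 7 )))"
)

# True if the umask removes write permission for group and others (the 022
# bits), which a multi-user host should insist on; 027 and 077 also pass.
umask_denies_group_other_write() (
    mask=$(( 0${1#0} ))
    [ $(( mask & 022 )) -eq $(( 022 )) ]
)

# Demo: the post's table for files (default 0666) and directories (default 0777),
# plus the permissive 002 for contrast.
for mask in 022 027 077 002; do
    f=$(umask_apply 0666 "$mask"); d=$(umask_apply 0777 "$mask")
    if umask_denies_group_other_write "$mask"; then verdict=ok; else verdict='group/other can write'; fi
    printf 'umask %s: file %s %s  dir %s %s  %s\n' \
        "$mask" "$f" "$(mode_symbolic "$f")" "$d" "$(mode_symbolic "$d")" "$verdict"
done
# The same calculation for the umask this shell actually runs with.
printf 'this shell (umask %s) creates files as %s\n' "$(umask)" "$(umask_apply 0666 "$(umask)")"
```

Running it prints one line per umask (022 gives 0644 rw-r--r-- for files and 0755 rwxr-xr-x for directories; 077 gives 0600 and 0700) and then the result for the calling shell's own umask.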

SBDavid

sysctl tunable parameters

If you need Linux to ignore ICMP echo (ping) requests, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_echo_ignore_all = 1

If you want or need Linux to ignore ICMP echo requests addressed to a broadcast address, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_echo_ignore_broadcasts = 1

To have the kernel ignore bogus ICMP error responses (some routers send them in reply to broadcast frames) instead of logging a warning for each one, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_ignore_bogus_error_responses = 1

To turn on logging for spoofed, source-routed and redirect packets (the kernel’s “martian” log), edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.log_martians = 1

Disable ICMP Redirect and Enable IP Spoofing Protection

ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server.

However, an intruder could use forged ICMP redirect packets to alter the host’s routing table and divert traffic along a path you did not intend.

To disable acceptance of ICMP redirects for both IPv4 and IPv6, edit the /etc/sysctl.conf file and add the following lines:

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

Enable IP Spoofing Protection

IP spoofing is a technique in which an intruder sends out packets that claim to come from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks.

To enable IP spoofing protection, turn on source address verification (reverse path filtering): edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.rp_filter = 1

SBDavid

Kernel Tunable Security Parameters

To activate the configured kernel parameters immediately at runtime, use:

# sysctl -p

The following list shows tunable kernel parameters you can use to secure your Linux server against attacks.

For each tunable kernel parameter we show the entry that needs to be added to the /etc/sysctl.conf configuration file to make the change permanent across reboots.

Enable TCP SYN Cookie Protection

A “SYN attack” (SYN flood) is a denial of service attack in which a stream of TCP SYN packets that never complete the handshake consumes all the resources on a machine; any server connected to a network is potentially subject to it. SYN cookies let the kernel keep accepting connections without holding state for every half-open one.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.tcp_syncookies = 1

Disable IP Source Routing

Source routing lets the sender specify the path a packet takes through the network from source to destination. Network engineers use this feature for diagnosing problems.

However, if an intruder could get a source-routed packet into the network, they could intercept the replies, and your server might not realise that it is no longer communicating with a trusted host.

To stop the kernel accepting source-routed packets, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_source_route = 0
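The script below is an added example, not code from this post or from the earlier “sysctl tunable parameters” post; it serves both, auditing a set of key = value lines against every setting the two posts recommend. Feed it sysctl -a to check the running kernel or /etc/sysctl.conf to check what will persist after a reboot; the sample input inside it is constructed, not captured from a real host, and the function and variable names are this example's own. One caveat for net.ipv4.conf.all.rp_filter = 1: that is strict reverse-path filtering, and a host with asymmetric routing drops legitimate traffic under it and is usually run in loose mode (2) instead, which this audit will report as a mismatch.

```shell
#!/bin/sh
# Added example, not from the original posts: audit sysctl settings against the
# values the two sysctl posts recommend. Input on stdin is "key = value" lines,
# either from `sysctl -a` (running kernel) or from /etc/sysctl.conf (what will
# persist after a reboot); comment and blank lines are skipped.

# The recommended settings, one key=value per line.
HARDENING='
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
'
# The first post presents icmp_echo_ignore_all as optional ("if you need ...");
# drop that line from HARDENING on hosts that must answer pings.

# Prints one MISMATCH or MISSING line per deviation. Exit status is the number
# of deviations, so 0 means every recommended key is present with its value.
sysctl_audit() {
    awk -v expected="$HARDENING" '
        BEGIN {
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (lines[i] == "") continue
                eq = index(lines[i], "=")
                want[substr(lines[i], 1, eq - 1)] = substr(lines[i], eq + 1)
            }
        }
        /^[ \t]*[#;]/ { next }               # comment line (sysctl.conf allows # and ;)
        /^[ \t]*$/    { next }               # blank line
        {
            eq = index($0, "=")
            if (eq == 0) next                # not a key = value line
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (!(key in want)) next         # not one of the audited keys
            seen[key] = 1
            if (val != want[key]) {
                printf "MISMATCH %s: current=%s expected=%s\n", key, val, want[key]
                bad++
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) {
                    printf "MISSING  %s: expected=%s\n", k, want[k]
                    bad++
                }
            exit bad
        }'
}

# Constructed sample in `sysctl -a` layout (not captured from a real host):
# two keys have the wrong value and the IPv6 key is absent, as on a host with
# IPv6 disabled; the unrelated ip_forward line is ignored.
SAMPLE_SYSCTL='net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 0'

if printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_audit; then
    echo "sample: all recommended settings in place"
else
    echo "sample: $? deviation(s)"
fi
# Against a real host:
#   sysctl -a 2>/dev/null | sysctl_audit      # values in effect now
#   sysctl_audit < /etc/sysctl.conf           # values applied at boot (and by sysctl -p)
```

On the constructed sample the audit reports two MISMATCH lines and one MISSING line and exits with status 3. Running it against both sysctl -a and /etc/sysctl.conf catches the common gap where a value was set with sysctl -w but never written to the file, or written to the file but not yet loaded with sysctl -p.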

SBDavid

Using NFS over TCP

To mount a shared directory using NFS over TCP, use the “proto=tcp” mount option (replace <server> with the NFS server’s hostname):

# mount -o proto=tcp <server>:/pub /usr/local/pub

Make sure the target directory, in this example /usr/local/pub, exists on the client.

You can verify the NFS over TCP mount using the mount command.

If you need NFS, it is recommended to use NFS over TCP since NFS over UDP is not very secure. All 2.4 and 2.6 kernels support NFS over TCP on the client side. Server support for TCP appears in later 2.4 kernels, and in all 2.6 kernels.

To verify whether your server supports NFS over TCP, use the wire-test command (/usr/sbin/wire-test is part of the am-utils package). If your server supports NFS over TCP, the output looks like this:

# wire-test localhost
NFS Version and protocol tests to host "localhost"...
testing vers=2, proto="udp" -> found version 2.
testing vers=3, proto="udp" -> found version 3.
testing vers=2, proto="tcp" -> found version 2.
testing vers=3, proto="tcp" -> found version 3.
#
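The two checks below are an added example, not code from the original post. The first reads /proc/mounts (the same information the mount command prints) and lists NFS mounts that are not using proto=tcp, including mounts with no proto option at all; the second reads rpcinfo -p output, assumed to be in its usual program/vers/proto/port/service layout, and lists the transports the server registers for nfs, which is what wire-test probes one version at a time. The hostname nfsserver.example.net, the 192.0.2.10 address, both sample inputs and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: two checks that NFS really is
# running over TCP. Both read stdin so they work on the constructed samples
# below as well as on live command output.

# Check 1: NFS mounts that are not using proto=tcp.
# Input: /proc/mounts lines ("source mountpoint fstype options dump pass"),
# the same information the mount command prints. One line per offending mount;
# exit status is the number of offending mounts. A mount with no proto= option
# is reported as "unset" rather than silently assumed to be fine.
nfs_mounts_not_tcp() {
    awk '
        $3 == "nfs" || $3 == "nfs4" {
            proto = "unset"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (substr(opt[i], 1, 6) == "proto=") proto = substr(opt[i], 7)
            if (proto != "tcp") {
                printf "%s mounted from %s uses proto=%s\n", $2, $1, proto
                bad++
            }
        }
        END { exit bad }'
}

# Check 2: transports the server registers for the nfs RPC program, which is
# what wire-test probes one version at a time.
# Input: `rpcinfo -p <server>` output ("program vers proto port service").
# Prints each distinct transport once; exit status 0 if tcp is among them.
nfs_server_transports() {
    awk '
        $5 == "nfs" && !($3 in seen) { seen[$3] = 1; print $3; if ($3 == "tcp") tcp = 1 }
        END { exit !tcp }'
}

# Constructed samples (hostname and address are documentation values, not real).
SAMPLE_MOUNTS='nfsserver.example.net:/pub /usr/local/pub nfs rw,vers=3,proto=tcp,addr=192.0.2.10 0 0
nfsserver.example.net:/home /home nfs rw,vers=3,proto=udp,addr=192.0.2.10 0 0
nfsserver.example.net:/opt /opt nfs rw,vers=3,addr=192.0.2.10 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs'

echo "NFS mounts that should be remounted with -o proto=tcp:"
printf '%s\n' "$SAMPLE_MOUNTS" | nfs_mounts_not_tcp || echo "($? mount(s))"
echo "transports the server offers for nfs:"
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_server_transports || echo "(server does not offer nfs over tcp)"
# Against a live client and server:
#   nfs_mounts_not_tcp < /proc/mounts
#   rpcinfo -p nfsserver.example.net | nfs_server_transports
```

On the samples the first check reports /home (proto=udp) and /opt (no proto option) and exits with status 2, while the second prints udp and tcp and exits 0, matching what the wire-test output above shows for a server that supports both transports.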
