sysctl tunable parameters
If you need Linux to ignore ICMP echo (ping) requests, edit the /etc/sysctl.conf file and add the following line (keep in mind that this also blinds legitimate ICMP-based monitoring of the host):
net.ipv4.icmp_echo_ignore_all = 1
If you want or need Linux to ignore echo requests sent to broadcast addresses (which stops the host being used as an amplifier in smurf-style attacks), edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_echo_ignore_broadcasts = 1
To stop the kernel from filling the log with warnings about bogus ICMP error responses (some routers violate RFC 1122 by sending such responses to broadcast frames), edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_ignore_bogus_error_responses = 1
To log packets with impossible ("martian") source addresses, which covers spoofed packets and those dropped by the reverse-path filter described below, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.log_martians = 1
Disable ICMP Redirect and Enable IP Spoofing Protection
ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server.
However, an intruder could potentially use ICMP redirect packets to alter the host's routing table, causing traffic to take a path you did not intend (a man-in-the-middle position).
To disable ICMP redirect acceptance for both IPv4 and IPv6, edit the /etc/sysctl.conf file and add the following lines:
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
The conf.all entries apply to interfaces that already exist; the matching net.ipv4.conf.default.accept_redirects and net.ipv6.conf.default.accept_redirects entries apply to interfaces created later, so hardened hosts normally set both.
Enable IP Spoofing Protection
IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks.
To enable IP spoofing protection, turn on source address verification (reverse-path filtering): the kernel drops a packet when a reply to its source address would not leave through the interface the packet arrived on.
Edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.rp_filter = 1
A value of 1 is strict mode. On hosts with asymmetric routing, where replies legitimately leave through a different interface, strict mode drops valid traffic, and the loose mode value 2 should be used instead.
Kernel Tunable Security Parameters
The following list shows tunable kernel parameters you can use to secure your Linux server against attacks.
For each tunable kernel parameter we show the entry that needs to be added to the /etc/sysctl.conf configuration file to make the change permanent across reboots.
To activate the configured kernel parameters immediately at runtime, use sysctl -p, which re-reads /etc/sysctl.conf and applies every setting in it.
Enable TCP SYN Cookie Protection
A "SYN attack" (SYN flood) is a denial of service attack in which the attacker sends a stream of TCP SYN packets, usually with spoofed source addresses, and never completes the handshakes. The half-open connections fill the listen backlog so that legitimate clients can no longer connect. Any server that is connected to a network is potentially subject to this attack.
SYN cookies let the kernel keep accepting connections when the backlog is full by encoding the connection state in the sequence number of its SYN-ACK instead of storing it. To enable TCP SYN cookie protection, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.tcp_syncookies = 1
Disable IP Source Routing
Source routing lets the sender specify the path a packet takes through the network from source to destination. Network administrators sometimes use it for diagnosing problems.
However, if an intruder is able to send a source routed packet into the network, he can steer the replies back through a path he controls and intercept them, and your server might not know that it is not communicating with a trusted host.
To stop the kernel from accepting source routed packets, edit the /etc/sysctl.conf file and add the following line (the IPv6 counterpart is net.ipv6.conf.all.accept_source_route):
net.ipv4.conf.all.accept_source_route = 0
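Adding the lines above and running sysctl -p is only half the job; on a live host you also want to confirm that every setting actually took effect, and to find out which ones are still missing. The following shell script is an added example and not code from the original page: it audits the live /proc/sys values against the baseline listed above (net.ipv4.icmp_echo_ignore_all is left out because ignoring pings is a site decision) and prints the /etc/sysctl.conf lines for anything still non-compliant. PROC_ROOT is an assumed environment override so the audit can be pointed at a test directory tree instead of the real /proc/sys.

```shell
#!/bin/sh
# Added example (not from the original page): audit a running host against the
# sysctl hardening baseline described above and print the /etc/sysctl.conf
# lines still needed. PROC_ROOT is an assumed override so the audit can be run
# against a constructed directory tree instead of the live /proc/sys.

PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# Baseline, one key=value per line, written exactly as in /etc/sysctl.conf.
# net.ipv4.icmp_echo_ignore_all is deliberately omitted: ignoring pings is a
# site decision, not a baseline requirement.
BASELINE='
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
'

# Map a dotted sysctl key to the file the kernel exposes it through.
key_to_path() {
    printf '%s/%s\n' "$PROC_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Print the live value of a key, or "missing" if the kernel does not have it
# (for example net.ipv6.* on a host with IPv6 disabled).
read_key() {
    p=$(key_to_path "$1")
    if [ -r "$p" ]; then
        tr -d '[:space:]' < "$p"
    else
        echo missing
    fi
}

# Compare every baseline key with its live value. Prints one OK/FAIL line per
# key and returns the number of non-compliant keys (0 means fully compliant).
audit_baseline() {
    bad=0
    for entry in $BASELINE; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(read_key "$key")
        if [ "$have" = "$want" ]; then
            echo "OK   $key = $have"
        else
            echo "FAIL $key expected=$want actual=$have"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Print sysctl.conf lines for the non-compliant keys only, ready to append to
# /etc/sysctl.conf (or drop into /etc/sysctl.d/) and activate with sysctl -p.
remediation_lines() {
    for entry in $BASELINE; do
        key=${entry%%=*}
        want=${entry#*=}
        [ "$(read_key "$key")" = "$want" ] || printf '%s = %s\n' "$key" "$want"
    done
}

# Typical use on a live host (root is needed only for the last two steps):
#   audit_baseline
#   remediation_lines >> /etc/sysctl.conf
#   sysctl -p
```

Reading /proc/sys directly rather than parsing sysctl output keeps the check independent of the sysctl binary's formatting, and a "missing" result (rather than a crash) for keys the kernel does not expose makes the script safe to run on hosts with IPv6 compiled out or disabled.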
Using NFS over TCP
If you need NFS, it is recommended to use NFS over TCP, since NFS over UDP is not very secure: UDP carries no connection state, so its source addresses are trivially spoofed, and it copes poorly with packet loss. All 2.4 and 2.6 kernels support NFS over TCP on the client side. Server support for TCP appears in later 2.4 kernels, and in all 2.6 kernels. Current Linux clients default to TCP, so the option mainly matters for older clients or for NFSv3 mounts that would otherwise negotiate UDP.
To mount a shared directory using NFS over TCP, use the proto=tcp mount option (the NFS server's hostname, left out of this example, goes immediately before the colon):
# mount -o proto=tcp :/pub /usr/local/pub
Make sure the target directory, in this example /usr/local/pub, exists on the client.
You can verify the NFS over TCP mount using the mount command, which shows the options in effect for each mounted filesystem, including proto=tcp for a TCP mount.
To verify whether your server supports NFS over TCP, use the wire-test command (/usr/sbin/wire-test is part of the am-utils package). If your server supports NFS over TCP, the output looks like this:
# wire-test localhost
NFS Version and protocol tests to host "localhost"...
testing vers=2, proto="udp" -> found version 2.
testing vers=3, proto="udp" -> found version 3.
testing vers=2, proto="tcp" -> found version 2.
testing vers=3, proto="tcp" -> found version 3.
#
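On a host with many NFS mounts it is easier to let a script read /proc/mounts than to eyeball mount output for proto=tcp. The following shell function is an added example and not code from the original page: it parses lines in /proc/mounts format (device, mount point, filesystem type, options, dump, pass) and reports every nfs or nfs4 mount whose proto option is not tcp or tcp6, including mounts that carry no proto option at all. MOUNTS_FILE is an assumed environment override so the check can be run against a constructed file.

```shell
#!/bin/sh
# Added example (not from the original page): report NFS mounts that are not
# using TCP by parsing /proc/mounts. MOUNTS_FILE is an assumed override so the
# check can be run against a constructed file instead of the live /proc/mounts.

MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# /proc/mounts fields: device mountpoint fstype options dump pass.
# For each nfs/nfs4 mount, extract the proto= option and print
# "<mountpoint> <proto>" when it is not tcp or tcp6 ("unknown" when the
# option is absent). Returns 1 if any non-TCP NFS mount was found, else 0.
nfs_mounts_not_tcp() {
    awk '
        $3 == "nfs" || $3 == "nfs4" {
            proto = "unknown"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^proto=/) proto = substr(opts[i], 7)
            if (proto != "tcp" && proto != "tcp6") { print $2, proto; bad++ }
        }
        END { exit (bad > 0 ? 1 : 0) }
    ' "$MOUNTS_FILE"
}

# Typical use on a live host:
#   nfs_mounts_not_tcp || echo "remount the listed shares with -o proto=tcp"
```

Mounts without a proto option are reported as "unknown" on purpose: an absent option means the transport was negotiated rather than pinned, so on an old client it may well be UDP and deserves a look.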
Securing NFS
NFS (Network File System) allows servers to share files over a network. But like all network services, using NFS involves risks.
If you don't have shared directories to export, ensure that the NFS service is NOT enabled and running:
# service nfs status
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped
Then check with chkconfig that it is not started in any runlevel:
# chkconfig --list nfs
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
#
You probably don't need the portmap service either; it is used by NFS (the portmap daemon registers RPC-based services such as NFS and NIS so that clients can locate them):
# service portmap status
portmap is stopped
Then check its status using chkconfig:
# chkconfig --list portmap
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
#
The service and chkconfig commands above are from SysV-init systems. On systemd-based distributions the equivalents are systemctl status nfs-server and systemctl is-enabled nfs-server, and the portmapper is provided by rpcbind rather than portmap.
NFS should not be enabled if not needed.
If you must use NFS, use TCP wrappers (/etc/hosts.allow and /etc/hosts.deny) to restrict which hosts may reach portmap and rpc.mountd.
Make sure you export only to those machines that really need access, and never to everyone (a bare * or an /etc/exports entry with no host part).
Use fully qualified domain names (or addresses with netmasks) in /etc/exports to diminish spoofing attempts.
Export only the directories you need to export.
Export read-only wherever possible, and keep root_squash (the default) so that remote root is mapped to an unprivileged user.
Use NFS over TCP.
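The checklist above is easy to state and easy to drift away from as export lines accumulate. The following shell function is an added example and not code from the original page: it walks an /etc/exports file and flags entries that export to every host, use client names that are not fully qualified, grant no_root_squash, accept requests from unprivileged ports (insecure), or are read-write. EXPORTS_FILE is an assumed environment override so the audit can be run against a constructed file; the exports entries in the usage notes are likewise constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag risky entries in /etc/exports
# against the checklist above. EXPORTS_FILE is an assumed override so the audit
# can be run against a constructed file instead of the live /etc/exports.

EXPORTS_FILE="${EXPORTS_FILE:-/etc/exports}"

# Each exports line is "<path> <client>(<options>) <client>(<options>) ...".
# Prints one "WARN <path> <client> <reason>" line per finding and returns the
# number of findings (0 means nothing was flagged). Checks: export to every
# host (no client, or a bare *), client names that are not fully qualified
# (no dot, not an address/netmask, not an @netgroup), no_root_squash,
# insecure (accepts requests from non-privileged ports), and rw exports.
audit_exports() {
    awk '
        function warn(path, client, reason) {
            print "WARN", path, (client == "" ? "(none)" : client), reason
            findings++
        }
        function has_opt(opts, name) { return index("," opts ",", "," name ",") > 0 }
        /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
        {
            path = $1
            if (NF == 1) warn(path, "", "exported to every host")
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {       # split host(options)
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "" || client == "*")
                    warn(path, client, "exported to every host")
                else if (substr(client, 1, 1) != "@" &&
                         !index(client, ".") && !index(client, ":") && !index(client, "/"))
                    warn(path, client, "client is not a fully qualified name")
                if (has_opt(opts, "no_root_squash"))
                    warn(path, client, "no_root_squash lets remote root act as local root")
                if (has_opt(opts, "insecure"))
                    warn(path, client, "insecure allows requests from unprivileged ports")
                if (has_opt(opts, "rw"))
                    warn(path, client, "read-write export, use ro where possible")
            }
        }
        END { exit findings + 0 }
    ' "$EXPORTS_FILE"
}

# Typical use on a live host:
#   audit_exports || echo "$? finding(s) in /etc/exports"
```

The "not fully qualified" check treats anything containing a dot, a colon or a slash as acceptable, so wildcard domains such as *.example.com, IPv6 addresses and network/netmask entries pass while a bare short hostname like buildbox is flagged; netgroups (@name) are left to the NIS configuration they refer to.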