Directory Permissions

If you want to prevent other users from reading the contents of your files, you have two choices:

You can set the permission of each file to 0600, so only you have read/write access.

You can put the files in a directory and set the permission of that directory to 0700, which prevents other users from accessing the files in the directory (or in any of the directory’s subdirectories) unless there is a link to the file from somewhere else.

Note the following:

You must have execute access for a directory to make it your current directory (via cd or chdir) or to change to any directory beneath (contained in) that directory.

If you do not have execute access to a directory, you cannot access the files within that directory, even if you own them.

Mode   Directory   Effect
0755   /           Anybody can view the contents of the directory, but only the owner or superuser can make changes.
1777   /tmp        Any user can create a file in the directory, but a user cannot delete another user’s files (the leading 1 is the sticky bit).
0700   $HOME       A user can access the contents of his home directory, but nobody else can.

Checking File Permissions and Ownership for Security

A simple way to calculate umask values is to remember that the number 2 in the umask turns off write permission, while 7 turns off read, write, and execute permission.

The umask (UNIX shorthand for “user file-creation mode mask”) is a four-digit octal number that UNIX uses to determine the file permission for newly created files. Every process has its own umask, inherited from its parent process.

The umask specifies the permissions you do not want given by default to newly created files and directories. umask works by taking the mode requested by the creating program (0666 for ordinary files, 0777 for directories) and doing a bitwise AND with the bitwise complement of the umask. Bits that are set in the umask correspond to permissions that are not automatically assigned to newly created files.

The most common umask values are 022, 027, and 077. A umask value of 022 lets the owner both read and write all newly created files, but everybody else can only read them:

  0666   default file-creation mode
 (0022)  umask
  ----
  0644   resultant mode

A umask value of 077 lets only the file’s owner read all newly created files:

  0666   default file-creation mode
 (0077)  umask
  ----
  0600   resultant mode

A recent trend among computing centers has been to set up new accounts with a umask of 077, so a user’s files will, by default, be unreadable by anyone else on the system unless the user makes a conscious choice to make them readable.
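The umask arithmetic above (base mode AND NOT umask), worked through as an added shell example that is not part of these notes: it computes the resulting mode for any base/umask pair and then checks that the kernel assigns the same mode to a file and a directory actually created under that umask. It assumes a POSIX sh and GNU stat; arguments are octal with a leading 0, as written in the notes.

```shell
# Added example, not from the original notes: umask arithmetic checked against
# the mode the kernel really assigns. Assumes POSIX sh and GNU stat.

# resulting_mode BASE UMASK -> BASE with the umask bits cleared, as 4 octal digits.
# BASE is 0666 for files created by open(2)/creat and 0777 for mkdir(2).
resulting_mode() {
    printf '%04o\n' $(( $1 & ~$2 & 07777 ))
}

# created_file_mode UMASK -> mode the kernel gives a new file under UMASK.
# The umask is set in a subshell so the caller's own umask is left unchanged.
created_file_mode() {
    dir=$(mktemp -d)
    ( umask "$1" && : > "$dir/f" )
    printf '%04o\n' $(( 0$(stat -c '%a' "$dir/f") ))   # leading 0 forces octal
    rm -rf "$dir"
}

# created_dir_mode UMASK -> mode the kernel gives a new directory under UMASK.
created_dir_mode() {
    dir=$(mktemp -d)
    ( umask "$1" && mkdir "$dir/d" )
    printf '%04o\n' $(( 0$(stat -c '%a' "$dir/d") ))
    rm -rf "$dir"
}

# Lay out the calculation the way the notes do, for the three common umasks.
for um in 0022 0027 0077; do
    printf '  0666  default file-creation mode\n'
    printf '(%s)  umask\n' "$um"
    printf '  %s  resultant mode (kernel agrees: %s)\n\n' \
        "$(resulting_mode 0666 "$um")" "$(created_file_mode "$um")"
done
```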


sysctl tunable parameters

If you need Linux to ignore ping requests, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_echo_ignore_all = 1

If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_echo_ignore_broadcasts = 1

To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_ignore_bogus_error_responses = 1

To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.log_martians = 1

Disable ICMP Redirect and Enable IP Spoofing Protection

ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server.

However, an intruder could potentially use ICMP redirect packets to alter the host’s routing table, causing traffic to use a path you didn’t intend.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following lines:

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

Enable IP Spoofing Protection

IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks.

To enable IP Spoofing Protection, turn on Source Address Verification.

Edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.rp_filter = 1

Kernel Tunable Security Parameters

To activate the configured kernel parameters immediately at runtime, use:

# sysctl -p

The following list shows tunable kernel parameters you can use to secure your Linux server against attacks.

For each tunable kernel parameter we show the entry that needs to be added to the /etc/sysctl.conf configuration file to make the change permanent across reboots.

Enable TCP SYN Cookie Protection

A “SYN Attack” is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.tcp_syncookies = 1

Disable IP Source Routing

Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network administrators for diagnosing problems.

However, if an intruder were able to send a source routed packet into the network, then he could intercept the replies, and your server might not know that it’s not communicating with a trusted server.

To disable acceptance of source routed packets, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_source_route = 0
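An added shell example, not from these notes, that audits a sysctl.conf-style text against the hardening entries listed above and reports each key as OK, MISSING or WRONG; sysctl_path shows the /proc/sys file where the live value of a key can be read after sysctl -p. The SAMPLE_CONF contents are constructed for the demonstration.

```shell
# Added example, not part of the original notes: audit sysctl.conf text against
# the hardening entries listed above, and map a key to the /proc/sys entry that
# holds its live value. SAMPLE_CONF below is constructed for the demonstration.

# Key=value pairs from the notes (icmp_echo_ignore_all is omitted: dropping all
# pings is a site decision, not a baseline).
EXPECTED='net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0'

# Constructed sysctl.conf: one wrong value, one commented-out key, one absent key.
SAMPLE_CONF='net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_redirects = 1   # wrong: redirects still accepted
# net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0'

# sysctl_path KEY -> the /proc/sys file holding KEY's live value
sysctl_path() { printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"; }

# conf_value CONF KEY -> last value assigned to KEY in CONF text, or empty.
# Comments (# or ;) and whitespace around '=' are dropped, as sysctl(8) does.
conf_value() {
    printf '%s\n' "$1" | sed -e 's/[#;].*//' -e 's/[[:space:]]//g' |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# audit_conf CONF -> one line per expected key: OK, MISSING or WRONG
audit_conf() {
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        have=$(conf_value "$1" "$key")
        if [ -z "$have" ]; then printf 'MISSING %s (want %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then printf 'WRONG %s=%s (want %s)\n' "$key" "$have" "$want"
        else printf 'OK %s=%s\n' "$key" "$have"
        fi
    done
}

# deviation_count CONF -> how many expected keys are missing or wrong
deviation_count() { audit_conf "$1" | grep -cv '^OK' || true; }

audit_conf "$SAMPLE_CONF"
```

Settings under net.ipv4.conf.all apply to interfaces that already exist; the matching net.ipv4.conf.default keys set the value inherited by interfaces brought up later, so a production baseline usually sets both.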
