LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue77/lechnyr.html

210 lines
12 KiB
HTML
Raw Permalink Blame History

<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Network Security with /proc/sys/net/ipv4 LG #76</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<CENTER>
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
WIDTH="600" HEIGHT="124" border="0"></A>
<BR>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="krishnakumar.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue77/lechnyr.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="pitcher.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>
<!--endcut ============================================================-->
<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H1><font color="maroon">Network Security with /proc/sys/net/ipv4</font></H1>
<H4>By <a href="mailto:david@lechnyr.com">David Lechnyr</a></H4>
</center>
<P> <HR> <P>
<!-- END header -->
<i>In additional to firewall rulesets, the /proc filesystem offers some significant
enhancements to your network security settings. Unfortunately, most of us are
unaware of anything beyond the vague rumors and advice we've heard about this
beast. In this article, we'll review some of the basic essentials of the /proc/sys/net/ipv4
filesystem necessary to add to the overall network security of your Linux server.
</i>
<p>Perhaps one of the more frequently neglected areas of firewall configuration
involves the /proc filesystem. The pseudo file structure within proc allows
you to interface with the internal data structures in the kernel, either obtaining
information about the system or changing specific settings. Some of the parts
of /proc are read-only, while others can be modified. It is often referred to
as a <i>virtual</i> filesystem in that it doesn't take up any actual hard drive
space; files are created only on demand when you access them. In this article,
we will be focusing specifically on /proc/sys/net/ipv4.</p>
<p> In order to benefit from the use of the /proc filesystem, you'll need to enable
two settings when building your kernel. CONFIG_PROC_FS is the setting that allows
you to access and view the /proc filesystem, and CONFIG_SYSCTL is the bit that
actually allows you to modify /proc entries without requiring a reboot of the
system or a recompile of the kernel. Settings are only available at boot time
after the /proc file system has been mounted. </p>
<h3>ICMP Specific Settings</h3>
<p>Ping scanning is typically used to determine which hosts on a network are up.
Typically this is done by sending ICMP ECHO request packets to the target host.
This is seemingly innocent behavior, however often network administrators will
block such traffic to increase their obscurity. The choices involve blocking
ICMP ECHO requests to broadcast/multicast addresses and directly to the host
itself. The respective commands to disable protection are:</p>
<blockquote>
<p><code>echo &quot;0&quot; &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts<br>
echo &quot;0&quot; &gt; /proc/sys/net/ipv4/icmp_echo_ignore_all</code></p>
</blockquote>
<p>ICMP redirect messages can also be a pain. If your box is not acting as a router,
you'll probably want to disable them:</p>
<blockquote>
<p><code>echo &quot;0&quot; &gt; /proc/sys/net/ipv4/conf/all/accept_redirects</code></p>
</blockquote>
<p>Sometimes you will come across routers that send out invalid responses to broadcast
frames. This is a violation of RFC 1122, &quot;Requirements for Internet Hosts
-- Communication Layers&quot;. As a result, these events are logged by the kernel.
To avoid filling up your logfile with unnecessary clutter, you can tell the
kernel not to issue these warnings:</p>
<blockquote>
<p><code>echo &quot;1&quot; &gt; /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</code>
</p>
</blockquote>
<h3>IP Specific Settings</h3>
<p>Ironically, IP forwarding of packets between interfaces is enabled by default
on many systems in their startup scripts. If you're not intending for your box
to forward traffic between interfaces, or if you only have a single interface,
it would probably be a good idea to disable forwarding. Note that altering this
value resets all configuration parameters to their default values; specifically,
RFC1122 for hosts and RFC1812 for routers. As a result, you'll want to modify
this one before all other /proc settings.</p>
<blockquote>
<p><code>if [ -r /proc/sys/net/ipv4/ip_forward ]; then<br>
&nbsp;&nbsp;echo &quot;Disabling IP forwarding&quot;<br>
&nbsp;&nbsp;echo &quot;0&quot; &gt; /proc/sys/net/ipv4/ip_forward<br>
fi </code></p>
</blockquote>
<p>If instead you decide to enable forwarding, you will also be able to modify
the rp_filter setting; something which is often misunderstood by network administrators.
The rp_filter can reject incoming packets if their source address doesn't match
the network interface that they're arriving on, which helps to prevent IP spoofing.
Turning this on, however, has its consequences: If your host has several IP
addresses on different interfaces, or if your single interface has multiple
IP addresses on it, you'll find that your kernel may end up rejecting valid
traffic. It's also important to note that even if you do not enable the rp_filter,
protection against broadcast spoofing is always on. Also, the protection it
provides is only against spoofed <i>internal</i> addresses; external addresses
can still be spoofed.. By default, it is disabled. To enable it, run the following:</p>
<blockquote>
<p><code>if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then<br>
&nbsp;&nbsp;echo "Enabling rp_filter"<br>
&nbsp;&nbsp;echo &quot;1&quot; &gt; /proc/sys/net/ipv4/conf/all/rp_filter<br>
fi</code></p>
</blockquote>
<p>You may have also noticed the &quot;all&quot; subdirectory in this last example.
In <code>/proc/sys/net/ipv4/conf</code> there is one subdirectory for each interface
on your system along with one directory called &quot;all&quot;. Changing specific
interface directories only affects that specific interface, while changes made
to the &quot;all&quot; directory affects all interfaces on the system.</p>
<p> If you have compiled your kernel with CONFIG_SYNCOOKIES, you will be able
to <i>optionally</i> turn on or off protection against SYN flood attacks. Note
the emphasis, as compiling the kernel with this value does not enable it by
default. It works by sending out 'syncookies' when the syn backlog queue of
a socket overflows. What is often misunderstood is that socket backlogging is
not supported in newer operating systems, which means that your error messages
may not be correctly received by the offending system. Also, if you see synflood
warnings in your logs, make sure they are not the result of a heavily loaded
server before enabling this setting. They can also cause connection problems
for other hosts attempting to reach you. However, if you do want to enable this
setting, perform the following:<br>
</p>
<blockquote>
<p><code>if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then<br>
&nbsp;&nbsp;echo "Enabling tcp_syncookies"<br>
&nbsp;&nbsp;echo &quot;1&quot; &gt; /proc/sys/net/ipv4/tcp_syncookies<br>
fi</code></p>
</blockquote>
<p>Normally, a host has no control over the route any particular packet takes
beyond its first hop. It is up to the other hosts on the network to complete
the delivery. IP Source Routing (SRR) is a method of specifying the <i>exact</i>
path that a packet should take among the other hosts to get to its destination.
This is generally a bad idea for the security conscious, as someone could direct
packets to you through a trusted interface and effectively bypass your security
in some cases. A good example is traffic, such as SSH or telnet, that is blocked
on one interface might arrive on another of your host's interfaces if source
routing is used, which you might not have anticipated in your firewall settings.
You'll probably want to disable this setting with:</p>
<blockquote>
<p><code>if [ -r /proc/sys/net/ipv4/conf/all/accept_source_route ]; then<br>
&nbsp;&nbsp;echo "Disabling source routing"<br>
&nbsp;&nbsp;echo &quot;0&quot; &gt; /proc/sys/net/ipv4/conf/all/accept_source_route<br>
fi </code></p>
</blockquote>
<p>Packets that have source addresses with no known route are referred to as &quot;martians&quot;.
For example, if you have two different subnets plugged into the same hub, the
routers on each end will see each other as martians. To log such packets to
the kernel log, which should never show up in the first place, you'll need to
issue:</p>
<blockquote>
<p><code>if [ -r /proc/sys/net/ipv4/conf/all/log_martians</code><code> ]; then<br>
&nbsp;&nbsp;echo "Enabling logging of martians"<br>
&nbsp;&nbsp;echo &quot;1&quot; &gt; /proc/sys/net/ipv4/conf/all/log_martians</code><code><br>
fi </code></p>
</blockquote>
<h3>Additional Resources</h3>
<p>For more information regarding the /proc filesystem, you may want to refer
to the documentation that comes with the Linux kernel source. Of specific help
is <STRONG>Documentation/filesystems/proc.txt</STRONG>
by Bowden, Bauer &amp; Nerin. Additionally, you can refer to <STRONG>Documentation/networking/ip-sysctl.txt</STRONG>
by Kuznetsov &amp; Savola.</p>
<!-- *** BEGIN bio *** -->
<SPACER TYPE="vertical" SIZE="30">
<P>
<H4><IMG ALIGN=BOTTOM ALT="" SRC="../gx/note.gif">David Lechnyr</H4>
<EM>David is a Network Administrator at the Human Resources department
of the University of Oregon. He holds a Master's Degree in Social Work along
with his MCSE+I, CNE, and CCNA certifications. He has been working with
Linux for the past five years, with an emphasis on systems security, network
troubleshooting, PHP scripting, and web/SQL integration.</EM>
<!-- *** END bio *** -->
<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright &copy; 2002, David Lechnyr.<BR>
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 76 of <i>Linux Gazette</i>, March 2002</H5>
<!-- *** END copyright *** -->
<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="krishnakumar.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue77/lechnyr.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="pitcher.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->
Reference in New Issue View Git Blame Copy Permalink