210 lines
12 KiB
HTML
210 lines
12 KiB
HTML
<!--startcut ==============================================-->
|
|
<!-- *** BEGIN HTML header *** -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML><HEAD>
|
|
<title>Network Security with /proc/sys/net/ipv4 LG #76</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
|
|
ALINK="#FF0000">
|
|
<!-- *** END HTML header *** -->
|
|
|
|
<CENTER>
|
|
<A HREF="http://www.linuxgazette.com/">
|
|
<IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
|
|
WIDTH="600" HEIGHT="124" border="0"></A>
|
|
<BR>
|
|
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="krishnakumar.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue77/lechnyr.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="pitcher.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
<P>
|
|
</CENTER>
|
|
|
|
<!--endcut ============================================================-->
|
|
|
|
<H4 ALIGN="center">
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
|
|
<center>
|
|
<H1><font color="maroon">Network Security with /proc/sys/net/ipv4</font></H1>
|
|
<H4>By <a href="mailto:david@lechnyr.com">David Lechnyr</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
<!-- END header -->
|
|
|
|
|
|
|
|
|
|
<i>In additional to firewall rulesets, the /proc filesystem offers some significant
|
|
enhancements to your network security settings. Unfortunately, most of us are
|
|
unaware of anything beyond the vague rumors and advice we've heard about this
|
|
beast. In this article, we'll review some of the basic essentials of the /proc/sys/net/ipv4
|
|
filesystem necessary to add to the overall network security of your Linux server.
|
|
</i>
|
|
|
|
<p>Perhaps one of the more frequently neglected areas of firewall configuration
|
|
involves the /proc filesystem. The pseudo file structure within proc allows
|
|
you to interface with the internal data structures in the kernel, either obtaining
|
|
information about the system or changing specific settings. Some of the parts
|
|
of /proc are read-only, while others can be modified. It is often referred to
|
|
as a <i>virtual</i> filesystem in that it doesn't take up any actual hard drive
|
|
space; files are created only on demand when you access them. In this article,
|
|
we will be focusing specifically on /proc/sys/net/ipv4.</p>
|
|
<p> In order to benefit from the use of the /proc filesystem, you'll need to enable
|
|
two settings when building your kernel. CONFIG_PROC_FS is the setting that allows
|
|
you to access and view the /proc filesystem, and CONFIG_SYSCTL is the bit that
|
|
actually allows you to modify /proc entries without requiring a reboot of the
|
|
system or a recompile of the kernel. Settings are only available at boot time
|
|
after the /proc file system has been mounted. </p>
|
|
<h3>ICMP Specific Settings</h3>
|
|
<p>Ping scanning is typically used to determine which hosts on a network are up.
|
|
Typically this is done by sending ICMP ECHO request packets to the target host.
|
|
This is seemingly innocent behavior, however often network administrators will
|
|
block such traffic to increase their obscurity. The choices involve blocking
|
|
ICMP ECHO requests to broadcast/multicast addresses and directly to the host
|
|
itself. The respective commands to disable protection are:</p>
|
|
<blockquote>
|
|
<p><code>echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts<br>
|
|
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all</code></p>
|
|
</blockquote>
|
|
<p>ICMP redirect messages can also be a pain. If your box is not acting as a router,
|
|
you'll probably want to disable them:</p>
|
|
<blockquote>
|
|
<p><code>echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects</code></p>
|
|
</blockquote>
|
|
<p>Sometimes you will come across routers that send out invalid responses to broadcast
|
|
frames. This is a violation of RFC 1122, "Requirements for Internet Hosts
|
|
-- Communication Layers". As a result, these events are logged by the kernel.
|
|
To avoid filling up your logfile with unnecessary clutter, you can tell the
|
|
kernel not to issue these warnings:</p>
|
|
<blockquote>
|
|
<p><code>echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</code>
|
|
</p>
|
|
</blockquote>
|
|
<h3>IP Specific Settings</h3>
|
|
<p>Ironically, IP forwarding of packets between interfaces is enabled by default
|
|
on many systems in their startup scripts. If you're not intending for your box
|
|
to forward traffic between interfaces, or if you only have a single interface,
|
|
it would probably be a good idea to disable forwarding. Note that altering this
|
|
value resets all configuration parameters to their default values; specifically,
|
|
RFC1122 for hosts and RFC1812 for routers. As a result, you'll want to modify
|
|
this one before all other /proc settings.</p>
|
|
<blockquote>
|
|
<p><code>if [ -r /proc/sys/net/ipv4/ip_forward ]; then<br>
|
|
echo "Disabling IP forwarding"<br>
|
|
echo "0" > /proc/sys/net/ipv4/ip_forward<br>
|
|
fi </code></p>
|
|
</blockquote>
|
|
<p>If instead you decide to enable forwarding, you will also be able to modify
|
|
the rp_filter setting; something which is often misunderstood by network administrators.
|
|
The rp_filter can reject incoming packets if their source address doesn't match
|
|
the network interface that they're arriving on, which helps to prevent IP spoofing.
|
|
Turning this on, however, has its consequences: If your host has several IP
|
|
addresses on different interfaces, or if your single interface has multiple
|
|
IP addresses on it, you'll find that your kernel may end up rejecting valid
|
|
traffic. It's also important to note that even if you do not enable the rp_filter,
|
|
protection against broadcast spoofing is always on. Also, the protection it
|
|
provides is only against spoofed <i>internal</i> addresses; external addresses
|
|
can still be spoofed.. By default, it is disabled. To enable it, run the following:</p>
|
|
<blockquote>
|
|
<p><code>if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then<br>
|
|
echo "Enabling rp_filter"<br>
|
|
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter<br>
|
|
fi</code></p>
|
|
</blockquote>
|
|
<p>You may have also noticed the "all" subdirectory in this last example.
|
|
In <code>/proc/sys/net/ipv4/conf</code> there is one subdirectory for each interface
|
|
on your system along with one directory called "all". Changing specific
|
|
interface directories only affects that specific interface, while changes made
|
|
to the "all" directory affects all interfaces on the system.</p>
|
|
<p> If you have compiled your kernel with CONFIG_SYNCOOKIES, you will be able
|
|
to <i>optionally</i> turn on or off protection against SYN flood attacks. Note
|
|
the emphasis, as compiling the kernel with this value does not enable it by
|
|
default. It works by sending out 'syncookies' when the syn backlog queue of
|
|
a socket overflows. What is often misunderstood is that socket backlogging is
|
|
not supported in newer operating systems, which means that your error messages
|
|
may not be correctly received by the offending system. Also, if you see synflood
|
|
warnings in your logs, make sure they are not the result of a heavily loaded
|
|
server before enabling this setting. They can also cause connection problems
|
|
for other hosts attempting to reach you. However, if you do want to enable this
|
|
setting, perform the following:<br>
|
|
</p>
|
|
<blockquote>
|
|
<p><code>if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then<br>
|
|
echo "Enabling tcp_syncookies"<br>
|
|
echo "1" > /proc/sys/net/ipv4/tcp_syncookies<br>
|
|
fi</code></p>
|
|
</blockquote>
|
|
<p>Normally, a host has no control over the route any particular packet takes
|
|
beyond its first hop. It is up to the other hosts on the network to complete
|
|
the delivery. IP Source Routing (SRR) is a method of specifying the <i>exact</i>
|
|
path that a packet should take among the other hosts to get to its destination.
|
|
This is generally a bad idea for the security conscious, as someone could direct
|
|
packets to you through a trusted interface and effectively bypass your security
|
|
in some cases. A good example is traffic, such as SSH or telnet, that is blocked
|
|
on one interface might arrive on another of your host's interfaces if source
|
|
routing is used, which you might not have anticipated in your firewall settings.
|
|
You'll probably want to disable this setting with:</p>
|
|
<blockquote>
|
|
<p><code>if [ -r /proc/sys/net/ipv4/conf/all/accept_source_route ]; then<br>
|
|
echo "Disabling source routing"<br>
|
|
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route<br>
|
|
fi </code></p>
|
|
</blockquote>
|
|
<p>Packets that have source addresses with no known route are referred to as "martians".
|
|
For example, if you have two different subnets plugged into the same hub, the
|
|
routers on each end will see each other as martians. To log such packets to
|
|
the kernel log, which should never show up in the first place, you'll need to
|
|
issue:</p>
|
|
<blockquote>
|
|
<p><code>if [ -r /proc/sys/net/ipv4/conf/all/log_martians</code><code> ]; then<br>
|
|
echo "Enabling logging of martians"<br>
|
|
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians</code><code><br>
|
|
fi </code></p>
|
|
</blockquote>
|
|
<h3>Additional Resources</h3>
|
|
<p>For more information regarding the /proc filesystem, you may want to refer
|
|
to the documentation that comes with the Linux kernel source. Of specific help
|
|
is <STRONG>Documentation/filesystems/proc.txt</STRONG>
|
|
by Bowden, Bauer & Nerin. Additionally, you can refer to <STRONG>Documentation/networking/ip-sysctl.txt</STRONG>
|
|
by Kuznetsov & Savola.</p>
|
|
|
|
|
|
|
|
|
|
<!-- *** BEGIN bio *** -->
|
|
<SPACER TYPE="vertical" SIZE="30">
|
|
<P>
|
|
<H4><IMG ALIGN=BOTTOM ALT="" SRC="../gx/note.gif">David Lechnyr</H4>
|
|
<EM>David is a Network Administrator at the Human Resources department
|
|
of the University of Oregon. He holds a Master's Degree in Social Work along
|
|
with his MCSE+I, CNE, and CCNA certifications. He has been working with
|
|
Linux for the past five years, with an emphasis on systems security, network
|
|
troubleshooting, PHP scripting, and web/SQL integration.</EM>
|
|
|
|
<!-- *** END bio *** -->
|
|
|
|
<!-- *** BEGIN copyright *** -->
|
|
<P> <hr> <!-- P -->
|
|
<H5 ALIGN=center>
|
|
|
|
Copyright © 2002, David Lechnyr.<BR>
|
|
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
|
|
Published in Issue 76 of <i>Linux Gazette</i>, March 2002</H5>
|
|
<!-- *** END copyright *** -->
|
|
|
|
<!--startcut ==========================================================-->
|
|
<HR><P>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="krishnakumar.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue77/lechnyr.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="pitcher.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</BODY></HTML>
|
|
<!--endcut ============================================================-->
|