173.88.199.104: /* Sysctl.conf Security Knobs */

2012-08-06T18:57:33Z

Sysctl.conf Security Knobs

173.88.199.104: Sysctl.conf Security Knobs

2012-08-06T18:34:17Z

Sysctl.conf Security Knobs

New page

== Sysctl.conf Security Knobs ==

Add the following statements to the /etc/sysctl.conf file. You can drop the comments, but I always find them helpful later when I am looking for a problem.

####################################################################
#
# The sysctl.conf file contains MIB's to change the default setting
# of internal options of the kernel at boot up time. These MIB's
# control how network packets are handled after the IPFW or IPFILTER
# software application firewalls return the packet to the kernel.
# Some of these MIB's may seem like they are doing the same thing,
# but because there is no FBSD provided documentation on the order
# these MIB's get control, they all get enabled here and we let the
# kernel do its thing.
#
# NOTE: Some of these MIB's can also be set in rc.conf and/or the
# kernel source. This will not hurt anything.
#
####################################################################

####################################################################
# Redirect attacks are the purposeful mass issuing of ICMP type 5 packets.
# In a normal network, redirects to the end stations should not be required.
# To defend against this type of attack both the sending and accepting of
# redirect should be disabled. The first statement below enables the MIB
# to drop all inbound icmp redirect packets without returning any response.
# The second statement turns off the logging of redirect packets because
# there in no limit and this could fill up your logs consuming your whole
# hard drive. But there is no information about where the redirect packets
# get logged. The last statement changes the FBSD default about allowing
# redirects to be sent from this system to the Internet from yes to no.
# This option is ignored unless the host is routing IP packets, and
# should normally be enabled (=1) on all systems
# man icmp(4) and inet(4) and man ip(4) do not contain info about these MIBs.
# man sysctl(3) does have info on ip.redirect

net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0

####################################################################
# Source routing is another way for an attacker to try to reach non-routable
# addresses behind your box. It can also be used to probe for information
# about your internal networks. These functions come enabled as part of the
# standard FBSD core system. The following will disable them.
# man inet(4) and man ip(4) do not contain any information on these MIBs.

net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0

####################################################################
# This MIB only drops ICMP echo requests which have a destination of your
# broadcast address. For example, if your network is 10.10.0.1/24,
# (making your subnet mask 255.255.255.0) then your network broadcast address
# is 10.10.0.255. When a host on your network needs to send a message to all
# other hosts on the subnet (which happens more often than you may think) it
# uses this address. Everyone listens on it. Hosts outside your network have
# no reason to be sending packets to your broadcast address. This MIB rejects
# all of the broadcast echo traffic from the outside world to your network
# broadcast address. If this host is a firewall or gateway, it should not
# propagate directed broadcasts originating from outside your private network.
# The following statement sets the default to no, rejecting all external
# broadcasts requests.
# man sysctl(3) has some info.
# man inet(4) and man icmp(4) do not contain any information on these MIBs.

net.inet.icmp.bmcastecho=0

####################################################################
# This changes the system behavior when connection requests are received
# on TCP or UDP ports where there is no socket listening. The normal
# behavior, when a TCP SYN segment is received on a port where there
# is no socket accepting connections is for the system to return a
# RST segment and drop the connection. The requesting system will
# see this as a "Connection reset by peer".
#
# By turning the TCP black hole MIB on with a numeric value of one, the
# incoming SYN segment is merely dropped, and no RST is sent, making
# the system appear as a blackhole.
#
# By setting the MIB value to two, any segment arriving on a closed
# port is dropped without returning a RST.
# This provides some degree of protection against stealth port scans.
# The following enables this MIB. man tcp(4) and man udp(4) blackhole(4)
# contain a little information on these MIBs.

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

####################################################################
# The log_in_vain MIB will provide you with logging of attempted
# connections to your box on any port which does not have a service
# running on it. For example, if you do not have DNS server on your
# computer and someone would try to access your computer through DNS
# port 53, you would see a message such as: Connection attempt to
# UDP yourIP:53 from otherIP:X (where X is some high port #) displayed
# on the root console screen. This message also gets posted to
# /var/log/messages & /var/log/security.log.
# The following statements enable this function.
# man tcp(4) and man udp(4) contain a little information on these MIBs.

net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1

####################################################################
# To defend against SYN attacks more commonly known as SYNFLOOD attacks,
# the two queues which are targeted by this type of attack should
# have their size increased so that the queues can withstand an attack
# of low to moderate intensity with little to no effect on the stability
# or availability of the system. FBSD maintains separate queues for
# inbound socket connection requests. One queue is for half-open sockets
# (SYN received, SYN|ACK sent), and the other queue for fully-open sockets
# awaiting an accept() call from the application.
# The following statement increases the queue size from 128.

kern.ipc.somaxconn=1024

####################################################################
# By allowing aged ARP entries to remain cached or lying around
# allows for the possibility of a hacker to create a resource
# exhaustion or performance degradation by filling the IP route cache
# with bogus ARP entries. This in turn can be used as a Denial of
# Service attack. To prevent this sort of problem, the following
# statement shortens the amount of time an ARP will be cached
# from 1200 to 600 seconds.

net.link.ether.inet.max_age=600

[[Category:Securing FreeBSD]]
[[Category:FreeBSD for Servers]]

Sysctl.conf Security Knobs - Revision history

173.88.199.104: /* Sysctl.conf Security Knobs */

173.88.199.104: Sysctl.conf Security Knobs