pavement

Sysctl.conf Security Knobs

From FreeBSDwiki
(Difference between revisions)
Jump to: navigation, search
(Sysctl.conf Security Knobs)
 
(Sysctl.conf Security Knobs)
 
Line 3: Line 3:
  
  
Add the following statements to the /etc/sysctl.conf file. You can drop the comments, but I always find them helpful later when I am looking for a problem.
+
Add the following statements to the /etc/sysctl.conf file.  
  
 
   
 
   
 +
The sysctl.conf file contains MIB's to change the default setting of internal options of the kernel at boot up time. These MIB's control how network packets are handled after the IPFW or IPFILTER software application firewalls return the packet to the kernel. Some of these MIB's may seem like they are doing the same thing, but because there is no FBSD provided documentation on the order these MIB's get control, they all get enabled here and we let the kernel do its thing.<br>
  
####################################################################
+
NOTE: Some of these MIB's can also be set in rc.conf and/or the kernel source. This will not hurt anything.<br>
#
+
# The sysctl.conf file contains MIB's to change the default setting
+
# of internal options of the kernel at boot up time. These MIB's
+
# control how network packets are handled after the IPFW or IPFILTER
+
# software application firewalls return the packet to the kernel.
+
# Some of these MIB's may seem like they are doing the same thing,
+
# but because there is no FBSD provided documentation on the order
+
# these MIB's get control, they all get enabled here and we let the
+
# kernel do its thing.
+
#
+
# NOTE: Some of these MIB's can also be set in rc.conf and/or the
+
# kernel source. This will not hurt anything.
+
#
+
####################################################################
+
  
####################################################################
 
# Redirect attacks are the purposeful mass issuing of ICMP type 5 packets.
 
# In a normal network, redirects to the end stations should not be required.
 
# To defend against this type of attack both the sending and accepting of
 
# redirect should be disabled. The first statement below enables the MIB
 
# to drop all inbound icmp redirect packets without returning any response.
 
# The second statement turns off the logging of redirect packets because
 
# there in no limit and this could fill up your logs consuming your whole
 
# hard drive. But there is no information about where the redirect packets
 
# get logged. The last statement changes the FBSD default about allowing
 
# redirects to be sent from this system to the Internet from yes to no.
 
# This option is ignored unless the host is routing IP packets, and
 
# should normally be enabled (=1) on all systems
 
# man icmp(4) and inet(4) and man ip(4) do not contain info about these MIBs.
 
# man sysctl(3) does have info on ip.redirect
 
  
net.inet.icmp.drop_redirect=1
+
Redirect attacks are the purposeful mass issuing of ICMP type 5 packets.
net.inet.icmp.log_redirect=0
+
In a normal network, redirects to the end stations should not be required. To defend against this type of attack both the sending and accepting of redirect should be disabled. The first statement below enables the MIB to drop all inbound icmp redirect packets without returning any response. The second statement turns off the logging of redirect packets because there in no limit and this could fill up your logs consuming your whole hard drive. But there is no information about where the redirect packets get logged. The last statement changes the FBSD default about allowing redirects to be sent from this system to the Internet from yes to no. This option is ignored unless the host is routing IP packets, and should normally be enabled (=1) on all systems
net.inet.ip.redirect=0
+
man icmp(4) and inet(4) and man ip(4) do not contain info about these MIBs. man sysctl(3) does have info on ip.redirect
  
  
####################################################################
+
net.inet.icmp.drop_redirect=1<br>
# Source routing is another way for an attacker to try to reach non-routable
+
net.inet.icmp.log_redirect=0<br>
# addresses behind your box. It can also be used to probe for information
+
net.inet.ip.redirect=0<br>
# about your internal networks. These functions come enabled as part of the
+
# standard FBSD core system. The following will disable them.
+
# man inet(4) and man ip(4) do not contain any information on these MIBs.
+
  
net.inet.ip.sourceroute=0
 
net.inet.ip.accept_sourceroute=0
 
  
  
####################################################################
+
 
# This MIB only drops ICMP echo requests which have a destination of your
+
Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FBSD core system. The following will disable them. man inet(4) and man ip(4) do not contain any information on these MIBs.
# broadcast address. For example, if your network is 10.10.0.1/24,  
+
 
# (making your subnet mask 255.255.255.0) then your network broadcast address
+
 
# is 10.10.0.255. When a host on your network needs to send a message to all
+
net.inet.ip.sourceroute=0<br>
# other hosts on the subnet (which happens more often than you may think) it
+
net.inet.ip.accept_sourceroute=0<br>
# uses this address. Everyone listens on it. Hosts outside your network have
+
 
# no reason to be sending packets to your broadcast address. This MIB rejects
+
 
# all of the broadcast echo traffic from the outside world to your network
+
 
# broadcast address. If this host is a firewall or gateway, it should not
+
 
# propagate directed broadcasts originating from outside your private network.
+
This MIB only drops ICMP echo requests which have a destination of your
# The following statement sets the default to no, rejecting all external
+
broadcast address. For example, if your network is 10.10.0.1/24,  
# broadcasts requests.
+
(making your subnet mask 255.255.255.0) then your network broadcast address is 10.10.0.255. When a host on your network needs to send a message to all other hosts on the subnet (which happens more often than you may think) it uses this address. Everyone listens on it. Hosts outside your network have no reason to be sending packets to your broadcast address. This MIB rejects all of the broadcast echo traffic from the outside world to your network broadcast address. If this host is a firewall or gateway, it should not propagate directed broadcasts originating from outside your private network.
# man sysctl(3) has some info.
+
The following statement sets the default to no, rejecting all external
# man inet(4) and man icmp(4) do not contain any information on these MIBs.
+
broadcasts requests. man sysctl(3) has some info. man inet(4) and man icmp(4) do not contain any information on these MIBs.
 +
 
  
 
net.inet.icmp.bmcastecho=0
 
net.inet.icmp.bmcastecho=0
  
  
####################################################################
 
# This changes the system behavior when connection requests are received
 
# on TCP or UDP ports where there is no socket listening. The normal
 
# behavior, when a TCP SYN segment is received on a port where there
 
# is no socket accepting connections is for the system to return a
 
# RST segment and drop the connection. The requesting system will
 
# see this as a "Connection reset by peer".
 
#
 
# By turning the TCP black hole MIB on with a numeric value of one, the
 
# incoming SYN segment is merely dropped, and no RST is sent, making
 
# the system appear as a blackhole.
 
#
 
# By setting the MIB value to two, any segment arriving on a closed
 
# port is dropped without returning a RST.
 
# This provides some degree of protection against stealth port scans.
 
# The following enables this MIB. man tcp(4) and man udp(4) blackhole(4)
 
# contain a little information on these MIBs.
 
  
net.inet.tcp.blackhole=2
 
net.inet.udp.blackhole=1
 
  
 +
This changes the system behavior when connection requests are received
 +
on TCP or UDP ports where there is no socket listening. The normal
 +
behavior, when a TCP SYN segment is received on a port where there
 +
is no socket accepting connections is for the system to return a
 +
RST segment and drop the connection. The requesting system will
 +
see this as a "Connection reset by peer".
 +
 +
By turning the TCP black hole MIB on with a numeric value of one, the
 +
incoming SYN segment is merely dropped, and no RST is sent, making
 +
the system appear as a blackhole.
 +
 +
By setting the MIB value to two, any segment arriving on a closed
 +
port is dropped without returning a RST.
 +
This provides some degree of protection against stealth port scans.
 +
The following enables this MIB. man tcp(4) and man udp(4) blackhole(4)
 +
contain a little information on these MIBs.
 +
 +
 +
net.inet.tcp.blackhole=2<br>
 +
net.inet.udp.blackhole=1<br>
 +
 +
 +
 +
 +
The log_in_vain MIB will provide you with logging of attempted connections to your box on any port which does not have a service running on it. For example, if you do not have DNS server on your computer and someone would try to access your computer through DNS port 53, you would see a message such as: Connection attempt to
 +
UDP yourIP:53 from otherIP:X (where X is some high port #) displayed
 +
on the root console screen. This message also gets posted to
 +
/var/log/messages & /var/log/security.log.
 +
The following statements enable this function.
 +
man tcp(4) and man udp(4) contain a little information on these MIBs.
 +
 +
 +
net.inet.tcp.log_in_vain=1<br>
 +
net.inet.udp.log_in_vain=1<br>
 +
 +
 +
 +
 +
 +
To defend against SYN attacks more commonly known as SYNFLOOD attacks,
 +
the two queues which are targeted by this type of attack should
 +
have their size increased so that the queues can withstand an attack
 +
of low to moderate intensity with little to no effect on the stability
 +
or availability of the system. FBSD maintains separate queues for
 +
inbound socket connection requests. One queue is for half-open sockets
 +
(SYN received, SYN|ACK sent), and the other queue for fully-open sockets awaiting an accept() call from the application.
 +
The following statement increases the queue size from 128.
  
####################################################################
 
# The log_in_vain MIB will provide you with logging of attempted
 
# connections to your box on any port which does not have a service
 
# running on it. For example, if you do not have DNS server on your
 
# computer and someone would try to access your computer through DNS
 
# port 53, you would see a message such as: Connection attempt to
 
# UDP yourIP:53 from otherIP:X (where X is some high port #) displayed
 
# on the root console screen. This message also gets posted to
 
# /var/log/messages & /var/log/security.log.
 
# The following statements enable this function.
 
# man tcp(4) and man udp(4) contain a little information on these MIBs.
 
  
net.inet.tcp.log_in_vain=1
+
kern.ipc.somaxconn=1024
net.inet.udp.log_in_vain=1
+
  
  
####################################################################
 
# To defend against SYN attacks more commonly known as SYNFLOOD attacks,
 
# the two queues which are targeted by this type of attack should
 
# have their size increased so that the queues can withstand an attack
 
# of low to moderate intensity with little to no effect on the stability
 
# or availability of the system. FBSD maintains separate queues for
 
# inbound socket connection requests. One queue is for half-open sockets
 
# (SYN received, SYN|ACK sent), and the other queue for fully-open sockets
 
# awaiting an accept() call from the application.
 
# The following statement increases the queue size from 128.
 
  
kern.ipc.somaxconn=1024
 
  
 +
By allowing aged ARP entries to remain cached or lying around allows for the possibility of a hacker to create a resource exhaustion or performance degradation by filling the IP route cache with bogus ARP entries. This in turn can be used as a Denial of Service attack. To prevent this sort of problem, the following statement shortens the amount of time an ARP will be cached from 1200 to 600 seconds.
  
####################################################################
 
# By allowing aged ARP entries to remain cached or lying around
 
# allows for the possibility of a hacker to create a resource
 
# exhaustion or performance degradation by filling the IP route cache
 
# with bogus ARP entries. This in turn can be used as a Denial of
 
# Service attack. To prevent this sort of problem, the following
 
# statement shortens the amount of time an ARP will be cached
 
# from 1200 to 600 seconds.
 
  
 
net.link.ether.inet.max_age=600  
 
net.link.ether.inet.max_age=600  

Latest revision as of 13:57, 6 August 2012

[edit] Sysctl.conf Security Knobs

Add the following statements to the /etc/sysctl.conf file.


The sysctl.conf file contains MIB's to change the default setting of internal options of the kernel at boot up time. These MIB's control how network packets are handled after the IPFW or IPFILTER software application firewalls return the packet to the kernel. Some of these MIB's may seem like they are doing the same thing, but because there is no FBSD provided documentation on the order these MIB's get control, they all get enabled here and we let the kernel do its thing.

NOTE: Some of these MIB's can also be set in rc.conf and/or the kernel source. This will not hurt anything.


Redirect attacks are the purposeful mass issuing of ICMP type 5 packets. In a normal network, redirects to the end stations should not be required. To defend against this type of attack both the sending and accepting of redirect should be disabled. The first statement below enables the MIB to drop all inbound icmp redirect packets without returning any response. The second statement turns off the logging of redirect packets because there in no limit and this could fill up your logs consuming your whole hard drive. But there is no information about where the redirect packets get logged. The last statement changes the FBSD default about allowing redirects to be sent from this system to the Internet from yes to no. This option is ignored unless the host is routing IP packets, and should normally be enabled (=1) on all systems man icmp(4) and inet(4) and man ip(4) do not contain info about these MIBs. man sysctl(3) does have info on ip.redirect.


net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0



Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FBSD core system. The following will disable them. man inet(4) and man ip(4) do not contain any information on these MIBs.


net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0



This MIB only drops ICMP echo requests which have a destination of your broadcast address. For example, if your network is 10.10.0.1/24, (making your subnet mask 255.255.255.0) then your network broadcast address is 10.10.0.255. When a host on your network needs to send a message to all other hosts on the subnet (which happens more often than you may think) it uses this address. Everyone listens on it. Hosts outside your network have no reason to be sending packets to your broadcast address. This MIB rejects all of the broadcast echo traffic from the outside world to your network broadcast address. If this host is a firewall or gateway, it should not propagate directed broadcasts originating from outside your private network. The following statement sets the default to no, rejecting all external broadcasts requests. man sysctl(3) has some info. man inet(4) and man icmp(4) do not contain any information on these MIBs.


net.inet.icmp.bmcastecho=0



This changes the system behavior when connection requests are received on TCP or UDP ports where there is no socket listening. The normal behavior, when a TCP SYN segment is received on a port where there is no socket accepting connections is for the system to return a RST segment and drop the connection. The requesting system will see this as a "Connection reset by peer".

By turning the TCP black hole MIB on with a numeric value of one, the incoming SYN segment is merely dropped, and no RST is sent, making the system appear as a blackhole.

By setting the MIB value to two, any segment arriving on a closed port is dropped without returning a RST. This provides some degree of protection against stealth port scans. The following enables this MIB. man tcp(4) and man udp(4) blackhole(4) contain a little information on these MIBs.


net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1



The log_in_vain MIB will provide you with logging of attempted connections to your box on any port which does not have a service running on it. For example, if you do not have DNS server on your computer and someone would try to access your computer through DNS port 53, you would see a message such as: Connection attempt to UDP yourIP:53 from otherIP:X (where X is some high port #) displayed on the root console screen. This message also gets posted to /var/log/messages & /var/log/security.log. The following statements enable this function. man tcp(4) and man udp(4) contain a little information on these MIBs.


net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1



To defend against SYN attacks more commonly known as SYNFLOOD attacks, the two queues which are targeted by this type of attack should have their size increased so that the queues can withstand an attack of low to moderate intensity with little to no effect on the stability or availability of the system. FBSD maintains separate queues for inbound socket connection requests. One queue is for half-open sockets (SYN received, SYN|ACK sent), and the other queue for fully-open sockets awaiting an accept() call from the application. The following statement increases the queue size from 128.


kern.ipc.somaxconn=1024



By allowing aged ARP entries to remain cached or lying around allows for the possibility of a hacker to create a resource exhaustion or performance degradation by filling the IP route cache with bogus ARP entries. This in turn can be used as a Denial of Service attack. To prevent this sort of problem, the following statement shortens the amount of time an ARP will be cached from 1200 to 600 seconds.


net.link.ether.inet.max_age=600

Personal tools