pavement

Secure Kernel Source

From FreeBSDwiki
(Difference between revisions)
Jump to: navigation, search
(Secure Kernel Source)
 
(Secure Kernel Source)
 
Line 2: Line 2:
 
== Secure Kernel Source ==
 
== Secure Kernel Source ==
  
The following are things you can do in the kernel source to tighten up security even more. You can prefix statements with # to make it a comment to disable it or delete the statement all together.  
+
The following are things you can do in the kernel source to tighten up security. You can prefix statements with # to make it a comment to disable it or delete the statement all together.  
  
Make these changes.
 
  
 
At the top the file is the following statement.
 
At the top the file is the following statement.
  
#options INET6           # IPv6 communications protocols
+
options INET6<br>
  
 
Ipv6 is a developmental protocol, if you are not testing this protocol on purpose, it should be disabled.
 
Ipv6 is a developmental protocol, if you are not testing this protocol on purpose, it should be disabled.
  
  
Followed by Memory disk root option. This allows a operating system to be placed into memory and run. Disable this option.
+
Followed by Memory disk root option. This allows a operating system to be placed into memory and run.  
 
+
#option MD_Root          # MD is a potential Root device
+
  
 +
option MD_Root         
  
  
Line 22: Line 20:
 
Comment these out to disable them.
 
Comment these out to disable them.
  
#options NFSCLIENT       # Network filesystem Client
+
options NFSCLIENT <br>     
#options NFSSERVER       # Network filesystem Server
+
options NFSSERVER <br>     
#options NFSLOCKD         # Network Lock Manager
+
options NFSLOCKD <br>     
#options NFS_ROOT         # NFS usable as root device
+
options NFS_ROOT <br>     
  
  
Line 31: Line 29:
 
Comment out the following option because you disabled Ipv6 earlier.
 
Comment out the following option because you disabled Ipv6 earlier.
  
#device faith  #IPv6-to-IPv4 relaying (translation
+
device faith   
  
  
 
+
options COMPAT_FREEBSD4<br>
Comment out all previous release compatible statements
+
options COMPAT_FREEBSD5<br>
 
+
options COMPAT_FREEBSD6<br>
#options COMPAT_FREEBSD4
+
options COMPAT_FREEBSD7<br>
#options COMPAT_FREEBSD5
+
#options COMPAT_FREEBSD6
+
#options COMPAT_FREEBSD7
+
  
 
   
 
   
  
Add this statement. You should have your IPFILTER or IPFIREWALL (IPFW) enabling statements already in your kernel source. Just to keep all the security options grouped together, place these by them.
+
Add the following statement.  
  
options TCP_DROP_SYNFIN       # Adds support for ignoring TCP packets
+
options TCP_DROP_SYNFIN<br>
                              # with SYN+FIN. This prevents nmap from
+
Adds support for ignoring TCP packets with SYN+FIN. This prevents nmap from identifying the TCP/IP stack.
                              # identifying the TCP/IP stack, but
+
                              # breaks support for RFC1644 extensions
+
                              # & is not recommended for web servers
+
                              # behind the firewall.
+
  
  
 +
options ICMP_BANDLIM<br>   
 +
Enables icmp error response bandwidth limiting. This will help protect from D.O.S. packet attacks.
  
Add these statements. The comments with this option are from the LINT kernel source word for word. I have an Apache web server running on my gateway/firewall box, and I use this option and can not see anything wrong happening.
 
  
 +
options RANDOM_IP_ID<br> 
 +
Causes the ID field in IP packets to be randomized instead of incremented by 1 with each packet generated. This closes a minor
 +
information leak which allows remote observers to determine the rate of packet generation on the machine by watching the counter.
  
  
options ICMP_BANDLIM    # Enables icmp error response bandwidth
+
options NO_LKM<br>
                        # limiting. This will help protect from
+
Ddisable FBSD ability to dynamically load kernel modules.  
                        # D.O.S. packet attacks.
+
 
+
options RANDOM_IP_ID    # Causes the ID field in IP packets to be
+
                        # randomized instead of incremented by 1 with
+
                        # each packet generated. This closes a minor
+
                        # information leak which allows remote
+
                        # observers to determine the rate of packet
+
                        # generation on the machine by watching the
+
                        # counter.
+
 
+
 
+
options NO_LKM          # disable FBSD ability to dynamically load
+
                        # kernel modules. If you are using the IPFILTER
+
                        # load module don’t do this
+
 
+
  
  
 
If you do not have a printer cabled off the parallel port of this PC then disable these options.
 
If you do not have a printer cabled off the parallel port of this PC then disable these options.
# Parallel port
 
  
#device ppc
+
device ppc   <br>
#device ppbus           # Parallel port bus (required)
+
device ppbus <br>
#device lpt             # Printer
+
device lpt   <br>
#device plip             # TCP/IP over parallel
+
device plip <br>
#device ppi             # Parallel port interface device
+
device ppi   <br>
  
 
   
 
   
Line 91: Line 70:
 
If you are not copying this system to other PCs with different hardware, then besides the security benefit you can also reduce the time it takes to compile the kernel by removing all unused device drivers. Review your /var/run/dmesg.boot log messages to see which devices you are really using  and only keep those. Comment out all the others. Do not delete the following device; it is used by most NICs but does not show up in dmesg as used.
 
If you are not copying this system to other PCs with different hardware, then besides the security benefit you can also reduce the time it takes to compile the kernel by removing all unused device drivers. Review your /var/run/dmesg.boot log messages to see which devices you are really using  and only keep those. Comment out all the others. Do not delete the following device; it is used by most NICs but does not show up in dmesg as used.
  
device miibus    # NICs that use MII bus support
+
device miibus     
 
+
 
+
 
+
 
+
 
+
 
+
  
 
[[Category:Securing FreeBSD]]
 
[[Category:Securing FreeBSD]]
 
[[Category:FreeBSD for Servers]]
 
[[Category:FreeBSD for Servers]]

Latest revision as of 13:26, 6 August 2012

[edit] Secure Kernel Source

The following are things you can do in the kernel source to tighten up security. You can prefix statements with # to make it a comment to disable it or delete the statement all together.


At the top the file is the following statement.

options INET6

Ipv6 is a developmental protocol, if you are not testing this protocol on purpose, it should be disabled.


Followed by Memory disk root option. This allows a operating system to be placed into memory and run.

option MD_Root


A few lines down are the network filesystem options. Comment these out to disable them.

options NFSCLIENT
options NFSSERVER
options NFSLOCKD
options NFS_ROOT


Comment out the following option because you disabled Ipv6 earlier.

device faith


options COMPAT_FREEBSD4
options COMPAT_FREEBSD5
options COMPAT_FREEBSD6
options COMPAT_FREEBSD7


Add the following statement.

options TCP_DROP_SYNFIN
Adds support for ignoring TCP packets with SYN+FIN. This prevents nmap from identifying the TCP/IP stack.


options ICMP_BANDLIM
Enables icmp error response bandwidth limiting. This will help protect from D.O.S. packet attacks.


options RANDOM_IP_ID
Causes the ID field in IP packets to be randomized instead of incremented by 1 with each packet generated. This closes a minor information leak which allows remote observers to determine the rate of packet generation on the machine by watching the counter.


options NO_LKM
Ddisable FBSD ability to dynamically load kernel modules.


If you do not have a printer cabled off the parallel port of this PC then disable these options.

device ppc
device ppbus
device lpt
device plip
device ppi


If you are not copying this system to other PCs with different hardware, then besides the security benefit you can also reduce the time it takes to compile the kernel by removing all unused device drivers. Review your /var/run/dmesg.boot log messages to see which devices you are really using and only keep those. Comment out all the others. Do not delete the following device; it is used by most NICs but does not show up in dmesg as used.

device miibus

Personal tools