Tweak Your Network Configurations for Security
To protect your WAN connection, firewall, and DMZ servers from common
attacks, take these simple steps to disable certain TCP/IP features.
Drop Source-Routed Traffic
There are two forms of source-routed traffic: Strict Source Routing and
Loose Source Routing (IP options 137 and 131). The difference does not
matter here, because you want to drop both. The most common legitimate use
is traceroute's -g option, which specifies a loose source route so you can
diagnose trouble spots along a path of your choosing. Unfortunately, intruders
can use source-routed traffic to try to bypass firewall rules and TCP/IP
filters, because the sender rather than your routers picks the path the
packet takes. Drop source-routed traffic on the edge routers and on any
security gateway capable of it:
For Cisco routers, issue the following global directive: no ip
source-route.
For OpenBSD, use the following sysctl:
net.inet.ip.sourceroute=0.
For FreeBSD, use the following two sysctls: net.inet.ip.sourceroute=0 (do
not forward source-routed packets) and net.inet.ip.accept_sourceroute=0 (do
not accept them).
With Solaris, use the following command: ndd -set /dev/ip
ip_forward_src_routed 0.
For Linux 2.2.x, use the following command: echo 0 >
/proc/sys/net/ipv4/conf/all/accept_source_route.
With Windows NT/2000, make the following Registry change:
HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\Tcpip\Parameters
DisableIPSourceRouting
Create this value as a REG_DWORD and set it to 2 (drop all incoming
source-routed packets; a value of 1 only stops forwarding them).
Drop Directed Broadcast Traffic
The Smurf denial of service attack and others like it send ICMP Echo
Requests to a network's broadcast address with a forged source address, so
that every host that answers floods the victim. Defeat them by disabling
directed broadcasts on the edge routers and on servers exposed to the
Internet:
For Cisco routers, issue no ip directed-broadcast on each interface.
With OpenBSD, use the following sysctl:
net.inet.ip.directed-broadcast=0
For Solaris, use the following command: ndd -set /dev/ip
ip_forward_directed_broadcasts 0
Ignore ICMP Echo Request Broadcast
The Internet-Draft draft-vshah-ddos-smurf-00, found at
http://www.ietf.org/internet-drafts/draft-vshah-ddos-smurf-00.txt,
states that a node which is configured to answer an ICMP Echo Request sent
to a broadcast or multicast address must first check that the source address
is on one of its directly attached networks, and must discard the request if
it is not. Configuring the host not to answer ICMP echo broadcasts at all
guarantees that such replies are never sent:
With Solaris, use the following command: ndd -set /dev/ip
ip_respond_to_echo_broadcast 0
With Linux 2.2.x, use the following command: echo 1 >
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Linux has an additional control that makes the kernel ignore ALL ICMP Echo
Requests, broadcast or not: echo 1 >
/proc/sys/net/ipv4/icmp_echo_ignore_all. Be aware that this also silences
legitimate monitoring pings.
Ignore ICMP Redirect Messages
An intruder might use ICMP Redirect messages to steer traffic from your
servers to a different gateway (one under the intruder's control, placing
him in the path) or to a non-existent gateway, and to inject bogus routes
into the host routing table. All of this can be accomplished through the
unassuming ICMP Redirect message, and it makes a very effective denial of
service attack. In addition to blocking ICMP Redirect messages at the
firewall, add the extra layer of ignoring them on the hosts themselves if
your OS supports it:
With Solaris, use the following command: ndd -set /dev/ip
ip_ignore_redirect 1
With Linux 2.2.x, use the following command: echo 0 >
/proc/sys/net/ipv4/conf/all/accept_redirects
Disable Sending of ICMP Redirect Messages
Only routers need to send ICMP Redirect messages. Your DMZ servers do not
route packets, and your firewall should never tell hosts to use some other
gateway, so neither has any reason to send them:
For Solaris, use the following command: ndd -set /dev/ip
ip_send_redirects 0.
For Linux 2.2.x, use the following command: echo 0 >
/proc/sys/net/ipv4/conf/all/send_redirects.
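As an added example (not part of the original text), the following POSIX shell script gathers the Linux settings from the source-route, ICMP echo-broadcast, ICMP redirect and send-redirect sections above into one audit-and-apply tool. The /proc paths are the ones given in the text; the SYSCTL_ROOT variable and the function names are assumptions introduced here so the script can be exercised against a scratch directory instead of the live /proc/sys tree.

```shell
#!/bin/sh
# Audit and apply the Linux /proc/sys hardening knobs discussed above.
# SYSCTL_ROOT is an assumption introduced for this example: point it at a
# scratch directory to dry-run the logic. On a real host leave it unset.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Each entry is <path under SYSCTL_ROOT>=<hardened value>.
HARDENED_SETTINGS="
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/icmp_echo_ignore_broadcasts=1
"

# Print OK/FAIL/MISSING for every entry. The return value is the number of
# entries that are not at their hardened value, so 0 means compliant.
audit_settings() {
    failures=0
    for entry in $HARDENED_SETTINGS; do
        path=${entry%=*}
        want=${entry#*=}
        file="$SYSCTL_ROOT/$path"
        if [ ! -r "$file" ]; then
            echo "MISSING $path"
            failures=$((failures + 1))
        elif have=$(cat "$file") && [ "$have" = "$want" ]; then
            echo "OK      $path=$have"
        else
            echo "FAIL    $path=$have (want $want)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Write every hardened value. Against the live tree this needs root.
# Files that do not exist (an older kernel, say) are reported, not created.
apply_settings() {
    for entry in $HARDENED_SETTINGS; do
        path=${entry%=*}
        want=${entry#*=}
        file="$SYSCTL_ROOT/$path"
        if [ -w "$file" ]; then
            echo "$want" > "$file"
        else
            echo "SKIP    $path (not writable)" >&2
        fi
    done
}

# Command-line entry point: "audit" for a read-only check, "apply" to set
# the values and then re-audit. With no argument nothing runs.
case "${1:-}" in
    audit) audit_settings ;;
    apply) apply_settings && audit_settings ;;
esac
```

Run it as `sh harden.sh audit` from any account to see where a host stands, and as root with `apply` to fix it. Values written to /proc/sys do not survive a reboot, so put the same settings in /etc/sysctl.conf (or your distribution's boot scripts) as well.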
Time Stamp Request Broadcast
An ICMP Timestamp Request (ICMP type 13) lets one system ask another for the
current time; the Timestamp Reply (type 14) carries the number of
milliseconds since midnight UTC. ICMP timestamp requests have been used to
synchronize clocks between systems instead of the rdate command because the
precision is better. Individual timestamp requests are normal, but there is
no need for a system to answer a broadcast request. You should also look into
NTP for keeping server clocks synchronized: it keeps time far more
accurately, and it supports authentication and peering of multiple time
sources, which makes it much harder to spoof. Once NTP is in place you can
drop ICMP type 13 (timestamp request) and type 14 (timestamp reply)
entirely: