
Basic Security kernel

Posted 20 June 2010 | Linux   

Many kernel network parameters can be altered through the /proc file system or with sysctl. In this post I set them by writing to /proc directly; the sysctl.conf equivalents are shown at the end.

Deactivate IP forwarding

#echo "0" > /proc/sys/net/ipv4/ip_forward

If this machine is not a router, make sure IP forwarding is turned off; a host that forwards packets can be used as a hop between the networks it is attached to.

Drop ping packets

#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

Attackers commonly identify live hosts by pinging them; ignoring ICMP echo requests keeps the machine from answering. Note that this only hides the host from ICMP-based sweeps (scanners fall back to ARP or TCP probes), and it also breaks legitimate reachability checks, so weigh it against your monitoring needs.

root@bsd:~# ping 192.168.182.250
PING 192.168.182.250 (192.168.182.250) 56(84) bytes of data.
(no replies are printed; the command hangs until interrupted with Ctrl-C)

Ignore broadcast pings

#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

This disables responses to ICMP echo requests sent to broadcast addresses and prevents the host from being used as an amplifier in a Smurf attack. The Smurf attack works by sending ICMP echo requests (type 8) to the broadcast address of a network with the source address spoofed to the victim's address. Every host on the network that answers floods the victim with echo replies.

Disable source routed packets

#echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

Do not accept source-routed packets. With source routing an attacker can craft traffic that appears to originate from inside your network while actually being routed back along the path it came from, bypassing address-based access controls. Source routing is rarely used for legitimate purposes, so it is safe to disable. Set conf/default/accept_source_route to 0 as well so that interfaces brought up later inherit the setting.

Disable redirect acceptance

#echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

Do not accept ICMP redirect packets. Redirects let a host on the local network rewrite your routing table, which an attacker can use to divert your traffic through a machine they control. For a host with forwarding disabled the kernel honours redirects if either conf/all or the per-interface accept_redirects is 1, so also set conf/default/accept_redirects (and any existing conf/<iface>/accept_redirects) to 0. A non-router should set send_redirects to 0 too.

Protect against bad error messages

#echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

Some routers violate RFC 1122 and send bogus error responses to broadcast frames; the kernel logs each one as a warning. Setting this to 1 suppresses those warnings, which keeps a misbehaving or malicious device on the local network from filling your logs. It does not change how the packets themselves are handled.

Enable reverse path filtering

for i in /proc/sys/net/ipv4/conf/*; do
/bin/echo "1" > $i/rp_filter
done

Turn on reverse path filtering. The kernel checks the source address of every incoming packet against the routing table and drops the packet if the route back to that source does not leave through the interface it arrived on, which defeats most IP spoofing. The loop sets it for every entry under net/ipv4/conf/ (including all and default) because source validation on an interface uses the higher of conf/all/rp_filter and conf/<iface>/rp_filter. A value of 1 is strict mode; on multi-homed hosts with asymmetric routing use 2 (loose mode) instead, or legitimate traffic will be dropped.

Log all spoofed, source routed and redirect packets

#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

Log spoofed packets, source-routed packets and redirect packets. They show up in the kernel log (dmesg) as "martian source" messages, which is useful for spotting spoofing attempts but can be noisy on a busy network.

/*done*/

These settings do not survive a reboot, so to make them persistent add them to /etc/sysctl.conf and load that file with sysctl -p (or use sysctl -w key=value for a one-off change).

ex:

(Manual, using echo):
#echo "0" > /proc/sys/net/ipv4/ip_forward

(Automatic, in /etc/sysctl.conf:)
net.ipv4.ip_forward = 0
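The whole procedure above (the echo commands and their sysctl.conf form) as one script that audits a host against the baseline, applies it, and prints the persistent lines. This is an example added to this post, not the original author's script. It assumes the sysctl knobs live under $SYSCTL_ROOT (default /proc/sys), which lets you dry-run it unprivileged against a scratch directory, and it adds the conf/default entries the post does not mention so that interfaces added later inherit the same values.

```shell
#!/bin/sh
# Audit and apply the IPv4 hardening baseline from this post.
# Example added to the post, not the original author's script.
# Assumption: sysctl knobs live under $SYSCTL_ROOT (default /proc/sys);
# pointing SYSCTL_ROOT at a scratch directory lets you dry-run it unprivileged.

# Desired state, one key=value per line in sysctl dotted notation.
# conf/default entries are an addition beyond the post, so interfaces
# brought up later inherit the same values.
BASELINE="
net.ipv4.ip_forward=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.log_martians=1
"

# net.ipv4.conf.all.rp_filter -> /proc/sys/net/ipv4/conf/all/rp_filter
sysctl_path() {
    printf '%s/%s\n' "${SYSCTL_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Print the live value of a key, or "missing" if the kernel has no such knob.
sysctl_get() {
    p=$(sysctl_path "$1")
    if [ -r "$p" ]; then
        tr -d '[:space:]' < "$p"
    else
        echo missing
    fi
}

# Compare every key with the baseline. Prints PASS/FAIL per key and
# returns the number of failing keys, so 0 means the host is compliant.
audit_baseline() {
    fails=0
    for entry in $BASELINE; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(sysctl_get "$key")
        if [ "$have" = "$want" ]; then
            echo "PASS $key = $have"
        else
            echo "FAIL $key = $have (want $want)"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Write the baseline into the tree. On a live system this needs root;
# knobs the kernel does not expose are reported and skipped, not fatal.
apply_baseline() {
    for entry in $BASELINE; do
        key=${entry%%=*}
        want=${entry#*=}
        p=$(sysctl_path "$key")
        if [ -w "$p" ]; then
            printf '%s\n' "$want" > "$p"
        else
            echo "SKIP $key: $p is not writable" >&2
        fi
    done
}

# Emit the same baseline in /etc/sysctl.conf syntax (load with: sysctl -p).
print_sysctl_conf() {
    for entry in $BASELINE; do
        printf '%s = %s\n' "${entry%%=*}" "${entry#*=}"
    done
}

# Usage: sh kernel-baseline.sh audit | apply | conf
case "${1:-}" in
    audit) audit_baseline ;;
    apply) apply_baseline ;;
    conf)  print_sysctl_conf ;;
esac
```

Run `sh kernel-baseline.sh audit` as any user to see which knobs deviate (the exit status is the number of failures, handy in a cron job or configuration check), `apply` as root to fix them immediately, and `conf >> /etc/sysctl.conf` followed by `sysctl -p` to make them permanent.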

    1 Comment

    1. Posted by Basic Security FreeBSD | kemangi's blog on 11 July 10 at 10:18am

      [...] etc same with basic security kernel linux [...]
