This site is now 100% read-only, and retired.

Secure Networking within kernel

Posted by markiemark on Fri 23 Sep 2005 at 16:37

While iptables is a viable means of limiting network intrusion from outside a local area network, and of confining users to an environment defined by the administrator, a lot can also be gained from the kernel's own "flags", if you will: settings that tell the kernel what to do, and what not to do, with specific protocols.

On closer inspection of /proc/sys/net/ipv4 (or ipv6, depending on your preference and use) you will quickly see a whole slew of files. As you work through the listing you will notice that most files simply contain a 1 (enable) or a 0 (disable), while some hold integers in their own right.

Setting an entry can be done by running a command like this:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all 
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all 

The first, of course, enables the setting and the second disables it.

An explanation of some of the rather interesting ones:

If you're not forwarding traffic between interfaces, or if you have only a single interface, it's usually a good idea to disable forwarding:

echo 0 > /proc/sys/net/ipv4/ip_forward

rp_filter rejects incoming packets whose source address does not match the interface they arrive on. This is a good way to prevent IP spoofing (though usually not a good idea if you have several IP addresses on different interfaces, or if a single interface carries multiple IP addresses).

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

If your kernel has been compiled with CONFIG_SYN_COOKIES, you can enable protection against SYN floods:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Some port scanners send ICMP ECHO requests to see which hosts are up. This is easily defeated, although enabling the setting will also break pings from legitimate machines:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

And finally, ignoring broadcast pings prevents you from becoming an unwilling participant in smurf attacks, for instance if your host is penetrated through a user account that was brute-forced or otherwise hacked into:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Generally, a lot can be had from the kernel's ability to perform various network tasks on the respective protocols, provided root sets them up that way.

Of course these entries depend on how your network is configured: for instance whether you need the ability to ping other hosts, whether you run a lot of IPs on a single interface, and so on. Any change made to a file can be reversed just as easily.
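The article sets each entry with a bare echo and notes that changes are easy to reverse. The script below is an added example (not part of the original post) that applies the article's values in one go while recording the previous value of every entry it touches, so the change can be undone exactly rather than from memory. It assumes a hypothetical script name harden.sh, a snapshot file path you choose, and its own SYSCTL_ROOT variable, which defaults to /proc/sys but can point at a copy of the tree for a dry run without root. The entries and values are the ones from the article; icmp_echo_ignore_all is deliberately left out because it breaks legitimate pings.

```shell
#!/bin/sh
# Added example: apply the article's /proc/sys hardening values and snapshot
# the old values first so they can be restored. SYSCTL_ROOT is this script's
# own assumption (not a kernel or sysctl feature): it defaults to /proc/sys.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# "relative path under /proc/sys=hardened value", one entry per line.
BASELINE="net/ipv4/ip_forward=0
net/ipv4/conf/all/rp_filter=1
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_broadcasts=1"

# Print the current value of one entry, or "missing" if the kernel does not
# expose it (e.g. net/ipv6 entries on a kernel built without IPv6).
get_entry() {
    if [ -r "$SYSCTL_ROOT/$1" ]; then cat "$SYSCTL_ROOT/$1"; else echo missing; fi
}

# Write a value to one entry; on the real /proc/sys this needs root.
set_entry() {
    printf '%s\n' "$2" > "$SYSCTL_ROOT/$1"
}

# Apply the baseline. Before each write, "path=old value" is appended to the
# snapshot file named in $1. Entries the kernel lacks are reported and skipped.
# Returns the number of entries that were actually changed.
apply_baseline() {
    snapshot=$1
    : > "$snapshot"
    changed=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(get_entry "$key")
        if [ "$have" = missing ]; then
            echo "SKIP    $key (not present in this kernel)"
        elif [ "$have" = "$want" ]; then
            echo "OK      $key already $want"
        else
            echo "$key=$have" >> "$snapshot"
            set_entry "$key" "$want"
            echo "SET     $key $have -> $want"
            changed=$((changed + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$changed"
}

# Put every entry recorded in the snapshot file ($1) back to its old value.
restore_snapshot() {
    while IFS='=' read -r key old; do
        [ -n "$key" ] || continue
        set_entry "$key" "$old"
        echo "RESTORE $key -> $old"
    done < "$1"
}

# Usage (as root):  ./harden.sh apply /var/tmp/sysctl.before
#                   ./harden.sh restore /var/tmp/sysctl.before
case "${1:-}" in
    apply)   apply_baseline "$2" ;;
    restore) restore_snapshot "$2" ;;
esac
```

Because the snapshot only records entries that actually changed, running apply twice is harmless, and restore never touches an entry that was already at the hardened value before you started.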

Re: Secure Networking within kernel
Posted by Steve (82.41.xx.xx) on Fri 23 Sep 2005 at 16:41

It is worth noting that you can set up a lot of these parameters in the file /etc/sysctl.conf.

For example to ignore broadcasts you can set:

net/ipv4/icmp_echo_ignore_broadcasts=1

This flag will then take effect the next time you reboot, or if you run:

sysctl

(Running either "man sysctl", or "man sysctl.conf" will give more details).

Steve
--


Re: Secure Networking within kernel
Posted by markiemark (67.184.xx.xx) on Fri 23 Sep 2005 at 16:45
That's very true; the same configurations can be made using sysctl, but it's a nice "on the fly" solution hehe :)


Re: Secure Networking within kernel
Posted by El_Cubano (66.93.xx.xx) on Fri 23 Sep 2005 at 23:55

That's awesome. I had always resorted to rebooting when updating something in /etc/sysctl.conf.


--
Roberto C. Sanchez
http://familiasanchez.net/~roberto/


Re: Secure Networking within kernel
Posted by Anonymous (24.58.xx.xx) on Fri 23 Sep 2005 at 17:23
Also of note, a few of these options (spoofprotect, syncookies, ip_forward) can be set in /etc/network/options, which is handled by /etc/init.d/networking (from the netbase package) at boot time.


Re: Secure Networking within kernel
Posted by dkg (216.254.xx.xx) on Sat 8 Oct 2005 at 02:27
It's probably a bad idea to get in the habit of using /etc/network/options. Apparently that config file is officially deprecated as of Debian's netbase package version 4.22, which just propagated into testing recently.

bug #322548 appears to have a decent summary of the rationale for this decision.


Re: Secure Networking within kernel
Posted by Anonymous (82.157.xx.xx) on Fri 23 Sep 2005 at 21:48
Don't forget IPv6!


Re: Secure Networking within kernel
Posted by Anonymous (81.57.xx.xx) on Tue 27 Sep 2005 at 16:19
Some others that might be of interest for this topic:
/proc/sys/net/ipv4/icmp_ratelimit
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/proc/sys/net/ipv4/conf/*/log_martians
/proc/sys/net/ipv4/conf/*/accept_redirects
/proc/sys/net/ipv4/conf/*/accept_source_route

For a complete reference of kernel IP tunable sysctls, see /usr/src/linux-2.6.11.12/Documentation/networking/ip-sysctl.txt

To reply to another comment: you don't need to reboot in order to apply /etc/sysctl.conf modifications on the fly:

sysctl -p /etc/sysctl.conf # is enough

By the way, setting all those params in /etc/sysctl.conf is IMHO the proper way to do it. One should never try to override (or be overridden by? are your scripts started before procps? take care!) a standard config file.

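Steve's comment and the one above both recommend putting the settings in /etc/sysctl.conf and loading them with sysctl -p, and the last comment raises the real risk with that approach: something else (a script run before procps, a later package) may silently override a value. The script below is an added example, not from the thread or from the sysctl tool itself, that parses a sysctl.conf-style file and checks whether each declared setting is actually in effect under /proc/sys. It handles both key spellings sysctl(8) accepts (net.ipv4.ip_forward and net/ipv4/ip_forward, as used in Steve's comment), # and ; comments, and multi-value entries such as ip_local_port_range, which /proc prints with a tab where the file has a space. SYSCTL_ROOT is this script's own knob (an assumption): it defaults to /proc/sys but can be pointed at a copy of the tree for a dry run.

```shell
#!/bin/sh
# Added example: verify that a sysctl.conf-style file is in effect by comparing
# every declared value with the live file under /proc/sys. SYSCTL_ROOT is this
# script's own assumption, not a sysctl feature; it defaults to /proc/sys.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Collapse runs of whitespace (including the tabs /proc uses between
# multi-value fields) to single spaces and trim both ends.
norm() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //;s/ $//'
}

# Map a sysctl key to its path below /proc/sys. sysctl(8) accepts both the
# dotted and the slash form; the slash form is unambiguous when an interface
# name itself contains a dot (VLAN interfaces such as eth0.100).
key_to_path() {
    printf '%s\n' "$1" | tr '.' '/'
}

# Read one live value, or print "missing" if the kernel has no such entry.
live_value() {
    if [ -r "$SYSCTL_ROOT/$1" ]; then cat "$SYSCTL_ROOT/$1"; else echo missing; fi
}

# Parse the file named in $1 line by line: skip blank lines and comments,
# split on the first "=", trim, then compare with the live value. Prints one
# OK/DRIFT/MISSING/SKIP line per setting and returns the number of settings
# that are not in effect (drifted or missing).
check_sysctl_conf() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(norm "$line")
        case "$line" in ''|'#'*|';'*) continue ;; esac
        case "$line" in
            *=*) ;;
            *) echo "SKIP    unparsable line: $line"; continue ;;
        esac
        key=$(norm "${line%%=*}")
        val=$(norm "${line#*=}")
        have=$(norm "$(live_value "$(key_to_path "$key")")")
        if [ "$have" = missing ]; then
            echo "MISSING $key (no such entry in this kernel)"
            bad=$((bad + 1))
        elif [ "$have" = "$val" ]; then
            echo "OK      $key = $have"
        else
            echo "DRIFT   $key = $have (file says $val)"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Usage: ./check-sysctl.sh /etc/sysctl.conf   (exit status = number of problems)
if [ $# -ge 1 ]; then
    check_sysctl_conf "$1"
fi
```

Run it right after sysctl -p to confirm the load worked, and again after boot has finished: a DRIFT line at that point means some other boot-time component wrote the entry after procps did, which is exactly the ordering problem the last comment warns about.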