Jan 06

The proc filesystem offers some significant enhancements to your network security settings. Unfortunately, most of us know little about it beyond vague rumors. In this article, we’ll review some of the essential kernel parameters that can be altered through the /proc filesystem to improve the overall network security of your Linux server.

The proc filesystem is an area that is all too frequently neglected. The pseudo-file structure within proc lets you interface with the kernel’s internal data structures, either to obtain information about the system or to change specific settings.

IP Specific Settings

IP forwarding of packets between interfaces is enabled by default on many systems. If you’re not intending for your box to forward traffic between interfaces, or if you only have a single interface, it would probably be a good idea to disable forwarding. Note that altering this value resets all configuration parameters to their default values, so you’ll want to modify this one before all other /proc settings.

if [ -r /proc/sys/net/ipv4/ip_forward ]; then
  echo "Disabling IP forwarding"
  echo "0" > /proc/sys/net/ipv4/ip_forward
fi

If your operating system is RedHat AS3/4/5 or CentOS 3/4/5, you can also set this persistently in the /etc/sysctl.conf file:

net.ipv4.ip_forward = 0


If instead you decide to enable forwarding, you will also want to consider the rp_filter setting, something that is often misunderstood by network administrators. The rp_filter can reject incoming packets if their source address doesn’t match the network interface they arrive on, which helps prevent IP spoofing. Turning this on, however, has its consequences: if your host has several IP addresses on different interfaces, or if your single interface has multiple IP addresses on it, you may find that your kernel rejects valid traffic. It’s also important to note that protection against broadcast spoofing is always on, even if you do not enable rp_filter. Also, the protection it provides is only against spoofed internal addresses; external addresses can still be spoofed. By default, it is disabled. To enable it, run the following:

if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  echo "Enabling rp_filter"
  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
fi

If your operating system is RedHat AS3/4/5 or CentOS 3/4/5, you can also set this persistently in the /etc/sysctl.conf file:

net.ipv4.conf.all.rp_filter = 1

You may also have noticed the "all" subdirectory in this last example. In /proc/sys/net/ipv4/conf there is one subdirectory for each interface on your system, along with one directory called "all". Changes made in a specific interface’s directory affect only that interface, while changes made in the "all" directory affect every interface on the system.
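Because the kernel combines the value in conf/all with the per-interface value in a setting-specific way (documented in ip-sysctl.txt), it is worth checking whether any interface directory disagrees with conf/all after you change a setting. The following script is an added example and not part of the original article: audit_conf_key walks every interface directory under net/ipv4/conf and reports values that differ from conf/all. The ROOT argument is an assumption introduced here so the same function can run against /proc/sys on a live host or against a constructed temporary tree (make_fake_tree) when testing without root.

```shell
#!/bin/sh
# Added example (not from the original article): compare a per-interface
# setting under net/ipv4/conf/<iface>/ with the value in conf/all.
# ROOT is an assumed parameter: /proc/sys on a live host, a constructed
# temporary tree when testing without root.

# audit_conf_key ROOT KEY
# Prints "<iface> <value>" for every interface directory and returns the
# number of interfaces whose value differs from conf/all/KEY. The "all" and
# "default" directories are skipped: "all" is the reference value and
# "default" only seeds interfaces created later.
audit_conf_key() {
    conf_dir="$1/net/ipv4/conf"
    key="$2"
    all_file="$conf_dir/all/$key"
    if ! [ -r "$all_file" ]; then
        echo "cannot read $all_file" >&2
        return 255
    fi
    all_value=$(cat "$all_file")
    differing=0
    for dir in "$conf_dir"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir$key" ] || continue
        value=$(cat "$dir$key")
        if [ "$value" = "$all_value" ]; then
            echo "$iface $value"
        else
            echo "$iface $value (conf/all/$key is $all_value)"
            differing=$((differing + 1))
        fi
    done
    return "$differing"
}

# make_fake_tree DIR
# Constructed stand-in for the conf tree with lo and eth0, where eth0 still
# has rp_filter=0 although conf/all was set to 1 (constructed drift).
make_fake_tree() {
    for iface in all default lo eth0; do
        mkdir -p "$1/net/ipv4/conf/$iface"
        echo 1 > "$1/net/ipv4/conf/$iface/rp_filter"
        echo 0 > "$1/net/ipv4/conf/$iface/accept_source_route"
    done
    echo 0 > "$1/net/ipv4/conf/eth0/rp_filter"
}

# Demonstration on the constructed tree; on a live host run
#   audit_conf_key /proc/sys rp_filter
demo=$(mktemp -d)
make_fake_tree "$demo"
audit_conf_key "$demo" rp_filter || echo "$? interface(s) differ from conf/all"
audit_conf_key "$demo" accept_source_route
rm -rf "$demo"
```

The return value is the count of disagreeing interfaces, so the function can be dropped into a cron job or a configuration check that treats any non-zero status as a finding.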

If you have compiled your kernel with CONFIG_SYNCOOKIES, you will be able to optionally turn protection against SYN flood attacks on or off. Note that compiling the kernel with this option does not enable it by default. It works by sending out ‘syncookies’ when the SYN backlog queue of a socket overflows. What is often misunderstood is that socket backlogging is not supported in newer operating systems, which means that your error messages may not be correctly received by the offending system. Also, if you see SYN flood warnings in your logs, make sure they are not the result of a heavily loaded server before enabling this setting. Syncookies can also cause connection problems for other hosts attempting to reach you. However, if you do want to enable this setting, perform the following:

if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo "Enabling tcp_syncookies"
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
fi

If your operating system is RedHat AS3/4/5 or CentOS 3/4/5, you can also set this persistently in the /etc/sysctl.conf file:

net.ipv4.tcp_syncookies = 1

Normally, a host has no control over the route any particular packet takes beyond its first hop. It is up to the other hosts on the network to complete the delivery. IP Source Routing (SRR) is a method of specifying the exact path that a packet should take among the other hosts to get to its destination. This is generally a bad idea for the security conscious, as someone could direct packets to you through a trusted interface and effectively bypass your security in some cases. A good example is traffic such as SSH or telnet that is blocked on one interface but, if source routing is used, arrives on another of your host’s interfaces, which you might not have anticipated in your firewall settings. You’ll probably want to disable this setting with:

if [ -r /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  echo "Disabling source routing"
  echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
fi

If your operating system is RedHat AS3/4/5 or CentOS 3/4/5, you can also set this persistently in the /etc/sysctl.conf file:

net.ipv4.conf.all.accept_source_route = 0

Packets that have source addresses with no known route are referred to as "martians". For example, if you have two different subnets plugged into the same hub, the routers on each end will see each other’s traffic as martians. Such packets should never show up in the first place; to log them to the kernel log, you’ll need to issue:

if [ -r /proc/sys/net/ipv4/conf/all/log_martians ]; then
  echo "Enabling logging of martians"
  echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
fi

If your operating system is RedHat AS3/4/5 or CentOS 3/4/5, you can also set this persistently in the /etc/sysctl.conf file:

net.ipv4.conf.all.log_martians = 1
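The five IP settings above follow the same pattern each time: guard the /proc entry, write the value, and mirror it as a dotted key in sysctl.conf. The script below is an added example, not code from the original article, that applies all five in one pass (ip_forward first, for the reset reason given earlier), records the previous value of each entry so a change can be reverted, and renders the matching sysctl.conf lines from the same list. The ROOT argument, the IPV4_SETTINGS list, and make_fake_tree are assumptions introduced here so the script can be exercised against a constructed temporary tree without root; on a live host ROOT is /proc/sys.

```shell
#!/bin/sh
# Added example (not part of the original article): apply the IP settings
# discussed above in one pass and emit the matching sysctl.conf lines.
# ROOT is an assumed parameter: /proc/sys on a live host, a constructed
# temporary tree when testing without root.

# The settings from the article, one "relative-path value" pair per line.
# ip_forward comes first because, as the article notes, writing it resets
# the other interface parameters to their defaults.
IPV4_SETTINGS='
net/ipv4/ip_forward 0
net/ipv4/conf/all/rp_filter 1
net/ipv4/tcp_syncookies 1
net/ipv4/conf/all/accept_source_route 0
net/ipv4/conf/all/log_martians 1
'

# proc_path_to_sysctl_key net/ipv4/conf/all/rp_filter
#   -> net.ipv4.conf.all.rp_filter
# Unambiguous only while no directory name contains a dot; VLAN
# sub-interfaces such as eth0.100 would need the slash form.
proc_path_to_sysctl_key() {
    printf '%s\n' "$1" | tr '/' '.'
}

# set_proc_value ROOT PATH VALUE
# Mirrors the article's "[ -r ... ] && echo" idiom, but checks for write
# access and reports the previous value so the change can be reverted.
# Returns 0 when written, 1 when the entry is absent or not writable.
set_proc_value() {
    file="$1/$2"
    if [ -w "$file" ]; then
        old=$(cat "$file")
        echo "$3" > "$file"
        echo "$2: $old -> $3"
        return 0
    fi
    echo "$2: skipped (absent or not writable)" >&2
    return 1
}

# apply_settings ROOT
# Applies every pair in IPV4_SETTINGS in order; returns the number skipped.
apply_settings() {
    root="$1"
    skipped=0
    while read -r path value; do
        [ -n "$path" ] || continue
        set_proc_value "$root" "$path" "$value" || skipped=$((skipped + 1))
    done <<EOF
$IPV4_SETTINGS
EOF
    return "$skipped"
}

# render_sysctl_conf
# Prints the same settings as sysctl.conf lines ("key = value").
render_sysctl_conf() {
    while read -r path value; do
        [ -n "$path" ] || continue
        echo "$(proc_path_to_sysctl_key "$path") = $value"
    done <<EOF
$IPV4_SETTINGS
EOF
}

# make_fake_tree DIR
# Constructed stand-in holding the opposite of every target value.
# tcp_syncookies is deliberately absent, standing in for a kernel built
# without CONFIG_SYNCOOKIES: it must be skipped, not abort the run.
make_fake_tree() {
    mkdir -p "$1/net/ipv4/conf/all"
    echo 1 > "$1/net/ipv4/ip_forward"
    echo 0 > "$1/net/ipv4/conf/all/rp_filter"
    echo 1 > "$1/net/ipv4/conf/all/accept_source_route"
    echo 0 > "$1/net/ipv4/conf/all/log_martians"
}

# Demonstration on the constructed tree; on a live host run, as root,
#   apply_settings /proc/sys
demo=$(mktemp -d)
make_fake_tree "$demo"
apply_settings "$demo" || echo "$? setting(s) skipped"
echo "--- sysctl.conf lines ---"
render_sysctl_conf
rm -rf "$demo"
```

Keeping the list in one place means the live change and the persistent sysctl.conf entry cannot drift apart, and the "old -> new" lines give you a record to paste into a change ticket or to replay in reverse.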

ICMP Specific Settings

Ping scanning is typically used to determine which hosts on a network are up. Usually this is done by sending ICMP ECHO request packets to the target host. This is seemingly innocent behavior; however, network administrators often block such traffic to increase their obscurity. The choices involve ignoring ICMP ECHO requests sent to broadcast/multicast addresses and those sent directly to the host itself. The respective commands to disable this protection (writing "1" instead enables it) are:

echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all

ICMP redirect messages can also be a pain. If your box is not acting as a router, you’ll probably want to stop accepting them:

echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

Sometimes you will come across routers that send out invalid responses to broadcast frames. This is a violation of RFC 1122, "Requirements for Internet Hosts — Communication Layers". As a result, these events are logged by the kernel. To avoid filling up your logfile with unnecessary clutter, you can tell the kernel not to issue these warnings:

echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
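Unlike the IP section, the ICMP lines above are bare echo commands, so a host can easily end up in a mixed state (some settings hardened, others at the kernel default). The script below is an added example, not part of the original article: a read-only drift check that reads each ICMP-related entry and prints a fixed-layout status line that can be grepped or shipped to a log collector. It treats ignoring broadcast echoes, refusing redirects and ignoring bogus error responses as the hardened state, and reports icmp_echo_ignore_all as informational only, since answering direct pings is a policy choice the article leaves to the administrator. ROOT, ICMP_EXPECTED and make_fake_tree are assumptions introduced for this example so it can run against a constructed tree without root; on a live host ROOT is /proc/sys.

```shell
#!/bin/sh
# Added example (not from the original article): read-only drift check for
# the ICMP-related settings above. ROOT is an assumed parameter: /proc/sys
# on a live host, a constructed temporary tree when run without root.

# Expected hardened values. icmp_echo_ignore_all is listed with "-" because
# answering pings is a policy choice; it is reported, never counted as drift.
ICMP_EXPECTED='
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/icmp_echo_ignore_all -
net/ipv4/conf/all/accept_redirects 0
net/ipv4/icmp_ignore_bogus_error_responses 1
'

# read_setting ROOT PATH
# Prints the current value, or "absent" when the entry does not exist.
read_setting() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo absent; fi
}

# icmp_audit ROOT
# Prints one "STATUS path current=X expected=Y" line per setting and returns
# the number of settings whose value differs from the expected one.
icmp_audit() {
    root="$1"
    drift=0
    while read -r path expected; do
        [ -n "$path" ] || continue
        current=$(read_setting "$root" "$path")
        if [ "$expected" = "-" ]; then
            status=INFO
        elif [ "$current" = "$expected" ]; then
            status=OK
        else
            status=DRIFT
            drift=$((drift + 1))
        fi
        echo "$status $path current=$current expected=$expected"
    done <<EOF
$ICMP_EXPECTED
EOF
    return "$drift"
}

# make_fake_tree DIR
# Constructed stand-in with two entries left in the non-hardened state the
# article's echo "0" lines would produce, and one already hardened.
make_fake_tree() {
    mkdir -p "$1/net/ipv4/conf/all"
    echo 0 > "$1/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 0 > "$1/net/ipv4/icmp_echo_ignore_all"
    echo 1 > "$1/net/ipv4/conf/all/accept_redirects"
    echo 1 > "$1/net/ipv4/icmp_ignore_bogus_error_responses"
}

# Demonstration on the constructed tree; on a live host run
#   icmp_audit /proc/sys      (needs only read access)
demo=$(mktemp -d)
make_fake_tree "$demo"
icmp_audit "$demo" || echo "$? setting(s) drifted"
rm -rf "$demo"
```

Because the check only reads /proc, it can run as an unprivileged monitoring user, and a non-zero exit status is enough to raise an alert without parsing the output.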

Additional Resources

For more information regarding the /proc filesystem, you can refer to the documentation that comes with the Linux kernel source. Of specific help is Documentation/filesystems/proc.txt by Bowden, Bauer & Nerin. Additionally, you can refer to Documentation/networking/ip-sysctl.txt by Kuznetsov & Savola.

One Response to “Network Security with Linux Kernel”

  1. Thanks for the fantastic info – I loved reading it! I always enjoy your blog. :)
