Editorial review of System Tuning for Security.
Sponsored by: iXsystems
This commit is contained in:
parent
f8416834f1
commit
b8a75b0b58
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44730
1 changed files with 56 additions and 51 deletions
@ -568,32 +568,36 @@ cat changed
|
|||
<sect2 xml:id="security-tuning">
|
||||
<title>System Tuning for Security</title>
|
||||
|
||||
<para>Many of the systems features may be tuned through the use
|
||||
of &man.sysctl.8;. This is also true for a few security
|
||||
features which could be used to prevent denial of service
|
||||
(<acronym>DOS</acronym>) style attacks. Some of the more
|
||||
important will be covered here. Any time a setting is changed
|
||||
with &man.sysctl.8;, the chance to cause undesired harm is
|
||||
increased affecting the availability of the system.
|
||||
Considering the <acronym>CIA</acronym> of the system should be
|
||||
done during any system-wide configuration change.</para>
|
||||
<para>In &os;, many system features can be tuned using
|
||||
<command>sysctl</command>. A few of the security
|
||||
features which can be tuned to prevent Denial of Service
|
||||
(<acronym>DoS</acronym>) attacks
|
||||
will be covered in this section. More information about using
|
||||
<command>sysctl</command>, including how to temporarily change
|
||||
values and how to make the changes permanent after testing,
|
||||
can be found in <xref
|
||||
linkend="configtuning-sysctl"/>.</para>
|
||||
|
||||
<para>The following is a list of &man.sysctl.8;'s and a short
|
||||
description of what effects the changes will have on the
|
||||
system.</para>
|
||||
<note>
|
||||
<para>Any time a setting is changed
|
||||
with <command>sysctl</command>, the chance to cause undesired harm is
|
||||
increased, affecting the availability of the system. All changes
|
||||
should be monitored and, if possible, tried on a testing
|
||||
system before being used on a production system.</para>
|
||||
</note>
|
||||
|
||||
<para>By default, the &os; kernel boots with a security level of
|
||||
-1. This is called <quote>insecure mode</quote> because
|
||||
<literal>-1</literal>. This is called <quote>insecure mode</quote> because
|
||||
immutable file flags may be turned off and all devices may be
|
||||
read from or written to. The security level will remain at -1
|
||||
unless it is altered, either by the administrator or by
|
||||
&man.init.8;, because of a setting in the startup scripts.
|
||||
The security level may be raised during system startup by
|
||||
read from or written to. The security level will remain at <literal>-1</literal>
|
||||
unless it is altered through <command>sysctl</command> or by
|
||||
a setting in the startup scripts.
|
||||
The security level may be increased during system startup by
|
||||
setting <varname>kern_securelevel_enable</varname> to
|
||||
<literal>YES</literal> in <filename>/etc/rc.conf</filename>,
|
||||
and the value of <varname>kern_securelevel</varname> to the
|
||||
desired security level. See &man.security.7; and &man.init.8;
|
||||
for more information on these settings.</para>
|
||||
for more information on these settings and the available security levels.</para>
|
||||
|
||||
<warning>
|
||||
<para>Increasing the <varname>securelevel</varname> can break
|
||||
|
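Review bot: the rewritten opening paragraph drops the old sentence about considering the CIA of the system during any system-wide configuration change, which was this section's only mention of confidentiality and integrity; the new <note> warns only about availability. Consider keeping a rephrased version inside the <note>, e.g. "Consider the effect on the confidentiality, integrity, and availability of the system before making any system-wide change." Two smaller points in the same hunk: "security features which can be tuned to prevent Denial of Service (DoS) attacks" overstates what the settings that follow do ("help mitigate" is closer), and the unchanged line "what effects the changes will have on the system" should read "what effect".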
@ -601,45 +605,46 @@ cat changed
|
|||
prepared to do some debugging.</para>
|
||||
</warning>
|
||||
|
||||
<para>Next &man.sysctl.8;s to change is the
|
||||
net.inet.tcp.blackhole and net.inet.udp.blackhole. When these
|
||||
are set, incoming <acronym>SYN</acronym> packets on closed
|
||||
ports will be dropped with no return <acronym>RST</acronym>
|
||||
response. The normal behavior is to return an
|
||||
<acronym>RST</acronym> to show a port is closed. These will
|
||||
provide some level of protection against
|
||||
<quote>stealth</quote> scans against a system. Set the
|
||||
net.inet.tcp.blackhole to <quote>2</quote> and the
|
||||
net.inet.udp.blackhole to <quote>1</quote> and review the
|
||||
information in &man.blackhole.4; for more information.</para>
|
||||
<para>The <varname>net.inet.tcp.blackhole</varname> and
|
||||
<varname>net.inet.udp.blackhole</varname> settings can be used
|
||||
to drop incoming <acronym>SYN</acronym> packets on closed
|
||||
ports without sending a return <acronym>RST</acronym>
|
||||
response. The default behavior is to return an
|
||||
<acronym>RST</acronym> to show a port is closed. Changing the default
|
||||
provides some level of protection against
|
||||
ports scans, which are used to determine
|
||||
which applications are running on a system. Set
|
||||
<varname>net.inet.tcp.blackhole</varname> to <literal>2</literal> and
|
||||
<varname>net.inet.udp.blackhole</varname> to <literal>1</literal>.
|
||||
Refer to &man.blackhole.4; for more information about these settings.</para>
|
||||
|
||||
<para>Additionally the net.inet.icmp.drop_redirect and
|
||||
net.inet.ip.redirect should be set as well. These two
|
||||
&man.sysctl.8;s will help prevent against what are called
|
||||
redirect attacks. Redirect attacks are the purposeful mass
|
||||
issuing of <acronym>ICMP</acronym> type 5 packets which should
|
||||
not be required in a normal network. As such, set
|
||||
net.inet.icmp.drop_redirect to <quote>1</quote> and set
|
||||
net.inet.ip.redirect to <quote>0</quote>.</para>
|
||||
<para>The <varname>net.inet.icmp.drop_redirect</varname> and
|
||||
<varname>net.inet.ip.redirect</varname> settings
|
||||
help prevent against
|
||||
<firstterm>redirect attacks</firstterm>. A redirect attack is a type of <acronym>DoS</acronym> which sends mass
|
||||
numbers of <acronym>ICMP</acronym> type 5 packets. Since these packets
|
||||
are not required, set
|
||||
<varname>net.inet.icmp.drop_redirect</varname> to <literal>1</literal> and set
|
||||
<varname>net.inet.ip.redirect</varname> to <literal>0</literal>.</para>
|
||||
|
||||
<para>Source routing is method of detecting and accessing
|
||||
<para>Source routing is a method for detecting and accessing
|
||||
non-routable addresses on the internal network. This should
|
||||
probably be disabled as non-routable addresses are normally
|
||||
be disabled as non-routable addresses are normally
|
||||
not routable on purpose. To disable this feature, set
|
||||
net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute
|
||||
to <quote>0</quote>.</para>
|
||||
<varname>net.inet.ip.sourceroute</varname> and
|
||||
<varname>net.inet.ip.accept_sourceroute</varname>
|
||||
to <literal>0</literal>.</para>
|
||||
|
||||
<para>Drop all <acronym>ICMP</acronym> echo requests to the
|
||||
broadcast address. When machine on the network need to
|
||||
send messages to all hosts on a subnet, the message is sent
|
||||
to the broadcast address. There is no reason an external
|
||||
host should need to perform such an action so set
|
||||
net.inet.icmp.bmcastecho to <quote>0</quote> to reject
|
||||
all external broadcast requests.</para>
|
||||
<para>When a machine on the network needs to
|
||||
send messages to all hosts on a subnet, an
|
||||
<acronym>ICMP</acronym> echo request message is sent
|
||||
to the broadcast address. However, there is no reason for an external
|
||||
host to perform such an action. To reject
|
||||
all external broadcast requests, set
|
||||
<varname>net.inet.icmp.bmcastecho </varname>to <literal>0</literal>.</para>
|
||||
|
||||
<para>Some additional &man.sysctl.8;s are documented in
|
||||
&man.security.7; and it is recommended it be consulted for
|
||||
additional information.</para>
|
||||
<para>Some additional settings are documented in
|
||||
&man.security.7;.</para>
|
||||
</sect2>
|
||||
</sect1>
|
||||
|
||||
|
|
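Review bot: the new blackhole paragraph describes both net.inet.tcp.blackhole and net.inet.udp.blackhole as dropping "incoming SYN packets on closed ports without sending a return RST response", but SYN and RST are TCP concepts only; the UDP setting concerns datagrams to closed ports and the ICMP response that would otherwise be returned, so the sentence should distinguish the two protocols rather than describe UDP in TCP terms. In the redirect paragraph, "A redirect attack is a type of DoS" is a classification the old text did not make; ICMP type 5 is Redirect, whose effect is to alter a host's routing, so either describe the risk as unwanted route changes or drop the DoS label, and the old qualifier "should not be required in a normal network" was safer than the unconditional "these packets are not required". Finally, "ports scans" should be "port scans", and `<varname>net.inet.icmp.bmcastecho </varname>to` has a stray space inside the element and none after it; it should be `<varname>net.inet.icmp.bmcastecho</varname> to`.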