diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.xml b/en_US.ISO8859-1/books/handbook/security/chapter.xml index 08ee1ff242..adb319e9ee 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.xml 
@@ -568,32 +568,36 @@ cat changed System Tuning for Security - Many of the systems features may be tuned through the use - of &man.sysctl.8;. This is also true for a few security - features which could be used to prevent denial of service - (DOS) style attacks. Some of the more - important will be covered here. Any time a setting is changed - with &man.sysctl.8;, the chance to cause undesired harm is - increased affecting the availability of the system. - Considering the CIA of the system should be - done during any system-wide configuration change. + In &os;, many system features can be tuned using + sysctl. A few of the security + features which can be tuned to prevent Denial of Service + (DoS) attacks + will be covered in this section. More information about using + sysctl, including how to temporarily change + values and how to make the changes permanent after testing, + can be found in . - The following is a list of &man.sysctl.8;'s and a short - description of what effects the changes will have on the - system. + + Any time a setting is changed + with sysctl, the chance to cause undesired harm is + increased, affecting the availability of the system. All changes + should be monitored and, if possible, tried on a testing + system before being used on a production system. + By default, the &os; kernel boots with a security level of - -1. This is called insecure mode because + -1. This is called insecure mode because immutable file flags may be turned off and all devices may be - read from or written to. The security level will remain at -1 - unless it is altered, either by the administrator or by - &man.init.8;, because of a setting in the startup scripts. - The security level may be raised during system startup by + read from or written to. The security level will remain at -1 + unless it is altered through sysctl or by + a setting in the startup scripts. 
+ The security level may be increased during system startup by setting kern_securelevel_enable to YES in /etc/rc.conf, and the value of kern_securelevel to the desired security level. See &man.security.7; and &man.init.8; - for more information on these settings. + for more information on these settings and the available security levels. Increasing the securelevel can break 
@@ -601,45 +605,46 @@ cat changed prepared to do some debugging. - Next &man.sysctl.8;s to change is the - net.inet.tcp.blackhole and net.inet.udp.blackhole. When these - are set, incoming SYN packets on closed - ports will be dropped with no return RST - response. The normal behavior is to return an - RST to show a port is closed. These will - provide some level of protection against - stealth scans against a system. Set the - net.inet.tcp.blackhole to 2 and the - net.inet.udp.blackhole to 1 and review the - information in &man.blackhole.4; for more information. + The net.inet.tcp.blackhole and + net.inet.udp.blackhole settings can be used + to drop incoming SYN packets on closed + ports without sending a return RST + response. The default behavior is to return an + RST to show a port is closed. Changing the default + provides some level of protection against + ports scans, which are used to determine + which applications are running on a system. Set + net.inet.tcp.blackhole to 2 and + net.inet.udp.blackhole to 1. + Refer to &man.blackhole.4; for more information about these settings. - Additionally the net.inet.icmp.drop_redirect and - net.inet.ip.redirect should be set as well. These two - &man.sysctl.8;s will help prevent against what are called - redirect attacks. Redirect attacks are the purposeful mass - issuing of ICMP type 5 packets which should - not be required in a normal network. As such, set - net.inet.icmp.drop_redirect to 1 and set - net.inet.ip.redirect to 0. + The net.inet.icmp.drop_redirect and + net.inet.ip.redirect settings + help prevent against + redirect attacks. A redirect attack is a type of DoS which sends mass + numbers of ICMP type 5 packets. Since these packets + are not required, set + net.inet.icmp.drop_redirect to 1 and set + net.inet.ip.redirect to 0. - Source routing is method of detecting and accessing + Source routing is a method for detecting and accessing non-routable addresses on the internal network. 
This should - probably be disabled as non-routable addresses are normally + be disabled as non-routable addresses are normally not routable on purpose. To disable this feature, set - net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute - to 0. + net.inet.ip.sourceroute and + net.inet.ip.accept_sourceroute + to 0. - Drop all ICMP echo requests to the - broadcast address. When machine on the network need to - send messages to all hosts on a subnet, the message is sent - to the broadcast address. There is no reason an external - host should need to perform such an action so set - net.inet.icmp.bmcastecho to 0 to reject - all external broadcast requests. + When a machine on the network needs to + send messages to all hosts on a subnet, an + ICMP echo request message is sent + to the broadcast address. However, there is no reason for an external + host to perform such an action. To reject + all external broadcast requests, set + net.inet.icmp.bmcastecho to 0. - Some additional &man.sysctl.8;s are documented in - &man.security.7; and it is recommended it be consulted for - additional information. + Some additional settings are documented in + &man.security.7;.
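Review bot: In the @@ -568,32 +568,36 @@ hunk, the reworded securelevel sentence "The security level will remain at -1 unless it is altered through sysctl or by a setting in the startup scripts" reads as if the level can be moved in either direction with sysctl. On a running system the securelevel can only be raised, so I would write "unless it is raised" and name the variable (kern.securelevel) so the reader knows what to set. Also in this hunk, the warning keeps the awkward "the chance to cause undesired harm is increased, affecting the availability of the system"; a plainer form such as "changing a setting with sysctl can have unintended effects on the availability of the system" would read better.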
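Review bot: In the @@ -601,45 +605,46 @@ hunk, the blackhole paragraph describes both net.inet.tcp.blackhole and net.inet.udp.blackhole as dropping "incoming SYN packets on closed ports without sending a return RST response", but SYN and RST are TCP only. For UDP the reply that gets suppressed on a closed port is the ICMP port unreachable message, so the UDP setting needs its own clause. The paragraph also tells the reader to set the TCP value to 2 without saying how that differs from 1; one sentence on that would save a trip to blackhole(4). Wording in the same hunk: "ports scans" should be "port scans", and "help prevent against redirect attacks" should be "help protect against" or "help prevent". The rewritten broadcast paragraph now says that a machine messaging all hosts on a subnet sends "an ICMP echo request message", which is narrower than the old sentence about broadcast messages in general; the removed lead-in "Drop all ICMP echo requests to the broadcast address" stated what net.inet.icmp.bmcastecho does more directly, and I would keep it in some form.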