 

/proc/sys

Contents

1. Introduction

2. Requirements

3. ICMP

4. IP





1. Introduction

So you have installed your very own firewall and you think you're ready to go and nobody can hurt you? Think again. There is no way to build a system that is completely secure. The only thing you can do is your utmost best to build the most secure system you are able to, and it will still never be 100%. One helpful tool in hardening a Linux system is the /proc filesystem, more precisely the kernel tunables under /proc/sys (the same values the sysctl command reads and writes). These settings do not replace your firewall ruleset but merely add some significant enhancements. Keep in mind that a value written to /proc/sys is lost at the next reboot: put the settings you decide on in /etc/sysctl.conf (in the form net.ipv4.ip_forward = 0) or in a boot script as well.

Some further reading can be found at http://hr.uoregon.edu/davidrl/Documentation/filesystems/proc.txt

2. Requirements

Before you can make use of /proc/sys, check your kernel configuration for two settings: CONFIG_PROC_FS (this gives you the /proc filesystem and the possibility to view what is in it) and CONFIG_SYSCTL (this gives you the tunables under /proc/sys and the possibility to actually change them). On a running kernel the configuration is usually found as /boot/config-$(uname -r) or, if the kernel was built with CONFIG_IKCONFIG_PROC, as /proc/config.gz. Writing to the files under /proc/sys requires root.
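The check described above as a small script, added here as an example (it is not part of the original page). It looks for the running kernel's configuration in the two usual places, /proc/config.gz and /boot/config-$(uname -r), and reports the state of CONFIG_PROC_FS and CONFIG_SYSCTL; the function names are my own, and the two config locations are assumptions that hold for most distribution kernels.

```shell
#!/bin/sh
# Added example, not from the original page: locate the running kernel's
# configuration and report whether CONFIG_PROC_FS and CONFIG_SYSCTL are set.

# Print the path of a readable config for the running kernel, or nothing.
# /proc/config.gz exists only when the kernel was built with
# CONFIG_IKCONFIG_PROC; /boot/config-<release> is what distributions install.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# kconfig_state FILE OPTION: print y, m, n ("# OPTION is not set") or
# "absent" for OPTION in the kernel config FILE (plain text or gzipped).
kconfig_state() {
    file=$1; opt=$2
    case $file in
        *.gz) reader="gzip -dc" ;;
        *)    reader=cat ;;
    esac
    # Require "=" or " is not set" right after the name, so CONFIG_PROC_FS
    # does not match CONFIG_PROC_FS_FOO. grep's exit status 1 on no match
    # is swallowed by the pipeline (head decides the status).
    line=$($reader "$file" | grep -E "^(# )?$opt(=| is not set)" | head -n 1)
    case $line in
        "$opt=y")            echo y ;;
        "$opt=m")            echo m ;;
        "# $opt is not set") echo n ;;
        "")                  echo absent ;;
        *)                   echo "${line#*=}" ;;   # string or numeric option
    esac
}

# check_proc_requirements: 0 when both options are built in, 1 when one is
# missing or modular, 2 when no config file could be found at all.
check_proc_requirements() {
    cfg=$(find_kernel_config)
    if [ -z "$cfg" ]; then
        echo "no kernel config found; check CONFIG_PROC_FS and CONFIG_SYSCTL by hand"
        return 2
    fi
    rc=0
    for opt in CONFIG_PROC_FS CONFIG_SYSCTL; do
        state=$(kconfig_state "$cfg" "$opt")
        echo "$opt: $state (from $cfg)"
        [ "$state" = y ] || rc=1
    done
    return $rc
}

if check_proc_requirements; then
    echo "/proc/sys should be available and writable by root"
elif [ -d /proc/sys/net/ipv4 ]; then
    echo "config not confirmed, but /proc/sys/net/ipv4 is present on the running kernel"
else
    echo "cannot confirm /proc/sys support on this kernel"
fi
```

Run it as any user; only the config file is read. When neither location exists (a custom kernel without CONFIG_IKCONFIG_PROC and no config copied to /boot), the presence of /proc/sys/net/ipv4 on the live system is the fallback evidence.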

3. ICMP

Ping scanning is a way to determine which hosts on a network are up by sending ICMP echo requests to each address. You can make your host stop answering them with
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
The first setting only ignores echo requests sent to a broadcast or multicast address. That stops the host from taking part in smurf-style amplification attacks and is safe on practically every machine. The second ignores every echo request: the host no longer shows up in a ping sweep, but your own monitoring can no longer ping it either, and a scanner that skips the ping (nmap -Pn, for instance) will still find the open TCP and UDP ports. Decide per host whether that trade-off is worth it.
Another ICMP message to think about is the route redirect, with which a router tells a host to use a different gateway for a destination. Anyone on the local network can forge such a message and pull your traffic through their own machine. If your host does not need to learn routes this way, disable them
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
and, since a host that is not a router has no business sending redirects itself, set conf/all/send_redirects to 0 as well. Note that for some of these settings (accept_redirects is one) the kernel combines the value in conf/all with the per-interface value in conf/eth0 and friends, so also set conf/default (which new interfaces inherit) and verify the per-interface entries instead of trusting conf/all alone.
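An audit script for the ICMP settings, added here as an example (not code from the original page). It reads the values back instead of writing them, and checks accept_redirects and send_redirects in every directory under conf/, so a per-interface entry that still accepts redirects is caught. The SYSCTL_ROOT variable and the function names are my own; SYSCTL_ROOT defaults to /proc/sys and only exists so the same functions can be pointed at a saved copy of the tree.

```shell
#!/bin/sh
# Added example, not from the original page: audit the ICMP and redirect
# settings against the hardened baseline, per interface, without changing
# anything. Reading /proc/sys needs no privileges.

# Root of the sysctl tree. SYSCTL_ROOT is an assumption of this script,
# not a kernel feature; point it elsewhere to audit a saved copy.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# read_sysctl KEY: print the value of SYSCTL_ROOT/KEY, or "missing" when
# the file is absent (feature not compiled in) or unreadable.
read_sysctl() {
    f="$SYSCTL_ROOT/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# check_one KEY EXPECTED: report the value and return 1 on any deviation.
check_one() {
    actual=$(read_sysctl "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK       $1 = $actual"
    else
        echo "MISMATCH $1 = $actual (want $2)"
        return 1
    fi
}

# audit_icmp: the two echo settings, then accept_redirects/send_redirects in
# every conf/* directory (all, default and each interface). For
# accept_redirects the kernel combines conf/all with the interface entry, so
# conf/all/accept_redirects=0 on its own does not prove eth0 ignores them.
audit_icmp() {
    rc=0
    check_one net/ipv4/icmp_echo_ignore_broadcasts 1 || rc=1
    check_one net/ipv4/icmp_echo_ignore_all 1 || rc=1
    for d in "$SYSCTL_ROOT"/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        check_one "net/ipv4/conf/$name/accept_redirects" 0 || rc=1
        check_one "net/ipv4/conf/$name/send_redirects" 0 || rc=1
    done
    return $rc
}

if audit_icmp; then
    echo "ICMP settings match the baseline"
else
    echo "deviations found: fix them and make them persistent in /etc/sysctl.conf"
fi
```

The loopback entry conf/lo will usually show send_redirects=1 on a stock kernel; that is harmless, but the script reports it so you decide rather than the script.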

4. IP

Some distributions enable IP forwarding by default. Check the current value (cat /proc/sys/net/ipv4/ip_forward) and, if you are not using this host as a gateway, disable it:
if [ -w /proc/sys/net/ipv4/ip_forward ]; then
    echo "Disabling IP forwarding"
    echo "0" > /proc/sys/net/ipv4/ip_forward
fi
(The tests below use -w rather than -r: the file has to be writable, which it only is for root, and a setting that was not compiled into the kernel has no file at all, in which case the block is silently skipped.)
If, on the contrary, you do want to forward packets, you should certainly also enable reverse path filtering with rp_filter, although it is worthwhile on a plain host too. With rp_filter on, the kernel drops a packet whose source address it would not route back out through the interface the packet arrived on, which stops a share of IP spoofing (a packet claiming to come from your inside network arriving on the outside interface, for instance). It is only a partial measure against spoofing, and it breaks multi-homed hosts with asymmetric routing, where replies legitimately leave through another interface.
if [ -w /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo "Enabling rp_filter"
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
fi
When you have compiled CONFIG_SYN_COOKIES into your kernel, you are also able to turn the protection against SYN flood attacks on or off. SYN cookies only come into play once the queue of half-open connections is full; until then they change nothing, and when they do kick in the kernel logs a "possible SYN flooding" message, which is worth watching for.
if [ -w /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo "Enabling tcp_syncookies"
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
fi
Normally you have no control over the route a packet follows. IP source routing (the strict and loose source route options, SSRR and LSRR, in the IP header) lets the sender specify the path a packet should take, and with it the path the reply takes. An attacker can use this to pull traffic through a machine they control, or to get replies back to a spoofed address. Accepting it is generally a bad idea; disabling goes as follows:
if [ -w /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    echo "Disabling source routing"
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
fi
The kernel calls a packet a 'martian' when its source or destination address is impossible on the interface it arrived on: a loopback or reserved address coming in from the network, for instance, or, with rp_filter enabled, a source address that is not reachable through that interface. Such packets should never arrive, so it is useful to log them. They show up in the kernel log (dmesg, syslog) as "martian source", and the kernel rate-limits these messages so a flood of them will not fill your disk.
if [ -w /proc/sys/net/ipv4/conf/all/log_martians ]; then
    echo "Enabling logging of martians"
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
fi
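The settings of this section as one script, added here as an example (it is not code from the original page). Compared with the snippets above it verifies every write by reading the value back, treats a missing or read-only file as a failure instead of passing silently, sets conf/default next to conf/all so interfaces created later inherit the values, and can print the same baseline in /etc/sysctl.conf syntax so the change survives a reboot. The variable SYSCTL_ROOT, the baseline list and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: apply the IP settings of this
# section with read-back verification, or print them as /etc/sysctl.conf
# lines. Usage: sh proc-ip.sh        show current values next to the baseline
#               sh proc-ip.sh apply  write the baseline (as root)
#               sh proc-ip.sh conf   print /etc/sysctl.conf lines

SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}   # assumption: override to test on a copy

# Baseline for a host that is not a router: "key value" per line, relative
# to SYSCTL_ROOT. conf/default is set too so new interfaces inherit it.
IP_BASELINE='
net/ipv4/ip_forward 0
net/ipv4/conf/all/rp_filter 1
net/ipv4/conf/default/rp_filter 1
net/ipv4/tcp_syncookies 1
net/ipv4/conf/all/accept_source_route 0
net/ipv4/conf/default/accept_source_route 0
net/ipv4/conf/all/log_martians 1
net/ipv4/conf/default/log_martians 1
'

# set_sysctl KEY VALUE: write VALUE and read it back. Returns 1 when the file
# is absent (e.g. tcp_syncookies without CONFIG_SYN_COOKIES), not writable
# (not root) or did not take the value.
set_sysctl() {
    f="$SYSCTL_ROOT/$1"
    if [ ! -w "$f" ]; then
        echo "FAIL $1: absent or not writable"
        return 1
    fi
    echo "$2" > "$f" 2>/dev/null || { echo "FAIL $1: write rejected"; return 1; }
    got=$(cat "$f")
    if [ "$got" != "$2" ]; then
        echo "FAIL $1: reads back as $got, wanted $2"
        return 1
    fi
    echo "OK   $1 = $got"
}

# apply_baseline: apply every line; return 1 if any of them failed. The
# here-document keeps the loop in the current shell so rc survives it.
apply_baseline() {
    rc=0
    while read -r key value; do
        [ -n "$key" ] || continue
        set_sysctl "$key" "$value" || rc=1
    done <<EOF
$IP_BASELINE
EOF
    return $rc
}

# sysctl_conf_lines: the same baseline in sysctl(8) syntax, dots for slashes.
sysctl_conf_lines() {
    while read -r key value; do
        [ -n "$key" ] || continue
        echo "$(echo "$key" | tr / .) = $value"
    done <<EOF
$IP_BASELINE
EOF
}

case "${1:-}" in
    apply) apply_baseline || { echo "some settings were not applied"; exit 1; } ;;
    conf)  sysctl_conf_lines ;;
    *)     while read -r key value; do   # dry run: current value vs baseline
               [ -n "$key" ] || continue
               if [ -r "$SYSCTL_ROOT/$key" ]; then cur=$(cat "$SYSCTL_ROOT/$key"); else cur=missing; fi
               echo "$key = $cur (baseline $value)"
           done <<EOF
$IP_BASELINE
EOF
           ;;
esac
```

Run it without arguments first to see how far the host deviates from the baseline, then with apply as root; the conf output can be appended to /etc/sysctl.conf, and sysctl -p afterwards should report no differences.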
Copyleft 2002-2007 - cudeso.be - webmaster@cudeso.be