This post will focus on hardening your networking infrastructure.
- Disable wireless networking in the kernel by running the driver-blacklisting loop shown at the end of this post (it writes one blacklist entry per wireless driver module into /etc/modprobe.d/blacklist-wireless).
- OPTIONAL: I also disabled the loading of bluetooth drivers by modifying the command loop. I replaced 'net/wireless' with 'bluetooth' and saved it under a different filename.
- Edit /etc/sysctl.conf to secure the network stack within the kernel (run sysctl -p afterwards to apply the settings without a reboot):
# Disable packet forwarding
net.ipv4.ip_forward = 0
# Source route verification (reverse path filtering)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Don't accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Not a router, so do not send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Not a router, so do not accept redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Log all packets with impossible source addresses (martians) to the kernel log
net.ipv4.conf.all.log_martians = 1
# Ignore ICMP ECHO and TIMESTAMP requests sent to broadcast/multicast addresses,
# and ignore bogus ICMP error responses
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
# Protect against SYN flood attacks: enable SYN cookies and retransmit SYN-ACKs only twice
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
# This is not a router, so do not send IPv6 router solicitations
net.ipv6.conf.all.router_solicitations = 0
net.ipv6.conf.default.router_solicitations = 0
# Do not accept router preference from IPv6 router advertisements
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Do not accept prefix information from IPv6 router advertisements
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
# Do not learn a default router from IPv6 router advertisements
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
# Do not autoconfigure addresses from router advertisements
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
# Do not send duplicate address detection (DAD) probes
net.ipv6.conf.all.dad_transmits = 0
net.ipv6.conf.default.dad_transmits = 0
# Assign only one address per interface
net.ipv6.conf.all.max_addresses = 1
net.ipv6.conf.default.max_addresses = 1
- OPTIONAL: While we are in /etc/sysctl.conf we may as well add a few hardening parameters for the kernel:
# Disable the magic SysRq key
kernel.sysrq = 0
# Append the PID to the core filename in a core dump (useful to determine what happened)
kernel.core_uses_pid = 1
# Activate ExecShield (Red Hat kernels)
kernel.exec-shield = 1
# Randomise the address space layout
kernel.randomize_va_space = 1
- OPTIONAL: If you are going to use bridge interfaces then disable packet filtering on bridged traffic. This way the virtual machines' own firewall rules apply instead of complex rules defined on the host:
# These keys only exist once the bridge module is loaded; sysctl -p reports them as unknown otherwise
net.bridge.bridge_nf_call_ip6tables = 0
net.bridge.bridge_nf_call_iptables = 0
net.bridge.bridge_nf_call_arptables = 0
- Disable automatic loading of IPv6 in the kernel by adding the following line to /etc/modprobe.d/dist.conf:
install ipv6 /bin/true
While we are here, we will also disable the loading of uncommon networking protocols:
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
- Disable IPv6 interfaces by modifying /etc/sysconfig/network:
NETWORKING_IPV6=no
IPV6INIT=no
IPV6_AUTOCONF=no
You can also turn off avahi and zeroconf by adding the line:
NOZEROCONF=yes
(NOTE: If you are not going to use zeroconf you may as well uninstall it with yum remove avahi avahi-autoipd. The avahi-libs package is required by other programs so you may still need it.)
- Add the following line to every file matching the pattern /etc/sysconfig/network-scripts/ifcfg-*:
IPV6INIT=no
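A check that goes with the sysctl settings above, added here as an example rather than taken from the post: it compares a sysctl.conf-style file against a `sysctl -a` snapshot of the running kernel and lists every key that is missing or carries a different value, which is how you confirm the hardening actually took effect after a reboot or a package update. The function name sysctl_drift and both sample inputs are my own constructions; only the setting names come from the post.

```shell
#!/bin/sh
# Added example (not from the post): report drift between the hardened
# /etc/sysctl.conf and the values the running kernel actually has.
# Both inputs are constructed samples so the script runs offline; on a real
# host you would snapshot the kernel with `sysctl -a > /tmp/running.txt`
# and call: sysctl_drift "$(cat /etc/sysctl.conf)" "$(cat /tmp/running.txt)"

# Constructed: a subset of the settings from the post, in sysctl.conf syntax.
DESIRED_CONF=$(cat <<'EOF'
# Disables packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 32768 61000
kernel.sysrq = 0
EOF
)

# Constructed: a `sysctl -a` style snapshot where two settings have drifted
# (ip_forward was re-enabled, sysrq was left on) and one key is absent.
RUNNING_SNAPSHOT=$(cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.ip_local_port_range = 32768 61000
kernel.sysrq = 1
EOF
)

# normalize: turn "key = value" or "key=value" lines into "key value",
# dropping comments, blank lines and surplus whitespace (tabs included)
normalize() {
    sed -e 's/#.*//' -e 's/=/ /' | awk 'NF >= 2 { k = $1; $1 = ""; sub(/^[ \t]+/, ""); print k, $0 }'
}

# sysctl_drift DESIRED_TEXT RUNNING_TEXT
# Prints one line per key that is missing or differs:
#   <key> desired=<value> running=<value|MISSING>
# Returns 0 when the running kernel matches, 1 when any key drifted.
sysctl_drift() {
    desired=$(printf '%s\n' "$1" | normalize)
    running=$(printf '%s\n' "$2" | normalize)
    drift=0
    while read -r key want; do
        have=$(printf '%s\n' "$running" | awk -v k="$key" '
            $1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1 }
            END { if (!found) print "MISSING" }')
        if [ "$have" != "$want" ]; then
            echo "$key desired=$want running=$have"
            drift=1
        fi
    done <<EOF
$desired
EOF
    return $drift
}

# Usage: prints the three drifted keys from the samples and exits non-zero.
sysctl_drift "$DESIRED_CONF" "$RUNNING_SNAPSHOT"
```

The comparison is done on normalised "key value" pairs, so it does not matter whether the file uses `key=value` or `key = value`, and multi-word values such as the port range compare correctly. A non-zero exit status makes the function usable from a cron job or a configuration check that should fail loudly.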
- Deny all TCP Wrapper services by default. Edit /etc/hosts.deny and make the following the only entry:
ALL: ALL
- OPTIONAL: If you wish, allow TCP Wrapper services (like SSH) only from the localhost loopback address. Edit /etc/hosts.allow and enter the following:
ALL: localhost
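The hosts.allow / hosts.deny decision described above, as an added example that is not part of the original post. tcp_wrappers consults hosts.allow first, then hosts.deny, and allows anything matched by neither file, so the ALL: ALL entry in hosts.deny is what turns the setup into default-deny. The script models only the subset of the hosts_access syntax used here (ALL, LOCAL, exact names, dotted address prefixes) and does no DNS resolution; the function names and the sample entries are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): a simplified model of the decision
# tcp_wrappers makes from hosts.allow and hosts.deny, so you can check what
# the two entries above actually permit. Implemented subset: ALL, LOCAL,
# exact daemon and client names, and address prefixes ending in a dot
# (e.g. "192.168.1."); EXCEPT lists, netmasks, KNOWN/PARANOID and shell
# commands are not handled, and no name resolution is done. All inputs are
# constructed samples.

HOSTS_ALLOW='ALL: localhost'    # the hosts.allow entry from the post
HOSTS_DENY='ALL: ALL'           # the hosts.deny entry from the post

# match_token PATTERN VALUE -> 0 when a hosts_access pattern matches the value
match_token() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;   # name without a dot
        *.)    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;; # address prefix
        *)     [ "$1" = "$2" ] ;;
    esac
}

# matches_file FILE_TEXT DAEMON CLIENT -> 0 when any "daemons : clients" entry matches
matches_file() {
    hit=$(printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/,/ /g' |
        while IFS=: read -r daemons clients _; do
            for d in $daemons; do
                match_token "$d" "$2" || continue
                for c in $clients; do
                    if match_token "$c" "$3"; then echo hit; exit 0; fi
                done
            done
        done)
    [ "$hit" = hit ]
}

# hosts_access DAEMON CLIENT ALLOW_TEXT DENY_TEXT -> prints allow or deny,
# in tcpd's order: a hosts.allow match wins, then a hosts.deny match denies,
# and a client matched by neither file is ALLOWED (the default is permissive).
hosts_access() {
    if matches_file "$3" "$1" "$2"; then echo allow
    elif matches_file "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Usage: with the post's two entries, only localhost gets through to sshd.
echo "sshd from localhost: $(hosts_access sshd localhost "$HOSTS_ALLOW" "$HOSTS_DENY")"
echo "sshd from 10.0.0.5:  $(hosts_access sshd 10.0.0.5 "$HOSTS_ALLOW" "$HOSTS_DENY")"
echo "sshd from 10.0.0.5 with an empty hosts.deny: $(hosts_access sshd 10.0.0.5 "$HOSTS_ALLOW" "")"
```

The third usage line is the case worth remembering: with hosts.allow present but hosts.deny empty, a remote client is allowed, because tcp_wrappers only denies what hosts.deny names. Real tcpd also matches hostname patterns against the reverse-resolved client name, which this model skips.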
- Edit iptables (the firewall) so that it drops packets that do not match any rule. In both /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, set the INPUT and FORWARD chain policies to DROP:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
- Restrict ICMP messages by removing any lines in /etc/sysconfig/iptables containing the following:
-p icmp
and replace them with:
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
- To log all dropped packets, replace the following lines in /etc/sysconfig/iptables:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
with:
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -j LOG
-A FORWARD -j DROP
You will need to write the same in the equivalent IPv6 file (/etc/sysconfig/ip6tables). A LOG rule without a -m limit match can fill the log quickly under a flood, so consider rate limiting it.
- You may have NFS installed; if you don't need it then uninstall it:
yum remove portmap nfs-utils
NOTE: If you are running virtual machines then they will need the libraries provided by portmap. Instead turn off the services:
chkconfig portreserve off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig rpcbind off
chkconfig rpcsvcgssd off
chkconfig nfs off
chkconfig nfslock off
- Finally, to check what is running on your server:
- This will show all listening TCP and UDP services and the program behind each:
netstat -tulp
- This will show all TCP sockets, including active connections:
netstat -ant
- This will show you the routing table:
route
- This will show you if any program has opened a raw packet socket, which is a sign of a network sniffer. Note that on a fresh system a positive result may just be the DHCP client (if you use one).
cat /proc/net/packet
- The wireless driver blacklisting loop referred to in the first step. It writes one "blacklist" entry per wireless kernel module; modprobe expects the module name, not the path to the .ko file, hence the basename. A blacklist entry only stops the module from being loaded automatically by alias, so use "install <module> /bin/true" (as in the IPv6 step) if an explicit modprobe must fail too. Newer module-init-tools/kmod versions only read files in /etc/modprobe.d whose names end in .conf.
for i in $(find /lib/modules/`uname -r`/kernel/drivers/net/wireless -name "*.ko" -type f ) ; do
    echo "blacklist $(basename "$i" .ko)" >> /etc/modprobe.d/blacklist-wireless ; done
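A final check for the firewall bullets above, added as an example that is not from the post: it lints an /etc/sysconfig/iptables-style ruleset for the three properties those steps establish (DROP policies on INPUT and FORWARD, no unrestricted ICMP accept, and a LOG rule immediately before each terminating DROP/REJECT). The weak and hardened rulesets are constructed samples, and the function name iptables_lint is my own.

```shell
#!/bin/sh
# Added example (not from the post): lint an /etc/sysconfig/iptables file for
# the three properties the firewall steps establish:
#   1. the INPUT and FORWARD chain policies are DROP,
#   2. ICMP is not accepted wholesale (every ICMP ACCEPT names an --icmp-type),
#   3. every terminating DROP/REJECT in INPUT or FORWARD directly follows a LOG rule.
# The two rulesets are constructed samples; on a real host run
#   iptables_lint "$(cat /etc/sysconfig/iptables)"   (and again for ip6tables)

# Constructed: a stock-looking ruleset before the hardening steps.
WEAK_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j LOG
-A FORWARD -j DROP
COMMIT
EOF
)

# Constructed: the same ruleset after applying the steps from the post.
HARDENED_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -j LOG
-A FORWARD -j DROP
COMMIT
EOF
)

# iptables_lint RULESET_TEXT
# Prints one finding per line and returns the number of findings (0 = clean).
iptables_lint() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = 0 }
        # policy lines look like ":INPUT ACCEPT [0:0]"
        /^:(INPUT|FORWARD) / && $2 != "DROP" {
            print "policy: chain " substr($1, 2) " defaults to " $2 ", expected DROP"; n++
        }
        # an ICMP accept without a type restriction lets every ICMP type through
        # (ip6tables spells the protocol ipv6-icmp/icmpv6 and the option --icmpv6-type)
        /^-A / && / -p (icmp|ipv6-icmp|icmpv6) / && / -j ACCEPT/ && !/--icmp(v6)?-type/ {
            print "icmp: unrestricted ICMP accept: " $0; n++
        }
        # a terminating rule in INPUT/FORWARD must come right after a LOG rule
        /^-A (INPUT|FORWARD) / && / -j (DROP|REJECT)/ && last[$2] != "LOG" {
            print "logging: " $2 " drop/reject without preceding LOG: " $0; n++
        }
        # remember whether the previous rule in this chain was a LOG rule
        /^-A / { last[$2] = ($0 ~ / -j LOG/) ? "LOG" : "other" }
        END { exit n }
    '
}

# Usage: the weak ruleset yields three findings, the hardened one none.
iptables_lint "$WEAK_RULES"
echo "weak ruleset findings: $?"
iptables_lint "$HARDENED_RULES"
echo "hardened ruleset findings: $?"
```

The LOG check is deliberately strict about ordering: a LOG rule that sits anywhere else in the chain does not record the packets the final DROP discards, which is exactly the mistake the replace-these-lines step above guards against.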