Basic network security settings
Download
Report
Transcript Basic network security settings
CIS 290
LINUX Security
Application and
Network Security
Part 1
SSH
•
/etc/ssh/sshd_config
AllowTcpForwarding no
AllowAgentForwarding No
DenyUsers, AllowUsers, DenyGroups, AllowGroups
AllowTcpForwarding No
Banner No
ChrootDirectory No
ClientAliveInterval 600
ClientAliveCountMax 0
ForceCommand
HostbasedAuthentication no
IgnoreRhosts yes
ListenAddress
LoginGraceTime
MaxAuthTries
MaxSessions
MaxStartups
PermitEmptyPasswords no
PermitRootLogin No
PermitTunnel No
Port
Protocol 2,1
SubSystem (see SFTP chroot jail)
UseDNS
UsePAM – if yes, disable PasswordAuthentication or ChallengeREsponse Authentication
X11Forwarding no
Original Sentry Tools (Psionic)
• Logcheck (still an RPM)
• Portsentry
http://sourceforge.net/projects/sentrytools/
• Tcplogd
• See also netstat –an or ss -a
Network Security
•
TCP Wrappers – hosts.allow, hosts.deny
•
/etc/security/access.conf
•
Iptables 2.4 - formerly ipfwadm <2.0, ipchains, 2.1)
•
•
/etc/sysctl.conf:
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
•
•
•
Network Security
/etc/sysctl.conf
• # No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
•
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
•
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
•
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
Network Security
/etc/sysctl.conf
• # Turn on execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1
•
# Tune IPv6 (or turn it off)
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
•
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 65535
•
# Allow for more PIDs (to reduce rollover problems); may break some programs 327
Network Security
•
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
•
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
•
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
Firewall - Iptables
•
/etc/sysconfig/iptables
•
Commands: iptables, iptables-save, iptables-restore
•
There are total 4 chains:
INPUT - The default chain is used for packets addressed to the system. Use this to open or
close incoming ports (such as 80,25, and 110 etc) and ip addresses / subnet (such as
202.54.1.20/29).
OUTPUT - The default chain is used when packets are generating from the system. Use this
open or close outgoing ports and ip addresses / subnets.
FORWARD - The default chains is used when packets send through another interface. Usually
used when you setup Linux as router. For example, eth0 connected to ADSL/Cable modem
and eth1 is connected to local LAN. Use FORWARD chain to send and receive traffic from LAN
to the Internet.
RH-Firewall-1-INPUT - This is a user-defined custom chain. It is used by the INPUT, OUTPUT
and FORWARD chains.
iptables
•
Packet Matching Rules
Each packet starts at the first rule in the chain.
A packet proceeds until it matches a rule.
If a match found, then control will jump to the specified target (such as REJECT, ACCEPT,
DROP).
•
Target Meanings
The target ACCEPT means allow packet.
The target REJECT means to drop the packet and send an error message to remote host.
The target DROP means drop the packet and do not send an error message to remote host or
sending host.