
While searching for more ways to secure Linux servers, I found the following /etc/sysctl.conf configuration. It came as is, without much explanation. Before using it in a production environment (Ubuntu 12.04 LTS), I'd like to know its implications on a web server.

# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Turn on exec-shield
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

  1. What is a smurf attack?
  2. Why are bad ICMP error messages bad? In other words, what good will come of disabling this?
  3. What are syncookies, and what is a SYN flood attack?
  4. Why turn on logging of spoofed, source routed, and redirect packets? Why are redirected and source routed packets bad?
  5. What is reverse path filtering?
  6. What are exec-shield and randomize_va_space?
  7. Overall, would you add anything more to this, or remove some settings from it, for your server? Why?

It would be most appreciated if someone could give an explanation (or a resource explaining them) of each setting here.


Update:

I found this document extremely helpful for understanding IP related settings: http://www.frozentux.net/ipsysctl-tutorial/ipsysctl-tutorial.html

Mehdi
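As an added example (not part of the question or of any answer), the following Python script parses a sysctl.conf fragment in the format shown above and compares each key with the value the running kernel exposes under /proc/sys. It reports settings that differ and keys the kernel does not have at all: kernel.exec-shield is a Red Hat kernel patch that mainline and Ubuntu kernels do not carry, so `sysctl -p` warns about it and the audit lists it as missing. The reader is injectable so the audit can be exercised against constructed values; on a real host pass proc_sys_reader. The sample conf text and the FAKE_KERNEL values are constructed for the demonstration; the fake kernel deliberately carries 2 for randomize_va_space, which is Ubuntu's default and the stronger setting (it also randomises the heap), so the file above would lower it.

```python
from typing import Callable, Dict, List, Optional

# Constructed sysctl.conf fragment modelled on the question's file (values as given there).
SAMPLE_CONF = """\
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1

# Turn on exec-shield
kernel.exec-shield = 1
kernel.randomize_va_space = 1
"""


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse sysctl.conf syntax: 'key = value' lines, '#'/';' comment lines, blanks.

    sysctl(8) accepts '/' as well as '.' as the key separator; keys are
    normalised to dotted form so they can be mapped onto /proc/sys.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            continue  # sysctl(8) warns on such lines; the audit just skips them
        key, _, value = line.partition("=")
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings


def proc_sys_reader(key: str) -> Optional[str]:
    """Read the live value of a dotted key from /proc/sys; None if the key is absent.

    Caveat: a '.' inside an interface name (e.g. a VLAN device eth0.100) is
    mangled by this mapping; sysctl(8) has the same ambiguity.
    """
    path = "/proc/sys/" + key.replace(".", "/")
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def audit(expected: Dict[str, str],
          read: Callable[[str], Optional[str]]) -> Dict[str, List]:
    """Compare the expected settings with what `read` returns for each key."""
    report: Dict[str, List] = {"ok": [], "mismatch": [], "missing": []}
    for key, want in expected.items():
        have = read(key)
        if have is None:
            report["missing"].append(key)
        # Multi-value keys (e.g. ip_local_port_range) are whitespace separated,
        # so compare token lists rather than raw strings.
        elif have.split() != want.split():
            report["mismatch"].append((key, want, have))
        else:
            report["ok"].append(key)
    return report


# Constructed stand-in for a running kernel so the audit runs offline. It has no
# kernel.exec-shield entry (absent on Ubuntu kernels) and Ubuntu's default of 2
# for randomize_va_space.
FAKE_KERNEL = {
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.rp_filter": "2",
    "kernel.randomize_va_space": "2",
}


def demo_report() -> Dict[str, List]:
    """Audit the sample conf against the constructed kernel values."""
    return audit(parse_sysctl_conf(SAMPLE_CONF), FAKE_KERNEL.get)


if __name__ == "__main__":
    rep = audit(parse_sysctl_conf(SAMPLE_CONF), proc_sys_reader)
    for key, want, have in rep["mismatch"]:
        print(f"MISMATCH {key}: conf says {want!r}, kernel has {have!r}")
    for key in rep["missing"]:
        print(f"MISSING  {key}: not present on this kernel")
    print(f"{len(rep['ok'])} settings already match")
```

Running it against the real /proc/sys before `sysctl -p` shows which of the file's settings would actually change anything and which ones the kernel will reject, so you can drop the dead entries instead of carrying warnings forever.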

1 Answer

  1. A smurf attack is where someone sends packets to a broadcast address, usually with a spoofed source, to trick you into sending a large number of replies.

  2. They clog your logs with error messages. Ignoring them keeps the logs uncluttered. It's not like you can fix the Internet anyway.

  3. A SYN flood attack is one where an attacker hits a server with a large number of TCP connection requests. The idea is to consume memory on the server, forcing it to keep track of all the connection requests. SYN cookies allow the server to handle connection requests without using any memory.

  4. Source routed packets are bad because they can be used by outsiders to cause your internal network policy to be ignored or violated. Logging spoofed, source routed, or redirect packets makes sense because unlike bad ICMP error messages, these usually indicate someone doing something deliberate, rather than a configuration error or broken router.

  5. Reverse path filtering causes your router to drop a packet if it was received on an interface you would not use to send packets to that source. Personally, I always disable it. In my experience, it creates far more problems than it solves, for example, breaking IP multipath.

David Schwartz
    It's worth mentioning that the point of a smurf attack is for a small number of attackers to use the server in question as a fake "source" for a DDoS with ICMP echo-reply floods. By sending a specially-crafted broadcast ping (using the source address of the victim) to a vulnerable subnet, every machine on the subnet would "reply" to the victim. Thus it makes it easy for a small number of attackers to DDoS a victim; they wouldn't need a large botnet for this kind of DDoS. This also allows them to mask the identity of the actual attackers from the target (but not from the ISPs mitigating the smurf). – Mike Pennington Aug 09 '12 at 10:10
  • @David Schwartz: Thank you! I've edited my question and added two more. Can you please explain them, too? :) – Mehdi Aug 09 '12 at 10:11
  • @MHK: Ask separate questions for separate questions. You don't pay by the question, after all. – womble Aug 09 '12 at 10:11
  • @womble, I'm afraid they are not separate questions, but closely related to these settings. I think adding a separate question would be marked as a duplicate. – Mehdi Aug 09 '12 at 10:14
  • @MHK, they would not be duplicates if you asked different questions about `/etc/sysctl.conf`. However, I personally think it's more useful to ask them all in the same question, since they're related to a single system's security config. – Mike Pennington Aug 09 '12 at 10:15
  • @MHK: Why would a question "What is randomize_va_space?" be closed as a duplicate of "What is reverse path filtering?". – womble Aug 09 '12 at 10:16
  • @womble, Mike answered that. I'm asking all these questions based on a single configuration file. It is up to humans how they would categorize; there might be a lot of ways to do that, don't you think? Can we focus on the topic now? – Mehdi Aug 09 '12 at 10:20
  • @MHK: And I disagree. Someone looking for information about one of these settings is going to have problems getting answers to their question if it's buried in amongst answers to a dozen other questions. Also, if two separate people give you good answers to different sysctl settings, which one will you mark as the accepted answer? – womble Aug 09 '12 at 10:22
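As an added example (not part of the answer or of the comment thread above), here is a small Python model of the reverse path check from item 5 of the answer. The host looks up the route it would use to reply to the packet's source address; in strict mode (rp_filter = 1) the packet is dropped unless that route leaves through the interface it arrived on, while loose mode (rp_filter = 2) only requires that some route to the source exist. A drop of this kind is what gets logged as a "martian source" when log_martians is set. The routing table and the packets are constructed; ROUTES, rp_filter_accepts and demo are names chosen for this example, not kernel interfaces.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# (destination prefix, interface the host would use to reach it)
Route = Tuple[ipaddress.IPv4Network, str]


def route_lookup(routes: List[Route], addr: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match: the interface the host would send to addr through."""
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(routes: List[Route], src: str, in_iface: str, mode: int) -> bool:
    """Model net.ipv4.conf.<if>.rp_filter for a packet from `src` arriving on `in_iface`.

    0 = no check; 1 = strict (the reply route to src must leave via in_iface);
    2 = loose (any route to src, on any interface, is enough).
    """
    if mode == 0:
        return True
    via = route_lookup(routes, ipaddress.ip_address(src))
    if mode == 2:
        return via is not None
    if mode == 1:
        return via == in_iface
    raise ValueError("rp_filter takes 0, 1 or 2")


# Constructed routing table: default route on the Internet-facing eth0, an internal /8
# via eth1, and a more specific /16 inside it via eth2.
ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
    (ipaddress.ip_network("10.0.0.0/8"), "eth1"),
    (ipaddress.ip_network("10.1.0.0/16"), "eth2"),
]
# Same table without the default route, to show loose mode actually dropping something.
ROUTES_NO_DEFAULT: List[Route] = ROUTES[1:]


def demo() -> Dict[str, Tuple[bool, bool]]:
    """(strict, loose) verdicts for a few constructed packets."""
    cases = {
        "internal host on the expected interface": (ROUTES, "10.2.0.1", "eth1"),
        "10.1.x host arriving on eth1 (asymmetric path)": (ROUTES, "10.1.2.3", "eth1"),
        "Internet source arriving on internal eth1": (ROUTES, "198.51.100.7", "eth1"),
        "Internet source, no default route": (ROUTES_NO_DEFAULT, "198.51.100.7", "eth1"),
    }
    return {
        name: (rp_filter_accepts(routes, src, iface, 1),
               rp_filter_accepts(routes, src, iface, 2))
        for name, (routes, src, iface) in cases.items()
    }


if __name__ == "__main__":
    for name, (strict, loose) in demo().items():
        print(f"{name:48s} strict={'accept' if strict else 'drop':6s} "
              f"loose={'accept' if loose else 'drop'}")
```

The second case is the kind of breakage the answer warns about: a 10.1.x host whose own routing brings its packets in through eth1 is legitimate, but strict mode drops it because the reply would leave via eth2. The third and fourth cases show the flip side: a host with a default route accepts any source in loose mode, so loose mode only catches sources that have no route at all, and on a single-homed web server strict mode costs nothing and is the setting that actually blocks spoofed sources on the wrong interface.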