SECURING THE TCP/IP STACK ON SOLARIS 2.6
Solaris contains many tweakable parameters in its kernel. In the following section, we shall modify some of these parameters in order to take full advantage of these features. A full set of parameters can be obtained by typing: ndd -get /dev/ip \? (replace ip with udp or tcp to list those). These settings apply to Solaris 2.6 only. Be sure to apply patch 103582-12 to enable the use of tcp_conn_req_max_q0 on Solaris 2.5.1.

1. Create a file in /etc/init.d named secureip containing the following:
These lines turn off a feature called IP forwarding. Nearly any machine that uses IP-based networking is capable of acting as a router, which means the bad guys could route packets through your machine to machines on your internal network, or to other secure machines that trust the machine you are working on. Turning off IP forwarding disables this behaviour.
To prevent Solaris from forwarding datagrams sent to any of your directed broadcast addresses as link-layer broadcasts. Pings or other broadcasts to the broadcast address of your installed interfaces are silently discarded.
To prevent Solaris from forwarding any IP datagrams that have the source routing option set. If Solaris forwarded such datagrams, an attacker could bypass certain security controls, such as the corporate firewall.
If a machine has two interfaces, the following commands will drop packets coming in through one interface that are destined for another interface. This can prevent host spoofing. This enables the 'strong end system' model from RFC 1122.
To prevent Solaris from responding to a ping to any of our broadcast addresses.
The following is a quick hack to break traceroute. Solaris allocates UDP ports under 65535. The traceroute program sends its probes to a UDP port above 32768 that is unlikely to be in use, in order to provoke an ICMP error message from the host. The following lowers udp_smallest_anon_port and then lowers udp_largest_anon_port. This tweak is not recommended for servers that run applications requiring many active UDP ports (e.g. Squid).
Solaris sets the lowest ephemeral port above 32768; we like to have it above 25000 to give a bit more room on busy servers. We also set the highest ephemeral port to 65535. This is useful when setting IP Filter's port range.
With the recent SYN flood attacks, this next parameter increases the length of the incomplete connection queue. This queue contains an entry for every packet carrying the SYN flag that has been received by the operating system. The server acknowledges the client's SYN and the connection is then queued while the kernel waits for the three-way handshake to complete; the socket is in the SYN_RCVD state. The connection cannot be accepted until the handshake is completed and resides in this queue until then.
For ICMP redirect avoidance.
This changes the system configuration to shorten the ARP expiration timer to one minute instead of the default 20 minutes. This stops some of the ARP hijacking and ARP spoofing attacks. Flush the ARP entries from the IP routing table after 1 minute.
Discard ARP entries from ARP cache after 1 minute.
Don't respond to broadcast ICMP mask requests.
Don't respond to ICMP timestamp requests.
Disable address round-robin of interface groups.
Then type the following so that these modifications take effect after a reboot: ln -s /etc/init.d/secureip /etc/rc2.d/S77secureip. The source of this script can be found here.

2. To prevent Solaris from using predictable sequence numbers, add the following to the file /etc/default/inetinit. This modification strengthens the initial sequence numbers as per RFC 1948. '0' is the old predictable algorithm. '1' uses random(3) and may be predictable if the attacker knows the time the machine was booted or the time the kernel parameter was changed.

3. Then type the following command:
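After the reboot you will want to confirm that the settings actually took. As an added example (not part of this page or of the secureip script), the following Python audit reads each parameter with ndd(1M) and reports the ones that still deviate from the baseline described above. The parameter names are the Solaris 2.6 ndd names; the target values, the 1024 threshold for tcp_conn_req_max_q0 and the sample readings are my assumptions, since the text gives the intent of each setting but not every value.

```python
import subprocess

# Hardening baseline reconstructed from the text above (assumed target values).
# Each entry: device, parameter, predicate on the integer value, reason.
BASELINE = [
    ("/dev/ip", "ip_forwarding", lambda v: v == 0, "no forwarding between interfaces"),
    ("/dev/ip", "ip_forward_directed_broadcasts", lambda v: v == 0, "drop directed broadcasts"),
    ("/dev/ip", "ip_forward_src_routed", lambda v: v == 0, "drop source-routed datagrams"),
    ("/dev/ip", "ip_strict_dst_multihoming", lambda v: v == 1, "strong end-system model"),
    ("/dev/ip", "ip_respond_to_echo_broadcast", lambda v: v == 0, "ignore broadcast pings"),
    ("/dev/ip", "ip_ignore_redirect", lambda v: v == 1, "ignore ICMP redirects"),
    ("/dev/arp", "arp_cleanup_interval", lambda v: v <= 60000, "expire ARP after 1 min (ms)"),
    ("/dev/tcp", "tcp_conn_req_max_q0", lambda v: v >= 1024, "bigger SYN_RCVD queue (assumed)"),
    ("/dev/tcp", "tcp_smallest_anon_port", lambda v: v == 25000, "ephemeral range from 25000"),
    ("/dev/tcp", "tcp_largest_anon_port", lambda v: v == 65535, "ephemeral range to 65535"),
]

def ndd_get(device, param):
    # Live reader: runs ndd(1M) on the Solaris host itself (needs root).
    return subprocess.run(["ndd", "-get", device, param], capture_output=True,
                          text=True, check=True).stdout.strip()

def audit(get_value=ndd_get):
    """Return (device, param, value, reason) for every setting that deviates
    from the baseline; value is None if the parameter could not be read."""
    findings = []
    for device, param, ok, reason in BASELINE:
        try:
            value = int(get_value(device, param).split()[0])
        except (OSError, subprocess.SubprocessError, ValueError, IndexError):
            findings.append((device, param, None, reason))
            continue
        if not ok(value):
            findings.append((device, param, value, reason))
    return findings

# Constructed sample of a host where only the forwarding knobs were applied.
SAMPLE = {"ip_forwarding": "0", "ip_forward_directed_broadcasts": "0",
          "ip_forward_src_routed": "0", "ip_strict_dst_multihoming": "0",
          "ip_respond_to_echo_broadcast": "1", "ip_ignore_redirect": "0",
          "arp_cleanup_interval": "300000", "tcp_conn_req_max_q0": "1024",
          "tcp_smallest_anon_port": "32768", "tcp_largest_anon_port": "65535"}

def sample_reader(device, param):
    # Stand-in for ndd_get so the audit can be run offline against SAMPLE.
    return SAMPLE[param]

if __name__ == "__main__":
    for device, param, value, reason in audit(sample_reader):
        print("%s %s = %s  (want: %s)" % (device, param, value, reason))
```

Run it as root on the host with `audit()` (the default live reader) to get the real findings; an empty list means every baseline setting is in place.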