SECURING THE TCP/IP STACK ON SOLARIS 2.6

Applies to the practice:
Securing the TCP/IP stack on Solaris 2.6

Applicable technologies:
Unix; Solaris 2.6 operating system

Solaris contains many tunable parameters in its kernel. In the following section we modify some of these parameters to harden the TCP/IP stack. The full list of parameters for a driver can be obtained by typing: ndd -get /dev/ip \? (replace ip with udp, tcp or arp to list those). Values set with ndd take effect immediately but are not preserved across a reboot, which is why they are placed in a startup script below. These settings apply to Solaris 2.6; on Solaris 2.5.1, patch 103582-12 must be applied before tcp_conn_req_max_q0 can be used.

1. Create a file named /etc/init.d/secureip containing the following. The commentary between the commands explains each setting; only the #!/bin/sh line and the ndd and echo lines go in the file.

#!/bin/sh

These lines turn off IP forwarding. Nearly any machine with IP networking is capable of acting as a router, which means an attacker could route packets through this machine to hosts on your internal network, or to other secured machines that trust it. Turning off IP forwarding disables this. Solaris turns forwarding on by itself when a host has more than one configured interface unless the file /etc/notrouter exists, so on a multi-homed host this setting is not optional.

ndd -set /dev/ip ip_forwarding 0
echo "setting ip_forwarding off."

This prevents Solaris from forwarding datagrams addressed to the directed broadcast address of one of its attached networks out onto that network as a link-layer broadcast. A host that does forward them acts as an amplifier for smurf-style floods: one packet from outside becomes a broadcast that every host on the subnet answers. With the setting off, directed broadcasts that arrive for forwarding are silently discarded.

ndd -set /dev/ip ip_forward_directed_broadcasts 0
echo "setting ip_forward_directed_broadcasts off."

This prevents Solaris from forwarding IP datagrams that carry a source-routing option. If Solaris forwarded such datagrams, an attacker could use them to steer traffic around security controls such as the corporate firewall. The setting affects forwarded datagrams only.

ndd -set /dev/ip ip_forward_src_routed 0
echo "setting ip_forward_src_routed off."

If a machine has more than one interface, the following setting makes it drop packets that arrive on one interface but are addressed to the IP address of another of its interfaces. This prevents an internal-side address from being reached through the external interface and defeats some spoofing tricks. It enables the 'strong end system' model from RFC 1122. Note that a host which expects to be reachable at one address through either of its interfaces (for example, for failover) will lose that with this setting on.

ndd -set /dev/ip ip_strict_dst_multihoming 1
echo "setting ip_strict_dst_multihoming on."

This prevents Solaris from answering ICMP echo requests (pings) sent to any of its broadcast addresses, so the host does not add its reply to a broadcast ping flood.

ndd -set /dev/ip ip_respond_to_echo_broadcast 0
echo "setting ip_respond_to_echo_broadcast off."

The following is a quick hack aimed at traceroute. By default Solaris allocates anonymous (ephemeral) UDP ports from 32768 up to 65535. traceroute sends its probes to high-numbered UDP ports (above 32768) that it expects to be unused, so that the target answers the final hop with an ICMP port-unreachable error. The two commands below move the UDP anonymous port range down to 8192 through 32767, away from the ports traceroute probes. This tweak is not recommended for servers running applications that need many active UDP ports (e.g. Squid).

ndd -set /dev/udp udp_smallest_anon_port 8192
echo "lowering the udp_smallest_anon_port to 8192."
ndd -set /dev/udp udp_largest_anon_port 32767
echo "lowering the udp_largest_anon_port to 32767."

Solaris starts the TCP anonymous (ephemeral) port range at 32768. We lower it to 25000 to give busy servers a bit more room, and set the top of the range explicitly to 65535 (which is also the default). A fixed, known range is useful when writing ipfilter rules that must allow ephemeral ports. Check that no service on the host is configured to listen on a fixed port between 25000 and 32767, since an outbound connection could otherwise occupy a port that a later-starting service expects to bind.

ndd -set /dev/tcp tcp_smallest_anon_port 25000
echo "setting the smallest tcp port to 25000."
ndd -set /dev/tcp tcp_largest_anon_port 65535
echo "setting the largest tcp port to 65535."

SYN flood attacks work by filling the incomplete connection queue, so this parameter increases its length. The queue holds an entry for every SYN the kernel has received and answered with a SYN-ACK but for which the three-way handshake has not yet completed; such a connection is in the SYN_RCVD state and cannot be accepted by the application until the client's ACK arrives. A longer queue lets the host absorb more half-open connections before it starts dropping new SYNs. The related parameter tcp_conn_req_max_q controls the separate queue of completed connections waiting for accept(), so raising q0 alone does not help an application that is slow to accept.

ndd -set /dev/tcp tcp_conn_req_max_q0 10240
echo "increasing the length of the incomplete connection queue."

The next two settings defend against ICMP redirect games. A redirect is a message from a router telling a host to use a different next hop for a destination; an attacker on the local network can forge redirects to route the host's traffic through a machine he controls. The first setting makes the host ignore incoming redirects, the second stops it from sending any, which a non-router has no business doing.

ndd -set /dev/ip ip_ignore_redirect 1
echo "setting ip_ignore_redirect on."
ndd -set /dev/ip ip_send_redirects 0
echo "setting ip_send_redirects off."

This shortens the lifetime of entries in the IP routing cache (the IRE table, which holds the resolved routes to neighbouring hosts) from the default of 20 minutes to one minute, so that a stale or poisoned entry does not survive long. Together with the ARP cache interval below, this limits the window for ARP hijacking and ARP spoofing attacks; it does not prevent them, and on a busy network it noticeably increases ARP traffic. Flush the entries from the IP routing table after 1 minute:

ndd -set /dev/ip ip_ire_flush_interval 60000
echo "flushing the arp entries from the routing table after 1 minute."

Discard ARP entries from ARP cache after 1 minute.

ndd -set /dev/arp arp_cleanup_interval 60000
echo "arp cleanup after 1 minute."

Don't respond to broadcast ICMP mask requests.

ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
echo "setting respond to address mask broadcast off."

Don't respond to ICMP timestamp requests.

ndd -set /dev/ip ip_respond_to_timestamp 0
echo "setting respond to icmp timestamp requests off."

Disable address round-robin of interface groups. Solaris 2.6 interface groups can spread outbound traffic over several interfaces on the same subnet; turning this off keeps packets on the interface that owns their source address, which is consistent with the strict multihoming setting above.

ndd -set /dev/ip ip_enable_group_ifs 0
echo "disabling the round-robin of interface groups."

Then make the script executable and type the following so that these settings are re-applied after every reboot: ln -s /etc/init.d/secureip /etc/rc2.d/S77secureip. The S77 prefix runs it after S69inet, the script in which Solaris applies its own ndd defaults, so our values take precedence.

2. To prevent Solaris from using predictable initial sequence numbers, add the following line to the file /etc/default/inetinit. This strengthens initial sequence number generation as described in RFC 1948, where the ISS of each connection is derived from a secret together with the connection's addresses and ports. '0' is the old predictable algorithm; '1' uses random(3) and may be predictable if the attacker knows the time the machine was booted or the time the parameter was changed; '2' selects the RFC 1948 method. The setting is applied at boot by /etc/init.d/inetinit.

TCP_STRONG_ISS=2

3. Then type the following command to give the RFC 1948 generator its secret (the parameter is write-only, so ndd -get will not display it):

ndd -set /dev/tcp tcp_1948_phrase <type random characters; preferably Geiger readings of radioactive decay>

Like every ndd setting, this is lost at reboot. If you add the line to the secureip script so that it is re-applied, remember that the script then holds the secret; scripts in /etc/init.d are readable by all users unless you tighten their mode.
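As an added example (not the original PGCI script), here is a version of the secureip script that keeps the settings from the three steps above in one table, applies them on "start", reads every value back to confirm the kernel actually accepted it, and can be run again later with an "audit" argument to report drift without changing anything. It assumes ndd is at /usr/sbin/ndd (override with the NDD environment variable); the audit argument and the function names are this example's own, not part of Solaris. tcp_strong_iss is in the table mainly so that the audit confirms the /etc/default/inetinit setting from step 2 took effect; tcp_1948_phrase is left out because it cannot be read back.

```shell
#!/bin/sh
# secureip: apply and audit the Solaris 2.6 ndd hardening settings.
# Added example, not the original PGCI script.  Assumes /usr/sbin/ndd
# (override with NDD=...); "start" is the normal rc argument, "audit" is
# this example's own check-only mode.

NDD=${NDD:-/usr/sbin/ndd}

# Desired state, one "device parameter value" triple per line, taken from
# the settings recommended on this page.  tcp_strong_iss is normally set by
# /etc/init.d/inetinit from /etc/default/inetinit; it is listed here so the
# audit verifies that happened.
SETTINGS='
/dev/ip ip_forwarding 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/ip ip_ire_flush_interval 60000
/dev/ip ip_enable_group_ifs 0
/dev/arp arp_cleanup_interval 60000
/dev/tcp tcp_conn_req_max_q0 10240
/dev/tcp tcp_smallest_anon_port 25000
/dev/tcp tcp_largest_anon_port 65535
/dev/tcp tcp_strong_iss 2
/dev/udp udp_smallest_anon_port 8192
/dev/udp udp_largest_anon_port 32767
'

# get_param DEVICE PARAM: print the current kernel value, or "?" when ndd
# cannot read it (for example tcp_conn_req_max_q0 on an unpatched 2.5.1).
get_param() {
    "$NDD" -get "$1" "$2" 2>/dev/null || echo '?'
}

# apply_settings: set every parameter, then read it back and compare, since
# a quiet ndd run is not proof that the kernel accepted the value.
# Returns the number of parameters that did not end up at the desired value.
apply_settings() {
    failed=0
    while read dev param want; do
        [ -z "$dev" ] && continue
        "$NDD" -set "$dev" "$param" "$want" 2>/dev/null
        got=$(get_param "$dev" "$param")
        if [ "$got" = "$want" ]; then
            echo "set  $dev $param=$want"
        else
            echo "FAIL $dev $param wanted=$want got=$got" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$SETTINGS
EOF
    return $failed
}

# audit_settings: report drift without changing anything.  Useful from cron,
# because ndd values live only in the running kernel and vanish at reboot.
# Returns the number of parameters that differ from the desired state.
audit_settings() {
    drift=0
    while read dev param want; do
        [ -z "$dev" ] && continue
        got=$(get_param "$dev" "$param")
        if [ "$got" = "$want" ]; then
            echo "ok    $dev $param=$got"
        else
            echo "DRIFT $dev $param=$got wanted=$want"
            drift=$((drift + 1))
        fi
    done <<EOF
$SETTINGS
EOF
    return $drift
}

case "${1:-}" in
    start) apply_settings ;;
    audit) audit_settings ;;
    '') ;;                      # no argument: only define the functions
    *) echo "usage: $0 start|audit" >&2; exit 2 ;;
esac
```

Installed as /etc/init.d/secureip and linked as S77secureip, it is run with "start" at boot. Running sh /etc/init.d/secureip audit later exits with the number of parameters that differ, so a zero exit status means the kernel still matches the table.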


Copyright 1996-1999 PGCI Inc. All rights reserved.