Kernel hardening part 1

And then, kernel.exec-shield was born.

Exec Shield is a project started at Red Hat, Inc. in late 2002 with the aim of reducing the risk of worm and other automated remote attacks on Linux systems. Its first result was a kernel patch that emulates an NX bit (non-executable memory) on x86 CPUs that lack one in hardware, using x86 segment limits; CPUs with a hardware NX bit get it enforced directly. The project has had many other components, but some people refer to this first patch alone as Exec Shield.

This can be set on the kernel command line or through the kernel.exec-shield sysctl. Note that the sysctl only exists on Red Hat and Fedora kernels that carry the Exec Shield patch; a mainline kernel enforces NX through the CPU's hardware bit and has no kernel.exec-shield at all. It takes the following values:

– 0 completely disables Exec Shield and Address Space Layout Randomization
– 1 enables them ONLY for binaries whose application bits (per-binary markings) are set to "enable"
– 2 enables them by default, except for binaries whose application bits are set to "disable"
– 3 enables them always, whatever the application bits say

So we need something like this in sysctl.conf, then run sysctl -p:

kernel.exec-shield=3
kernel.randomize_va_space=2

kernel.randomize_va_space only defines three values: 0 disables randomization, 1 randomizes the stack, the mmap base and the VDSO, and 2 additionally randomizes the heap (brk). Use 2, which is already the default on current kernels; higher numbers are not defined and just behave like 2. On a kernel without the Exec Shield patch, sysctl -p will complain that kernel.exec-shield does not exist, so drop that line there. Lower the levels only if a legacy application breaks, and prefer fixing or relinking the application over weakening the whole system.


/proc and dmesg restrictions

Restricting what users can see under /proc. Useful against hostile local users, but not sufficient on its own:

hidepid accepts these values:

  • hidepid=0 (default): every user can see every process in /proc, the classic behaviour.
  • hidepid=1: an ordinary user no longer sees other users' processes in ps, top etc., because their /proc/PID directories are not readable, but those directories still exist, so the process IDs remain visible.
  • hidepid=2: like hidepid=1, but the /proc/PID directories of other users' processes are hidden completely, so even the PIDs cannot be enumerated. Kernels from 5.8 also accept the names noaccess, invisible and ptraceable (the last one, hidepid=4, shows only processes the user could ptrace) and display hidepid=2 as hidepid=invisible in /proc/mounts.

Edit fstab to look something like this, then remount /proc (or reboot):

proc    /proc    proc    defaults,nosuid,noexec,hidepid=2    0     0

Some services need to see other users' processes (systemd-logind is the usual example); the gid= mount option exempts one group from the restriction, so put such daemons in that group rather than dropping back to hidepid=0.


Restricting dmesg:

Edit sysctl.conf and add

kernel.dmesg_restrict=1

With this set, reading the kernel log (dmesg, /dev/kmsg) requires CAP_SYSLOG; otherwise unprivileged users get a ready source of kernel addresses, driver versions and device names from the boot log.

Hide kernel symbol addresses:

kernel.kptr_restrict=1

With 1, pointers printed with %pK (/proc/kallsyms, /proc/modules and friends) are shown as zeros to users without CAP_SYSLOG; 2 hides them from everyone, root included, and is the safer choice when nothing on the box needs to resolve kernel symbols.


TCP/IP stack hardening

#### ipv4 networking ####

## TCP SYN cookie protection (default)
## helps protect against SYN flood attacks
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies=1

## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337=1

## tcp timestamps (RFC 7323)
## + protect against wrapped sequence numbers (PAWS), needed at gigabit speeds
## + better round-trip time estimation
## - small per-segment overhead; older kernels also leaked uptime to scanners
##   such as nmap, but since 4.10 the timestamp offset is randomised per
##   connection, so that leak is gone
## leave them enabled unless you have measured a reason not to
net.ipv4.tcp_timestamps=1
#net.ipv4.tcp_timestamps=0

## source address verification (reverse path filtering)
## helps protect against spoofing attacks
## 1 = strict mode: the reply must leave through the interface the packet
## arrived on; use 2 (loose mode) on hosts with asymmetric routing or
## several uplinks, otherwise legitimate traffic gets dropped
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

## disable ALL packet forwarding (not a router, disable it) (default)
#net.ipv4.ip_forward=0

## log martian packets
net.ipv4.conf.all.log_martians=1

## ignore echo broadcast requests to prevent being part of smurf attacks (default)
net.ipv4.icmp_echo_ignore_broadcasts=1

## optionally, ignore all echo requests
## this is NOT recommended, as it ignores echo requests on localhost as well
#net.ipv4.icmp_echo_ignore_all = 1

## ignore bogus icmp errors (default)
net.ipv4.icmp_ignore_bogus_error_responses=1

## IP source routing (insecure, disable it) (default)
## set both "all" and "default" so newly created interfaces inherit it
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0

## send redirects (not a router, disable it)
#net.ipv4.conf.all.send_redirects=0

## ICMP routing redirects: reject them all. secure_redirects (default 1)
## only limits accepted redirects to ones from a known gateway and only
## matters when accept_redirects=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
#net.ipv4.conf.all.secure_redirects=1 (default)

## everything above is ipv4 only; the net.ipv6.conf.{all,default}.*
## counterparts (accept_redirects, accept_source_route) need setting separately
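Writing the settings down is only half the job; a line can be silently ignored (a sysctl the kernel does not have, such as kernel.exec-shield on mainline), overridden later by a distro drop-in, or simply hold a value the kernel never defined. The following added Python example, which is not code from the original post, parses a sysctl.conf-style file, compares every key with what /proc/sys reports, flags values outside the documented range (the randomize_va_space=3 case from the ASLR section above), and reads the hidepid option off the /proc mount from the earlier section. The function names and the KNOWN_RANGES table are this example's own choices; when run directly it audits the live /etc/sysctl.conf and /proc/mounts.

```python
"""Audit hardening sysctls and the /proc hidepid mount option.

Added example for this post, not code from the original page.  The
function names are assumptions; KNOWN_RANGES lists the value ranges the
kernel documents for the keys the post sets.
"""
import re
from pathlib import Path

# randomize_va_space only defines 0..2; kernel.exec-shield (Red Hat/Fedora
# kernels only) defines 0..3; the two restrict sysctls are 0..1 and 0..2.
KNOWN_RANGES = {
    "kernel.randomize_va_space": (0, 2),
    "kernel.exec-shield": (0, 3),
    "kernel.dmesg_restrict": (0, 1),
    "kernel.kptr_restrict": (0, 2),
}

# hidepid settings under which other users' /proc/PID entries are not
# enumerable (2/invisible hides them, 4/ptraceable shows only ptraceable ones)
HIDING_HIDEPID = {"2", "invisible", "4", "ptraceable"}


def parse_sysctl_conf(text):
    """Parse sysctl.conf syntax: blank lines, '#'/';' comments, 'key = value'
    and keys written with '/' instead of '.'.  Returns {dotted key: value}.
    Interface names containing dots are not handled by this simple mapping."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        entries[key.replace("/", ".")] = value
    return entries


def key_to_path(key):
    """Map a dotted sysctl key to its file under /proc/sys."""
    return Path("/proc/sys", *key.split("."))


def read_live(key):
    """Read the running value, or None when the kernel has no such sysctl
    (kernel.exec-shield on a mainline kernel, for instance)."""
    try:
        return key_to_path(key).read_text().strip()
    except FileNotFoundError:
        return None


def validate_conf(entries):
    """Flag configured values outside the documented range, e.g. the
    randomize_va_space=3 that gets copied between hardening guides."""
    problems = []
    for key, (low, high) in KNOWN_RANGES.items():
        if key not in entries:
            continue
        try:
            value = int(entries[key])
        except ValueError:
            problems.append((key, entries[key], "not an integer"))
            continue
        if not low <= value <= high:
            problems.append((key, entries[key], f"valid range is {low}..{high}"))
    return problems


def audit_sysctl(entries, read_value=read_live):
    """Compare each configured value with what the kernel reports.
    Returns [(key, expected, actual)]; actual is None when the sysctl is
    missing, which is itself a finding (the line silently does nothing)."""
    mismatches = []
    for key, expected in entries.items():
        actual = read_value(key)
        # multi-value sysctls come back whitespace-separated; compare tokens
        if actual is None or actual.split() != expected.split():
            mismatches.append((key, expected, actual))
    return mismatches


def proc_hidepid(mounts_text):
    """Return the hidepid= value of the /proc mount from /proc/mounts text
    (kernels >= 5.8 show hidepid=2 as hidepid=invisible), else None."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            match = re.search(r"(?:^|,)hidepid=([^,]+)", fields[3])
            return match.group(1) if match else None
    return None


def pids_hidden(mounts_text):
    """True when /proc is mounted so other users' PIDs cannot be enumerated."""
    return proc_hidepid(mounts_text) in HIDING_HIDEPID


if __name__ == "__main__":
    conf_path = Path("/etc/sysctl.conf")
    entries = parse_sysctl_conf(conf_path.read_text()) if conf_path.exists() else {}
    for key, value, why in validate_conf(entries):
        print(f"INVALID  {key}={value}: {why}")
    for key, expected, actual in audit_sysctl(entries):
        print(f"MISMATCH {key}: configured {expected}, kernel reports {actual}")
    mounts = Path("/proc/mounts").read_text()
    print("hidepid:", proc_hidepid(mounts), "- pids hidden:", pids_hidden(mounts))
```

Run it after sysctl -p and again after a reboot: a MISMATCH that appears only after rebooting usually means a drop-in under /etc/sysctl.d or a service is resetting the value later in boot, and a None actual value means the line never did anything on this kernel.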
