Security

Common rule

The common rule for creating your own kernel is:
"Deactivate everything you do not need."
This not only gets you a truly small kernel, it also helps avoid bugs in unfinished parts of the kernel source. The common rule should include deactivating module support ("[ ] Enable loadable module support"). Injecting a rootkit at runtime will then be much harder for any attacker.

/proc-Filesystem

Dropping ICMP packets

# /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

This tells the kernel to drop any ICMP packets of type 0 (zero). In a network, ping is only useful for testing connectivity, so no one but root actually needs ping.

Ignoring "broadcast pings"

# /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

This deactivates automatic answers to ICMP broadcasts and protects against smurf attacks.

Deactivating "source routed packets"

# /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

Attackers could use source-routed packets to generate traffic that appears to be intranet traffic but was actually created outside and redirected.

"bad error messages" protection

# /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

Activates protection against "bogus error message responses".

Deactivation of "IP forwarding"

# /bin/echo "0" > /proc/sys/net/ipv4/ip_forward

This option is only required by routers (= hosts with multiple network interfaces). By default, this should be disabled.

Logging

# /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

This logs spoofed packets as well as "source routed" and "redirect" packets.

proc-Script

As changes to /proc entries are lost on every reboot of the system, I recommend saving the changes in a script (its form differs among distributions).

#!/bin/sh

## DECLARATION of the VARIABLES ##
echo="/bin/echo"

## for GENTOO-Users ##
depend() {
use checkroot
}

## other SPECIAL OPTIONS for this script ##
# ...

## BEGINNING to WORK ##
$echo "Setting /proc options ..."
$echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
$echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
$echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
$echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
$echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for i in /proc/sys/net/ipv4/conf/*; do
   $echo "1" > "$i/rp_filter"
done
$echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
$echo "0" > /proc/sys/net/ipv4/ip_forward
$echo "DONE"
exit 0

How to call it at boot differs among distributions. Describing all methods would go beyond the scope of this document.
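
As an added example (not part of the original page): a small audit that compares the live /proc values with the ones the script above sets, so a setting that was lost after a reboot or changed by hand is noticed. The names PROC_ROOT, check_one, audit_proc and the file name audit-proc.sh are assumptions of this example.

```sh
#!/bin/sh
# Added example: compare live /proc values with the ones the script above sets.
# PROC_ROOT is a name introduced for this example; it lets the audit run
# against a copy or a test tree instead of the real /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Expected values from this page's script, relative to sys/net/ipv4.
EXPECTED="icmp_echo_ignore_all=1
icmp_echo_ignore_broadcasts=1
conf/all/accept_source_route=0
conf/all/accept_redirects=0
icmp_ignore_bogus_error_responses=1
conf/all/log_martians=1
ip_forward=0"

# check_one KEY WANT: print a finding and return 1 when the value is
# unreadable or differs from WANT.
check_one() {
    file="$PROC_ROOT/sys/net/ipv4/$1"
    if [ ! -r "$file" ]; then
        echo "MISSING $1"
        return 1
    fi
    have=$(cat "$file")
    if [ "$have" != "$2" ]; then
        echo "DRIFT   $1 is $have, expected $2"
        return 1
    fi
}

# audit_proc: check every expected value, then rp_filter on each interface
# directory, as the script's for loop does. Returns 0 only with no findings.
audit_proc() {
    findings=0
    for pair in $EXPECTED; do
        check_one "${pair%%=*}" "${pair#*=}" || findings=$((findings + 1))
    done
    for dir in "$PROC_ROOT"/sys/net/ipv4/conf/*; do
        [ -d "$dir" ] || continue
        check_one "conf/${dir##*/}/rp_filter" 1 || findings=$((findings + 1))
    done
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Run the audit only when asked to, e.g.: sh audit-proc.sh run
if [ "${1:-}" = "run" ]; then
    audit_proc
    exit $?
fi
```

The non-zero exit status on any finding makes the audit usable from cron or a monitoring check.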

Bootloader

LILO

To disable passing kernel parameters at boot time, the following entries have to be made in /etc/lilo.conf:

password="password_in_plain-text"

This file should then be readable only by root, as otherwise anybody could read the plain-text password. On Unix, this is done with:

$ su
# chmod 0600 /etc/lilo.conf*

With the following entry in /etc/lilo.conf, any further image can only be started with a password:

image="/boot/bzImage.bsp"
label="GNU/Linux"
# Protect image by using a password:
restricted

GRUB

With GRUB, plain-text as well as MD5-encrypted passwords can be used. This is done as follows:

# grub
grub> md5crypt
Password: **********
Encrypted: $1$U$JK7xFegdxWH6VuppCUSIb

The encrypted password has to be saved in /boot/grub/menu.lst:

#
# Sample boot menu configuration file
#
# [...]

# you can use md5-passwords ...
password --md5 $1$U$JK7xFegdxWH6VuppCUSIb

# ... or plain-text passwords:
password **********

# [...]

title Boot OS
# this image is locked by a password
lock

/etc/fstab

This is an excerpt of a fstab:

/dev/hd[a-z][0-9]      /boot      ext3      noauto,noatime      1   1

"The partition will not be automatically mounted when you're using noauto. That's good, because normally you don't need to do anything there except for copying new kernels or installing the bootloader to it. So for security reasons it's recommended not to mount it.",
KillerFox 2005-04-25 19:16:23 @irc.forkbomb.ch, #uscc

/etc/syslog.conf

daemon,mail.*;\
news.=crit;news.=err;news.=notice;\
*.=debug;*.=info;\
*.=notice;*.=warn      /dev/tty8

These entries cause the selected log messages to be written to tty8 in addition to their usual destinations.


http://kernel-project.kickino.org/index_ie_en.php?action=security
Last Change: 2011-05-04 21:17:57