This is the ninth in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.
In Part 1 we reviewed a secure partitioning strategy, in Part 2 we performed a minimal install, in Part 3 we performed some mandatory housekeeping before starting the hardening process, in Part 4 we secured ssh, in Part 5 we enabled system accounting, in Part 6 we minimized network services, in Part 7 we configured the firewall and in Part 8 we minimized boot services. In this post we harden the network parameters.
A Word of Caution
The actions outlined in these posts have been performed on a clean install of OEL 5.5 exactly as documented in these posts. If you are contemplating taking these actions on an existing server, please take appropriate precautions such as:
- Backing up the server
- Reviewing the content of all scripts before running them
- Testing the actions on a non-production server
The hardening steps in these posts were performed in the order posted. Performing these steps in a different order my result in unpredictable behavior. Also, all these scripts MUST be run as root, not as sudo.
net.ipv4.tcp_max_syn_backlog = 4096
This parameter controls the maximum number of incomplete tcp requests that will be remembered. The higher the number, the better the chance the server will survive a syn flood attack. The OEL 5.5 default is 1024.
net.ipv4.tcp_syncookies = 1
This parameter turns syn cookies on when set to one. With syn cookies on, if the above backlog (4096) is reached, typically only during a syn flood attack, the server responds to the request with a syn cookie and forgets the request. If it is a good request, the client will eventually send a third ACK request whereupon the server will recognize the syn cookie and rebuild the connection in memory. Since syn flood requests never send the third ACK, this allows the server to ignore the bad requests and respond to the good requests although at the loss of some performance but enabling the survival of the server during the attack.
net.ipv4.conf.all.rp_filter = 1
When set to 1, this parameter enables a check to see that packets arriving at the interface will be responded to via the same interface thus helping to prevent spoofing of source addresses. In the rare cases where asynchronous routing is intended, this check should not be turned on.
net.ipv4.conf.all.accept_source_route = 0
When set to 0, the default in OEL 5.5, disables IP source routing, typically only used in source spoofing attacks.
net.ipv4.conf.all.accept_redirects = 0
When set to zero, disables ICMP redirects. The default in OEL 5.5 is 1.
net.ipv4.conf.all.secure_redirects = 0
When set to 0, prevents redirect even from gateways in the local routing table since source addresses can be spoofed. The OEL 5.5 default is 1.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
The previous 'all' parameters impact the interfaces available at boot time. These 'default' parameters impact interfaces added later (USB or PCMCIA network card).
net.ipv4.icmp_echo_ignore_broadcasts = 1
When set to one, the OEL default, the server will not respond to broadcast pings.
Download the following script that hardens the network parameters and run as root:
Additional Network Parameters
If the server is NOT going to function as a gateway or firewall then also download and run the following script as root: