Network Security with /proc/sys/net/ipv4
In addition to firewall rulesets, the /proc filesystem offers some significant enhancements to your network security settings. Unfortunately, most of us are unaware of anything beyond the vague rumors and advice we've heard about this beast. In this article, we'll review some of the basic essentials of the /proc/sys/net/ipv4 filesystem necessary to add to the overall network security of your Linux server.
/proc/sys/net/ipv4
Perhaps one of the more frequently neglected areas of firewall configuration involves the /proc filesystem. The pseudo file structure within proc allows you to interface with the internal data structures in the kernel, either obtaining information about the system or changing specific settings. Some of the parts of /proc are read-only, while others can be modified. It is often referred to as a virtual filesystem in that it doesn't take up any actual hard drive space; files are created only on demand when you access them. In this article, we will be focusing specifically on /proc/sys/net/ipv4.
In order to benefit from the use of the /proc filesystem, you'll need to enable two settings when building your kernel. CONFIG_PROC_FS is the setting that allows you to access and view the /proc filesystem, and CONFIG_SYSCTL is the bit that actually allows you to modify /proc entries without requiring a reboot of the system or a recompile of the kernel. Settings are only available at boot time after the /proc file system has been mounted.
ICMP Specific Settings
Ping scanning is typically used to determine which hosts on a network are up. Usually this is done by sending ICMP ECHO request packets to the target host. This is seemingly innocent behavior; however, network administrators often block such traffic to increase their obscurity. The choices involve blocking ICMP ECHO requests to broadcast/multicast addresses and directly to the host itself. To enable protection against both types of ICMP ECHO requests, use the following commands:
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
ICMP redirect messages can also be a pain. If your box is not acting as a router, you'll probably want to disable them:
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
Sometimes you will come across routers that send out invalid responses to broadcast frames. This is a violation of RFC 1122, "Requirements for Internet Hosts -- Communication Layers". As a result, these events are logged by the kernel. To avoid filling up your logfile with unnecessary clutter, you can tell the kernel not to issue these warnings:
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
IP Specific Settings
Ironically, IP forwarding of packets between interfaces is enabled by default on many systems in their startup scripts. If you're not intending for your box to forward traffic between interfaces, or if you only have a single interface, it would probably be a good idea to disable forwarding. Note that altering this value resets all configuration parameters to their default values; specifically, RFC1122 for hosts and RFC1812 for routers. As a result, you'll want to modify this one before all other /proc settings.
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    echo "Disabling IP forwarding"
    echo "0" > /proc/sys/net/ipv4/ip_forward
fi
If instead you decide to enable forwarding, you will also be able to modify the rp_filter setting, something that is often misunderstood by network administrators. The rp_filter can reject incoming packets if their source address doesn't match the network interface they're arriving on, which helps to prevent IP spoofing. Turning this on, however, has its consequences: if your host has several IP addresses on different interfaces, or if your single interface has multiple IP addresses on it, you'll find that your kernel may end up rejecting valid traffic. It's also important to note that even if you do not enable the rp_filter, protection against broadcast spoofing is always on. Also, the protection it provides is only against spoofed internal addresses; external addresses can still be spoofed. By default, it is disabled. To enable it, run the following:
if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo "Enabling rp_filter"
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
fi
You may have also noticed the "all" subdirectory in this last example. In /proc/sys/net/ipv4/conf there is one subdirectory for each interface on your system along with one directory called "all". Changing specific interface directories only affects that specific interface, while changes made to the "all" directory affect all interfaces on the system.
If you have compiled your kernel with CONFIG_SYNCOOKIES, you will be able to optionally turn on or off protection against SYN flood attacks. Note that compiling the kernel with this option does not enable it by default. It works by sending out 'syncookies' when the syn backlog queue of a socket overflows. What is often misunderstood is that socket backlogging is not supported in newer operating systems, which means that your error messages may not be correctly received by the offending system. Also, if you see synflood warnings in your logs, make sure they are not the result of a heavily loaded server before enabling this setting. Syncookies can also cause connection problems for other hosts attempting to reach you. However, if you do want to enable this setting, perform the following:
if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo "Enabling tcp_syncookies"
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
fi
Normally, a host has no control over the route any particular packet takes beyond its first hop. It is up to the other hosts on the network to complete the delivery. IP Source Routing (SRR) is a method of specifying the exact path that a packet should take among the other hosts to get to its destination. This is generally a bad idea for the security conscious, as someone could direct packets to you through a trusted interface and effectively bypass your security in some cases. For example, traffic such as SSH or telnet that is blocked on one interface might arrive on another of your host's interfaces if source routing is used, something you might not have anticipated in your firewall settings. You'll probably want to disable this setting with:
if [ -r /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    echo "Disabling source routing"
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
fi
Packets that have source addresses with no known route are referred to as "martians". For example, if you have two different subnets plugged into the same hub, the routers on each end will see each other as martians. Such packets should never show up in the first place; to log them to the kernel log when they do, you'll need to issue:
if [ -r /proc/sys/net/ipv4/conf/all/log_martians ]; then
    echo "Enabling logging of martians"
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
fi
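The snippets above can be collected into one script that first audits the current values of every setting discussed in this article and then applies them in the order the article requires (ip_forward first, since changing it resets the other parameters). This is an added example, not code from the original article; the function names, the expected-value list and the base-directory argument (which lets the audit run against a copy of the tree rather than the live /proc) are assumptions of the example, and ip_forward=0 assumes the host is not a router.

```shell
#!/bin/sh
# Audit and apply the /proc/sys/net/ipv4 hardening settings from the article.
# Each entry is "knob|expected". ip_forward is listed FIRST on purpose:
# the article notes that writing it resets the other parameters to their
# RFC 1122/1812 defaults, so it must be applied before everything else.
# Expected values are the article's recommendations for a non-routing host.
IPV4_EXPECTED="ip_forward|0
icmp_echo_ignore_broadcasts|1
icmp_echo_ignore_all|1
icmp_ignore_bogus_error_responses|1
conf/all/accept_redirects|0
conf/all/rp_filter|1
conf/all/accept_source_route|0
conf/all/log_martians|1
tcp_syncookies|1"

# audit_ipv4 [BASE]: print one OK/MISMATCH line per knob and return the
# number of mismatches (a missing or unreadable knob counts as a mismatch).
# BASE defaults to the live tree; a copy can be passed for testing.
audit_ipv4() {
    base="${1:-/proc/sys/net/ipv4}"
    mismatches=0
    for entry in $IPV4_EXPECTED; do
        knob="${entry%|*}"
        expected="${entry#*|}"
        path="$base/$knob"
        if [ -r "$path" ]; then
            current=$(cat "$path")
        else
            current="missing"
        fi
        if [ "$current" = "$expected" ]; then
            echo "OK       $knob = $current"
        else
            echo "MISMATCH $knob = $current (expected $expected)"
            mismatches=$((mismatches + 1))
        fi
    done
    return $mismatches
}

# harden_ipv4 [BASE]: write the expected value to every writable knob,
# in list order, mirroring the "if [ -r ... ]; then echo ..." guards above.
harden_ipv4() {
    base="${1:-/proc/sys/net/ipv4}"
    for entry in $IPV4_EXPECTED; do
        knob="${entry%|*}"
        expected="${entry#*|}"
        path="$base/$knob"
        if [ -w "$path" ]; then
            echo "$expected" > "$path"
        else
            echo "skipping $knob (not present or not writable)" >&2
        fi
    done
}
```

Run `audit_ipv4` as an unprivileged user to see which settings differ from the recommendations; `harden_ipv4` needs root to write the live tree.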
Additional Resources
For more information regarding the /proc filesystem, you may want to refer to the documentation that comes with the Linux kernel source. Of specific help is Documentation/filesystems/proc.txt by Bowden, Bauer & Nerin. Additionally, you can refer to Documentation/networking/ip-sysctl.txt by Kuznetsov & Savola.
About the Author
David Lechnyr is a Network Administrator at the Human Resources department of the University of Oregon. He holds a Master's Degree in Social Work along with his MCSE+I, CNE, and CCNA certifications. He has been working with Linux for the past five years, with an emphasis on systems security, network troubleshooting, PHP scripting, and web/SQL integration.