Network - security tuning

#1 Post by Mic67 »

Ok - this is a bunch of networking parameters that can be adjusted and are basically found in /proc/sys/net
and surrounding folders. Some may call this kernel tuning.
This is one of the aspects of Linux that is so amazing - once you understand it, it becomes useful.

These are not firewall rules per se but can act in similar ways.

Basically my approach to internet security is based on the PUPPY OS.
Kernel Tuning
firewall rules
Browser
HOST LIST

Well, if you have and use Puppy as intended, as a "live CD", it is the best direction towards internet security I have found: reboot and a fresh OS.

Kernel tuning is a set of parameters regarding networking, with the foremost concern for net security and not as a best "tune" for all or any other purposes (it may create issues with printing or ?).

Firewall rules: there are lots of them and many different ways to implement them. Mine are implemented for the greatest net security and not for other general computing. I don't make provision for email or printing in my firewall. To provide my ruleset would not work for most.

Browser is really important.
Dillo is probably the best (no Java included)
but not necessarily practical.

Opera is the most suitable but with a few special mods, re about:config:
Turn off BitTorrent
Look at extensions, I turn off the local loopback thingy there.
and a few other things.

I also use "loadmeter",
"IP STATE",
and best of all "IPTRAF", an IP network stat utility; it will show links to your computer that
netstat -tcp -udp -c
will not, namely the Windows hackers on UDP protocol trying to get ports 1023-1026 local loopback.
Now since it is UDP protocol it should show using the netstat command, but it DOES NOT. Why? Good question.

Getting hacked at the instant of logon to the net using Windows is what brought me to Linux.

I have got my system tuned so that I only may get hacked once a month. With Windows it was every 29 seconds. Stock Linux is ...yep, still very hackable, with the grace being that the Windows hackers usually can't be bothered, yet. System stalls while on the net usually constitute hacks, IMHO....

-----------------------------------
Ok, the following loads the iptables modules
_____________________________

MODPROBE="/sbin/modprobe"
# 2.6-era module names; newer kernels call the conntrack modules
# nf_conntrack and nf_conntrack_ftp instead
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp

_________________________

Ok, the network tuning
0 means "false"
1 means "true"
______________________________
#/proc/sys/net/ipv4/conf/all/
# "all" covers every interface, "default" is inherited by interfaces
# created later, "lo" is loopback. Ignore ICMP redirects, source routing
# and proxy ARP; enable reverse-path filtering against spoofed sources.
# Every path needs the leading "/": ">proc/sys/..." would just create a
# relative file named proc/sys/... in the current directory.

echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 >/proc/sys/net/ipv4/conf/all/arp_accept
echo 0 >/proc/sys/net/ipv4/conf/all/arp_announce
echo 0 >/proc/sys/net/ipv4/conf/all/arp_filter
echo 0 >/proc/sys/net/ipv4/conf/all/forwarding
echo 0 >/proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/all/secure_redirects
echo 0 >/proc/sys/net/ipv4/conf/all/send_redirects

#/proc/sys/net/ipv4/conf/default/

echo 0 >/proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 >/proc/sys/net/ipv4/conf/default/accept_source_route
echo 0 >/proc/sys/net/ipv4/conf/default/arp_accept
echo 0 >/proc/sys/net/ipv4/conf/default/arp_announce
echo 0 >/proc/sys/net/ipv4/conf/default/arp_filter
echo 0 >/proc/sys/net/ipv4/conf/default/forwarding
echo 0 >/proc/sys/net/ipv4/conf/default/proxy_arp
echo 1 >/proc/sys/net/ipv4/conf/default/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/default/secure_redirects
echo 0 >/proc/sys/net/ipv4/conf/default/send_redirects


#/proc/sys/net/ipv4/conf/lo/

echo 0 >/proc/sys/net/ipv4/conf/lo/accept_source_route
echo 0 >/proc/sys/net/ipv4/conf/lo/arp_accept
echo 0 >/proc/sys/net/ipv4/conf/lo/arp_announce
echo 0 >/proc/sys/net/ipv4/conf/lo/arp_filter
echo 0 >/proc/sys/net/ipv4/conf/lo/forwarding
echo 0 >/proc/sys/net/ipv4/conf/lo/proxy_arp
echo 1 >/proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/lo/secure_redirects
echo 0 >/proc/sys/net/ipv4/conf/lo/send_redirects

-------------------------
Firewall related
____________________
#/proc/sys/net/ipv4/netfilter/
# Connection-tracking table size and timeouts (seconds). Short timeouts
# drop idle state quickly; too short and long-lived sessions get cut off.

# ip_conntrack_buckets and ip_conntrack_count are read-only here: the hash
# size comes from the module's hashsize parameter, count is the live total.
#echo 2222 >/proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
echo 1 >/proc/sys/net/ipv4/netfilter/ip_conntrack_checksum
#echo 1 >/proc/sys/net/ipv4/netfilter/ip_conntrack_count
echo 343 >/proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
echo 2 >/proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout
echo 1 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
echo 2222 >/proc/sys/net/ipv4/netfilter/ip_conntrack_max
#echo 0 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#echo 0 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
#echo 0 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans
echo 5 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
# keep the space before ">": "echo 4>file" redirects fd 4 and writes nothing
echo 4 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
echo 343 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo 4 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
echo 5 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack
#echo 0 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans
#echo 0 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
#echo 0 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent
echo 5 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
echo 4 >/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
echo 5 >/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream

#/proc/sys/net/ipv4/
# ICMP: drop all echo requests and broadcast pings, ignore bogus errors,
# rate-limit replies. Then TCP/IP stack limits and features.

echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 >/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 2 >/proc/sys/net/ipv4/icmp_ratelimit
echo 2 >/proc/sys/net/ipv4/icmp_ratemask
echo 2 >/proc/sys/net/ipv4/igmp_max_memberships
echo 2 >/proc/sys/net/ipv4/igmp_max_msf
echo 343 >/proc/sys/net/ipv4/inet_peer_maxttl
echo 2222 >/proc/sys/net/ipv4/ip_conntrack_max
echo 69 >/proc/sys/net/ipv4/ip_default_ttl
echo 1 >/proc/sys/net/ipv4/ip_dynaddr
echo 0 >/proc/sys/net/ipv4/ip_forward
echo 123 >/proc/sys/net/ipv4/ipfrag_secret_interval
# two numbers in one write: low and high end of the ephemeral port range
echo "35555 65000" >/proc/sys/net/ipv4/ip_local_port_range
echo 0 >/proc/sys/net/ipv4/tcp_abort_on_overflow
echo 0 >/proc/sys/net/ipv4/tcp_dsack
echo 2222 >/proc/sys/net/ipv4/tcp_max_orphans
echo 1024 >/proc/sys/net/ipv4/tcp_max_syn_backlog
echo 2222 >/proc/sys/net/ipv4/tcp_max_tw_buckets
echo 0 >/proc/sys/net/ipv4/tcp_moderate_rcvbuf
#echo 0 >/proc/sys/net/ipv4/tcp_mtu_probing
echo 1 >/proc/sys/net/ipv4/tcp_no_metrics_save
echo 0 >/proc/sys/net/ipv4/tcp_orphan_retries
#echo 0 >/proc/sys/net/ipv4/tcp_reordering
echo 0 >/proc/sys/net/ipv4/tcp_rfc1337
echo 0 >/proc/sys/net/ipv4/tcp_sack
echo 0 >/proc/sys/net/ipv4/tcp_slow_start_after_idle
#echo 0 >/proc/sys/net/ipv4/tcp_synack_retries
echo 0 >/proc/sys/net/ipv4/tcp_syn_retries
echo 0 >/proc/sys/net/ipv4/tcp_timestamps
#echo 0 >/proc/sys/net/ipv4/tcp_workaround_signed_windows

-----------------------------------------------
Cheers, Mic 67
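Added example, not part of Mic67's post or of Puppy: a small POSIX sh helper that applies the on/off hardening knobs from the post (redirects, source routing, forwarding, rp_filter, the ICMP ignores) and, more usefully, audits a running kernel against them so you can see which ones drifted or do not exist on your kernel. It uses the dotted sysctl names, which map straight onto /proc/sys paths, so a typo cannot silently create a stray file the way a missing leading slash does with echo. The conntrack timeouts are left out on purpose: they are tuning rather than hardening, and their /proc names changed on later kernels. Assumptions: /bin/sh, a readable /proc/sys, root for writing; the optional directory argument to each function exists only so the script can be exercised against a fake tree.

```shell
#!/bin/sh
# Added example: apply and audit the IPv4 hardening sysctls from the post.
# Assumes POSIX sh and a /proc/sys tree (root needed to write to it).

# "key value" pairs, one per line. Dotted key -> /proc/sys/<key with . as />.
HARDENING='
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.forwarding 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.default.rp_filter 1
net.ipv4.ip_forward 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
'

# sysctl_path KEY ROOT: file behind a dotted key,
# e.g. net.ipv4.ip_forward -> ROOT/net/ipv4/ip_forward
sysctl_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr '.' '/')"
}

# audit_sysctls [ROOT]: print "DRIFT key current wanted" or "MISSING key"
# for every problem. Returns 0 only when every key exists and matches.
# ROOT defaults to /proc/sys; any other directory is treated the same way.
audit_sysctls() {
    root=${1:-/proc/sys}
    problems=0
    while read -r key want; do
        [ -n "$key" ] || continue
        file=$(sysctl_path "$key" "$root")
        if [ ! -r "$file" ]; then
            printf 'MISSING %s\n' "$key"
            problems=$((problems + 1))
            continue
        fi
        have=$(cat "$file")
        if [ "$have" != "$want" ]; then
            printf 'DRIFT %s %s %s\n' "$key" "$have" "$want"
            problems=$((problems + 1))
        fi
    done <<EOF
$HARDENING
EOF
    [ "$problems" -eq 0 ]
}

# apply_sysctls [ROOT]: write every wanted value. Keys the kernel does not
# expose are reported and skipped instead of creating a stray regular file.
apply_sysctls() {
    root=${1:-/proc/sys}
    while read -r key want; do
        [ -n "$key" ] || continue
        file=$(sysctl_path "$key" "$root")
        if [ -w "$file" ]; then
            printf '%s\n' "$want" > "$file"
        else
            printf 'skip (not writable): %s\n' "$key" >&2
        fi
    done <<EOF
$HARDENING
EOF
}

# Run directly: "./harden.sh --audit" reports drift on the live kernel,
# "./harden.sh --apply" (as root) writes the values and then re-audits.
case "${1:-}" in
    --apply) apply_sysctls && audit_sysctls ;;
    --audit) audit_sysctls ;;
esac
```

The audit is the part worth keeping around: a kernel upgrade or a distro sysctl.conf can quietly reset rp_filter or accept_redirects, and a one-line DRIFT report is easier to act on than re-reading forty echo lines. Interface names containing a dot (VLAN interfaces such as eth0.100) would need quoting the kernel itself does not support in dotted form, so for those read the /proc path directly.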

NinerSevenTango
Posts: 186
Joined: Sun 17 Jun 2007, 18:25

#2 Post by NinerSevenTango »

For other noobs like me, this page explains a lot of what is going on in the above:

http://www.securityfocus.com/infocus/1711

And it looks like these are very good ideas (to me, being that I am used to Kerio and new to Linux).

--97T--
