sysctl(8)

Traditionally, Linux exposed kernel state, and what was currently happening on the system, through the /proc pseudo filesystem. /proc gives great insight into running processes and kernel state, but its original purpose was to expose that state rather than to provide a general mechanism for changing it. BSD systems use the sysctl(8) mechanism to both view and modify kernel state on the fly.

sysctl(8) uses MIB-style names (such as net.inet.ip.ttl) to describe each viewable and modifiable parameter. To see all available MIBs, use the -a switch and pipe the (very large) output to a pager:

sysctl -a | more

Having the ability to change MIBs on the fly with the -w switch makes it easy to have the kernel apply a security setting immediately on a running system. A change made this way is lost at reboot; to make it permanent, add the same name=value line to /etc/sysctl.conf, which the BSDs read at boot. As an example, many security settings affect the values inserted into the headers of the packets seen on TCP/IP networks. You can easily view the current settings for each protocol by filtering the full list:

sysctl -a | grep ip
sysctl -a | grep tcp
sysctl -a | grep udp
sysctl -a | grep icmp
sysctl -a | grep arp

Here are some examples of possible MIB changes that increase protection against common attacks:

• To change the TTL value in the IP header. The default TTL is one of the checks Nmap uses when trying to fingerprint the operating system (see http://insecure.org/nmap/osdetect/osdetect-methods.html). Note that this alters only one of Nmap's many probes, so it obscures the operating system rather than preventing fingerprinting:

sysctl -w net.inet.ip.ttl=255

• To randomize the IP ID field, which defeats information gathering that counts the hosts behind a NAT device by watching for sequential IP IDs (on FreeBSD):

sysctl -w net.inet.ip.random_id=1

• To ignore ICMP redirect messages, which an attacker on the local network can use to rewrite the host's routing table and divert its traffic through a machine under the attacker's control (redirects play no part in smurf or fraggle amplification; that is addressed by the broadcast settings in the next item):

On FreeBSD:

sysctl -w net.inet.icmp.drop_redirect=1

On NetBSD/OpenBSD:

sysctl -w net.inet.icmp.rediraccept=0

• To protect against smurf attacks, in which a host becomes an amplifier by answering ICMP echo requests sent to a broadcast address, stop the kernel from answering broadcast and multicast echo requests and from forwarding directed broadcasts:

On FreeBSD/OpenBSD (a value of 1 enables the replies, so this must be set to 0):

sysctl -w net.inet.icmp.bmcastecho=0

On NetBSD/OpenBSD:

sysctl -w net.inet.ip.directed-broadcast=0

• To disable source routing, which lets the sender dictate the path a packet takes and can give an attacker a way to reach internal systems:

On FreeBSD (accept_sourceroute governs source-routed packets addressed to this host; net.inet.ip.sourceroute=0 additionally stops the host forwarding them):

sysctl -w net.inet.ip.accept_sourceroute=0

On NetBSD:

sysctl -w net.inet.ip.allowsrcrt=0

On OpenBSD the corresponding MIB is net.inet.ip.sourceroute=0, which is also its default.

On a FreeBSD system, blackhole(4) provides some protection against stealth Nmap scans: when enabled, the kernel silently drops packets sent to closed ports instead of answering with a TCP RST or an ICMP port unreachable message, so a scanner cannot tell a closed port from a filtered one. For TCP, a value of 1 drops only SYN segments to closed ports and 2 drops all segments to closed ports. Be aware that the same silence makes legitimate clients that hit a closed port wait for a timeout rather than fail immediately:

sysctl -w net.inet.tcp.blackhole=2
sysctl -w net.inet.udp.blackhole=1
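The settings above are usually applied one at a time and never checked again. The following script is an added example, not code from the original article: it collects the MIBs discussed above into one per-OS list, applies them, and then reads every value back with sysctl -n so that a MIB the running kernel does not have (names vary between releases) is reported as MISSING instead of being silently skipped. The script name bsd-net-harden.sh, the FreeBSD net.inet.ip.sourceroute and NetBSD net.inet.ip.forwsrcrt entries (the forwarding counterparts of the source-route MIBs) and the OpenBSD net.inet.ip.sourceroute entry are assumptions beyond what the article lists.

```shell
#!/bin/sh
# Added example (not from the original article): apply and verify the network
# hardening MIBs discussed above on FreeBSD, NetBSD and OpenBSD.
# Assumptions: hypothetical script name bsd-net-harden.sh; the MIB names below
# match the running release (a MIB this kernel lacks is reported as MISSING).
# sysctl -w changes do not survive a reboot; persist them in /etc/sysctl.conf.

# Print the "name=value" pairs for one OS, one per line; fail on an unknown OS.
hardening_mibs() {
    case "$1" in
    FreeBSD) cat <<'EOF'
net.inet.ip.ttl=255
net.inet.ip.random_id=1
net.inet.icmp.drop_redirect=1
net.inet.icmp.bmcastecho=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
EOF
        ;;
    NetBSD) cat <<'EOF'
net.inet.ip.ttl=255
net.inet.icmp.rediraccept=0
net.inet.icmp.bmcastecho=0
net.inet.ip.directed-broadcast=0
net.inet.ip.allowsrcrt=0
net.inet.ip.forwsrcrt=0
EOF
        ;;
    OpenBSD) cat <<'EOF'
net.inet.ip.ttl=255
net.inet.icmp.rediraccept=0
net.inet.icmp.bmcastecho=0
net.inet.ip.directed-broadcast=0
net.inet.ip.sourceroute=0
EOF
        ;;
    *) return 1 ;;
    esac
}

mib_name()  { printf '%s\n' "${1%%=*}"; }   # "a.b=1" -> "a.b"
mib_value() { printf '%s\n' "${1#*=}"; }    # "a.b=1" -> "1"

# Read the live value of one MIB; non-zero status if the kernel lacks it.
current_value() {
    v=$(sysctl -n "$1" 2>/dev/null) && [ -n "$v" ] && printf '%s\n' "$v"
}

# Compare every MIB for OS $1 against the live kernel. Prints one line per MIB
# (ok / MISMATCH / MISSING) and returns 1 if anything is not "ok".
check_mibs() {
    hardening_mibs "$1" >/dev/null || { echo "unsupported OS: $1" >&2; return 2; }
    check_rc=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        name=$(mib_name "$entry"); want=$(mib_value "$entry")
        if have=$(current_value "$name"); then
            if [ "$have" = "$want" ]; then
                printf 'ok       %s=%s\n' "$name" "$want"
            else
                printf 'MISMATCH %s: want %s, have %s\n' "$name" "$want" "$have"
                check_rc=1
            fi
        else
            printf 'MISSING  %s: not present in this kernel\n' "$name"
            check_rc=1
        fi
    done <<EOF
$(hardening_mibs "$1")
EOF
    return $check_rc
}

# Apply every MIB for OS $1 with sysctl -w; report the ones the kernel refuses.
apply_mibs() {
    hardening_mibs "$1" >/dev/null || { echo "unsupported OS: $1" >&2; return 2; }
    apply_rc=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        sysctl -w "$entry" >/dev/null 2>&1 || { echo "failed: $entry" >&2; apply_rc=1; }
    done <<EOF
$(hardening_mibs "$1")
EOF
    return $apply_rc
}

# Usage: sh bsd-net-harden.sh check | apply   (apply needs root)
if [ $# -gt 0 ]; then
    case "$1" in
    check) check_mibs "$(uname -s)" ;;
    apply) apply_mibs "$(uname -s)" && check_mibs "$(uname -s)" ;;
    *) echo "usage: $0 check|apply" >&2; exit 2 ;;
    esac
fi
```

Run it as `sh bsd-net-harden.sh check` to audit a host without changing anything; the non-zero exit status on any MISMATCH or MISSING line makes it usable from a monitoring job. The apply path re-runs the check afterwards, so a setting the kernel accepted but did not actually change (for example a MIB that is read-only on that release) still shows up.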

On NetBSD and OpenBSD, the sysctl MIBs are described in the sysctl manual pages (sysctl(7) on NetBSD and sysctl(2) on OpenBSD, with sysctl(8) covering the command itself). In FreeBSD, the networking MIBs are described with each protocol, for example in ip(4), tcp(4) and icmp(4).
