Default kernel network variables, sysctl, not secure enough.

To: debian-user@lists.debian.org
Subject: Default kernel network variables, sysctl, not secure enough.
From: "C.T.F. Jansen" <frank.jansen@actrix.gen.nz>
Date: Sun, 02 Feb 2014 13:47:36 +1300
Message-id: <52ED95A8.90408@actrix.gen.nz>
In-reply-to: <20130123233758.GD4249@hysteria.proulx.com>
References: <20130123233758.GD4249@hysteria.proulx.com>

Greetings,

Did a security audit on Debian 7 using tiger and found some less thansecure settings for network variables in the kernel.


One of the variables flagged was

                            net.ipv4.conf.all.rp_filter  .

This and the rest in this group can be set in /etc/sysctl.conf . Thecommented out values in this file look for all the world like thecorrect settings for a reasonably secure system. The default values aredifferent and leave openings that may be exploited.

The "documentation" referred to at the top of /etc/sysctl.conf has nouseful information in it. Haven't found any man pages yet that definethese variables.Had a look at www.kernel.org/doc/man-pages but this was not sufficientlyinformative.

Had a look in /usr/share/doc . Didn't notice anything. Looked throughthe package library for kernel documentation, information on sysctl andmore besides :


              apt-cache search kernel

this yielded a list :

              linux-doc-3.2
              debian-kernel-handbook
              linux-doc

Installed them and looked for man pages, nothing found, then through/usr/share/doc again. This had a number of extra files in it that seemedrelevant but the variables set were not found as such. A look in


  /usr/share/doc/linux-doc-32/Documentation/networking/ip-sysctl.txt

defines the values for the previously mentioned variable, with rp_filterat the end of it. The variable itself was not listed in this file so agrep did not find it. One had to look through each possible relevantfile, a number of them (by the way), and discover that the variabledefinitions were listed according to their relevant directory in /proc .In this case :


/proc/sys/net/ipv4/conf/all/rp_filter

The actual value in /proc , the one being used by the system, was thedefault which needs to be tightened up.

Editing /etc/sysctl.conf and uncommenting most of the settings willimprove the situation.

Someone put a README* in /etc/sysctl.d that suggested one put alocal.conf file in /etc/sysctl.d . This may be a better way to do itbut isn't documented anywhere, I think. It is less than obvious and maybe hard to find later.

Putting sysctl commands in start-up scripts may be challenging to findlater but site procedures vary. The variables can be set using sysctl aswell.

How about modifying the supplied /etc/sysctl.conf so that the currentlycommented out settings are uncommented since these are obviously betterand as recommended by various bodies as sound practise etc.

No need to take these ideas on the chin Bob :-)

Cheers,

frank.jansen@actrix.gen.nz, ZL2TTS

Reply to:

Follow-Ups:
- Re: Default kernel network variables, sysctl, not secure enough.
  - From: Reco <recoverym4n@gmail.com>

Prev by Date: Re: How can I secure a Debian installation?
Next by Date: Suggest a tool for decoding binary data
Previous by thread: Re: Question regarding swap partition when installing Linux Mint Debian.
Next by thread: Re: Default kernel network variables, sysctl, not secure enough.
Index(es):
- Date
- Thread