ArchLinux:Security: Difference between revisions

From Wiki³
No edit summary
Line 41: Line 41:


= {{Icon24|sitemap}} Sysctl =
= {{Icon24|sitemap}} Sysctl =
Being honest, Arch Linux comes fairly secure out of the box. Things like source routed packets, packet forwarding, multicast packet forwarding and ICMP redirection all default to disabled. Alas, improvements can still be made.
[[archwiki:sysctl|Sysctl]] can be used to change kernel parameters at runtime by adding to the file {{mono|/etc/sysctl.d/99-sysctl.conf}}. There are several improvements that can be made here security wise. Not all of these will be optimal in every use case scenario, but none of them will have harmful effects on your system.
== {{Icon|notebook}} Log Martian Packets ==
Setup logging on martian packets so as an administrator one can diagnose the system when an attacker is sending spoofed packets.
{{Console|1=net.ipv4.conf.default.log_martians{{=}}1<br/>net.ipv4.conf.all.log_martian{{=}}1|prompt=false}}
== {{Icon|notebook}} Secure ICMP Routing Redirects ==
If the source gateway is compromised then an user can update the routing table using Secure ICMP redirects. This can potentially lead to remote packet capture.<br/>This can be disabled.
{{Console|1=net.ipv4.conf.all.secure_redirects{{=}}0<br/>net.ipv4.conf.default.secure_redirects{{=}}0|prompt=false}}
== {{Icon|notebook}} Send Redirects ==
An unauthorized user can use a compromised host to send ICMP redirects packets to another routing device to corrupt its routing. This functionality can be disabled.
{{Console|1=net.ipv4.conf.default.send_redirects{{=}}0<br/>net.ipv4.conf.all.send_redirects{{=}}0|prompt=false}}
== {{Icon|notebook}} TCP SYN ==
An attacker can start a DDoS attack at the server by flooding it with SYN packets without initializing three way handshake. Setting this will helps protect against SYN flood attacks, however it only kicks in when {{mono|net.ipv4.tcp_max_syn_backlog}} is reached.
{{Console|1=net.ipv4.tcp_syncookies{{=}}1|prompt=false}}
== {{Icon|notebook}} TCP Time-wait ==
To protect against TCP time-wait assassination hazards drop all RST packets for sockets in the time-wait state (not widely supported outside of Linux, but conforms to RFC).
{{Console|1=net.ipv4.tcp_rfc1337{{=}}1|prompt=false}}


[[Category:Arch Linux]]
[[Category:Arch Linux]]

Revision as of 10:33, 25 July 2017

IconUNDER CONSTRUCTION: The document is currently being modified!

Icon Introduction

This is geared at providing a checklists one can walk through after setting up a new Arch Linux installation that has an open connection to the internet. Whether it is a server or just a machine at home that you have ports open on; some if not all of this information might be useful to you.

IconWARNING: While I have administered BSD and Linux machines for many years now, I am not a security expert!

Icon Crontab

Restricting access to crontab is as simple as creating a /etc/cron.allow and inserting only the names of users you want to allow access to crontab. Every other user on the system will be denied crontab access.

# sudo vim /etc/cron.allow


root
kyau

Icon Firewall

Uncomplicated Firewall or ufw is a great choice and it's simple to setup.

Install the package.

# pacaur -S ufw

Setup some basic rules that will allow SSH but deny everything else.

# sudo ufw default deny
# sudo ufw allow SSH
IconWARNING: It is highly recommended to open a new SSH window at this point (without closing the current) and verify SSH access still works.

Enable ufw on boot and then start the service.

# sudo systemctl enable ufw
# sudo ufw enable

To query the rules being applied use the status command argument.

# sudo ufw status

To see a list of all applications in the ufw database use the app argument.

# sudo ufw app list

If the creation of a custom application is needed, make one in the /etc/ufw/applications.d directory.

# sudo vim /etc/ufw/applications.d/mycustomapp


[mycustomapp]
title=My Custom App
description=Custom App for Blah
ports=11000:11005/tcp|11010/udp

This would create a custom application filter on ports 11000-11005 using tcp and port 11010 using udp. It would then merely need to be enabled.

# sudo ufw allow mycustomapp

Icon Blacklisting IPs

It might be desirable to blacklist an IP address, maybe you have seen brute force attempts from it or maybe you just want to block it. This can be done by editing /etc/ufw/before.rules. Add the blacklisting to the end of the file before COMMIT.

# sudo vim /etc/ufw/before.rules


## blacklist section
# block just 8.8.8.8
-A ufw-before-input -s 8.8.8.8 -j DROP
# block 8.8.*.*
-A ufw-before-input -s 8.8.0.0/16 -j DROP

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Icon Disable Remote Ping

Change ACCEPT to DROP in the following lines of /etc/ufw/before.rules.

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

If IPv6 is being used the same can be done inside of /etc/ufw/before6.rules as well.

Icon Sysctl

Being honest, Arch Linux comes fairly secure out of the box. Things like source routed packets, packet forwarding, multicast packet forwarding and ICMP redirection all default to disabled. Alas, improvements can still be made.

Sysctl can be used to change kernel parameters at runtime by adding to the file /etc/sysctl.d/99-sysctl.conf. There are several improvements that can be made here security wise. Not all of these will be optimal in every use case scenario, but none of them will have harmful effects on your system.

Icon Log Martian Packets

Setup logging on martian packets so as an administrator one can diagnose the system when an attacker is sending spoofed packets.

net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.log_martian=1

Icon Secure ICMP Routing Redirects

If the source gateway is compromised then an user can update the routing table using Secure ICMP redirects. This can potentially lead to remote packet capture.
This can be disabled.

net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0

Icon Send Redirects

An unauthorized user can use a compromised host to send ICMP redirects packets to another routing device to corrupt its routing. This functionality can be disabled.

net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0

Icon TCP SYN

An attacker can start a DDoS attack at the server by flooding it with SYN packets without initializing three way handshake. Setting this will helps protect against SYN flood attacks, however it only kicks in when net.ipv4.tcp_max_syn_backlog is reached.

net.ipv4.tcp_syncookies=1

Icon TCP Time-wait

To protect against TCP time-wait assassination hazards drop all RST packets for sockets in the time-wait state (not widely supported outside of Linux, but conforms to RFC).

net.ipv4.tcp_rfc1337=1