c0unt3rlog1c Posted October 10, 2012

Summary: There are a few network-related protections you can enable simply by changing Linux kernel settings through the /proc pseudo-files.

The Linux kernel can be configured with iptables or ipchains to protect networks better. However, there are also a few kernel flags you can set to increase your network security without any complicated procedures.

The /proc filesystem is split into several pieces of the Linux kernel. /proc is not actually a real directory on disk, but a pseudo-filesystem generated by the kernel itself. The files in this location represent the internal configuration of the currently running kernel's settings. Some of these values are read-only, while others can be changed.

Many configurable /proc entries have the value 0 or 1, representing FALSE or TRUE. For example, /proc/sys/net/ipv4/tcp_syncookies can only be 0 or 1. Other entries hold numeric or ASCII data, for example /proc/sys/kernel/hostname, the file that contains the hostname. You can view or change these entries in two ways:

1. Direct /proc access

To view a kernel variable directly, use cat on the corresponding file in /proc:

    $ cat /proc/sys/kernel/hostname
    flaky

Now, to change the variable, the simplest method is shell output redirection: simply write to the file:

    # echo 'snowy' > /proc/sys/kernel/hostname
    # cat /proc/sys/kernel/hostname
    snowy

2. Sysctl

To view a kernel variable through sysctl, simply use sysctl on the command line:

    $ sysctl kernel.hostname
    kernel.hostname = snowy

Keep in mind that the sysctl argument is simply the /proc file, without the /proc/sys component, and with the slashes converted to spaces. So /proc/sys/net/ipv4/tcp_syncookies becomes net.ipv4.tcp_syncookies

To change a variable, use:

    # sysctl -w kernel.hostname="sleety"
    kernel.hostname = sleety

Kernel changes made this way do not survive a reboot. For them to be applied, you can:

- Create a new startup script in the /etc/rc#.d directory that runs the cat or sysctl commands
- Put the line "variable=value" in /etc/sysctl.conf. This line is exactly like the sysctl commands, without the "sysctl" keyword or -w:

    $ cat /etc/sysctl.conf
    net.ipv4.ip_forward = 0
    kernel.sysrq = 1

Now that you know how to change these settings, I'll also give you a shell script you can use to tweak the kernel variables:

    #!/bin/sh
    # Handy functions to set the file to one or zero.
    # Entries the running kernel does not expose are skipped.
    enable () {
        for file in "$@"; do
            [ -e "$file" ] || continue
            echo 1 > "$file"
        done
    }
    disable () {
        for file in "$@"; do
            [ -e "$file" ] || continue
            echo 0 > "$file"
        done
    }

    # Disable inbound source routed packets to prevent folks
    # from spoofing their IP address. No legitimate users
    # require source routing any more.
    disable /proc/sys/net/ipv4/conf/*/accept_source_route

    # Enable TCP SYN cookies to keep us from suffering from
    # syn-flood DoS or DDoS attacks. See page at
    # http://cr.yp.to/syncookies.html if you want to know
    # how SYN cookies work - it's cool.
    enable /proc/sys/net/ipv4/tcp_syncookies

    # Ignore redirects from machines that are listed as gateways
    # (routers set by 'route add ... gw IPADDR'). Not a good idea
    # if these routers do send redirects, which is likely if you
    # have multiple routers on your net but only one default configured.
    #
    # Redirects can be abused to perform man-in-the-middle attacks,
    # so you only want them enabled from trusted sources.
    enable /proc/sys/net/ipv4/conf/*/secure_redirects

    # Reject any non-secure redirects
    disable /proc/sys/net/ipv4/conf/*/accept_redirects

    # Don't send any redirects either. (Only use if you're
    # not acting as a router that needs to send redirects.)
    disable /proc/sys/net/ipv4/conf/*/send_redirects

    # Do not respond to packets that would cause us to go out
    # a different interface than the one to which we're responding.
    enable /proc/sys/net/ipv4/conf/*/rp_filter

    # Reassemble fragmented packets. Usually a good idea.
    # (This entry only exists on old 2.2 kernels; skipped if absent.)
    enable /proc/sys/net/ip_always_defrag

    # Log any packets that have IP addresses that shouldn't exist
    enable /proc/sys/net/ipv4/conf/*/log_martians

    # Disable packet forwarding
    # (Do not do this if you're a router/firewall!)
    disable /proc/sys/net/ipv4/ip_forward

    # Send an ARP for address to which we have a route. Good
    # for some firewall and VPN/router setups, bad for hosts.
    disable /proc/sys/net/ipv4/conf/*/proxy_arp

    # Ignore broadcast pings
    # (Don't participate in smurf attacks)
    enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Ignore all pings.
    # (May be considered a bit excessive.)
    #enable icmp_echo_ignore_all

NOTE: The shell script was not written by me.

Thanks for reading.
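The script above only sets the knobs; an added example (not part of the original post or its script) that audits `sysctl -a`-style "key = value" output against the same hardened values and converts between /proc/sys paths and dotted sysctl keys. It assumes the conf/*/ globs are represented by the kernel's `all` pseudo-interface entries, and runs offline on a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post: audit `sysctl -a`-style
# "key = value" text against the hardened values the script above sets, and
# convert between /proc/sys paths and dotted sysctl keys.

# /proc/sys/net/ipv4/tcp_syncookies -> net.ipv4.tcp_syncookies
proc_to_key() {
    printf '%s\n' "$1" | sed -e 's#^/proc/sys/##' -e 's#/#.#g'
}

# net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies
key_to_proc() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Expected hardened values, "key value" per line. The conf/*/ globs above are
# represented by the 'all' pseudo-interface entry (an assumption of this example).
BASELINE='net.ipv4.conf.all.accept_source_route 0
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.log_martians 1
net.ipv4.ip_forward 0
net.ipv4.icmp_echo_ignore_broadcasts 1'

# Constructed sample of `sysctl -a` output from a host that drifted from the baseline.
SAMPLE='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1'

# audit_sysctl "<sysctl -a text>": prints "key expected actual" for every
# deviation (actual is MISSING when the key is absent); returns 1 if any deviate.
audit_sysctl() {
    printf '%s\n' "$BASELINE" | while read -r key want; do
        have=$(printf '%s\n' "$1" | awk -v k="$key" '$1 == k && $2 == "=" { print $3 }')
        if [ -z "$have" ]; then
            echo "$key $want MISSING"
        elif [ "$have" != "$want" ]; then
            echo "$key $want $have"
        fi
    done | awk '{ print } END { exit (NR > 0) }'
}

audit_sysctl "$SAMPLE" || echo "sysctl drift detected"
```

On a real host, feed it the live values with `audit_sysctl "$(sysctl -a 2>/dev/null)"`; a non-zero exit status means at least one knob differs from the baseline.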
c0unt3rlog1c Posted October 16, 2012 (edited)

Up.. Is it still worth creating tutorials, or is nobody interested in the Linux area? If not, at least tell me which area interests you, and I'll try to put together something else.

EDIT: I'm not interested in the likes, only in whether what I do helps someone; opinions, suggestions or criticism about it would be useful to me.

Edited October 16, 2012 by c0unt3rlog1c