sysctl.conf options to harden the server

stephan
Posts: 17
Joined: 2006/09/07 01:05:48

sysctl.conf options to harden the server

Post by stephan » 2006/09/19 02:16:20

Hi,

I've been reading about sysctl.conf and the options that can be put in.

I have found a couple of websites that list changes you can make, to make the server more resistant to attacks.

The links are:

http://www.eth0.us/sysctl
and
http://michael-and-mary.net/node/1261


There are more listed in google.

So my question really is: does anyone have a definitive list of the options that are "best"? I suppose that each situation is different, but I'm reluctant to just change all these options without doing a load of research into each one and thinking carefully about all the possible side-effects.

I suppose what I'm asking is: has anyone got a nice list which I can take a look at, maybe combine with these other two, then put onto my server? Also, has anyone got any warnings about any of these options which might make things go horribly wrong?

I'm going to check into it myself as well, looking up each option, but if anyone has any information or links to information they'd like to share before I spend hours doing that, please let me know.


*edit* just found this: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
so I'll be reading that one to start with, I think; it seems to be the information source for the others.
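As a worked starting point for the list asked about above, here is an added example (not from the original post or from any of the linked pages) in the form of a small script: it carries a handful of well-known network hardening sysctls together with the side effect of each, renders them in /etc/sysctl.conf syntax, and audits the running kernel by reading the matching files under /proc/sys. The option set and values are the author's own choice for the example, not a list endorsed by the thread.

```sh
#!/bin/sh
# Added example, not from the thread: a short sysctl hardening list with the
# side effect of each option noted, plus an audit that compares the desired
# values with what the running kernel reports under /proc/sys.
# After review, load the emitted fragment with `sysctl -p /etc/sysctl.conf`.
#
# Side effects worth knowing before enabling each key:
#   tcp_syncookies            only engages once the SYN backlog is full; safe on a server
#   rp_filter                 drops packets whose reply would leave via another interface,
#                             so it breaks asymmetric routing on multi-homed hosts
#   accept_source_route       source-routed packets are rejected (rarely legitimate)
#   accept_redirects          ICMP redirects are ignored; hosts that rely on a router
#                             redirecting them need static routes instead
#   send_redirects            a non-router never needs to send redirects
#   icmp_echo_ignore_broadcasts        stops the host amplifying broadcast ping floods
#   icmp_ignore_bogus_error_responses  keeps the log free of bad-ICMP-error warnings
#   log_martians              logs spoofed/unroutable sources; noisy on a busy network
#   ip_forward                must stay 1 on a gateway; 0 on a plain server
hardening_settings() {
    cat <<'EOF'
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.log_martians 1
net.ipv4.ip_forward 0
EOF
}

# net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies
key_to_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Render the list in /etc/sysctl.conf syntax ("key = value").
emit_sysctl_conf() {
    hardening_settings | while read -r key val; do
        printf '%s = %s\n' "$key" "$val"
    done
}

# One line per setting: MATCH, DIFF (with the current value) or MISSING
# when the kernel does not expose the key at all.
audit_sysctl() {
    hardening_settings | while read -r key val; do
        path=$(key_to_path "$key")
        if [ ! -r "$path" ]; then
            printf 'MISSING %s\n' "$key"
        elif [ "$(cat "$path")" = "$val" ]; then
            printf 'MATCH   %s\n' "$key"
        else
            printf 'DIFF    %s current=%s wanted=%s\n' "$key" "$(cat "$path")" "$val"
        fi
    done
}

# Usage:  ./sysctl-audit.sh        -> audit the running kernel
#         ./sysctl-audit.sh emit   -> print the fragment for /etc/sysctl.conf
if [ "${1:-audit}" = emit ]; then
    emit_sysctl_conf
else
    audit_sysctl
fi
```

Run the audit first on the existing box to see which values already differ from the list, then append the emitted fragment to /etc/sysctl.conf and reload; a DIFF on rp_filter or ip_forward is the cue to check whether the host routes for anything before changing it.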

stephan
Posts: 17
Joined: 2006/09/07 01:05:48

Re: sysctl.conf options to harden the server

Post by stephan » 2006/09/21 09:58:42

OK, so a couple of days on, I've done more reading, but am ready to ask for help again. The reason I asked about sysctl.conf is below.

At the moment, I'm using the APF firewall and its "antidos" feature. I know, as everyone says, you need to block DoS attacks upstream, but I still want to get this protection to stop people flooding the server with connections. I'm using a test script to flood Apache with connections, and unfortunately it works: Apache grinds to a halt and my IP doesn't get blocked. I've been through all the settings of APF+Antidos, and I've read all the documentation I can find on it, plus searched Google. I'm wondering if maybe it only blocks certain types of attacks and isn't logging my mass test connections in /var/log/messages, which means that APF just ignores it. I'm not sure if I really need to use APF to be honest; I'm wondering if just using iptables on its own would be better. What I want is to have all ports blocked apart from a few like 22, 25, 80, 110, etc., and that's all I really use APF for.

I'm interested in getting the server to reject people with over a certain number of connections, either at once, or over a minute or so perhaps.


So.... my questions...

Does anyone have some sample iptables rules that they could paste to me for:

Only allowing certain ports
Dropping more than X number of connections to the server from one IP.


If it helps, I've found these around the internet; I'm not sure if they work. I'm a bit reluctant to use them at the moment, because I don't have a spare server I can test them on. I suppose I will need to get one fairly soon.

iptables -I INPUT -p tcp -m state --state NEW -m recent \
--set
iptables -I INPUT -p tcp -m state --state NEW -m recent \
--update --seconds 60 --hitcount 600 -j DROP

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP


Thanks for any advice. I appreciate this is a bit of a newbie question, but I have researched and tested some options with no success. I'm not asking for people to do all the work for me, but if anyone has anything saved that they could cut and paste, or just point me in a better/right direction, that would be great.


http://www.centos.org/modules/newbb/viewtopic.php?topic_id=4441&forum=32&post_id=15636#forumpost15636 seems relevant, maybe this line could be adapted: IPTABLES -A FORWARD -m limit --limit 1/s --limit-burst 50 -j LOG --log-level 7 --log-prefix "IPT FORWARD packet died: " -j DROP

stephan
Posts: 17
Joined: 2006/09/07 01:05:48

Re: sysctl.conf options to harden the server

Post by stephan » 2006/09/21 10:07:06

Hmm.

I'm going to try and modify this:

iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT


It seems like a decent starting point to make up my own rule.

I'd still appreciate any input from anyone that is an expert on iptables.

stephan
Posts: 17
Joined: 2006/09/07 01:05:48

Re: sysctl.conf options to harden the server

Post by stephan » 2006/09/23 06:40:19

This is what I've come up with:

iptables -A INPUT -p tcp --dport 80 -m limit --limit 20/s -j LOG --log-level 7 --log-prefix "Packet dropped: " -j DROP


I hope that this would limit incoming connections (so basically HTTP requests to Apache) to 20 per second, and drop any more than that.

20 is just a number I've picked for now, but I might change it.


This is just a mix-up from "man iptables" and other people's rules. Does it look right/wrong? I'm interested to see what everyone thinks before I put it on the server.

Thanks
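Pulling together the three things asked for in this thread (only allow certain ports, drop a source that opens too many connections, rate-limit port 80), here is an added example that is not from any of the posts: a script that generates a complete ruleset in iptables-restore format. Two corrections to the rules quoted above are built in. First, iptables accepts only one `-j` per rule, so a rule written `-j LOG ... -j DROP` is rejected; logging and dropping become two rules. Second, `-m limit` matches the packets that fall *within* the limit, so the rule carrying the limit must ACCEPT and the catch-all after it must DROP; written the other way round it drops the first 20 connections a second and lets the flood through. The `recent` lists are also given names, because rules without `--name` all share one list and the SSH hitcount of 4 would otherwise be tripped by ordinary web traffic. The port list, interface name and thresholds are placeholders chosen for the example; the hitcount is kept at 20 because older kernels cap `--hitcount` at the `ip_pkt_list_tot` module parameter (default 20), which is why a value like 600 may be refused on load.

```sh
#!/bin/sh
# Added example, not from the thread: emit (and optionally load) an iptables
# ruleset that
#   1. default-denies INPUT and allows only a fixed list of TCP ports,
#   2. limits new connections per source IP with named "recent" lists,
#   3. rate-limits port 80 correctly: ACCEPT within the limit, then LOG, then DROP.
# Placeholders for this example; adjust before use.
ALLOWED_TCP_PORTS="22 25 80 110"
IFACE="eth0"

# Print the ruleset on stdout in iptables-restore format.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback and already-established traffic first.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Per-source flood guard: more than 20 new TCP connections in 10 s -> DROP.
    # The --update rule sits above --set so a source is judged before it is recorded.
    printf '%s\n' '-A INPUT -p tcp -m state --state NEW -m recent --name TCPFLOOD --update --seconds 10 --hitcount 20 -j DROP'
    printf '%s\n' '-A INPUT -p tcp -m state --state NEW -m recent --name TCPFLOOD --set'
    # SSH brute-force guard: more than 4 new SSH connections in 60 s from one IP -> DROP.
    printf '%s\n' "-A INPUT -p tcp --dport 22 -i $IFACE -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP"
    printf '%s\n' "-A INPUT -p tcp --dport 22 -i $IFACE -m state --state NEW -m recent --name SSH --set"
    # HTTP rate limit: accept up to 20 new connections/s (burst 40); anything
    # beyond that is logged at most once a second and then dropped.
    printf '%s\n' '-A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 20/s --limit-burst 40 -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 1/s -j LOG --log-level 7 --log-prefix "HTTP rate limit: "'
    printf '%s\n' '-A INPUT -p tcp --dport 80 -m state --state NEW -j DROP'
    # Open the remaining listed ports (80 is fully handled above).
    for port in $ALLOWED_TCP_PORTS; do
        [ "$port" = 80 ] && continue
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Return 0 when no rule carries more than one -j target (the error in the posted rule).
lint_ruleset() {
    build_ruleset | awk '
        /^-A/ { if (split($0, parts, / -j /) > 2) bad++ }
        END { exit (bad > 0) }'
}

# Number of INPUT rules generated.
rule_count() {
    build_ruleset | grep -c '^-A INPUT'
}

# Dry run by default: print the ruleset for review. APPLY=yes (as root) loads it
# atomically with iptables-restore, replacing the current filter table.
lint_ruleset || { echo "ruleset has a rule with more than one -j" >&2; exit 1; }
if [ "${APPLY:-no}" = yes ]; then
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```

Review the printed output before loading it on a remote box: with a DROP policy on INPUT, a missing or mistyped port 22 line locks you out, so test from a console or wrap the load in a cron job that restores a known-good ruleset a few minutes later. Keeping the two HTTP limit rules stateful (`--state NEW`) means only connection attempts count against the 20/s, not every packet of an existing session, which is what the post is trying to achieve.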
