Kernel Security

Several kernel configuration options are available to improve security through the /proc pseudo-filesystem. Quite a few of the files in /proc/sys are directly related to security. A boolean option is enabled if its file contains a 1 and disabled if it contains a 0. Among the options available in /proc/sys/net/ipv4 are:

• icmp_echo_ignore_all: Ignore all ICMP ECHO requests. Enabling this option will prevent this host from responding to ping requests.

• icmp_echo_ignore_broadcasts: Ignore ICMP echo requests with a broadcast/multicast destination address. Without this, your network may be used as an exploder (amplifier) for denial-of-service packet flooding attacks against other hosts.

• ip_forward: Enable or disable the forwarding of IP packets between interfaces. The default value depends on whether the kernel is configured as a host or a router.

• ip_masq_debug: Enable or disable debugging of IP masquerading.

• tcp_syncookies: Protection from the “SYN attack”: send syncookies when the SYN backlog queue of a socket overflows.

• rp_filter: Determines whether source address verification (reverse path filtering) is enabled. Enable this option on all routers to prevent IP spoofing attacks against the internal network.

• secure_redirects: Accept ICMP redirect messages only from gateways listed in the default gateway list.

• log_martians: Log packets with impossible (unroutable) source addresses to the kernel log.

• accept_source_route: Determines whether source-routed packets are accepted or declined. Should be disabled unless a specific reason requires it.

The file /etc/sysctl.conf on recent Red Hat releases contains a few default settings and is processed at system startup. The /sbin/sysctl program can be used to control these parameters. It is also possible to set their values with /bin/echo. For example, to disable IP forwarding, run as root:

echo "0" > /proc/sys/net/ipv4/ip_forward

Because /proc settings do not survive a reboot, this command must be placed in a system startup file (or the equivalent setting in /etc/sysctl.conf on Red Hat) to take effect after each reboot. More information is available in the proc.txt file in the kernel Documentation/ directory.
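As an added example (not part of the original text), the script below audits the /proc/sys/net/ipv4 settings listed above against the hardened values the text recommends and prints the sysctl(8) command that would correct each mismatch. It assumes a host rather than a router (so ip_forward is expected to be 0) and reads the per-interface options (rp_filter, secure_redirects, log_martians, accept_source_route) from conf/all/, where current kernels keep them.

```shell
#!/bin/sh
# Added example, not from the original page: audit the /proc/sys/net/ipv4
# settings discussed above against the hardened values the text recommends.
# Usage: check_ipv4_sysctls [ROOT]   (ROOT defaults to /proc/sys/net/ipv4;
# a constructed directory tree can be passed in for offline testing).
# Prints one line per setting and returns the number of settings that are
# missing or differ from the recommended value (0 means all are hardened).

# Assumption: this machine is a host, not a router, so ip_forward should be 0.
# The per-interface knobs are read from conf/all/, where current kernels keep
# them; the key printed for a mismatch is the equivalent sysctl(8) name.
IPV4_HARDENED='icmp_echo_ignore_broadcasts=1 tcp_syncookies=1 ip_forward=0
conf/all/rp_filter=1 conf/all/secure_redirects=1
conf/all/log_martians=1 conf/all/accept_source_route=0'

check_ipv4_sysctls() {
    root=${1:-/proc/sys/net/ipv4}
    mismatches=0
    for pair in $IPV4_HARDENED; do
        rel=${pair%%=*}        # path relative to ROOT, e.g. conf/all/rp_filter
        expected=${pair#*=}    # recommended value, 0 or 1
        key="net.ipv4.$(printf '%s' "$rel" | tr '/' '.')"
        file="$root/$rel"
        if [ ! -r "$file" ]; then
            printf 'MISSING  %s (not present on this kernel)\n' "$key"
            mismatches=$((mismatches + 1))
            continue
        fi
        read -r actual < "$file"
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s = %s\n' "$key" "$actual"
        else
            printf 'MISMATCH %s = %s  (fix: sysctl -w %s=%s)\n' \
                "$key" "$actual" "$key" "$expected"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Invoke as "sh audit.sh --live" to audit the running kernel (read-only).
if [ "${1-}" = "--live" ]; then check_ipv4_sysctls; fi
```

The exit status can be used directly from a cron job or configuration-management check; a non-zero value means at least one setting still needs the corresponding sysctl -w (or /etc/sysctl.conf) entry.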