security question

Postby dishawjp » Tue Dec 09, 2003 7:33 pm

I located some security documentation at http://linuxsecurity.com and *think* that I understand what to do here, but want to ask to make sure before I make any system changes. I'm looking at my /proc/sys/net/ipv4 directory and, if I understand correctly, it's wide open. For example, I want my computer to ignore broadcast requests, but my icmp_echo_ignore_broadcasts is set to 0. If I understand correctly, then my machine *will* currently not ignore ICMP echo requests with a broadcast destination address. Do I understand this correctly, or have I got it backwards? I am a bit surprised that this would be the default setting, so I'm not going to make any changes yet. All the settings I've looked at so far are set to 0, yet it seems that for security reasons, unless I have this backwards, many of these should be set to 1. Other examples include ip_forward and tcp_syncookies.

This computer is a simple desktop and not a server of any sort.

Any guidance appreciated.

Jim Dishaw

Postby Void Main » Tue Dec 09, 2003 9:52 pm

I suspect it is the default because I also suspect that setting it otherwise would break the TCP/IP RFCs in some way. Contrary to popular belief you don't necessarily want to restrict all ICMP traffic. You can break some things by doing so. Of course you weren't necessarily asking to block all ICMP and if you were I would do it another way. I personally don't mess with any of the defaults there except for maybe turning on ip forwarding for the firewall/MASQ server, but even then I set those kernel flags via sysctl and /etc/sysctl.conf. e.g. "net.ipv4.ip_forward = 1" in your /etc/sysctl.conf would turn on forwarding. "net.ipv4.icmp_echo_ignore_broadcasts = 1" would cause your machine to ignore broadcast ping requests.

Now having said that and you may be familiar with it, but I prefer to use kernel level network filtering via iptables (firewalling). Red Hat/Fedora comes with an extremely basic utility to configure this for you. You can start it from the command line by typing "redhat-config-securitylevel". Of course there are thousands of other ways to configure iptables with varying levels of complexity. There are many GUIs and wrappers for iptables like webmin, shorewall, firestarter, etc, etc, etc. Or you can just manipulate iptables directly using the "iptables" command from the command line and save the rules with a "service iptables save" or "iptables-save". Of course I prefer to have a dedicated machine set up running iptables and acting as a standalone firewall. Then it is less important to button down the desktops like fort knox.

I guess I didn't really answer your question though, sorry about that. To me your system is no more secure by disabling responses to broadcast pings, and it would be bad for the vendor to set it that way by default in my opinion.
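
The post above describes setting these flags through /etc/sysctl.conf rather than poking /proc/sys directly. The script below is an added example, not code from the thread: it parses a sysctl.conf-style file the way sysctl(8) reads it (comment lines start with "#" or ";", "a.b.c = v" and "a/b/c = v" name the same key, the last assignment wins), compares the three keys the thread discusses against a baseline, and prints what the running kernel has in /proc/sys for the same keys. The baseline values (ip_forward=0, icmp_echo_ignore_broadcasts=1, tcp_syncookies=1) are the ones the original poster was considering for a non-routing desktop and are an assumption of this example, not a recommendation from either poster; the sample configuration file is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a sysctl.conf-style file
# against a small baseline of the net.ipv4 keys discussed above, then show what
# the running kernel currently reports in /proc/sys for the same keys.

# Baseline of desired values. Assumption of this example: these are the values
# the original poster was considering for a non-routing desktop.
BASELINE="net.ipv4.ip_forward=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1"

# lookup_sysctl FILE KEY
# Print the value FILE assigns to KEY (last assignment wins, as with sysctl -p),
# or nothing if the key is never set. Mirrors sysctl.conf(5): lines starting
# with '#' or ';' are comments, and "net/ipv4/x" is the same key as "net.ipv4.x".
lookup_sysctl() {
    awk -v k="$2" '
        /^[ \t]*[#;]/       { next }     # comment line
        /^[ \t]*$/          { next }     # blank line
        index($0, "=") == 0 { next }     # not an assignment
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub("/", ".", key)          # normalise the slash form
            if (key == k) { last = val; found = 1 }
        }
        END { if (found) print last }
    ' "$1"
}

# running_value KEY
# Print what the live kernel reports in /proc/sys for KEY, or nothing if that
# file is unreadable (not Linux, or a restricted container).
running_value() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$f" ] && cat "$f" 2>/dev/null
}

# audit_sysctl FILE
# One line per baseline key: OK, MISMATCH or MISSING (key not set, so the
# kernel default applies). Returns 1 if any key deviates, 0 otherwise.
audit_sysctl() {
    file="$1"
    rc=0
    for entry in $BASELINE; do
        key=${entry%%=*}
        expected=${entry#*=}
        actual=$(lookup_sysctl "$file" "$key")
        if [ -z "$actual" ]; then
            echo "MISSING  $key (not set; kernel default applies; expected $expected)"
            rc=1
        elif [ "$actual" != "$expected" ]; then
            echo "MISMATCH $key=$actual (expected $expected)"
            rc=1
        else
            echo "OK       $key=$actual"
        fi
    done
    return $rc
}

# Constructed sample of a desktop sysctl.conf; not a real file from the thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# Kernel sysctl configuration file (constructed sample)
net.ipv4.ip_forward = 0
; the broadcast-ping line is commented out, so the kernel default applies
# net.ipv4.icmp_echo_ignore_broadcasts = 1
net/ipv4/tcp_syncookies = 0
EOF

echo "--- audit of $SAMPLE_CONF ---"
if audit_sysctl "$SAMPLE_CONF"; then
    echo "all baseline keys match"
else
    echo "one or more keys deviate from the baseline"
fi

echo "--- live values from /proc/sys (blank if unreadable) ---"
for entry in $BASELINE; do
    key=${entry%%=*}
    echo "$key = $(running_value "$key")"
done
```

On the sample file the audit reports ip_forward as OK, icmp_echo_ignore_broadcasts as MISSING (a commented-out line changes nothing, which is a common surprise when a setting "does not take") and tcp_syncookies as a MISMATCH. Comparing the file against the /proc/sys values also shows whether a change made with `sysctl -w` was ever written to the file that is applied at boot.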

Postby dishawjp » Thu Dec 11, 2003 11:39 am

Thanks again Voidmain,

I do use iptables from the command line for firewalling. The commands are similar enough to the older ipchains commands that I was able to pick iptables up fairly quickly. But I am still trying to learn more about Linux in general and, more specifically, Linux security. I *finally* got tentative permission from my CIO to set up a Linux boot on one of the computers in my office. You'd have thought that I was asking for permission to set up a nuclear device on campus :) I had to go through interviews with 3 different IT folks, including the CIO, and... well, that's a story for another place and time. Anyway, they are very concerned that if I do set up a Linux box inside their firewall that it be secure and not likely to bring their Windows network to its knees.

Next I'll be converting one of the computers in my court to Linux. The folks from the Office of Court Administration (who provided me with a new Win2k box a few months ago) are less than thrilled about that. My response to them has been that I refuse to spend the taxpayers' money on purchasing M$Office 2000, and without an office suite the computer is nothing but a dust catcher. Well, not quite, my court clerk does use it to play music CDs... But since Linux and OpenOffice are free and the taxpayers already paid for an expensive piece of hardware, the only rational thing to do with it is install Linux and use OpenOffice and get some use out of it. That one worries me a bit though, since I don't have the Win2k install disks and if the Linux install fails for some reason I would probably never hear the end of it.

Sorry for the long ramble, but, as always, thanks for the info!

Jim Dishaw

Postby Void Main » Thu Dec 11, 2003 11:43 am

dishawjp wrote:
Thanks again Voidmain,

Anyway, they are very concerned that if I do set up a Linux box inside their firewall that it be secure and not likely to bring their Windows network to its knees.

Heh heh! Windows networks do that quite nicely on their own! :) Our Windows network (a very large one) is always on its knees with viruses, Exchange problems, etc, etc. Our Linux/Solaris/AIX servers don't even sneeze when the Windows admins are running around like chickens with their heads cut off. :)

Postby agent007 » Fri Dec 12, 2003 12:17 pm

I just love that saying VoidMain!!!!! Did you make that one up yourself?

Void Main wrote:
Windows admins are running around like chickens with their heads cut off. :)

Postby Void Main » Fri Dec 12, 2003 1:07 pm

agent007 wrote:
I just love that saying VoidMain!!!!! Did you make that one up yourself?

I grew up on a farm and it's something I remember my parents/grandparents saying, and it sort of stuck with me. I just assumed it was a common saying, but maybe it isn't? It certainly fits in many situations like the one where I used it. If you have ever seen a chicken with its head cut off you would know what I mean. :)

Postby Tux » Fri Dec 12, 2003 2:33 pm

It's pretty common here.