LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-18-2001, 04:37 PM   #1
iMPReZa-WRX
Hi all! I am a newbie sys manager, and my first question is: how can I stop this external stuff?
* PING to my host, and don't reply
* SYN FLOOD to my host
* traceroute to my host

I guess that is something about /proc/sys/net/ipv4, but I don't know what files and what options to set =)

Thanks for your help =)
Pablo.
 
Old 06-18-2001, 05:05 PM   #2
d3funct
Go to http://www.linuxdoc.org and do a search on "netfilter" and "iptables"; also do some reading up on firewalls etc.
 
Old 06-18-2001, 08:16 PM   #3
unSpawn
Quote:
* PING to my host and don't reply
"ipchains -A input -i (interface) -p icmp --icmp-type echo-request -l -j DENY"
This will deny & log requests, top it off with
"echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"

Quote:
* SYN FLOOD to my host
SYN flooding is when your box isn't able to complete the 3-way handshake, probably because the source IPs are spoofed; this way the connection won't be closed, consuming resources.
/usr/src/linux/Documentation/ip-sysctl has a few options:
The kernel "SYN COOKIES" feature has to be compiled in; it doesn't stop flooding, but lets you log in to your box while under attack. rp_filter will attempt reverse path address validation, and tcp_max_syn_backlog handles the maximum number of incomplete connections before they are dropped.
syncookies is handled in /proc/sys/net/ipv4, the other two in /proc/sys/net/conf/*/
You'll also want to deploy Snort, which can trace DoS attack signatures such as ping and SYN floods. Then drop the offenders into a chain.
Real protection from flooding is only possible with an upstream shutdown. *Seems iptables got rate-limiting caps.

Quote:
* traceroute to my host
Note Unix uses UDP for traces while W32 uses ICMP.
Deny & log requests:
"ipchains -A input -i (interface) -p udp --source-port 32769:65535 --destination-port 33434:33523 -j DENY -l"
"ipchains -A output -i (interface) -p icmp --icmp-type time-exceeded -l -j DENY"
*Also note some people don't find it necessary to "touch" the host with traceroute, specifying a max hop count to, say, the closest router.

Btw, if you're a newbie sysadmin, it's time to do some serious RTM'ing :-]
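The three ipchains rules above, expressed as match logic in Python. This is an added example and not part of unSpawn's post: it parses a raw IPv4 packet, checks the same fields the rules check (chain, ICMP type, UDP source and destination port ranges) and returns the verdict, so you can see what the rules match without a 2.2 kernel or root. The builder functions and the sample packets are constructed for illustration; checksums are left at zero because none of the rules look at them.

```python
import struct

# Constants copied from the ipchains rules in the post above.
PROTO_ICMP = 1
PROTO_UDP = 17
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
TRACEROUTE_SRC_PORTS = range(32769, 65536)   # --source-port 32769:65535
TRACEROUTE_DST_PORTS = range(33434, 33524)   # --destination-port 33434:33523


def parse_ipv4(packet):
    """Return (proto, ttl, src, dst, payload) from a raw IPv4 packet (bytes)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return proto, ttl, src, dst, packet[ihl:]


def classify(chain, packet):
    """Return ("DENY", reason) or ("ACCEPT", None) for one packet on one chain.

    chain is "input" or "output", the ipchains chain names used in the post;
    the DENY cases are exactly the three rules unSpawn gave, nothing more."""
    proto, _ttl, _src, _dst, payload = parse_ipv4(packet)
    if proto == PROTO_ICMP and len(payload) >= 4:
        icmp_type = payload[0]
        if chain == "input" and icmp_type == ICMP_ECHO_REQUEST:
            return "DENY", "input icmp echo-request (ping)"
        if chain == "output" and icmp_type == ICMP_TIME_EXCEEDED:
            return "DENY", "output icmp time-exceeded (traceroute reply)"
    elif proto == PROTO_UDP and chain == "input" and len(payload) >= 8:
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", payload[:8])
        if sport in TRACEROUTE_SRC_PORTS and dport in TRACEROUTE_DST_PORTS:
            return "DENY", "input udp traceroute probe"
    return "ACCEPT", None


# Builders for constructed test packets (checksums zero; the rules never read them).
def build_ipv4(proto, payload, ttl=64,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, ttl, proto, 0, src, dst)
    return header + payload


def build_icmp(icmp_type, code=0):
    # type, code, checksum, identifier, sequence
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


def build_udp(sport, dport, data=b""):
    # source port, destination port, length, checksum
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


if __name__ == "__main__":
    samples = [
        ("input",  build_ipv4(PROTO_ICMP, build_icmp(ICMP_ECHO_REQUEST))),  # ping
        ("input",  build_ipv4(PROTO_ICMP, build_icmp(0))),                  # echo reply
        ("input",  build_ipv4(PROTO_UDP, build_udp(40000, 33434))),         # traceroute
        ("input",  build_ipv4(PROTO_UDP, build_udp(40000, 53))),            # DNS
        ("output", build_ipv4(PROTO_ICMP, build_icmp(ICMP_TIME_EXCEEDED))),
    ]
    for chain, pkt in samples:
        print(chain, classify(chain, pkt))
```

Two things the code makes visible that the rules alone do not: a UDP probe whose source port is below 32769 (`build_udp(1024, 33434)`) is accepted, because the rule only covers the classic traceroute port pattern; and a Windows tracert, which the post notes uses ICMP, is caught by the echo-request rule rather than the UDP one.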
 
Old 06-19-2001, 05:13 AM   #4
raz
unSpawn has covered most of this with a good answer, but I'm going to add some more examples so you get an idea of what we're talking about and see it's not just a simple case of stopping the things you've listed.

Ping stopping:
ICMP is essential for network maintenance used by the OS; there are 18 types of ICMP messages. A ping request is only one of them ("type 8"); you'll also need to stop some others to help hide your system.

Use ipchains or iptables to stop these types too:
type 8 "ICMP request"
type 10 "ICMP route solicitation"
type 11 "Time exceeded error"
type 13 "ICMP timestamp request": dead giveaway to OS type
type 17 "ICMP mask request"
type 15 "ICMP old bootp info": should be obsolete, but not sure what the Linux box would do if it saw this type, so deny it anyway
Allow all the other types, or your network will slowly start to screw up as the MTU size messes up.

SYN FLOOD stopping:
Basically you want to take as many SYNs as allowed; then the SYNs that haven't connected are in a wait state. A resolve is done on the source, then the connection is torn down if it was faked. So you need a buffer space, known as a backlog, for the SYN requests.

Now if someone could use about 100 systems on T3/E3s with under 50ms latency, no matter what your protection is, it's going to cause a DoS on the port targeted.

Add these lines to improve the recovery time of Linux from such an attack:

# improve the backlog handling of SYN's
sysctl -w net.ipv4.tcp_max_syn_backlog=256
# use a cryptographic challenge protocol
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Does a check on source forging
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

Someone could also do an RST attack on your box; the above won't help you if this happens.

Don't forget these too:
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

/raz
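The sysctl settings from this post and from unSpawn's, turned into a small audit script. This is an added example, not code from raz or from any project mentioned in the thread. The `echo 1 > /proc/sys/...` and `sysctl -w net.ipv4....` forms in the post address the same file, and `proc_path` maps between the two spellings; `audit` compares what the kernel currently exposes with the values the posts recommend and reports what differs or does not exist on this kernel (for instance `ip_always_defrag`, which later kernels no longer expose). `SAMPLE_CURRENT` is a constructed snapshot, and `demo_fake_proc` writes it into a temporary directory so the whole thing runs unprivileged and offline; point `snapshot` at the default root to audit a real box.

```python
import os
import tempfile

PROC_SYS = "/proc/sys"

# Desired values collected from the two posts above, keyed by sysctl name.
# tcp_max_syn_backlog is treated as a floor (a bigger backlog is fine);
# everything else must match exactly.
BASELINE = {
    "net.ipv4.icmp_echo_ignore_all": 1,
    "net.ipv4.tcp_max_syn_backlog": 256,
    "net.ipv4.tcp_syncookies": 1,
    "net.ipv4.conf.all.rp_filter": 1,
    "net.ipv4.ip_always_defrag": 1,
    "net.ipv4.icmp_echo_ignore_broadcasts": 1,
    "net.ipv4.icmp_ignore_bogus_error_responses": 1,
    "net.ipv4.conf.all.accept_redirects": 0,
    "net.ipv4.conf.all.send_redirects": 0,
}
AT_LEAST = {"net.ipv4.tcp_max_syn_backlog"}


def proc_path(key, root=PROC_SYS):
    """net.ipv4.conf.all.rp_filter -> /proc/sys/net/ipv4/conf/all/rp_filter"""
    parts = key.split(".")
    if any(p in ("", ".", "..") or "/" in p for p in parts):
        raise ValueError("bad sysctl key: %r" % key)
    return os.path.join(root, *parts)


def sysctl_key(path, root=PROC_SYS):
    """Inverse of proc_path."""
    rel = os.path.relpath(path, root)
    if rel.startswith(".."):
        raise ValueError("%s is outside %s" % (path, root))
    return rel.replace(os.sep, ".")


def snapshot(keys, root=PROC_SYS):
    """Read the current value of each key; keys the kernel does not expose map to None."""
    current = {}
    for key in keys:
        try:
            with open(proc_path(key, root)) as fh:
                current[key] = fh.read().strip()
        except OSError:
            current[key] = None
    return current


def audit(current, baseline=BASELINE):
    """Return (key, kind, have, want) for every setting that is missing,
    unparsable, or does not meet the baseline."""
    findings = []
    for key, want in baseline.items():
        have = current.get(key)
        if have is None:
            findings.append((key, "missing", None, want))
            continue
        tokens = str(have).split()
        try:
            have_int = int(tokens[0])
        except (IndexError, ValueError):
            findings.append((key, "unparsable", have, want))
            continue
        ok = have_int >= want if key in AT_LEAST else have_int == want
        if not ok:
            findings.append((key, "mismatch", have_int, want))
    return findings


def remediation(findings, root=PROC_SYS):
    """The same 'echo N > /proc/sys/...' lines the posts use, for each mismatch only;
    missing keys cannot be fixed from userland."""
    return ["echo %d > %s" % (want, proc_path(key, root))
            for key, kind, _have, want in findings if kind == "mismatch"]


# Constructed sample: syncookies off, backlog already above raz's 256,
# ip_always_defrag absent (as on 2.4 and later kernels), redirects accepted.
SAMPLE_CURRENT = {
    "net.ipv4.icmp_echo_ignore_all": "0",
    "net.ipv4.tcp_max_syn_backlog": "1024",
    "net.ipv4.tcp_syncookies": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.ip_always_defrag": None,
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.accept_redirects": "1",
    "net.ipv4.conf.all.send_redirects": "0",
}


def demo_fake_proc():
    """Write SAMPLE_CURRENT into a temporary fake /proc/sys tree, then snapshot
    and audit it exactly as you would the real one."""
    root = tempfile.mkdtemp()
    for key, value in SAMPLE_CURRENT.items():
        if value is None:
            continue
        path = proc_path(key, root)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(value + "\n")
    return audit(snapshot(BASELINE, root))


if __name__ == "__main__":
    for finding in demo_fake_proc():
        print("%-45s %-10s have=%r want=%r" % finding)
    print("\n".join(remediation(audit(SAMPLE_CURRENT))))
```

Reading /proc/sys needs no privileges, so the audit can run as any user; only applying the remediation lines needs root. Note that newer kernels accept `2` (loose mode) for rp_filter; the audit flags it because the posts set strict mode `1`, so decide which you want before pasting the echo lines.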
 
Old 06-19-2001, 01:47 PM   #5
jharris
I was just gonna say search the forum for Raz's posts, but I see he's already been here! LOL

Jamie...
 